NEOSYS Technical Support Wiki - User contributions [en]

Procedures

2021-07-29T08:05:36Z

Pratishthit: /* Handling Clients with Overdue Invoice */

Here are procedures to be followed by Support Staff in respect to various technical matters in day to day operations of client issues.

Once Support Staff have learnt how to follow these procedures & rules, you then start learning when and how to not follow them. Common sense trumps all rules! i.e. don't follow procedures and rules blindly all the time. Analyse the problem and solve it practically.

BUT if you are doing something off-piste deliberately, then just add an appropriate comment about why you are.

==Handling Clients with Overdue Invoice==
In order to maintain good payment speed by clients NEOSYS needs to restrict support to clients that dont pay their bills on time, however the degree of restriction needs to depend on an intimate knowledge of the client which cannot be expected from all NEOSYS support staff. Therefore we will use a simple escalation policy as follows:

===Overdue Support List===
NEOSYS SUPPORT MANAGERS WILL maintain an overdue list on a whiteboard visible to all support staff. Generally, clients will go on the list immediately when their invoice is overdue and come off only after satisfactory commitment to pay have been obtained.

The latest overdue list email MUST always be starred until there are no clients left on the overdue list (apart from the permanently overdue clients). When a client is added to the overdue list, support must set up a filter to move client support emails to the overdue folder. When a client is removed from the overdue list, client emails must be moved back into the support inbox. This way support team will know that there are still clients on the overdue list and will not mistakenly provide support to those clients.

[[image:FilterOverdue.jpg]]

For the first week of each quarter of the year, normal support should be provided for server failures and backup failures (including hung processes as it could eventually lead to backup failures).

For any other support requests from overdue clients, respond with the following letter (where XYZ is the overdue client):

Dear <user>,
There is an issue with your company's account. We have requested our Accounts team for approval in order to provide support to you and other <XYZ> users.

Support staff MUST then provide the required support to the overdue client only after 4 working hours. Support Staff need not actually contact the Accounts team for approval, although that is what is mentioned in the letter. This delay in support is to encourage clients to settle their payments on time.

After the first week of each quarter of the year, respond to any support requests from overdue clients with the above letter but MUST NOT PROVIDE SUPPORT even after 4 working hours. Instead, Support Staff must refer the support request to NEOSYS Support Manager.

Managers may well instruct support to provide support on a case by case basis even if clients are on the overdue list. Being on the overdue list does not necessarily indicate a major issue with accounts.

If the client provides proof of payment (e.g. cheque deposit slip), then carefully check all the details as mentioned in [https://userwiki.neosys.com/index.php/Sales_FAQ#When_can_NEOSYS_support_staff_start_installation_of_NEOSYS When can NEOSYS support staff start installation of NEOSYS], before getting approval from NEOSYS management to remove the client from the overdue list.

===Handling complaints about Licence restrictions===

Sometimes when a client delays payment of NEOSYS invoice, support places a licence restriction for the client. In such cases, users will not be able to create and save documents dated outside the licence period. Due to this sudden restriction, clients may raise complaints about the restriction placed.

Support MUST simply inform them that licence restrictions are a default procedure followed by NEOSYS and is applied to all clients, so that the client will in future avoid delaying the payment.

===Handling complaints about emails from NEOSYS Accounts Department===

If a client calls Support team to complain about emails from NEOSYS accounts department (e.g. invoice payment reminder), then immediately make them realise that they are wasting their time talking to support because support is not involved in client invoices and reminders procedure.

Any complaints or concerns they have MUST only be sent in reply to the email they received.

==Handling Frozen NEOSYS Installations and Databases==

Some clients retain fully operational NEOSYS installations or just particular databases even after they stop using them for some reason, either because they move to some other software, or because they terminate an operational division, or other reasons, and this can either be on NEOSYS or their own servers.

In this case, various NEOSYS upgrade and maintenance processes may be suspended, downgraded or completely skipped especially if instant access to the server is no longer available. This does not mean that it should never be done, and pros and cons need to be assessed and documented in support emails on a case by case basis.

*Upgrading NEOSYS version
*Upgrading/standardising NEOSYS database configuration and other files for consistency, security or other issues
*Patching Windows/IIS configuration for consistency, security or other issues

==Handling Links and Email Attachments==

'''DO NOT TRUST ANY LINK OR ATTACHMENT IN ANY EMAIL EVEN FROM HIGHLY TRUSTED PEOPLE OR ORGANISATIONS'''

These days you can no longer trust links or attachments in emails from anybody - even emails from highly trusted people like your bank.

If a personal computer or intermediate email server is hacked then even genuine emails sent out from it can be infected and modified in a hidden way that can result in the recipient being infected if they click or open anything in the email.

Therefore you should know and understand how to avoid, as far as possible, getting tricked and infected via emails.

Malware authors generally rely on the fact that most people devote no time at all to security precautions so a moderate cautious approach, slowing down a little to spending some time on security, even where it is apparently not required, is enough to defeat most attacks.

===Links===

Do NOT click on links, especially in emails that you are not expecting, but also anywhere else that you see links, without taking various precautions. The links in an email, even from someone you know and trust, can LIE to you about what website they will open and they can lead you to websites that mere browsing can infect your computer and then others inside our network.

WHAT LINK/WEBSITE WILL BE OPENED MAY NOT BE WHAT IT SAYS IN THE BODY OF YOUR EMAIL!

Therefore, to use a link in any and all emails, first hover your cursor over it and check the status bar at the bottom of the screen where you can see exactly what website will be opened, or, to be more sure exactly what website you are opening DO NOT click links in emails at all. COPY/PASTE the link to your browser, AFTER following the below points.

*Make sure you know and trust the website being opened.
*Carefully inspect the spelling of the domain name to avoid tricky look-alike fraudulent links eg hcsb.com instead of hsbc.com
*If you trust the sender but you do not personally know the website then get independent confirmation from the sender. Reply to the email so that the sender can check the link you received has not been tampered with.

Example 1:

Below is an example of a phishing email that you can easily tell is malware

[[image:Scamscreenshot1.png]]

*You don't expect it because it says "before your sign up is complete" ... but you didn't just sign up.

This doesn't mean that links in emails that you ARE expecting ARE safe to open. All the usual cautions apply to emails you DO expect.

*Hover mouse over the button and check the link visually

In the example above, the email is supposed to be from Dropbox, but hovering the mouse over the button shows the below link, which is obviously wrong:

http://fxloraisdoxbraxsil.com.br/dropbox.html

*Even if the link looks genuine e.g. something from a service that we use that we didn't expect, be careful for misspelt links that look like genuine links e.g. drobbox.com, which could trick you if you are sloppy.

Never click on links in emails unless you are absolutely 100% sure that the email and link is genuine.

Copy the link using right click copy link then paste into your browser if there is the slightest doubt.

Example 2:

In the following case, hovering over the first two links seem to go to real UPS website, BUT this is NOT sufficient to be sure since slight misspellings and other tricks can lead you to a totally different website.

However, hovering over the third "link" shows that clicking the apparent link would go to some website http://behappy.vn (Vietnam) so clearly this is a DECEPTION.

[[image:Scamscreenshot.png]]

Example 3:

In this case, an unknown organization behind the phishing attack is pretending to work for Leaseweb sales company and is sending emails from an email address similar to Leaseweb’s, and with Leaseweb’s footer. They claim that the original payment was declined and ask to wire or transfer money to a new account. These kind of emails are quite sophisticated and require you to be vigilant.

Try to confirm the sender’s identity before replying to email requests and before opening attachments or clicking on links, even if they appear to come from a legitimate source.

Below is an example of a fraudulent email request:

<pre>
Your payment has been declined!
Your invoice (100421) with Office 365 Service is due.
To make a payment, please log in with your email address and password at

https://leaseweb.com/payment/100421
Once logged in please click select the Make a Payment icon in the Billing Tab. You may complete payment by Credit Card or Paypal on this page.

Once paid no further action is needed and your account will remain active.
We thank you for your continued business and assistance in helping us to get this resolved.
Feel free to contact us if you have any questions, comments, or concerns.

Regards; </pre>

===Attachments===

Please follow these rules strictly:

*<nowiki>*NEVER* open an attachment that you did not expect.</nowiki>

*<nowiki>*NEVER* be curious to see what is in an attachment.</nowiki>

*<nowiki>*NEVER* open an attachment if there is some other way for the info to be sent e.g. Screenshot of document.</nowiki>

If the rules above are followed then:

*You can open an attachment if you have requested it and if sender is unable to take a screenshot.

*You can open an attachment if you get a good explanation of it contents from sender and they are unable to take a screenshot.

It is okay to save an attached eml file and open it with GEDIT as text, as it will not trigger any virus.

This does NOT mean that you can open attached files freely. As per the procedures above, you should NOT open any unknown or unexpected attachments without CONSIDERABLE thought.

But saving and then opening files with GEDIT to get an idea of their contents even if the view is mangled is okay. Although, there is little point in opening files like ZIP in gedit.

There is no way to determine if an attachment, even from someone you know, has not been infected and is therefore, dangerous.

The only protection is to rely on anti-virus/anti-malware e-mail filters and staff vigilance!

You can check the names and file types/extensions of attached files to spot any obviously strange or unexpected attachments, but this is not very effective. The filename of an attachment could be spoofed. An attacker could potentially exploit this by tricking the user in to opening an attachment of a different type to the one expected.

Attachments ending in .jar or any other unusual extensions shouldn’t be opened without SB's permission.

If there are a lot of attached files, don't assume they are all safe, make sure you asked for each of them.

==Handling emails from unknown email addresses==

Any sort of contact from an unknown email address must be ignored entirely, i.e. no response whatsoever from Support, as these emails could be from a fraudulent source. If the email is genuine, then the sender can surely contact their managers.

Support should keep in mind that hackers can send emails that look genuine, aiming to get private/confidential information and so should always stay alert when dealing with such emails.

==Handling junk/spam email==

In order to get better automatic spam email filtering please mark as many obviously spam emails as Junk, instead of just deleting them. Marking them will delete them so it takes not much longer to do.

*DO NOT delete emails from Junk or Spam folder because they are used to identify future junk and spam emails.
*Any email identified as junk should be marked as Junk so that they automatically go into the Junk folder. The spam filter in the mail server will use these emails in the Junk folder to decide what is moved into the spam folder.
*You MUST ensure that all clearly junk/spam emails are marked as Junk/Spam in ALL email inboxes. In other words they MUST be moved to Junk/Spam folders and not left in our inboxes or other main folders.
*Any emails which are not clearly junk/spam emails or are similar to genuine emails, but you know are spam/junk MUST be deleted i.e. NOT left in inbox NOR moved to Junk/Spam folders.

Failing the above we will have the following problems:

*Real emails disappearing into junk/spam folders by our email server.
*More junk/spam emails appearing in our inboxes than necessary.

The Junk email folder contains emails that have been manually marked as spam/junk whereas the "spam" email folder contains emails that have automatically been filtered out by the email server.

==Avoid burdening email servers with excessive graphics==

Support MUST install the "Auto Resize Image" addon in Thunderbird to reduce the size of images in emails resulting in a significant reduction in email size. See [[Configuring_Thunderbird#Configure_Auto_Resize_Image| setting up auto resize image]] for details.

It reduces the burden on NEOSYS and NEOSYS client's email servers. This is especially important on long conversations about subjects that include many screenshots, since for just a simple one line reply, the email can consume many MB of space. It massively wastes the email server space and makes backups massive and generally a total waste of resources and time.

To be able to refer back to graphics in previous emails, add the SIZE column to your email program so that you can locate large emails with graphics rapidly without searching back one by one.

==Client Communication Policies==
===Client Meeting Report Policy===

After every Client meeting online or otherwise Support MUST send a Follow-Up email to the Client which is open and fully informative and not brief, stating the events during the meet and any action required by either or both parties. The email to the client must not shrink from discussing contentious issues due to a false sense of politeness or timidity to address issues face on. Obviously one should not be rude but it is not rude to address issues openly.(cc Client managers and NEOSYS Managers)

The follow-up email MUST be sent within 24 hours of completion of the meeting so that the points discussed during the meeting are fresh in all the meeting participants' minds. This means that reports for meetings on the day before the weekend MUST be sent on the SAME day.

In addition to above email if there is some information that needs to be shared internally and cannot be said in public to the client then send a Client Meeting report to Support.

Support must also update the Client Contact Record file in Google Drive immediately after sending out the follow-up email.

===Follow Up of Support Issues===

All voice/chat communication MUST also be followed up with an email confirming at least the gist of the communication to keep the whole support team updated on the issue.

If not possible to contact for any reason, then an email MUST be sent stating so and suggesting or requesting a time to connect.

cc Client managers (and/or BCC NEOSYS Managers) MAY be done if thought to be useful and/or appropriate.

===Handling Contentious Emails from Clients===

If emails requesting support become contentious, then voice, phone call or chat is REQUIRED to save time. However, client support via phone call should be done only on local or low-cost calls. High-cost international calls should not be used except in extreme circumstances.

If clients become deliberately combative or uncooperative then Support team is supposed to kick back a little but still emphasise the point. Perhaps it could be done better with a little ironic humour or a smiley. Avoid using !! while responding to contentious emails.

===Apologising to clients for issues===

We only need to apologise for major issues that are a) definitely our fault and b) we wish to indicate that there is some general issue in NEOSYS procedures and that we are dealing with it.

We do not want to invite bullying by some clients by seeming to lack confidence in our ability.

An explanation of the cause and possibly FP is of more value to the client, since an apology doesn’t really make any difference.

===Discussing Pricing===
All discussions about pricing must be done only in Sales inbox. If clients bring up pricing discussion in support emails, NEOSYS staff must respond to the client by starting a new thread in the Sales Inbox.

==NEOSYS Support Response Time Policy==

NEOSYS contracts, in the few cases where we have a written contract with the client, specifies that maximum response time is one business day generally and one business hour for complete stoppages of the system. Obviously we have to do far better than this in practice.

Support staff must inform clients of the progress of the issue if it is not resolved the same day but only if they contact at least 1 hour before office closing.

Deciding to wait on issues is fine (also refer to: [[Procedures#Handling_users_who_do_not_act_upon_standard_messages|Response to standard messages]]), but support MUST at least spend up to 5 minutes on issues to see if they can be handled quickly. Support MUST respond quickly to issues that can be handled quickly, otherwise the client suffers unnecessarily.

When an issue is fixed or a client request has been implemented in NEOSYS, Support must immediately let users know that the issue is fixed, so that clients can continue their work without any further delay. Quick and prompt responses from Support will gain the client's appreciation.

For routine requests for service where there is a reasonable expectation of delay by the client then no need to send rapid reply.

==Default Browser for support staff==

NEOSYS supports and develops for Firefox primarily but other browsers such as Chrome and Edge MUST also be tested working fine. Support team currently uses Firefox for all work related tasks in Ubuntu which includes testing, wiki work etc.

Also refer to [http://itwiki.neosys.com/index.php/Setting_up_Ubuntu_on_NEOSYS_Support_Computers#Mozilla_Firefox Setting up Mozilla Firefox]

==Handling errors discovered by support staff==
{{Handling errors}}

==Handling browser script errors==

If a script error is faced, support should take a full screenshot of the script error including the script name, line number, etc.

Include every detail available regarding the script error and also the steps to replicate it and escalate this to the programmer.

Chrome JavaScript Error Notifier extension shows all the details available in the initial script error message itself. In Internet Explorer, you will have to click 'Yes' on the script error message to get all the details.

==Various checks done by Support to investigate errors==

A list of logs/reports that Support must look at, depending on the situation, to solve issues or investigate errors.

#Support inbox emails: Check old emails in Thunderbird. This is the quickest way to handle issues/errors that were handled recently.
#Logs/reports available in NEOSYS Menu
#*Request Log (Support -> RequestLog) - These logs can be checked to see what request were made and by which users etc., not as detailed as the xml logs mentioned under "Logs found on the server".
#*NEOSYS logs (Support -> Log) - Log of alerts sent out via email, e.g. backup email, login failure, etc.
#*What's New report (Help -> What's new in NEOSYS) - Contains a list of all the features added in NEOSYS
#*List of Database processes (Support -> List of Database Processes) - Status of processes windows running on the server.
#*List of documents in use (Support -> List of Documents in Use) - Currently used documents.
#*User details page (Help -> User Details) - To check logins and IPs and password reset details.
#*Version logs of files - The history of edits made to files in NEOSYS. This is available at the bottom of files in NEOSYS (e.g. Schedule file, Voucher file, etc.)
#*Usage Statistics (Support -> Usage Statistics) - Shows no. of requests made per user, per department, per database, per hour etc.
#Logs found on the server:
#*Xml logs - These logs can be checked to see what request were made and by which users etc. in detail.
#*Process logs (.LOG files) - These log files contain entries showing start of database backup, and process startup logs.
#*Process windows - Check process windows on the server for error messages or anything unusual, e.g. hung processes.
#*Procexp (Process Explorer)- Used to check ntvdm processes running for specific installations (useful on servers with multiple installations).
#*System logs (Event viewer) - Used to check for unusual system events, eg: unexpected shutdown.
#*Task manager - Checked to monitor CPU usage, NTVDM running etc.
#NAGIOS - Monitors the status of all hosts and services.

==Handling Cheques from Clients==

NEOSYS staff are not to accept deliveries from clients that might be cheques without prior instructions to accept the same. They can ask courier to wait a few minutes until NEOSYS accounts or management agrees but they may not be immediately available and probably will not agree anyway. If accounts or management is not immediate available, then cheque MUST not in any circumstances be accepted, otherwise client can cause problems in our accounts and we waste time visiting the bank to deposit.

NEOSYS payment terms do not accept cheques although clients are free to deposit cheques by themselves.

==Client Password Policy==
All client user passwords, including their initial one, are to be obtained via the user's email address using the password reminder/reset button on the login screen. [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#What_is_NEOSYS_password_policy.3F (NEOSYS password policy)]

NEOSYS staff should never know users passwords therefore NEOSYS will not obtain and grant user passwords. The reason for this is that in the event that users lose their passwords to other people who then login unauthorised then suspicion could fall on the NEOSYS staff who know their password.

All parties concerned, including client management, client users and NEOSYS support staff, benefit greatly from trusting that if something in a NEOSYS database is registered as having been done by a particular user then it was not in fact somehow done by NEOSYS support staff. Nothing should be done that would break such fundamental trust. To achieve this, NEOSYS support staff must never log in as particular users, never ask for users passwords and generally enforce the idea that all work logged as being done by users IS done by users.

Very limited amounts of work by NEOSYS support staff either in person or remotely using teamviewer is acceptable while a user is logged as long as the user login was performed by the user themselves, the user is present and the user specifically agrees with the work being done.

===Support requests from ordinary client users===
Any support requests concerning inability to obtain passwords will be forwarded to known skilled users on the client staff since this is the most efficient (not fastest) way to handle such issues.

===Support requests from senior client management===
Any support requests concerning inability to obtain passwords by senior client management users shall be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bearing in mind that NEOSYS staff should never know user's passwords this will probably involve NEOSYS staff using the Password Reminder/Reset button to send a new password to the user.

===User Defined Passwords===
NEOSYS will provide user defined passwords in very special cases which must be pre-approved case by case by NEOSYS management. NEOSYS will not approve this due to the reasons mentioned [[Procedures#Client_Password_Policy|here]].

If the user login gets blocked due to multiple login failures and the user requests support team to reset the password to the user defined password again, support MUST delay the response to this request by at least 1 hour in order to force the user to be more careful when typing the password.

Currently permission for user defined password has only been granted to one NEOSYS client with several hundreds of databases.

==Handling client issues and requests==

All support issues must be dealt with through phone/email/chat. Support Staff can schedule client visits for User Training but should not schedule client visits solely for providing support for petty issues.

ALL Support staff should check all the previous day's inbound emails for reply flags once in the morning. All Support staff will therefore be held responsible for any unreplied inbound email.

Support MUST NOT waste time and delay support by investigating issues WITHOUT SUFFICIENT INFORMATION.

Support must NOT get involved in any discussion about any document that is not directly out of NEOSYS, so that Support is able to reproduce it from NEOSYS screenshots of screen options that the client used.

Support should look for similar issues when solving a particular problem to avoid similar issues in future. This saves the time and energy of Support as well as the Client.

When sending screenshots to clients, support team should economise on space by minimising to the minimum that will show the problem clearly. This is because not every user will be viewing their emails on large wide screens like NEOSYS support team. Browser windows reformat their contents to suit the width available so this is particularly effective in most NEOSYS screens.

Support team MUST be cautious while sending screenshots so that no private/unnecessary information is sent to Client. If you cannot avoid taking the screenshot without unnecessary information then you should hide it in the screenshot.

Support team MUST learn not to do silly support for people, because we have an OPEN SUPPORT policy, which some users WILL try to abuse based on either poor understanding or lack of respect.
Either way support MUST learn to deal with abuse of privileges as it will save a lot of time, which could be spent on more important issues.

{{SensitiveSecurity }}

===Handling new emails in Support inbox===
Support MUST spend up to 5 minutes on new emails and send a quick reply to the client, to acknowledge the request or give a quick solution in case it is a petty issue or has a documented solution in wiki.

Client issues/requests should be prioritized, interrupting existing work and not wait for one hour and be dealt with quickly.

For routine service requests where there is a reasonable expectation of delay by the client, Support need not send a rapid reply but must keep the email starred in Support inbox to indicate that it is pending or being worked on.

===Handling starred emails in Support inbox===

When an email is received in Support inbox,

*if the email can be replied to immediately, then mark it as read after you have replied to the email.
*if the issue cannot be resolved immediately, then the email MUST be starred so that support does not forget to work on it. Once the issue has been resolved, Support should send an email to Support inbox confirming that the issue is closed. Only then should the email be unstarred.

No issue should be silently dropped without being fully resolved.

===Handling client-sensitive information in emails===

Support should avoid including information that could be sensitive to clients e.g. screenshots of reports that should only be viewed by client's upper management.

This can be done simply by clever cropping of images or blurring out of information in cases where cropping is not possible.

Support MUST not delay response to any client by wasting time blurring or cropping out information that is not sensitive to clients, e.g. blurring out the URL and tabs in browsers etc.

===Handling client call back requests===

Clients who ask us to call them should be given our phone number and asked to call us unless there is some GOOD reason why we should make the effort and pay phone charges.

===Handling login failure issues===

Users often get login failure issues due to typing wrong password and they simply won't read and act according to the error message they get. In this case, Support must send the below email to the user.

<pre>
Dear XYZ,

If you have trouble resetting password, please ask for assistance from your manager/IT Manager/Timesheet Administrator/NEOSYS-expert colleague.

Regards,
NEOSYS Support
</pre>

Local support users (TA or IT manager etc) have the LS key using which they can see the User Details page of all users. They should check all the information (usercode, registered email id, last login attempts etc) in the User Details page to find out what is the issue.

This procedure will reduce the endless mails sent back and forth to solve petty issues which could easily be solved by the client's local support.

===Handling requests or demands for "URGENT" or "PRIORITY" support===

Any request for prioritised action *without giving any reason for the prioritisation* should be disregarded and the request handled with normal priority. If a reason is given then you may at your discretion prioritise a response but there is no obligation to do so.

===Handling users who login with other people's NEOSYS usercodes===
This can cause a lot of confusion in both the client and NEOSYS support. It may also indicate that the correct NEOSYS monthly licensing fee is not being paid. There is no valid reason for anonymous logins or sharing logins between multiple users.

Therefore if NEOSYS support team get requests for support about using NEOSYS from users who are not registered properly in NEOSYS with an personally identifiable user code, name and email then the following email should be sent cc admin@neosys.com.

No exception should be granted to clients without NEOSYS management approval.

<pre>
Dear NEOSYSUSER,

Please note that in order to receive support from NEOSYS you must personally have an identifiable user code, name and email address registered
in NEOSYS.

We can create new user account for you with your management approval. This may or may not have an impact on the NEOSYS monthly licensing fee
depending on the agreement in force.

Please let us know what you would like us to do.

Best Regards,
NEOSYS Support
</pre>

===Handling support requests from expired users===

If expired users call for any reason including not being able to login, they must not be given any support. They should only be told that their account is expired without any reason being offered because employers sometimes do not want any information at all being passed to expired users.

===Handling support request from senior management===

Any support requests from senior client management users concerning report generations should be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bear in mind that NEOSYS staff should not agree or offer to do client work. Support staff can advise senior management to contact a skilled user to help them with basic NEOSYS reporting. Support staff can also send screenshots of step by step procedure on how to take reports. Depending on the situation and reasons provided by senior management, support staff can at their discretion provide reports but after informing them that this is an exception and no more reports will be sent out as this is against NEOSYS procedures.

===Handling requests that involve updating NEOSYS configuration files===

Changes to any configuration file in NEOSYS MUST be performed only by NEOSYS support, because even the slightest misconfiguration of the system may cause unrecoverable errors and NEOSYS is responsible for support.

===Handling emails with unrelated subject line===
At times, clients forward old emails, with new issues, resulting in completely unrelated subject line. In such situations, support MUST follow the below steps to ensure that unrelated emails do not appear in the same conversation group when viewing emails in conversation mode:

#Right click the email -> HeaderToolsLite -> Edit full source
#Modify the text that appears after "Message-ID: <". (e.g. replace the first few characters with "xxxxxxxxx")
#Remove all texts that appear after "References:" and "In-Reply-To:" and click OK.
#Click Reply All on the modified email.
#Change the subject to a relevant one.
#Delete old unrelated content from the email body.

In the email reply, include a comment like "PS Please don't forward old emails for new issues, start a new email with a new subject so that emails can be traced easily."

Sometimes the client does not bother putting the correct subject line for new issues (e.g. blank subject, or "Error"). Then support should add a meaningful subject line in order to make the email easy to search for.

===Handling emails with poor screenshots===
Sometimes Thunderbird shows full sized screenshots in a compact format that is not easy to read. These can be resized to make them more legible. To do this, make the email editable by hitting the "Reply" button, then click and drag to resize the screenshot as desired.

If the screenshot sent by the user is genuinely small and hard to read, reply to the mail and request for a full size, clear screenshot.

===Handling support-request emails sent to anywhere than support@neosys.com===
Client emails anywhere than support@neosys.com MUST be ignored. This is because ALL support must be recorded in support inbox without exception so that the whole support team is aware of the issue and action taken. If client complains about the delay in support then they can be told this is because they used the wrong email address.

===Handling users who do not act upon standard messages===
When users do not bother to read and act on standard NEOSYS-generated messages and instead ask for help, Support staff MUST delay response time and thereafter send them an email which is the same as the message so they get the point that in future they should read the messages and handle issues themselves.

===Handling Requests to do Client work===
NEOSYS Support staff must not agree or offer to do work on behalf of the client.

This is because doing client work while logged in as NEOSYS breaks security rules. Support uses the NEOSYS username which has unrestricted access, so when a user requests Support to do some work which they don’t have access to, and if Support agrees to do the work, the client has successfully defeated the security rules by accessing features that they are unauthorised to access.

If a client makes a false claim about an issue in NEOSYS, i.e. if Support finds out that there is no real issue, then direct the client in the right direction so that they find out their mistake by themselves. Support MUST NOT show/explain the problem to them in detail, since you are just doing their work for them by explaining the problem and this will encourage the client to contact support for every petty issue they face.

Client work also includes [[Procedures#Handling_issues_with_totals_on_reports|Handling issues with totals on reports]].

====Requests for colour and font changes====

Support should not be spending lots of time on colour and font changes. Clients can make as many changes as they want until they are happy with a selection. Clients MUST send a screenshot of their required color/font settings (not sample screen/reports) for Support to copy and setup for all users. If Support sees them doing something bad or poor then give comments or better suggestions.

===Handling Requests that require Approval from Higher Authority===

The following is a list of user requests that must be handled by NEOSYS support staff only if they are approved by or come from a higher authority (manager/admin). The LIST is '''NOT''' a complete list so there may be other things which might require approval so use good judgement and/or ASK if in doubt.

*Opening new financial year
*Adding new company/dataset
*Editing alert/backup email receiver addresses
*Customising Authorisation File ({{SensitiveSecurity }})
**Adding or removing accesses for existing users in Authorisation file
**[[Procedures#Handling_new_USER_creation| Adding new user(s) to Authorisation file]]
**Expiring a user
**[[Procedures#For_HTTPS_access| Allowing HTTPS/outside office access from any IP number]]

If an unauthorized user sends one of these requests to support staff, support staff must immediately instruct the user to get the request approved by the higher authority.

===Handling User Requests to add an IP or range of IPs to access NEOSYS===

Support staff must identify if the IP or range of IPs is for http or https access.
{{SensitiveSecurity }}

====For HTTP access====
Support staff can add local IP or range of local IPs when requested by the client. Top management approval is not needed to add local IP numbers. Listed below are the IP address ranges reserved for local network.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

====For HTTPS access====
Any request for https access from any IP address or range of IP addresses (eg. 123.456.* or just *), or in other words any use of an asterisk in the IP restrictions, MUST have TOP management i.e. the company's decision makers approval. The Staff and their Managers are not the best decision makers in this affair because they usually ignore the risks and it is not really their decision. Security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc can be triggered if access from any IP is enabled. It is completely pointless to inform the staff who want the access about these risks because only their top managers could really decide that this is NOT going to be allowed. Hence the Top Management MUST be asked for approvals and at the same time WARN them about the security risks/threats behind the no IP restrictions.

=====For clients with static IP=====
Any request to add a specific IP address to the list of allowed IP addresses MUST have management approval.

=====For clients with dynamic IP=====
For clients with dynamic IP, support MUST NOT add their public IP to the allowed list as this will encourage the client to again request for access from new IP numbers every time their public IP changes. Instead, support MUST force the client to either get a static IP, install VPN or get the Top Management i.e. the company's decision maker's approval to enable access from any IP after explaining the security risks in doing so, as mentioned above.

Support MUST also mention that installation of VPN by the Company is the industry standard way of providing access to mobile staff (i.e. those on dynamic IP numbers from home or traveling) to corporate software assets like NEOSYS IN A SECURE MANNER. Installation of VPN is to be done by their own IT support. Refer to [[Procedures#Using_VPN_to_enable_secure_access_from_outside_the_office|Using VPN to enable secure access from outside the office]]

Sample Email addressed to Top Management:
<pre>
Dear <XXXXX>,

I do not recommend allowing access from all IPs because security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc. can be triggered if access from any IP is enabled.

I strongly recommend that you keep IP restrictions for <XXXXXX> dataset.

If you want to provide access to mobile staff (i.e. those on dynamic IP numbers from home or traveling) to corporate software assets like NEOSYS IN A SECURE MANNER, then installation of VPN is the industry standard of achieving this. Installation of VPN is to be done by your own IT support.

If you still wish to allow access from all IPs, kindly confirm that you acknowledge the security threats of doing so.

</pre>

===Handling repeated request to allow users to access from all IPs===

{{SensitiveSecurity }}

If the client wants temporary access from outside for some staff twice in say a six months period then support should send the below email. The real reason is because we don't have the time to be doing this on a regular basis. If at all the client asks why we no longer support the provision of temporary outside access then we can say this is because of the frequency of such requests.

Dear XXX

We have given you temporary outside access this time, as requested. Please note that we can no longer support the provision of temporary outside access. So in the future, you will have to choose between either permanent or no outside access. Alternatively, you can ask your management to install a VPN (which is the industry standard of achieving outside access to a corporate asset in a secure manner), so that you can log in to NEOSYS from outside.

===Handling requests to create a new feature or modifying existing features===

Many issues are small and not important but can still be considered for development because they may be easy and neatly added to NEOSYS. The aim here is to avoid development on hard issues for little benefit, or little issues that make NEOSYS more complex for little benefit.

When a client requests to create a new feature or modify an existing feature, a workaround must be given to the user, which is either a permanent solution, for example if the issue is a rare case and not commonly faced by other clients (and the workaround is acceptable to the client), or a temporary solution until some better solution is discovered or can be developed.

Support MUST check all options on all pages to look for any already existing solution or workaround to the problem before emailing the programmer.

Any request to create a new feature or modify an existing feature MUST be discussed with other clients before forwarding it to the programmer because the other clients might not be comfortable with the change as it may not be in accordance with their workflow. If other clients agree to the proposed change then support should go ahead and request the programmer to implement it.

Therefore before escalating a request to the programmer to modify a feature in NEOSYS, the approval for the same from other clients must be taken into account.

Any request to fix or modify a feature in NEOSYS must be accompanied with good reason and some basic considerations, so that the programmer knows what level of priority it can be dealt with.

When escalating the request to the programmer, support MUST avoid using "Is it possible..?" because the obvious answer to that is "Anything is possible" and because this question is only a way to avoid doing the real work of deciding whether the new feature/modification should be implemented.

===Handling requests to add more fields to List of Invoices reports===

Many users may ask for the List of Invoices report to be expanded to show a zillion other things, but this makes it NOT a list of invoices. Therefore other break-downs MUST be obtained from other reports in NEOSYS.

===Updating Clients about unresolved issues===
Support should proactively inform clients if an issue is not solved within the same day it was raised, after judging the urgency of the issue and the time it was raised. An email to the client who raised the issue, before the end of each day, is a best practice that keeps the client updated and other support staff too. This email should be sent regardless of the degree to which the issue has been resolved or if the issue is unresolved. If the issue is unresolved, the email should explain why and also explain the cause of delay.

===Handling new USER creation===
====Get Approval====
Support staff should create new USERS for clients ONLY when requested by an authorised person. If the authorised person is unavailable, for example on leave, then get approval from someone who is in the backup mail list.

Ideally only people who are users in NEOSYS and have authority over some task can grant or request authority to do that task to other NEOSYS users. However, if this is not the case and the requesting person has some seniority in the company (but is either not a NEOSYS user, or is not actually currently authorised to perform the task themselves) you may decide that it is not wise to proceed without some confirmation. In such a case be very respectful of their position while rejecting any request perhaps stating something like:

"Currently we have instructions to take instructions concerning authorisation only from xxx, yyy and zzz. Please could this request be confirmed by one of them?" Rewrite this judiciously to suit the occasion.

Consider that different sections of a company may have different chain of commands. For example one should not assume that a Sales Director has authority over Finance unless there is firm evidence. If there is any doubt consult NEOSYS Support Managers.

Support MUST NOT directly contact the authorised person asking for approval/confirmation because that is client work.

Clients should not be discouraged to create new users. Clients are billed as per user usage which is reviewed periodically. Over time old USERS are replaced with new USERS.

====Creating User====
Preliminary:

New user requirements :-

*Full name - (like John Smith and not generic name like Copy Writer)
*Email address - (like johnsmith@example.com and not generic address like copywriter@example.com)
*Group level / User with similar authorisation

The USER code is the first name of a user.

1. Support MUST only create NEOSYS accounts with real names and email addresses WITH NO EXCEPTIONS unless agreed by NEOSYS management.

It is acceptable, although inefficient, for one person to have multiple user accounts either concurrently or sequentially, but the opposite MUST never occur.
One NEOSYS user code/account MUST never have more than one real person associated with it neither concurrently nor sequentially.
In order to maintain efficiency, various fleeting temptations to cut corners and break the ONE TO ONE link between NEOSYS users accounts and real people MUST be resisted.
These principle remain mandatory even when pressure is exerted by people, even senior management, who may not appreciate the issues involved.
The fact that NEOSYS support does not know for certain who is the real person using an NEOSYS account does not change these principles.

2. Support MUST not create GENERIC user codes like AUDITOR or MANAGEMENT (even to grant special access to such users like read-only access) as this breaks all security rules.
Do not re-use user codes. Always create NEW user codes for NEW users.

3. Support MUST not create or modify any usable NEOSYS account that is or has been used by more than one user.

4. Support is responsible to maintain the system in good working order and not knowing who is really doing the work in the system can make support harder.

5. Support MUST not collude with clients to by-pass the principles. If asked to do so Support MUST refuse to create or update such accounts.

6. Do not hand over user codes from one person to another in a mistaken attempt to represent a hand over to a replacement. EXPIRE THE OLD USER CODE/ACCOUNT AND CREATE A NEW USER CODE/ACCOUNT.

{{SensitiveSecurity }}

7. Support team MUST NOT discuss billings with clients unless authorised to do so. Also see [[Procedures#Discussing_Pricing|Discussing Pricing]]

8. Support team MUST NOT proceed with creating new users until the group level or existing user with similar authorisation has been clearly provided by the client, otherwise the new user may end up with more than the required authorisation, which can lead to problems in future.

====After Creating New User====

Support MUST send an email to the person who requested the creation of new user, confirming that the new user has been created along with a screenshot of that part of the authorisation table where the new user was created so that the new user's user code and email id is visible. This is done so that in case there is some error in the user code or email id, it is easily visible in the screenshot and also so that the person who requested the creation of the new user is informed about the user code of the new user.

===Handling letterhead change requests===

Support staff should reject any requests that require the letterhead to be setup on the TESTING dataset before it is setup in the MAIN dataset.This is to reduce double work for support staff and to ensure that clients have a clear understanding of their requirements and also send the correct logo image.
The MAIN dataset can be copied to the TEST dataset for any kind of testing.

See [http://userwiki.neosys.com/index.php/Configuring_Letterhead#Changing_the_letterhead_for_printed_documents How to change letterhead]

===Handling error messages===

'''Important:''' Before Attempting to resolve client issues, please ensure that we have secure access to the NEOSYS server.

#The very first step is understanding client problem. Ask questions to the client until you CLEARLY understand the problem.
#If the error is familiar and does not require a screenshot, resolve the problem immediately.
#If the error is unfamiliar and/or requires a screenshot and the user has not sent a screenshot, IMMEDIATELY ask the user to send a screenshot of the problem, along with the options used (basically you need to know HOW to replicate the error and the screenshot MUST show WHAT the error is).
#If the user says "nothing happens, so no screenshot of the error", then IMMEDIATELY request for screenshots again with the exact steps to reproduce the problem using mouse and keyboard.
#Support team MUST NOT provide support without a screenshot, otherwise the client will not pay attention to support team in future and ignore requests for screenshots.
#Upon receipt of the error and steps to reproduce the error, follow the steps and reproduce the error. Also refer to [[Procedures#Addressing_Browser_related_issues|Addressing Browser related issues]]
#If the issue is unknown or you don’t understand it clearly, with the users acknowledgement use remote support to gain access to the users desktop to view how to replicate the error.
{{Handling errors}}

====Understanding Internal error messages====

Internal errors messages appear in red on screen and an email which is sent to support with more details. (Example below)

[[image:Rawformdatapng.png]]

The "ERROR NO:" line is comprised of the error number (B16), the program (MARGIN_BASE) and the line number (1). Sometimes the line number is wrong, refer to section "Misleading line numbers in error messages" below for more info.

The "STACK:" line lists the "parent" calling programs "SYSMSG,LISTEN" used to trace how and where the error originates.

The "DATA:" is a string of characters that is used to recreate the options used by the client in order to replicate the error message. See how to [[Troubleshooting_NEOSYS_Generally#Replicate_options_used_.26_error_using_sysmsg_Data: | replicate the error with the options used, using internal error email]]

====Misleading line numbers in error messages====

Many small NEOSYS utility programs are compiled to run faster than usual programs and will not report the correct line on errors like Variable Not Assigned.

To get the actual line number, compile as usual. ie without the (CL) options mentioned below, and regenerate the error.

Note that most of these programs should have a source line "linemark" or "*linemark" in them somewhere near the top. When single stepping in the debugger, the program will break on this line and this line alone.

To compile a GBP program DATE for speed use something like the following:

COMPILE GBP DATE (CL)

*"L" means compile without line numbers. This makes them run faster, which is important for utility programs that are called extremely frequently eg for date or number input/output conversion.
*"C" means do not generate a symbol table in GBP $GETPERIOD. It makes no difference whether you do or do not.

===Addressing Browser related issues===

When resolving random browsing issues that seem to be on one user computer only, support MUST send the below email asking the user to check if the same issue occurs on other user computers. Rapidly convincing the user that the problem is only on their computer gains their willingness to sort the problem out at their end, using IT people if necessary and available.

Handling random issues that appear to be on one computer is very very common and it is important to deal with it effectively, not requiring stages of "denial" by the users until they accept something has to be done at their end, and not by NEOSYS. Speeding up this process gains the confidence and appreciation of the users.

<pre>Hi xxxx

Is this error happening only on your computer? If that is the case, it may be due to an issue in your browser cache. Please clear your browser cache with assistance from your IT team if required. Then restart the browser and try again.

If clearing browser cache does not fix the issue, I recommend a full browser reset to ensure that everything works fine.

Follow these instructions for clearing browser cache and resetting browser:
http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers

Please let us know if you face the issue again.</pre>

Also refer to [[Procedures#Handling_Browser_related_issues_in_NEOSYS| Handling Browser related issues]]

===Addressing Technical support emails===

In the case of technical support issues, address emails to the IT person and cc the complete group of recipients of backup emails and other NEOSYS alert emails. This allows both NEOSYS and client IT staff to take credit for resolving issues that NEOSYS raises instead of working in the background unacknowledged.

Technical support issues include backup failure, server failure, missing alert email, server connectivity issues and port forwarding issues and many other issues.

For technical issues like browser configuration, clear cache, etc. support must send the user a link to the appropriate wiki article to help the user fix the problem. In some cases the user may be helpless and unable to follow the steps to fix the problem. In such cases, support MUST NOT waste time trying to help the user fix the problem, instead support MUST ask the user to get help from the IT person.

===Acceptable report format when handling issues in NEOSYS reports===

NEOSYS Support must only resolve issues in NEOSYS output first. This is because only NEOSYS outputs can be trusted and user versions in Excel or PDF could be copied wrongly or edited by the user.

In case users send reports in excel or other formats, get them to send the original NEOSYS HTML report as an attachment or copy-pasted in email.

===Handling requests to create new charts or control accounts===

[http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Finance_System#Creating_New_Charts_or_Control_Accounts Refer here]

===Handling issues with totals on reports===

If a client has a problem with any total output by NEOSYS software then NEOSYS support will advise them which other NEOSYS report or reports provide a complete breakdown of the total (if necessary, to individual transactions) and ask the client to locate any offending transactions themselves.

NEOSYS support staff will handle any issues where the total on the breakdown report does not add up to the total on the summary report.

Reconciling totals can be hard if there are many transactions involved. Regardless of how hard it may be, reconciliation is an operational task for users not for support staff since NEOSYS support staff will not get involved in understanding client transactions or data.

====Trial Balance and Financial Statements====

NEOSYS support staff do not have to prove or trace any figures in NEOSYS Trial Balance Reports or any financial reports. If a figure is stated to be wrong by the user, then NEOSYS support staff should ask for proof or say NEOSYS is confident that the figures are correct unless proved otherwise.

NEOSYS support staff should point out reports in NEOSYS which will support the figures in question but not actually run the reports. Support staff can suggest the users to refer to detailed ledger accounts to prove balances.

==Using VPN to enable secure access from outside the office==
There are two ways in which a user can use VPN:

*User connects to the their office router and makes the PC act like it is on the office LAN.
*User connects to a VPN service that provides a static IP number and can therefore be authorised by NEOSYS to login.

If the client intends to use VPN to connect to their office router and make the PC act like it is on the office LAN, then it depends on what VPN protocols the client's office router supports.

The alternative is to use a paid VPN service that provides a static IP number. Getting a dynamic IP number on VPN is very cheap and there are many suppliers, but getting a static IP number on VPN services seems to be more expensive.

Internally in NEOSYS we use PFSENSE routers which support OPENVPN which is extremely flexible.

==Handling issues with Office PBX phones==

Support should check their respective Office PBX phones every morning to find out if the phone is up and working. In case Support finds any issue with their phone, immediately fix it so that clients do not lose contact with the Support team via phone. Next send an email to Support inbox mentioning the fault, cause and solution for records/future prevention.

==Running undocumented commands on Maintenance mode==

Support Staff MUST NOT run undocumented commands on ***LIVE*** database. Some commands are not documented for a reason, it could be because the commands might give an undesired output or because there is no clarity on what else could be effected by the command.

Even if the command is tested in TESTING database and the output looks okay, support staff MUST get the programmer's approval before going ahead and running the command in LIVE database as there is no guaranty that the command is properly programmed and will do no damage.

==Configuring Browsers to show Javascript errors in NEOSYS==
NEOSYS Support MUST ensure the following Settings for browsers because if NEOSYS generates any javascript error message, the same would appear in the bottom left corner of a window, which in turn helps the programmer to fix the error. This must be done after every Factory Reset.

===Internet Explorer===
Tools > Internet Options > Advanced > Browsing - the items Disable script debugging (Internet Explorer) and Disable script debugging (Other) are '''UNTICKED'''.

===Chrome===
Chrome Menu > More Tools > Extensions > Get More Extensions, search for '''Javascript Errors Notifier'''. Add the extension to Chrome.

[[image:Chrome.png]]

[[image:Chrome1.png]]
===Firefox===
Firebug add-on is used to NOTIFY about script errors because we have no other method to get any warning on screen but you should use the main firefox developer tools to investigate any errors as firebug is essentially replaced by built in developer tools.

For developer tools, go to Tools > Web Console

To enable notifications for script errors, download the add-on Firebug from [https://addons.mozilla.org/en-US/firefox/addon/firebug/ here]. When a Javascript error is encountered, the firebug icon will report the number of errors.

Set your firebug as per the second screen shot and select "Enable All Panels" as well, the tick will not appear like the other options but the option will get selected. If you miss out on any one of these steps, you will not be able to capture script errors.

[[file:firebug1.jpg|1200px]]

[[File:Firebug.png]]

==Handling Browser related issues in NEOSYS==
See [http://techwiki.neosys.com/index.php/Technical_/_Hardware_requirements#NEOSYS_Software_Browser_and_OS_Requirements NEOSYS browser requirements]

Clients frequently ask [http://userwiki.neosys.com/index.php/General_FAQ#Why_doesnt_NEOSYS_support_my_XYZ_browser.3F Why NEOSYS doesn't support other browsers]

To avoid browser errors, all new users must follow the steps given in [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#Getting_started_with_NEOSYS Getting started with NEOSYS] before logging in to NEOSYS for the first time.

To troubleshoot browser related errors see [http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers Troubleshooting Web Browsers]

Users must clear browser cache after every NEOSYS Upgrade to avoid errors. See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS#Sample_email_to_be_sent_to_clients_who_face_issues_due_to_failure_in_clearing_browser_cache Sample email to clients who face issues due to failure in clearing browser cache]

Pop-up blockers and any 3rd party toolbars must be deactivated/switched off or else certain pages and alert messages while using NEOSYS do not appear as a result of blocking from either the pop-up blocker or toolbars with built-in pop-up blockers.

NEOSYS support must ask users to Reset browser (See [http://userwiki.neosys.com/index.php/Reset_Browser Reset browser]) if they notice any user browsers which have pop-up blockers or 3rd party toolbars installed.

Also refer to [[Procedures#Addressing_Browser_related_issues| Addressing Browser related issues]]

==Handling NEOSYS Upgrade==
See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS Upgrading NEOSYS]

==Handling auto-reply emails like Out of Office etc.==

From 28th May 2017 version, emails sent out by the NEOSYS system now contain headers that in effect request recipient email systems not to auto-reply for things like Out of Office. This is to reduce unnecessary chatter by silencing unnecessary automatic replies. There is no guarantee that recipient email systems will comply. The headers added are:

*X-Auto-Response-Suppress: RN, NRN, OOF
*Precedence: bulk

Support team should notify SB of any auto-responses that come despite their installation being patched.

In NEOSYS versions after 10th Jun 2017, emails sent by NEOSYS from the NEOSYS Help menu, i.e. manually triggered emails, do NOT indicate that OOF replies are not wanted, since if you are sending emails to people using NEOSYS, you will want to know if they are OOF.

==Using Support Tools==
===Website Live Support===
www.neosys.com is equipped with a Live Support software and clients can visit the website, click on this link and chat with any of our support staff, without the need for any installation. The client has to fill in their name and enter their questions to connect to an available support personnel. During non-working hours, the Live Support icon on the website automatically displays "offline".

NEOSYS Support personnel who are authorised to provide such support, need to login to Live helper chat in Firefox using the link given below:

http://neosys.com/lhc_neosys/index.php/site_admin/

Support personnel should enter the account details as provided by their Manager.

Enable notifications for Live helper chat so that whenever there is a visitor trying to contact Support team, the Support personnel will get the notifications on his screen.

Set the Live helper chat login page as your home page in Firefox and this page must be kept open for the whole duration of working hours.

Support must always be alert and immediately reply to messages from visitors.

Use the link below to enable notifications:

http://neosys.com/lhc_neosys/index.php/site_admin/chat/listchatconfig

After setting up Live helper chat if you sign in to a new profile in Firefox, you might have to re enable the notifications after your Firefox is synced to the new profile.

===Teamviewer===
Since Teamviewer allows no restriction on access once a fixed pass is installed, Support must not install fixed pass on teamviewer however convenient it might be.

RULE: NO FIXED PASS TO BE INSTALLED ON TEAMVIEWER IN ANY NEOSYS OR NEOSYS CLIENT COMPUTER

Running teamviewer live from a web link is fine because it does not allow installation of a permanent password

For certain tasks that require temporary install of Teamviewer on the client servers (e.g. upgrading Cygwin remotely), use Teamviewer 7 on the server as well as Support staff computer. Contact NEOSYS IT for commercial license of Teamviewer 7. Teamviewer MUST be uninstalled after usage, otherwise it creates an additional unnecessary security risk.

To support client users who use the latest version of Teamviewer, support staff must also install the latest Teamviewer version available alongside Teamviewer 7.

==Documenting Processes in Wiki==
NEOSYS Support staff must be in continual learning mode. This is mandatory for support staff and is not an option. Support must read, learn and understand everything in the support emails and ask questions if they don't understand. This understanding must be transferred into wiki in the form of new articles and improvements to existing articles.

For all articles related to formatting and editing in Wiki, see [http://itwiki.neosys.com/index.php/Documenting_NEOSYS_systems Documenting NEOSYS systems]

===Avoiding duplication of text in wiki===

Duplication of text in wiki is to be avoided almost at any cost. Duplication has the problem that when one copy is changed or improved in future then it is highly likely the editor will fail to update the other copy or copies and wiki will over time become an inconsistent mess.

There are several ways to avoid duplication:

#Two or more procedures which have significant areas of duplication can be rewritten as a single procedure with alternatives in the middle of the procedure
#Wiki Templates- Templates reproduce the same text in all places and editing one place edits all places. See [[How to create templates in wiki]]
#Wiki links- Only put the text in one place and put links to that in all the other places that it is appropriate.
#Place a note in all copies something to the effect that "This is similar to x, y and z". This alerts any future editor of all other places in wiki that might also have to be updated.

Future modifications in one place may or may not be appropriate to other places. The editor must decide whether to change one or all places

===Highlighting information in wiki===

To highlight particular instructions or info in wiki do NOT invent new styles which are not the way the rest of wiki is done. Instead, follow the USUAL STYLE or open a DISCUSSION with any recommendations you have BEFORE USING THEM.

Instead of using various kinds of highlighting styles like bolding and words like "Note:", use the following words IN CAPITALS especially the word MUST.

The use of the following words IN CAPITALS indicates that you are using them in a special way with formally defined meaning as explained below. Use of the words in lower case indicates that you are using the word in an ordinary commonsense meaning.

*MAY - means optional
*SHOULD - means recommended and you need GOOD reason (not just any weak excuse) to not follow to follow this recommendation
*MUST - mandatory

Only in the rare cases where the consequences of doing or not doing something are irreversible or take a lot of work to reverse then you can use your own additional highlighting methods, eg ALL CAPS, stars, color red etc.

====Explain WHY====

Any sentence which uses the word "MUST" in capitals, MUST be followed by a SPECIFIC REASON explaining exactly why is the instruction is mandatory; the reason MUST not be vague and non-specific meaning no more than "or bad things will happen".

WRONG way: You MUST also delete ads if deleting schedules.

WRONG way: You MUST also delete ads if deleting schedules otherwise it will cause problems in future.

CORRECT way: You MUST also delete ads if deleting schedules otherwise the deleted schedules' ads will still show in all media-diary like reports and screens

The Wrong way above gives a general reason "it will cause problems in future" which is vague and a reader may even go ahead and ignore "MUST" because there is no objective or proper side effect mentioned for not following the MUST statement. Basically he doesn't understand the point behind following a certain rule.

Whereas the Correct way gives a SPECIFIC reason for "deleting ads while deleting schedules", so reader will exactly know the trouble that will be caused if ads are not deleted. Therefore "SPECIFIC REASON" behind using the word MUST must be to the point and very informative.

====Why explain WHY====
The information contained in the WHY phrase is often '''extremely informative''' to the reader about things that you may otherwise not have considered saying.

The most valuable information is usually contained in the "WHY" of something. There is an apocryphal story of a company where managers could be fired if they gave instructions to their staff without providing explanation. In almost all cases it is better for the efficiency of a team of people that any instructions they follow contain the "WHY" of something. Only in few cases should staff be expected to follow instructions without being well or fully informed.

==Email Retention Policy==

===Generally===

Emails are retained permanently to allow old issues to be discovered in email searches.

===Account: backups@neosys.com===

Only the last 365 days of emails to backups@neosys.com are kept in general to reduce the burden on servers and clients due to the heavy number of emails.

For the backups/neosys folder, only 31 days is kept due to the very high numbers of emails ~250/day.

Deletions are configured in and done by a thunderbird client in NEOSYS IT so may not be continuous.

==Use of personal email addresses by NEOSYS support staff==

NEOSYS support staff MUST NOT use any personal email addresses for NEOSYS business.

The xxxx.neosys@gmail.com addresses that are created by support staff for themselves on joining are also considered personal email addresses and must not be used for NEOSYS business. These email addresses might be linked to NEOSYS wiki accounts but that doesn't matter because wiki is not confidential.

==Accessing NEOSYS accounts on personal devices==

NEOSYS staff MUST NOT install NEOSYS accounts on skype/dropbox/gmail (or any other external tool) on their personal devices without written permission from NEOSYS management

==Support Staff work-in-progress documents/files==

Support Staff must not save working files hidden on their computer. Work that is not visible is not work .
Support work should not be done privately and should be shared to all.

ALL personal working files however trivial MUST be stored in Dropbox and MUST NOT be stored anywhere in personal computer (My Documents/Desktop etc.)

The personal encrypted pass file MUST be stored somewhere in personal folder under SB NEOSYS staff in Dropbox. This is because if there is a loss of OS/Computer, it should not lead to loss of access as all the passwords saved in the file will be lost.

==Handling CLIENT/NEOSYS Servers==

NEOSYS support staff must exercise extreme caution when working on CLIENT and NEOSYS servers. Do not risk making changes without due care and attention to the fact that the consequences of errors can be serious on working production servers.

===Handling Javascript Files in NEOSYS===

All the files in NEOSYS installation folder with .JS and .JSE extension are the executable javascript files which startup NEOSYS processes (in a usual DOS window). Their default program is 'Microsoft Windows Based Script Host' (wscript.exe). If a JavaScript file is opened using a notepad, the default program may change to notepad resulting in all NEOSYS processes to open up in a notepad.

Hence be very CAREFUL when accessing a .JS and .JSE file and double check that the default program remains wscript.exe. Refer to [[Troubleshooting_NEOSYS_Generally#Fixing_wrong_default_program_assigned_to_open_a_file_type|Fixing wrong default program assigned to open a file type]] in case this issue comes up.

==Handling "List of Open Ports" reports==

This email comes to NEOSYS support team once a day showing only those client's servers which appear to have changed what TCP ports are open to the internet since yesterday. It will also come once a week showing all clients servers open ports.

NEOSYS support team should work patiently with client IT staff, over time if necessary, to close all ports that are not absolutely mandatory to be open.

Clients with highly skilled IT staff may have a variety of ports open to various non-NEOSYS servers inside their organisation. In this case, NEOSYS plays little or no role other than getting their confirmation of exactly what ports are acceptable. Any new ports that appear over time should be handled in the same way.

For clients without such staff, NEOSYS is their only real line of defence and since NEOSYS requested opening some ports, we should get all other ports closed by patiently following up until action is taken. Involving management may be the only way to get IT to act.

High end port numbers (e.g. 49667) may represent transient outbound connections from users. Therefore for such port numbers, support team should contact the client only if the port remains open on the following working day.

In particular, port 80 and 443 controlling internal or external routers should be closed. It is NOT acceptable except in HIGH IT EXPERTISE environments that critical routers should be exposed to the internet and they MUST NOT be accessible from the internet because routers that do not have their software updated can be hacked using known defects. Even updated routers can be hacked. Making it easy for client IT staff to access the router configuration from outside is NOT a good enough excuse to break this rule. Professional IT does not allow access to critical routers from the internet.

Likewise, any port 80 (unencrypted web access) and port 3389 (RDP remote desktop) open to the NEOSYS server MUST be closed otherwise logins can be monitored and there is no way to guarantee server security.

Port 23 (Telnet) is an insecure port because it is unencrypted and should never be open for usage. This is standard practice and well known by any network professional. Since the port is unencrypted, attackers can listen in, watch for credentials, inject commands via man-in-the-middle attacks and ultimately perform Remote Code Executions (RCE).

If a port is definitely required and properly approved to be open by client IT support, please let NEOSYS IT (SB) know and it will be put in the "Authorised" column so that ports in the "Questionable" column are all pending action.

The report does not attempt to detect UDP ports since UDP ports can receive information from the internet without responding in any way so there is no way to detect them reliably.

Green color shows ports that have opened since the last report run. Open ports can sometimes not be detected accurately so a port may appear to disappear in one report and reappear in the next report.

===Why should HTTP port 80 not be open on my router?===

It is not advisable to expose any HTTP server for any private service on your computer network or router because HTTP is unencrypted and this means that all information regarding that service, including passwords, can be observed by any malware on your LAN and internet connection. This information can then be used to install horrible software on your internal PCs.

What to do?

Use https for any internal services - and advisably on a non-standard port, not the standard https port of 443.

For example, NEOSYS service is exposed as HTTPS (not HTTP) usually on port 4430 - not the standard https port of 443.

Commercial hacking is getting really common with things like FIREBALL and CRYPTOLOCKER causing a lot of damage.

It is advisable to take basic precautions pro-actively before any attack exposes weaknesses.

==Handling Nagios Client Monitoring system==

NEOSYS support staff on duty MUST follow the procedures outlined below in case the Firefox "imoin" add-on shows critical or warning messages for any service. Failure to schedule appropriate downtime will lead to REDUNDANT EMAIL ALERTS from Nagios every hour.

Any alert on the Firefox "imoin" add-on means that there is an issue that has not been attended to properly, and "attended to" does not always mean solved. Support staff MUST solve the problem immediately if possible.

If it is not possible to solve the problem immediately, then downtime/acknowledge the service and add a comment on the Nagios alert, explaining the problem briefly.

Support should check Nagios frequently during the day to look for any new alerts so that issues are fixed as soon as possible.

*Nagios is required to be checked first thing in the morning and any critical or warning messages need to be dealt with to resolve the same at the earliest.
*Some of the messages could be related to backup failures and the usual procedure as stated in Handling failure and warning messages on nightly backup alerts needs to be followed. In case the backup issue isn't resolved by 9:30 am, the Nagios service needs to be downtimed with an appropriate comment for a minimum of 2 hours and maximum until 1 am next day if the issue cannot be solved.
*In case of "Backup not changed" warning status which occurs if the client has not interchanged the USB before 12 noon on that day, no action is required from the support staff and a downtime with a comment like "Backup media not changed - Emailed client" needs to be scheduled until 1 am next day.
*In case any HTTPS, SSH, PING service or Host is down, immediate action is required and the relevant IT people at the client side needs to be contacted to get this resolved. A downtime of 2 hours with a comment like "Service/host down - Emailed client" is required to be scheduled with further intervals of 2 hours in case this is not resolved. Support staff shouldn't schedule downtime till 1 am next day, just to get rid of the alerts for the day. Proactive follow up with the client is required to get this resolved before the business day - more so, if there is a weekend ahead.
*In case the HTTPS, SSH, PING service or Host goes down during the day, a grace period of 10 minutes is given before the issue is reported to the client IT, in case there is any temporary internet connection issue at the client or along the internet route.
*In case the HTTPS, SSH PING service or Host is down for more than 1 day, client IT should acknowledge the problem and give NEOSYS support staff an approximate time frame before which the issue will be resolved. Set an appropriate downtime with a descriptive comment for such events.
*In case Host is down for more than 2 days and there is no progress with the fix from client IT, the client management should be notified about the seriousness of not having access to server and their acknowledgement is mandatory.

==Handling lack of remote access to NEOSYS server located in client’s premises==

If access to the NEOSYS server is lost then we must determine the root cause by:

#Checking if the server is UP and running
#If yes, please check internet connectivity on the server
#If there is connectivity, please check the router for connectivity issues

'''Sample Response:'''
<pre>
Dear XYZ,

Please note that we have currently lost access to the NEOSYS server. The server seems to be down at the moment and it seems that
NEOSYS processes are not running on the server.
Kindly check if the server is UP and running. If yes, please check internet connectivity on the server.
Do keep us posted on the server status so we can test connectivity from our side as well.

Best Regards,
</pre>
==New Router (Port Forwarding)==

If you have changed your router then you may notice that external access to NEOSYS is unavailable.

'''Solution:'''

Setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to the NEOSYS Server as follows:

#Port 19580 > 19580 for SSH
#Port 4430 > 4430 for HTTPS

You can see [http://portforward.com/ Set Up Port Forwarding] to learn how to configure your Router.

To see how to test/ troubleshoot port forwarding settings, go to [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting Port Forwarding]].

'''Sample Response:'''
<pre>
Dear XYZ,

You are requested to kindly setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to
the NEOSYS Server,i.e. port 19580 for SSH and port 4430 for HTTPS.

Once this is complete, kindly send me an email to confirm the same so that we could test connectivity from our end as well.

Best Regards
</pre>
==Creating and Handling passwords==
===Creating a password===
Passwords are generated from a pass phrase and it is important to create a very difficult to guess pass phrase.

Passwords made out of a pass phrase MUST be at least 10 characters since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts.

For example, a good pass phrase would be: '''Today is a good day and it is the best time to go for a holiday'''

The password for this would be '''Tiagd&iitbt2g4ah'''

The important instructions for the above are:

#You have to take the first letter of each word and that makes your password (i.e. by using initials)
#Wherever any word starts with a capital, then you have to take first letter as a capital (eg. For Today you will take T)
#Replace '''and''' with '''&'''
#Replace '''to''' with '''2'''
#Replace '''for''' with '''4'''

===Handling passwords===

#Never send the actual password - always send the pass phrase
#Make sure that the password created out of the pass phrase is at least 10 characters long since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts
#Pass phrases are never to be sent by email, whatever the case maybe.
#Pass phrases can be sent by chat - however they have to be broken down in two parts and sent separately over two different messengers or if you are using Gtalk then use the 'off the record' mode.
#Using SMS to send pass phrases is the best known way as of now.
#If you save the passwords on your system in an file then:
#*Ensure that you only store pass phrases in the excel file
#*Ensure that the excel file is encrypted with a master password

==NEOSYS Maintenance Window==

The NEOSYS server is functional from 6am – 1am. There is a 5hr window gap for the system to perform updates & backups.

The 5hr maintenance window:-

1. At 1am – The server performs a data backup on a USB (for the respective clients) & once the backup has been completed, the system automatically generates an email addressed to the neosys staff & the respective clients.

2. At 2:45am – The main data over writes the test data on the server.

3. At 3:00am – The server by itself performs an update for Windows.

4. At 4:00am – The server performs a backup to the headquarters for clients, and then automatically generates an email addressed to the NEOSYS staff & the respective clients.

5. At 6:00am – The server starts up NEOSYS.

==Using NEOSYS Terminology while communicating with Clients==

NEOSYS support must communicate in correct language to clients on finance issues in order to ensure that our records exactly represent reality. Conversely NEOSYS must not use other terminology because it can cause considerable confusion and poor quality results. In case client is new and still in training, use client terminology optionally as long as

#It is only an addition to NEOSYS standard terminology
#Only if clear that it is client terminology by putting in brackets like this "Sales Invoices (called PI by you)", where "you" means the client you are talking to or you can put the client company name instead perhaps.

The objective is over time to avoid having the support team to have to know the terminology of the client. NEOSYS support team cannot possibly know and remember it for each client therefore the client MUST over time learn and use NEOSYS terminology. The initial period is one of relearning and translation for the client not for NEOSYS.

Many users operating NEOSYS finance module do not know proper financial procedures and may not appreciate how doing something in a wrong or unusual way now may not be correctable in the future.

NEOSYS staff must follow NEOSYS procedures only. If NEOSYS procedures need to be updated then this must be agreed in advance and not AFTER the fact.

==Amending/Reposting Journal Entries==
In certain exceptional cases, amending/reposting of journal entries is allowed for only one day to enable clients to present reports in an alternative manner.

It must be agreed with the client that reposting rights will be granted for only one day and NEOSYS Support will automatically remove it and check for CCB error thereafter.

This would be subject to NEOSYS requiring a written LETTER OF APPROVAL duly signed and stamped by the highest management of the company.

In case the client management decides to allow editing/reposting of journal entries, the following procedure is to be followed:

#Client must de-allocate vouchers which need to be amended
#NEOSYS support staff must wait for a day so that de-allocated vouchers are copied into Test database
#Authorise required users to amend and repost (without record) '''in Test database only''' ( While reposting, we have 2 options i.e. with record and without record. The 'with record' option causes the system to maintain a history of edits made. Hence, we want to repost without record so that there is no trace of the edit in the system)
#Amend a substantial number of vouchers in Test and verify them. To verify if the edits made are reflected:
#<nowiki>*Print all ledgers for the whole year</nowiki>
#<nowiki>*Cross-check all balances</nowiki>
#Once you verify the balances are correct in Test database, grant users permission to amend and repost in the Live database.
#Ask users to amend and repost vouchers in the Live database.
#Cross-check all balances for the current year.
#If you successfully verify the balances, revoke permissions immediately. Else, wait for 24 hours and revoke permissions irrespectively.

==Removal of unauthorized third-party software on client servers==

Rule: Any third party software that is discovered by NEOSYS support staff on client servers that has been installed without the agreement of NEOSYS should be uninstalled immediately on discovery.

However purposeful a software is, NEOSYS is contractually responsible for support and there are too many opportunities for poorly installed software to cause unpredictable damage to the NEOSYS database so NEOSYS has to have a clear and safe and simple policy to ensure the integrity of client data. Installing software without prior discussion with NEOSYS by itself indicates that insufficient care and consideration has been given to possible issues.

Having unauthorized third party software on the server can possibly lead to a backup failure. For example, [[Backup_and_Restore#Error_Message:_.22LISTS_file_is_not_available.22|LISTS file not available]] error.

Any software required by client IT for some purpose may only be installed after discussion and agreement from NEOSYS support staff concerning the configuration and operation of the software.

The NEOSYS Software Licence and Support agreement requires that where NEOSYS software is installed on client servers that a dedicated server is provided and dedicated implies that no other software may be installed without the agreement of NEOSYS support.

==Configuring tunnelier to autologin on opening tlp files==
If you have many tunnelier tlp files in a directory and connect by opening the desired tlp file the, instead of opening the file and then clicking Login you can also right click the file and select Connect.

Alternatively, you can configure tunnelier to login (connect) automatically by following the procedure mentioned below. (Even if you configure automatic login, you can still open and not login by right clicking and choosing Open)

===Windows 8===

Cannot be done using standard Windows UI. Some download utilities can do it. TODO put a safe one in neosys.com/support

===Windows XP/Vista/7/2008===

#Go to My Computer
#Click on Tools -> Folder Options [[image:tunnauto-1.jpg]] 
#Click on File Types
#*Select TLP (Bitvise Tunnelier Profile) [Type "TLP" to find it quickly]
#*Click on Advanced [[image:tunnauto-2.jpg]] 
#Click on Connect and Click on Set Default [[image:tunnauto-3.jpg]] 

==International v/s Indian English==

There are some words which have completely different meanings in International and Indian English. NEOSYS Staff should follow International English only. Below are the examples of few of those words:

Word: '''Doubt'''

In the English language word "doubt" means to distrust an alleged fact on the basis of a reason, depending on the strength of the reason which may be anything from factual to feeling e.g "I have no reason to doubt him".
This usage is followed worldwide.

Some people especially from Indian origin use "doubt" when they are unaware about a fact. e.g "I want to clear my doubts about this procedure". This is incorrect. The word must be used when you do not agree on something on the basis of a reason and not when you do not have knowledge about it.

==[[ New Employee Training Checklist]]==

==[[ New Client Training Notes]]==

==[[ General Office Procedures]]==

Implementing NEOSYS

2021-07-28T11:31:09Z

Pratishthit: /* Setting up a new company in the new database */

==Setting up the System Configuration File==
See [http://userwiki.neosys.com/index.php/System_Configuration_File System Configuration File] for detailed description. The following points are essential configuration and must not be ignored.

#All configurations must be carefully done after evaluating which [http://userwiki.neosys.com/index.php/System_Configuration_File#Scope Scope] they fall under.
#Configure the startup of additional processes (Client server:3 for main data and 1 for test data: on Neosys vm server:1 for main data and 1 for test data) and tick the main database with the option to backup. If you do not tick this, the automated backup at 1 am will not happen
#Configure the automatic copy of main database to test database
#Configure backup drive. For virtual servers, refer to [[Handling_backup_in_Virtual_Server| Handling backup in Virtual Server]].
#Configure alert email addresses in the System Configuration File (make sure that there is at least 1 person from the client management [ ] and one person from client IT [ ] who receives the backup alert)
#Set up SMTP Hostname and Port and send a test email from Maintenance to support@neosys.com
#Configure [http://userwiki.neosys.com/index.php/System_Configuration_File#Web_Address_and_Description URL/Web Address] to access NEOSYS. This is very important for a Timesheet module installation as the approver links are picked up from the configuration.
#Set the User Timezone
#Set up [http://userwiki.neosys.com/index.php/System_Configuration_File#Email_Domains Email Domains] and [http://userwiki.neosys.com/index.php/System_Configuration_File#IP_numbers IP Numbers]. Support staff MUST request NEOSYS IT to add the client's email domain to NEOSYS internal email whitelist, so that emails from this client do not get automatically marked as spam.
#Set up [http://userwiki.neosys.com/index.php/System_Configuration_File#Sender_Email_Address Sender Email Address]. Support staff MUST request NEOSYS IT to add the Sender Email Address to the aliases for support@neosys.com. After the Sender Email Address has been added to the aliases for support@neosys.com, send a test email to the Sender Email Address to check whether the sent email is received in support@neosys.com inbox

==Start neosysddns service for Client's with dynamic ip==

See [[NEOSYS_DDNS_Service#Starting_Windows_service_on_the_client_server|Starting NEOSYS DDNS Service]] to start the neosysddns service so that NEOSYS monitoring server at monitor.neosys.com updates zonedit.com with the latest ip of the client server.

You MUST check if the ip is actually getting updated otherwise if the ip changes and neosysddns is not working we will lose access to the server. See [[NEOSYS_DDNS_Service#Troubleshooting_NEOSYS_DDNS_Service|Troubleshooting NEOSYS DDNS Service]] for commands to do so.

==Update Support.htm==
Add the new client to the list of clients page.

See [http://itwiki.neosys.com/index.php/Updating_Support.htm Updating Support.htm]

==Setting up a new company in the new database==
Refer to the [http://userwiki.neosys.com/index.php/Setting_up_multi_company_installations_/_Setting_up_a_new_company#Draft_email_requesting_info_required_to_add_new_company_to_existing_database sample email for New Company creation in existing Database/New Database]

Once the new company is added to the database:
#Set up exchange rate as "1" for the base currency by going to the Currency and Exchange Rate File
#Delete “Client X” from the Client and Brand File
#Set the letterhead refer to [http://userwiki.neosys.com/index.php/Configuring_Letterhead Configuring Letterhead]

Change the system mark for each of the new databases that were created. See [http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Generally#Configuring_Client_Security_mark Configuring Client Security Mark]

Procedures

2021-07-28T07:16:57Z

Pratishthit: /* Handling Clients with Overdue Invoice */

Here are procedures to be followed by Support Staff in respect to various technical matters in day to day operations of client issues.

Once Support Staff have learnt how to follow these procedures & rules, you then start learning when and how to not follow them. Common sense trumps all rules! i.e. don't follow procedures and rules blindly all the time. Analyse the problem and solve it practically.

BUT if you are doing something off-piste deliberately, then just add an appropriate comment about why you are.

==Handling Clients with Overdue Invoice==
In order to maintain good payment speed by clients NEOSYS needs to restrict support to clients that dont pay their bills on time, however the degree of restriction needs to depend on an intimate knowledge of the client which cannot be expected from all NEOSYS support staff. Therefore we will use a simple escalation policy as follows:

===Overdue Support List===
NEOSYS SUPPORT MANAGERS WILL maintain an overdue list on a whiteboard visible to all support staff. Generally, clients will go on the list immediately when their invoice is overdue and come off only after satisfactory commitment to pay have been obtained.

The latest overdue list email MUST always be starred until there are no clients left on the overdue list (apart from the permanently overdue clients). When a client is added to the overdue list, support must set up a filter to move client support emails to the overdue folder. When a client is removed from the overdue list, client emails must be moved back into the support inbox. This way support team will know that there are still clients on the overdue list and will not mistakenly provide support to those clients.

[[image:FilterOverdue.jpg]]

For the first week of each quarter of the year, normal support should be provided for server failures and backup failures (including hung processes as it could eventually lead to backup failures).

For any other support requests from overdue clients, respond with the following letter (where XYZ is the overdue client):

Dear <user>,
There is an issue with your company's account. We have requested our Accounts team for approval in order to provide support to you and other <XYZ> users.

Support staff MUST then provide the required support to the overdue client only after 4 working hours. Support Staff need not actually contact the Accounts team for approval, although that is what is mentioned in the letter. This delay in support is to encourage clients to settle their payments on time.

After the first week of each quarter of the year, respond to any support requests from overdue clients with the above letter but MUST NOT PROVIDE SUPPORT even after 4 working hours. Instead, Support Staff must refer the support request to NEOSYS Support Manager.

Managers may well instruct support to provide support on a case by case basis even if clients are on the overdue list. Being on the overdue list does not necessarily indicate a major issue with accounts.

Once the client provides a proof of payment, before removing them from Overdue list, check all the details as mentioned on [https://userwiki.neosys.com/index.php/Sales_FAQ#When_can_NEOSYS_support_staff_start_installation_of_NEOSYS When can NEOSYS support staff start installation of NEOSYS]

===Handling complaints about Licence restrictions===

Sometimes when a client delays payment of NEOSYS invoice, support places a licence restriction for the client. In such cases, users will not be able to create and save documents dated outside the licence period. Due to this sudden restriction, clients may raise complaints about the restriction placed.

Support MUST simply inform them that licence restrictions are a default procedure followed by NEOSYS and is applied to all clients, so that the client will in future avoid delaying the payment.

==Handling Frozen NEOSYS Installations and Databases==

Some clients retain fully operational NEOSYS installations or just particular databases even after they stop using them for some reason, either because they move to some other software, or because they terminate an operational division, or other reasons, and this can either be on NEOSYS or their own servers.

In this case, various NEOSYS upgrade and maintenance processes may be suspended, downgraded or completely skipped especially if instant access to the server is no longer available. This does not mean that it should never be done, and pros and cons need to be assessed and documented in support emails on a case by case basis.

*Upgrading NEOSYS version
*Upgrading/standardising NEOSYS database configuration and other files for consistency, security or other issues
*Patching Windows/IIS configuration for consistency, security or other issues

==Handling Links and Email Attachments==

'''DO NOT TRUST ANY LINK OR ATTACHMENT IN ANY EMAIL EVEN FROM HIGHLY TRUSTED PEOPLE OR ORGANISATIONS'''

These days you can no longer trust links or attachments in emails from anybody - even emails from highly trusted people like your bank.

If a personal computer or intermediate email server is hacked then even genuine emails sent out from it can be infected and modified in a hidden way that can result in the recipient being infected if they click or open anything in the email.

Therefore you should know and understand how to avoid, as far as possible, getting tricked and infected via emails.

Malware authors generally rely on the fact that most people devote no time at all to security precautions so a moderate cautious approach, slowing down a little to spending some time on security, even where it is apparently not required, is enough to defeat most attacks.

===Links===

Do NOT click on links, especially in emails that you are not expecting, but also anywhere else that you see links, without taking various precautions. The links in an email, even from someone you know and trust, can LIE to you about what website they will open and they can lead you to websites that mere browsing can infect your computer and then others inside our network.

WHAT LINK/WEBSITE WILL BE OPENED MAY NOT BE WHAT IT SAYS IN THE BODY OF YOUR EMAIL!

Therefore, to use a link in any and all emails, first hover your cursor over it and check the status bar at the bottom of the screen where you can see exactly what website will be opened, or, to be more sure exactly what website you are opening DO NOT click links in emails at all. COPY/PASTE the link to your browser, AFTER following the below points.

*Make sure you know and trust the website being opened.
*Carefully inspect the spelling of the domain name to avoid tricky look-alike fraudulent links eg hcsb.com instead of hsbc.com
*If you trust the sender but you do not personally know the website then get independent confirmation from the sender. Reply to the email so that the sender can check the link you received has not been tampered with.

Example 1:

Below is an example of a phishing email that you can easily tell is malware

[[image:Scamscreenshot1.png]]

*You don't expect it because it says "before your sign up is complete" ... but you didn't just sign up.

This doesn't mean that links in emails that you ARE expecting ARE safe to open. All the usual cautions apply to emails you DO expect.

*Hover mouse over the button and check the link visually

In the example above, the email is supposed to be from Dropbox, but hovering the mouse over the button shows the below link, which is obviously wrong:

http://fxloraisdoxbraxsil.com.br/dropbox.html

*Even if the link looks genuine e.g. something from a service that we use that we didn't expect, be careful for misspelt links that look like genuine links e.g. drobbox.com, which could trick you if you are sloppy.

Never click on links in emails unless you are absolutely 100% sure that the email and link is genuine.

Copy the link using right click copy link then paste into your browser if there is the slightest doubt.

Example 2:

In the following case, hovering over the first two links seem to go to real UPS website, BUT this is NOT sufficient to be sure since slight misspellings and other tricks can lead you to a totally different website.

However, hovering over the third "link" shows that clicking the apparent link would go to some website http://behappy.vn (Vietnam) so clearly this is a DECEPTION.

[[image:Scamscreenshot.png]]

Example 3:

In this case, an unknown organization behind the phishing attack is pretending to work for Leaseweb sales company and is sending emails from an email address similar to Leaseweb’s, and with Leaseweb’s footer. They claim that the original payment was declined and ask to wire or transfer money to a new account. These kind of emails are quite sophisticated and require you to be vigilant.

Try to confirm the sender’s identity before replying to email requests and before opening attachments or clicking on links, even if they appear to come from a legitimate source.

Below is an example of a fraudulent email request:

<pre>
Your payment has been declined!
Your invoice (100421) with Office 365 Service is due.
To make a payment, please log in with your email address and password at

https://leaseweb.com/payment/100421
Once logged in please click select the Make a Payment icon in the Billing Tab. You may complete payment by Credit Card or Paypal on this page.

Once paid no further action is needed and your account will remain active.
We thank you for your continued business and assistance in helping us to get this resolved.
Feel free to contact us if you have any questions, comments, or concerns.

Regards; </pre>

===Attachments===

Please follow these rules strictly:

*<nowiki>*NEVER* open an attachment that you did not expect.</nowiki>

*<nowiki>*NEVER* be curious to see what is in an attachment.</nowiki>

*<nowiki>*NEVER* open an attachment if there is some other way for the info to be sent e.g. Screenshot of document.</nowiki>

If the rules above are followed then:

*You can open an attachment if you have requested it and if sender is unable to take a screenshot.

*You can open an attachment if you get a good explanation of it contents from sender and they are unable to take a screenshot.

It is okay to save an attached eml file and open it with GEDIT as text, as it will not trigger any virus.

This does NOT mean that you can open attached files freely. As per the procedures above, you should NOT open any unknown or unexpected attachments without CONSIDERABLE thought.

But saving and then opening files with GEDIT to get an idea of their contents even if the view is mangled is okay. Although, there is little point in opening files like ZIP in gedit.

There is no way to determine if an attachment, even from someone you know, has not been infected and is therefore, dangerous.

The only protection is to rely on anti-virus/anti-malware e-mail filters and staff vigilance!

You can check the names and file types/extensions of attached files to spot any obviously strange or unexpected attachments, but this is not very effective. The filename of an attachment could be spoofed. An attacker could potentially exploit this by tricking the user in to opening an attachment of a different type to the one expected.

Attachments ending in .jar or any other unusual extensions shouldn’t be opened without SB's permission.

If there are a lot of attached files, don't assume they are all safe, make sure you asked for each of them.

==Handling emails from unknown email addresses==

Any sort of contact from an unknown email address must be ignored entirely, i.e. no response whatsoever from Support, as these emails could be from a fraudulent source. If the email is genuine, then the sender can surely contact their managers.

Support should keep in mind that hackers can send emails that look genuine, aiming to get private/confidential information and so should always stay alert when dealing with such emails.

==Handling junk/spam email==

In order to get better automatic spam email filtering please mark as many obviously spam emails as Junk, instead of just deleting them. Marking them will delete them so it takes not much longer to do.

*DO NOT delete emails from Junk or Spam folder because they are used to identify future junk and spam emails.
*Any email identified as junk should be marked as Junk so that they automatically go into the Junk folder. The spam filter in the mail server will use these emails in the Junk folder to decide what is moved into the spam folder.
*You MUST ensure that all clearly junk/spam emails are marked as Junk/Spam in ALL email inboxes. In other words they MUST be moved to Junk/Spam folders and not left in our inboxes or other main folders.
*Any emails which are not clearly junk/spam emails or are similar to genuine emails, but you know are spam/junk MUST be deleted i.e. NOT left in inbox NOR moved to Junk/Spam folders.

Failing the above we will have the following problems:

*Real emails disappearing into junk/spam folders by our email server.
*More junk/spam emails appearing in our inboxes than necessary.

The Junk email folder contains emails that have been manually marked as spam/junk whereas the "spam" email folder contains emails that have automatically been filtered out by the email server.

==Avoid burdening email servers with excessive graphics==

Support MUST install the "Auto Resize Image" addon in Thunderbird to reduce the size of images in emails resulting in a significant reduction in email size. See [[Configuring_Thunderbird#Configure_Auto_Resize_Image| setting up auto resize image]] for details.

It reduces the burden on NEOSYS and NEOSYS client's email servers. This is especially important on long conversations about subjects that include many screenshots, since for just a simple one line reply, the email can consume many MB of space. It massively wastes the email server space and makes backups massive and generally a total waste of resources and time.

To be able to refer back to graphics in previous emails, add the SIZE column to your email program so that you can locate large emails with graphics rapidly without searching back one by one.

==Client Communication Policies==
===Client Meeting Report Policy===

After every Client meeting online or otherwise Support MUST send a Follow-Up email to the Client which is open and fully informative and not brief, stating the events during the meet and any action required by either or both parties. The email to the client must not shrink from discussing contentious issues due to a false sense of politeness or timidity to address issues face on. Obviously one should not be rude but it is not rude to address issues openly.(cc Client managers and NEOSYS Managers)

The follow-up email MUST be sent within 24 hours of completion of the meeting so that the points discussed during the meeting are fresh in all the meeting participants' minds. This means that reports for meetings on the day before the weekend MUST be sent on the SAME day.

In addition to above email if there is some information that needs to be shared internally and cannot be said in public to the client then send a Client Meeting report to Support.

Support must also update the Client Contact Record file in Google Drive immediately after sending out the follow-up email.

===Follow Up of Support Issues===

All voice/chat communication MUST also be followed up with an email confirming at least the gist of the communication to keep the whole support team updated on the issue.

If not possible to contact for any reason, then an email MUST be sent stating so and suggesting or requesting a time to connect.

cc Client managers (and/or BCC NEOSYS Managers) MAY be done if thought to be useful and/or appropriate.

===Handling Contentious Emails from Clients===

If emails requesting support become contentious, then voice, phone call or chat is REQUIRED to save time. However, client support via phone call should be done only on local or low-cost calls. High-cost international calls should not be used except in extreme circumstances.

If clients become deliberately combative or uncooperative then Support team is supposed to kick back a little but still emphasise the point. Perhaps it could be done better with a little ironic humour or a smiley. Avoid using !! while responding to contentious emails.

===Apologising to clients for issues===

We only need to apologise for major issues that are a) definitely our fault and b) we wish to indicate that there is some general issue in NEOSYS procedures and that we are dealing with it.

We do not want to invite bullying by some clients by seeming to lack confidence in our ability.

An explanation of the cause and possibly FP is of more value to the client, since an apology doesn’t really make any difference.

===Discussing Pricing===
All discussions about pricing must be done only in Sales inbox. If clients bring up pricing discussion in support emails, NEOSYS staff must respond to the client by starting a new thread in the Sales Inbox.

==NEOSYS Support Response Time Policy==

NEOSYS contracts, in the few cases where we have a written contract with the client, specifies that maximum response time is one business day generally and one business hour for complete stoppages of the system. Obviously we have to do far better than this in practice.

Support staff must inform clients of the progress of the issue if it is not resolved the same day but only if they contact at least 1 hour before office closing.

Deciding to wait on issues is fine (also refer to: [[Procedures#Handling_users_who_do_not_act_upon_standard_messages|Response to standard messages]]), but support MUST at least spend up to 5 minutes on issues to see if they can be handled quickly. Support MUST respond quickly to issues that can be handled quickly, otherwise the client suffers unnecessarily.

When an issue is fixed or a client request has been implemented in NEOSYS, Support must immediately let users know that the issue is fixed, so that clients can continue their work without any further delay. Quick and prompt responses from Support will gain the client's appreciation.

For routine requests for service where there is a reasonable expectation of delay by the client then no need to send rapid reply.

==Default Browser for support staff==

NEOSYS supports and develops for Firefox primarily but other browsers such as Chrome and Edge MUST also be tested working fine. Support team currently uses Firefox for all work related tasks in Ubuntu which includes testing, wiki work etc.

Also refer to [http://itwiki.neosys.com/index.php/Setting_up_Ubuntu_on_NEOSYS_Support_Computers#Mozilla_Firefox Setting up Mozilla Firefox]

==Handling errors discovered by support staff==
{{Handling errors}}

==Handling browser script errors==

If a script error is faced, support should take a full screenshot of the script error including the script name, line number, etc.

Include every detail available regarding the script error and also the steps to replicate it and escalate this to the programmer.

Chrome JavaScript Error Notifier extension shows all the details available in the initial script error message itself. In Internet Explorer, you will have to click 'Yes' on the script error message to get all the details.

==Various checks done by Support to investigate errors==

A list of logs/reports that Support must look at, depending on the situation, to solve issues or investigate errors.

#Support inbox emails: Check old emails in Thunderbird. This is the quickest way to handle issues/errors that were handled recently.
#Logs/reports available in NEOSYS Menu
#*Request Log (Support -> RequestLog) - These logs can be checked to see what request were made and by which users etc., not as detailed as the xml logs mentioned under "Logs found on the server".
#*NEOSYS logs (Support -> Log) - Log of alerts sent out via email, e.g. backup email, login failure, etc.
#*What's New report (Help -> What's new in NEOSYS) - Contains a list of all the features added in NEOSYS
#*List of Database processes (Support -> List of Database Processes) - Status of processes windows running on the server.
#*List of documents in use (Support -> List of Documents in Use) - Currently used documents.
#*User details page (Help -> User Details) - To check logins and IPs and password reset details.
#*Version logs of files - The history of edits made to files in NEOSYS. This is available at the bottom of files in NEOSYS (e.g. Schedule file, Voucher file, etc.)
#*Usage Statistics (Support -> Usage Statistics) - Shows no. of requests made per user, per department, per database, per hour etc.
#Logs found on the server:
#*Xml logs - These logs can be checked to see what request were made and by which users etc. in detail.
#*Process logs (.LOG files) - These log files contain entries showing start of database backup, and process startup logs.
#*Process windows - Check process windows on the server for error messages or anything unusual, e.g. hung processes.
#*Procexp (Process Explorer)- Used to check ntvdm processes running for specific installations (useful on servers with multiple installations).
#*System logs (Event viewer) - Used to check for unusual system events, eg: unexpected shutdown.
#*Task manager - Checked to monitor CPU usage, NTVDM running etc.
#NAGIOS - Monitors the status of all hosts and services.

==Handling Cheques from Clients==

NEOSYS staff are not to accept deliveries from clients that might be cheques without prior instructions to accept the same. They can ask courier to wait a few minutes until NEOSYS accounts or management agrees but they may not be immediately available and probably will not agree anyway. If accounts or management is not immediate available, then cheque MUST not in any circumstances be accepted, otherwise client can cause problems in our accounts and we waste time visiting the bank to deposit.

NEOSYS payment terms do not accept cheques although clients are free to deposit cheques by themselves.

==Client Password Policy==
All client user passwords, including their initial one, are to be obtained via the user's email address using the password reminder/reset button on the login screen. [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#What_is_NEOSYS_password_policy.3F (NEOSYS password policy)]

NEOSYS staff should never know users passwords therefore NEOSYS will not obtain and grant user passwords. The reason for this is that in the event that users lose their passwords to other people who then login unauthorised then suspicion could fall on the NEOSYS staff who know their password.

All parties concerned, including client management, client users and NEOSYS support staff, benefit greatly from trusting that if something in a NEOSYS database is registered as having been done by a particular user then it was not in fact somehow done by NEOSYS support staff. Nothing should be done that would break such fundamental trust. To achieve this, NEOSYS support staff must never log in as particular users, never ask for users passwords and generally enforce the idea that all work logged as being done by users IS done by users.

Very limited amounts of work by NEOSYS support staff either in person or remotely using teamviewer is acceptable while a user is logged as long as the user login was performed by the user themselves, the user is present and the user specifically agrees with the work being done.

===Support requests from ordinary client users===
Any support requests concerning inability to obtain passwords will be forwarded to known skilled users on the client staff since this is the most efficient (not fastest) way to handle such issues.

===Support requests from senior client management===
Any support requests concerning inability to obtain passwords by senior client management users shall be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bearing in mind that NEOSYS staff should never know user's passwords this will probably involve NEOSYS staff using the Password Reminder/Reset button to send a new password to the user.

===User Defined Passwords===
NEOSYS will provide user defined passwords in very special cases which must be pre-approved case by case by NEOSYS management. NEOSYS will not approve this due to the reasons mentioned [[Procedures#Client_Password_Policy|here]].

If the user login gets blocked due to multiple login failures and the user requests support team to reset the password to the user defined password again, support MUST delay the response to this request by at least 1 hour in order to force the user to be more careful when typing the password.

Currently permission for user defined password has only been granted to one NEOSYS client with several hundreds of databases.

==Handling client issues and requests==

All support issues must be dealt with through phone/email/chat. Support Staff can schedule client visits for User Training but should not schedule client visits solely for providing support for petty issues.

ALL Support staff should check all the previous day's inbound emails for reply flags once in the morning. All Support staff will therefore be held responsible for any unreplied inbound email.

Support MUST NOT waste time and delay support by investigating issues WITHOUT SUFFICIENT INFORMATION.

Support must NOT get involved in any discussion about any document that is not directly out of NEOSYS, so that Support is able to reproduce it from NEOSYS screenshots of screen options that the client used.

Support should look for similar issues when solving a particular problem to avoid similar issues in future. This saves the time and energy of Support as well as the Client.

When sending screenshots to clients, support team should economise on space by minimising to the minimum that will show the problem clearly. This is because not every user will be viewing their emails on large wide screens like NEOSYS support team. Browser windows reformat their contents to suit the width available so this is particularly effective in most NEOSYS screens.

Support team MUST be cautious while sending screenshots so that no private/unnecessary information is sent to Client. If you cannot avoid taking the screenshot without unnecessary information then you should hide it in the screenshot.

Support team MUST learn not to do silly support for people, because we have an OPEN SUPPORT policy, which some users WILL try to abuse based on either poor understanding or lack of respect.
Either way support MUST learn to deal with abuse of privileges as it will save a lot of time, which could be spent on more important issues.

{{SensitiveSecurity }}

===Handling new emails in Support inbox===
Support MUST spend up to 5 minutes on new emails and send a quick reply to the client, to acknowledge the request or give a quick solution in case it is a petty issue or has a documented solution in wiki.

Client issues/requests should be prioritized, interrupting existing work and not wait for one hour and be dealt with quickly.

For routine service requests where there is a reasonable expectation of delay by the client, Support need not send a rapid reply but must keep the email starred in Support inbox to indicate that it is pending or being worked on.

===Handling starred emails in Support inbox===

When an email is received in Support inbox,

*if the email can be replied to immediately, then mark it as read after you have replied to the email.
*if the issue cannot be resolved immediately, then the email MUST be starred so that support does not forget to work on it. Once the issue has been resolved, Support should send an email to Support inbox confirming that the issue is closed. Only then should the email be unstarred.

No issue should be silently dropped without being fully resolved.

===Handling client-sensitive information in emails===

Support should avoid including information that could be sensitive to clients e.g. screenshots of reports that should only be viewed by client's upper management.

This can be done simply by clever cropping of images or blurring out of information in cases where cropping is not possible.

Support MUST not delay response to any client by wasting time blurring or cropping out information that is not sensitive to clients, e.g. blurring out the URL and tabs in browsers etc.

===Handling client call back requests===

Clients who ask us to call them should be given our phone number and asked to call us unless there is some GOOD reason why we should make the effort and pay phone charges.

===Handling login failure issues===

Users often get login failure issues due to typing wrong password and they simply won't read and act according to the error message they get. In this case, Support must send the below email to the user.

<pre>
Dear XYZ,

If you have trouble resetting password, please ask for assistance from your manager/IT Manager/Timesheet Administrator/NEOSYS-expert colleague.

Regards,
NEOSYS Support
</pre>

Local support users (TA or IT manager etc) have the LS key using which they can see the User Details page of all users. They should check all the information (usercode, registered email id, last login attempts etc) in the User Details page to find out what is the issue.

This procedure will reduce the endless mails sent back and forth to solve petty issues which could easily be solved by the client's local support.

===Handling requests or demands for "URGENT" or "PRIORITY" support===

Any request for prioritised action *without giving any reason for the prioritisation* should be disregarded and the request handled with normal priority. If a reason is given then you may at your discretion prioritise a response but there is no obligation to do so.

===Handling users who login with other people's NEOSYS usercodes===
This can cause a lot of confusion in both the client and NEOSYS support. It may also indicate that the correct NEOSYS monthly licensing fee is not being paid. There is no valid reason for anonymous logins or sharing logins between multiple users.

Therefore if NEOSYS support team get requests for support about using NEOSYS from users who are not registered properly in NEOSYS with an personally identifiable user code, name and email then the following email should be sent cc admin@neosys.com.

No exception should be granted to clients without NEOSYS management approval.

<pre>
Dear NEOSYSUSER,

Please note that in order to receive support from NEOSYS you must personally have an identifiable user code, name and email address registered
in NEOSYS.

We can create new user account for you with your management approval. This may or may not have an impact on the NEOSYS monthly licensing fee
depending on the agreement in force.

Please let us know what you would like us to do.

Best Regards,
NEOSYS Support
</pre>

===Handling support requests from expired users===

If expired users call for any reason including not being able to login, they must not be given any support. They should only be told that their account is expired without any reason being offered because employers sometimes do not want any information at all being passed to expired users.

===Handling support request from senior management===

Any support requests from senior client management users concerning report generations should be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bear in mind that NEOSYS staff should not agree or offer to do client work. Support staff can advise senior management to contact a skilled user to help them with basic NEOSYS reporting. Support staff can also send screenshots of step by step procedure on how to take reports. Depending on the situation and reasons provided by senior management, support staff can at their discretion provide reports but after informing them that this is an exception and no more reports will be sent out as this is against NEOSYS procedures.

===Handling requests that involve updating NEOSYS configuration files===

Changes to any configuration file in NEOSYS MUST be performed only by NEOSYS support, because even the slightest misconfiguration of the system may cause unrecoverable errors and NEOSYS is responsible for support.

===Handling emails with unrelated subject line===
At times, clients forward old emails, with new issues, resulting in completely unrelated subject line. In such situations, support MUST follow the below steps to ensure that unrelated emails do not appear in the same conversation group when viewing emails in conversation mode:

#Right click the email -> HeaderToolsLite -> Edit full source
#Modify the text that appears after "Message-ID: <". (e.g. replace the first few characters with "xxxxxxxxx")
#Remove all texts that appear after "References:" and "In-Reply-To:" and click OK.
#Click Reply All on the modified email.
#Change the subject to a relevant one.
#Delete old unrelated content from the email body.

In the email reply, include a comment like "PS Please don't forward old emails for new issues, start a new email with a new subject so that emails can be traced easily."

Sometimes the client does not bother putting the correct subject line for new issues (e.g. blank subject, or "Error"). Then support should add a meaningful subject line in order to make the email easy to search for.

===Handling emails with poor screenshots===
Sometimes Thunderbird shows full sized screenshots in a compact format that is not easy to read. These can be resized to make them more legible. To do this, make the email editable by hitting the "Reply" button, then click and drag to resize the screenshot as desired.

If the screenshot sent by the user is genuinely small and hard to read, reply to the mail and request for a full size, clear screenshot.

===Handling support-request emails sent to anywhere than support@neosys.com===
Client emails anywhere than support@neosys.com MUST be ignored. This is because ALL support must be recorded in support inbox without exception so that the whole support team is aware of the issue and action taken. If client complains about the delay in support then they can be told this is because they used the wrong email address.

===Handling users who do not act upon standard messages===
When users do not bother to read and act on standard NEOSYS-generated messages and instead ask for help, Support staff MUST delay response time and thereafter send them an email which is the same as the message so they get the point that in future they should read the messages and handle issues themselves.

===Handling Requests to do Client work===
NEOSYS Support staff must not agree or offer to do work on behalf of the client.

This is because doing client work while logged in as NEOSYS breaks security rules. Support uses the NEOSYS username which has unrestricted access, so when a user requests Support to do some work which they don’t have access to, and if Support agrees to do the work, the client has successfully defeated the security rules by accessing features that they are unauthorised to access.

If a client makes a false claim about an issue in NEOSYS, i.e. if Support finds out that there is no real issue, then direct the client in the right direction so that they find out their mistake by themselves. Support MUST NOT show/explain the problem to them in detail, since you are just doing their work for them by explaining the problem and this will encourage the client to contact support for every petty issue they face.

Client work also includes [[Procedures#Handling_issues_with_totals_on_reports|Handling issues with totals on reports]].

====Requests for colour and font changes====

Support should not be spending lots of time on colour and font changes. Clients can make as many changes as they want until they are happy with a selection. Clients MUST send a screenshot of their required color/font settings (not sample screen/reports) for Support to copy and setup for all users. If Support sees them doing something bad or poor then give comments or better suggestions.

===Handling Requests that require Approval from Higher Authority===

The following is a list of user requests that must be handled by NEOSYS support staff only if they are approved by or come from a higher authority (manager/admin). The LIST is '''NOT''' a complete list so there may be other things which might require approval so use good judgement and/or ASK if in doubt.

*Opening new financial year
*Adding new company/dataset
*Editing alert/backup email receiver addresses
*Customising Authorisation File ({{SensitiveSecurity }})
**Adding or removing accesses for existing users in Authorisation file
**[[Procedures#Handling_new_USER_creation| Adding new user(s) to Authorisation file]]
**Expiring a user
**[[Procedures#For_HTTPS_access| Allowing HTTPS/outside office access from any IP number]]

If an unauthorized user sends one of these requests to support staff, support staff must immediately instruct the user to get the request approved by the higher authority.

===Handling User Requests to add an IP or range of IPs to access NEOSYS===

Support staff must identify if the IP or range of IPs is for http or https access.
{{SensitiveSecurity }}

====For HTTP access====
Support staff can add local IP or range of local IPs when requested by the client. Top management approval is not needed to add local IP numbers. Listed below are the IP address ranges reserved for local network.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

====For HTTPS access====
Any request for https access from any IP address or range of IP addresses (eg. 123.456.* or just *), or in other words any use of an asterisk in the IP restrictions, MUST have TOP management i.e. the company's decision makers approval. The Staff and their Managers are not the best decision makers in this affair because they usually ignore the risks and it is not really their decision. Security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc can be triggered if access from any IP is enabled. It is completely pointless to inform the staff who want the access about these risks because only their top managers could really decide that this is NOT going to be allowed. Hence the Top Management MUST be asked for approvals and at the same time WARN them about the security risks/threats behind the no IP restrictions.

=====For clients with static IP=====
Any request to add a specific IP address to the list of allowed IP addresses MUST have management approval.

=====For clients with dynamic IP=====
For clients with dynamic IP, support MUST NOT add their public IP to the allowed list as this will encourage the client to again request for access from new IP numbers every time their public IP changes. Instead, support MUST force the client to either get a static IP, install VPN or get the Top Management i.e. the company's decision maker's approval to enable access from any IP after explaining the security risks in doing so, as mentioned above.

Support MUST also mention that installation of VPN by the Company is the industry standard way of providing access to mobile staff (i.e. those on dynamic IP numbers from home or traveling) to corporate software assets like NEOSYS IN A SECURE MANNER. Installation of VPN is to be done by their own IT support. Refer to [[Procedures#Using_VPN_to_enable_secure_access_from_outside_the_office|Using VPN to enable secure access from outside the office]]

Sample Email addressed to Top Management:
<pre>
Dear <XXXXX>,

I do not recommend allowing access from all IPs because security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc. can be triggered if access from any IP is enabled.

I strongly recommend that you keep IP restrictions for <XXXXXX> dataset.

If you want to provide access to mobile staff (i.e. those on dynamic IP numbers from home or traveling) to corporate software assets like NEOSYS IN A SECURE MANNER, then installation of VPN is the industry standard of achieving this. Installation of VPN is to be done by your own IT support.

If you still wish to allow access from all IPs, kindly confirm that you acknowledge the security threats of doing so.

</pre>

===Handling repeated request to allow users to access from all IPs===

{{SensitiveSecurity }}

If the client wants temporary access from outside for some staff twice in say a six months period then support should send the below email. The real reason is because we don't have the time to be doing this on a regular basis. If at all the client asks why we no longer support the provision of temporary outside access then we can say this is because of the frequency of such requests.

Dear XXX

We have given you temporary outside access this time, as requested. Please note that we can no longer support the provision of temporary outside access. So in the future, you will have to choose between either permanent or no outside access. Alternatively, you can ask your management to install a VPN (which is the industry standard of achieving outside access to a corporate asset in a secure manner), so that you can log in to NEOSYS from outside.

===Handling requests to create a new feature or modifying existing features===

Many issues are small and not important but can still be considered for development because they may be easy and neatly added to NEOSYS. The aim here is to avoid development on hard issues for little benefit, or little issues that make NEOSYS more complex for little benefit.

When a client requests to create a new feature or modify an existing feature, a workaround must be given to the user, which is either a permanent solution, for example if the issue is a rare case and not commonly faced by other clients (and the workaround is acceptable to the client), or a temporary solution until some better solution is discovered or can be developed.

Support MUST check all options on all pages to look for any already existing solution or workaround to the problem before emailing the programmer.

Any request to create a new feature or modify an existing feature MUST be discussed with other clients before forwarding it to the programmer because the other clients might not be comfortable with the change as it may not be in accordance with their workflow. If other clients agree to the proposed change then support should go ahead and request the programmer to implement it.

Therefore before escalating a request to the programmer to modify a feature in NEOSYS, the approval for the same from other clients must be taken into account.

Any request to fix or modify a feature in NEOSYS must be accompanied with good reason and some basic considerations, so that the programmer knows what level of priority it can be dealt with.

When escalating the request to the programmer, support MUST avoid using "Is it possible..?" because the obvious answer to that is "Anything is possible" and because this question is only a way to avoid doing the real work of deciding whether the new feature/modification should be implemented.

===Handling requests to add more fields to List of Invoices reports===

Many users may ask for the List of Invoices report to be expanded to show a zillion other things, but this makes it NOT a list of invoices. Therefore other break-downs MUST be obtained from other reports in NEOSYS.

===Updating Clients about unresolved issues===
Support should proactively inform clients if an issue is not solved within the same day it was raised, after judging the urgency of the issue and the time it was raised. An email to the client who raised the issue, before the end of each day, is a best practice that keeps the client updated and other support staff too. This email should be sent regardless of the degree to which the issue has been resolved or if the issue is unresolved. If the issue is unresolved, the email should explain why and also explain the cause of delay.

===Handling new USER creation===
====Get Approval====
Support staff should create new USERS for clients ONLY when requested by an authorised person. If the authorised person is unavailable, for example on leave, then get approval from someone who is in the backup mail list.

Ideally only people who are users in NEOSYS and have authority over some task can grant or request authority to do that task to other NEOSYS users. However, if this is not the case and the requesting person has some seniority in the company (but is either not a NEOSYS user, or is not actually currently authorised to perform the task themselves) you may decide that it is not wise to proceed without some confirmation. In such a case be very respectful of their position while rejecting any request perhaps stating something like:

"Currently we have instructions to take instructions concerning authorisation only from xxx, yyy and zzz. Please could this request be confirmed by one of them?" Rewrite this judiciously to suit the occasion.

Consider that different sections of a company may have different chain of commands. For example one should not assume that a Sales Director has authority over Finance unless there is firm evidence. If there is any doubt consult NEOSYS Support Managers.

Support MUST NOT directly contact the authorised person asking for approval/confirmation because that is client work.

Clients should not be discouraged to create new users. Clients are billed as per user usage which is reviewed periodically. Over time old USERS are replaced with new USERS.

====Creating User====
Preliminary:

New user requirements :-

*Full name - (like John Smith and not generic name like Copy Writer)
*Email address - (like johnsmith@example.com and not generic address like copywriter@example.com)
*Group level / User with similar authorisation

The USER code is the first name of a user.

1. Support MUST only create NEOSYS accounts with real names and email addresses WITH NO EXCEPTIONS unless agreed by NEOSYS management.

It is acceptable, although inefficient, for one person to have multiple user accounts either concurrently or sequentially, but the opposite MUST never occur.
One NEOSYS user code/account MUST never have more than one real person associated with it neither concurrently nor sequentially.
In order to maintain efficiency, various fleeting temptations to cut corners and break the ONE TO ONE link between NEOSYS users accounts and real people MUST be resisted.
These principle remain mandatory even when pressure is exerted by people, even senior management, who may not appreciate the issues involved.
The fact that NEOSYS support does not know for certain who is the real person using an NEOSYS account does not change these principles.

2. Support MUST not create GENERIC user codes like AUDITOR or MANAGEMENT (even to grant special access to such users like read-only access) as this breaks all security rules.
Do not re-use user codes. Always create NEW user codes for NEW users.

3. Support MUST not create or modify any usable NEOSYS account that is or has been used by more than one user.

4. Support is responsible to maintain the system in good working order and not knowing who is really doing the work in the system can make support harder.

5. Support MUST not collude with clients to by-pass the principles. If asked to do so Support MUST refuse to create or update such accounts.

6. Do not hand over user codes from one person to another in a mistaken attempt to represent a hand over to a replacement. EXPIRE THE OLD USER CODE/ACCOUNT AND CREATE A NEW USER CODE/ACCOUNT.

{{SensitiveSecurity }}

7. Support team MUST NOT discuss billings with clients unless authorised to do so. Also see [[Procedures#Discussing_Pricing|Discussing Pricing]]

8. Support team MUST NOT proceed with creating new users until the group level or existing user with similar authorisation has been clearly provided by the client, otherwise the new user may end up with more than the required authorisation, which can lead to problems in future.

====After Creating New User====

Support MUST send an email to the person who requested the creation of new user, confirming that the new user has been created along with a screenshot of that part of the authorisation table where the new user was created so that the new user's user code and email id is visible. This is done so that in case there is some error in the user code or email id, it is easily visible in the screenshot and also so that the person who requested the creation of the new user is informed about the user code of the new user.

===Handling letterhead change requests===

Support staff should reject any requests that require the letterhead to be setup on the TESTING dataset before it is setup in the MAIN dataset.This is to reduce double work for support staff and to ensure that clients have a clear understanding of their requirements and also send the correct logo image.
The MAIN dataset can be copied to the TEST dataset for any kind of testing.

See [http://userwiki.neosys.com/index.php/Configuring_Letterhead#Changing_the_letterhead_for_printed_documents How to change letterhead]

===Handling error messages===

'''Important:''' Before Attempting to resolve client issues, please ensure that we have secure access to the NEOSYS server.

#The very first step is understanding client problem. Ask questions to the client until you CLEARLY understand the problem.
#If the error is familiar and does not require a screenshot, resolve the problem immediately.
#If the error is unfamiliar and/or requires a screenshot and the user has not sent a screenshot, IMMEDIATELY ask the user to send a screenshot of the problem, along with the options used (basically you need to know HOW to replicate the error and the screenshot MUST show WHAT the error is).
#If the user says "nothing happens, so no screenshot of the error", then IMMEDIATELY request for screenshots again with the exact steps to reproduce the problem using mouse and keyboard.
#Support team MUST NOT provide support without a screenshot, otherwise the client will not pay attention to support team in future and ignore requests for screenshots.
#Upon receipt of the error and steps to reproduce the error, follow the steps and reproduce the error. Also refer to [[Procedures#Addressing_Browser_related_issues|Addressing Browser related issues]]
#If the issue is unknown or you don’t understand it clearly, with the users acknowledgement use remote support to gain access to the users desktop to view how to replicate the error.
{{Handling errors}}

====Understanding Internal error messages====

Internal errors messages appear in red on screen and an email which is sent to support with more details. (Example below)

[[image:Rawformdatapng.png]]

The "ERROR NO:" line is comprised of the error number (B16), the program (MARGIN_BASE) and the line number (1). Sometimes the line number is wrong, refer to section "Misleading line numbers in error messages" below for more info.

The "STACK:" line lists the "parent" calling programs "SYSMSG,LISTEN" used to trace how and where the error originates.

The "DATA:" is a string of characters that is used to recreate the options used by the client in order to replicate the error message. See how to [[Troubleshooting_NEOSYS_Generally#Replicate_options_used_.26_error_using_sysmsg_Data: | replicate the error with the options used, using internal error email]]

====Misleading line numbers in error messages====

Many small NEOSYS utility programs are compiled to run faster than usual programs and will not report the correct line on errors like Variable Not Assigned.

To get the actual line number, compile as usual. ie without the (CL) options mentioned below, and regenerate the error.

Note that most of these programs should have a source line "linemark" or "*linemark" in them somewhere near the top. When single stepping in the debugger, the program will break on this line and this line alone.

To compile a GBP program DATE for speed use something like the following:

COMPILE GBP DATE (CL)

*"L" means compile without line numbers. This makes them run faster, which is important for utility programs that are called extremely frequently eg for date or number input/output conversion.
*"C" means do not generate a symbol table in GBP $GETPERIOD. It makes no difference whether you do or do not.

===Addressing Browser related issues===

When resolving random browsing issues that seem to be on one user computer only, support MUST send the below email asking the user to check if the same issue occurs on other user computers. Rapidly convincing the user that the problem is only on their computer gains their willingness to sort the problem out at their end, using IT people if necessary and available.

Handling random issues that appear to be on one computer is very very common and it is important to deal with it effectively, not requiring stages of "denial" by the users until they accept something has to be done at their end, and not by NEOSYS. Speeding up this process gains the confidence and appreciation of the users.

<pre>Hi xxxx

Is this error happening only on your computer? If that is the case, it may be due to an issue in your browser cache. Please clear your browser cache with assistance from your IT team if required. Then restart the browser and try again.

If clearing browser cache does not fix the issue, I recommend a full browser reset to ensure that everything works fine.

Follow these instructions for clearing browser cache and resetting browser:
http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers

Please let us know if you face the issue again.</pre>

Also refer to [[Procedures#Handling_Browser_related_issues_in_NEOSYS| Handling Browser related issues]]

===Addressing Technical support emails===

In the case of technical support issues, address emails to the IT person and cc the complete group of recipients of backup emails and other NEOSYS alert emails. This allows both NEOSYS and client IT staff to take credit for resolving issues that NEOSYS raises instead of working in the background unacknowledged.

Technical support issues include backup failure, server failure, missing alert email, server connectivity issues and port forwarding issues and many other issues.

For technical issues like browser configuration, clear cache, etc. support must send the user a link to the appropriate wiki article to help the user fix the problem. In some cases the user may be helpless and unable to follow the steps to fix the problem. In such cases, support MUST NOT waste time trying to help the user fix the problem, instead support MUST ask the user to get help from the IT person.

===Acceptable report format when handling issues in NEOSYS reports===

NEOSYS Support must only resolve issues in NEOSYS output first. This is because only NEOSYS outputs can be trusted and user versions in Excel or PDF could be copied wrongly or edited by the user.

In case users send reports in excel or other formats, get them to send the original NEOSYS HTML report as an attachment or copy-pasted in email.

===Handling requests to create new charts or control accounts===

[http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Finance_System#Creating_New_Charts_or_Control_Accounts Refer here]

===Handling issues with totals on reports===

If a client has a problem with any total output by NEOSYS software then NEOSYS support will advise them which other NEOSYS report or reports provide a complete breakdown of the total (if necessary, to individual transactions) and ask the client to locate any offending transactions themselves.

NEOSYS support staff will handle any issues where the total on the breakdown report does not add up to the total on the summary report.

Reconciling totals can be hard if there are many transactions involved. Regardless of how hard it may be, reconciliation is an operational task for users not for support staff since NEOSYS support staff will not get involved in understanding client transactions or data.

====Trial Balance and Financial Statements====

NEOSYS support staff do not have to prove or trace any figures in NEOSYS Trial Balance Reports or any financial reports. If a figure is stated to be wrong by the user, then NEOSYS support staff should ask for proof or say NEOSYS is confident that the figures are correct unless proved otherwise.

NEOSYS support staff should point out reports in NEOSYS which will support the figures in question but not actually run the reports. Support staff can suggest the users to refer to detailed ledger accounts to prove balances.

==Using VPN to enable secure access from outside the office==
There are two ways in which a user can use VPN:

*User connects to the their office router and makes the PC act like it is on the office LAN.
*User connects to a VPN service that provides a static IP number and can therefore be authorised by NEOSYS to login.

If the client intends to use VPN to connect to their office router and make the PC act like it is on the office LAN, then it depends on what VPN protocols the client's office router supports.

The alternative is to use a paid VPN service that provides a static IP number. Getting a dynamic IP number on VPN is very cheap and there are many suppliers, but getting a static IP number on VPN services seems to be more expensive.

Internally in NEOSYS we use PFSENSE routers which support OPENVPN which is extremely flexible.

==Handling issues with Office PBX phones==

Support should check their respective Office PBX phones every morning to find out if the phone is up and working. In case Support finds any issue with their phone, immediately fix it so that clients do not lose contact with the Support team via phone. Next send an email to Support inbox mentioning the fault, cause and solution for records/future prevention.

==Running undocumented commands on Maintenance mode==

Support Staff MUST NOT run undocumented commands on ***LIVE*** database. Some commands are not documented for a reason, it could be because the commands might give an undesired output or because there is no clarity on what else could be effected by the command.

Even if the command is tested in TESTING database and the output looks okay, support staff MUST get the programmer's approval before going ahead and running the command in LIVE database as there is no guaranty that the command is properly programmed and will do no damage.

==Configuring Browsers to show Javascript errors in NEOSYS==
NEOSYS Support MUST ensure the following Settings for browsers because if NEOSYS generates any javascript error message, the same would appear in the bottom left corner of a window, which in turn helps the programmer to fix the error. This must be done after every Factory Reset.

===Internet Explorer===
Tools > Internet Options > Advanced > Browsing - the items Disable script debugging (Internet Explorer) and Disable script debugging (Other) are '''UNTICKED'''.

===Chrome===
Chrome Menu > More Tools > Extensions > Get More Extensions, search for '''Javascript Errors Notifier'''. Add the extension to Chrome.

[[image:Chrome.png]]

[[image:Chrome1.png]]
===Firefox===
Firebug add-on is used to NOTIFY about script errors because we have no other method to get any warning on screen but you should use the main firefox developer tools to investigate any errors as firebug is essentially replaced by built in developer tools.

For developer tools, go to Tools > Web Console

To enable notifications for script errors, download the add-on Firebug from [https://addons.mozilla.org/en-US/firefox/addon/firebug/ here]. When a Javascript error is encountered, the firebug icon will report the number of errors.

Set your firebug as per the second screen shot and select "Enable All Panels" as well, the tick will not appear like the other options but the option will get selected. If you miss out on any one of these steps, you will not be able to capture script errors.

[[file:firebug1.jpg|1200px]]

[[File:Firebug.png]]

==Handling Browser related issues in NEOSYS==
See [http://techwiki.neosys.com/index.php/Technical_/_Hardware_requirements#NEOSYS_Software_Browser_and_OS_Requirements NEOSYS browser requirements]

Clients frequently ask [http://userwiki.neosys.com/index.php/General_FAQ#Why_doesnt_NEOSYS_support_my_XYZ_browser.3F Why NEOSYS doesn't support other browsers]

To avoid browser errors, all new users must follow the steps given in [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#Getting_started_with_NEOSYS Getting started with NEOSYS] before logging in to NEOSYS for the first time.

To troubleshoot browser related errors see [http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers Troubleshooting Web Browsers]

Users must clear browser cache after every NEOSYS Upgrade to avoid errors. See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS#Sample_email_to_be_sent_to_clients_who_face_issues_due_to_failure_in_clearing_browser_cache Sample email to clients who face issues due to failure in clearing browser cache]

Pop-up blockers and any 3rd party toolbars must be deactivated/switched off or else certain pages and alert messages while using NEOSYS do not appear as a result of blocking from either the pop-up blocker or toolbars with built-in pop-up blockers.

NEOSYS support must ask users to Reset browser (See [http://userwiki.neosys.com/index.php/Reset_Browser Reset browser]) if they notice any user browsers which have pop-up blockers or 3rd party toolbars installed.

Also refer to [[Procedures#Addressing_Browser_related_issues| Addressing Browser related issues]]

==Handling NEOSYS Upgrade==
See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS Upgrading NEOSYS]

==Handling auto-reply emails like Out of Office etc.==

From 28th May 2017 version, emails sent out by the NEOSYS system now contain headers that in effect request recipient email systems not to auto-reply for things like Out of Office. This is to reduce unnecessary chatter by silencing unnecessary automatic replies. There is no guarantee that recipient email systems will comply. The headers added are:

*X-Auto-Response-Suppress: RN, NRN, OOF
*Precedence: bulk

Support team should notify SB of any auto-responses that come despite their installation being patched.

In NEOSYS versions after 10th Jun 2017, emails sent by NEOSYS from the NEOSYS Help menu, i.e. manually triggered emails, do NOT indicate that OOF replies are not wanted, since if you are sending emails to people using NEOSYS, you will want to know if they are OOF.

==Using Support Tools==
===Website Live Support===
www.neosys.com is equipped with a Live Support software and clients can visit the website, click on this link and chat with any of our support staff, without the need for any installation. The client has to fill in their name and enter their questions to connect to an available support personnel. During non-working hours, the Live Support icon on the website automatically displays "offline".

NEOSYS Support personnel who are authorised to provide such support, need to login to Live helper chat in Firefox using the link given below:

http://neosys.com/lhc_neosys/index.php/site_admin/

Support personnel should enter the account details as provided by their Manager.

Enable notifications for Live helper chat so that whenever there is a visitor trying to contact Support team, the Support personnel will get the notifications on his screen.

Set the Live helper chat login page as your home page in Firefox and this page must be kept open for the whole duration of working hours.

Support must always be alert and immediately reply to messages from visitors.

Use the link below to enable notifications:

http://neosys.com/lhc_neosys/index.php/site_admin/chat/listchatconfig

After setting up Live helper chat if you sign in to a new profile in Firefox, you might have to re enable the notifications after your Firefox is synced to the new profile.

===Teamviewer===
Since Teamviewer allows no restriction on access once a fixed pass is installed, Support must not install fixed pass on teamviewer however convenient it might be.

RULE: NO FIXED PASS TO BE INSTALLED ON TEAMVIEWER IN ANY NEOSYS OR NEOSYS CLIENT COMPUTER

Running teamviewer live from a web link is fine because it does not allow installation of a permanent password

For certain tasks that require temporary install of Teamviewer on the client servers (e.g. upgrading Cygwin remotely), use Teamviewer 7 on the server as well as Support staff computer. Contact NEOSYS IT for commercial license of Teamviewer 7. Teamviewer MUST be uninstalled after usage, otherwise it creates an additional unnecessary security risk.

To support client users who use the latest version of Teamviewer, support staff must also install the latest Teamviewer version available alongside Teamviewer 7.

==Documenting Processes in Wiki==
NEOSYS Support staff must be in continual learning mode. This is mandatory for support staff and is not an option. Support must read, learn and understand everything in the support emails and ask questions if they don't understand. This understanding must be transferred into wiki in the form of new articles and improvements to existing articles.

For all articles related to formatting and editing in Wiki, see [http://itwiki.neosys.com/index.php/Documenting_NEOSYS_systems Documenting NEOSYS systems]

===Avoiding duplication of text in wiki===

Duplication of text in wiki is to be avoided almost at any cost. Duplication has the problem that when one copy is changed or improved in future then it is highly likely the editor will fail to update the other copy or copies and wiki will over time become an inconsistent mess.

There are several ways to avoid duplication:

#Two or more procedures which have significant areas of duplication can be rewritten as a single procedure with alternatives in the middle of the procedure
#Wiki Templates- Templates reproduce the same text in all places and editing one place edits all places. See [[How to create templates in wiki]]
#Wiki links- Only put the text in one place and put links to that in all the other places that it is appropriate.
#Place a note in all copies something to the effect that "This is similar to x, y and z". This alerts any future editor of all other places in wiki that might also have to be updated.

Future modifications in one place may or may not be appropriate to other places. The editor must decide whether to change one or all places

===Highlighting information in wiki===

To highlight particular instructions or info in wiki do NOT invent new styles which are not the way the rest of wiki is done. Instead, follow the USUAL STYLE or open a DISCUSSION with any recommendations you have BEFORE USING THEM.

Instead of using various kinds of highlighting styles like bolding and words like "Note:", use the following words IN CAPITALS especially the word MUST.

The use of the following words IN CAPITALS indicates that you are using them in a special way with formally defined meaning as explained below. Use of the words in lower case indicates that you are using the word in an ordinary commonsense meaning.

*MAY - means optional
*SHOULD - means recommended and you need GOOD reason (not just any weak excuse) to not follow to follow this recommendation
*MUST - mandatory

Only in the rare cases where the consequences of doing or not doing something are irreversible or take a lot of work to reverse then you can use your own additional highlighting methods, eg ALL CAPS, stars, color red etc.

====Explain WHY====

Any sentence which uses the word "MUST" in capitals, MUST be followed by a SPECIFIC REASON explaining exactly why is the instruction is mandatory; the reason MUST not be vague and non-specific meaning no more than "or bad things will happen".

WRONG way: You MUST also delete ads if deleting schedules.

WRONG way: You MUST also delete ads if deleting schedules otherwise it will cause problems in future.

CORRECT way: You MUST also delete ads if deleting schedules otherwise the deleted schedules' ads will still show in all media-diary like reports and screens

The Wrong way above gives a general reason "it will cause problems in future" which is vague and a reader may even go ahead and ignore "MUST" because there is no objective or proper side effect mentioned for not following the MUST statement. Basically he doesn't understand the point behind following a certain rule.

Whereas the Correct way gives a SPECIFIC reason for "deleting ads while deleting schedules", so reader will exactly know the trouble that will be caused if ads are not deleted. Therefore "SPECIFIC REASON" behind using the word MUST must be to the point and very informative.

====Why explain WHY====
The information contained in the WHY phrase is often '''extremely informative''' to the reader about things that you may otherwise not have considered saying.

The most valuable information is usually contained in the "WHY" of something. There is an apocryphal story of a company where managers could be fired if they gave instructions to their staff without providing explanation. In almost all cases it is better for the efficiency of a team of people that any instructions they follow contain the "WHY" of something. Only in few cases should staff be expected to follow instructions without being well or fully informed.

==Email Retention Policy==

===Generally===

Emails are retained permanently to allow old issues to be discovered in email searches.

===Account: backups@neosys.com===

Only the last 365 days of emails to backups@neosys.com are kept in general to reduce the burden on servers and clients due to the heavy number of emails.

For the backups/neosys folder, only 31 days is kept due to the very high numbers of emails ~250/day.

Deletions are configured in and done by a thunderbird client in NEOSYS IT so may not be continuous.

==Use of personal email addresses by NEOSYS support staff==

NEOSYS support staff MUST NOT use any personal email addresses for NEOSYS business.

The xxxx.neosys@gmail.com addresses that are created by support staff for themselves on joining are also considered personal email addresses and must not be used for NEOSYS business. These email addresses might be linked to NEOSYS wiki accounts but that doesn't matter because wiki is not confidential.

==Accessing NEOSYS accounts on personal devices==

NEOSYS staff MUST NOT install NEOSYS accounts on skype/dropbox/gmail (or any other external tool) on their personal devices without written permission from NEOSYS management

==Support Staff work-in-progress documents/files==

Support Staff must not save working files hidden on their computer. Work that is not visible is not work .
Support work should not be done privately and should be shared to all.

ALL personal working files however trivial MUST be stored in Dropbox and MUST NOT be stored anywhere in personal computer (My Documents/Desktop etc.)

The personal encrypted pass file MUST be stored somewhere in personal folder under SB NEOSYS staff in Dropbox. This is because if there is a loss of OS/Computer, it should not lead to loss of access as all the passwords saved in the file will be lost.

==Handling CLIENT/NEOSYS Servers==

NEOSYS support staff must exercise extreme caution when working on CLIENT and NEOSYS servers. Do not risk making changes without due care and attention to the fact that the consequences of errors can be serious on working production servers.

===Handling Javascript Files in NEOSYS===

All the files in NEOSYS installation folder with .JS and .JSE extension are the executable javascript files which startup NEOSYS processes (in a usual DOS window). Their default program is 'Microsoft Windows Based Script Host' (wscript.exe). If a JavaScript file is opened using a notepad, the default program may change to notepad resulting in all NEOSYS processes to open up in a notepad.

Hence be very CAREFUL when accessing a .JS and .JSE file and double check that the default program remains wscript.exe. Refer to [[Troubleshooting_NEOSYS_Generally#Fixing_wrong_default_program_assigned_to_open_a_file_type|Fixing wrong default program assigned to open a file type]] in case this issue comes up.

==Handling "List of Open Ports" reports==

This email comes to NEOSYS support team once a day showing only those client's servers which appear to have changed what TCP ports are open to the internet since yesterday. It will also come once a week showing all clients servers open ports.

NEOSYS support team should work patiently with client IT staff, over time if necessary, to close all ports that are not absolutely mandatory to be open.

Clients with highly skilled IT staff may have a variety of ports open to various non-NEOSYS servers inside their organisation. In this case, NEOSYS plays little or no role other than getting their confirmation of exactly what ports are acceptable. Any new ports that appear over time should be handled in the same way.

For clients without such staff, NEOSYS is their only real line of defence and since NEOSYS requested opening some ports, we should get all other ports closed by patiently following up until action is taken. Involving management may be the only way to get IT to act.

High end port numbers (e.g. 49667) may represent transient outbound connections from users. Therefore for such port numbers, support team should contact the client only if the port remains open on the following working day.

In particular, port 80 and 443 controlling internal or external routers should be closed. It is NOT acceptable except in HIGH IT EXPERTISE environments that critical routers should be exposed to the internet and they MUST NOT be accessible from the internet because routers that do not have their software updated can be hacked using known defects. Even updated routers can be hacked. Making it easy for client IT staff to access the router configuration from outside is NOT a good enough excuse to break this rule. Professional IT does not allow access to critical routers from the internet.

Likewise, any port 80 (unencrypted web access) and port 3389 (RDP remote desktop) open to the NEOSYS server MUST be closed otherwise logins can be monitored and there is no way to guarantee server security.

Port 23 (Telnet) is an insecure port because it is unencrypted and should never be open for usage. This is standard practice and well known by any network professional. Since the port is unencrypted, attackers can listen in, watch for credentials, inject commands via man-in-the-middle attacks and ultimately perform Remote Code Executions (RCE).

If a port is definitely required and properly approved to be open by client IT support, please let NEOSYS IT (SB) know and it will be put in the "Authorised" column so that ports in the "Questionable" column are all pending action.

The report does not attempt to detect UDP ports since UDP ports can receive information from the internet without responding in any way so there is no way to detect them reliably.

Green color shows ports that have opened since the last report run. Open ports can sometimes not be detected accurately so a port may appear to disappear in one report and reappear in the next report.

===Why should HTTP port 80 not be open on my router?===

It is not advisable to expose any HTTP server for any private service on your computer network or router because HTTP is unencrypted and this means that all information regarding that service, including passwords, can be observed by any malware on your LAN and internet connection. This information can then be used to install horrible software on your internal PCs.

What to do?

Use https for any internal services - and advisably on a non-standard port, not the standard https port of 443.

For example, NEOSYS service is exposed as HTTPS (not HTTP) usually on port 4430 - not the standard https port of 443.

Commercial hacking is getting really common with things like FIREBALL and CRYPTOLOCKER causing a lot of damage.

It is advisable to take basic precautions pro-actively before any attack exposes weaknesses.

==Handling Nagios Client Monitoring system==

NEOSYS support staff on duty MUST follow the procedures outlined below in case the Firefox "imoin" add-on shows critical or warning messages for any service. Failure to schedule appropriate downtime will lead to REDUNDANT EMAIL ALERTS from Nagios every hour.

Any alert on the Firefox "imoin" add-on means that there is an issue that has not been attended to properly, and "attended to" does not always mean solved. Support staff MUST solve the problem immediately if possible.

If it is not possible to solve the problem immediately, then downtime/acknowledge the service and add a comment on the Nagios alert, explaining the problem briefly.

Support should check Nagios frequently during the day to look for any new alerts so that issues are fixed as soon as possible.

*Nagios is required to be checked first thing in the morning and any critical or warning messages need to be dealt with to resolve the same at the earliest.
*Some of the messages could be related to backup failures and the usual procedure as stated in Handling failure and warning messages on nightly backup alerts needs to be followed. In case the backup issue isn't resolved by 9:30 am, the Nagios service needs to be downtimed with an appropriate comment for a minimum of 2 hours and maximum until 1 am next day if the issue cannot be solved.
*In case of "Backup not changed" warning status which occurs if the client has not interchanged the USB before 12 noon on that day, no action is required from the support staff and a downtime with a comment like "Backup media not changed - Emailed client" needs to be scheduled until 1 am next day.
*In case any HTTPS, SSH, PING service or Host is down, immediate action is required and the relevant IT people at the client side needs to be contacted to get this resolved. A downtime of 2 hours with a comment like "Service/host down - Emailed client" is required to be scheduled with further intervals of 2 hours in case this is not resolved. Support staff shouldn't schedule downtime till 1 am next day, just to get rid of the alerts for the day. Proactive follow up with the client is required to get this resolved before the business day - more so, if there is a weekend ahead.
*In case the HTTPS, SSH, PING service or Host goes down during the day, a grace period of 10 minutes is given before the issue is reported to the client IT, in case there is any temporary internet connection issue at the client or along the internet route.
*In case the HTTPS, SSH PING service or Host is down for more than 1 day, client IT should acknowledge the problem and give NEOSYS support staff an approximate time frame before which the issue will be resolved. Set an appropriate downtime with a descriptive comment for such events.
*In case Host is down for more than 2 days and there is no progress with the fix from client IT, the client management should be notified about the seriousness of not having access to server and their acknowledgement is mandatory.

==Handling lack of remote access to NEOSYS server located in client’s premises==

If access to the NEOSYS server is lost then we must determine the root cause by:

#Checking if the server is UP and running
#If yes, please check internet connectivity on the server
#If there is connectivity, please check the router for connectivity issues

'''Sample Response:'''
<pre>
Dear XYZ,

Please note that we have currently lost access to the NEOSYS server. The server seems to be down at the moment and it seems that
NEOSYS processes are not running on the server.
Kindly check if the server is UP and running. If yes, please check internet connectivity on the server.
Do keep us posted on the server status so we can test connectivity from our side as well.

Best Regards,
</pre>
==New Router (Port Forwarding)==

If you have changed your router then you may notice that external access to NEOSYS is unavailable.

'''Solution:'''

Setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to the NEOSYS Server as follows:

#Port 19580 > 19580 for SSH
#Port 4430 > 4430 for HTTPS

You can see [http://portforward.com/ Set Up Port Forwarding] to learn how to configure your Router.

To see how to test/ troubleshoot port forwarding settings, go to [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting Port Forwarding]].

'''Sample Response:'''
<pre>
Dear XYZ,

You are requested to kindly setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to
the NEOSYS Server,i.e. port 19580 for SSH and port 4430 for HTTPS.

Once this is complete, kindly send me an email to confirm the same so that we could test connectivity from our end as well.

Best Regards
</pre>
==Creating and Handling passwords==
===Creating a password===
Passwords are generated from a pass phrase and it is important to create a very difficult to guess pass phrase.

Passwords made out of a pass phrase MUST be at least 10 characters since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts.

For example, a good pass phrase would be: '''Today is a good day and it is the best time to go for a holiday'''

The password for this would be '''Tiagd&iitbt2g4ah'''

The important instructions for the above are:

#You have to take the first letter of each word and that makes your password (i.e. by using initials)
#Wherever any word starts with a capital, then you have to take first letter as a capital (eg. For Today you will take T)
#Replace '''and''' with '''&'''
#Replace '''to''' with '''2'''
#Replace '''for''' with '''4'''

===Handling passwords===

#Never send the actual password - always send the pass phrase
#Make sure that the password created out of the pass phrase is at least 10 characters long since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts
#Pass phrases are never to be sent by email, whatever the case maybe.
#Pass phrases can be sent by chat - however they have to be broken down in two parts and sent separately over two different messengers or if you are using Gtalk then use the 'off the record' mode.
#Using SMS to send pass phrases is the best known way as of now.
#If you save the passwords on your system in an file then:
#*Ensure that you only store pass phrases in the excel file
#*Ensure that the excel file is encrypted with a master password

==NEOSYS Maintenance Window==

The NEOSYS server is functional from 6am – 1am. There is a 5hr window gap for the system to perform updates & backups.

The 5hr maintenance window:-

1. At 1am – The server performs a data backup on a USB (for the respective clients) & once the backup has been completed, the system automatically generates an email addressed to the neosys staff & the respective clients.

2. At 2:45am – The main data over writes the test data on the server.

3. At 3:00am – The server by itself performs an update for Windows.

4. At 4:00am – The server performs a backup to the headquarters for clients, and then automatically generates an email addressed to the NEOSYS staff & the respective clients.

5. At 6:00am – The server starts up NEOSYS.

==Using NEOSYS Terminology while communicating with Clients==

NEOSYS support must communicate in correct language to clients on finance issues in order to ensure that our records exactly represent reality. Conversely NEOSYS must not use other terminology because it can cause considerable confusion and poor quality results. In case client is new and still in training, use client terminology optionally as long as

#It is only an addition to NEOSYS standard terminology
#Only if clear that it is client terminology by putting in brackets like this "Sales Invoices (called PI by you)", where "you" means the client you are talking to or you can put the client company name instead perhaps.

The objective is over time to avoid having the support team to have to know the terminology of the client. NEOSYS support team cannot possibly know and remember it for each client therefore the client MUST over time learn and use NEOSYS terminology. The initial period is one of relearning and translation for the client not for NEOSYS.

Many users operating NEOSYS finance module do not know proper financial procedures and may not appreciate how doing something in a wrong or unusual way now may not be correctable in the future.

NEOSYS staff must follow NEOSYS procedures only. If NEOSYS procedures need to be updated then this must be agreed in advance and not AFTER the fact.

==Amending/Reposting Journal Entries==
In certain exceptional cases, amending/reposting of journal entries is allowed for only one day to enable clients to present reports in an alternative manner.

It must be agreed with the client that reposting rights will be granted for only one day and NEOSYS Support will automatically remove it and check for CCB error thereafter.

This would be subject to NEOSYS requiring a written LETTER OF APPROVAL duly signed and stamped by the highest management of the company.

In case the client management decides to allow editing/reposting of journal entries, the following procedure is to be followed:

#Client must de-allocate vouchers which need to be amended
#NEOSYS support staff must wait for a day so that de-allocated vouchers are copied into Test database
#Authorise required users to amend and repost (without record) '''in Test database only''' ( While reposting, we have 2 options i.e. with record and without record. The 'with record' option causes the system to maintain a history of edits made. Hence, we want to repost without record so that there is no trace of the edit in the system)
#Amend a substantial number of vouchers in Test and verify them. To verify if the edits made are reflected:
#<nowiki>*Print all ledgers for the whole year</nowiki>
#<nowiki>*Cross-check all balances</nowiki>
#Once you verify the balances are correct in Test database, grant users permission to amend and repost in the Live database.
#Ask users to amend and repost vouchers in the Live database.
#Cross-check all balances for the current year.
#If you successfully verify the balances, revoke permissions immediately. Else, wait for 24 hours and revoke permissions irrespectively.

==Removal of unauthorized third-party software on client servers==

Rule: Any third party software that is discovered by NEOSYS support staff on client servers that has been installed without the agreement of NEOSYS should be uninstalled immediately on discovery.

However purposeful a software is, NEOSYS is contractually responsible for support and there are too many opportunities for poorly installed software to cause unpredictable damage to the NEOSYS database so NEOSYS has to have a clear and safe and simple policy to ensure the integrity of client data. Installing software without prior discussion with NEOSYS by itself indicates that insufficient care and consideration has been given to possible issues.

Having unauthorized third party software on the server can possibly lead to a backup failure. For example, [[Backup_and_Restore#Error_Message:_.22LISTS_file_is_not_available.22|LISTS file not available]] error.

Any software required by client IT for some purpose may only be installed after discussion and agreement from NEOSYS support staff concerning the configuration and operation of the software.

The NEOSYS Software Licence and Support agreement requires that where NEOSYS software is installed on client servers that a dedicated server is provided and dedicated implies that no other software may be installed without the agreement of NEOSYS support.

==Configuring tunnelier to autologin on opening tlp files==
If you have many tunnelier tlp files in a directory and connect by opening the desired tlp file the, instead of opening the file and then clicking Login you can also right click the file and select Connect.

Alternatively, you can configure tunnelier to login (connect) automatically by following the procedure mentioned below. (Even if you configure automatic login, you can still open and not login by right clicking and choosing Open)

===Windows 8===

Cannot be done using standard Windows UI. Some download utilities can do it. TODO put a safe one in neosys.com/support

===Windows XP/Vista/7/2008===

#Go to My Computer
#Click on Tools -> Folder Options [[image:tunnauto-1.jpg]] 
#Click on File Types
#*Select TLP (Bitvise Tunnelier Profile) [Type "TLP" to find it quickly]
#*Click on Advanced [[image:tunnauto-2.jpg]] 
#Click on Connect and Click on Set Default [[image:tunnauto-3.jpg]] 

==International v/s Indian English==

There are some words which have completely different meanings in International and Indian English. NEOSYS Staff should follow International English only. Below are the examples of few of those words:

Word: '''Doubt'''

In the English language word "doubt" means to distrust an alleged fact on the basis of a reason, depending on the strength of the reason which may be anything from factual to feeling e.g "I have no reason to doubt him".
This usage is followed worldwide.

Some people especially from Indian origin use "doubt" when they are unaware about a fact. e.g "I want to clear my doubts about this procedure". This is incorrect. The word must be used when you do not agree on something on the basis of a reason and not when you do not have knowledge about it.

==[[ New Employee Training Checklist]]==

==[[ New Client Training Notes]]==

==[[ General Office Procedures]]==

Troubleshooting email not received

2021-06-13T11:39:28Z

Pratishthit: /* Error: The requested body part was not found in this message */

==Troubleshooting email not received==

===Was any email actually sent?===

Possibly the server was switched off at the time the email was supposed to be sent. Check the server uptime or logs. Check NEOSYS server monitor history.

Rerun the report or program with the exact same options and conditions. Monitor the process on the server maintenance screen looking for messages that emails have been sent or not.

====Error: The requested body part was not found in this message====

This error appears on Windows 10 installations when the Windows display language and the Regional Format language are not the same.

To solve, In Windows Settings > Time & Language > Language make sure Windows Display language is the same as Regional Format in the Region section. Recommended language is English (UK) for Middle-east clients and English (US) for US clients.

===Check log for any problems sending email===

#First step is Login to client’s server, open NEOSYS check the logs in support menu.
#It will generate the log report, check the report thoroughly and see if there is any error shown around the time that the emails were supposed to be sent.

====Error: No logs found====
No logs found for the date while checking the logs in support menu.

'''Error explained''':
This above error means that no error has been logged on the date you selected.

====Error: Failed to connect to the server====

[[Image:001.png]]

If report shows the error shown above then do the following steps to check why the email was not sent out.

This above error means that but the mail could not be sent due to an inability to connect to the outgoing email server.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

===Check NEOSYS email configuration===

NEOSYS needs to know how to send email. The default configuration is mailout.neosys.com 2500

Check the configuration in NEOSYS Support Menu, System Configuration File.

===Send a test email===

WARNING This test requires a version of NEOSYS later than 5th Dec 2012 otherwise no error message is shown in some cases when there is in fact an error.

Check if you can send a test email. Go to maintenance mode and press F5 then type the following.

sendmail support@neosys.com

If mail server accepts the message then you will see the following.

This is no guarantee that the mail server can or will deliver the email to the recipient.

╔══════════════════════════════════════════════════════════════════════════╗
║STEP 1 OK. Mail for SUPPORT@NEOSYS.COM accepted by mail server. ║
║ ║
║Sent using: ║
║fromaddress=amc@neosys.com ║
║smtphostname=mailout.neosys.com ║
║smtpportno=2500 ║
║smtptimeoutsecs= ║
║smtpusessl= ║
║smtpauthtype= ║
║smtpuserid= ║
║smtppassword= ║
║toaddress="SUPPOR@NEOSYS.COM" ║
║subject="NEOSYS: test email test subject" ║
║body="@$4549566.TXT" ║
║ ║
║STEP 2. Now check if actually received by recipient to verify ║
║that the mail server can actually deliver email to SUPPOR@NEOSYS.COM ║
║and that SUPPOR@NEOSYS.COM can receive email from the server ║
║ ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════════════════╝

If there is some problem connecting to the mail server then you might see something like the following:

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The transport ║
║ failed to connect to the server. ║
║ ║
║ From: companyxyz@neosys.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

To solve unreliable connections to NEOSYS email server, see [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

===Invalid Sender Email Address in NEOSYS System Configuration File===

The following problem might indicate that the "Sender email address" is not acceptable to the mail server - even though the message mentions a problem with "recipient addresses".

For sending email via the default NEOSYS mailout.neosys.com server the "Sender Email Address" MUST end in @neosys.com eg companyxyz@neosys.com.

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The server ║
║ rejected one or more recipient addresses. The server ║
║ response was: 550 Administrative prohibition ║
║ ║
║ From: neosys@companyxyz.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

===Check the size of the mail being sent to client's email account===

Email could be missing due to the reason that NEOSYS mail exceeds the upper limit of mail size on client mail server. Confirm the upper limit of mail size with client IT and check the size of email being sent by NEOSYS. For large clients a whole years report could exceed 10MB, which is the common upper limit for most mail servers. Ask client's IT to increase the upper limit of mail size to receive emails with large report from NEOSYS. NEOSYS staff can advise users to test a report attached email for a small period to check if emailed reports can actually be received by client's email or not. Also see [http://userwiki.neosys.com/index.php/Media_FAQ#How_to_handle_.22No_Response_from_the_database_server_in_600_seconds.22 whether email is received when Email Body is chosen as the Report Delivery option.]

===Check Nagios system if any email stuck in outgoing email queue===

Nagios Monitoring system checks and warns if there are any emails stuck in outgoing email queues on all NEOSYS servers, including imap/smtp, nl8, mailout and mailout2.

If there are any emails in the queues, Nagios Monitoring system will report the problem and you can get information about exactly what is pending and why it is, by clicking and inspecting the service in detail.

===Check low level network connectivity to the mail server===

To test if there is basic connectivity - from the client server to the configured email server, type the following in command prompt, on the client server.

You might need to install Windows option for Telnet on Windows 2008. A software firewall installed on the workstation may block connections selectively by program so you might be able to send email by telnet but not by outlook for example.

Assuming that the configuration is the default of mailout.neosys.com port 2500. You must use your configuration.

telnet mailout.neosys.com 2500

it will show you

Connecting to mailout.neosys.com ...

====Successful connection====

Blank window with some text at the top. This text can vary slightly but will usually mention SMTP somewhere.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)

Try to send an email using telnet as shown below. Type the bits in bold in the following with no mistyping since backspace doesn't work.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)
'''helo steve'''
250 mailout.neosys.com
'''mail from:<clientname@neosys.com>''' (use client name which is appropriate to the situation to identify sender)
250 2.1.0 Ok
'''rcpt to:<support@neosys.com>''' (use a recipient email ID which is appropriate to the the situation)
250 2.1.5 Ok
'''data'''
354 End data with <CR><LF>.<CR><LF>
'''Testing'''
'''Testing''' (don't forget to end with a dot on a new line)
'''.'''
250 2.0.0 Ok: queued as 872B21F6
'''quit'''
221 2.0.0 Bye
Connection to host lost.

====Unsuccessful connection====

If there is some network connection problem or the mail server is not running then after a while it will show something like:

Could not connect to the host, on port 2500: Connect failed

If you determine that there is a basic problem connecting to the mail server then and other locations are not facing the same problem then contact the IT administrator of the network and probe if they have outgoing ports (2500 in this case) blocked or filtered on their firewall.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

===Ensure missing email is not being treated as spam by NEOSYS email server===

Email could be missing due to the reason that NEOSYS mail server might be treating it like spam.
Escalate issue to NEOSYS IT, who will check if missing email is being treated as spam.

Setting up Windows 10 Pro Firewall

2021-03-15T07:39:05Z

Pratishthit: Added UDP ports

==Setting up Firewall on Windows 10 Pro==

===How to add rules===

#Windows Start Menu Search bar > "Windows Defender Firewall with Advanced Security".
#Select Inbound rules. (left side)
#Action > New Rule
#Select Port & click Next.
#Select TCP/UDP option.
#Specific port field set of ports as described below & click Next.
#Select option "Allow the connection" & click Next. (Connections protected by IPsec and not)
#Select Domain, Private and Public & click Next.
#Enter name as mentioned in port list below.

===Rules to Add===

*Client Hosted Server:
*#"All local ports" under UDP option - Name: "All UDP Ports"
*#"80, 443, 2500, 3389, 4430, <sshport>" (replace <sshport> with server ssh port) - Name: "NEOSYS Standard Ports"
*NEOSYS Hosted Server:
*#"4430-4499" - Name: "NEOSYS HTTPS"
*#"19580" - Name: "NEOSYS SSH"
*#"19485" - Name: "Nagios NSclient"
*#In section above "How to add rules", step 6, choose "All local Ports" - Name: "d:\apache24\bin\httpd.exe"

Setting up and using remote support

2021-02-07T13:23:15Z

Pratishthit: /* Configuring and starting SSHD */

==Getting agreement of client IT staff to provide remote access==

[[Letter to obtain agreement of client IT staff to provide remote access]]

==Initial Connection to the server before setting up permanent remote connection==

For remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection.

Get the one-time run quick support teamviewer utility from [[https://neosys.com/help|Team Quick Support]]. Otherwise refer to the wiki to install customised reverse connect "UltraVNC" SC file.

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

==Installing and configuring SSH==
===Installing Cygwin with OPENSSH===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

Read [[Avoid Corrupting Cygwin Installations]]

#Instruct client to login to server as Administrator.
#Connect to client server via Teamviewer or customised reverse connect UltraVNC SC file.
#ENSURE that you are logged in as the local (NOT DOMAIN) administrator.
#Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
#Download source: '''Install from Internet'''
#Root Directory: '''c:\cygwin'''
#Local Package Directory: '''c:\cygwin.lib'''
#Choose "yes" to "Folder does not exist. Create new?"
#Internet Connection: '''Direct Connection'''
#Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
#Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
#Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
#Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
#Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
#Click Next and complete the installation

===Win32 Error===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

===Configuring and starting SSHD===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshd_config file? yes
.
StrictModes - no
Privilege - yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net start sshd

===Configuring SSHD to use a non-standard port number===

This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is SIGNIFICANT AND CANNOT BE IGNORED in cygwin/linux commands

open cygwin command prompt

nano /etc/sshd_config

change the Port to look like this:

#Port 22
Port 19580

Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.

net stop cygsshd
net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net stop sshd
net start sshd

To check that the server is running and listening on port 19580

ssh -p 19580 administrator@localhost

If you are asked for to confirm the server id is correct or enter password then the check is successful. No need to continue.

===Changing ssh login from “Administrator” to “administrator”===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

===Error while changing Cygwin port 22 to 19580===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

===Enable Remote Connection on Windows to allow connection through Remmina===

#Open System Properties from Explorer
#Click on Remote settings
#Under 'Remote' section, check Remote Assistance (disabled on Win 2008 servers) and Remote Desktop to allow remote connections to this computer.

[[File:Win remote connection.png]]

===Opening up ssh connections to additional source ip nos===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

Enter IP numbers or CIDR format:

sshd 12.34.56.78
sshd 12.34.0.0/16

===Setting up email alerts for cygwin ssh logins===

1. Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages. MUST READ [[Avoid_Corrupting_Cygwin_Installations#To_see_what_modules_Cygwin_is_going_to_update |See what modules Cygwin is going to update]]

2. Run Cygwin and copy & paste script below into new file sshrc. Change it@neosys.com to the email ID to which the alert needs to be sent.

nano /etc/sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

3. Give execute permission to sshrc script file for all groups (owner, group, other):

chmod a+x sshrc

4.Add trusted IPs by copying & pasting text below:

cd /etc
nano trustedipnos

<pre>
#IP ranges and CIDR etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

===Quick way of adding all Support's public keys to allow Remmina support===

If a server has lost all authorised keys in .ssh/authorized_keys file, then instead of Support adding their public key individually using "./autologin.sh" use this method:

#Connect via SSH to any other client server that has support team's public keys saved.
#Then open Cygwin and type: <pre>cat .ssh/authorized_keys</pre>
#Select and copy all the text in the file. i.e public keys
#Exit and connect to the the new client and open Cygwin and type:<pre>nano .ssh/authorized_keys</pre>
#Right click and paste the copied keys in a new line below any possible existing keys ensuring that each key appears in a separate single line and then save and close the authorized_keys file.
#Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key option) in Remmina.

===Testing SSH connection to the NEOSYS server over port 19580===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

===Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

====Possible Problem 1 - Port mapping in router is using NAT====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

====Solution 1A====

Change the router configuration to not use NAT and leave the genuine original source IP number

====Solution 1B====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

===Troubleshooting sshd===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

===Reinstalling SSHD if service fails to startup===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

==Upgrading SSHD / Cygwin==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_7.7 (protocol 2.0)

Before updating Cygwin or its packages you MUST read [[Avoid Corrupting Cygwin Installations]]

===Upgrading Cygwin remotely===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

====Upgrading Cygwin with a script====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

*either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
*or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
*or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

=====Running the script=====

[[Setting_up_and_using_remote_support#Finding_the_script|Locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the version shown at http://www.neosys.com/support/upgradecygwin.cmd and ensure that the script you are using is the latest one, as the script is updated with fixes for problems faced in the past.

The upgradecygwin.cmd script will try to download the latest version of setup-x86 from cygwin.com. In case it is not possible to download the setup-x86.exe file from cygwin.com due to proxy/firewall or other issues, then follow the below steps before running the cygwin upgrade script.

#Download setup-x86.exe manually from http://www.cygwin.com/setup-x86.exe
#Place it in the same directory as the upgrade script
#Rename it to "setup-x86-manual.exe". The cygwin upgrade script will rename this file to setup-x86.exe

If you initiate the script while connected on ssh using tunnelier/remmina etc. halfway through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re-enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send the email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending the email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

=====Verifying successful run=====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

=====Dealing with reboot required=====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

=====Finding the script=====

The latest version of the script can be found in the latest version of NEOSYS. The script is installed in the neosys\neosys directory.

For older versions of NEOSYS it can be created or upgraded as follows:

Open http://www.neosys.com/support/upgradecygwin.cmd on your browser to view the script.

Then copy the script onto notepad on the server and save this as a .cmd file in the location mentioned below:

Single installation
x:\neosys\neosys\upgradecygwin.cmd

Multiple installation
x:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

where x is the drive in which NEOSYS is installed.

====How to check Cygwin version ?====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

==How to uninstall/reinstall cygwin==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

==Adding packages to Cygwin after installation==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

===Adding individual packages to cygwin without doing a full upgrade===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

==Getting Ownership and Permissions Correct==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

==Configuring Firewall/Router==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

==Configuring Specific Client Routers==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

==How to install ssh on port 19580 over vnc on port 19580==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

==Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

==Installing and configuring UltraVNC==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

==Remote Desktop Connection==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

===Changing RDC port from standard to nonstandard===

#Start Registry Editor.
#Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

#On the Edit menu, click Modify, and then click Decimal.
#Type the new port number, and then click OK.
#Quit Registry Editor.

==Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

===Error Message===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

===Solution 1===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

===Solution 2===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

===Solution 3===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

===Solution 4===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

Configuring NEOSYS Generally

2021-01-31T10:08:07Z

Pratishthit: /* Re-ordering databases in maintenance mode */

==System Configuration File==

See [http://userwiki.neosys.com/index.php/System_Configuration_File System Configuration File]

==Clearing files in database==

This is to be done if you want to clean an old database or clean a training database so that a client can enter fresh data.

These commands DO NOT reset the data to "factory settings" so for new installations you need to download a fresh BACKUP.ZIP file from the NEOSYS website.

*Clear transactions F5 - CLEAROP (only clears transactions not reference files)

*Clear all F5 - CLEARALL (rather nasty command because it clears all reference files as well)

*Clear finance transactions F5 - CLEARACC

REINDEXALL SHOULD be done after CLEAROP or CLEARACC in order to reduce the size of the index files to reflect the reduction in size of data, by rebuilding them from scratch, since index files don't reduce in size automatically when the data is cleared or reduced.

==Clearing selected files in database==

This can be done if you want to reimport selected files.

WARNING This procedure must not be used if there are any transaction in the system that might use the files being cleared.

WARNING Clearing individual files is error prone because other files might refer to the records you are clearing (referential integrity is not applied so dangling references may be created). For example, clearing suppliers without clearing vehicles in advance results in vehicles which have supplier codes that do not exist. Even if you reimport the suppliers, some supplier codes in the vehicles file may not be reimported leaving vehicles with problems.

WARNING The opportunity to create problems that have no solution and that may only surface when the system is in operation is endless unless you think through the implications very very very carefully.

*Flush Index F5 FLUSH.INDEX (this command MUST be performed immediately after any data clearing, because CLEARFILE does not clear the related indexes immediately and it will be done later on access, causing random stopping later on)

*Clear suppliers F5 CLEARFILE SUPPLIERS

*Clear vehicles F5 CLEARFILE VEHICLES

If a particular field needs to be cleared from a file then get the exact field name defined in the file.

To list the various fields in a file F5 LD CLIENTS (for Client and Brand file)

*Clear Payment Instruction from Client and Brand file F5 CLEARFIELD CLIENTS PAYMENT_INSTRUCTIONS (only clears the payment instruction defined in all the Client & Brand file)

*Clear Agency fee % from Client & Brand file F5 CLEARFIELD CLIENTS FEE (only clears the agency fee defined for all Client & Brand flies)

==Mass updating database without data entry==

Warning: It is advisable that you take the approval of NEOSYS DBA or programmers before doing any of the following procedures. There is no protection whatsoever from damaging the database if you do not appreciate all the implications of any particular update. Common sense and caution must be used. If you damage a database then it may be, or with operation become, irretrievably damaged and require reconstruction from a backup causing possibly extreme finance damages to the owner of the data and consequences for yourself. You have been warned.

There are many commands in maintenance mode that allow you to amend the database directly and without any record and without any ability to reverse changes.

Normally, no record of the changes is made. All changes will appear to have been done by the last user at the time and date of the last normal user interface amendments.

===Available fields to clear or set===

#Client & Brand File: CLIENTS MARKET_CODE
#Client & Brand File: BRANDS MARKET_CODE

===How to clear a database field===

Assuming that a particular database field may be blank (i.e. not required for data entry) then you may clear a field as follows.

Warning: There is nothing to stop you clearing a field that is mandatory and doing this may cause irrecoverable damage to the database.

In the following example we wish to change all clients with market code “UAE to have market code blank.

First, if you don’t want to clear all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “UAE”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE

===How to set a database field===

In the following example we change all the clients where the market code is blank (has not been entered) to become “UAE”.

Warning: You can set the market code to a market code that does not exist. This will cause various problems in the operation of the system but is probably not irrecoverable.

First, if you don’t want to set all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE/UAE

==Backup to other media (i.e. not to USB)==

[[Backup and Restore#Backup to other media (i.e. not to USB)|Backup to other media]]

==Reordering databases in maintenance mode==

#Open NEOSYS in maintenance mode
#General > Backup & data management > Reorder databases
#Pressing the Enter key select/deselect the databases in the order required.
#Press F9 once and confirm that the databases are in the required order, if not go back to Step 3.
#Press F9 again and select Yes to save the reordered list.

==Copying a single record from one database to another==

You need to know the file name and record key of the record to be copied.

In this case the file is DEFINITIONS and the key is AGENCY.PARAMS

You can invent any old style 8.3 filename instead of C:\AGP.DAT in the following example

On the source computer:

F5
COPY DEFINITIONS AGENCY.PARAMS TO: (DOS C:\AGP.DAT)

On the target computer:

F5
COPY DOS C:\AGP.DAT (ON) TO: (DEFINITIONS AGENCY.PARAMS)

The (O) option is required to force overwrite of the existing

The (N) option means only copy if the target already exists. It is advisable to use it when you know that the target already exists to avoid misspellings in the command. It must be omitted if the target doesnt exist.

==Allowing users temporary login as NEOSYS in maintenance mode==

#Get them to login with any name even NEOSYS
#Get them to enter "?" for the pass without the quotes
#NEOSYS will give them a lock like "NEOSYS 123456" which they must give you. You should not log out until the next step is completed
#Follow the NEOSYS lock/key procedure using the full contents of the lock including the user name

(to allow access EXCEPT access to authorisation screen use a special number (not documented here) as the last number of the initial command)

#Give them the key and get them to enter and proceed

==Configuring upload of photoshop "cs2" jpg files==

Photoshop version "cs2" produces jpg files that cannot be viewed in Internet Explorer.

A solution is to rename the files extension from .jpg to .psjpg before uploading.

"psjpg" files are an invention of NEOSYS and IIS must be configured to handle .psjpg files as follows:

Windows Server 2003 (doesnt work on XP)

#Computer Management, Internet Information Server, Properties
#Click MIME Types
#Click New
#Extension: psjpg
#MIME Type: application/photoshop
#Click OK,OK,OK
#Restart IIS (Right click, All Tasks, Restart)

Configuring NEOSYS Generally

2021-01-31T09:01:52Z

Pratishthit: Reordering databases in maintenance mode

==System Configuration File==

See [http://userwiki.neosys.com/index.php/System_Configuration_File System Configuration File]

==Clearing files in database==

This is to be done if you want to clean an old database or clean a training database so that a client can enter fresh data.

These commands DO NOT reset the data to "factory settings" so for new installations you need to download a fresh BACKUP.ZIP file from the NEOSYS website.

*Clear transactions F5 - CLEAROP (only clears transactions not reference files)

*Clear all F5 - CLEARALL (rather nasty command because it clears all reference files as well)

*Clear finance transactions F5 - CLEARACC

REINDEXALL SHOULD be done after CLEAROP or CLEARACC in order to reduce the size of the index files to reflect the reduction in size of data, by rebuilding them from scratch, since index files don't reduce in size automatically when the data is cleared or reduced.

==Clearing selected files in database==

This can be done if you want to reimport selected files.

WARNING This procedure must not be used if there are any transaction in the system that might use the files being cleared.

WARNING Clearing individual files is error prone because other files might refer to the records you are clearing (referential integrity is not applied so dangling references may be created). For example, clearing suppliers without clearing vehicles in advance results in vehicles which have supplier codes that do not exist. Even if you reimport the suppliers, some supplier codes in the vehicles file may not be reimported leaving vehicles with problems.

WARNING The opportunity to create problems that have no solution and that may only surface when the system is in operation is endless unless you think through the implications very very very carefully.

*Flush Index F5 FLUSH.INDEX (this command MUST be performed immediately after any data clearing, because CLEARFILE does not clear the related indexes immediately and it will be done later on access, causing random stopping later on)

*Clear suppliers F5 CLEARFILE SUPPLIERS

*Clear vehicles F5 CLEARFILE VEHICLES

If a particular field needs to be cleared from a file then get the exact field name defined in the file.

To list the various fields in a file F5 LD CLIENTS (for Client and Brand file)

*Clear Payment Instruction from Client and Brand file F5 CLEARFIELD CLIENTS PAYMENT_INSTRUCTIONS (only clears the payment instruction defined in all the Client & Brand file)

*Clear Agency fee % from Client & Brand file F5 CLEARFIELD CLIENTS FEE (only clears the agency fee defined for all Client & Brand flies)

==Mass updating database without data entry==

Warning: It is advisable that you take the approval of NEOSYS DBA or programmers before doing any of the following procedures. There is no protection whatsoever from damaging the database if you do not appreciate all the implications of any particular update. Common sense and caution must be used. If you damage a database then it may be, or with operation become, irretrievably damaged and require reconstruction from a backup causing possibly extreme finance damages to the owner of the data and consequences for yourself. You have been warned.

There are many commands in maintenance mode that allow you to amend the database directly and without any record and without any ability to reverse changes.

Normally, no record of the changes is made. All changes will appear to have been done by the last user at the time and date of the last normal user interface amendments.

===Available fields to clear or set===

#Client & Brand File: CLIENTS MARKET_CODE
#Client & Brand File: BRANDS MARKET_CODE

===How to clear a database field===

Assuming that a particular database field may be blank (i.e. not required for data entry) then you may clear a field as follows.

Warning: There is nothing to stop you clearing a field that is mandatory and doing this may cause irrecoverable damage to the database.

In the following example we wish to change all clients with market code “UAE to have market code blank.

First, if you don’t want to clear all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “UAE”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE

===How to set a database field===

In the following example we change all the clients where the market code is blank (has not been entered) to become “UAE”.

Warning: You can set the market code to a market code that does not exist. This will cause various problems in the operation of the system but is probably not irrecoverable.

First, if you don’t want to set all records, “select” the required records.

SELECT CLIENTS WITH MARKET_CODE “”

After a period of time, depending on the number of records in the file, it should briefly state the number of records selected and then return to the command prompt.

WARNING: If no records have been selected then ALL records will be updated by the following command!

CLEARFIELD CLIENTS MARKET_CODE/UAE

==Backup to other media (i.e. not to USB)==

[[Backup and Restore#Backup to other media (i.e. not to USB)|Backup to other media]]

== Re-ordering databases in maintenance mode ==

# Open NEOSYS in maintenance mode
# General > Backup & data management > Reorder databases
# Pressing the Enter key select/deselect the databases in the order required.
# Press F9 once and confirm that the databases are in the required order, if not go back to Step 3.
# Press F9 again and select Yes to save the reordered list.

==Copying a single record from one database to another==

You need to know the file name and record key of the record to be copied.

In this case the file is DEFINITIONS and the key is AGENCY.PARAMS

You can invent any old style 8.3 filename instead of C:\AGP.DAT in the following example

On the source computer:

F5
COPY DEFINITIONS AGENCY.PARAMS TO: (DOS C:\AGP.DAT)

On the target computer:

F5
COPY DOS C:\AGP.DAT (ON) TO: (DEFINITIONS AGENCY.PARAMS)

The (O) option is required to force overwrite of the existing

The (N) option means only copy if the target already exists. It is advisable to use it when you know that the target already exists to avoid misspellings in the command. It must be omitted if the target doesnt exist.

==Allowing users temporary login as NEOSYS in maintenance mode==

#Get them to login with any name even NEOSYS
#Get them to enter "?" for the pass without the quotes
#NEOSYS will give them a lock like "NEOSYS 123456" which they must give you. You should not log out until the next step is completed
#Follow the NEOSYS lock/key procedure using the full contents of the lock including the user name

(to allow access EXCEPT access to authorisation screen use a special number (not documented here) as the last number of the initial command)

#Give them the key and get them to enter and proceed

==Configuring upload of photoshop "cs2" jpg files==

Photoshop version "cs2" produces jpg files that cannot be viewed in Internet Explorer.

A solution is to rename the files extension from .jpg to .psjpg before uploading.

"psjpg" files are an invention of NEOSYS and IIS must be configured to handle .psjpg files as follows:

Windows Server 2003 (doesnt work on XP)

#Computer Management, Internet Information Server, Properties
#Click MIME Types
#Click New
#Extension: psjpg
#MIME Type: application/photoshop
#Click OK,OK,OK
#Restart IIS (Right click, All Tasks, Restart)

File:Win 10PRO New Installation Checklist1.odt

2021-01-31T08:08:10Z

Pratishthit: Pratishthit uploaded a new version of File:Win 10PRO New Installation Checklist1.odt

Setting up and using remote support

2021-01-31T06:45:16Z

Pratishthit: Added section "Enable remote connection to allow connection from Remmina"

==Getting agreement of client IT staff to provide remote access==

[[Letter to obtain agreement of client IT staff to provide remote access]]

==Initial Connection to the server before setting up permanent remote connection==

For remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. Use either use your customised reverse connect UltraVNC SC file or the one-time run [[link:neosys.com/help | Teamviewer]] utility. (Teamviewer is typically used)

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

==Installing and configuring SSH==
===Installing Cygwin with OPENSSH===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

Read [[Avoid Corrupting Cygwin Installations]]

#Instruct client to login to server as Administrator.
#Connect to client server via Teamviewer or customised reverse connect UltraVNC SC file.
#ENSURE that you are logged in as the local (NOT DOMAIN) administrator.
#Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
#Download source: '''Install from Internet'''
#Root Directory: '''c:\cygwin'''
#Local Package Directory: '''c:\cygwin.lib'''
#Choose "yes" to "Folder does not exist. Create new?"
#Internet Connection: '''Direct Connection'''
#Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
#Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
#Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
#Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
#Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
#Click Next and complete the installation

===Win32 Error===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

===Configuring and starting SSHD===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshs_config file? yes
.
StrictModes - no
Privilege – yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net start sshd

===Configuring SSHD to use a non-standard port number===

This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is SIGNIFICANT AND CANNOT BE IGNORED in cygwin/linux commands

open cygwin command prompt

nano /etc/sshd_config

change the Port to look like this:

#Port 22
Port 19580

Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.

net stop cygsshd
net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net stop sshd
net start sshd

To check that the server is running and listening on port 19580

ssh -p 19580 administrator@localhost

If you are asked for to confirm the server id is correct or enter password then the check is successful. No need to continue.

===Changing ssh login from “Administrator” to “administrator”===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

===Error while changing Cygwin port 22 to 19580===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Enable Remote Connection on Windows to allow connection through Remmina ===

# Open System Properties from Explorer
# Click on Remote settings
# Under 'Remote' section, check Remote Assistance (disabled on Win 2008 servers) and Remote Desktop to allow remote connections to this computer.

[[File:Win remote connection.png]]

===Opening up ssh connections to additional source ip nos===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

Enter IP numbers or CIDR format:

sshd 12.34.56.78
sshd 12.34.0.0/16

===Setting up email alerts for cygwin ssh logins===

1. Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages. MUST READ [[Avoid_Corrupting_Cygwin_Installations#To_see_what_modules_Cygwin_is_going_to_update |See what modules Cygwin is going to update]]

2. Run Cygwin and copy & paste script below into new file sshrc. Change it@neosys.com to the email ID to which the alert needs to be sent.

nano /etc/sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

3. Give execute permission to sshrc script file for all groups (owner, group, other):

chmod a+x sshrc

4.Add trusted IPs by copying & pasting text below:

cd /etc
nano trustedipnos

<pre>
#IP ranges and CIDR etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

===Quick way of adding all Support's public keys to allow Remmina support===

If a server has lost all authorised keys in .ssh/authorized_keys file, then instead of Support adding their public key individually using "./autologin.sh" use this method:

#Connect via SSH to any other client server that has support team's public keys saved.
#Then open Cygwin and type: <pre>cat .ssh/authorized_keys</pre>
#Select and copy all the text in the file. i.e public keys
#Exit and connect to the the new client and open Cygwin and type:<pre>nano .ssh/authorized_keys</pre>
#Right click and paste the copied keys in a new line below any possible existing keys ensuring that each key appears in a separate single line and then save and close the authorized_keys file.
#Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key option) in Remmina.

===Testing SSH connection to the NEOSYS server over port 19580===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

===Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

====Possible Problem 1 - Port mapping in router is using NAT====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

====Solution 1A====

Change the router configuration to not use NAT and leave the genuine original source IP number

====Solution 1B====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

===Troubleshooting sshd===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

===Reinstalling SSHD if service fails to startup===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

==Upgrading SSHD / Cygwin==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_7.7 (protocol 2.0)

Before updating Cygwin or its packages you MUST read [[Avoid Corrupting Cygwin Installations]]

===Upgrading Cygwin remotely===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

====Upgrading Cygwin with a script====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

*either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
*or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
*or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

=====Running the script=====

[[Setting_up_and_using_remote_support#Finding_the_script|Locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the version shown at http://www.neosys.com/support/upgradecygwin.cmd and ensure that the script you are using is the latest one, as the script is updated with fixes for problems faced in the past.

The upgradecygwin.cmd script will try to download the latest version of setup-x86 from cygwin.com. In case it is not possible to download the setup-x86.exe file from cygwin.com due to proxy/firewall or other issues, then follow the below steps before running the cygwin upgrade script.

#Download setup-x86.exe manually from http://www.cygwin.com/setup-x86.exe
#Place it in the same directory as the upgrade script
#Rename it to "setup-x86-manual.exe". The cygwin upgrade script will rename this file to setup-x86.exe

If you initiate the script while connected on ssh using tunnelier/remmina etc. halfway through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re-enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send the email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending the email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

=====Verifying successful run=====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

=====Dealing with reboot required=====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

=====Finding the script=====

The latest version of the script can be found in the latest version of NEOSYS. The script is installed in the neosys\neosys directory.

For older versions of NEOSYS it can be created or upgraded as follows:

Open http://www.neosys.com/support/upgradecygwin.cmd on your browser to view the script.

Then copy the script onto notepad on the server and save this as a .cmd file in the location mentioned below:

Single installation
x:\neosys\neosys\upgradecygwin.cmd

Multiple installation
x:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

where x is the drive in which NEOSYS is installed.

====How to check Cygwin version ?====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

==How to uninstall/reinstall cygwin==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

==Adding packages to Cygwin after installation==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

===Adding individual packages to cygwin without doing a full upgrade===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

==Getting Ownership and Permissions Correct==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

==Configuring Firewall/Router==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

==Configuring Specific Client Routers==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

==How to install ssh on port 19580 over vnc on port 19580==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

==Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

==Installing and configuring UltraVNC==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

==Remote Desktop Connection==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

===Changing RDC port from standard to nonstandard===

#Start Registry Editor.
#Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

#On the Edit menu, click Modify, and then click Decimal.
#Type the new port number, and then click OK.
#Quit Registry Editor.

==Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

===Error Message===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

===Solution 1===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

===Solution 2===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

===Solution 3===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

===Solution 4===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

File:Win remote connection.png

2021-01-31T06:34:58Z

Pratishthit:

Allow remote connection from system properties

Configuring NEOSYS on Windows 10

2021-01-28T09:15:39Z

Pratishthit: Prevent Windows 10 from entering sleep mode

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Prevent Windows 10 from entering sleep mode===

#Search for 'Power' in the Windows search bar and open 'Power & Sleep settings'
#From the dropdown select 'Never' for both Screen and Sleep times

[[image:Win10sleepmode.jpg]]

===Installing Telnet using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check Telnet Client if not selected already
#Also navigate to Legacy Components and tick NTVDM.
#Click OK

[[File:Win10checkNTVDM.png|alt=]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen1.jpg|link=Special:FilePath/Win10smartscreen1.jpg]]
[[image:Win10smartscreen2.jpg|link=Special:FilePath/Win10smartscreen2.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

Configuring NEOSYS on Windows 10

2021-01-28T09:12:20Z

Pratishthit: /* Installing NEOSYS on Windows 10 */

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Prevent Windows 10 from going to sleep===

#Search for 'Power' in the Windows search bar and open 'Power & Sleep settings'
#From the dropdown select 'Never' for both Screen and Sleep times

[[image:Win10sleepmode.jpg]]

===Installing Telnet using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check Telnet Client if not selected already
#Also navigate to Legacy Components and tick NTVDM.
#Click OK

[[File:Win10checkNTVDM.png|alt=]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen1.jpg|link=Special:FilePath/Win10smartscreen1.jpg]]
[[image:Win10smartscreen2.jpg|link=Special:FilePath/Win10smartscreen2.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

File:Win10sleepmode.jpg

2021-01-28T09:08:25Z

Pratishthit: Pratishthit uploaded a new version of File:Win10sleepmode.jpg

File:Win10sleepmode.jpg

2021-01-28T09:05:43Z

Pratishthit:

File:Win10smartscreen2.jpg

2021-01-28T08:56:33Z

Pratishthit:

Configuring NEOSYS on Windows 10

2021-01-28T08:56:15Z

Pratishthit: /* Turning off Windows Smartscreen Protection */

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Installing Telnet using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check Telnet Client if not selected already
#Also navigate to Legacy Components and tick NTVDM.
#Click OK

[[File:Win10checkNTVDM.png|alt=]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen1.jpg|link=Special:FilePath/Win10smartscreen1.jpg]]
[[image:Win10smartscreen2.jpg|link=Special:FilePath/Win10smartscreen2.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

Configuring NEOSYS on Windows 10

2021-01-28T08:55:41Z

Pratishthit: /* Turning off Windows Smartscreen Protection */

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Installing Telnet using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check Telnet Client if not selected already
#Also navigate to Legacy Components and tick NTVDM.
#Click OK

[[File:Win10checkNTVDM.png|alt=]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen1.jpg|link=Special:FilePath/Win10smartscreen1.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

File:Win10smartscreen1.jpg

2021-01-26T13:17:32Z

Pratishthit:

Configuring NEOSYS on Windows 10

2021-01-26T07:53:58Z

Pratishthit: Removed step to add IIS as a feature, and added a check for Telnet Client

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Installing Telnet using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check Telnet Client if not selected already
#Also navigate to Legacy Components and tick NTVDM.
#Click OK

[[File:Win10checkNTVDM.png|alt=]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen.jpg|link=Special:FilePath/Win10smartscreen.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

File:Win10checkNTVDM.png

2021-01-26T06:13:20Z

Pratishthit:

Check NVTDM and Telnet Client

Installing & Configuring Apache

2021-01-24T13:29:26Z

Pratishthit: Updated the SCP command with IT/initapache/

The majority of Apache installation and configuration is performed by ~/Nextcloud/Support/IT/initapache_v47.sh script.

(In the following commands, replace <XXX> with corresponding value)

1. If installing NEOSYS on client hosted server continue to step 2, otherwise if installing on NEOSYS hosted server i.e win3 then skip to step 9.

2. Copy the installation script to the server's D drive.
<pre>scp -P <SSHPORTNO> ~/Nextcloud/support/IT/initapache/initapache_v<LATESTVERSIONNO>.sh administrator@<HOSTNAME>.hosts.neosys.com:/cygdrive/d/</pre>
3. Open Cygwin as administrator on server. (Shift + Right click) and convert the installation script into W indows format. (Otherwise script execution will contain syntax errors "\r", due to the different characters use by Linux and windows for new lines)<pre>d2u D:/initapache_v47.sh</pre>
5. Execute script.
<pre>./initapache_v47.sh <CLIENTHOSTNAME>" </pre>
6. The script will proceed to do a number of verifications on system. If all test are okay, enter 'Y' to start installation as prompted to do so.
<pre>
Verify OK to proceed
--------------------
Port: 443
Dir: D:/neosys/neosys.net
Root: /d
-------------------------------------
OK to start? (Y=Yes)
</pre>
7. A Microsoft Visual C++ 2015-2019 installation window will popup, follow the steps to install. (If already installed like on win3, hit cancel)

8. Then you will be prompted to install the certificates from nl19/bkup. Follow the instructions to edit /distributecerts.sh. (This script simply copies latest LetsEncrypt certificate into D:/Apache24)

9. If the client is on win3, add the new client site to D:\Apache24\conf\neosys2.conf using existing clients as an example. (Make sure to arrange in alphabetical order)

10. Test if you can access NEOSYS login.

*If on client hosted server use: http://localhost
*If on win3 use https://<CLIENTHOSTNAME>.hosts.neosys.com

11. In the new client's NEOSYS/DATA folder, create a text file, enter '720' and save as 'DATA.CFG'.

For any issues check the initapache.sh script and neosys.conf file for solutions.

Uninstalling clients hosted on client Server

2021-01-03T06:12:17Z

Pratishthit: Added 2 steps for permanent deletion of a client

#Install a license covering all previous years, and periods if part year termination, in one go for all modules and with the usual seven days grace period so that the client may continue using the system for paid up periods and years without support, but not create documents related to later periods after they stop paying.
#In support home page (support.htm), strike-through the terminated client's link.
#Stop recording daily backup of the databases in google drive file once it is terminated.
#In Nagios, if the status of the stopped host is DOWN or the status of any of its services is CRITICAL/WARNING for 30 days or more, then comment out the lines in the Nagios configuration file only for the services that are not working, so that Nagios stops alerting for it.
#If the terminated client is permanently closing operations or is shifting/has shifted to another location (i.e. different IP address), then comment out all lines for the client in Nagios configuration file and delete the associated entry from Zone Edit.
#Close all processes and delete all .cmd files needed to start NEOSYS processes.
#Disable the scheduled tasks from Task Scheduler for restarting Apache and starting NEOSYS processes.

Configuring NEOSYS on Windows 10

2020-12-07T10:35:17Z

Pratishthit: /* Turning off Windows Smartscreen Protection */

==Installing NEOSYS on Windows 10==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

===Get NEOSYS process running===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

===Installing IIS using Windows Features & enable NTVDM===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check and expand 'Internet Information Services'
#Expand 'World Wide Web Services'
#Expand 'Application Development Features'
#Check 'ASP'
#Click OK
#Also navigate to Legacy Components and tick NTVDM.

[[image:Win10checkASP.jpg]]

===Turning off Windows Smartscreen Protection===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to log out of administrator and login again afterwards for the new settings to actually take effect.

[[image:Win10smartscreen.jpg|link=Special:FilePath/Win10smartscreen.jpg]]

===Excluding ntvdm.exe from Windows Defender===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

===Running AREV.EXE in compatibility mode===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

===Configuring Windows Automatic Update===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

===Enabling Task Scheduler History===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

Configuring NEOSYS on Windows 10

2020-12-06T11:37:44Z

Pratishthit: /* Installing NEOSYS on Windows 10 */

== Installing NEOSYS on Windows 10 ==

32 bit Windows 10 Pro and Enterprise (NOT 64 bit) will run and serve NEOSYS fine.

32 bit Windows Home is not fully suitable because it does not have IIS web server. NEOSYS processes will run on Windows 10 Home 32 bit but IIS will have to be configured on another computer with access to the NEOSYS folders via a share. The computer running IIS could be any version of Windows including 64 bit.

=== Get NEOSYS process running ===

#Open command prompt.
#Right click on window and select 'Properties'.
#Check "Use Legacy Console".

[[image:Win10legacyoption.jpg]]

=== Installing IIS using Windows Features & enable NTVDM ===

#Search for 'Windows features' in the Windows search bar and open 'Turn Windows features on or off'
#Check and expand 'Internet Information Services'
#Expand 'World Wide Web Services'
#Expand 'Application Development Features'
#Check 'ASP'
#Click OK
#Also navigate to Legacy Components and tick NTVDM.
[[image:Win10checkASP.jpg]]

=== Turning off Windows Smartscreen Protection ===

Even if Windows Defender is switched off, Windows Smartscreen will also block various NEOSYS files just for fun so it must be switched off as follows.

#Use windows search bar to search for "Smartscreen" and navigate to Reputation-based protection.
#Disable all the sections on this page

Make sure to logout of administrator and login again afterwards (perhaps even needs a complete reboot) for the new settings to actually take effect.

[[image:Win10smartscreen.jpg]]

=== Excluding ntvdm.exe from Windows Defender ===

Must be done otherwise performance according to FILESPEED is 10 to 20 times slower.

#Use windows search bar to navigate to 'Virus & threat protection', 'Virus & threat protection settings'.
#Scroll down to subheading 'Exclusions' and click on 'Add or remove exclusions'.
#Click + button and add process "ntvdm.exe".

Note that excluding folders or file extensions does not fully restore file speed to NEOSYS whereas excluding process ntvdm.exe does.

[[image:Win10exclusion1.png]]

=== Running AREV.EXE in compatibility mode ===

#Right click AREV.EXE in \neosys\ folder
#Properties
#Compatibility tab
#Run with compatibility for Win95

=== Configuring Windows Automatic Update ===

#Use windows search bar to navigate to 'Local Group Policy Editor'.
#Expand 'Computer Configuration'.
#Expand 'Administrative Templates'.
#Expand 'Windows Components'.
#Scroll down & expand 'Windows Update'.
#Double click on 'Configure Automatic Updates'.
#Check 'Enabled'.
#In drop down menu choose the "4 - Auto download and schedule the install" option.
#Then choose the required Scheduled install day e.g. "1 - Every Sunday".
#Time by default is set to 3:00.
#Click apply and then OK.
#Double click on "Always automatically restart at the scheduled time".
#Check 'Enabled'.
#Click apply and then OK.

[[image:Win10setAutoUpdate.jpg]]

[[image:Win10setAutoRestart.jpg]]

=== Enabling Task Scheduler History ===

Windows 10 has Task Scheduler history disabled by default, making it difficult to investigate scheduled task failures.

To enable task history, on the Task Scheduler window click "Enable All Tasks History" under "Actions" as shown below.

[[image:Enablehistory.jpg]]

Troubleshooting email not received

2020-11-18T08:20:23Z

Pratishthit: /* Troubleshooting email not received */

== Troubleshooting email not received ==

=== Was any email actually sent? ===

Possibly the server was switched off at the time the email was supposed to be sent. Check the server uptime or logs. Check NEOSYS server monitor history.

Rerun the report or program with the exact same options and conditions. Monitor the process on the server maintenance screen looking for messages that emails have been sent or not.

==== Error: The requested body part was not found in this message ====

This error appears on Windows 10 installations when the Windows display language and the Regional Format language are not the same.

To solve, In Windows Settings > Time & Language > Language make sure Windows Display language is the same as Regional Format in the Region section. Recommended language is English (US).

=== Check log for any problems sending email ===

#First step is Login to client’s server, open NEOSYS check the logs in support menu.
#It will generate the log report, check the report thoroughly and see if there is any error shown around the time that the emails were supposed to be sent.

==== Error: No logs found ====
No logs found for the date while checking the logs in support menu.

'''Error explained''':
This above error means that no error has been logged on the date you selected.

==== Error: Failed to connect to the server ====

[[Image:001.png]]

If report shows the error shown above then do the following steps to check why the email was not sent out.

This above error means that but the mail could not be sent due to an inability to connect to the outgoing email server.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Check NEOSYS email configuration ===

NEOSYS needs to know how to send email. The default configuration is mailout.neosys.com 2500

Check the configuration in NEOSYS Support Menu, System Configuration File.

=== Send a test email ===

WARNING This test requires a version of NEOSYS later than 5th Dec 2012 otherwise no error message is shown in some cases when there is in fact an error.

Check if you can send a test email. Go to maintenance mode and press F5 then type the following.

sendmail support@neosys.com

If mail server accepts the message then you will see the following.

This is no guarantee that the mail server can or will deliver the email to the recipient.

╔══════════════════════════════════════════════════════════════════════════╗
║STEP 1 OK. Mail for SUPPORT@NEOSYS.COM accepted by mail server. ║
║ ║
║Sent using: ║
║fromaddress=amc@neosys.com ║
║smtphostname=mailout.neosys.com ║
║smtpportno=2500 ║
║smtptimeoutsecs= ║
║smtpusessl= ║
║smtpauthtype= ║
║smtpuserid= ║
║smtppassword= ║
║toaddress="SUPPOR@NEOSYS.COM" ║
║subject="NEOSYS: test email test subject" ║
║body="@$4549566.TXT" ║
║ ║
║STEP 2. Now check if actually received by recipient to verify ║
║that the mail server can actually deliver email to SUPPOR@NEOSYS.COM ║
║and that SUPPOR@NEOSYS.COM can receive email from the server ║
║ ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════════════════╝

If there is some problem connecting to the mail server then you might see something like the following:

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The transport ║
║ failed to connect to the server. ║
║ ║
║ From: companyxyz@neosys.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

To solve unreliable connections to NEOSYS email server, see [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Invalid Sender Email Address in NEOSYS System Configuration File ===

The following problem might indicate that the "Sender email address" is not acceptable to the mail server - even though the message mentions a problem with "recipient addresses".

For sending email via the default NEOSYS mailout.neosys.com server the "Sender Email Address" MUST end in @neosys.com eg companyxyz@neosys.com.

╔══════════════════════════════════════════════════════════════╗
║ SUPPORT@NEOSYS.COM ║
║ Error in sendmail.js, CDO.Message.Send(). The server ║
║ rejected one or more recipient addresses. The server ║
║ response was: 550 Administrative prohibition ║
║ ║
║ From: neosys@companyxyz.com ║
║ To: support@neosys.com ║
║ Server: mailout.neosys.com ║
║ Port: 2500 ║
║ < Press any key > ║
╚══════════════════════════════════════════════════════════════╝

=== Check the size of the mail being sent to client's email account===

Email could be missing due to the reason that NEOSYS mail exceeds the upper limit of mail size on client mail server. Confirm the upper limit of mail size with client IT and check the size of email being sent by NEOSYS. For large clients a whole years report could exceed 10MB, which is the common upper limit for most mail servers. Ask client's IT to increase the upper limit of mail size to receive emails with large report from NEOSYS. NEOSYS staff can advise users to test a report attached email for a small period to check if emailed reports can actually be received by client's email or not. Also see [http://userwiki.neosys.com/index.php/Media_FAQ#How_to_handle_.22No_Response_from_the_database_server_in_600_seconds.22 whether email is received when Email Body is chosen as the Report Delivery option.]

=== Check Nagios system if any email stuck in outgoing email queue ===

Nagios Monitoring system checks and warns if there are any emails stuck in outgoing email queues on all NEOSYS servers, including imap/smtp, nl8, mailout and mailout2.

If there are any emails in the queues, Nagios Monitoring system will report the problem and you can get information about exactly what is pending and why it is, by clicking and inspecting the service in detail.

=== Check low level network connectivity to the mail server ===

To test if there is basic connectivity - from the client server to the configured email server, type the following in command prompt, on the client server.

You might need to install Windows option for Telnet on Windows 2008. A software firewall installed on the workstation may block connections selectively by program so you might be able to send email by telnet but not by outlook for example.

Assuming that the configuration is the default of mailout.neosys.com port 2500. You must use your configuration.

telnet mailout.neosys.com 2500

it will show you

Connecting to mailout.neosys.com ...

==== Successful connection ====

Blank window with some text at the top. This text can vary slightly but will usually mention SMTP somewhere.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)

Try to send an email using telnet as shown below. Type the bits in bold in the following with no mistyping since backspace doesn't work.

220 mailout.neosys.com ESMTP Postfix (Ubuntu)
'''helo steve'''
250 mailout.neosys.com
'''mail from:<clientname@neosys.com>''' (use client name which is appropriate to the situation to identify sender)
250 2.1.0 Ok
'''rcpt to:<support@neosys.com>''' (use a recipient email ID which is appropriate to the the situation)
250 2.1.5 Ok
'''data'''
354 End data with <CR><LF>.<CR><LF>
'''Testing'''
'''Testing''' (don't forget to end with a dot on a new line)
'''.'''
250 2.0.0 Ok: queued as 872B21F6
'''quit'''
221 2.0.0 Bye
Connection to host lost.

==== Unsuccessful connection ====

If there is some network connection problem or the mail server is not running then after a while it will show something like:

Could not connect to the host, on port 2500: Connect failed

If you determine that there is a basic problem connecting to the mail server then and other locations are not facing the same problem then contact the IT administrator of the network and probe if they have outgoing ports (2500 in this case) blocked or filtered on their firewall.

See [[Troubleshooting_NEOSYS_Generally#Solving_NEOSYS_smtp_server_failure|Solving NEOSYS smtp server failure]]

=== Ensure missing email is not being treated as spam by NEOSYS email server ===

Email could be missing due to the reason that NEOSYS mail server might be treating it like spam.
Escalate issue to NEOSYS IT, who will check if missing email is being treated as spam.

Preliminary Check-list and other Misc items

2020-11-18T07:54:31Z

Pratishthit: Added the language step for Win 10 installations

For Windows 2003 and 2008 - Refer to Installation Checklist to follow the order of doing it

#Make sure you have changed the default password to a strong one as per the guidelines
#Make sure that Windows is activated
#Make sure not connected to domain controller
#No services like IIS and no server roles are installed
#Installed with more than one partition (C: D:)
#Make sure the system has a static internal IP address
#Away in a secure place and secure power cable
#Microsoft network client should be disabled on all network connections.
#Make sure that the boot sequence is correct (CD,HDD,USB) - Allowing "Boot from USB" causes a severe risk of infection by boot sector viruses since the first infected USB device inserted WILL infect the server immediately as anti-virus programs are not active during boot
#Ensure the Windows CD/ I386 folder is copied to C Drive. (Not required for Windows Server 2008 and Windows 10)
#All high priority Windows updates from Microsoft are installed
#Automatic Windows update is configured to install at 3AM and can be on any day between Sunday to Thursday since Support will be available to restart NEOSYS processes after a server restart. Refer [http://techwiki.neosys.com/index.php/Installing_NEOSYS_Service#Setting_up_daily_scheduled_tasks How to configure daily Scheduled Tasks]
#Make all desktop icons visible (right click on desktop > Personalise > Change desktop icons and tick Computer, User Files, Network, Recycle Bin and Control Panel)
#Change the name of the server to NEOSYS
#In Tools > Folder Options > View – Tick Show hidden files and folders and Un-tick Hide extensions
#Check time zone and make sure it is set to the correct region of installation
#In Settings > Time & Language > Language make sure Windows Display language is the same as Regional Format in the Region section. Recommended language is English (US). (Only required for Windows 10)
#Disable Autorun (all drives) – Run > gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Auto Play Policies > Turn off Autoplay should be enabled for All Drives
#Enable Audit Privilege Use – Control Panel > Administrative Tools > Local Security Policy > Local Policy > Audit Policy > Audit Privilege Use – Tick both Success and Failure
#Disable password expiry – Control Panel > Administrative Tools > Local Security Policy > Account Policies > Password Policy > Maximum password age – Change to "0" days.
#Rename D drive name to NEOSYS
#Create shortcuts for Computer Management, D drive, Scheduled Tasks and Command Prompt in the Quick Launch area
#Use Client's/ISP's DNS and not a general service like 8.8.8.8 so that we are aware of any significant network changes.

For Windows 2008 (additional)

#[[Changing username from Administrator to administrator|Rename Administrator to administrator (A should be in small caps)]]

===Configuring the administrator account in Windows 10===

run cmd as administrator then

Rename Administrator to be administrator (BEFORE INSTALLING CYGWIN). Check in Computer management that it is successful.

wmic useraccount where name='Administrator' rename 'administrator'

Set a password for administrator and enable login

net user administrator *
net user administrator /active:yes

Installing & Configuring Apache

2020-06-29T12:48:54Z

Pratishthit: Removed the step (9) to create a windows scheduled task, since the script (from v49) will create the task.

The majority of Apache installation and configuration is performed by ~/Nextcloud/Support/IT/initapache_v47.sh script.

(In the following commands, replace <XXX> with corresponding value)

1. If installing NEOSYS on client hosted server continue to step 2, otherwise if installing on NEOSYS hosted server i.e win3 then skip to step 9.

2. Copy the installation script to the server's D drive.
<pre>scp -P <SSHPORTNO> ~/Nextcloud/support/IT/initapache_v<LATESTVERSIONNO>.sh administrator@<HOSTNAME>.hosts.neosys.com:/cygdrive/d/</pre>
3. Open Cygwin as administrator on server. (Shift + Right click) and convert the installation script into W indows format. (Otherwise script execution will contain syntax errors "\r", due to the different characters use by Linux and windows for new lines)<pre>d2u D:/initapache_v47.sh</pre>
5. Execute script.
<pre>./initapache_v47.sh <CLIENTHOSTNAME>" </pre>
6. The script will proceed to do a number of verifications on system. If all test are okay, enter 'Y' to start installation as prompted to do so.
<pre>
Verify OK to proceed
--------------------
Port: 443
Dir: D:/neosys/neosys.net
Root: /d
-------------------------------------
OK to start? (Y=Yes)
</pre>
7. A Microsoft Visual C++ 2015-2019 installation window will popup, follow the steps to install. (If already installed like on win3, hit cancel)

8. Then you will be prompted to install the certificates from nl19/bkup. Follow the instructions to edit /distributecerts.sh. (This script simply copies latest LetsEncrypt certificate into D:/Apache24)

9. If the client is on win3, add the new client site to D:\Apache24\conf\neosys2.conf using existing clients as an example. (Make sure to arrange in alphabetical order)

10. Test if you can access NEOSYS login.

*If on client hosted server use: http://localhost
*If on win3 use https://<CLIENTHOSTNAME>.hosts.neosys.com

11. In the new client's NEOSYS/DATA folder, create a text file, enter '720' and save as 'DATA.CFG'.

For any issues check the initapache.sh script and neosys.conf file for solutions.

Troubleshooting NEOSYS Generally

2020-01-16T13:54:26Z

Pratishthit: How to find the physical disk space occupied by logical files

==Solving failure to start a NEOSYS server due to disk failure message==
===Problem===
During a reboot process (which maybe due to a Windows update or even done by a support personnel) the NEOSYS server gets hung on the startup and shows a message "Boot Failure - Abort, Retry".

===Temporary solution===
This typically happens due to the USB being plugged into the server and the boot sequence being wrong - i.e. the server trying to boot from the USB first and fails. The immediate solution would be to unplug the USB and ask the client to reboot the server again and upon successfully rebooting the system, plug the USB back again.

===Permanent solution===
The above problem will occur every time the computer is rebooted, so you need to immediately talk to the IT Administrator of the client and ask them to rectify the boot sequence to make it boot first from the CD ROM, then the HDD and last the USB.
 Allowing "Boot from USB" causes a severe risk of infection by boot sector viruses since the first infected USB device inserted WILL infect the server immediately as anti-virus programs are not active during boot.

==Replicate options used & error using sysmsg Data:==

NEOSYS users will send screenshots with the error message which often blocks options used, slowing down the ability to replicate the problem.

NEOSYS when a user faces a system error, NEOSYS sends a email with the error information, including texted that cann be used to recreate the optioned used at the time.
Thus avoiding the need to ask the user to send another screenshot without the error message.

Find the form data in the raw text of the emailed error message.

[[image:Rawformdatapng.png]]

Sadly normal email view renders it useless by mangling it, treating ^ as formatting character superscript.

The form raw data will be something like this:

1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2

First prepare a command by inserting the above form data into the following command in place of %FORMDATA%. Do it anywhere you can cut and paste text.

form_setdefault('%FORMDATA%')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('%FORMDATA%'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Achieving the following command:

form_setdefault('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2')

or in old versions of NEOSYS

gro.defaultrevstr=unescape('1^^^1^3^3^^^^^^^^^^^^^^^3^^^^^^^^^18319^18319^^^^^^^^^4^^0^^^^^^^^^^^^^1}2'.neosysconvert('`^]}\~',rm+fm+vm+sm+tm+stm))

Once you have constructed the command, do the following:

#As NEOSYS user, get onto the exact same screen as the user was in when they got the message. (Using the screenshot they send)
#Press Ctrl+Shift+F12 - to get a NEOSYS javascript prompt
#Paste the command and Press Enter - to execute the command - it must confirm with "setdefaultform( ... ) = ok"
#Press Enter or click OK - to remove the confirmation
#Press Esc or click Cancel - to close the javascript prompt
#Press F8 or click Close - to refresh the form
#The form should now be filled in correctly including any hidden fields.

==[[Administering_NEOSYS_Server#Clearing_File_Locks| Troubleshooting "Document is being updated" message]]==

==Troubleshooting the "Database not available" error message==
===Problem explained===
This error appears when you try to login to NEOSYS after you enter your username and password and click the Login button.

[[image:database_unavailable.jpg]]

Error message :

Cannot login because :
Error : The (database code) database is not available right now.

If the error message appears post login i.e. when users are working on the system then check if processes are free to run user request.

[[image:not_available.jpg]]

===Solution explained===

#Determine if the processes are running. If they are running and you still get the same message that means that either the processes have [[Troubleshooting_NEOSYS_Generally#Troubleshooting_Hung_processes|hung]] and need to be [[Troubleshooting_NEOSYS_Generally#How_to_kill_hung_NEOSYS_processes|killed]].
#If the processes are not visible on the desktop, it is possible that they are running in the background and have hung for some reason. Check the windows task manager to see if any ‘ntvdm’ process is running and [[Troubleshooting_NEOSYS_Generally#If_NEOSYS_processes_are_not_visible_on_the_server_desktop|fix hung processes]].
#If not hung then the available processes may be busy running long reports and a new process needs to be started. Refer to [[Handling_Nagios_Client_Monitoring_System#Counting_current_active_users| counting current active users]] to get a sense of the processing requirements for an installation.
#If there are processes available which are not hung or busy running reports, then ensure that the URL is pointing to the correct IP address and not to a wrong one e.g. a backup server.
#If the process had not hung and no processes running, then the server might have restarted due to a power failure or a windows update and the administrator user had not logged in post the scheduled startup time of 6AM. To determine the cause of this, investigate in the Windows Event Viewer Log file.
#You can now start up the process by clicking on the respective desktop icons.
#Also check if the nightly backup took place successfully or not.
#Look into the logs at the date/time stated for the last transaction processed to investigate why process got hung. See [[Troubleshooting_NEOSYS_Generally#Inspecting_Database_LOGS_Folder| Inspecting logs]] for more information on logs.

==Fixing missing ADAGENCY.VOL==

The file contains database info required on Login Page and the directory paths of the NEOSYS programs and DATA required for maintenance mode.

===Problem===

When accessing NEOSYS Login Page: "Error: Cannot read D:\NEOSYS\NEOSYS\ADAGENCY.VOL".

This error will occur when the ADAGENCY.VOL file has been deleted (has previously happened after failed backup and after upgrading NEOSYS) or the file has become corrupt after a bad disk block was "fixed" by windows CHKDISK.

===Solution===

Manually recreate the file and its text contents (or if installation is on win3 use the nl13 snapshots).

In example below, only make changes to first line: (Maintenance mode login at dataset selection will display info)

Syntax: ZXC <DATASET NAME, DATASET CODE,,LAST BACKUP DATE>*..> (Separate each database's details with '*')

Example:
<pre>
ZXC TEST,TEST,,25 MAR 2019*XDEVTEST,XDEVTEST,,17 SEP 2018
.\ACCOUNTS
.\GENERAL
.\ADAGENCY
..\DATA\ZXC\GENERAL
..\DATA\ZXC\ACCOUNTS
..\DATA\ZXC\ADAGENCY
</pre>

==Troubleshooting "user not authorised to login from a location" error message==
[[image:IPerror.jpg]]

'''Error message:'''
xxx is not authorised to login form the location (IP Number. xx.xx.xx.xx)

'''Solution Explained:'''

Check the URL used and follow the steps below to check if it is correct and email the user accordingly.

#If the Client installation is hosted on NEOSYS server then users can use only https link to access NEOSYS.
#*Check with the client's management if this particular IP is their public IP.
#*Add IP on management confirmation (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )
#In case of Client hosted server, users should access NEOSYS via LAN using the http link.
#*There can be exceptional cases where user needs to access NEOSYS outside the office Network e.g a client installation with two companies at different locations and NEOSYS installed at one. In this case Support will have to add the IP number of the second company so that users can access NEOSYS. But before you even suggest to add the IP, get the request from their management saying that the IP number is another office location and needs to be added. (Refer to [[Procedures#Handling_User_Requests_to_add_an_IP_or_range_of_IPs_to_access_NEOSYS|Handling User Requests to add IP/IPs]] )

==Handling damaged files==

[[Handling damaged files]]

===Checking for corrupt database files===
Login to NEOSYS Maintenance. This can be done when users are online.

Press F5

CHK.FILES

or

CHK.FILES filename

''' Sizelock while performing chk.files '''

Fixing sizelock errors should not be done while other users are online to the same database.

Sizelock errors are not critical and will be fixed automatically during the nightly backup.

Sizelock errors occur if a program or process that is selecting records from a file is aborted in some abnormal way.

Error message:

These Files/Tables have a Sizelock Value of 2 or greater.
Tag/Select the Files/Tables to be Fixed.
Press F9 to fix selected files

Press F9 to proceed with fixing the selected files or press ESC to continue with chk.files without fixing sizelock as it gets automatically fixed during the nightly backup.

Refer to the [http://techwiki.neosys.com/index.php/Backup_and_Restore#Error_Message:_Size_Lock Sizelock errors in backup emails] for more information.

[[file:sizelock.jpg]]

===Determining Database File Name from Operating System File Name===

To assess the potential damage and possible remedial measures you need to know the database file name. If the message only refers to the operating system file name you need to follow this procedure to determine the database file name.

Once you have the database file name you can use CHK.FILES XXXXXXX to check if corrupt or not and various other procedures to fix the corruption.

Remember that fixing the corrupt data does not solve the overall problem. The *cause* of the corruption must be identified and eliminated otherwise the problem may reoccur and in a more serious form perhaps with unrecoverable loss of data.

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :list FILES WITH ALL CONTAINING 'REV76481' │
│ │
╘════════════════════════════════════════════════════════════════════════════╛
</pre>

[[File:DBfilenamefromOSfilename.jpg]]

==Finding out when and by whom a record was deleted==

In most cases, NEOSYS does not allow users to delete records and instead keeps a record of everything. In some cases however, things are deleted and the only way to get full details about the deletion is to search the logs. This is cumbersome, but there is a quick way to find out when, and by whom, a record was deleted. Prior to NEOSYS software versions dated Mar 2014, and deletions done before the same date, this procedure will only tell you when the record was deleted - but not who deleted it. Knowing exactly when it was deleted will nevertheless help you to search the logs for full details.

In maintenance mode F5

ED SHADOW DELETED*filename*key

For example:

ED SHADOW DELETED*BATCHES*L*JOU*2*U

Journals are stored in the BATCHES file. The key of an unposted batch is x*y*999*U where x is the company code, y is the journal type code, 999 is UNPOSTED batch number and U is just U to indicate unposted batches. Note that unposted batches are normally deleted at the time they are posted - ie converted to posted batches.
<pre>
╔══════════════════════════┤DELETED*BATCHES*L*JOU*2*U├═════════════════════════╗
║16831.60706 ║
║BRUCEL ║
║╒═══════════════════════════════════TCL - 6══════════════════════════════════╕║
║│ │║
║│ :EVAL PRINT 16831.60706 '[DATETIME]' │║
║│ │║
║╘════════════════════════════════════════════════════════════════════════════╛║
║ ║
║ ║
</pre>

Once you see the number (in this case 16831.60706) you can convert it to a time and date by typing something like

PRINT 16831.60706 '[DATETIME]'

Using this date and time you can search the logs more effectively to find out who did the deletion and in what circumstances.

==How to find the physical disk space occupied by logical files==
Running the following command in NEOSYS maintenance mode will identify disk space used per file, largest files first.

LIST FILES BY-DSND SIZE ACCOUNT SIZE FILE.HANDLE

This will include all files not just those in the actual dataset in DATA\* folders.

The file handle column shows the name of an .LK file however every .LK file has its .OV (overflow file) which is often larger than the .LK file.

[[File:Physical file sizes.png]]

==Fixing slow speed==
===[[Benchmarking NEOSYS]]===
===Investigating slow response in NEOSYS using NEOSYS logs===
If users complain about slow speed, but the server CPU performance looks normal, then support MUST investigate NEOSYS logs to find out why NEOSYS was slow at the time when the client complained about slow response.

Search NEOSYS log entries around the time that the user complained about slow response and look for log entries with high response time. Make a note of what requests took long to respond. If multiple users were simultaneously requesting long reports from NEOSYS, then NEOSYS can be expected to respond slowly for other smaller requests that were processed at that time.

Also refer to [http://userwiki.neosys.com/index.php/General_FAQ#Why_is_NEOSYS_taking_a_long_time_to_generate_a_report.3F why is NEOSYS taking a long time to generate a report].

===Investigating CPU 100% using Windows Task Manager===
Email, to support, a screen-shot of task manager APPLICATIONS, PROCESSES and PERFORMANCE screens MAXIMIZED TO SHOW AS MUCH AS POSSIBLE.

(Sort the processes to show ntvdm, waiting.exe and high cpu% processes clearly)

'''Steps:'''

#Right Click on Windows Taskbar and click on Start Task Manager [[image:starttaskmanager.jpg]] 
#Click on Processes and then click on CPU '''Note - The HIGH cpu% processes which should usually be the "process" called "System Idle Process" ''' [[image:cpu100percent1.jpg]] 
#Click on the Performance Tab '''Note - PF Usage should typically be much less than Physical Memory otherwise there is insufficient real memory in the server to handle the load''' [[image:cpu100percent3.jpg]] 
#Click on Application Tab then Right Click on a NEOSYS Process and Click on Bring to Front '''See what the NEOSYS Process is doing [[image:cpu100percent2.jpg]] '''
#Right Click on a NEOSYS Process and Click on Go to Processes '''Note the cpu% ntvdm process [[image:cpu100percent2_2.jpg]] '''
#Normally NEOSYS application screens say "LISTENING" in the bottom line and those applications should have very low cpu% [[image:normalneosysprocess.jpg]] 
#Look at the difference between the screen of running NEOSYS processes (applications actually) which are idle (listening for requests) and active (processing a request from a user)
#Note the number of cpus or cpu threads in the server from the performance screen graphics [[image:performance-taskmgr-cputhread.jpg]] 
#Take screen-shots of any and ALL hung or long running processes (NEOSYS application screens) and email them to support. Even small details on the screens and user names, the user names may give clues to what problem caused the hanging.A Typical Hung NEOSYS process will look like this: [[image:hungneosysprocess.jpg]] 
#Once all hung/long processes are closed then CPU should be low and not near 100%. If it is still 100% then check all high cpu% processes and send a screen-shot of processes sorted to show the high cpu% process names to support.

===Solving server CPU% is 100 and all users are extremely slow/stopped===

Get the screenshots of Task Manager and ALL processes on the server, the objective is to assess the true issue. No need to get the screens not in use obviously but you can send a parallel screen shot for them if you want to be pedantic or even a comment will do.

====Too few CPUs/threads for the number of users====
In Windows task manager normally, you should see one ntvdm.exe and one waiting.exe process per NEOSYS process (application). A standard installation has three NEOSYS processes per main database and plus one per test database. This is configured in Support Menu, Configuration File.

If there are MORE ntvdm processes than you expect from the configuration file, then perhaps NEOSYS is auto starting new NEOSYS processes to try and cater for a high number of concurrent users.

If the number of concurrent NEOSYS processes significantly exceeds the number of cpus/hyperthreads available in the server then processing for everybody can become so slow for everybody and almost no work gets done.

====Solution====
Stop NEOSYS creating new NEOSYS processes automatically. Create a text file with the first and only line as AUTOSTART=NO in the neosys\neosys folder something like this.

notepad d:\neosys\neosys\NET.CFG

AUTOSTART=NO

==How do I troubleshoot email not received?==

[[Troubleshooting email not received]]

==Fixing permissions errors while logging in==

===Problem===

While logging in, you get the following error message:
[[Image:login_error_message.jpg]]

===Solution===

Add the internet guest account to the security list of the data folder with the default permission of list/read/write

Make sure the read&execute permission is removed
[[Image:permissions_on_data.jpg]]

==Fixing the 'HTTP Error 500.0 - Internal Server Error' while logging in on IE on a Windows Vista system==

===Problem===
After configuring IIS on Windows Vista you will get this error message while trying to login into NEOSYS from Internet Explorer:

HTTP Error 500.0 - Internal Server Error
Description: This application is running in an application pool that uses the Integrated .NET
mode. This is the preferred mode for running ASP.NET applications on the current and future
version of IIS.

In this mode, the application using client impersonation configured with <identity
impersonate="true" /> may not behave correctly. Client impersonation is not available in early
ASP.NET request processing stages and may lead modules in those stages to execute with process
identity instead.

===Solution===

You can move the application to an application pool that uses the Classic .NET mode by using the following from a command line window (the window must be running as Administrator)

%systemroot%\system32\inetsrv\APPCMD.EXE set app "Default Web Site/neosys" /applicationPool:"Classic .NET AppPool"

Alternatively, you can use any other application pool on your system that is running in the Classic .NET mode. You can also use the IIS Administration tool to move this application to another application pool.

==Fixing the 'Class Not Registered' error message while logging in==

===Problem===
While logging into NEOSYS, you will get a popup window giving an error message saying 'Class Not Registered - Server Error'. Typically, you will encounter this error with XP Pro IIS 5.1. As usual, there's way to solve it, however the root cause of this is still unknown.

Anyway, you will get the proper message in the event log:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Description: The server failed to load application '/LM/W3SVC/1/ROOT/NEOSYS.
The error was 'Class not registered'.

===Solution===
So, what do you do ? This problem is related to Component Services, and when you open Component Services MMC, you will most probably get Error Code 8004E00F COM + was unable to talk to Microsoft Distributed Transaction Coordinator. So, fix the COM+ services first by using the following KB from Microsoft (PRB: Cannot Expand "My Computer" in Component Services MMC Snap-In http://support.microsoft.com/?id=301919):

To resolve this problem, reinstall Component Services as follows: WARNING:

#Open registry editor, locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3, and then delete this key.
#From the Start menu, point to Settings, click Control Panel, and then click Add/Remove Programs.
#Click Add/Remove Windows Components.
#Proceed through the wizard, and accept all of the defaults (including IIS)
#Restart the computer.

If the above didn't solve it, and you still receive the 'Class not registered' error message, then you need to recreate the IIS packages in COM+, try

#Delete IIS related package in Component Services MMC
#IIS In-Process Applications
#IIS Out-of-Process Pooled Applications
#IIS Utilities

Next, if you still get the message, try following before re-install IIS if you can't find Distributed Transaction Coordinator in your Services console.

Launch command prompt and run the following command.

#msdtc -install
#net start msdtc

Then try re-install IIS.

This should solve the problem

==Enabling File Security option on Win XP Professional==

===Problem===

In the Properties of any folders, the Security option does not show, hence you cannot modify the Read, Write options.

===Solution===

The solution would be to untick the 'Simple File Sharing' option from Tools > Folder Options > View:
[[Image:simplefilesharingoff.jpg]]

==%00%00%00%00 Errors==

===Error Message===
<pre>
SYSTEM ERROR in line 162. Amount "-2698.00AED" or base "%00%00%00%00" has been wrongly generated
GET NEOSYS SUPPORT. DO NOT ATTEMPT TO CORRECT MANUALLY
</pre>
===Solution===
%00%00%00%00 indicates an internal error that NEOSYS programmer has to fix. It is usually random and can be hard to replicate unlike almost all other NEOSYS errors which usually replicate reliably once you find the cause.

==B703 Errors==

The B703 error is usually always related to something too big for NEOSYS to handle.

These are the only B errors that NEOSYS cant always permanently prevent by fixing the software.

For more information, check [[Troubleshooting_NEOSYS_Media_System#B703_Errors|B703 errors]]

==Internet Explorer Menu, View, Text Size doesnt change font size as expected==

Cause: This is because the font size is now user definable in NEOSYS and View, Text Size does not override predefined font sizes.

Solution: If you are using Internet Explorer 7 you can scale the screen (including the font size using ctrl + and ctrl - keyboard shortcuts or the font size button on the bottom right hand side of the window.

You can adjust the font size on the User Details form when you login although this permanently applies to all forms not just the one that you are on.

==Uploaded jpg files fail to display in internet explorer==

Some large jpg files > 2Mb cannot be viewed in internet explorer despite being viewable in image preview, ms paint and other viewers/editors. It is not an issue caused by uploading or downloading the files.

These file appear to have been created on Photoshop CS Macintosh and may be a special type of uncompressed jpg used for production quality files.

===Partial solution===
Before uploading the files, open them in some editor like MS Paint (right click, edit) and save them. However this results in a loss of quality. Perhaps there is some program that can convert these files to a format understandable by Internet explorer without any loss of quality.

=="This document is currently read only"==

===Cause===
The user attempting to modify this document does not have the authorization key to do so.

===Solution===
Inform the user that he is not authorised to modify the document and give him the list of users within his company who are authorised to do so.

=="You have attempted to write to a read-only file"==

===Message===

Error while writing data.
You have attempted to write to a read-only file.
- or -
access to the file has been denied by the operating system.
(operating system file name: "..\DATA\ADLINEC\ADAGENCY\REV76467.OV00012618")

===Cause===

It is almost certainly due to some third party backup or other maintenance software opening the NEOSYS database files when it shouldn't e.g. badly configured third party backup scheduled to backup NEOSYS while NEOSYS is still running. Note that the exact filename varies each time.

===Solution===

This can be a serious error that causes damaged files in NEOSYS especially if the filename ends in .OV. Use the usual methods of checking for damaged files e.g. do a backup which also looks for damaged files BUT DO NOT OVERWRITE THE LATEST BACKUP SINCE IT MAY BE REQUIRED for restoration. Then fix the damaged files using the usual methods e.g. by rebuilding/using
FIXFILE or restoring databases. For more info check [[Handling damaged files|Handling damaged files]]

===Prevention===

Remove the third party backup or other maintenance software or reschedule it to run at a time that NEOSYS is shutdown. Removal of software may require hunting through the windows process list for unexpected programs running.

==Troubleshooting Hung processes==

===Investigating hung NEOSYS processes===

To find out if a process is hung, check the time on the last line of the process which would be frozen since the time it first hung. This time can be cross-referenced with the current server time and you will notice the difference in time b/w the server and the hung process. You can also find the duration of hung processes in Nagios.

Step 1

Gather all the useful and necessary information about the current state of the system by taking screenshots of the NEOSYS process windows, server time and date, process list in Task Manager etc.

Always remember to take screenshots of the whole screen, since every little detail is useful for investigation.

Send an e-mail to Support with all the investigated details.

Step 2

Request a shutdown of all NEOSYS processes, which would leave only the hung processes open.

Close the hung process/es.

Step 3

Process explorer can be installed from Microsoft Sysinternals and for a deeper inspection of the problem with a view to resolving it, should be used to gain information about what files are open.

If already installed, procexp.exe can be found on the Desktop or from Start Menu-> Programs.

In process explorer, Find -> Handle -> type d:\

Submit the complete list (maybe more than one page) to support for records.

[[Image:invhungprocess.jpg]]

===[[Troubleshooting_NEOSYS_Generally#Investigating_CPU_100.25_using_Windows_Task_Manager|Investigating CPU 100% using Windows Task Manager]]===

===[[Troubleshooting_NEOSYS_Generally#Solving_server_CPU.25_is_100_and_all_users_are_extremely_slow.2Fstopped|Solving server CPU% is 100 and all users are extremely slow/stopped]]===

===Error message: "Fatal Error in Rev Restart"===

[[image:fatal.jpg]]

===Error message: “Abort, Retry, Fail”===
====Problem====
The following messages may come on older versions of NEOSYS if there is a problem with the USB media inserted for backup.

[[image:usberror.jpg]]

This results in “NEOSYS has not checked in” message on Nagios since it hangs during the monitoring update and locks all other processes from monitoring too.

General failure writing drive F
Abort, Retry, Fail?

Not read reading drive F
Abort, Retry, Fail?

Pressing A or F results in the problem happening again in about a minute, perhaps on a different process.

====Solution====
Temporary solution is to do “Safely remove hardware” from the windows notification area. Using “Eject” from My Computer will not work.

Permanent solution is to replace the defective USB memory stick. Sometime reformatting is sufficient.

Upgrading NEOSYS will probably stop the defective media from causing NEOSYS to hang but the USB will still be useless for backup.

===Error message: "Read error in the operating system file"===
====Problem====
Nagios reports a hung process and on the server a process has the following message popup.

Read error in the operating system file "..\DATA\PT0833\ACCOUNTS\REV20049
The file does not exist or the filename is
not valid for the operating system.

[[Image:readerrorintheoperatingsystemfile.png]]

====Cause====
Some non-NEOSYS program is directly accessing the NEOSYS database files while NEOSYS processes are running and using the files as well.

*Client IT staff using a backup program to perform backup without ensuring that NEOSYS processes are shutdown.
*A NEOSYS rsync process taking longer than expected due to new USB.

====Solution====
Kill the NEOSYS process eg with the X button. It is advisable NOT to let it run further while it cannot properly access one of its files.

====Prevention====
Remove the third party program or arrange for it to operate only while NEOSYS processes are shutdown eg from 3am-6am.

===Error message: "Not enough string space - Out of Memory"===

====Message====

‘RTP27’ Line 1. [B29] Not enough string space – Out of Memory.

Not enough memory to execute Debugger; current program aborted.
Press any key to continue

[[Image:out_of_memory.jpg]]

====Cause====
Unknown perhaps related to some large document or report

====Solution====
Ask users for any hanging transactions.
None other than closing and starting another process.

Also refer [[Troubleshooting NEOSYS Generally#Enabling EMS memory on Window 2003|Enabling EMS memory on Window 2003]]

===Error message: B521===

[[Image:B521.jpg]]

Another user is currently updating indexes.
Waiting to make your updates...
If you interrupt this process,
you may have to rebuild all the indexes

B521 message is usually temporary and goes away by itself. If it does not then, as the text of the B521 message makes clear, some OTHER process is holding up the system, preventing the process with B521 message from continuing.

B521 message is a symptom of other problem so it does not itself have some one simple solution. You must find which other process or issue is causing the hold up and solve whatever problem is causing the hold up, which could be anything.

===Error message: " NTVDM encountered a hard error "===

The following error message appears:

[[Image:ntvdm.jpg]]

NTVDM encountered a hard error

====Solution====

This error is caused by missing or corrupt Windows system files (i.e. command.com, autoexec.nt and config.nt). The solution is to run a program called XP FIX which will reinstall these missing files. You can download it form http://www.visualtour.com/downloads/xp_fix.exe

Sometimes even after running the XP FIX program the error still appears. Then you need to copy all the files under C:/windows/repair to C:/windows/system32 and in the autoexec.nt and config.nt put REM before any lines there which don't have it.

====Possible fix for some NTVDM errors====

=====Error message=====

[[Image:Ntvdm1.jpg]]

NTVDM has encountered a System error.
The system cannot find the file specified.
Choose close to terminate the application.

=====Possible solution=====

#Change the TEMP and TMP environment variables to C:\WINDOWS\TEMP. This should be for the user that runs NEOSYS processes - normally administrator.
#Close all NEOSYS processes
#Logout/Login again
#Restart NEOSYS processes

[[image:Ntvdmsoln.png]]

=====Check solution done properly=====

You can check that by typing ECHO %TEMP% and ECHO %TMP% at a console prompt after logging out and in again.

Note that windows will actually set the windows environment variables to something like C:\WINDOWS\TEMP\2 for some unknown reason.

<pre>
d:\hosts>ECHO %temp%
C:\WINDOWS\TEMP\2

d:\hosts>ECHO %tmp%
C:\WINDOWS\TEMP\2
</pre>

===Error message: [[Troubleshooting_NEOSYS_Generally#Troubleshooting_the_.22Database_not_available.22_error_message|"Database not available" post login]]===

===Error message: [[Backup_and_Restore#Error_Message:_.22Cannot_backup.2Frestore_because_PROCESS1_PROCESS2_.28etc.29_is.2Fare_online.22_message|"Cannot backup/restore because PROCESS1 PROCESS2 (etc) is/are online"]]===

===How to kill hung NEOSYS processes===

NOTE WELL: If you kill actively working NEOSYS processes (those which are "listening" and not hung/crashed) there is a reasonable chance that the database will be damaged and might need a restore losing possibly large amounts of work.

====If NEOSYS processes are visible on the server desktop====

Look for processes which don't have "Listening ..." on the last but one line. The times on the left hand side are frozen as at the time of the hang.

You can then click the X to kill the process and confirm that this is OK.

Example of a NEOSYS process that has hung due to a software error resulting in a failure to handle a complex query with a lot of brand codes.

[[Image:hungprocess.jpg]]

====If NEOSYS processes are not visible on the server desktop====

NEOSYS processes are most of the time visible on the desktop (i.e. the black dos windows) in Windows 2003 OS, except in the case that the process has been scheduled to start on computer restart and no one has logged into the server. In this case it would be running in the background. TODO

You can check if there are any hung processes from the NEOSYS Support Menu, List of Database Processes.
[[Image:databaseprocesseslist.jpg]]

In this case you should follow the below instructions - however all of them need to be done within 30 seconds of starting the first instruction to avoid inconvenience to the users. It is recommend that you keep relevant windows open before proceeding with the same:

#Shutdown NEOSYS by TEMPORARILY putting a file called GLOBAL.END in the parent directory of NEOSYS (if there is already a GLOBAL.END.TEMP file then rename it to GLOBAL.END). Leaving the file there would prevent NEOSYS from starting up again. Shutting down NEOSYS from the Support menu will not work because of the hung processes.
#Use Windows Task Manager to kill all the NTVDM processes - assuming that you have closed all the visible NEOSYS processes, then the NTVDM processes in the task manager would be the hung one.
#Delete GLOBAL.END or rename it to GLOBAL.END.TEMP
#Restart the processes back again. If there are many datasets then you need to restart them all well within the 30 seconds period. Restarting a process will not be noticed by users, if started immediately.
#*Create a [[Configuring_STARTALL.cmd_command_to_auto_start_all_processess | STARTALL.cmd]] file for future cases, where you may need to quickly start many processes for clients with multiple datasets.

In case of Patsalides, where we have a thousand datasets which start "on demand" i.e. usually on login; all you need to do is start one dataset which will restart all the other datasets "on demand". If there is no response within 30 seconds then one of the running datasets will start it up so there appears to be a 30 second delay when you login to one of the thousand datasets the first time on any one day.

===Temporary workarounds for hung NEOSYS processes===
Until the error in the software is fixed users can often get their results by simplifying their requirements. For example select individual clients instead of selecting all the brands for a particular client. If the user has repeated his request (in forlorn hope that it would work finally) then the number of working NEOSYS processes will drop causing severe slowdown for other users and complete stop if all the NEOSYS processes hang.

==Fixing " You do not have sufficient privilege to access this file "==

This error message may come up while NEOSYS processes start up at the same time.

Error message on:
16 bit MS-DOS Subsystem
D:\hosts\Client_nam\NEOSYS\AREV.EXE
C:\Windows\SYSTEM32\CONFIG.NT. Error Code 0x20. You do not have sufficient privilige to access this file. See your system administrator. Choose 'Close' to terminate the application.

Close the error message window and look for NEOSYS processes for that client. In case there is no process, start the NEOSYS process.

[[image:Errormsg.jpg]]

==Fixing wrong default program assigned to open a file type==

The NEOSYS process (cmd file) might open up in a notepad, instead of the usual black colour DOS window. This may happen if a JavaScript file is opened using notepad. Support MUST be very CAREFUL when accessing .JS and .JSE files and double check that the default program remains wscript.exe and not changed to notepad/wordpad. The issue can be fixed by the following:

#Check if Windows Script 5.6/5.7 is installed, IF NOT download and install it from the Microsoft Website.
#Go to Control Panel -> Default Programs -> Associate a file type or protocol with a program and then change the default program for .JS and .JSE to "Microsoft Windows Based Script Host"

For file types that must not have any default program to open them (e.g. .vol file type):

#Right click the concerned file (e.g. ADAGENCY.vol) > Open with > Choose another app > More apps
#Select "Always use this app to open XXXX files"
#Click "Look for another app on this PC"
#Locate and select the concerned file (ADAGENCY.vol in this example). An error should appear "This app can't be run on your PC". Click OK.

==Fixing a 'Could not start' error on Scheduled Tasks in Windows Server 2000 SP4==

This error occurs because of a change that is made to the data that is stored in the credentials database when you install Windows 2000 SP4. Hence installing SP4 causes the the data that is stored in the credentials database to get converted to an SP4-compatible format. A registry key is configured to indicate that the data has been converted to the SP4 format.

Hence the Scheduled Tasks do not work sometimes. However the Scheduled Tasks works fine sometimes, but when you uninstall SP4, it does not work.

The best solution is to:

#Incase Scheduled Tasks do not work after installing SP4, then uninstall SP4 and it should be fine.
#Incase Scheduled Tasks works after installing SP4, and later after uninstalling SP4, it does not work, then install SP4 and it should be fine.

==Checking for server or NEOSYS crashes==

#NEOSYS Maintenance Mode
#General Menu, Setup, Processes
#Select the dates and the option Detailed

This report shows a list of dates and times that NEOSYS logged in but did not log out properly.

Ignore the very latest entries since they represent the current NEOSYS processes. For example, if you have four NEOSYS processes running at the time that you get the report (including any in maintenance mode) then you can ignore the last four entries.

The date and time shows for each process that has failed to shutdown correctly when the process logged in. Versions of NEOSYS from January 2008 will also show the date and time that each crashed NEOSYS process was last active (heartbeat) so that the time of failure can be known.

If you see a bunch of NEOSYS processes all started up at around the same time but all failed to shutdown correctly then the cause will be a server failure - usually power failure.

Isolated one-off failures will be related to individual NEOSYS process crashes - most commonly caused by one of the following:

#NEOSYS hanging to due to software failure
#Manually exiting a NEOSYS process on the server either by pressing Ctrl+Alt+Del or clicking the "X" close icon/box and ignoring the warning
#Random server failures eg memory, disk etc

Example:

LOGIN 22/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:52 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 23/12/2007 08:53 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:00 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:01 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 06:02 NEOSYS SERVER ADAGENCY Current workstation
LOGIN 8/1/2008 13:51 NEOSYS SERVER NEOSYS Current user session

Interpretation:

The first four entries indicate that all four NEOSYS processes started at 06am were suddenly killed probably by power failure

The next four entries indicate that NEOSYS was restarted at around 08:52 and all these processes were AGAIN killed probably by power failure

The last four entries can be ignored because there were four NEOSYS processes running at the time that the report was generated

==Searching for word/number in the database files using maintenance mode==

You can search for any word/number in the database files of NEOSYS, using the following command line:

F5
FIND FILENAME WORDWITHOUTANYSPACES

For eg:
FIND CURRENCIES 1.1
(here you are searching for the number 1.1 in the currencies file) You CANNOT search for a phrase ie include spaces like this.

Or you can also type:
FIND FILENAME <enter>
and it will ask you what you want do to search. You can enter an exact phrase with spaces.

Incase you do not know the filenames, you can enter the following command to see all the filenames in the system:

F5
LF

==Troubleshooting a Service Unavailable message on Internet Explorer when opening up NEOSYS==

===Error Message===

The following error message appears in Internet Explorer when you try to open up NEOSYS:

Service Unavailable

===Solution===

Open the IIS Manager, right click Web Sites and select properties:
[[Image:serviceunavailable1.jpg]]

Switch to the Service Tab and tick the "Run WWW Service in IIS 5.0 Isolation Mode".
[[Image:serviceunavailable2.jpg]]

You will be asked for Restart of IIS. Click yes to restart IIS. If you are not asked just restart IIS.

==Inspecting IIS log files==

At a windows command prompt:

c:
cd \Windows\system32\LogFiles\W3SVC1

or

%SystemDrive%
cd %SystemRoot%
cd system32\LogFiles\W3SVC1

then (substituting the ip number you are interested in)

find "192.168.1.55" *|sort>temp.log

Open temp.log in Excel and use Tools, Data, Text to Columns to split into columns using options "Delimited" and check split on Space.

Autowidth all columns by clicking on the top left box just outside the data to the left of column A and above column 1 then double click the column separator to the right of column "A"

Note that times and dates are in UTC/GMT so you have to add/subtract your timezone offset to get local times.

==Inspecting Database LOGS Folder==
NEOSYS log files e.g. 15123103.xml are created by the database processes and contain user requests to the NEOSYS database. Each XML file represents commands executed by each NEOSYS process.

If the database is not available according to the website then no entry will appear in that log. (The request will appear in the IIS website log but that log is nothing to do with database processes)

It is often quicker and easier to do a preliminary search for database requests using the Request Log in NEOSYS UI, although more specific details such as Session No, Host IP, Filename and DataOut/In are only available in the XML logs.

Find log files in neosys/LOGS. The file naming format is yymmdd(log created by process No.) E.g 18060402 = 4th of July 2018 process02.

Use simple text editor to view the log files.

Details found in XML log files: 
Message: Date, Time, User, Filename, WorkstationIP, HostIP, HTTP and Session. 
Request: Req1, Req2, Req.. 
Response: ProcessingSecs 
DataOut/DataIn:

===Understanding Log Entries===
Inspecting and searching through Logs file allows NEOSYS staff to answer clients queries like "Who deleted schedule XXXX" etc.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

While going through the log file you may come across a request "EXECUTE GENERAL GETTASKS NOT", this request is concerned with getting a list of tasks that the user is *not* allowed to do.

To read and understand the log file with more ease, copy the portion of the log file required to be analysed into another text editor.

The text that appears as %FE, %FC, %FD, etc. are basically separators. Replace %FE, %FD, %FC, etc. with a separator like "--".

Once replacing all these characters is done, the log file will be more easily readable and vital information will be clearer.

In the log file, you may find numbers like 17290, 17195, etc. These numbers denote dates selected or entered by the NEOSYS user. These are basically the number of days from 31st December 1967 till the date chosen by the user. For example, to convert 17290 to actual date, 31/12/1967 + 17290 = 3/5/2015. So the actual date is 3rd May 2015.

To convert these numbers to dates using maintenance mode, refer to the article [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Finding_out_when_and_by_whom_a_record_was_deleted Finding out when and by whom a record was deleted]

[[image:NEOSYS Logs.jpg]]

==Fixing NEOSYS processes that do not auto start / Recovering from incorrect advanced date or time==
This solution is applicable to live database processes only. Test database processes don’t auto-start any other processes.

===Problem explained===
After starting up the 1st process, the rest of the processes don't start up.

===Solution===

The possible cause for this could be that the system date/time might have been changed - either manually or by the auto synchronization. Do the following checks in the sequence of order:

#Check for any *.$* files (* after dollar sign should show a number, the highest being the latest one). If it shows OK, then proceed ahead.
#Check for any .end files and delete it to rename to .end.temp
#Check the System Event Viewer log for any 520 or 577 error message (refer http://128.175.24.251/forensics/timechange.htm). Also check for any out of sequence / ahead of today date or time.
#In case of no 520 or 577 error message, go to Administrative Tools > Local Security Policy > Local Policies > Audit Policy > Audit Privilege use - make sure that Success and Failure are selected under this (this will ensure that future changes to the date/time are recorded in the System Log).
#In NEOSYS maintenance mode - F5 ED PROCESSES %UPDATE% - and see what it says, incase of any text (only text, not numbers) there, that means that for sure the system date has been changed. To fix this, exit the editor by pressing the ESCAPE key and then type DELETE PROCESSES "%UPDATE%"

==Fixing starting issues with NEOSYS processes or Maintenance Mode==

===Fixing "UNABLE TO OPEN BOOT MEDIA MAP" error===

Opening NEOSYS process or maintenance mode just opens and closes the window instantly.

Running ADAGENCY.BAT from a windows CMD shows an error message

Unable to open boot media map.

Cause:

AREV.EXE is unable to access the REVMEDIA.LK file.

Possibly due to windows permissions problems. For example after using CYGWIN RSYNC without the --no-perms option.

Solution:

If cygwin rsync has screwed up the permissions you can reset the permissions for all files on the D: disk

D: disk properties, security tab, Advanced button

#Owner: change to administrator
#Check "Replace owner on subcontainers and objects"
#Check "Replace all child object permission entries with ... "
#Apply and confirm all questions
#Repeat and change BACK to Owner: SYSTEM

[[Image:Unableopenbootmediamap.png]]

===Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately===

Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately.

#Check if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does, refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

Or try: Delete the read-only file REVBOOT file (under d:/neosys/neosys folder). REVBOOT file is recreated when you start maintenance mode.

In case the above didn't fix the problem then escalate to the programmer immediately.

==Recognising and Solving Low Memory Problems==

Quick Note: Installing a server class operating system on a workstation class computer with the intention of NEOSYS serving a heavy load is likely to cause problems with low memory.

Quick Fix: Disable *ALL* non-essential features in the power-on setup menu.

===Effects===

It is speculated but not proven that low memory may cause NEOSYS to fail by hanging, causing damaged files etc.

===Checking===

F5
MEMORY

On server class machines it should say somewhere around 350Kb to 370Kb Free

Some server class machines have around 330Kb and sometimes even less with no reported problems

The actual effect of low memory is supposed to make NEOSYS slower and perhaps cause hanging and damaged files however this has not been proven in an specific case so far.

On workstation class machines it may often say around 280Kb to 300Kb.

===Cause===

Although there is plenty of real memory in virtually all computers now, NEOSYS runs in the legacy 16 bit virtual memory space of a windows mode called NTVDM. This is limited to 1Mb plus 4Mb of EMS memory.

The 1Mb memory space is shared with:

#Various non-essential windows drivers which NEOSYS automatically disables them in autoexec.nt
#Various plug and play hardware device drivers for the various adapters in the computer like video, network adapters and various other items that NEOSYS is unable to disable.

In a server class computer the hardware device drivers are usually minimally present in the 1Mb base memory and do not therefore DOESNT a low memory situation for NEOSYS.

In workstation class computers there are often many hardware device drivers present in the 1Mb base memory and this DOES causes a low memory situation for NEOSYS.

When NEOSYS is installed on workstation class computers with XP there is usually not a heavy load expectation and therefore the low memory does not cause a problem.

If Windows Server OS is installed on a workstation class computer NEOSYS may well be expected to serve a heavy load with limited amounts of memory.

Workstation class computers: hardware drivers present and EMS is installed in low memory (0000-9FFF) causing low memory for NEOSYS and possible inability to

Server class computers: Usually few hardware drivers are present in high part (A000-FFFF) of the 1Mb base memory and EMS is able to occupy the high memory leaving the low part (0000-9FFFF) of the 1Mb memory free for NEOSYS. You can find out how much memory is available to NEOSYS and whether EMS is occuping high or low memory using the following sections.

===Fixing Low Memory===

Start, Run, notepad c:\windows\system32\autoexec.nt

Every time NEOSYS starts it tries to make some changes as follow:

#replaces all lines in C:/WINDOWS/SYSTEM32/AUTOEXEC.NT starting with 'lh ' to start with 'rem NEOSYS LH ' instead.
#changes the line in C:/WINDOWS/SYSTEM32/CONFIG.NT "files=..." to "FILES=200"

The replacement is case sensitive triggered on 'lh' and 'files' so if you manually edit the files and remove the rem or change the number of files and leave the LH and FILES in uppercase then NEOSYS will NOT make further changes. This allows you to do manual amendments to the files without NEOSYS overwriting them.

Check that NEOSYS has successfully disabled all the drivers in the lines starting with LH.

They should be commented out (prefixed) with REM or REM NEOSYS as follows.

After making changes reopen NEOSYS in maintenance mode to use the MEMORY and WHO commands again.

<pre>
REM Install CD ROM extensions
REM NEOSYS LH %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
REM NEOSYS LH %SystemRoot%\system32\redir

REM Install DPMI support
REM NEOSYS LH %SYSTEMROOT%\SYSTEM32\DOSX
</pre>

Low Memory Issues in Windows 2003 server can be fixed using instructions mentioned at [http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Enabling_EMS_memory_on_Window_2003 Fixing Low Memory in Windows 2003 Server]

===Allowing DOS programs that require DOSX to run on the same computer as NEOSYS===

The automatic commenting out DOSX by NEOSYS will prevent some other DOS-like programs from running. If NEOSYS is on dedicated server then there should be no other such programs to fail. However, if you must allow DOS-like programs to work as well as NEOSYS you can do the following configuration:

#leave or restore the original AUTOEXEC.NT and CONFIG.NT files where they are
#copy them to another folder eg neosys folder
#make the necessary REM changes there by hand
#right click the NEOSYS\NEOSYS\AREV.PIF and select properties
#change the location of the AUTOEXEC.NT and CONFIG.NT files in the following location

[[image:pifsettings.jpg]]

===Checking EMS Memory Configuration===

====Inspection====

F5
WHO

press the up arrow to get to the last part/page

=====Example of Typical Server EMS Memory=====
[[image:serveremm.jpg]]

=====Example of Typical Workstation EMS Memory=====
[[image:workstationemm.jpg]]

====Correction====

No easy way

Removal of hardware adapters designed for workstations instead of servers eg graphics cards and network cards.

Many of the devices may be located on the motherboard and not relocatable except possibly by BIOS configuration or special manufacturer information.

Use windows device manager, View: Resources by Connection, Open the Memory item and look for items between 000A0000 up to 000FFFFF that might give you a clue as to what hardware could be removed or reconfigured. Actually only 000C0000 to 000FFFFF is candidate for EMS memory since 000A000-000BFFFF is mandatory video memory in all systems.

[[image:devicemanager.jpg]]

==Fixing issue where NEOSYS processes do not start-up at all or start-up and close immediately==

#Find if a file with the name global.end exists in the root directory of the NEOSYS installation. Eg D:\global.end . If you find such a file, rename it to global.end.temp - for more information on global.end and what it does refer to [[Administering_NEOSYS_Server#Closing_NEOSYS_Services|Closing NEOSYS Services]]
#If the above didn't fix the problem and NEOSYS still does not start, do a windows search for the entire NEOSYS folder for *.end (i.e. any file ending with .end extension). You may find a (databasecode).end file in D:\neosys\neosys folder which is created by the NEOSYS program during backup at 1 am and later on removed automatically. In this case NEOSYS program might have crashed during the backup and left this file behind. (databasecode).end files prevent other other NEOSYS processes starting up on the database while exclusive processes (like backup) are being done.

In case the above didn't fix the problem then escalate to the programmer immediately.

===Solving "Control Record" error in maintenance mode===

If processes dont start after you log into maintenance mode and you get an error message
<pre>
╔════[FS152]═══════════════════════════════════════╗
║ The control record "RECORDS" ║
║ is too long to be saved. ║
║ The current record length is 65539 characters. ║
║ ║
║ < Press any key > ║
╚══════════════════════════════════════════════════╝
</pre>
[[File:Record1.jpg]]

'''1'''. Press space to get rid of the error message and you should then get this menu

[[File:Record2.jpg]]

'''2'''. Press F5 and run this command (case sensitive)

DICT DEFINITIONS

or Press Alt+S and run this command (case sensitive)

EXECUTE DICT DEFINITIONS

[[File:Record3.jpg]]

'''3'''. Press Shift+F3 to get the following message
<pre>
╔══[B202]══════════════════════════════════╗
║ "DEFINITIONS" has ║
║ "QUICKDEX" installed ║
║ ║
║ Do you want to remove "QUICKDEX"? [Y/N] ║
║ ║
║ <Y >║
╚══════════════════════════════════════════╝
</pre>

Do you want to remove "QUICKDEX"? [Y/N]

'''4'''. Press Enter to choose Yes.

[[File:Record4.jpg]]

'''5.'''Restart NEOSYS to see if the problem has been solved

==Solving “page not found” or "HTTP Error 404.3 - Not Found" when downloading some file types after uploading them successfully==

A user gets this error message when trying to download a file that has been uploaded into NEOSYS.

Windows web server will not download file types that it is unaware of. You can enable the download of new file types.

===Adding Mime Types in Windows Sever 2003===

====One by One====

Follow below steps to enable the download of new file types one by one.

This process is tedious and error-prone if you have to add many types.

#Computer Management
#Services and Applications
#IIS properties
#Mime Types
#Add

The added Mime type will not take effect unless IIS is restarted. This should be done only when users are offline because restarting IIS kills login sessions and therefore forces users to login again.

Open command prompt and enter the following command
iisreset

====Many====

Window Server 2003 is unaware of all the Office 2007+ file types. To add all Office 2007+ file types at once do the following:

Stop IIS

iisreset /stop

Open the list of mime types

*Start, Run, notepad C:\WINDOWS\system32\inetsrv\MetaBase.xml

Search the file for “xlsx” and quit the editor if already inserted.

Otherwise, find the following line,

.xml,text/xml

and insert after that line the following lines. They do not need to be indented.

<pre>
.docm,application/vnd.ms-word.document.macroEnabled.12
.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document
.dotm,application/vnd.ms-word.template.macroEnabled.12
.dotx,application/vnd.openxmlformats-officedocument.wordprocessingml.template
.potm,application/vnd.ms-powerpoint.template.macroEnabled.12
.potx,application/vnd.openxmlformats-officedocument.presentationml.template
.ppam,application/vnd.ms-powerpoint.addin.macroEnabled.12
.ppsm,application/vnd.ms-powerpoint.slideshow.macroEnabled.12
.ppsx,application/vnd.openxmlformats-officedocument.presentationml.slideshow
.pptm,application/vnd.ms-powerpoint.presentation.macroEnabled.12
.pptx,application/vnd.openxmlformats-officedocument.presentationml.presentation
.xlam,application/vnd.ms-excel.addin.macroEnabled.12
.xlsb,application/vnd.ms-excel.sheet.binary.macroEnabled.12
.xlsm,application/vnd.ms-excel.sheet.macroEnabled.12
.xlsx,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xltm,application/vnd.ms-excel.template.macroEnabled.12
.xltx,application/vnd.openxmlformats-officedocument.spreadsheetml.template
</pre>

Save the file with File and Exit

Restart IIS

===Adding Mime Types in Windows Server 2008===

"The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map."

[[file:mime2008.jpg]]

This message shows when a user attempts to download a file that has been uploaded into NEOSYS and the file extension is not configured in IIS server Mime Maps.

The user may also get the below error message:

"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

[[file:mimetype.jpg]]

Solution:

Add mime mappings in IIS. Use the GUI or the servers command line.
The exact solution depends on the file type. Example for .msg files:

C:\windows\System32\inetsrv\appcmd set config /section:staticContent /+"[fileExtension='.msg',mimeType='application/vnd.ms-outlook']"

The bit that varies in the above example is:

*.msg

*application/vnd.ms-outlook

Other mime types can be found on the web eg https://www.thoughtco.com/file-extensions-and-mime-types-3469109

Getting the 2nd part right enables the user to have the downloaded file open automatically in the right application for the file extension, but only if they have the right application installed.

==Handling Neosys Automatic Upgrade Error Messages==

===Error Message===
We will receive an email from the NEOSYS client installation with the following message:

'''"UPGRADEN.EXE" does not have expected exe MZ signature'''

===Solution===
This message is a note that the NEOSYS automatic update procedure failed to download an upgrade file correctly.
This happens sometimes due to network issues but can be ignored because the file will be probably be correctly downloaded on the next automatic update check.

'''Note:''' This message is only informative to help with any problem with the automatic upgrade procedure and may be removed in a later version of neosys (currently Oct 2012)

==Handling Duplicate Login Error E-mails==

===Explanation===
When a user starts a new session on NEOSYS, any existing session is lost. If a user then tries to go back and work on the old session, they will receive a Duplicate Login Error email.

This is because any user can have only one active session to work on. For example, if a user account is logged into NEOSYS from two different browsers or two different workstations at the same time, the user will receive this error e-mail.

===Error E-mail===
[[File:dup-login.png]]

===Solution===
To avoid the Duplicate Login error e-mail, you must always logout from your active NEOSYS session before starting a new session elsewhere.

==Testing https connection==

The following procedure tests that the https server is operational and not blocked by firewall etc. It does not detect certificate errors.

From a windows command prompt use the following telnet command:
<pre>
telnet clientname.hosts.neosys.com 4430
</pre>

#4430 is the usual NEOSYS http port but replace it by whatever port is actually used for NEOSYS https on the system being tested. If there are multiple https installations on a particular server then different ports are probably used
#Replace clientname.hosts.neosys.com with the normal https login domain name of the client for whom we want to check the https service

Normal behavior is that it should open a black screen. Pressing Enter or any key returns the _ character. (Close the window using the [X] since there is no keyboard command to do so)

Hanging means that there is some connectivity issue (firewall/ip/server not running/https not installed etc)

==Troubleshooting "page not found" error while using https==

'''Problem:'''

#The https service stops working and gives "Page not found" error.
#The https connection tests fine using telnet (see article above)

'''Solution:'''

#Reinstall https using the usual procedure (currently using selfssl)
#Email clients, requesting to reinstall the new security certificate by following the instructions for [http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Generally#Fixing_HTTPS_certificate_error_when_logging_in_from_an_external_link_using_IE8.2C_IE9_and_IE10 Internet Explorer] or [http://userwiki.neosys.com/index.php/Configuring_Safari_for_MAC_OS#Fixing_HTTPS_certificate_error_when_logging_in_using_an_external_link_using_MAC_Operating_System Safari] browser.

==Installing "QUICKDEX" on some files==
"Quickdex" is a type of index that keeps an alphabetical order on small files. In some maintenance procedures you may be asked to "install Quickdex".

For example to add a quickdex to the UNITS file.

Maintenance mode press F5

DICT UNITS

<pre>
г=================Dictionary=================┐
│ │
│ File name UNITS │
│ Field name ......................... │
│ │
│ Dict type │
│ Single/Multi │
│ Data type │
│ Output format │
│ Validation patterns │
│ │
│ Position Key part │
│ │
│ Column heading │
│ │
│ │
│ Justification Display length │
│ Description │
│ │
│ │
L============================================-
</pre>

Press Shift+F3.

If it says "Do you want to remove ..." then Quickdex has already been installed and you should not continue. Press Esc to cancel, then Esc to quit.

<pre>
г=[B202]==================================┐
│ │
│ "UNITS" has │
│ "QUICKDEX" installed. │
│ │
│ Do you want to remove "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L=========================================-
</pre>

Otherwise it should say "Do you want to install ...". Press Enter to accept.

<pre>
г=[W963]============================┐
│ │
│ Do you want to install a │
│ Quickdex or Rightdex index? [Q/R] │
│ │
│<Q >│
L===================================-
</pre>

It should then say "Do you want to update ...". Press Enter to accept.

<pre>
г=[W901]========================================┐
│ │
│ The "UNITS" file has had │
│ the "QUICKDEX" modifying filing system added. │
│ There are 0 records in "UNITS". │
│ │
│ Do you want to update "QUICKDEX"? [Y/N] │
│ │
│<Y >│
L===============================================-
</pre>

Afterwards it should return to the initial screen. Press Esc to quit.

==Solving NEOSYS smtp server failure==
In case the neosys smtp server fails then we can just use the client's smtp server.

The following information is required from the client's smtp server configuration:

#hostname
#username
#password
#port no. (most likely = 25)

These details should be entered in the '''System Configuration File''':

[[image:SYSCFGFILE-SMTP.jpg]]

==Strange characters in maintenance mode==
While in Maintenance mode, pressing keys on keyboard gives strange characters. Even Enter and Esc don’t work.

This problem has been seen using RDP on:

*Window Server 2003 Web Edition
*Windows Server 2003 R2 SP2

[[image:strangecharmaint.jpg]]

Solution:

#Go to Windows -> control panel
#Go to Regional and Language Options
#Click on Languages tab then click on Details [[image:lang1.jpg]] 
#Click on Settings Tab and Change default input language to English (United States) (or perhaps something else depending on rdp keyboard) [[image:lang2.jpg]] 

==NEOSYS processes do not start after Windows Update==

===Problem===
Scheduled Task to start the NEOSYS processes fail on Servers with Windows 2008 after Windows update. Support will have to log into the server to start the processes manually
Message on the Schedule Task displays " The operation being requested was not performed because the user has not logged on to the network. The specified service does not exit ".

[[image:sti.jpg]]

===Solution===

For clients who cannot tolerate manual intervention after server reboots for any reason (e.g.need to start work before NEOSYS support is available or on NEOSYS support weekends), tick "highest privileges" and "run whether the user is logged in or not". This approach means that NEOSYS processes which are started by the windows scheduled task are not visible on the desktop and run hidden in the background and only listed in task manager, so avoid this approach on small clients (only few users). Avoiding this approach will also serve to act as an indicator of server restarts.

==Troubleshooting NEOSYS remote support port forwarding==
This assumes that you have already “port forwarded” tcp port 19580 from your public internet router to the NEOSYS server.

===Tst 0 - Check if SSH is working on the NEOSYS Server===
Type in the following command in command prompt:
telnet 127.0.0.1 19580

IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

===Test 1 - Check if SSH is basically working on NEOSYS server over the LAN===
You must know and use the NEOSYS SERVER LAN IP to do this.

telnet ???.???.???.??? 19580

[[image:tr-pf-01.jpg]]

If you have the WRONG SERVER LAN IP or NEOSYS server SSH is NOT working then it will hang for about 15 seconds and then say “Could not open connection to host …”

[[image:tr-pf-02.jpg]]

OR IF ALL OK you will see the following:

[[image:tr-pf-03.jpg]]

Press Enter to Exit

[[image:tr-pf-04.jpg]]

===Test 2 - Check if can connect to the NEOSYS ssh from OUTSIDE the office===
From any internet connected computer OUTSIDE the office test if you can connect to NEOSYS ssh service. You cannot do this test from inside the office.

You need to know the public ip or domain name of the router. If the router IP is dynamic then NEOSYS sets up dynamic name server so instead of a static ip number you will have a domain name something like clientxyz.redirectme.net.

Enter the command .. using YOUR public internet IP number (NOT the LAN ip number) or the dynamic domain name.

[[image:tr-pf-05.jpg]]

If everything is working OK you will get a black screen as follows. You will NOT get the “SSH-2.0-OpenSSH-4.7” banner” because NEOSYS ssh remote support is restricted to connect ONLY from LAN ip nos and NEOSYS office ip nos.

[[image:tr-pf-06.jpg]]

If you press Enter a few times then the cursor will just go down. You have click the [X] to close the window.

[[image:tr-pf-07.jpg]]

===Test 3 - Check that the ssh connection from step 2 was rejected===
On the NEOSYS server, check the Windows Application log to verify that an SSH connection was rejected.

The rejected ip number will be of the system outside the office that you performed the test from.

[[image:tr-pf-08.jpg]]

===Sample Email: Solving port 19580 port forwarding issues===

Some IT people know how to troubleshoot port forwarding issues but others are mostly just power users who can configure a home router. If the IT person is in the second category then it is quicker for NEOSYS support to offer to configure their router from the NEOSYS server using Teamviewer. Ideally NEOSYS should not be doing client IT work but if client IT allows NEOSYS access to their router then NEOSYS support can make a brief attempt to do the configuration. If the issue is still unresolved then request the client to get a professional IT network expert to do the job and inform them that NEOSYS will not be able to provide them any support till connectivity is fixed. Below is a letter advising a more skilled person to check connections using telnet which is a low level test.

You can usually determine the NEOSYS server LAN IP number from Nagios. If so then adjust the email text appropriately.
<pre>
Dear XYZ,

It is highly critical to fix the connectivity with the NEOSYS server because NEOSYS will not be able to provide any support until connectivity is fixed. User support issues will be delayed and remain unresolved if you do not fix this issue URGENTLY.

At the moment there is no connection from the internet via your router to the NEOSYS server and when we do the following, we get no connection.

telnet CLIENTNAME.hosts.neosys.com 19580

Normally it should connect and presents a black screen (saying SSH something after pressing Enter) which we close.

Please check that you can connect to the NEOSYS server internally by using the NEOSYS server IP address in the following command on any computer in your LAN.

telnet 192.168.?.? 19580

If you can connect to the NEOSYS server internally then please check port forwarding.

Additionally check the following:
1. Has your router IP changed? The IP we have is x.x.x.x
2. Has your server’s LAN IP changed and are you forwarding to the correct LAN IP?
3. Is the configuration really correct?
4. Check router logs for clues
5. Check NAT settings in the router

If you still cannot see the problem, do "telnet CLIENTNAME.hosts.neosys.com 19580" command from OUTSIDE your network to replicate the problem we are facing.

For troubleshooting steps refer Troubleshooting NEOSYS remote support
http://techwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding

If the problem still persists, please get a professional IT network expert to fix the issue.

Best Regards,

</pre>

===Port mapping restricted by Source IP===

On NEOSYS router, port forwarding has been setup only for specific source IP addresses. This means you will not be able to establish a TCP connection to NEOSYS server unless your server's outbound IP is mapped to the NEOSYS router. In other words unless the outbound i.e source IP/port of your server has been granted access on the NEOSYS router for all incoming connections you will not be able to make connections to NEOSYS server.

Outbound IP is used whenever a server tries to make a connection to another server outside its network. On the other hand a server receives all incoming connections using it's Inbound IP.

Therefore to setup ssh connection from a new Client server to NEOSYS server we need to grant access to its outbound IP on the NEOSYS router. See [[Troubleshooting_NEOSYS_Generally#If_Telnet_does_not_work | link]] to find the outbound server IP/ports of the server.

==Solving “Cant login … INVALID DATA PATH … permission denied”==
===Error Message===

[[image:error-invalid-data-path-1.jpg]]

'''Error Text:'''

Cannot login because:
ERROR: INVALID DATA PATH
“D:\HOSTS\HOSTNAME\DATA\HOSTNAME\~8746345.1$” Permission Denied

===Problem Explained===
When installing NEOSYS on an existing “non-clean” Windows installation, the standard NEOSYS installation procedure can result in failure to login if the standard windows folder permissions have been modified.

===Solution===
The solution is to grant IIS permission to write in the \neosys\DATA folder and subfolders as follows:

#First add the IUSR_XXXXXXX user to the list of users. (XXXXXXXX is the server name and therefore varies per server) as follows:
#*Right Click on DATA Folder and click on Properties
#*Click on Security Tab -> Add -> Advanced
#*Click on Find Now, Select the IUSR_XXXXXXX user and Click on OK [[image:error-invalid-data-path-2.jpg]] [[image:error-invalid-data-path-3.jpg]] 
#Second, for the newly added IUSR (IIS user) change the permissions as follows:
#*'''REMOVE''' the read and execute permission (for security, IIS should be unable to execute things that it might have uploaded)
#*'''ADD''' the write permission [[image:error-invalid-data-path-4.jpg]] 
#Login should now be possible.

==NEOSYS process window displays message "Upgrade Downloading"==

[[image:upgradedownloading.jpg]]

===Problem Explained===
NEOSYS thinks it sees an new neosys2.exe upgrade file on the location http://www.neosys.com/support/neosys2.exe which is accessed by http so attempts to download it.

Http proxies and various internet issues can cause incorrect info to be sent and there is actually no upgrade available. In this case, eventually it realizes that it cant find an appropriate and it stops.

You don’t have to worry about this case.

==Enabling EMS memory on Window 2003==

Normally EMS memory is provided by Windows 2003 but this can vary depending on the server hardware/bios configuration

If you get the following messages on Windows 2003

#Backup File Size is 0
#RTP27. [B28] Not enough String Space – Out of Memory

===Cause===

On servers that had no problem previously, the problem is caused by a windows update in Oct 2012 that disables standard Windows EMS memory.

The patch is issued by Microsoft on 9 Oct 2012 but the installation date in the server depends on when the update was actually installed.

http://support.microsoft.com/kb/2724197

===Solution 1 - maximum performance===

To re-enable standard windows EMS on older slower servers or servers where NEOSYS performance must be maximized.

The following link contains instructions how to remove the offending windows update

It also shows how to prevent it being reinstalled automatically by Windows.

http://www.columbia.edu/~em36/wpdos/emsxp.html

Don't forget to prevent it being reinstalled again automatically

===Solution 2 – ease of installation===

This option can also be used if Window 2003 is unable to provide EMS memory for example when the server hardware/bios configuration prevents it.

Install EMSMAGIC in the same way as for Windows server 2008

EMSMAGIC has higher memory consumption and makes NEOSYS processes slower so it is better to use Solution 1 above if NEOSYS performance is an issue.

==Fixing no output file in XXX YYY Issue==

===Error Message===

[[File:Nooutputfile.jpg]]

===Problem Explained===

The message “No output file in XXX YYY” can appear at several instances in NEOSYS, most often when generating reports or documents.

This problem is usually caused by software error and it indicates that the NEOSYS server responded without any output and without any message.

===Solution===

*Find proof to check if the data required for the report actually exists. This way we can eliminate lack of data as a cause for this error.
*Check to see if a similar issue has been fixed in latest version of NEOSYS.
*Document HOW and WHERE the problem can be duplicated by NEOSYS programmers to identify and correct the software.

==Fixing "Units file is missing" error==

[[Image:unitsfile.png]]

===Solution===

As the message mentions, the 'Units' file is missing. This error can be fixed by copying the file from any other installation, since the Units file is the same in all installations.

The Units file is found in the 'General' folder. Path : neosys/NEOSYS/DATA/DATABASE/GENERAL/

==Troubleshooting Internet Connections==

===Cannot Connect===

While investigating as to why users are not able to access NEOSYS or http://www.neosys.com/ , you can check which ISP the connection issue is on.

<pre>whois ipno</pre>

Inspect very carefully to get clues as to which ISP and which AREA of the ISP the problematic ip numbers are and which do NOT have problems

Doing tracert on windows command prompt on the user's computer may help locate which point on the route between the user and the server is blocking access

tracert xxxx.hosts.neosys.com

where "xxxx" is the client name. In this example, the output will be something like shown below:

<pre>Tracing route to xxxx.hosts.neosys.com [37.48.81.101]
over a maximum of 30 hops:

1 2 ms 1 ms 3 ms ukr.sb.com [192.168.2.1]
2 10 ms 10 ms 11 ms losubs.subs.bng2.th-lon.zen.net.uk [62.3.80.21]
3 12 ms 10 ms 67 ms ae1-182.cr1.th-lon.zen.net.uk [62.3.86.80]
4 10 ms 11 ms 11 ms ae0-0.br2.th-lon.zen.net.uk [62.3.80.42]
5 13 ms 14 ms 14 ms peering.thn.lon.leaseweb.net [195.66.225.56]
6 23 ms 23 ms 24 ms te-0-10-0-19.bb01.ams-01.leaseweb.net [31.31.32.71]
7 22 ms 22 ms 23 ms xe-11-2-3.br01.ams-01.nl.leaseweb.net [31.31.38.89]
8 25 ms 28 ms 26 ms be-10.cr02.ams-01.nl.leaseweb.net [81.17.34.21]
9 24 ms 20 ms 25 ms po-1002.ce02.ams-01.nl.leaseweb.net [37.48.95.195]
10 24 ms 22 ms 22 ms nl10r.neosys.com [37.48.81.101]</pre>

===Troubleshooting TCP/IP Connections===

====Telnet check====
telnet <hostname> 19580

If success then host is on web and port is open.
Otherwise if error: "Connection refused," then either an intermediate firewall is blocking access or the port is closed on host machine.
Action: check with client if office firewall(s) allow connection on that port and if the port is open on the host server.

====If Telnet does not work====
In case telnet does not work, login to the remote host server to investigate the issue. Run the following command simultaneously while doing Telnet from client server to the remote host to check if the TCP packets are reaching the Remote server.
<pre>
tcpdump -v 'src host client-domain-name/ip'
tcpdump -v portno
</pre>

To check if packets are sent from the client server to the remote host, you can run the following command simultaneously while trying to ssh to the remote server.
<pre>netstat -an </pre>

You can also check if the outbound ports are open from which you are trying to establish the TCP connection to the remote server.
<pre>telnet portquiz.net portno </pre>

The outbound IP addresses at times can be different from the public IP of the Client server so be sure that the public IP of the client server is the same as its source IP (which represents an incoming connection from Client to Remote server). One way to find the source IP of the Client server is sending an email from Client server to "support@neosys.com". On receiving the email in Thunderbird, select the email and press Ctrl+u. A new window Opens giving full details of the email received. The third "Received :from" gives the IP of the source.

===Troubleshooting DNS failure===

NEOSYS clients routers are usually configured to use their ISP DNS service and the ISP DNS service is supposed to contact one of NEOSYS's DNS servers to convert server names like hosts.neosys.com into IP numbers. Misconfiguration of clients routers or problems in the ISP DNS server may cause CANNOT CONNECT problems. Often the connect fails quickly and immediately since if a name cannot be converted to an ip number then the connection cannot even be attempted and therefore there is little or no timeout to wait through.

NEOSYS.COM name servers are listed publically and obtained by whois command.

whois neosys.com

Name Server: DNS1.EASYDNS.COM
Name Server: DNS2.EASYDNS.NET
Name Server: DNS3.EASYDNS.ORG
Name Server: NS12.ZONEEDIT.COM
Name Server: NS18.ZONEEDIT.COM

In order to contact NEOSYS DNS servers the ISP's have to use a global DNS to obtain the ip addresses of NEOSYS DNS servers given the host names of NEOSYS DNS servers given in the whois info

Here is an example of DU testing NEOSYS DNS servers. The NEOSYS DNS server ip addresses are listed in the Destination column.

[[File:internet.png]]

If one DNS server is down or unreachable REGARDLESS OF REASON, the ISP is supposed to use the other DNS servers. It is impossible for all NEOSYS DNS servers to be unreachable except in gross disconnection from the internet of the ISP since it is effectively impossible that all NEOSYS DNS servers which are carefully spread around the internet, to be unreachable.

In the above test one of the NEOSYS DNS servers is unreachable but all the others are reachable therefore DU should have no problem providing DNS service to its clients.

ISP are often worse at providing DNS server than the famous GOOGLE DNS servers, so re configuring client router to use GOOGLE DNS servers is a way to prove that the problem lies with the ISP's DNS service

===Additional test for troubleshooting problems with uploading===

====Verifying that upload.dll can run====

This isnt a complete test of everything. It just checks if the upload program can be run by the web server. It doesnt check if uploads work or the image directory is correctly configured with the right permissions and uploads can actually be done.

=====Error Message=====

... to be added when discovered ...

=====Test=====

Test HTTP if accessible by LAN; Test HTTPS is accessible by Internet; Test both if both are available.

On the server type the following into a browser

LAN/HTTP:

http://localhost/neosys/neosys/dll/upload.dll

WAN/HTTPS:

https://localhost:9999/neosys/dll/upload.dll

=====Expected Result=====

<pre>
Upload Error. !
Please call me from a form !!!
The first param must be Filename= name of the uploaded file, TYPE=TEXT
The second param must be Filedata= uploaded file, TYPE=FILE
The third param is optional PathData= path to uploaded file, default c:\temp\, TYPE=HIDDEN
The forth param is optional RedirectPage= name of asp who receive the results, TYPE=HIDDEN
Add others params at the end with INPUT tag.
</pre>

[[image:Uerror.jpg]]

==Patching a NEOSYS program==

Patches done to NEOSYS programs are not affected by live to test database copy, since the programs are on installation level and not database level.

The patch provided will tell you the program name and contain either a whole replacement program text or just some changed lines which you will have to find and edit.

For older versions of NEOSYS, you will need to know the file name which may be provided along with the patch or you can find it using the following code in maintenance mode:

ED VOC programname

ED VOC XYZ tells you what program name is executed and from what file, when you type the command XYZ. Normally the program name is the same as the command.

The file name will normally be BP for agency programs, GBP for general programs or ABP for finance programs.

NEOSYS programs are stored in files just like records of ordinary database files. You can edit either with "ED filename programname" or "TED filename programname". TED is better for editing source code as it opens the the code in a text editor, whereas ED opens the code in the same maintenance window.

To test patches immediately, Support may have to clear cache by pressing CTRL+F5. Refer to [[Configuring_IIS#IIS_web_page_caching|Web Caching]] for more information.

===Installing patch in live database===

In the rare case that the programmer asks Support to install the patch directly on LIVE dataset, start by typing the following command in maintenance mode before commencing:

UTIL

Follow the instructions mentioned in the [[Troubleshooting_NEOSYS_Generally#Installing_patch_in_test_database| next section]], but skip the instruction to TEST the patched program in test dataset.

The instruction to INSTALL the patched program MUST be followed BEFORE testing the patch in live dataset. Otherwise the changes will not get reflected.

===Installing patch in test database===

1. EDIT the program source code.

TED programname

If you have to edit or patch a program that starts with the word DICT. and the remainder of the program name is the same as a real file name e.g DICT.INVOICES, then you cannot omit and must type the actual source file name - in this case, "BP".

Otherwise, if you just type "ED DICT.INVOICES" hoping to edit the DICT.INVOICES program in the BP file, then you will end up editing the dictionary of INVOICES, which is not what you are trying to do. Use the command below to edit such type of programs:

ED BP DICT.INVOICES

If you want to patch line 8, i.e. the source code, of an S type dictionary then you can use TED for easier editing.

TED DICT.filename itemname

Next either cut and paste to modify the whole program or edit the program text according to the patch/instructions provided.

Save and close the program source code.

2. COMPILE it. If you get errors then check your edits are correct and recompile otherwise return the patch to programming.

In newer versions of NEOSYS, versions in and after April 2018, use the below command for compiling.

CO programname

In older versions of NEOSYS, you will have to include the filename.

COMPILE filename programname

3. TEST it. Ensure the patched program now works in TEST database.

4. INSTALL the patched program in the LIVE database.

For newer versions of NEOSYS, versions in and after April 2018, use the below command to copy from test to live.

COPYBP programname

For older versions of NEOSYS, depending on the filename that you patched, one of the following commands will have to be used.

COPYGBP programname
COPYABP programname
COPYBP programname

==Patching NEOSYS dictionaries==

A patch to a dictionary applies immediately when you save it and to all datasets regardless of which dataset you work in.

You need:

#the file name eg INVOICES
#the item name (column name) eg DATETIME_AMENDED
#10 lines of data similar to the example below.
#if the item is an S type dictionary, then either the whole, or only the amended part, of the source code of the dictionary.

ED DICT INVOICES DATETIME_AMENDED

TYPE everything below exactly on the corresponding line numbers except lines 3 and very commonly line 8, as these lines may contain multiple values separated by a superscript 2 (²). Line numbers in the below screen are only for illustrative purpose.

<pre>
╔═══════════════════════════┤DATETIME_AMENDED├═════════════════════════╗
1║S ║
2║ ║
3║DateTime²Amended ║
4║S ║
5║ ║
6║ ║
7║[DATETIME] ║
8║updated=@record<28>²created=@record<31,1>²@ans=''²if created and num(c║..actually this line continues off the screen to the right
9║R ║
10║10 ║
11║ ║
: :
: :
╚══════════════════════════════════════════════════════════════════════╝
</pre>

Press Ctrl+E on lines 3 or 8 in order to enter sub-lines.

The multiple values (on line 3 and 8) separated by a superscript 2 (²) automatically appear when sub-lines are entered.

For line 8, you will need to cut and paste the lines of below program to the Ctrl+E screen:

<pre>
╔═════════════════════════┤Field 8 of DATETIME_AMENDED├════════════════════════╗
║updated=@record<28> ║
║created=@record<31,1> ║
║@ans='' ║
║if created and num(created) and num(updated) then ║
║ createdsecs=field(created,'.',1)*86400+field(created,'.',2) ║
║ updatedsecs=field(updated,'.',1)*86400+field(updated,'.',2) ║
║ if abs(updatedsecs-createdsecs)>120 then ║
║ @ans=updated ║
║ end ║
║ end ║
║ ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
</pre>

After you save and exit the Ctrl+E screen, you will see the sublines separated by superscript 2 appear in one line in the ED screen.

Similarly, for line 3, you need to enter its sub-lines in Ctrl+E screen.

To ensure indenting remains nice (although indenting is not important and can be messed up without causing any problem) then copy the double bars at the front of the lines (if available, otherwise insert some char in position 1 of each line perhaps) and then remove them after you paste ... or just edit until the indenting is correct if you really want to.

Press F9 and/or Esc to save and/or exit from Ctrl+E screen

Press F9 and/or Esc to save and/or exit from ED

==Linux Commands==

This section is aimed teaching support, new to the Linux environment, how to navigate and use the most common useful commands.

Use google or "man <programName>" to get the manual of a program. E.g "man man" gives you the MANual for the Manual program.

"|" use the pipe command to take output of one command and input into another. E.g Cmd: " Echo "ABC" | removeA | removeC ". Output = "B"

Typically commands assume you mean the current directory, if you don't specify which directory you want the command to perform in/on.

Strings with spaces have to be wrapped in double quotation "May 14 01:30:55" before use as input to most commands.

Follow this convention in wiki to understand the syntax (structure) of the Linux commands and options.

Input wrapped in "<...>" is mandatory.

Input wrapped in "[...]" is optional.

===Searching for strings in one or many files using grep===

Using the GUI with Ctrl + F is laborious and less powerful.

Use grep command in Linux or Cygwin to search files especially when you are doing deep inspection of NEOSYS Logs.

Use the following command to search for a string in any file or directory

grep <string> [path to file OR filename] [-r]

Where "string" is the text to be searched and "-r" means recursive - check all files in all sub directories.

grep -i -a string path/file

where "file" is the type of file you are looking for and "path" is the path of the directory you are looking into. Use "" when having spaces in your string.

"-i" means ignore upper/lower case characters in the string and "-a" means treat the file type as text and display the matching text)

e.g when searching in NEOSYS logs the year/month/date is specified in the file name, so if you are looking for a file in year 2016 in the month of Feb, use

grep XXXX path/1602*

In the above command * (asterisk) is a wildcard "means replace * with any thing" and is used when you don't know what that part of the command could be.

E.g "*.jpg" means any file names that end with ".jpg"

Sample below of grep command and its output where it is searching for "Dior" in 2016 march logs.

$ grep -i Dior /cygdrive/d/hosts/test/logs/test/2016/1603*
Binary file path/16030301.XML matches

Using * (asterisk), a string can also be searched globally across all installations on the server.

Below example will search all files whose file names begin with "NEOS00", in all client installation folders inside the "hosts" folder, for log entries containing text "5th June 2016".
$ grep -a "2016 JUN 05" /cygdrive/d/hosts/*/logs/NEOS00*|less

Use the commands below to display the search string and required number of lines that come either after or before the search string, depending on what you enter in your command. It helps to get more information from files especially when you only know few words and the other information around the searched string also gets displayed.

grep -A<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines after the searched text

grep -B<NUM> string file

Above command will display the line where the searched string was found, and also display NUM lines before the searched text

See the examples and their respective outputs below:

$ grep -A2 -i "Dior" 1603*
Binary file 16032101.XML matches
Binary file 16032901.XML matches

$ grep -A2 -a "Dior" 1603*
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>
--
16030301.XML:<DataOut>DIOR%FEPOI%FE'''Dior''' Poison%FE%FE%FE%FE%FEDubai, UAE%FE%FE%FE%FEN%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEN%FE%FE%FE17584.43592%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FENEOSYS%FE17584.43592%FE94_200_49_146%FE1%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FE%FEpaulson</DataOut></Message>

Some more examples of grep below:

Use the command below when searching for more than one string 
grep -a string1 *|grep string2

Use the below command to omit the lines containing specific strings in your search:
grep -B2 -a Processing 160329*|grep -v DataIn|grep -v Message|less 
Above command will display lines containing string "Processing" and exclude lines containing string "DataIn" and "Message", |"less" displays the output in a new screen.

Use "zgrep" command to search in zip files:
zgrep string1 /path |zgrep string2 |less

===FIND===

Use this find command to list all files/directories modified after a certain date.

find [path, if omitted means = current directory] [-type f,d] [-newermt 'MM/DD/YYYY HH:MM:SS']

Or use a filename instead of date:

find -newer filename

==Managing the queue of reports being delivered by email==

In maintenance mode.

===Listing===

LIST DOCUMENTS WITH SCHEDULED_ONCE

===Clearing===

SELECT DOCUMENTS WITH SCHEDULED_ONCE
DELETE DOCUMENTS

==Reduce used disk space on NEOSYS or client hosted servers==
Non essential files getting accumulated over time can take up a lot of space on the hard disk resulting in low free space on the server. NEOSYS Client Monitoring system alerts about low free space for win3 server as it monitors the Disk Space of both C & D drive. To fix it Support team will have to create free space on the server.

Making space on the server is time taking and requires patience as you need to go through all the files/folders looking for non-essential files. Do not make any assumptions for not looking into a folder.

Non-essential files are the ones without which we can work properly and will continue to work in future.

Support team should keep in mind the below points while creating space on the server:

#Look into the drive for which nagios is alerting and dig into all the folders.
#Right click Folder > Properties > Size on Disk, to find out the size of a folder.
#On d drive majority of the space is taken by d:\hosts and d:\data.bak folder and on c drive it's taken up by the important windows/cygwin folders.
#The space distribution will give you an idea about which folders to target that can free up a good amount of space on clean up.
#Following are the non essential files/folders which can create a lot of space on removal. Use your intelligence and presence of mind while deleting files/folders because once deleted the information is lost forever.
#*Folder: d\data.bak. Check for stopped clients' backups and delete if present.
#*Folder: d\hosts\clientname\logs (where clientname stands for all the client folders in hosts) Look into logs prior to the current year and the year before and delete them. In the recent versions of NEOSYS, log folders are compressed and take up a lot less space on disk than presented as their size. You can see the difference in their properties.
#*Folder: d\hosts\clientname\downloads. This folder might contain lot of old versions of neosys.exe files. Keep the two latest versions and delete the rest. Do this for all client folders except test installation because Support maintains all the old versions of neosys.exe in it.
#*Folder: d\hosts\old. In this folder, delete all client folders that are older than 1 year.
#*Apart from above folders look for random backup.zip files present in c/d drive. This happens when Support restores data from a zip file and forgets to delete it after the restore.

To quickly get an idea of which directories consume the largest space, SSH onto server and use the "du" command along with various options, combined with command "sort".

"du" Disk Usage is used to estimate file space usage under a particular directory. Look up "sort" and "head".

Use this to find the estimate disk usage of each sub directory of every log directory in /hosts and then sort -n umerically and -r everse sort from high to low:

du /*/LOGS/*/20* --time | sort -n -r

Go to /hosts or D:/NEOSYS folder. Use command to get the estimate disk usage for all sub directories excluding directories where you know for certain files cannot be deleted.
(sort the directories by highest to lowest estimated disk usage in kb and then shows the top 20)

du --exclude={*/NEOSYS,*/neosys.net,*path/to/another/dir/that/cannot/be/deleted} --time | sort -r -n | head -n 20

===Reduce used disk space on backup servers===

If a server is scheduled to daily delete backup files older than 30 days, then there may be random files that are left behind for longer than 30 days, which are:

*any xx/xx/31 files on months than are followed by months with only 30 days, since the backup procedure deletes the previous month's file on the same day and day 31 does not exist in all months and
*any "same day last month" files that were not deleted by the backup procedure because it did not run or did not complete.

Use "crontab -l" to list all scheduled tasks, to find the how old a file must be before it is deleted.

==Troubleshooting Scripting Disabled error message on browser==
Error: NEOSYS requires You have
1. Internet Explorer 6+
or Safari 3.1+
or Firefox 3+
or Chrome 8.0+
2. Scripting enabled Scripting disabled
3. Cookies enabled Unknown

[[image:IEtrb1.jpg]]

Follow steps in given link to fix Script disable error on browsers : https://wmich.edu/helpdesk/internetenablecookies

==[[Configuring_IIS#Solving_.22Service_unavailable.22_error_due_to_disabled_application_pool | Handling 'Service Unavailable' on browser due to IIS issue]]==

==Searching for users with a particular email address==

In maintenance mode

FIND USERS XX@YY.COM

File:Physical file sizes.png

2020-01-16T13:25:57Z

Pratishthit:

Output from the command to identify disk space used per file

Restricting usage of NEOSYS to licence period

2019-10-14T11:12:16Z

Pratishthit: /* Step 1 - Generate the licence deletion text */

=== Restricting usage of NEOSYS to licence period ===
*A NEOSYS software licence key is granted depending on the last paid up invoice licence period plus optional grace days.
*The NEOSYS software prevents, after the grace period, creation of new documents not dated within the licence period.
*The NEOSYS software does not at any time place any limitation whatsoever on the use of documents already created in the system or the creation of new documents dated within the licence period.
*The intention of NEOSYS licence expiry is to allow the user to continue using the NEOSYS system normally for documents that apply to valid licence periods while at the same time, after a grace period after the expiry of the licence, to prevent them from entering new documents that are related to periods outside the valid licence periods.
*Once a licence has been entered in a database, then usage of that database is thereafter subject to licensing restrictions. (Currently there are no usage restrictions prior to entering any licence, however this may change in later versions of the NEOSYS software and no database may be used without valid licensing in place)

'''Example:'''

The last paid up invoice for software support and licence covered a licence period of one month from '''1 Oct 2009''' to '''31 Oct 2009'''.

A licence key has been installed in the database for the same period and with a grace period of 7 days.

Up to '''7th Nov 2009''' users can create documents without restriction.

From the '''8th Nov 2009''' onwards:
*Users can view and amend any document already created
*Users can create documents dated up to '''31 Oct 2009'''
*Users *cannot* create any new document dated '''1st Nov 2009''' or later

When a user tries to save a new document that 
*does not fall within a valid licence period and
*the current date is more than the number of grace days after the licence expiry date
the user will get the following message:

[[image:licence_period.jpg]]

=== Entering NEOSYS licensing information ===

If adding multiple licences to a database that currently has no licence restrictions, be careful to add any current licences first and historical licences last, so that any active users working on current periods do not get locked out , however briefly.

Use the following code in maintenance mode to view the licences already entered in the database.

CHKLIC

The list of licences is generated as shown below

[[image:licence_list.png]]

The Following steps are done in NEOSYS maintenance mode (F5).

==== Step 1 – Generate “licencetext” ====

Depending on what licence you want to grant, enter the following command. It will show a line of “licencetext” including the computerid and databaseid.

ADDLIC ''modulenames fromdate uptodate daygrace''

All parameters are required and must appear in the order shown.

Generally support should just renew the licence similar to the previous licence unless otherwise instructed. All the required parameters (i.e. modulenames, licence period and days grace) are available in the list of licences report (CHKLIC) mentioned in the previous section.

If the prior licence allows more than 7 days grace, then the days grace for the new licence MUST be determined by NEOSYS accounts team (or whoever asked for the licence to be added).

If there are no prior licences, then the module names, licence period and days grace MUST all be decided by NEOSYS accounts team (or whoever asked for the licence to be added).

''modulenames'' can be any combination of the following, separated by commas with NO spaces, or a single * to allow all modules.

*MEDIA
*JOBS
*FINANCE
*TIMESHEETS

''daygrace'' is how many days after the licence expiry before NEOSYS starts restricting creation of new documents to dates within the licence period.

Example:

ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7

The output for the above code appears as shown below:

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7 │
│ │
╘═══════╔═════════════════════════════════════════════════════════════╗══════╛
▒▒▒▒▒▒▒▒║ PLEASE GIVE THE FOLLOWING TEXT TO YOUR NEOSYS SUPPORT STAFF ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ "MEDIA,FINANCE 1/4/2016 30/6/2016 7 084505 225FAB0E" ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ What is the verification code? ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║< >║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒╚═════════════════════════════════════════════════════════════╝▒▒▒▒▒▒▒
</pre>

==== Step 2 – Request “licencecode” from NEOSYS ====

Give the complete “licencetext” (shown in the above output) to NEOSYS Admin, who will provide the corresponding “licencecode” which is a 1-6 digit number.

==== Step 3 – Enter the licencetext and licencecode ====

Either enter the same command as in step 1 and enter the licencecode when prompted, or enter the following command. The format of the command is almost identical to step 1 but adds computerid databaseid licencecode.

ADDLIC ''modulenames fromdate uptodate daysgrace computerid databaseid licencecode''

Example:

ADDLIC MEDIA,FINANCE 1/4/2016 30/6/2016 7 542684 1D63A3AC 13193

==== Step 4 – Verify that the licence has been added successfully ====

Run CHKLIC in maintenance mode to generate the list of existing licences and verify that the new licence information has been added to this list.

=== Removing NEOSYS Licences ===
If it is no longer required to restrict usage of NEOSYS to a licence period for a database, then delete the licence from that database. All licences installed in a database get removed/deleted once the below commands are followed.

====Step 1 - Generate the licence deletion text====
In maintenance mode, enter the following command
DELLIC

NOTE: In some versions, above command will remove licenses without requiring a verification code

Select Yes.

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :DELLIC │
│ │
╘════════════════════════════════════════════════════════════════════════════╛
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒╔════════════════════════════════╗▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ Delete all NEOSYS Licences? ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║───┬────────────────────────────║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ 1>Yes ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ 2│No ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒╚════════════════════════════════╝▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
</pre>

Output:

<pre>
╒═══════════════════════════════════TCL - 2══════════════════════════════════╕
│ │
│ :DELLIC │
│ │
╘═══════╔═════════════════════════════════════════════════════════════╗══════╛
▒▒▒▒▒▒▒▒║ PLEASE GIVE THE FOLLOWING TEXT TO YOUR NEOSYS SUPPORT STAFF ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ "DELETE 741701 2996420B" ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║ What is the verification code? ║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒║< >║▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒╚═════════════════════════════════════════════════════════════╝▒▒▒▒▒▒▒
</pre>

====Step 2 - Request for verification code from NEOSYS====
Give the complete “text” (shown in the above output) to NEOSYS Admin, who will provide the corresponding verification code, which is a 1-6 digit number.

====Step 3 - Enter the verification code====
Either enter the same command as in step 1 and enter the verification code when prompted, or enter the following command in maintenance mode

DELLIC ''verificationcode''

Example

DELLIC 915036

====Step 4 - Verify that all licences have been removed successfully====
Run CHKLIC in maintenance mode to generate the list of existing licences. The NEOSYS licences report should show "0 records".

Setting up and using remote support

2019-09-29T12:46:25Z

Pratishthit: /* Configuring SSHD to use a non-standard port number */

== Getting agreement of client IT staff to provide remote access ==

[[Letter to obtain agreement of client IT staff to provide remote access]]

== Initial Connection to the server before setting up permanent remote connection ==

For remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. Use either use your customised reverse connect UltraVNC SC file or the one-time run [[link:neosys.com/help | Teamviewer]] utility. (Teamviewer is typically used)

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

Read [[Avoid Corrupting Cygwin Installations]]

# Instruct client to login to server as Administrator.
# Connect to client server via Teamviewer or customised reverse connect UltraVNC SC file.
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator.
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Choose "yes" to "Folder does not exist. Create new?"
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshs_config file? yes
.
StrictModes - no
Privilege – yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net start sshd

=== Configuring SSHD to use a non-standard port number ===

This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is SIGNIFICANT AND CANNOT BE IGNORED in cygwin/linux commands

open cygwin command prompt

cd /etc
nano sshd_config

change the Port to look like this:

#Port 22
Port 19580

Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.

net stop cygsshd
net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net stop sshd
net start sshd

To check that the server is running and listening on port 19580

ssh -p 19580 administrator@localhost

If you are asked for to confirm the server id is correct or enter password then the check is successful. No need to continue.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

Enter IP numbers or CIDR format:

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

1. Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages. MUST READ [[Avoid_Corrupting_Cygwin_Installations#To_see_what_modules_Cygwin_is_going_to_update |See what modules Cygwin is going to update]]

2. Run Cygwin and copy & paste script below into new file sshrc. Change it@neosys.com to the email ID to which the alert needs to be sent.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

3. Give execute permission to sshrc script file for all groups (owner, group, other):

chmod a+x sshrc

4.Add trusted IPs by copying & pasting text below:

cd /etc
nano trustedipnos

<pre>
#IP ranges and CIDR etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

=== Quick way of adding all Support's public keys to allow Remmina support===

If a server has lost all authorised keys in .ssh/authorized_keys file, then instead of Support adding their public key individually using "./autologin.sh" use this method:

#Connect via SSH to any other client server that has support team's public keys saved.
#Then open Cygwin and type: <pre>cat .ssh/authorized_keys</pre>
#Select and copy all the text in the file. i.e public keys
#Exit and connect to the the new client and open Cygwin and type:<pre>nano .ssh/authorized_keys</pre>
#Right click and paste the copied keys in a new line below any possible existing keys ensuring that each key appears in a separate single line and then save and close the authorized_keys file.
#Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key option) in Remmina.

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_7.7 (protocol 2.0)

Before updating Cygwin or its packages you MUST read [[Avoid Corrupting Cygwin Installations]]

=== Upgrading Cygwin remotely ===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

===== Running the script =====

[[Setting_up_and_using_remote_support#Finding_the_script|Locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the version shown at http://www.neosys.com/support/upgradecygwin.cmd and ensure that the script you are using is the latest one, as the script is updated with fixes for problems faced in the past.

The upgradecygwin.cmd script will try to download the latest version of setup-x86 from cygwin.com. In case it is not possible to download the setup-x86.exe file from cygwin.com due to proxy/firewall or other issues, then follow the below steps before running the cygwin upgrade script.
#Download setup-x86.exe manually from http://www.cygwin.com/setup-x86.exe
#Place it in the same directory as the upgrade script
#Rename it to "setup-x86-manual.exe". The cygwin upgrade script will rename this file to setup-x86.exe

If you initiate the script while connected on ssh using tunnelier/remmina etc. halfway through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re-enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send the email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending the email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The latest version of the script can be found in the latest version of NEOSYS. The script is installed in the neosys\neosys directory.

For older versions of NEOSYS it can be created or upgraded as follows:

Open http://www.neosys.com/support/upgradecygwin.cmd on your browser to view the script.

Then copy the script onto notepad on the server and save this as a .cmd file in the location mentioned below:

Single installation
x:\neosys\neosys\upgradecygwin.cmd

Multiple installation
x:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

where x is the drive in which NEOSYS is installed.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Adding packages to Cygwin after installation ==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

=== Adding individual packages to cygwin without doing a full upgrade ===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

== Getting Ownership and Permissions Correct ==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

=== Solution 4 ===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

Setting up and using remote support

2019-09-29T12:40:48Z

Pratishthit: /* Configuring and starting SSHD */

== Getting agreement of client IT staff to provide remote access ==

[[Letter to obtain agreement of client IT staff to provide remote access]]

== Initial Connection to the server before setting up permanent remote connection ==

For remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. Use either use your customised reverse connect UltraVNC SC file or the one-time run [[link:neosys.com/help | Teamviewer]] utility. (Teamviewer is typically used)

If the client has already gone ahead and provided Microsoft RDP with an obvious/weak system password, then Support MANDATORY MUST get Windows reinstalled from scratch. Antivirus may not be able to tell that the server has been infected and rootkitted and therefore a scan does not prove it has not been infected.

Support MUST not provide NEOSYS support via Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at anytime because it is a BAD idea to simply open port 3389 since an open port 3389 attracts scanners/hackers like flies.

Also, IT suppliers not aware of the situation often setup the initial administrator password to something obvious like "password" or the arent-I-clever "P@ssw0rd" or even blank. In this case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to put a strong password.

== Installing and configuring SSH ==
=== Installing Cygwin with OPENSSH ===

These instruction are only for installing in a server NOT part of a domain. For installing in a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain

Watch out for non-intuitive steps like clicking "skip" to install something.

Read [[Avoid Corrupting Cygwin Installations]]

# Instruct client to login to server as Administrator.
# Connect to client server via Teamviewer or customised reverse connect UltraVNC SC file.
# ENSURE that you are logged in as the local (NOT DOMAIN) administrator.
# Download/Run/Install http://www.cygwin.com/setup.exe (you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
# Download source: '''Install from Internet'''
# Root Directory: '''c:\cygwin'''
# Local Package Directory: '''c:\cygwin.lib'''
# Choose "yes" to "Folder does not exist. Create new?"
# Internet Connection: '''Direct Connection'''
# Download Site: '''http://mirrors.kernel.org''' (near the bottom) (If this does not show in the list, key in the URL in the field '''User URL''' and click on Add)
# Select Packages: Maximise window then click '''View''' once to get '''Full'''. You can then enter the name of the desired packages in the Search box to speed up location of the desired packages.
# Next to the package '''OPENSSH''', click the word '''Skip''' (once!) to get version 4.4p1-1 or later
# Next to the package '''NANO''', click the word '''Skip''' (once!) to get the latest version available
# Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
# Click Next and complete the installation

=== Win32 Error ===

The Win32 Error occur when the bad file is cached in internet explorer cache. You can try clearing the internet explorer cache and redownloading or you can try to download from cygwin.com instead of www.cygwin.com so it doesnt look in the cache or www.cygwin.com if your original download was from cygwin.com. All else failing, you can simply upload the setup.exe file from your own pc to the server.

All this relates to win32 error when running a downloaded file. Any downloaded file and not just cygwin.com/setup.exe

===Error during setup===

In case of the following error, check for proxy settings in internet explorer. It is possible that the client uses a proxy setting. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.

Unable to get setup.ini from <http://mirrors.kernel.org/>

[[File:Cygwin install error.png]]

=== Configuring and starting SSHD ===
Open the Cygwin icon to get a linux/bash command line and type:

Run the following commands: (not needed in recent versions of Cygwin so dont do this)

chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var

Refer [[Setting_up_and_using_remote_support#Reinstalling_SSHD_if_service_fails_to_startup| here]] if you get an error while doing the above steps.

Prevent cygwin from using Unix like permissions on files it creates

nano /etc/fstab

add the line or just add ",noacl" to the existing similar line. (What is the effect of omitting this?)

none /cygdrive cygdrive binary,posix=0,user,noacl 0 0

Thereafter start with the ssh configuration:

ssh-host-config

Then on the following options type:
Only asked if running again:
Overwrite existing /etc/ssh_config file? yes
Overwrite existing /etc/sshs_config file? yes
.
StrictModes - no
Privilege – yes
New local sshd account - yes
Install SSHD as a service - yes
Enter value of daemon - Just press Enter
Different name - no
Create new privileged user - yes
Enter a password now - Invent a NEW totally random password with caps and both upper and lower case.
Re-enter the password - Enter it again. Dont record it anywhere. Forget it.

At the command prompt type

net start cygsshd

For older versions of Cygwin (Before Jan 2019)

net start sshd

=== Configuring SSHD to use a non-standard port number ===

This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.

Capitalization is SIGNIFICANT AND CANNOT BE IGNORED in cygwin/linux commands

open cygwin command prompt

cd /etc
nano sshd_config

change the Port to look like this:

#Port 22
Port 19580

Also add the last line to the following section. Refer [[Setting_up_and_using_remote_support#Solving_.22Authentication_that_can_continue:_publickey.2Cpassword.22_Error_when_connecting_to_remote_servers_via_remote_access_clients| Error when connecting to remote servers]] to see why this line is added.

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.

net stop sshd
net start sshd

To check that the server is running and listening on port 19580

ssh -p 19580 administrator@localhost

If you are asked for to confirm the server id is correct or enter password then the check is successful. No need to continue.

=== Changing ssh login from “Administrator” to “administrator” ===
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.

If you forget to do this before installing or upgrading Cygwin then you must to the following:

#Rename “Administrator” to “administrator” in Windows
#*If you cannot rename Administrator to administrator, follow the procedure mentioned at [[Changing username from Administrator to administrator]]
#In a Cygwin console do:

mkpasswd > /etc/passwd

It should come back with nothing

=== Error while changing Cygwin port 22 to 19580 ===

Error Message:

"Could not open file for writing: permission denied"

Occurrence:
Sometimes when you edit the sshd_config file through NANO.

Solution:
In SSH shell, follow these commands:

cp sshd_config ashwin_temp #copies sshd_config to a new file ashwin_temp
rm sshd_config #deletes sshd_config
cp ashwin_temp sshd_config #copies ashwin_temp to sshd_config

In case it does not copy sshd_config to ashwin_temp, than check whether an ashwin_temp filename exists and delete it using the rm command.

=== Opening up ssh connections to additional source ip nos ===

Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.

In the cygwin command line, insert a line in the list of allowable hosts

DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW

nano /etc/hosts.allow

Enter IP numbers or CIDR format:

sshd 12.34.56.78
sshd 12.34.0.0/16

=== Setting up email alerts for cygwin ssh logins ===

1. Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages. MUST READ [[Avoid_Corrupting_Cygwin_Installations#To_see_what_modules_Cygwin_is_going_to_update |See what modules Cygwin is going to update]]

2. Run Cygwin and copy & paste script below into new file sshrc. Change it@neosys.com to the email ID to which the alert needs to be sent.

cd /etc
nano sshrc

<pre>
#!/bin/bash
#
#you configure this

ALERTEMAILADDRESS=it@neosys.com

#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host

if grep -x $FROMIPNO /etc/trustedipnos
then exit
fi

#
#get the host name by reverse lookup

FROMHOST=`nslookup $FROMIPNO|grep "name ="`

#
#get whois info about the login ip number

#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login

whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
</pre>

3. Give execute permission to sshrc script file for all groups (owner, group, other):

chmod a+x sshrc

4.Add trusted IPs by copying & pasting text below:

cd /etc
nano trustedipnos

<pre>
#IP ranges and CIDR etc not accepted yet

#vm1.neosys.com for remote checking
85.17.154.105

#nl1.neosys.com
83.149.104.167

#nl2.neosys.com
85.17.154.66

#uk.neosys.com
78.143.212.191

#nl3.neosys.com
94.75.233.2
</pre>

=== Quick way of adding all Support's public keys to allow Remmina support===

If a server has lost all authorised keys in .ssh/authorized_keys file, then instead of Support adding their public key individually using "./autologin.sh" use this method:

#Connect via SSH to any other client server that has support team's public keys saved.
#Then open Cygwin and type: <pre>cat .ssh/authorized_keys</pre>
#Select and copy all the text in the file. i.e public keys
#Exit and connect to the the new client and open Cygwin and type:<pre>nano .ssh/authorized_keys</pre>
#Right click and paste the copied keys in a new line below any possible existing keys ensuring that each key appears in a separate single line and then save and close the authorized_keys file.
#Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key option) in Remmina.

=== Testing SSH connection to the NEOSYS server over port 19580 ===

If you cannot connect to the server using SSH, see [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting NEOSYS remote support port forwarding]]

=== Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys ===

The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.

It is possible that in some client network configurations incoming ssh connections will appear to be from the clients internal routers with an ip unknown to NEOSYS due to NAT configurations. Therefore ssh connections will be blocked unless specifically allow the local ip number or it is added into an upgraded version of NEOSYS.

NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).

#Look in the Windows, Computer Management, System Tools, Event Viewer, Application
#Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
#Information type sshd entries will give the ip number of successful sshd connections.
#Warning type sshd entries will give the ip number of failed sshd connections.
#Find the ip number of failed connections.

==== Possible Problem 1 - Port mapping in router is using NAT ====

If the ip number of failed connections is some local ip number (of the router for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. Therefore the NEOSYS ip restrictions are blocking ssh connections because they appear to be coming from an unknown ip number (ie that of the router)

==== Solution 1A ====

Change the router configuration to not use NAT and leave the genuine original source IP number

==== Solution 1B ====
The router is sadly using NAT instead of plain old port forwarding.

DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS

The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.

Sample Email to Management-
<pre>
Dear XXXX,

Support must have remote access to the NEOSYS server via SSH but currently we don’t have access.

This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server
has a list of allowed source IPs and since the router’s IP is not in the list, connection fails.

The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in
list of allowed IPs on the server.

We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be
restricted by IP any more.

Please confirm that this solution is OK.

Best Regards
</pre>
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:

nano /etc/hosts.allow

and add the line as follows but put the IP number of your router

sshd: allow 192.168.0.99

Warning

#If the router IP changes then NEOSYS remote support will fail until this line is changed
#Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack

=== Troubleshooting sshd ===

You can run the sshd service interactively to see all messages instead of having to search logs/events etc.

Unfortunately this will not work the same as the normal windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we dont take a record of it during sshd-host-setup) AND ALSO place the new password in the logon properties of the sshd windows service.

su sshd_server
/usr/sbin/sshd -D -p 19580

=== Reinstalling SSHD if service fails to startup ===

====Error message====
chmod: cannot access '/etc/passwd': No such file or directory
chmod: cannot access ‘/etc/group’: No such file or directory

====Solution====
Sometimes reinstallation isnt necessary and sshd can be made to restart by doing

mkpasswd > /etc/passwd
mkgroup > /etc/group

If all else fails:

#Look in '''/var/log/sshd.log''' for errors
#Delete the following users: '''sshd''' and '''sshd_server'''
#Remove the sshd service at the cygwin prompt type '''cygrunsrv –R sshd'''
#Do the above Configuration and starting SSHD step again

Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.

== Upgrading SSHD / Cygwin ==
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.

Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.

Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd

To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service

SSH OK - OpenSSH_7.7 (protocol 2.0)

Before updating Cygwin or its packages you MUST read [[Avoid Corrupting Cygwin Installations]]

=== Upgrading Cygwin remotely ===

NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use with a script as explained in the section below.

==== Upgrading Cygwin with a script ====

The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.

WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade.

Since something may go wrong and the script might FAIL to re enable ssh remote connections, you can take one of the precautionary measures listed below.

* either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
* or ensure that client IT support is available ONSITE to provide temporary teamviewer access in the event of any problem
* or be prepared to lose the ability to provide remote support to the installation until the previous item is available

'''TeamViewer 9 issue'''

When attempting to connect to client server via TeamViewer 9 (setup via Tunnelier with unattended access) it shows the error below

[[File:TVerror.jpg]]

SOLUTION: Install TeamViewer 7 which does not give this error. Contact NEOSYS IT for TeamViewer7 commercial license. You must have the client server's administrator password to login using TeamViewer. After the upgrade, REMOVE SETTINGS for unattended access and UNINSTALL Teamviewer. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"

===== Running the script =====

[[Setting_up_and_using_remote_support#Finding_the_script|Locate the upgradecygwin.cmd script]] and run it some usual way by clicking and pressing Enter.

You MUST inspect the version of the pre-installed script against the version shown at http://www.neosys.com/support/upgradecygwin.cmd and ensure that the script you are using is the latest one, as the script is updated with fixes for problems faced in the past.

The upgradecygwin.cmd script will try to download the latest version of setup-x86 from cygwin.com. In case it is not possible to download the setup-x86.exe file from cygwin.com due to proxy/firewall or other issues, then follow the below steps before running the cygwin upgrade script.
#Download setup-x86.exe manually from http://www.cygwin.com/setup-x86.exe
#Place it in the same directory as the upgrade script
#Rename it to "setup-x86-manual.exe". The cygwin upgrade script will rename this file to setup-x86.exe

If you initiate the script while connected on ssh using tunnelier/remmina etc. halfway through the script you will be disconnected.

The script will take a few minutes to download and install any cygwin upgrades.

Once the script is finished, it will re-enable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.

You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send the email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.

*upgradecygwin.log - contents of the email that would have been sent
*upgradecygwin.err - any errors that prevent sending the email

If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.

Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.

===== Verifying successful run =====

#You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
#[[Setting_up_and_using_remote_support#How_to_check_Cygwin_version_.3F|You must check the versions of "cygwin" and "openssh"]] at a minimum and ensure they agree with the latest expected version numbers.
#You must check for the word "reboot" especially in the following scenarios:

Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate
incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly
until you reboot.
Ending cygwin install

===== Dealing with reboot required =====

The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.

The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isnt smart enough to deal with this.

It is quite likely that a reboot will NOT solve various problems.

Rerunning the script will not show the errors again but the problem of bad upgrade.

SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.

===== Finding the script =====

The latest version of the script can be found in the latest version of NEOSYS. The script is installed in the neosys\neosys directory.

For older versions of NEOSYS it can be created or upgraded as follows:

Open http://www.neosys.com/support/upgradecygwin.cmd on your browser to view the script.

Then copy the script onto notepad on the server and save this as a .cmd file in the location mentioned below:

Single installation
x:\neosys\neosys\upgradecygwin.cmd

Multiple installation
x:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd

where x is the drive in which NEOSYS is installed.

==== How to check Cygwin version ? ====

If you are looking for the version number for the whole Cygwin release, there is none.

Each package in the Cygwin release has its own version. You can find out the Cygwin.dll version by using the following command:

cygcheck -V

To find the version of the Cygwin Package installed, you can use

cygcheck -c PACKAGE_NAME

eg - To check the version of the openssh package you will have to type the following command in cygwin:

cygcheck -c openssh

The output should be as follows:
<pre>
Package Version Status
openssh 6.0p1-2 OK
</pre>

== How to uninstall/reinstall cygwin ==

With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.

Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd server (cygrunsrv -R sshd), deleted the sshd & sshd_server users (net user sshd /DELETE)

To uninstall Cygwin you have to run the following in DOS prompt:

rmdir /s /q C:\cygwin

You cannot delete the cygwin folder from Windows explorer due to a Access Denied error and this is the best way to uninstall cygwin.

== Adding packages to Cygwin after installation ==

Adding packages causes Cygwin to also upgrade but upgrade requires a special process because it cant be upgraded remotely while Cygwin sshd server is working.

#Upgrade Cygwin
#Add the package using Cygwin normal setup program

Step 1 is NOT optional if you want to do step 2.

In the above procedure upgrade Cygwin using the script and follow the precautionary measures listed in [[Setting up and using remote support#Upgrading Cygwin with a script | Upgrade using script]], in case script fails to renable ssh remote connection. Next run setup.exe file present in D:\neosys\neosys to install the required the package.

=== Adding individual packages to cygwin without doing a full upgrade ===

You can add individual packages to cygwin without doing a full upgrade in many cases. The installed or upgraded version of cygwin should be recent since the current version of the package you want to install might not work with an old version installed cygwin.dll.

To figure out if the cygwin version is recent and will be compatible with the new package, compare the current installed version with the latest version of cygwin.

Cygwin DLL has been named cygwin1.dll and the number 1 is present in the beginning of the release name. Additionally there are DLL major and minor numbers that correspond to the name of the release and a release number respectively. The major version number gets incremented only when a change is made that makes existing software incompatible. The minor version changes every time a new backward compatible Cygwin release is made available. Therefore we need to check the major version of cygwin on the server.

In other words cygwin-1.7.1-2 means cygwin1.dll, major version 7, minor version 1 and release 2.

e.g if the current version of Cygwin DLL is 2.3.0 and latest version is 2.4.1-1 that means there is a change in the major version from 3 to 4 so we cannot go ahead with installing a new package.

Commands below to add or remove packages. Press the View button repeatedly in the installation wizard to get to "Pending" to see what will be installed.
#adding
setup-x86 -P PACKAGE_NAME

#removing
setup-x86 -x PACKAGE_NAME

== Getting Ownership and Permissions Correct ==

Installation of cygwin under domain administrator account needs to be fixed as follows:

#c:\cygwin Properties, Security, Advanced
#Change owner to: Administrators
#Tick: Replace owner on subcontainers

After changing ownership of all cygwin folders to Administrators all ssh login will be blocked and you will get a windows application event log message. "root" actually means sshd's user which is sshd_server by default or can be found in the cygwin ssh windows services properties under log on

fatal: /var/empty must be owned by root and not group or world-writable.

Fix this in cygwin console as follows:

chown sshd_server /var/empty

== Configuring Firewall/Router ==

You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”

It is BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.

Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.

== Configuring Specific Client Routers ==

[[Adline Dubai - CISCO PIX Firewall]]

[[Sonicwall Firewall Configuration]]

== How to install ssh on port 19580 over vnc on port 19580 ==

Install vnc on port 19580

connect on vnc

setup cygwin sshd on port 22

test you can login on port 22

ssh neosys@127.0.0.1

change sshd port to 19580 (but it wont start)

schedule a windows system reboot in 10 mins at windows command prompt

shutdown -t 600

change vnc port to 5900 (if will disconnect you)

wait for 10 mins and try to ssh login on port 19580

== Changing user on Cygwin==

On SSH command line:

ssh neosys@127.0.0.1 (where 'neosys' is the username)

== Installing and configuring UltraVNC ==

VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp

[[Installing and configuring UltraVNC]]

== Remote Desktop Connection ==

Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.

Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.

If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.

=== Changing RDC port from standard to nonstandard ===

# Start Registry Editor.
# Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
# On the Edit menu, click Modify, and then click Decimal.
# Type the new port number, and then click OK.
# Quit Registry Editor.

== Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients ==

Some remote access clients cannot connect to ssh servers without special configuration.

For example remina/ssh cannot connect to windows/cygwin/sshd in their default configuration.

=== Error Message ===
[[Image:Sshremmina.jpg]]

SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive

=== Solution 1 ===

If possible configure the client to not perform challenge response during login.

There appears to be no way to do this for remina currently

=== Solution 2 ===

On the target server:

Edit the ssh service configuration

nano /etc/sshd_config

Add the last line to the following section

<pre>
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
</pre>

Restart the ssh service

net stop sshd
net start sshd

Check that you can login using password from one workstation and it will be solved for all workstations for that server

=== Solution 3 ===

On a client workstation:

#Use the autologin.sh script to configure automatic login. Refer [[Backup_and_Restore#Creating.2FUpgrading_autologin.sh| Autologin.sh]]
#For "Authentication/Login Method" choose option "Public Key"

Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.

=== Solution 4 ===

On the target server, check whether authorized_keys file contains your public key. You can do that by checking the user name displayed at the end of each key.

To view the authorized_keys file, open cygwin terminal and type

cat .ssh/authorized_keys

If authorized_keys file does not contain your public key, then copy it from authorized_keys.backup file using the below command:

cat .ssh/authorized_keys.backup

Next edit the authorized_keys file using the below command:

nano .ssh/authorized_keys

Then paste the copied key in a new line. Ensure that the key appears in a single line and then close the authorized_keys file.

Check that you can connect to the target server using automatic SSH authentication (SSH Agent or Public key)

Procedures

2019-08-21T11:54:13Z

Pratishthit: /* Get Approval */

Here are procedures to be followed by Support Staff in respect to various technical matters in day to day operations of client issues.

Once Support Staff have learnt how to follow these procedures & rules, you then start learning when and how to not follow them. Common sense trumps all rules! i.e. don't follow procedures and rules blindly all the time. Analyse the problem and solve it practically.

BUT if you are doing something off-piste deliberately, then just add an appropriate comment about why you are.

== Handling Clients with Overdue Invoice ==
In order to maintain good payment speed by clients NEOSYS needs to restrict support to clients that dont pay their bills on time, however the degree of restriction needs to depend on an intimate knowledge of the client which cannot be expected from all NEOSYS support staff. Therefore we will use a simple escalation policy as follows:

=== Overdue Support List ===
NEOSYS SUPPORT MANAGERS WILL maintain an overdue list on a whiteboard visible to all support staff. Generally, clients will go on the list immediately when their invoice is overdue and come off only after satisfactory commitment to pay have been obtained.

The latest overdue list email MUST always be starred until there are no clients left on the overdue list (apart from the permanently overdue clients). When a client is added to the overdue list, support must set up a filter to move client support emails to the overdue folder. When a client is removed from the overdue list, client emails must be moved back into the support inbox. This way support team will know that there are still clients on the overdue list and will not mistakenly provide support to those clients.

[[image:FilterOverdue.jpg]]

For the first week of each quarter of the year, normal support should be provided for server failures and backup failures (including hung processes as it could eventually lead to backup failures).

For any other support requests from overdue clients, respond with the following letter (where XYZ is the overdue client):

Dear <user>,
There is an issue with your company's account. We have requested our Accounts team for approval in order to provide support to you and other <XYZ> users.

Support staff MUST then provide the required support to the overdue client only after 4 working hours. Support Staff need not actually contact the Accounts team for approval, although that is what is mentioned in the letter. This delay in support is to encourage clients to settle their payments on time.

After the first week of each quarter of the year, respond to any support requests from overdue clients with the above letter but MUST NOT PROVIDE SUPPORT even after 4 working hours. Instead, Support Staff must refer the support request to NEOSYS Support Manager.

Managers may well instruct support to provide support on a case by case basis even if clients are on the overdue list. Being on the overdue list does not necessarily indicate a major issue with accounts.

=== Handling complaints about Licence restrictions ===

Sometimes when a client delays payment of NEOSYS invoice, support places a licence restriction for the client. In such cases, users will not be able to create and save documents dated outside the licence period. Due to this sudden restriction, clients may raise complaints about the restriction placed.

Support MUST simply inform them that licence restrictions are a default procedure followed by NEOSYS and is applied to all clients, so that the client will in future avoid delaying the payment.

== Handling Frozen NEOSYS Installations and Databases ==

Some clients retain fully operational NEOSYS installations or just particular databases even after they stop using them for some reason, either because they move to some other software, or because they terminate an operational division, or other reasons, and this can either be on NEOSYS or their own servers.

In this case, various NEOSYS upgrade and maintenance processes may be suspended, downgraded or completely skipped especially if instant access to the server is no longer available. This does not mean that it should never be done, and pros and cons need to be assessed and documented in support emails on a case by case basis.

*Upgrading NEOSYS version
*Upgrading/standardising NEOSYS database configuration and other files for consistency, security or other issues
*Patching Windows/IIS configuration for consistency, security or other issues

== Handling Links and Email Attachments ==

'''DO NOT TRUST ANY LINK OR ATTACHMENT IN ANY EMAIL EVEN FROM HIGHLY TRUSTED PEOPLE OR ORGANISATIONS'''

These days you can no longer trust links or attachments in emails from anybody - even emails from highly trusted people like your bank.

If a personal computer or intermediate email server is hacked then even genuine emails sent out from it can be infected and modified in a hidden way that can result in the recipient being infected if they click or open anything in the email.

Therefore you should know and understand how to avoid, as far as possible, getting tricked and infected via emails.

Malware authors generally rely on the fact that most people devote no time at all to security precautions so a moderate cautious approach, slowing down a little to spending some time on security, even where it is apparently not required, is enough to defeat most attacks.

=== Links ===

Do NOT click on links, especially in emails that you are not expecting, but also anywhere else that you see links, without taking various precautions. The links in an email, even from someone you know and trust, can LIE to you about what website they will open and they can lead you to websites that mere browsing can infect your computer and then others inside our network.

WHAT LINK/WEBSITE WILL BE OPENED MAY NOT BE WHAT IT SAYS IN THE BODY OF YOUR EMAIL!

Therefore, to use a link in any and all emails, first hover your cursor over it and check the status bar at the bottom of the screen where you can see exactly what website will be opened, or, to be more sure exactly what website you are opening DO NOT click links in emails at all. COPY/PASTE the link to your browser, AFTER following the below points.

*Make sure you know and trust the website being opened.
*Carefully inspect the spelling of the domain name to avoid tricky look-alike fraudulent links eg hcsb.com instead of hsbc.com
*If you trust the sender but you do not personally know the website then get independent confirmation from the sender. Reply to the email so that the sender can check the link you received has not been tampered with.

Example 1:

Below is an example of a phishing email that you can easily tell is malware

[[image:Scamscreenshot1.png]]

1. You don't expect it because it says "before your sign up is complete" ... but you didn't just sign up.

This doesn't mean that links in emails that you ARE expecting ARE safe to open. All the usual cautions apply to emails you DO expect.

2. Hover mouse over the button and check the link visually

In the example above, the email is supposed to be from Dropbox, but hovering the mouse over the button shows the below link, which is obviously wrong:

http://fxloraisdoxbraxsil.com.br/dropbox.html

3. Even if the link looks genuine e.g. something from a service that we use that we didn't expect, be careful for misspelt links that look like genuine links e.g. drobbox.com, which could trick you if you are sloppy.

Never click on links in emails unless you are absolutely 100% sure that the email and link is genuine.

Copy the link using right click copy link then paste into your browser if there is the slightest doubt.

Example 2:

In the following case, hovering over the first two links seem to go to real UPS website, BUT this is NOT sufficient to be sure since slight misspellings and other tricks can lead you to a totally different website.

However, hovering over the third "link" shows that clicking the apparent link would go to some website http://behappy.vn (Vietnam) so clearly this is a DECEPTION.

[[image:Scamscreenshot.png]]

=== Attachments ===

Please follow these rules strictly:
* *NEVER* open an attachment that you did not expect.

* *NEVER* be curious to see what is in an attachment.

* *NEVER* open an attachment if there is some other way for the info to be sent e.g. Screenshot of document.

If the rules above are followed then:

* You can open an attachment if you have requested it and if sender is unable to take a screenshot.

* You can open an attachment if you get a good explanation of it contents from sender and they are unable to take a screenshot.

It is okay to save an attached eml file and open it with GEDIT as text, as it will not trigger any virus.

This does NOT mean that you can open attached files freely. As per the procedures above, you should NOT open any unknown or unexpected attachments without CONSIDERABLE thought.

But saving and then opening files with GEDIT to get an idea of their contents even if the view is mangled is okay. Although, there is little point in opening files like ZIP in gedit.

There is no way to determine if an attachment, even from someone you know, has not been infected and is therefore, dangerous.

The only protection is to rely on anti-virus/anti-malware e-mail filters and staff vigilance!

You can check the names and file types/extensions of attached files to spot any obviously strange or unexpected attachments, but this is not very effective. The filename of an attachment could be spoofed. An attacker could potentially exploit this by tricking the user in to opening an attachment of a different type to the one expected.

Attachments ending in .jar or any other unusual extensions shouldn’t be opened without SB's permission.

If there are a lot of attached files, don't assume they are all safe, make sure you asked for each of them.

== Handling emails from unknown email addresses ==

Any sort of contact from an unknown email address must be ignored entirely, i.e. no response whatsoever from Support, as these emails could be from a fraudulent source. If the email is genuine, then the sender can surely contact their managers.

Support should keep in mind that hackers can send emails that look genuine, aiming to get private/confidential information and so should always stay alert when dealing with such emails.

== Handling junk/spam email ==

*DO NOT delete emails from Junk or Spam folder because they are used to identify future junk and spam emails.
*Any email identified as junk should be marked as Junk so that they automatically go into the Junk folder. The spam filter in the mail server will use these emails in the Junk folder to decide what is moved into the spam folder.
*You MUST ensure that all clearly junk/spam emails are marked as Junk/Spam in ALL email inboxes. In other words they MUST be moved to Junk/Spam folders and not left in our inboxes or other main folders.
*Any emails which are not clearly junk/spam emails or are similar to genuine emails, but you know are spam/junk MUST be deleted i.e. NOT left in inbox NOR moved to Junk/Spam folders.

Failing the above we will have the following problems:

*Real emails disappearing into junk/spam folders by our email server.
*More junk/spam emails appearing in our inboxes than necessary.

== Avoid burdening email servers with excessive graphics ==

Support MUST install the "Auto Resize Image" addon in Thunderbird to reduce the size of images in emails resulting in a significant reduction in email size. See [[Configuring_Thunderbird#Configure_Auto_Resize_Image| setting up auto resize image]] for details.

It reduces the burden on NEOSYS and NEOSYS client's email servers. This is especially important on long conversations about subjects that include many screenshots, since for just a simple one line reply, the email can consume many MB of space. It massively wastes the email server space and makes backups massive and generally a total waste of resources and time.

To be able to refer back to graphics in previous emails, add the SIZE column to your email program so that you can locate large emails with graphics rapidly without searching back one by one.

==Client Communication Policies==
===Client Meeting Report Policy===

After every Client meeting online or otherwise Support MUST send a Follow-Up email to the Client which is open and fully informative and not brief, stating the events during the meet and any action required by either or both parties. The email to the client must not shrink from discussing contentious issues due to a false sense of politeness or timidity to address issues face on. Obviously one should not be rude but it is not rude to address issues openly.(cc Client managers and NEOSYS Managers)

The follow-up email MUST be sent within 24 hours of completion of the meeting so that the points discussed during the meeting are fresh in all the meeting participants' minds. This means that reports for meetings on the day before the weekend MUST be sent on the SAME day.

In addition to above email if there is some information that needs to be shared internally and cannot be said in public to the client then send a Client Meeting report to Support.

Support must also update the Client Contact Record file in Google Drive immediately after sending out the follow-up email.

===Follow Up of Support Issues===

All voice/chat communication MUST also be followed up with an email confirming at least the gist of the communication to keep the whole support team updated on the issue.

If not possible to contact for any reason, then an email MUST be sent stating so and suggesting or requesting a time to connect.

cc Client managers (and/or BCC NEOSYS Managers) MAY be done if thought to be useful and/or appropriate.

===Handling Contentious Emails from Clients===

If emails requesting support become contentious, then voice, phone call or chat is REQUIRED to save time. However, client support via phone call should be done only on local or low-cost calls. High-cost international calls should not be used except in extreme circumstances.

If clients become deliberately combative or uncooperative then Support team is supposed to kick back a little but still emphasise the point. Perhaps it could be done better with a little ironic humour or a smiley. Avoid using !! while responding to contentious emails.

=== Apologising to clients for issues ===

We only need to apologise for major issues that are a) definitely our fault and b) we wish to indicate that there is some general issue in NEOSYS procedures and that we are dealing with it.

We do not want to invite bullying by some clients by seeming to lack confidence in our ability.

An explanation of the cause and possibly FP is of more value to the client, since an apology doesn’t really make any difference.

=== Discussing Pricing ===
All discussions about pricing must be done only in Sales inbox. If clients bring up pricing discussion in support emails, NEOSYS staff must respond to the client by starting a new thread in the Sales Inbox.

==NEOSYS Support Response Time Policy==

NEOSYS contracts, in the few cases where we have a written contract with the client, specifies that maximum response time is one business day generally and one business hour for complete stoppages of the system. Obviously we have to do far better than this in practice.

Support staff must inform clients of the progress of the issue if it is not resolved the same day but only if they contact at least 1 hour before office closing.

Deciding to wait on issues is fine (also refer to: [[Procedures#Handling_users_who_do_not_act_upon_standard_messages|Response to standard messages]]), but support MUST at least spend up to 5 minutes on issues to see if they can be handled quickly. Support MUST respond quickly to issues that can be handled quickly, otherwise the client suffers unnecessarily.

When an issue is fixed or a client request has been implemented in NEOSYS, Support must immediately let users know that the issue is fixed, so that clients can continue their work without any further delay. Quick and prompt responses from Support will gain the client's appreciation.

For routine requests for service where there is a reasonable expectation of delay by the client then no need to send rapid reply.

==Default Browser for support staff ==

NEOSYS supports and develops for Firefox primarily but other browsers such as Chrome and Edge MUST also be tested working fine. Support team currently uses Firefox for all work related tasks in Ubuntu which includes testing, wiki work etc.

Also refer to [http://itwiki.neosys.com/index.php/Setting_up_Ubuntu_on_NEOSYS_Support_Computers#Mozilla_Firefox Setting up Mozilla Firefox]

==Handling errors discovered by support staff ==
{{Handling errors}}

==Handling browser script errors==

If a script error is faced, support should take a full screenshot of the script error including the script name, line number, etc.

Include every detail available regarding the script error and also the steps to replicate it and escalate this to the programmer.

Chrome JavaScript Error Notifier extension shows all the details available in the initial script error message itself. In Internet Explorer, you will have to click 'Yes' on the script error message to get all the details.

== Various checks done by Support to investigate errors ==

A list of logs/reports that Support must look at, depending on the situation, to solve issues or investigate errors.

#Support inbox emails: Check old emails in Thunderbird. This is the quickest way to handle issues/errors that were handled recently.
#Logs/reports available in NEOSYS Menu
#*Request Log (Support -> RequestLog) - These logs can be checked to see what request were made and by which users etc., not as detailed as the xml logs mentioned under "Logs found on the server".
#*NEOSYS logs (Support -> Log) - Log of alerts sent out via email, e.g. backup email, login failure, etc.
#*What's New report (Help -> What's new in NEOSYS) - Contains a list of all the features added in NEOSYS
#*List of Database processes (Support -> List of Database Processes) - Status of processes windows running on the server.
#*List of documents in use (Support -> List of Documents in Use) - Currently used documents.
#*User details page (Help -> User Details) - To check logins and IPs and password reset details.
#*Version logs of files - The history of edits made to files in NEOSYS. This is available at the bottom of files in NEOSYS (e.g. Schedule file, Voucher file, etc.)
#*Usage Statistics (Support -> Usage Statistics) - Shows no. of requests made per user, per department, per database, per hour etc.
#Logs found on the server:
#*Xml logs - These logs can be checked to see what request were made and by which users etc. in detail.
#*Process logs (.LOG files) - These log files contain entries showing start of database backup, and process startup logs.
#*Process windows - Check process windows on the server for error messages or anything unusual, e.g. hung processes.
#*Procexp (Process Explorer)- Used to check ntvdm processes running for specific installations (useful on servers with multiple installations).
#*System logs (Event viewer) - Used to check for unusual system events, eg: unexpected shutdown.
#*Task manager - Checked to monitor CPU usage, NTVDM running etc.
#NAGIOS - Monitors the status of all hosts and services.

==Handling Cheques from Clients==

NEOSYS staff are not to accept deliveries from clients that might be cheques without prior instructions to accept the same. They can ask courier to wait a few minutes until NEOSYS accounts or management agrees but they may not be immediately available and probably will not agree anyway. If accounts or management is not immediate available, then cheque MUST not in any circumstances be accepted, otherwise client can cause problems in our accounts and we waste time visiting the bank to deposit.

NEOSYS payment terms do not accept cheques although clients are free to deposit cheques by themselves.

== Client Password Policy ==
All client user passwords, including their initial one, are to be obtained via the user's email address using the password reminder/reset button on the login screen. [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#What_is_NEOSYS_password_policy.3F (NEOSYS password policy)]

NEOSYS staff should never know users passwords therefore NEOSYS will not obtain and grant user passwords. The reason for this is that in the event that users lose their passwords to other people who then login unauthorised then suspicion could fall on the NEOSYS staff who know their password.

All parties concerned, including client management, client users and NEOSYS support staff, benefit greatly from trusting that if something in a NEOSYS database is registered as having been done by a particular user then it was not in fact somehow done by NEOSYS support staff. Nothing should be done that would break such fundamental trust. To achieve this, NEOSYS support staff must never log in as particular users, never ask for users passwords and generally enforce the idea that all work logged as being done by users IS done by users.

Very limited amounts of work by NEOSYS support staff either in person or remotely using teamviewer is acceptable while a user is logged as long as the user login was performed by the user themselves, the user is present and the user specifically agrees with the work being done.

=== Support requests from ordinary client users ===
Any support requests concerning inability to obtain passwords will be forwarded to known skilled users on the client staff since this is the most efficient (not fastest) way to handle such issues.

=== Support requests from senior client management ===
Any support requests concerning inability to obtain passwords by senior client management users shall be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bearing in mind that NEOSYS staff should never know user's passwords this will probably involve NEOSYS staff using the Password Reminder/Reset button to send a new password to the user.

=== User Defined Passwords ===
NEOSYS will provide user defined passwords in very special cases which must be pre-approved case by case by NEOSYS management. NEOSYS will not approve this due to the reasons mentioned [[Procedures#Client_Password_Policy|here]].

If the user login gets blocked due to multiple login failures and the user requests support team to reset the password to the user defined password again, support MUST delay the response to this request by at least 1 hour in order to force the user to be more careful when typing the password.

Currently permission for user defined password has only been granted to one NEOSYS client with several hundreds of databases.

== Handling client issues and requests==

All support issues must be dealt with through phone/email/chat. Support Staff can schedule client visits for User Training but should not schedule client visits solely for providing support for petty issues.

ALL Support staff should check all the previous day's inbound emails for reply flags once in the morning. All Support staff will therefore be held responsible for any unreplied inbound email.

Support MUST NOT waste time and delay support by investigating issues WITHOUT SUFFICIENT INFORMATION.

Support must NOT get involved in any discussion about any document that is not directly out of NEOSYS, so that Support is able to reproduce it from NEOSYS screenshots of screen options that the client used.

Support should look for similar issues when solving a particular problem to avoid similar issues in future. This saves the time and energy of Support as well as the Client.

When sending screenshots to clients, support team should economise on space by minimising to the minimum that will show the problem clearly. This is because not every user will be viewing their emails on large wide screens like NEOSYS support team. Browser windows reformat their contents to suit the width available so this is particularly effective in most NEOSYS screens.

Support team MUST be cautious while sending screenshots so that no private/unnecessary information is sent to Client. If you cannot avoid taking the screenshot without unnecessary information then you should hide it in the screenshot.

Support team MUST learn not to do silly support for people, because we have an OPEN SUPPORT policy, which some users WILL try to abuse based on either poor understanding or lack of respect.
Either way support MUST learn to deal with abuse of privileges as it will save a lot of time, which could be spent on more important issues.

{{SensitiveSecurity }}

=== Handling new emails in Support inbox===
Support MUST spend up to 5 minutes on new emails and send a quick reply to the client, to acknowledge the request or give a quick solution in case it is a petty issue or has a documented solution in wiki.

Client issues/requests should be prioritized, interrupting existing work and not wait for one hour and be dealt with quickly.

For routine service requests where there is a reasonable expectation of delay by the client, Support need not send a rapid reply but must keep the email starred in Support inbox to indicate that it is pending or being worked on.

=== Handling starred emails in Support inbox ===

When an email is received in Support inbox,
*if the email can be replied to immediately, then mark it as read after you have replied to the email.
*if the issue cannot be resolved immediately, then the email MUST be starred so that support does not forget to work on it. Once the issue has been resolved, Support should send an email to Support inbox confirming that the issue is closed. Only then should the email be unstarred.

No issue should be silently dropped without being fully resolved.

=== Handling client-sensitive information in emails ===

Support should avoid including information that could be sensitive to clients e.g. screenshots of reports that should only be viewed by client's upper management.

This can be done simply by clever cropping of images or blurring out of information in cases where cropping is not possible.

Support MUST not delay response to any client by wasting time blurring or cropping out information that is not sensitive to clients, e.g. blurring out the URL and tabs in browsers etc.

=== Handling client call back requests===

Clients who ask us to call them should be given our phone number and asked to call us unless there is some GOOD reason why we should make the effort and pay phone charges.

=== Handling login failure issues===

Users often get login failure issues due to typing wrong password and they simply won't read and act according to the error message they get. In this case, Support must send the below email to the user.

<pre>
Dear XYZ,

If you have trouble resetting password, please ask for assistance from your manager/IT Manager/Timesheet Administrator/NEOSYS-expert colleague.

Regards,
NEOSYS Support
</pre>

Local support users (TA or IT manager etc) have the LS key using which they can see the User Details page of all users. They should check all the information (usercode, registered email id, last login attempts etc) in the User Details page to find out what is the issue.

This procedure will reduce the endless mails sent back and forth to solve petty issues which could easily be solved by the client's local support.

=== Handling requests or demands for "URGENT" or "PRIORITY" support ===

Any request for prioritised action *without giving any reason for the prioritisation* should be disregarded and the request handled with normal priority. If a reason is given then you may at your discretion prioritise a response but there is no obligation to do so.

=== Handling users who login with other people's NEOSYS usercodes ===
This can cause a lot of confusion in both the client and NEOSYS support. It may also indicate that the correct NEOSYS monthly licensing fee is not being paid. There is no valid reason for anonymous logins or sharing logins between multiple users.

Therefore if NEOSYS support team get requests for support about using NEOSYS from users who are not registered properly in NEOSYS with an personally identifiable user code, name and email then the following email should be sent cc admin@neosys.com.

No exception should be granted to clients without NEOSYS management approval.

<pre>
Dear NEOSYSUSER,

Please note that in order to receive support from NEOSYS you must personally have an identifiable user code, name and email address registered
in NEOSYS.

We can create new user account for you with your management approval. This may or may not have an impact on the NEOSYS monthly licensing fee
depending on the agreement in force.

Please let us know what you would like us to do.

Best Regards,
NEOSYS Support
</pre>

=== Handling support requests from expired users ===

If expired users call for any reason including not being able to login, they must not be given any support. They should only be told that their account is expired without any reason being offered because employers sometimes do not want any information at all being passed to expired users.

===Handling support request from senior management===

Any support requests from senior client management users concerning report generations should be handled directly by NEOSYS support staff in any way convenient to resolve the issue in the quickest possible time rather than the most efficient.

Bear in mind that NEOSYS staff should not agree or offer to do client work. Support staff can advise senior management to contact a skilled user to help them with basic NEOSYS reporting. Support staff can also send screenshots of step by step procedure on how to take reports. Depending on the situation and reasons provided by senior management, support staff can at their discretion provide reports but after informing them that this is an exception and no more reports will be sent out as this is against NEOSYS procedures.

===Handling requests that involve updating NEOSYS configuration files===

Changes to any configuration file in NEOSYS MUST be performed only by NEOSYS support, because even the slightest misconfiguration of the system may cause unrecoverable errors and NEOSYS is responsible for support.

=== Handling emails with unrelated subject line ===
At times, clients forward old emails, with new issues, resulting in completely unrelated subject line. In such situations, support MUST follow the below steps to ensure that unrelated emails do not appear in the same conversation group when viewing emails in conversation mode:
#Right click the email -> HeaderToolsLite -> Edit full source
#Modify the text that appears after "Message-ID: <". (e.g. replace the first few characters with "xxxxxxxxx")
#Remove all texts that appear after "References:" and "In-Reply-To:" and click OK.
#Click Reply All on the modified email.
#Change the subject to a relevant one.
#Delete old unrelated content from the email body.

In the email reply, include a comment like "PS Please don't forward old emails for new issues, start a new email with a new subject so that emails can be traced easily."

Sometimes the client does not bother putting the correct subject line for new issues (e.g. blank subject, or "Error"). Then support should add a meaningful subject line in order to make the email easy to search for.

=== Handling emails with poor screenshots ===
Sometimes Thunderbird shows full sized screenshots in a compact format that is not easy to read. These can be resized to make them more legible. To do this, make the email editable by hitting the "Reply" button, then click and drag to resize the screenshot as desired.

If the screenshot sent by the user is genuinely small and hard to read, reply to the mail and request for a full size, clear screenshot.

=== Handling support-request emails sent to anywhere than support@neosys.com ===
Client emails anywhere than support@neosys.com MUST be ignored. This is because ALL support must be recorded in support inbox without exception so that the whole support team is aware of the issue and action taken. If client complains about the delay in support then they can be told this is because they used the wrong email address.

=== Handling users who do not act upon standard messages ===
When users do not bother to read and act on standard NEOSYS-generated messages and instead ask for help, Support staff MUST delay response time and thereafter send them an email which is the same as the message so they get the point that in future they should read the messages and handle issues themselves.

=== Handling Requests to do Client work ===
NEOSYS Support staff must not agree or offer to do work on behalf of the client.

This is because doing client work while logged in as NEOSYS breaks security rules. Support uses the NEOSYS username which has unrestricted access, so when a user requests Support to do some work which they don’t have access to, and if Support agrees to do the work, the client has successfully defeated the security rules by accessing features that they are unauthorised to access.

If a client makes a false claim about an issue in NEOSYS, i.e. if Support finds out that there is no real issue, then direct the client in the right direction so that they find out their mistake by themselves. Support MUST NOT show/explain the problem to them in detail, since you are just doing their work for them by explaining the problem and this will encourage the client to contact support for every petty issue they face.

Client work also includes [[Procedures#Handling_issues_with_totals_on_reports|Handling issues with totals on reports]].

====Requests for colour and font changes====

Support should not be spending lots of time on colour and font changes. Clients can make as many changes as they want until they are happy with a selection. Clients MUST send a screenshot of their required color/font settings (not sample screen/reports) for Support to copy and setup for all users. If Support sees them doing something bad or poor then give comments or better suggestions.

=== Handling Requests that require Approval from Higher Authority ===

The following is a list of user requests that must be handled by NEOSYS support staff only if they are approved by or come from a higher authority (manager/admin). The LIST is '''NOT''' a complete list so there may be other things which might require approval so use good judgement and/or ASK if in doubt.

*Opening new financial year
*Adding new company/dataset
*Editing alert/backup email receiver addresses
*Customising Authorisation File ({{SensitiveSecurity }})
**Adding or removing accesses for existing users in Authorisation file
**[[Procedures#Handling_new_USER_creation| Adding new user(s) to Authorisation file]]
**Expiring a user
**[[Procedures#For_HTTPS_access| Allowing HTTPS/outside office access from any IP number]]

If an unauthorized user sends one of these requests to support staff, support staff must immediately instruct the user to get the request approved by the higher authority.

===Handling User Requests to add an IP or range of IPs to access NEOSYS===

Support staff must identify if the IP or range of IPs is for http or https access.
{{SensitiveSecurity }}

====For HTTP access====
Support staff can add local IP or range of local IPs when requested by the client. Top management approval is not needed to add local IP numbers. Listed below are the IP address ranges reserved for local network.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

====For HTTPS access====
Any request for https access from any IP address or range of IP addresses (eg. 123.456.* or just *), or in other words any use of an asterisk in the IP restrictions, MUST have TOP management i.e. the company's decision makers approval. The Staff and their Managers are not the best decision makers in this affair because they usually ignore the risks and it is not really their decision. Security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc can be triggered if access from any IP is enabled. It is completely pointless to inform the staff who want the access about these risks because only their top managers could really decide that this is NOT going to be allowed. Hence the Top Management MUST be asked for approvals and at the same time WARN them about the security risks/threats behind the no IP restrictions.

=====For clients with static IP=====
Any request to add a specific IP address to the list of allowed IP addresses MUST have management approval.

=====For clients with dynamic IP=====
For clients with dynamic IP, support MUST NOT add their public IP to the allowed list as this will encourage the client to again request for access from new IP numbers every time their public IP changes. Instead, support MUST force the client to either get a static IP, install VPN or get the Top Management i.e. the company's decision maker's approval to enable access from any IP after explaining the security risks in doing so, as mentioned above.

Support MUST also mention that installation of VPN by the Company is the industry standard way of providing access to mobile staff (i.e. those on dynamic IP numbers from home or travelling) to corporate software assets like NEOSYS IN A SECURE MANNER. Installation of VPN is to be done by their own IT support. Refer to [[Procedures#Using_VPN_to_enable_secure_access_from_outside_the_office|Using VPN to enable secure access from outside the office]]

Sample Email addressed to Top Management:
<pre>
Dear XXX,

I do not recommend allowing access from all IPs because security threats like access of data by unauthorized persons or ex-employees, malicious hacking attempts etc. can be triggered if access from any IP is enabled.

I strongly recommend that you keep IP restrictions for XYZ dataset.

If you want to provide access to mobile staff (i.e. those on dynamic IP numbers from home or travelling) to corporate software assets like NEOSYS IN A SECURE MANNER, then installation of VPN is the industry standard of achieving this. Installation of VPN is to be done by your own IT support.

If you still wish to allow access from all IPs, kindly confirm that you acknowledge the security threats of doing so.

</pre>

=== Handling repeated request to allow users to access from all IPs ===

{{SensitiveSecurity }}

If the client wants temporary access from outside for some staff twice in say a six months period then support should send the below email. The real reason is because we don't have the time to be doing this on a regular basis. If at all the client asks why we no longer support the provision of temporary outside access then we can say this is because of the frequency of such requests.

Dear XXX

We have given you temporary outside access this time, as requested. Please note that we can no longer support the provision of temporary outside access. So in the future, you will have to choose between either permanent or no outside access. Alternatively, you can ask your management to install a VPN (which is the industry standard of achieving outside access to a corporate asset in a secure manner), so that you can log in to NEOSYS from outside.

=== Handling requests to create a new feature or modifying existing features ===

Many issues are small and not important but can still be considered for development because they may be easy and neatly added to NEOSYS. The aim here is to avoid development on hard issues for little benefit, or little issues that make NEOSYS more complex for little benefit.

When a client requests to create a new feature or modify an existing feature, a workaround must be given to the user, which is either a permanent solution, for example if the issue is a rare case and not commonly faced by other clients (and the workaround is acceptable to the client), or a temporary solution until some better solution is discovered or can be developed.

Support MUST check all options on all pages to look for any already existing solution or workaround to the problem before emailing the programmer.

Any request to create a new feature or modify an existing feature MUST be discussed with other clients before forwarding it to the programmer because the other clients might not be comfortable with the change as it may not be in accordance with their workflow. If other clients agree to the proposed change then support should go ahead and request the programmer to implement it.

Therefore before escalating a request to the programmer to modify a feature in NEOSYS, the approval for the same from other clients must be taken into account.

Any request to fix or modify a feature in NEOSYS must be accompanied with good reason and some basic considerations, so that the programmer knows what level of priority it can be dealt with.

When escalating the request to the programmer, support MUST avoid using "Is it possible..?" because the obvious answer to that is "Anything is possible" and because this question is only a way to avoid doing the real work of deciding whether the new feature/modification should be implemented.

=== Handling requests to add more fields to List of Invoices reports ===

Many users may ask for the List of Invoices report to be expanded to show a zillion other things, but this makes it NOT a list of invoices. Therefore other break-downs MUST be obtained from other reports in NEOSYS.

=== Updating Clients about unresolved issues ===
Support should proactively inform clients if an issue is not solved within the same day it was raised, after judging the urgency of the issue and the time it was raised. An email to the client who raised the issue, before the end of each day, is a best practice that keeps the client updated and other support staff too. This email should be sent regardless of the degree to which the issue has been resolved or if the issue is unresolved. If the issue is unresolved, the email should explain why and also explain the cause of delay.

=== Handling new USER creation ===
====Get Approval====
Support staff should create new USERS for clients ONLY when requested by an authorised person. If the authorised person is unavailable, for example on leave, then get approval from someone who is in the backup mail list.

Ideally only people who are users in NEOSYS and have authority over some task can grant or request authority to do that task to other NEOSYS users. However, if this is not the case and the requesting person has some seniority in the company (but is either not a NEOSYS user, or is not actually currently authorised to perform the task themselves) you may decide that it is not wise to proceed without some confirmation. In such a case be very respectful of their position while rejecting any request perhaps stating something like:

"Currently we have instructions to take instructions concerning authorisation only from xxx, yyy and zzz. Please could this request be confirmed by one of them?" Rewrite this judiciously to suit the occasion.

Consider that different sections of a company may have different chain of commands. For example one should not assume that a Sales Director has authority over Finance unless there is firm evidence. If there is any doubt consult NEOSYS Support Managers.

Support MUST NOT directly contact the authorised person asking for approval/confirmation because that is client work.

Clients should not be discouraged to create new users. Clients are billed as per user usage which is reviewed periodically. Over time old USERS are replaced with new USERS.

====Creating User====
Preliminary:

New user requirements :-
*Full name - (like John Smith and not generic name like Copy Writer)
*Email address - (like johnsmith@example.com and not generic address like copywriter@example.com)
*Group level / User with similar authorisation

The USER code is the first name of a user.

1. Support MUST only create NEOSYS accounts with real names and email addresses WITH NO EXCEPTIONS unless agreed by NEOSYS management.

It is acceptable, although inefficient, for one person to have multiple user accounts either concurrently or sequentially, but the opposite MUST never occur.
One NEOSYS user code/account MUST never have more than one real person associated with it neither concurrently nor sequentially.
In order to maintain efficiency, various fleeting temptations to cut corners and break the ONE TO ONE link between NEOSYS users accounts and real people MUST be resisted.
These principle remain mandatory even when pressure is exerted by people, even senior management, who may not appreciate the issues involved.
The fact that NEOSYS support does not know for certain who is the real person using an NEOSYS account does not change these principles.

2. Support MUST not create GENERIC user codes like AUDITOR or MANAGEMENT (even to grant special access to such users like read-only access) as this breaks all security rules.
Do not re-use user codes. Always create NEW user codes for NEW users.

3. Support MUST not create or modify any usable NEOSYS account that is or has been used by more than one user.

4. Support is responsible to maintain the system in good working order and not knowing who is really doing the work in the system can make support harder.

5. Support MUST not collude with clients to by-pass the principles. If asked to do so Support MUST refuse to create or update such accounts.

6. Do not hand over user codes from one person to another in a mistaken attempt to represent a hand over to a replacement. EXPIRE THE OLD USER CODE/ACCOUNT AND CREATE A NEW USER CODE/ACCOUNT.

{{SensitiveSecurity }}

7. Support team MUST NOT discuss billings with clients unless authorised to do so. Also see [[Procedures#Discussing_Pricing|Discussing Pricing]]

8. Support team MUST NOT proceed with creating new users until the group level or existing user with similar authorisation has been clearly provided by the client, otherwise the new user may end up with more than the required authorisation, which can lead to problems in future.

====After Creating New User====

Support MUST send an email to the person who requested the creation of new user, confirming that the new user has been created along with a screenshot of that part of the authorisation table where the new user was created so that the new user's user code and email id is visible. This is done so that in case there is some error in the user code or email id, it is easily visible in the screenshot and also so that the person who requested the creation of the new user is informed about the user code of the new user.

=== Handling letterhead change requests ===

Support staff should reject any requests that require the letterhead to be setup on the TESTING dataset before it is setup in the MAIN dataset.This is to reduce double work for support staff and to ensure that clients have a clear understanding of their requirements and also send the correct logo image.
The MAIN dataset can be copied to the TEST dataset for any kind of testing.

See [http://userwiki.neosys.com/index.php/Configuring_Letterhead#Changing_the_letterhead_for_printed_documents How to change letterhead]

=== Handling error messages ===

'''Important:''' Before Attempting to resolve client issues, please ensure that we have secure access to the NEOSYS server.

#The very first step is understanding client problem. Ask questions to the client until you CLEARLY understand the problem.
#If the error is familiar and does not require a screenshot, resolve the problem immediately.
#If the error is unfamiliar and/or requires a screenshot and the user has not sent a screenshot, IMMEDIATELY ask the user to send a screenshot of the problem, along with the options used (basically you need to know HOW to replicate the error and the screenshot MUST show WHAT the error is).
#If the user says "nothing happens, so no screenshot of the error", then IMMEDIATELY request for screenshots again with the exact steps to reproduce the problem using mouse and keyboard.
#Support team MUST NOT provide support without a screenshot, otherwise the client will not pay attention to support team in future and ignore requests for screenshots.
#Upon receipt of the error and steps to reproduce the error, follow the steps and reproduce the error. Also refer to [[Procedures#Addressing_Browser_related_issues|Addressing Browser related issues]]
#If the issue is unknown or you don’t understand it clearly, with the users acknowledgement use remote support to gain access to the users desktop to view how to replicate the error.
{{Handling errors}}

====Understanding Internal error messages====

Internal errors messages appear in red on screen and an email which is sent to support with more details. (Example below)

[[image:Rawformdatapng.png]]

The "ERROR NO:" line is comprised of the error number (B16), the program (MARGIN_BASE) and the line number (1). Sometimes the line number is wrong, refer to section "Misleading line numbers in error messages" below for more info.

The "STACK:" line lists the "parent" calling programs "SYSMSG,LISTEN" used to trace how and where the error originates.

The "DATA:" is a string of characters that is used to recreate the options used by the client in order to replicate the error message. See how to [[Troubleshooting_NEOSYS_Generally#Replicate_options_used_.26_error_using_sysmsg_Data: | replicate the error with the options used, using internal error email]]

==== Misleading line numbers in error messages ====

Many small NEOSYS utility programs are compiled to run faster than usual programs and will not report the correct line on errors like Variable Not Assigned.

To get the actual line number, compile as usual. ie without the (CL) options mentioned below, and regenerate the error.

Note that most of these programs should have a source line "linemark" or "*linemark" in them somewhere near the top. When single stepping in the debugger, the program will break on this line and this line alone.

To compile a GBP program DATE for speed use something like the following:

COMPILE GBP DATE (CL)

*"L" means compile without line numbers. This makes them run faster, which is important for utility programs that are called extremely frequently eg for date or number input/output conversion.
*"C" means do not generate a symbol table in GBP $GETPERIOD. It makes no difference whether you do or do not.

=== Addressing Browser related issues ===

When resolving random browsing issues that seem to be on one user computer only, support MUST send the below email asking the user to check if the same issue occurs on other user computers. Rapidly convincing the user that the problem is only on their computer gains their willingness to sort the problem out at their end, using IT people if necessary and available.

Handling random issues that appear to be on one computer is very very common and it is important to deal with it effectively, not requiring stages of "denial" by the users until they accept something has to be done at their end, and not by NEOSYS. Speeding up this process gains the confidence and appreciation of the users.

<pre>Hi xxxx

Is this error happening only on your computer? If that is the case, it may be due to an issue in your browser cache. Please clear your browser cache with assistance from your IT team if required. Then restart the browser and try again.

If clearing browser cache does not fix the issue, I recommend a full browser reset to ensure that everything works fine.

Follow these instructions for clearing browser cache and resetting browser:
http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers

Please let us know if you face the issue again.</pre>

Also refer to [[Procedures#Handling_Browser_related_issues_in_NEOSYS| Handling Browser related issues]]

=== Addressing Technical support emails ===

In the case of technical support issues, address emails to the IT person and cc the complete group of recipients of backup emails and other NEOSYS alert emails. This allows both NEOSYS and client IT staff to take credit for resolving issues that NEOSYS raises instead of working in the background unacknowledged.

Technical support issues include backup failure, server failure, missing alert email, server connectivity issues and port forwarding issues and many other issues.

For technical issues like browser configuration, clear cache, etc. support must send the user a link to the appropriate wiki article to help the user fix the problem. In some cases the user may be helpless and unable to follow the steps to fix the problem. In such cases, support MUST NOT waste time trying to help the user fix the problem, instead support MUST ask the user to get help from the IT person.

=== Acceptable report format when handling issues in NEOSYS reports ===

NEOSYS Support must only resolve issues in NEOSYS output first. This is because only NEOSYS outputs can be trusted and user versions in Excel or PDF could be copied wrongly or edited by the user.

In case users send reports in excel or other formats, get them to send the original NEOSYS HTML report as an attachment or copy-pasted in email.

=== Handling requests to create new charts or control accounts===

[http://userwiki.neosys.com/index.php/Setting_up_and_Configuring_NEOSYS_Finance_System#Creating_New_Charts_or_Control_Accounts Refer here]

=== Handling issues with totals on reports ===

If a client has a problem with any total output by NEOSYS software then NEOSYS support will advise them which other NEOSYS report or reports provide a complete breakdown of the total (if necessary, to individual transactions) and ask the client to locate any offending transactions themselves.

NEOSYS support staff will handle any issues where the total on the breakdown report does not add up to the total on the summary report.

Reconciling totals can be hard if there are many transactions involved. Regardless of how hard it may be, reconciliation is an operational task for users not for support staff since NEOSYS support staff will not get involved in understanding client transactions or data.

==== Trial Balance and Financial Statements ====

NEOSYS support staff do not have to prove or trace any figures in NEOSYS Trial Balance Reports or any financial reports. If a figure is stated to be wrong by the user, then NEOSYS support staff should ask for proof or say NEOSYS is confident that the figures are correct unless proved otherwise.

NEOSYS support staff should point out reports in NEOSYS which will support the figures in question but not actually run the reports. Support staff can suggest the users to refer to detailed ledger accounts to prove balances.

== Using VPN to enable secure access from outside the office ==
There are two ways in which a user can use VPN:
*User connects to the their office router and makes the PC act like it is on the office LAN.
*User connects to a VPN service that provides a static IP number and can therefore be authorised by NEOSYS to login.

If the client intends to use VPN to connect to their office router and make the PC act like it is on the office LAN, then it depends on what VPN protocols the client's office router supports.

The alternative is to use a paid VPN service that provides a static IP number. Getting a dynamic IP number on VPN is very cheap and there are many suppliers, but getting a static IP number on VPN services seems to be more expensive.

Internally in NEOSYS we use PFSENSE routers which support OPENVPN which is extremely flexible.

==Handling issues with Office PBX phones==

Support should check their respective Office PBX phones every morning to find out if the phone is up and working. In case Support finds any issue with their phone, immediately fix it so that clients do not lose contact with the Support team via phone. Next send an email to Support inbox mentioning the fault, cause and solution for records/future prevention.

== Running undocumented commands on Maintenance mode==

Support Staff MUST NOT run undocumented commands on ***LIVE*** database. Some commands are not documented for a reason, it could be because the commands might give an undesired output or because there is no clarity on what else could be effected by the command.

Even if the command is tested in TESTING database and the output looks okay, support staff MUST get the programmer's approval before going ahead and running the command in LIVE database as there is no guaranty that the command is properly programmed and will do no damage.

==Configuring Browsers to show Javascript errors in NEOSYS==
NEOSYS Support MUST ensure the following Settings for browsers because if NEOSYS generates any javascript error message, the same would appear in the bottom left corner of a window, which in turn helps the programmer to fix the error. This must be done after every Factory Reset.

===Internet Explorer===
Tools > Internet Options > Advanced > Browsing - the items Disable script debugging (Internet Explorer) and Disable script debugging (Other) are '''UNTICKED'''.

===Chrome===
Chrome Menu > More Tools > Extensions > Get More Extensions, search for '''Javascript Errors Notifier'''. Add the extension to Chrome.

[[image:Chrome.png]]

[[image:Chrome1.png]]
===Firefox===
Firebug add-on is used to NOTIFY about script errors because we have no other method to get any warning on screen but you should use the main firefox developer tools to investigate any errors as firebug is essentially replaced by built in developer tools.

For developer tools, go to Tools > Web Console

To enable notifications for script errors, download the add-on Firebug from [https://addons.mozilla.org/en-US/firefox/addon/firebug/ here]. When a Javascript error is encountered, the firebug icon will report the number of errors.

Set your firebug as per the second screen shot and select "Enable All Panels" as well, the tick will not appear like the other options but the option will get selected. If you miss out on any one of these steps, you will not be able to capture script errors.

[[file:firebug1.jpg|1200px]]

[[File:Firebug.png]]

==Handling Browser related issues in NEOSYS==
See [http://techwiki.neosys.com/index.php/Technical_/_Hardware_requirements#NEOSYS_Software_Browser_and_OS_Requirements NEOSYS browser requirements]

Clients frequently ask [http://userwiki.neosys.com/index.php/General_FAQ#Why_doesnt_NEOSYS_support_my_XYZ_browser.3F Why NEOSYS doesn't support other browsers]

To avoid browser errors, all new users must follow the steps given in [http://userwiki.neosys.com/index.php/Using_NEOSYS_Generally#Getting_started_with_NEOSYS Getting started with NEOSYS] before logging in to NEOSYS for the first time.

To troubleshoot browser related errors see [http://userwiki.neosys.com/index.php/Troubleshooting_NEOSYS_Generally#Troubleshooting_Web_Browsers Troubleshooting Web Browsers]

Users must clear browser cache after every NEOSYS Upgrade to avoid errors. See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS#Sample_email_to_be_sent_to_clients_who_face_issues_due_to_failure_in_clearing_browser_cache Sample email to clients who face issues due to failure in clearing browser cache]

Pop-up blockers and any 3rd party toolbars must be deactivated/switched off or else certain pages and alert messages while using NEOSYS do not appear as a result of blocking from either the pop-up blocker or toolbars with built-in pop-up blockers.

NEOSYS support must ask users to Reset browser (See [http://userwiki.neosys.com/index.php/Reset_Browser Reset browser]) if they notice any user browsers which have pop-up blockers or 3rd party toolbars installed.

Also refer to [[Procedures#Addressing_Browser_related_issues| Addressing Browser related issues]]

== Handling NEOSYS Upgrade==
See [http://techwiki.neosys.com/index.php/Upgrading_NEOSYS Upgrading NEOSYS]

==Handling auto-reply emails like Out of Office etc.==

From 28th May 2017 version, emails sent out by the NEOSYS system now contain headers that in effect request recipient email systems not to auto-reply for things like Out of Office. This is to reduce unnecessary chatter by silencing unnecessary automatic replies. There is no guarantee that recipient email systems will comply. The headers added are:
*X-Auto-Response-Suppress: RN, NRN, OOF
*Precedence: bulk

Support team should notify SB of any auto-responses that come despite their installation being patched.

In NEOSYS versions after 10th Jun 2017, emails sent by NEOSYS from the NEOSYS Help menu, i.e. manually triggered emails, do NOT indicate that OOF replies are not wanted, since if you are sending emails to people using NEOSYS, you will want to know if they are OOF.

== Using Support Tools ==
=== Website Live Support ===
www.neosys.com is equipped with a Live Support software and clients can visit the website, click on this link and chat with any of our support staff, without the need for any installation. The client has to fill in their name and enter their questions to connect to an available support personnel. During non-working hours, the Live Support icon on the website automatically displays "offline".

NEOSYS Support personnel who are authorised to provide such support, need to login to Live helper chat in Firefox using the link given below:

http://neosys.com/lhc_neosys/index.php/site_admin/

Support personnel should enter the account details as provided by their Manager.

Enable notifications for Live helper chat so that whenever there is a visitor trying to contact Support team, the Support personnel will get the notifications on his screen.

Set the Live helper chat login page as your home page in Firefox and this page must be kept open for the whole duration of working hours.

Support must always be alert and immediately reply to messages from visitors.

Use the link below to enable notifications:

http://neosys.com/lhc_neosys/index.php/site_admin/chat/listchatconfig

After setting up Live helper chat if you sign in to a new profile in Firefox, you might have to re enable the notifications after your Firefox is synced to the new profile.

=== Teamviewer ===
Since Teamviewer allows no restriction on access once a fixed pass is installed, Support must not install fixed pass on teamviewer however convenient it might be.

RULE: NO FIXED PASS TO BE INSTALLED ON TEAMVIEWER IN ANY NEOSYS OR NEOSYS CLIENT COMPUTER

Running teamviewer live from a web link is fine because it does not allow installation of a permanent password

For certain tasks that require temporary install of Teamviewer on the client servers (e.g. upgrading Cygwin remotely), use Teamviewer 7 on the server as well as Support staff computer. Contact NEOSYS IT for commercial license of Teamviewer 7. Teamviewer MUST be uninstalled after usage, otherwise it creates an additional unnecessary security risk.

To support client users who use the latest version of Teamviewer, support staff must also install the latest Teamviewer version available alongside Teamviewer 7.

== Documenting Processes in Wiki ==
NEOSYS Support staff must be in continual learning mode. This is mandatory for support staff and is not an option. Support must read, learn and understand everything in the support emails and ask questions if they don't understand. This understanding must be transferred into wiki in the form of new articles and improvements to existing articles.

For all articles related to formatting and editing in Wiki, see [http://itwiki.neosys.com/index.php/Documenting_NEOSYS_systems Documenting NEOSYS systems]

===Avoiding duplication of text in wiki===

Duplication of text in wiki is to be avoided almost at any cost. Duplication has the problem that when one copy is changed or improved in future then it is highly likely the editor will fail to update the other copy or copies and wiki will over time become an inconsistent mess.

There are several ways to avoid duplication:

#Two or more procedures which have significant areas of duplication can be rewritten as a single procedure with alternatives in the middle of the procedure
#Wiki Templates- Templates reproduce the same text in all places and editing one place edits all places. See [[How to create templates in wiki]]
#Wiki links- Only put the text in one place and put links to that in all the other places that it is appropriate.
#Place a note in all copies something to the effect that "This is similar to x, y and z". This alerts any future editor of all other places in wiki that might also have to be updated.

Future modifications in one place may or may not be appropriate to other places. The editor must decide whether to change one or all places

===Highlighting information in wiki===

To highlight particular instructions or info in wiki do NOT invent new styles which are not the way the rest of wiki is done. Instead, follow the USUAL STYLE or open a DISCUSSION with any recommendations you have BEFORE USING THEM.

Instead of using various kinds of highlighting styles like bolding and words like "Note:", use the following words IN CAPITALS especially the word MUST.

The use of the following words IN CAPITALS indicates that you are using them in a special way with formally defined meaning as explained below. Use of the words in lower case indicates that you are using the word in an ordinary commonsense meaning.

*MAY - means optional
*SHOULD - means recommended and you need GOOD reason (not just any weak excuse) to not follow to follow this recommendation
*MUST - mandatory

Only in the rare cases where the consequences of doing or not doing something are irreversible or take a lot of work to reverse then you can use your own additional highlighting methods, eg ALL CAPS, stars, color red etc.

==== Explain WHY ====

Any sentence which uses the word "MUST" in capitals, MUST be followed by a SPECIFIC REASON explaining exactly why is the instruction is mandatory; the reason MUST not be vague and non-specific meaning no more than "or bad things will happen".

WRONG way: You MUST also delete ads if deleting schedules.

WRONG way: You MUST also delete ads if deleting schedules otherwise it will cause problems in future.

CORRECT way: You MUST also delete ads if deleting schedules otherwise the deleted schedules' ads will still show in all media-diary like reports and screens

The Wrong way above gives a general reason "it will cause problems in future" which is vague and a reader may even go ahead and ignore "MUST" because there is no objective or proper side effect mentioned for not following the MUST statement. Basically he doesn't understand the point behind following a certain rule.

Whereas the Correct way gives a SPECIFIC reason for "deleting ads while deleting schedules", so reader will exactly know the trouble that will be caused if ads are not deleted. Therefore "SPECIFIC REASON" behind using the word MUST must be to the point and very informative.

==== Why explain WHY ====
The information contained in the WHY phrase is often '''extremely informative''' to the reader about things that you may otherwise not have considered saying.

The most valuable information is usually contained in the "WHY" of something. There is an apocryphal story of a company where managers could be fired if they gave instructions to their staff without providing explanation. In almost all cases it is better for the efficiency of a team of people that any instructions they follow contain the "WHY" of something. Only in few cases should staff be expected to follow instructions without being well or fully informed.

== Email Retention Policy ==

=== Generally ===

Emails are retained permanently to allow old issues to be discovered in email searches.

=== Account: backups@neosys.com ===

Only the last 365 days of emails to backups@neosys.com are kept in general to reduce the burden on servers and clients due to the heavy number of emails.

For the backups/neosys folder, only 31 days is kept due to the very high numbers of emails ~250/day.

Deletions are configured in and done by a thunderbird client in NEOSYS IT so may not be continuous.

== Use of personal email addresses by NEOSYS support staff ==

NEOSYS support staff MUST NOT use any personal email addresses for NEOSYS business.

The xxxx.neosys@gmail.com addresses that are created by support staff for themselves on joining are also considered personal email addresses and must not be used for NEOSYS business. These email addresses might be linked to NEOSYS wiki accounts but that doesn't matter because wiki is not confidential.

== Accessing NEOSYS accounts on personal devices ==

NEOSYS staff MUST NOT install NEOSYS accounts on skype/dropbox/gmail (or any other external tool) on their personal devices without written permission from NEOSYS management

== Support Staff work-in-progress documents/files ==

Support Staff must not save working files hidden on their computer. Work that is not visible is not work .
Support work should not be done privately and should be shared to all.

ALL personal working files however trivial MUST be stored in Dropbox and MUST NOT be stored anywhere in personal computer (My Documents/Desktop etc.)

The personal encrypted pass file MUST be stored somewhere in personal folder under SB NEOSYS staff in Dropbox. This is because if there is a loss of OS/Computer, it should not lead to loss of access as all the passwords saved in the file will be lost.

== Handling CLIENT/NEOSYS Servers ==

NEOSYS support staff must exercise extreme caution when working on CLIENT and NEOSYS servers. Do not risk making changes without due care and attention to the fact that the consequences of errors can be serious on working production servers.

=== Handling Javascript Files in NEOSYS ===

All the files in NEOSYS installation folder with .JS and .JSE extension are the executable javascript files which startup NEOSYS processes (in a usual DOS window). Their default program is 'Microsoft Windows Based Script Host' (wscript.exe). If a JavaScript file is opened using a notepad, the default program may change to notepad resulting in all NEOSYS processes to open up in a notepad.

Hence be very CAREFUL when accessing a .JS and .JSE file and double check that the default program remains wscript.exe. Refer to [[Troubleshooting_NEOSYS_Generally#Fixing_wrong_default_program_assigned_to_open_a_file_type|Fixing wrong default program assigned to open a file type]] in case this issue comes up.

== Handling "List of Open Ports" reports ==

This email comes to NEOSYS support team once a day showing only those client's servers which appear to have changed what TCP ports are open to the internet since yesterday. It will also come once a week showing all clients servers open ports.

NEOSYS support team should work patiently with client IT staff, over time if necessary, to close all ports that are not absolutely mandatory to be open.

Clients with highly skilled IT staff may have a variety of ports open to various non-NEOSYS servers inside their organisation. In this case, NEOSYS plays little or no role other than getting their confirmation of exactly what ports are acceptable. Any new ports that appear over time should be handled in the same way.

For clients without such staff, NEOSYS is their only real line of defence and since NEOSYS requested opening some ports, we should get all other ports closed by patiently following up until action is taken. Involving management may be the only way to get IT to act.

In particular, port 80 and 443 controlling internal or external routers should be closed. It is NOT acceptable except in HIGH IT EXPERTISE environments that critical routers should be exposed to the internet and they MUST NOT be accessible from the internet because routers that do not have their software updated can be hacked using known defects. Even updated routers can be hacked. Making it easy for client IT staff to access the router configuration from outside is NOT a good enough excuse to break this rule. Professional IT does not allow access to critical routers from the internet.

Likewise, any port 80 (unencrypted web access) and port 3389 (RDP remote desktop) open to the NEOSYS server MUST be closed otherwise logins can be monitored and there is no way to guarantee server security.

Port 23 (Telnet) is an insecure port because it is unencrypted and should never be open for usage. This is standard practice and well known by any network professional. Since the port is unencrypted, attackers can listen in, watch for credentials, inject commands via man-in-the-middle attacks and ultimately perform Remote Code Executions (RCE).

If a port is definitely required and properly approved to be open by client IT support, please let NEOSYS IT (SB) know and it will be put in the "Authorised" column so that ports in the "Questionable" column are all pending action.

The report does not attempt to detect UDP ports since UDP ports can receive information from the internet without responding in any way so there is no way to detect them reliably.

Green color shows ports that have opened since the last report run. Open ports can sometimes not be detected accurately so a port may appear to disappear in one report and reappear in the next report.

=== Why should HTTP port 80 not be open on my router? ===

It is not advisable to expose any HTTP server for any private service on your computer network or router because HTTP is unencrypted and this means that all information regarding that service, including passwords, can be observed by any malware on your LAN and internet connection. This information can then be used to install horrible software on your internal PCs.

What to do?

Use https for any internal services - and advisably on a non-standard port, not the standard https port of 443.

For example, NEOSYS service is exposed as HTTPS (not HTTP) usually on port 4430 - not the standard https port of 443.

Commercial hacking is getting really common with things like FIREBALL and CRYPTOLOCKER causing a lot of damage.

It is advisable to take basic precautions pro-actively before any attack exposes weaknesses.

== Handling Nagios Client Monitoring system ==

NEOSYS support staff on duty MUST follow the procedures outlined below in case the Firefox "imoin" add-on shows critical or warning messages for any service. Failure to schedule appropriate downtime will lead to REDUNDANT EMAIL ALERTS from Nagios every hour.

Any alert on the Firefox "imoin" add-on means that there is an issue that has not been attended to properly, and "attended to" does not always mean solved. Support staff MUST solve the problem immediately if possible.

If it is not possible to solve the problem immediately, then downtime/acknowledge the service and add a comment on the Nagios alert, explaining the problem briefly.

Support should check Nagios frequently during the day to look for any new alerts so that issues are fixed as soon as possible.

* Nagios is required to be checked first thing in the morning and any critical or warning messages need to be dealt with to resolve the same at the earliest.
* Some of the messages could be related to backup failures and the usual procedure as stated in Handling failure and warning messages on nightly backup alerts needs to be followed. In case the backup issue isn't resolved by 9:30 am, the Nagios service needs to be downtimed with an appropriate comment for a minimum of 2 hours and maximum until 1 am next day if the issue cannot be solved.
* In case of "Backup not changed" warning status which occurs if the client has not interchanged the USB before 12 noon on that day, no action is required from the support staff and a downtime with a comment like "Backup media not changed - Emailed client" needs to be scheduled until 1 am next day.
* In case any HTTPS, SSH, PING service or Host is down, immediate action is required and the relevant IT people at the client side needs to be contacted to get this resolved. A downtime of 2 hours with a comment like "Service/host down - Emailed client" is required to be scheduled with further intervals of 2 hours in case this is not resolved. Support staff shouldn't schedule downtime till 1 am next day, just to get rid of the alerts for the day. Proactive follow up with the client is required to get this resolved before the business day - more so, if there is a weekend ahead.
* In case the HTTPS, SSH, PING service or Host goes down during the day, a grace period of 10 minutes is given before the issue is reported to the client IT, in case there is any temporary internet connection issue at the client or along the internet route.
* In case the HTTPS, SSH PING service or Host is down for more than 1 day, client IT should acknowledge the problem and give NEOSYS support staff an approximate time frame before which the issue will be resolved. Set an appropriate downtime with a descriptive comment for such events.
* In case Host is down for more than 2 days and there is no progress with the fix from client IT, the client management should be notified about the seriousness of not having access to server and their acknowledgement is mandatory.

== Handling lack of remote access to NEOSYS server located in client’s premises ==

If access to the NEOSYS server is lost then we must determine the root cause by:
# Checking if the server is UP and running
# If yes, please check internet connectivity on the server
# If there is connectivity, please check the router for connectivity issues

'''Sample Response:'''
<pre>
Dear XYZ,

Please note that we have currently lost access to the NEOSYS server. The server seems to be down at the moment and it seems that
NEOSYS processes are not running on the server.
Kindly check if the server is UP and running. If yes, please check internet connectivity on the server.
Do keep us posted on the server status so we can test connectivity from our side as well.

Best Regards,
</pre>
== New Router (Port Forwarding) ==

If you have changed your router then you may notice that external access to NEOSYS is unavailable.

'''Solution:'''

Setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to the NEOSYS Server as follows:
# Port 19580 > 19580 for SSH
# Port 4430 > 4430 for HTTPS

You can see [http://portforward.com/ Set Up Port Forwarding] to learn how to configure your Router.

To see how to test/ troubleshoot port forwarding settings, go to [[Troubleshooting_NEOSYS_Generally#Troubleshooting_NEOSYS_remote_support_port_forwarding|Troubleshooting Port Forwarding]].

'''Sample Response:'''
<pre>
Dear XYZ,

You are requested to kindly setup a permanent access for NEOSYS by reconfiguring the Router / Firewall for Port Forwarding from Router to
the NEOSYS Server,i.e. port 19580 for SSH and port 4430 for HTTPS.

Once this is complete, kindly send me an email to confirm the same so that we could test connectivity from our end as well.

Best Regards
</pre>
== Creating and Handling passwords ==
=== Creating a password ===
Passwords are generated from a pass phrase and it is important to create a very difficult to guess pass phrase.

Passwords made out of a pass phrase MUST be at least 10 characters since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts.

For example, a good pass phrase would be: '''Today is a good day and it is the best time to go for a holiday'''

The password for this would be '''Tiagd&iitbt2g4ah'''

The important instructions for the above are:
#You have to take the first letter of each word and that makes your password (i.e. by using initials)
#Wherever any word starts with a capital, then you have to take first letter as a capital (eg. For Today you will take T)
#Replace '''and''' with '''&'''
#Replace '''to''' with '''2'''
#Replace '''for''' with '''4'''

=== Handling passwords ===
#Never send the actual password - always send the pass phrase
#Make sure that the password created out of the pass phrase is at least 10 characters long since using initials results in a lot of i's and a's etc which reduces the effectiveness of the password and allows hacking via brute force guessing especially since windows doesnt slow down logins even if it sees thousands of password attempts
#Pass phrases are never to be sent by email, whatever the case maybe.
#Pass phrases can be sent by chat - however they have to be broken down in two parts and sent separately over two different messengers or if you are using Gtalk then use the 'off the record' mode.
#Using SMS to send pass phrases is the best known way as of now.
#If you save the passwords on your system in an file then:
#*Ensure that you only store pass phrases in the excel file
#*Ensure that the excel file is encrypted with a master password

== NEOSYS Maintenance Window ==

The NEOSYS server is functional from 6am – 1am. There is a 5hr window gap for the system to perform updates & backups.

The 5hr maintenance window:-

1. At 1am – The server performs a data backup on a USB (for the respective clients) & once the backup has been completed, the system automatically generates an email addressed to the neosys staff & the respective clients.

2. At 2:45am – The main data over writes the test data on the server.

3. At 3:00am – The server by itself performs an update for Windows.

4. At 4:00am – The server performs a backup to the headquarters for clients, and then automatically generates an email addressed to the NEOSYS staff & the respective clients.

5. At 6:00am – The server starts up NEOSYS.

== Using NEOSYS Terminology while communicating with Clients ==

NEOSYS support must communicate in correct language to clients on finance issues in order to ensure that our records exactly represent reality. Conversely NEOSYS must not use other terminology because it can cause considerable confusion and poor quality results. In case client is new and still in training, use client terminology optionally as long as
#It is only an addition to NEOSYS standard terminology
#Only if clear that it is client terminology by putting in brackets like this "Sales Invoices (called PI by you)", where "you" means the client you are talking to or you can put the client company name instead perhaps.

The objective is over time to avoid having the support team to have to know the terminology of the client. NEOSYS support team cannot possibly know and remember it for each client therefore the client MUST over time learn and use NEOSYS terminology. The initial period is one of relearning and translation for the client not for NEOSYS.

Many users operating NEOSYS finance module do not know proper financial procedures and may not appreciate how doing something in a wrong or unusual way now may not be correctable in the future.

NEOSYS staff must follow NEOSYS procedures only. If NEOSYS procedures need to be updated then this must be agreed in advance and not AFTER the fact.

== Amending/Reposting Journal Entries ==
In certain exceptional cases, amending/reposting of journal entries is allowed for only one day to enable clients to present reports in an alternative manner.

It must be agreed with the client that reposting rights will be granted for only one day and NEOSYS Support will automatically remove it and check for CCB error thereafter.

This would be subject to NEOSYS requiring a written LETTER OF APPROVAL duly signed and stamped by the highest management of the company.

In case the client management decides to allow editing/reposting of journal entries, the following procedure is to be followed:
# Client must de-allocate vouchers which need to be amended
# NEOSYS support staff must wait for a day so that de-allocated vouchers are copied into Test database
# Authorise required users to amend and repost (without record) '''in Test database only''' ( While reposting, we have 2 options i.e. with record and without record. The 'with record' option causes the system to maintain a history of edits made. Hence, we want to repost without record so that there is no trace of the edit in the system)
# Amend a substantial number of vouchers in Test and verify them. To verify if the edits made are reflected:
# *Print all ledgers for the whole year
# *Cross-check all balances
# Once you verify the balances are correct in Test database, grant users permission to amend and repost in the Live database.
# Ask users to amend and repost vouchers in the Live database.
# Cross-check all balances for the current year.
# If you successfully verify the balances, revoke permissions immediately. Else, wait for 24 hours and revoke permissions irrespectively.

== Removal of unauthorized third-party software on client servers ==

Rule: Any third party software that is discovered by NEOSYS support staff on client servers that has been installed without the agreement of NEOSYS should be uninstalled immediately on discovery.

However purposeful a software is, NEOSYS is contractually responsible for support and there are too many opportunities for poorly installed software to cause unpredictable damage to the NEOSYS database so NEOSYS has to have a clear and safe and simple policy to ensure the integrity of client data. Installing software without prior discussion with NEOSYS by itself indicates that insufficient care and consideration has been given to possible issues.

Having unauthorized third party software on the server can possibly lead to a backup failure. For example, [[Backup_and_Restore#Error_Message:_.22LISTS_file_is_not_available.22|LISTS file not available]] error.

Any software required by client IT for some purpose may only be installed after discussion and agreement from NEOSYS support staff concerning the configuration and operation of the software.

The NEOSYS Software Licence and Support agreement requires that where NEOSYS software is installed on client servers that a dedicated server is provided and dedicated implies that no other software may be installed without the agreement of NEOSYS support.

== Configuring tunnelier to autologin on opening tlp files ==
If you have many tunnelier tlp files in a directory and connect by opening the desired tlp file the, instead of opening the file and then clicking Login you can also right click the file and select Connect.

Alternatively, you can configure tunnelier to login (connect) automatically by following the procedure mentioned below. (Even if you configure automatic login, you can still open and not login by right clicking and choosing Open)

=== Windows 8 ===

Cannot be done using standard Windows UI. Some download utilities can do it. TODO put a safe one in neosys.com/support

=== Windows XP/Vista/7/2008 ===

#Go to My Computer
#Click on Tools -> Folder Options [[image:tunnauto-1.jpg]] 
#Click on File Types
#*Select TLP (Bitvise Tunnelier Profile) [Type "TLP" to find it quickly]
#*Click on Advanced [[image:tunnauto-2.jpg]] 
#Click on Connect and Click on Set Default [[image:tunnauto-3.jpg]] 

== International v/s Indian English ==

There are some words which have completely different meanings in International and Indian English. NEOSYS Staff should follow International English only. Below are the examples of few of those words:

Word: '''Doubt'''

In the English language word "doubt" means to distrust an alleged fact on the basis of a reason, depending on the strength of the reason which may be anything from factual to feeling e.g "I have no reason to doubt him".
This usage is followed worldwide.

Some people especially from Indian origin use "doubt" when they are unaware about a fact. e.g "I want to clear my doubts about this procedure". This is incorrect. The word must be used when you do not agree on something on the basis of a reason and not when you do not have knowledge about it.

==[[ New Employee Training Checklist]]==

==[[ New Client Training Notes]]==

==[[ General Office Procedures]]==

New Client Training Notes

2019-07-01T13:36:29Z

Pratishthit: /* Job Module */

==Prior to Training – Preparation for the Meeting==
#List the modules for your own reference that you are going to train the users in (Media, Jobs, Timesheets and/or Finance) and prepare accordingly
#Get an idea of your audience with details like the number of users, their designations and what kind of access they have to NEOSYS
#Prepare handouts listing the topics to be covered in the training session. The user can use this handout to keep track of what happens in training and take notes for reference later
#Create a time-table for trainings and inform the client the same
#Contact Client IT to ensure technical details like firewall exclusions and proxies (if applicable) are configured correctly so that users have access to NEOSYS without issues
#Email training session pre-requisites to the client contact e.g. internet connectivity and projector in the meeting room
#Create an account in the Authorisation file namely Admin, with complete access to NEOSYS. This account can be used for emergency changes in the configuration of the system while at the client location

==During Training==
NEOSYS Staff are responsible to cover the whole of training superficially and not do in depth training. Show users what they need to get started and don’t allow them to slow down training by replying to in depth queries.

Onsite sessions at the client are not just "training" sessions. They are implementation sessions and need to set clear objectives for clients to start implementing the system. It is easy to squander time and resources if client staff believe they can sit back and "be trained" instead of "learn and implement". The end result of such squandering is likely that NEOSYS is asked to return again and again simply due to bad organisation.

How to train:

Training should be done in HALF DAYS and never in whole days because it doesn’t allow client staff time to IMPLEMENT THE SYSTEM. In between sessions client staff has to do work to get things.

Initial training on site is half a day per module and NO MORE because client needs to mentally get into action themselves and not sit back thinking all they have to do is listen.

There are two very different jobs that have to be done during training:

a) Embedding into knowledge of how NEOSYS works into peoples brains

b) Users working out how to use NEOSYS to perform their work since NEOSYS might not handle everything exactly as they imagine

Trainees will often slow down (a) by trying to solve every petty problem in (b). NEOSYS trainers must find a healthy balance to ensure that (a) is done before going in depth in (b). The trainer, like a good chairman of a meeting, should control who can speak and for how long. Failing to do this allows few people to talk too long and everybody complaining that the training was not productive.

Every client staff member must be given some tasks to complete in NEOSYS by themselves before they get into the next training session. The task should include getting printouts of their work. Each person’s work should be inspected and discussed at the next session.

Only ONE NEOSYS staff should conduct implementation sessions unless it is to introduce a junior NEOSYS member to on-site work. Training in parallel by multiple NEOSYS staff is a waste of resources because of the lack of coordinated implementation.

Client finance staff needs to participate in all sessions and not be given private training sessions for what has already been done for operations staff.

Care and attention will produce a quality implementation. Easy and relaxed approach will not produce good results. TAKE ACTION! MAKE A DIFFERENCE!

===Introduction===
Spend 15min in introducing the users to NEOSYS and explaining basic essential points of accessing NEOSYS

Topics to cover
* URL
* Turning off Pop-up Blocker
* Login Page
* Dataset
* Reset Password

===Media module===

Spend 20-30 min showing a complete schedule creation with 1 client and 1 brand, vehicle and supplier. Show schedule booking, certification and invoicing.

Topics to cover
* NEOSYS schedule per brand
* New schedule
* NEOSYS Codes
* Client and Brand file
* Supplier and Vehicle file
* Media Types
* Specification, Time, dates
* Gross unit, Other charges and exchange rate file
* Booking in a schedule
* Certifying ads in a schedule
* Invoicing ads in a schedule
* Media Diary
* Reports under Media menu
* Media Analysis

===Job Module===
Do 20-30min showing 1 Job, client and brand creation, estimate, purchase order, invoicing and purchase invoicing.

Topics to cover
* Creation of Job
* Client and Brand file
* Supplier file
* Job types
* Estimate
* Purchase order
* Invoice
* Purchase Invoice

===Finance Module===
Do 20-30min showing how to enter opening balances, link client and supplier to finance, Chart of Accounts, posting invoices on the journal entry screen, unposted batches, allocations, analysis codes and financial reports.

Topics to cover
* Chart of Accounts
* BL, PL, TD and TC charts
* Company File
* Link between Finance and Operations – Media and Job type files
* Automatic entries in Finance
* Automatic Accrual Accounts
* Analysis codes
* Journal entry screen – unposted batches, posting batches and doing a manual entry
* Voucher file
* Voucher allocations in Journal entry and Allocations screen, partial allocation and de-allocation
* Journal setup
* Finance Settings
* Ledger and Statement of Account
* Financial Reports
* Billing Analysis Reports

===Timesheet Module===
Do 10-15 min showing users how to select a job and enter details in the timesheet, how to avoid reminders for holidays and timer usage.
Show Timesheet administrators how to take Timesheet printouts, how to setup hourly rates, avoid email reminders for all users and change settings in timesheet configuration file.

Topics to cover

For Users
* Selecting Jobs in timesheet
* Entering details and saving

For Admins
* Timesheet approval
* Timesheet printout and approval emails
* Timesheet files (Activity, hourly rates and configuration file)
* Timesheet Analysis

===Additional Topics===
In addition to the modules, the following points have to be explained to the users.
* File lock and release in 5 mins
* Reopen and Release
* File in use/File open for viewing only
* NEOSYS maintenance window to perform backup and updates