Nate Silva

May 05 2008

When downloading an .EXE file in IE, it loses its file extension

Internet Explorer has odd behavior when downloading certain files. If you have an .exe file, but it’s served by a URL with a query string, IE will lose the file extension.

An example might be easier to understand.

Let’s say you’re using Amazon S3 to serve your downloads. You’ve got a file, myfile.exe, that your customer wants to download. Using S3 you generate a URL that allows them to download the file, and you can set the URL to expire after a certain time. The resulting URL might look like this:

https://nate.s3.amazonaws.com:443/myfile.exe?Expires=1210007779&AWSAccessKeyId=1HHMQMPRV9GFWH6BTP82&Signature=5dfcG5OC9BSkDFSzjxQGjlbKNi0%3D

Notice that the URL contains /myfile.exe followed by some query string parameters (everything after the question mark is the query string).

Most web browsers will interpret this as being a request for the file myfile.exe.

Internet Explorer will interpret this as being a request for a web page served by an application on the server called myfile.exe. The resulting download will be called myfile (instead of myfile.exe), which doesn’t work.

There’s a workaround, which is to add the filename to the end of the query string, like this:

https://nate.s3.amazonaws.com:443/myfile.exe?Expires=1210007779&AWSAccessKeyId=1HHMQMPRV9GFWH6BTP82&Signature=5dfcG5OC9BSkDFSzjxQGjlbKNi0%3D&filename=myfile.exe

There’s no reason in the HTTP standard why this should be required; it’s just a way that Microsoft developed to work around the bug in IE.

More information, including Microsoft’s creative interpretation of the HTTP standard, can be found in Knowledge Base Article 221805. The article says the bug is fixed, except not for .exe and .dll files! This is another case of inconsistent behavior in IE.
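
As an added example (not part of the original post), the sketch below builds a URL of the shape shown above and appends the workaround parameter. It assumes the legacy S3 query-string signing scheme that the Expires / AWSAccessKeyId / Signature parameters belong to; the access key, secret and helper names are constructed. It also shows why the extra parameter does not disturb the signature: filename is not part of the signed string.

```python
import base64, hashlib, hmac, posixpath
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed credentials for the example; not real keys.
ACCESS_KEY = "EXAMPLEACCESSKEYID"
SECRET = "constructed-secret-not-a-real-key"

def sign_v2(secret, bucket, key, expires):
    """Legacy query-string signature: HMAC-SHA1 over verb, expiry and resource."""
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(access_key, secret, bucket, key, expires):
    """Build an expiring download URL shaped like the one in the post."""
    sig = quote(sign_v2(secret, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?Expires={expires}&AWSAccessKeyId={access_key}&Signature={sig}")

def add_ie_filename(url):
    """Append filename=<name> as the last query parameter for .exe/.dll paths."""
    parts = urlsplit(url)
    name = unquote(posixpath.basename(parts.path))
    if not name.lower().endswith((".exe", ".dll")):
        return url                      # other extensions do not need the workaround
    if any(k == "filename" for k, _ in parse_qsl(parts.query)):
        return url                      # already present, do not add it twice
    extra = "filename=" + quote(name, safe="")
    query = f"{parts.query}&{extra}" if parts.query else extra
    return parts._replace(query=query).geturl()

def signature_matches(url, secret, bucket):
    """Recompute the signature from path and Expires; other parameters are not inputs."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    key = unquote(parts.path.lstrip("/"))
    expected = sign_v2(secret, bucket, key, params["Expires"])
    return hmac.compare_digest(expected, params["Signature"])

if __name__ == "__main__":
    url = add_ie_filename(presign(ACCESS_KEY, SECRET, "nate", "myfile.exe", 1210007779))
    print(url)
    print("signature still valid:", signature_matches(url, SECRET, "nate"))
```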

Feb 20 2008

How to get some HP network printers to work with Mac OS X Leopard

Some HP network printers — such as the HP Color LaserJet 3600n and 3600dn — don’t have what Apple calls “modern” printer drivers. As a result, you may not be able to print over the network. This will happen if both of the following things are true:

  • The printer doesn’t have a modern driver.
  • You are not using Bonjour to print; for example, if you are on a different network subnet than the printer.

The correct driver won’t even be available in the driver list. Apple has a list of supported printers; an X in the right-hand column indicates modern drivers.

The good news is that there’s a solution. For this to work the printer must have built-in networking and it must be an HP printer (Canon and Epson owners see my note below).

  1. In System Preferences, open the Print & Fax Preference Pane.
  2. Click the plus sign to add a printer.
  3. In the dialog that appears, click the “More Printers” icon at the top.
  4. In the More Printers dialog, choose “HP IP Printing” from the drop-down list.
    • If your printer is on the same subnet as your Mac, you should see it listed. Select it and click Add.
    • If you don’t see it listed, click the “Manual” tab and enter the printer’s IP address, click “Connect”, then “Add”.

That’s it. Most of the time the printer model will be automatically detected and you won’t even have to select a driver.

Note for Epson and Canon owners

The steps above are for HP printers only. But the “More Printers” dialog also offers options for “Canon IJ Network” and “Epson TCP/IP” printing. I have no way to test these, but if your printer has built-in networking, choosing one of these may work for you.

Feb 15 2008

Engineers and early adopters vs. the customers

“We thought it was a mistake and made our engineers check the logs again,” said Vic Gundotra, head of Google’s mobile operations.

Google receives 50 times as many searches from iPhone users as from any other mobile handset. It’s the very definition of usability: how many people actually use their phones to browse the web. Apparently only iPhone users.

Products that are popular with engineers and early adopters—the previous generations of smartphones, loaded with features—aren’t necessarily what customers want. They want usability. It looks like Apple has figured that out.

Jan 25 2008

Time Machine only runs if your MacBook is plugged in

Time Machine is a great feature of Apple’s computers. It backs up your Mac every hour, as long as you have a backup disk connected to the USB or Firewire port. Because it only needs to back up whatever changed in the last hour, it only takes a few seconds to do.

But on my wife’s MacBook it was not doing automatic backups:

The “Next Backup” field just contains two dashes.

The solution was easy: plug in the computer.

It turns out that Time Machine doesn’t run automatically when your notebook computer is not plugged in. It does this to preserve battery life. As soon as you plug it in, the “Next Backup” time shows up and automatic backups will continue.

Nov 07 2007

Notes on using Cocoa-Python in Mac OS X Leopard

I’ve been looking at Leopard’s amazing new Cocoa-Python support. It uses PyObjC 2.0 to give Python programmers access to the Cocoa frameworks that Mac OS X is built on.

Working from the Apple tutorial, which is based on an older version of PyObjC, I was able to build a working application. But I hit a few roadbumps and those are what I want to document here for other would-be Cocoa-Python programmers.

The first problem was figuring out how to instantiate my Averager object in Interface Builder. I found the solution on the macosxhints Forums:

  1. Drag an instance of NSObject from the Library into your xib file.
  2. Click on the new instance of NSObject and bring up the Identity Inspector (⌘-6 or find it in the Tools menu).
  3. Set the object’s class name to your class name, which is Averager if you’re following the Apple tutorial.

The second problem was this error:

This class is not key value coding-compliant for the key calculatedMedian

This was caused by not importing the Averager class. To fix it, add the following to your main.py file:

from Averager import *

Some tips:

  • The debugger console window (Shift-⌘-R) is your friend.
  • Beware of Xcode’s tab handling. You can force it to use spaces under Preferences > Indentation.
  • If you are doing the tutorial and you get “ValueError: invalid literal for float()”, it’s because you’ve passed something that doesn’t look like a number — most likely a comma. Called without arguments, Python’s split method only splits on whitespace, so a comma stays attached to the number next to it. In the debugger console you can see what exception is raised. You can of course catch the exception and handle it in your Python code.

Oct 30 2007

How to make readline support work in IPython on Mac OS X Leopard

Many Python programmers use the IPython shell for interactively testing their code.

But if you recently upgraded to Mac OS X Leopard then you may have noticed that a key feature — tab-completion — doesn’t work.

It doesn’t work because IPython uses the GNU Readline library, and Mac OS X doesn’t include that. Instead, OS X ships with a similar library called Editline.

You can make IPython work with Editline by adding the following lines near the top of your ~/.ipython/ipy_user_conf.py file:

import readline
readline.parse_and_bind("bind ^I rl_complete")

Note: You must be using a recent version of IPython. You can install the latest version by typing sudo easy_install ipython from the OS X command-line.

(Found in this message thread on the Pythonmac-SIG mailing list)

Oct 21 2007

How to fix an SSL certificate error in Exchange System Manager

For the longest time I’ve had this error in Exchange System Manager when managing public folders:

The SSL certificate server name is incorrect.
ID no: c103b404
Exchange System Manager

This can happen when using Outlook Web Access if your webmail URL doesn’t match the server’s internal name. Exchange System Manager expects your SSL certificate to match the server’s internal name. OWA users — including Windows Mobile devices — expect the certificate to match the server’s public URL.

One solution is to manually change the SSL certificate every time you need to manage a public folder, then change it back when you’re done. That gets old quickly.

Another solution, suggested in a knowledge base article, is to turn off SSL for the IIS Exadmin virtual root. This didn’t work: SSL was turned off for Exadmin but the problem remained.

Here’s an alternate solution that works:

  1. Run adsiedit.msc.
  2. Navigate to: CN=Configuration > CN=Configuration,DC=YOURSITE > CN=Services > CN=Microsoft Exchange > CN=YOURDOMAIN > CN=Administrative Groups > CN=first administrative group > CN=Servers > CN=YOURSERVER > CN=Protocols > CN=HTTP > CN=1 > CN=Exadmin.
  3. Right-click on CN=Exadmin and choose Properties.
  4. Find the attribute called msExchSecureBindings and click Edit.
  5. Remove the value :443: from the list.
  6. Click OK twice to close the dialog boxes.

(Found on Jim McBee’s Mostly Exchange Web Log)

Oct 08 2007

How to make Safari work behind a SonicWALL firewall

Do you have a Mac behind a SonicWALL firewall? Do you find that some URLs (like certain pages at the New York Times) won’t load in Safari, but they work in Firefox? Is the problem worse when you’re behind a secondary router, such as a wireless router?

If so, Edward Marczak of Tech Zendo has the solution for you.

The basic solution is to access the SonicWALL’s hidden diagnostics page at http://your.ip.address/diag.html and turn off the checkbox that says “Enforce Host Tag Search for CFS”.

It turns out the SonicWALL drops some web connections where the HTTP request headers are split across multiple packets. It does this to make it harder to bypass content filtering, but it can cause Safari’s legitimate traffic to be dropped.

Thanks Edward!

Followup: 2007-10-10

This support document from SonicWALL explains the problem in more detail. WebKit (Safari) is waiting for a TCP ACK before sending out the next packet; apparently it is not supposed to do that.
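
The behavior described above can be modelled in a few lines. This is an added example, not SonicWALL's implementation and not code from the original post: a simplified filter that decides from the first segment alone drops a legitimate request whose Host header arrives in a later packet, while a filter that reassembles the header block first still enforces the policy. The host names, the blocked list and the sample segments are constructed.

```python
BLOCKED_HOSTS = {"blocked.example"}      # constructed content-filter policy

def host_from(data):
    """Return the Host value from the complete header lines seen so far, else None."""
    lines = data.split(b"\r\n")[1:-1]    # skip request line and unterminated tail
    for line in lines:
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

def verdict(host):
    if host is None:
        return "drop"                    # no Host header: cannot classify the request
    return "block" if host in BLOCKED_HOSTS else "allow"

def first_segment_filter(segments):
    """Strict model: the Host header must be visible in the first packet."""
    return verdict(host_from(segments[0]))

def reassembling_filter(segments, max_header=8192):
    """Buffer segments until the header block is complete, then classify."""
    buf = b""
    for seg in segments:
        buf += seg
        if b"\r\n\r\n" in buf:
            return verdict(host_from(buf))
        if len(buf) > max_header:
            return "drop"                # bound the buffer so it cannot grow forever
    return "pending"                     # headers not finished yet

# Constructed sample traffic: one request in a single packet, two split across packets.
WHOLE = [b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"]
SPLIT = [b"GET / HTTP/1.1\r\nUser-Agent: test\r\nAccept: */*\r\n",
         b"Host: www.example.com\r\n\r\n"]
SPLIT_BLOCKED = [b"GET / HTTP/1.1\r\nUser-Agent: test\r\n",
                 b"Host: blocked.example\r\n\r\n"]

if __name__ == "__main__":
    for name, segs in [("whole", WHOLE), ("split", SPLIT), ("split+blocked", SPLIT_BLOCKED)]:
        print(name, first_segment_filter(segs), reassembling_filter(segs))
```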


May 04 2007

How to add the S&P 500 index to your Dashboard Stocks widget

The Stocks Dashboard widget that comes with Mac OS X is nice, but it doesn’t display the S&P 500 index by default and there’s no easy way to guess the ticker symbol.

To add the S&P 500 index to your Dashboard Stocks widget, use ticker symbol SPX.X.

Update: For OS X Leopard, use the symbol ^GSPC.

(Found on MacRumors Forums)

Mar 21 2007

How to configure a SonicWALL so you don’t have to use split DNS

Here’s a problem I see sometimes: you’ve got a small LAN and a NAT firewall. Let’s say your web server is www.company.com with an IP address of 192.168.0.5. Via NAT it also has an external address of 3.3.2.5.

You want the PCs on your LAN to be able to see www.company.com. When they resolve the name using DNS they get the external address 3.3.2.5. Unfortunately your firewall doesn’t let them access that address or any address in the DMZ. They can only get to the web server using its internal address of 192.168.0.5.

What many admins do in this situation is to set up “split DNS”. That is, they set up an additional DNS server just for the LAN clients. This server gives out the internal IP addresses instead of external ones. This setup sucks because it means you have to keep track of names and addresses in two places. If anything changes you have to update your real (public) DNS and the internal DNS server. If you add a host name to one but not the other some clients won’t be able to connect.

Another option is to use WAN port loopback. Most firewalls support this but I’ll give instructions for SonicWALL, since that’s what I’m familiar with. SonicWALL calls this feature “DNS NAT Loopback”.

Using SonicWALL SonicOS 3.x:

  • Create a new NAT policy with the following parameters:
    • Original Source: LAN Subnets
    • Translated Source: WAN Primary IP
    • Original Destination: (the server’s external IP address)
    • Translated Destination: (the server’s real/internal IP address)
    • Original Service: Any
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Original
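
The following added example (not from the original post or from SonicWALL) models the policy above to show why Translated Source is set to the WAN Primary IP rather than left as Original. It assumes the client and the server share the 192.168.0.0/24 subnet; the WAN primary address and the client address are constructed, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
SERVER_EXT = ip_address("3.3.2.5")       # external address from the post
SERVER_INT = ip_address("192.168.0.5")   # internal address from the post
WAN_PRIMARY = ip_address("3.3.2.1")      # constructed: the firewall's WAN IP
CLIENT = ip_address("192.168.0.20")      # constructed LAN client

def loopback(src, dst, translate_source=True):
    """Apply the NAT policy to one packet; return (src, dst) or None if it does not match."""
    if src not in LAN or dst != SERVER_EXT:
        return None
    return (WAN_PRIMARY if translate_source else src, SERVER_INT)

def reply_source_seen_by_client(client, translate_source=True):
    """Follow a request and its reply; return the source address on the reply."""
    seen_src, seen_dst = loopback(client, SERVER_EXT, translate_source)
    reply_src, reply_dst = seen_dst, seen_src   # server answers whoever it saw
    if reply_dst == WAN_PRIMARY:
        # The reply goes back to the firewall, which reverses both translations.
        return SERVER_EXT
    # The reply is addressed to the client on the server's own subnet, so it is
    # delivered directly and never passes back through the firewall.
    return reply_src

def connection_works(client, translate_source=True):
    """The client only accepts a reply from the address it connected to."""
    return reply_source_seen_by_client(client, translate_source) == SERVER_EXT

if __name__ == "__main__":
    print("with source translation:", connection_works(CLIENT))
    print("without source translation:", connection_works(CLIENT, translate_source=False))
```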

If you do this, you should use a different domain name for your internal network. Many companies already do this: using a .local domain name seems to be common with Active Directory. Clients can resolve www.company.local to get the web server’s internal IP address. If they resolve www.company.com, they’ll get the external address.

For clients that are always on the internal network (anything not a laptop), you’d point them to www.company.local for the web site, mail.company.local for mail, and so on. That way they don’t have all their traffic to company servers routed out and back in through the firewall.

For laptops you’d point them to www.company.com for the web site and mail.company.com for the e-mail server and so on. They are location-independent and don’t have to change their configuration depending on whether they are in the office or on the road.

So if you have to maintain a DNS zone for the internal network (.local or whatever), why not go ahead and do split DNS? My answer is that split DNS requires you to maintain another DNS zone, one that can get out-of-sync easily. The zone for your internal network is probably updated automatically with Active Directory or dynamic DNS. The extra zone you would add for split DNS has to be maintained manually. And the extra zone would need a copy of all of your company.com DNS records — with IP addresses modified as appropriate.

Finally, you may be worried about the amount of traffic that is looping back through your firewall. Will this slow it down? Think about which IP addresses need to be looped back. They are the external IP addresses of servers which are available from the Internet. For most small companies this means the e-mail server. Maybe the web server (if it’s not hosted offsite). Everything else (your file server, Windows domain controllers, and so on) doesn’t have an external IP address. That traffic stays on your LAN and never gets looped back. So for a typical small company the additional traffic is minimal.

More information: SonicWALL Tech Note: Configuring DNS NAT Loopback
