Wednesday, December 30, 2009

Optimizing GPO Performance

Want to speed up the computer startup and user login process? It can be terribly slow to wait while logging on or while a server boots up, especially when the client-side extensions (CSEs) are loading whatever GPO settings apply to them. Usually, we create single-purpose GPOs targeting either computer settings or user settings only. If that's the case, you can disable the unused section (computer or user settings) of the GPO in the GPMC (Group Policy Management Console) to speed up the process.

Tuesday, December 29, 2009

Command to change Computer Time Zone

I was searching for the GPO setting to change the time zone of multiple computers and I found none - not even in the Administrative Template settings that are supposed to set the system registry.

I searched the Internet and found this "hidden command" - tzutil.

tzutil /g (To know current time zone)
tzutil /l (To get a list of all available time zones)
tzutil /s time_zone_ID (To change time zone)

To set to SG time: tzutil /s "Singapore Standard Time". Deploy it in a startup script. It works on Win7 and W2K8 computers.

Monday, December 7, 2009

Windows System Resource Manager

Windows System Resource Manager (WSRM) can be used in 2 modes. Firstly, it allows application profiling, which helps identify the amount of resources (e.g. CPU, memory etc) that the applications consume.

Secondly, it can also operate in manage mode. WSRM uses its allocation policies to control how many resources applications can use on a server. If applications exceed the allocation, WSRM can stop the applications from executing and make sure other applications can continue to operate. However, WSRM will not enforce the resource policies until the processor usage exceeds 70 percent.

WSRM can be assigned to manage 3 objects, namely processes, users and IIS application pools. WSRM is available for download for Windows 2003 and is available as a feature to be added in Windows 2008.

Thursday, November 26, 2009

VRF aware Site-to-Site IPSec

Cisco introduced new configuration guidelines for VRF aware IPSec. I spent a day's worth and finally got it working. Understanding the Front Door VRF (FVRF) and Inside VRF (IVRF) is key. Each IPsec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which Cisco calls the FVRF. The inner, encrypted IP packet belongs to another domain called the IVRF.

Part 1 is the base configuration without any IPSec. I'm using Loopback interface to simulate internal trusted network address (e.g. LAN). GRE tunnel is setup to bridge 2 separate LANs. In part 2, IPSec profile is applied to encrypt GRE tunnel (a.k.a GRE over IPSec).

Part 1 - Base Configuration
hostname Router1
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
! internal address
interface Loopback0
ip vrf forwarding IVRF
ip address 192.168.255.1 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip add 192.168.1.1 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.2
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.1 255.255.255.252
!
ip route vrf IVRF 192.168.255.2 255.255.255.255 Tunnel0

----
hostname Router2
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
interface Loopback0
ip vrf forwarding IVRF
ip address 192.168.255.2 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip add 192.168.1.2 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.1
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.2 255.255.255.252
!
ip route vrf IVRF 192.168.255.1 255.255.255.255 Tunnel0

Part 2 - IPSec related crypto configuration
Router1
crypto keyring vpnKey vrf FVRF
pre-shared-key add 192.168.1.2 key vpnkey
! exempt extended authentication for physical interface
no crypto xauth s1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity add 192.168.1.2 255.255.255.255 FVRF
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform myset
set isakmp-profile isaPro
!
int Tunnel0
! apply IPSec to protect GRE tunnel
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecPro
!
-------

Router2
crypto keyring vpnKey vrf FVRF
pre-shared-key add 192.168.1.1 key vpnkey
!

no crypto xauth s1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity add 192.168.1.1 255.255.255.255 FVRF
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform myset
set isakmp-profile isaPro
!
int Tunnel0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecPro



Verification
Router1#ping vrf IVRF 192.168.255.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 372/429/512 ms

Router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

Router1#sh crypto session
Crypto session current status

Interface: Tunnel0
Profile: isaPro
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
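
The Part 2 configuration above uses esp-des with esp-md5-hmac and an ISAKMP policy that sets only the authentication method, which is fine for a lab but not for production. The following Python check is an added example, not part of the original post: it flags those two conditions in a flat IOS configuration. The function names, the weak-keyword lists and the HARDENED sample are assumptions of this example.

```python
import re

# Transform keywords this example treats as weak (editor's choice, not from the post).
WEAK_TRANSFORMS = {
    "esp-des": "single DES, 56-bit key",
    "esp-null": "no encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
}
# ISAKMP policy sub-commands that should be set explicitly: (name, accepted prefix).
ISAKMP_PARAMS = (("encryption", "encr"), ("hash", "hash"), ("group", "group"))
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1"), ("group", "2")}

# Excerpt of Router1's Part 2 configuration as posted (comments removed).
PAGE_ROUTER1 = """\
crypto keyring vpnKey vrf FVRF
pre-shared-key add 192.168.1.2 key vpnkey
no crypto xauth s1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform myset
set isakmp-profile isaPro
"""

# Constructed comparison sample: same names, stronger parameters set explicitly.
HARDENED = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
"""


def stanzas(config):
    """Split a flat IOS config into stanzas; '!' or a new 'crypto' line starts one."""
    block = []
    for raw in config.splitlines():
        line = raw.strip()
        boundary = not line or line.startswith("!")
        if (boundary or line.startswith("crypto ")) and block:
            yield block
            block = []
        if not boundary:
            block.append(line)
    if block:
        yield block


def audit_ios_crypto(config):
    """Return findings for weak transform-sets and under-specified ISAKMP policies."""
    findings = []
    for block in stanzas(config):
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", block[0])
        pol = re.match(r"crypto isakmp policy (\d+)", block[0])
        if ts:
            for token in ts.group(2).split():
                if token in WEAK_TRANSFORMS:
                    findings.append(
                        f"transform-set {ts.group(1)}: {token} ({WEAK_TRANSFORMS[token]})")
        elif pol:
            seen = {}
            for line in block[1:]:
                words = line.split()
                for name, prefix in ISAKMP_PARAMS:
                    if words[0].startswith(prefix):
                        seen[name] = words[1] if len(words) > 1 else ""
            missing = [name for name, _ in ISAKMP_PARAMS if name not in seen]
            if missing:
                findings.append(f"isakmp policy {pol.group(1)}: {', '.join(missing)} "
                                "not set, platform default applies")
            for name, value in seen.items():
                if (name, value) in WEAK_ISAKMP:
                    findings.append(f"isakmp policy {pol.group(1)}: {name} {value} is weak")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_crypto(PAGE_ROUTER1):
        print(finding)
```

Both routers must carry matching ISAKMP and transform-set parameters, so any change prompted by a finding has to be made on Router1 and Router2 together.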

Thursday, November 5, 2009

SID reset on Win7 image

If you want a quick SID reset on a Win7 clone, the official way is to run sysprep from "c:\Windows\System32\sysprep\sysprep.exe" and select "Generalize". Remember to perform this task before joining the machine to the domain.

For corporate Windows 7 deployment, Microsoft provides a free toolkit called Microsoft Deployment Toolkit (MDT) 2010, which is specifically designed for imaging & deploying Windows 7 machines.

Friday, October 30, 2009

OU Delegation

Imagine your infrastructure now contains several OUs of computers and users and you want to delegate them to different admin groups, including the rights to set their own group policies. How do you do this?

Launch "Active Directory Users and Computers". Right-click the OUs that you want to delegate and select "Delegate Control". Select the delegated groups and tasks. For full delegation, select "Create a custom task to delegate" and select all permissions subsequently as follows:



To assign the rights to create Group Policy, launch "Group Policy Management Console" and click on "Group Policy Objects". Click the "Delegation" tab on the right pane and add the delegated groups as follows:

Friday, October 23, 2009

Native VHD mount in W2K8 R2

Another new feature in W2K8 R2 - you can now create and mount Virtual Hard Disk (VHD). Go to Server Manager -> Storage. Expand into Disk Management, mouse over to More Actions. Create & mount VHD just like what you do for a new physical hard disk.


What about turning on Bitlocker to encrypt virtual volume? Add "Bitlocker" feature on the Server Manager. After reboot, go to control panel -> Bitlocker Drive Encryption. Hey, the VHD is ready for you to encrypt (See picture below). Next, instead of storing the key on the TPM, we will enrol a smart card to encrypt this virtual volume. We will update again when we are ready.


Sunday, October 11, 2009

TrueCrypt on Present-V

While office applications (e.g. MS Office 07) can be easily delivered remotely via RDP, we wonder if we can have a secure vault for confidential document processing. The free open source TrueCrypt comes to our minds. You can create encrypted Virtual Hard Disk (VHD) and mount it on a logical drive. As these VHDs are file-based, they can be easily moved around and easy on back-up.

We have tested that TrueCrypt works perfectly well on Present-V and we even managed to place its symmetric keyfile into a PKCS#11 smart token for enhanced security. For quicker startup, we wrote a script (see command-line usage) that can auto-mount the VHD on the first available drive.

As the process is running on the terminal server, only one drive can be mounted for each process on each server, i.e. you can't mount 2 VHDs on the same E: drive on the same host. That would place a logical limit of 26 (letters) - 3 (reserved A, B, C) = 23 users (assuming 1 user = 1 process) on each terminal server. Thanks to the free Hyper-V in Windows 2008, this constraint can be easily worked around. With the in-built Session Broker, the load can be balanced among a pool of several Virtual Machines (VMs) in a DNS round-robin style.

Present-V's stumbling block

Our team has succeeded in setting up a full-fledged Present-V POC, which is somewhat similar to this Microsoft IT POC, albeit in a smaller way. We have also implemented smartcard for both authentication & secure email purposes.

During the process, we learnt that the biggest stumbling block is the applications to be delivered. Besides running on a Windows Server 08 platform, the application must be able to support multi-users and multi-sessions. We found out that virtualizing those ancient legacy applications (which were built for Win9x, single user and single computer) is near impossible when those application developers were either already gone or near retirement!

Friday, October 2, 2009

Read-Only Domain Controller for Remote Sites

A typical enterprise is characterized by a HQ hub site and several remote branch offices. Should a domain controller (DC) be placed in the branch office?
  • Yes, it should. If not, all authentication and Kerberos ticketing activities will be directed to HQ, which might choke a slow & unreliable WAN link. In the event of WAN link failure, all activities will come to a halt.
  • No, it shouldn't. It poses serious security challenges. DC contains the entire domain schema, including all object attributes, such as user secrets & confidential information. If the DC is accessed or stolen, it will compromise the entire AD integrity. Furthermore, if the data in the remote DC is corrupted or outdated from a backup restore, it will be replicated to the entire domain.
What a dilemma! Windows 2008, however, introduces the new Read-Only Domain Controller (RODC). RODC will receive all Kerberos requests from the clients and redirect to the hub site. But the requested data and user credentials can also be cached locally by configuring a password replication policy (PRP). It reduces reliance on WAN links & maintains only a small subset of the entire domain (restricting to only the users & machines logging on to that particular RODC). Even if the RODC were stolen, the compromise is limited to that small subset of user credentials that you can still manage to revoke. Furthermore, you just need a forest functional level of Windows 2003. In other words, RODC is supported in a hybrid mix environment of Windows Server 2003 and 2008 domain controllers.

Thursday, September 24, 2009

Windows 2008 license saving with Hyper-V

A friend of mine (a Server Manager in a large MNC) shared with me that I can potentially save more Windows 2008 licenses using Hyper-V. Before Hyper-V, you would need to purchase a server license for each VM. For example, if your host contains 4 VMs running Windows server 2003 using VMWare, you would need to purchase 4 copies of 2003 server license.

With the introduction of Hyper-V, each edition of Windows 2008 server comes with a certain number of free VMs (with server license included!).

Number of free Hyper-V VM for each edition:
  • Standard Edition: 1 free VM
  • Enterprise Edition: 4 free VMs
  • Data Center Edition: Unlimited
For example, an Enterprise edition comes with 4 free VMs. That would mean you can have 4 instances of Windows 2008 enterprise servers for the price of a single enterprise server license, as compared to purchasing 3 additional enterprise licenses if you use VMWare ESXi instead.

Looks like Microsoft is "out" to kill VMWare with this huge carrot dangling. Another business partner from Dell also shared with me that he can bundle a much cheaper OEM Data Center edition if I buy new hardware from him.

With a little planning, we can actually save more on licensing if we use Hyper-V. VMWare indeed has wonderful features like v-motion - live migration, bare-metal performance etc. But not sure if we really need that, esp when 2008 also supports quick migration and R2 has improved performance significantly; AND these additional features I heard are not cheap. To me, Hyper-V is probably good enough for most pure Microsoft shops. For environment mixed with non-microsoft platforms, VMWare has cool P2V and V2V tools for Linux/Unix migration when Microsoft is still seriously lacking in this aspect (only Suse Linux is supported at this point). Conversely, one may argue that none of the Fortune 500 has deployed Hyper-V in production yet - but hey Hyper-V is only available in 2008, most servers today are still running 03.

What’s New in Windows Server 2008 R2?

Monday, September 21, 2009

Openfiler on Hyper-V

It's pretty cool to build a virtual iSCSI SAN built on a RAID array of Virtual Hard Disks (VHDs) using Hyper-V. Download the ISO image of Openfiler and create a new VM to be installed from this image. Something to note for the OpenFiler + Hyper-V combo: (1) choose text based installation on OpenFiler; (2) use only virtual IDE hard disks (OpenFiler doesn't detect iSCSI on Hyper-V); (3) use the legacy network adaptor in the Hyper-V settings. As for the rest, follow this installation guide (which used VMWare ESX instead). After setting up an iSCSI target on OpenFiler, use the iSCSI initiator on Windows 2008 to connect and initialize the virtual storage in "Computer Management" as shown below.


Running Windows 2008 R2 on Home PC

Windows 2008 R2 (64-bit only) is now available for download. I downloaded it to get rid of my old WinXP and am trying out many new features. And it's free for 180 days, which means I could also further delay (or even skip) my Windows 7 upgrade. What's more - you can also experience new Windows 7 features by adding a new feature "Desktop Experience" on the server manager.

Add Hyper-V role and build a "Contoso.com" domain at home, which is ideal for the new MCTS (Active Directory) and even MCITP (Server Admin/Enterprise) wannabes. My "Contoso.com" is built on several VMs with two domain controllers (one full + one server core), one file server, one terminal server (now renamed remote desktop services), one Vista client and one Windows 7 client. Add another free linux-based OpenFiler VM for iSCSI SAN storage that is built on a RAID array of Virtual Hard Disks (VHDs). The outcome is a full scale of virtual enterprise infrastructure running on a single dual-core PC with just 4GB RAM.

Monday, September 14, 2009

Group Policy Preferences

You may want to do these for all your corporate desktops: Want to modify the registry settings? Need to lock down all USB device storage? Want to copy or delete certain files? Want to do all these without writing logon scripts? All these are now possible with Group Policy Preferences. Preferences are a new feature, alongside policy settings, in Group Policy Objects (GPOs).

Using Group Policy Preferences comes at no added cost but provides several advantages:
  • It improves IT productivity.
  • It reduces deployment costs by helping organizations reduce image count and reduce the cost of maintaining images.
  • It reduces configuration errors during and after deployment.
  • It reduces, if not eliminates, the need for complex logon scripts.
  • It allows you to fine-tune settings for users and computers throughout your organization.

Preferences have been available since the release of the new Group Policy Management Console (GPMC) on Windows Server 2008. Note: you need not raise the domain functional level to Windows 2008. New Client Side Extensions (CSEs - the enforcers on the clients) have to be installed on the clients for the preferences to take effect.

1) Group Policy Preference Client Side Extensions for Windows XP (KB943729)
2) Group Policy Preference Client Side Extensions for Windows Vista (KB943729)

It is recommended that you modify or manage a GPO from a Windows 2008 or Vista SP1 with Remote Server Administration Tools (RSAT). If you try to modify the GPO from a Windows Server 2003 or XP workstation, you will not see the new Preference capability.

References: http://www.microsoft.com/grouppolicy/

Saturday, September 12, 2009

Microsoft Virtual Desktop Infrastructure (VDI)

Besides RemoteApp, Microsoft Virtual Desktop Infrastructure (VDI) is introduced as part of Remote Desktop Services (RDS) in Windows Server 2008 R2. User sessions are executed on the client VMs (i.e. Windows Vista or Win7) residing on backend infrastructure i.e. Hyper-V hosts.

MS VDI comes in 2 variants: (1) static 1 user to 1 specific VM, (Personal Virtual Desktop); OR (2) many users share a pool of VMs (Virtual Desktop Pool) with common image.

For the former (personal virtual desktop), each user is assigned to a fixed client VM that can be personalized and customized by the users. These changes are available to users each time that they log on to their personal virtual desktop. For the latter (virtual desktop pool), a single image is replicated across many virtual machines. As users connect to the shared virtual desktop pool, they are dynamically assigned with any client VMs. Because users may not always be assigned to the same client VMs whenever they connect, any personalization and customization made by the users are not saved. If you choose dynamic virtual desktop pool and users still need their personalization and customizations, you have to consider roaming profiles and folder redirection as well.



Present-V Smart Card & Printer Redirection

Present-V supports smart card & printer redirection, even though the application is running on the backend server and the smart card/printer is located at the client desktop.

The same device middleware (or drivers) must be installed on both the server and the client. If you use ActivClient smart cards, ActivIdentity must be installed on both server and client, so that the server can locate the matching device driver. Whenever the application requires smart card access, TS would re-direct the I/O to the client local devices. Also, ensure that the Device and Resource Redirection is enabled, which is allowed by default.

Overall, this is how device redirection works:

Present-V Single Sign On (SSO)

Recently, I have worked with the interns to setup a cross domain Present-V POC, with the Exchange infrastructure on one domain and the windows clients & terminal server on another. Initially, winxp users need to keep logging in with password to launch remoteapp, while win7/vista users are able to launch remoteapp with Single Sign On (SSO). A deeper search reveals that SSO to Terminal Services 2008 uses the Credential Security Service Provider (CredSSP). CredSSP delegates credentials to defined target servers and is native to Windows Vista. Windows XP SP3 includes CredSSP but it is not enabled by default.

To enable SSO, here is the solution. Take note that SSO can only be used for password authentication (i.e. not smart card authentication)

Present-V Introduction

Microsoft Server 2008 Terminal Services offers a new feature. Instead of showing entire server desktops to the users, it can just present the application GUI. (Otherwise, showing multiple desktops can be confusing.) Hence, you can now have individual virtualised applications running on the backend terminal service, as if they were local applications running on your PC. Microsoft called it Presentation Virtualization (Present-V in short). The virtual application is known as "RemoteApp".

Step-by-Step guides are available here.

Typical deployment scenario that allows remote access over the Internet:

Thursday, September 10, 2009

OSPF stub behavior for Multi-VRF router

In an earlier post "Multi-VRF OSPF router becomes ABR automatically, even when it is not", the sub-command "capability vrf-lite" is added to the OSPF router process for Multi-VRF routers. This works perfectly fine when it is not supposed to be an Area Border Router (ABR).

When a new OSPF stub or totally stub area is added to this router, the multi-vrf router will not inject any default route to the new stub areas. As it is effectively an ABR, remove the "capability vrf-lite" command. Do "sh ip ospf process" to verify that it is injecting a default route into the stub area.

Wednesday, September 9, 2009

New T1/E1 card not detectable

When I slot in a new Cisco MIX-enabled T1/E1 Port Adapter into my new C7206VXR router, the card is not detected. The command "show controller" does not reveal the port adaptor.

As the card can be either T1 or E1 (i.e. there is no default), I have to use the card type command in global configuration mode:
(config)# card type {t1 | e1} slot subslot

Multi-VRF OSPF router becomes ABR automatically, even when it is not

Once I enabled vrf-aware OSPF (e.g. Router OSPF 1 vrf TEST), it made the router an Area Border Router, even though it was simply an area router (area 1) and didn't have a network statement for area 0.

Remote_R3#sh ip ospf 1
Routing Process "ospf 1" with ID 191.200.9.2
Domain ID type 0x0005, value 0.0.0.1
Start time: 00:17:34.712, Time elapsed: 00:26:21.840
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Connected to MPLS VPN Superbackbone, VRF TEST
It is an area border router
<--- cut off -->

As a result, none of my area 1 routers were accepting routes to the backbone subnet from the real ABRs (configured for area 0 and area 1).

To resolve it, I have to apply "capability vrf-lite" under the OSPF router process on all my area 1 vrf-aware routers. This command tells the router not to perform PE-specific checks.

Wednesday, September 2, 2009

Understanding Active Directory Groups

In the world of Active Directory, there are various types of groups. A group is used to collect individual objects, which otherwise would be difficult to manage. The first type is the Local group, which only applies within a single computer - this should not be used in a domain. The next type is the Domain Local (DL), which is used to manage permissions or ACLs to resources e.g. confidential folders that can only be accessed by the HR group. Global Group (GG) is used to define business roles, such as HelpDesk, Sales, Marketing etc. However, GG membership is only contained within a single domain. To work around this constraint, Universal Group (UG) is introduced to span multiple domains within the same forest. For example, an MNC has 3 different domains and each domain has a GG named Managers. Let's say there is a big project that requires collaboration among the different domain Managers GG. A new UG named "Big_Project" can be created to include the 3 GG within the forest.

To manage numerous groups, a process called nesting (or adding groups to other groups) can be used to create a hierarchy of groups. For a single domain, AGDLA is recommended: Accounts are members of Global Groups, which in turn are members of Domain Local groups, which are added to Access Control Lists (ACL) to provide the level of access granted to various resources. For example, assign Sales accounts to the Sales GG and Audit accounts to Auditors GG. Both global groups are assigned to a DL called ACL_Sales_Read. This DL can be assigned with read permission to access a folder that contains all Sales information.

For cross-forests, note that only Domain Local (DL) may include memberships of any domains outside a forest. If you need to assign permission to users at trusted forests, use DL to assign the ACLs.

Sunday, August 30, 2009

NAT Load Balancing with multiple ADSL


Recently, we switched ISP and migrated 3 x ADSL links for an Internet LAN. The above diagram is a simplified view. The route to the Internet was load-balancing among the 3 links. We were happy about the result until some users complained of slow Internet access at peak hours. I investigated (sh ip nat translation on EXEC mode) and realised that all the PAT (Port Address Translation) entries were only overloading on the first outside interface (Dialer 1) instead of all 3 dialer interfaces. In other words, all traffic was taking on the public IP of the first link, so the return traffic had to come back via that link only (the main bottleneck).

To work around this, I used route-map classification instead of just an ACL for the NAT target. After configuring, "sh ip nat translation" would show that the entries were taking on the 3 different public IP addresses evenly.

! load balancing default routes
ip route 0.0.0.0 0.0.0.0 dialer 1
ip route 0.0.0.0 0.0.0.0 dialer 2
ip route 0.0.0.0 0.0.0.0 dialer 3

! cause outgoing packets to overload on its outgoing interface
route-map d1-nat permit 10
match ip address 88
match interface Dialer1

route-map d2-nat permit 10
match ip address 88
match interface Dialer2

route-map d3-nat permit 10
match ip address 88
match interface Dialer3

! User LAN inside address
access-list 88 permit 192.168.1.0 0.0.0.255

! NAT operations
ip nat inside source route-map d1-nat interface Dialer1 overload
ip nat inside source route-map d2-nat interface Dialer2 overload
ip nat inside source route-map d3-nat interface Dialer3 overload

! Bringing load-balancing PAT to effect
interface fa0/0
ip nat inside

interface dialer 1
ip nat outside

interface dialer 2
ip nat outside

interface dialer 3
ip nat outside

Reference: IOS NAT Load-Balancing for Two ISP Connections

Bandwidth Measurement using Cisco Netflow

Netflow is great and handy for measuring the amount of resources used in a typical Cisco network. Netflow comes in 3 versions: v1, v5 and v9. The most common version is v5. Recently, I had to justify the amount of bandwidth upgrade for our Internet access - with a breakdown of the Internet application usage e.g. http, ftp, p2p etc. I configured the Internet router to keep pumping netflow data to a Netflow collector. I used an eval copy of PRTG network monitor (http://www.paessler.com/prtg).

The setup is amazingly simple:
On the router,
interface [WAN]
ip route-cache flow
ip flow-export version 5 peer-as
ip flow-export destination [Server IP] [UDP port]


Make sure that the Netflow collector is also configured with the matching server IP address and UDP port number. Few days later, I presented this chart to get my boss to agree on the bandwidth upgrade.
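
To show what the router actually sends to the collector, here is an added example (not part of the original post and not PRTG's code) that parses one NetFlow v5 export datagram and totals bytes per application. The port-to-application table, the function names and the sample datagram are assumptions constructed for this example.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
# Port-to-application labels are this example's assumption, not PRTG's classification.
APP_PORTS = {20: "ftp", 21: "ftp", 80: "http", 443: "https"}


def parse_netflow_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A collector listens on UDP, so reject anything whose size is inconsistent.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the record count in the header")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "srcport": f[9], "dstport": f[10], "proto": f[13],
        })
    return flows


def bytes_by_app(flows):
    """Total octets per application, matching either end of the flow to a known port."""
    totals = Counter()
    for fl in flows:
        app = APP_PORTS.get(fl["dstport"]) or APP_PORTS.get(fl["srcport"]) or "other"
        totals[app] += fl["octets"]
    return dict(totals)


def build_sample():
    """Constructed datagram: four flows between a 192.168.1.0/24 LAN and test addresses."""
    def rec(src, dst, octets, sport, dport, proto=6):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           1, 2, 10, octets, 0, 1000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 0, 0)
    records = [
        rec("192.168.1.10", "203.0.113.5", 120000, 49152, 80),
        rec("203.0.113.5", "192.168.1.10", 900000, 80, 49152),
        rec("192.168.1.11", "203.0.113.9", 4000, 49153, 21),
        rec("192.168.1.12", "198.51.100.7", 50000, 6881, 6881),
    ]
    header = HEADER.pack(5, len(records), 60000, 1251590400, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for app, octets in sorted(bytes_by_app(parse_netflow_v5(build_sample())).items()):
        print(f"{app:6s} {octets:>9d} bytes")
```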

Calculating number of voice calls


How many voice calls can a WAN link support given the amount of bandwidth, codec, packet header, payload and cRTP? This is a sample CCDA question on voice. Well, I have come up with a simple calculation. See the sample questions below:

Q1) Given a VoIP network with these attributes:
Codec: G.728, Bit rate: 16 Kbps, WAN Bandwidth: 256 Kbps, Packet Header: 6 bytes, Payload: 40 bytes, CRTP: Yes

How many calls can be made? Ans: 13
Amount of b/w per call = [voice overhead + packet header + payload] * 50 pps * 8
= [ 2(cRTP)+ 6 + 40 ] * 50 * 8 = 19,200 bps
Number of calls supported = Total bandwidth / bandwidth per call
= 256,000 / 19,200 = 13 (round-down)

Q2) Given a VoIP network with these attributes:
Codec: G.711, WAN bandwidth: 768Kbps, Packet Header: 6 bytes, Payload: 160 bytes, CRTP: No

How many calls can be made? Ans: 9
Using the same formula,
Amount of b/w per call = [voice overhead + packet header + payload] * 50 pps * 8
= [ 40 (no cRTP) + 6 + 160 ] * 50 * 8 = 82,400 bps
Number of calls supported = Total bandwidth / bandwidth per call
= 768,000 / 82,400 = 9 (round-down)