ICC logo IFAS logo


ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM August 14th 2009 REGULAR MEETING


A meeting of the ICC was held on Friday, August 14th, 2009 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-two members participated.
 
Remote participants: David Baudree, Tom Barnash, Micah Bolen, Jerry Britt, Dan Cromer, Francis Ferguson, Joe Hayden, Kevin Hill, Nancy Johnson, Kamin Miller, Mike Ryabin, Louise Ryan, Ron Thomas, and A.D. Walker.
 
On-site participants: Benjamin Beach, Dennis Brown, Andrew Carey, Lance Cozart, Wayne Hyde, Winnie Lante, Steve Lasley, James Moore, and Santos Soler.

 

STREAMING AUDIO: available here.


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

New members

Brian Longworth will be providing backup for Bob Huston at IRREC.

Bob Huston on Brian Longworth

He is a network resource who will only provide support when I am not available and there needs to be a hands on interaction here.

I lost my assistant [Brian Cain] so he will fill in for emergencies when I am out on vacation or sick. The plan is that Dr. Ritenour will call the help desk first and if there is a need for someone to do something on site he will call Brian to show up and assist. He may also be called upon for printer/print queue issues or to add someone to a security group. He may also need to create computer accounts or enable them.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside the top of our agendas.

Videoconferencing topics (previous discussion)

Polycom issues at the last two ICC meetings

Lance Cozart has been working on the issue which apparently was due to a number of separate things:

Private correspondence from Lance Cozart:


There were 3 separate issues:

  1. The Polycom had an audio problem. A new unit was installed.
  2. There was a network issue. There was a new switch installed in the rack and a new Bpop. The network ports on the switch were configured correctly. Since I did not have access I could not troubleshoot.
  3. There is an issue with the bridge. It does not support 4CIF [704 × 576 video resolution] or HD [1280x1024 on a standard or 4:3 monitor/HDTV and 1280x720 on a wide screen or 16:9 monitor/HDTV]. It will only work with low frame rate higher resolution with older compression or higher frame rate and lower resolution. I think that the bridge has reached its limit. A newer one would need to be installed to support the higher resolution and frame rate.

James Moore arrived just a tad late due to a network issue which required addressing with the help of Ben Beach at Clay County. Upon his arrival, Steve came back to this topic and briefly discussed what might be done to improve network troubleshooting for Lance. Apparently, he is stuck in the middle on resolving Polycom issues because the Polycom maintenance vendor requires that network issues be ruled out prior to becoming involved and CNS has so far not been able to help much in tracking potential network problems locations; the best they have been able to do so far is to tell Lance that the switch at his end shows no problems during periods where he is seeing lost packets on the Polycom monitoring console itself. Steve asked if a special VC VLAN might isolate that traffic in some fashion, make it easier to troubleshoot, and potentially provide Lance better access to network information.

James said that he could probably give Lance access to the same wiki which WAN Techs use. That system documents the paths and connections and might be of some help to Lance. Stars is another documentation source which may be of use to Lance. James said he would see what might be done on Lance's behalf and has plans to meet with him soon on this.

End-user Scheduling

Steve had been granted trial access to the Tandberg Scheduler and formed some opinions which he had inserted as a post-date addendum to last month's notes and which are reiterated here:

[While still under investigation, it would appear that individuals would be able to create a conference which only VCS staff or themselves could edit; this would greatly lessen the risk of opening conference creation to all. A flash demo of the Tandberg Scheduler interface is available. Furthermore, there is a setting for each individual endpoint which would allow e-mail notification when someone schedules that device. Combining that with the fact that any conference not scheduled by an administrator must be approved by VCS staff, it would appear that broad access to the TMS scheduler may be a desirable solution. Using only TMS via the web would allow removal of the web-based event/request lists which are problematic in not being synchronized with the actual schedule. VCS staff could then focus on approval (e.g., assuring sufficient capacity) and moderation (e.g., resolving conflicts among competing scheduling needs such as removing an endpoint from a scheduled conference at the request of the owner).]

Steve knows that Patrick is currently on vacation and wants to move slowly on this to make sure all aspects have been considered before pushing ahead.

WAN transition to CNS (previous discussion)

SLO to be discussed at ITPAC on August 19th

Steve plans to present the ICC Recommendation on the SLO for IFAS Wide Area Network Support. Any of you willing to speak from the viewpoint of those in the field would be most welcome.

James Moore arrived a bit late so Steve came back to this topic in order to make him aware that the ICC recommendation will be presented at ITPAC as part of a discussion and potentially approval of the SLO by ITPAC.

Steve mentioned that having James there might help bridge the gap between actual practice (for which Steve complimented James on his flexibility and understanding) and the sometimes fairly strict wording of the SLO itself that has been the cause for concern among many of those in the field.

Updates from James

James mentioned that Lake County was down this week for almost 36 hours due to a problem which turned out to be an issue with the provider. Getting such things resolved is always tricky because providers charge heavily if they send someone out and the problem turns out not to be on their end. This particular time was made more problematic because Francis Ferguson was off-site that day. Restructuring those connections with new modems in front of our routers should help with diagnosis in the future.

Lightning is a recurring issue. Clay County just lost its third router due to lightning within a 1.5 year timeframe. Putting the modems in front of the routers should lead to cheaper resolution of such issues down-the-road as well; the assumption is that the relatively inexpensive modem will take the hit instead of the much more costly router.

James has placed a large order for new router endpoints and has begun to engage providers in getting new modems for all the sites. The routers at all the CEOs will be replaced. 31 offices will be all new switch gear in addition. New WAPs will be deployed in Balm and at several CEOs.

Homestead continues to have problems in getting their 10Mbs connection. Apparently the conduit they were going to use is essentially full with cable which they are trying to figure out how to remove. That is the latest issue which has been holding things up there.

For Citra James is now thinking of going with a T1 with a balanced DSL for bandwidth instead of a 100Mps Metro connection. That would potentially reserve some dollar resources. James is going to do a traffic study for Citra to see how advisable that option might be. James noted that he often finds himself "wearing his IFAS hat" in the CNS staff meetings and proposing cost savings through re-use of existing equipment.

James mentioned that CNS is preparing an annual report for Dan Cromer and in that they will be looking at all the site connections and costs and trying to figure out where effects can best be applied next. James believes that Milton is one location that may benefit from their focus. Dan Cromer later said that this report is expected to be ready for the upcoming ITPAC meeting.


Policy


WebCT going away? (previous discussion)

Steve asked Dan Cromer if any people from IFAS were involved in this process. Dan responded that he believed Dr. Mark Rieger was involved. Dan himself has discussed the matter with Doug Johnson. Dennis Brown related that one of his faculty had participated in a teaching conference where the issue was discussed. They were told that UF was indeed moving to Sakai. Dennis believes there is one more year on the WebCT contract and the hope is to have Sakai ready to replace that when the contract expires.

[Note: Steve learned later after the meeting that some information on this project has now been posted on the UF IT site. This includes target dates for various steps in the process.]

CNS Network Monitoring System available for building networks on campus

Steve wanted to point out that CNS has a "Network Monitoring System" available. Steve did not believe this had been widely publicized. It provides a number of useful facts about CNS managed switches but does not go so far as to list MAC addresses on ports--at least currently. Steve is not clear whether or not this is the same as the self-service network management web interface which Marcus Morgan had discussed at ITAC-NI as coming for Wallplate customers. Steve had thought the proposed system was going to provide authenticated access so that each unit admin would have access to their own equipment. The site link prior does not appear to require credentials for access, though it may indeed be limited to on-campus addresses.

New myuf Market requisitioning system changeover beginning July 1st (previous discussion)

Steve mentioned that his own department (Entomology and Nematology) was going very slowly and carefully in this direction. Dennis related that his department (Horticultural Sciences) was approaching things similarly.

Winnie Lante said that there is an A&P training session on this set for next week. Ron Thomas added that the facility in McCarty G001 will be used as the originating point for this next Thursday, August 20th, 2-4PM. The organizers want to know about any IFAS sites which want to participate via videoconferencing. You can contact Glen Graham (352) 392-3893 to get put on the list.

Dennis related an issue whereby he had been instructed (as his unit's DSA) to delete some "old obsolete" roles for his people. Doing that apparently caused problems with their access to certain things. His bookkeepers, for example, could not monitor blankets accounts after the deletion occurred. Consequently, Dennis is trying to find out what roles need to be added back in and for whom.

Steve asked who Dennis's contact was on that matter and he replied that it was Jim Rauch.

Steve noted that he had just submitted a requisition for some software from SLS and had notice a mention on the bottom of the forms that these could now be attached to an order in myuf Market; so apparently some service organizations here at UF are already making good use of it.

UF IT Action Plan (previous discussion)

ITAC-NI revived temporarily?

Although the ITAC-NI committee had recently been asked to remain intact as a group until a new committee structure is finalized, no meeting has been held since May.

UF Information Technology web site updated

Dan Cromer wanted to point out that http://www.it.ufl.edu has been recently re-vamped and that it now includes a good deal of information about the reorganization including new sections on Governance and Projects.

UF Exchange Project updates (previous discussion)

UFAD/UF Exchange Object Naming Policy Document

Dwight Jesseman posted a naming policy document to the ACTIVEDIR-L list yesterday. It details the naming conventions for various Exchange-related objects in UFAD. Dan Cromer and Scott Owens were involved in reviewing that document prior.

Most of these objects are named by Scott when creating and maintaining mailboxes, so the majority do not affect the average OU Admin. Dwight did mention, however, that a particular concern is that SAM Account names match display names; those can easily get out of sync when an OU Admin changes (for example) the name of a service account or mail-enabled security group and does not attend to all the various associated fields as well.

Wayne Hyde mentioned that he might be able to develop a tool to help locate objects whose SAMA names do not match the display names.

Mike Ryabin was concerned over what he thought was a proposed change in the GatorLink username format, namely to "First.Last". Steve mentioned that he had the same concern initially. In talking with Dwight, however, he was assured that "Albert.Gator" was just used as an example and no such change in format would be forthcoming.

Mike also had a question about the naming convention for machines. Andrew Carey responded that all our machines should begin with "IF-" followed by a unit designation. This document is proposing nothing new in that regard. Steve added that he believed that most of the OU Admins that participate with the ICC are aware of the convention and follow it. There are some exceptions out there, however, where machine are named "whatever" and he suspected that Wayne will eventually be in touch regarding those. Wayne responded that a PowerTool to locate non-compliant machine names is on his list for when he gets the time.

Rehydration of attachments

Dennis Brown mentioned that he believed he had heard that a self-service attachment rehydration service was being planned for the web. He wondered if anyone else had that impression or if he was just dreaming. Steve didn't know of any such plans, but noted that it could certainly be a good dream for everyone because it could save a lot of time and effort were something like that possible. Steve suggested that Dwight might read this in the notes and comment; otherwise, Dennis could query him directly.

Office Communications Server

Most seem to still be waiting to hear how licensing will be handled. If a department has to purchase a quantity of CALs equivalent to the number of users in their OU, then Steve suspects that most units will opt out. If, on the other hand, a certain number of licenses can be purchased and doled out as needed, then this service will be much more attractive.

Dan Cromer reiterated that departments would have to pay for licenses individually, but seemed confident that a department with say 400 in their user OU could purchase say only 50 licenses just for their faculty and staff for example. Dan said that we are currently in a holding pattern on purchases and it has not been decided if departments will go through UF Exchange or directly to Microsoft for those. No new licenses are being purchased currently until the new census is done for the October re-negotiations of our CALs. At this time, new users can just be added (in fact that is being encouraged in order to get folks to try it out), but they will have to be accounted for later only if usage continues past the renewal point.

Currently, the IFAS access to OCS is handled via the IF-OCS-USERS security group. A script runs every 15 minutes which examines the membership of that group and SIP enables those users in UFAD for OCS access. Scott Owens is currently the one who manages the membership for that group, so OU Admins can send Dan or Scott requests of usernames you wish added.

The issue of bandwidth was also discussed. Testing must be done to determine what effect OCS usage might have on overall networking situation over our lesser links. Louise Ryan said that she has had no problems at Quincy, but then again Quincy has a relatively good 10Mps connection. Steve suggested that Immokalee might be a good test location and Kevin Hill agreed to participate in that. Currently he has only used OCS with audio and not video. The question is how well OCS drops back on connection speed when the pipe begins getting congested.

Dan Cromer mentioned that he is working with Dwight Jesseman and John Pankow to integrate OCS with the Codian bridge. Unless a new bridge is purchased which has additional features for SIP integration with H.323, the plan currently is to set up one or more pre-defined "conferences" in the GAL named similarly to "+ IFAS-Conference-1". OCS clients will be able to add those as OCS contacts and join a bridge-hosted VC via that method. The methods for actually scheduling those conferences is yet to be worked out.

Dennis asked about connection via Windows Mobile. Dan cautioned that the OCS server is on a private number and thus will require a VPN to be used when off our campus network. He also mentioned that he has been testing the Mac OCS client (Microsoft Messenger for Mac 7.0.2) along with Entourage 2008 Web Services Edition. That new client improves things greatly according to Dan.

Dan mentioned that the UF Exchange website has added a new section on Real-Time Communications that has documentation on Microsoft Office Communicator. There is a link there to OCS Training for Technical Support which you are encouraged to view along with Microsoft's Communicator and Live Meeting training. Dan also mentioned Office Communicator Web Access which is linked off the UF Exchange Home page. The browser-based access is limited to chat and desktop sharing for those using IE.

At Dan's suggestion, Steve intends to start using OCS at the ICC meetings for out-of-band messaging.

Steve wants to point out that the minutes of the UF Exchange Advisory Committee have been posted regularly this calendar year and are available at http://www.mail.ufl.edu/advisory.shtml.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


Projects


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Windows 7 Enterprise is now available as an ISO directly from https://vista.ad.ufl.edu/downloads/ or via the IFAS Software site (if-admn credentials required for access). MAK keys are apparently not yet available but KMS is now ready after a short delay, so Enterprise installs joined to UFAD will be automatically activated.

Near the end of our meeting Erik Schmidt posted to the ACTIVEDIR-L that Enterprise and Ultimate editions have the exact same feature sets, but that we are not licensed for and will not be receiving Keys for the Ultimate version. Consequently, Erik removed the Ultimate ISOs which had been previously posted.

Steve mentioned that the SharePoint site for Windows 7 Deployment was inadvertently deleted, but it is back now. Steve encourages folks to set up alerts so they will see any movement on that.

Andrew Carey cautioned folks to expect issues with the login scripts with regards to mapping drives, etc. Windows 7 is essentially "Vista 1.3" (according to Mark Minasi) and has all the same issues. Andrew is hoping to have our logon scripts converted to Group Policy Preferences (GPP) before Window 7 hits the streets, but he would not recommend a mass deployment at this time due to those issues.

Steve asked about the issues in moving to GPP and Andrew responded that the difficulty lies mainly in the complexity of our login script structure. We have potentially hundreds of individual scripts which must be accounted for due to the way that is currently handled. The master script potentially calls a separate script for each group a user is a member of. Steven asked if there was any way each OU Admin could help out with that for their own units. Andrew said it may come to that, but he does have a lead on a script that will read the login script, parse the information and put it into a group policy.

Kevin Hill mentioned that he uses an EnableLinkedConnections registry workaround to get his login scripts to work properly. Andrew is cautious of that approach because Microsoft may not support it and it may have security implications.

Andrew also mentioned that he is looking into Explorer alternatives which can be runas ufad\if-admn in order to provide GUI access to network resources from Vista and Windows 7. Steve has been using the portable version of SE-Explorer for that and it seems to work pretty well.

Exit processes, NMB and permission removal (prior discussion)

Nothing further was available on this topic at this time.

Re-enabling the Windows firewall

This is still planned but is pending the time to implement.


Operations


Should IFAS continue its VPN service?

Yesterday Dan Cromer raised this question:

Message from Dan Cromer to ICC-L:
"Re: [ICC-L] ICC meeting 10AM tomorrow *at ICS*"
Thu 8/13/2009 12:13 PM


One item for the agenda I meant to discuss earlier is the UF L2TP VPN. I've used it or the Cisco software install successfully now for the last month or so, including with Windows 7 64-bit version. I've long said that we should eliminate (or at least reduce the use of) the IFAS VPN when the UF provides an alternative. I'd like to make the IFAS VPN reserved for special cases only, and right now I know of no such need.

Steve pointed out that we had discussed this over four years prior and at that time the IFAS VPN had certain advantages which were believed to be useful. Steve asked if this service was currently taxing our resources and Dan replied:

Message from Dan Cromer to ICC-L:
"Re: [ICC-L] ICC meeting 10AM tomorrow *at ICS*"
8/13/2009 12:50 PM


Some of my machines using UF L2TP VPN are defined to AD, some not. Every additional service IT provides requires addition resources to maintain the service. Our human resources are very much over-taxed, so we have to prioritize which things get done and which things are deferred, sometimes indefinitely. I'm very uncomfortable that our IFAS VPN issues public IP addresses, making the clients reachable from external attackers. This violates UF policy, see node security standard item 5 at http://www.it.ufl.edu/policies/security/uf-it-sec-network.html. The original requirement for public IP for a reserved IP block for specific vendor site access is no longer valid. Using a public IP for Polycom PVX access has also generally been discontinued.

Additionally, Dennis Brown commented:

Message from Dennis Brown to ICC-L:
"Re: [ICC-L] ICC meeting 10AM tomorrow *at ICS*"
Thu 8/13/2009 12:47 PM


I'm curious to know how many people use the IFAS VPN at one time and the effect that increased load will have on the L2TP VPN.

Another thing to consider is that responsibility for everything done over VPN reverts back to the user's home department. If someone downloads copy written material (movies/music) to their home computer over VPN the local subnet manager gets a CNS trouble ticket. If we move our users to the CNS VPN will we be able to block troublesome or virus infected users from Internet access in the same manner we do with ADUC as we can with the IFAS VPNs? If not is that something we should be giving up?

Then James Moore offered his assistance:

Messages from James Moore in response to Dennis and Steve:
"Re: [ICC-L] ICC meeting 10AM tomorrow *at ICS*"
Thu 8/13/2009 2:57 PM and 8/13/2009 3:01


All valid concerns.

There should be no problem with load at all.

If we do an "/ifas" VPN, the associated netblock would be linked to the IFAS ISM. The IFAS subnet manager would get an email for security issues. We can also block the individual user from accessing the VPN and not affect their other access.

We can do an IFAS L2VPN that would have space specifically reserved for IFAS, and whose membership would be controllable via a UFAD group (username@ufl.edu/ifas). Currently we allow up to 8 groups with only users in them, but we will be rolling out improvements to that in the near future. We would be happy to discuss any additional membership requirements outside the bounds of this scope.

Steve wanted to point out that Network Services' offers both a Cisco Client and a built-in L2TP/IPsec client. The latter does not involve installation, but both are documented at http://net-services.ufl.edu/provided_services/vpn/vpn-install.html. Steve tested the L2TP/IPsec version from home last night and he was pleased to note that it does provide access to shared file resources in IFAS via UNC path (i.e., \\ad.ufl.edu\ifas). He also tested that using "logon via dialup with Windows 7 over wireless and it worked just like a wired campus connection, mapping drives and the whole nine-yards.

Winnie Lante and Mike Ryabin said that they had previously had issues accessing shared resources when using the Cisco Client and Joe Hayden commented via e-mail that the IFAS VPN was the only thing that would work for them from Camp Ocala.

While a number of ICC members had a bad impression of the Cisco Client, James Moore mentioned that he has been using it for many years and he appreciates its configurability for various tunnel configurations. James did say that the Cisco Client can support authentication to UFAD. He also mentioned that an upcoming SSL client will not require an install but rather one may use a web browser to initiate the connection.

Wayne Hyde noted that IFAS has a maximum of 60 simultaneous connections so that load should not prove difficult for CNS to support. Steve asked Wayne how much work the IFAS VPN created for ITSA and whether off-loading that to CNS would save any significant time for them. Wayne responded that if the UF IRT alerts keep coming to us then it will not free up a significant amount of time. Steve then asked if Wayne was in favor of such a move and he responded that he was.

It was decided that we would each begin exploring utilizing the UF VPN service with our users and start looking for any issues which might arise. In the meantime the IFAS VPN would remain until we were convinced that CNS could provide this as well or better. At that time we would schedule a switchover date and make sure all users were notified. James added that Chris Leopold and he could sit down with Chris Griffin to see if they are any changes which could be made in the VPN configurations in order to better support the needs of IFAS.

Wayne's Power Tools (previous discussion)

Because of resource (application pool) issues on if-srv-web, Wayne Hyde is working on moving his tools to a new VM. This promises to significantly increase the speed of his tools in most cases. There is nothing Wayne can do, however, about speeding up AD LDAP queries.

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

As with so many things in these times of inadequate staffing, finding time for implementation is proving difficult.

New MPS/DC testing -- access by unit-level administrators

Steve once again failed to ask, but Andrew certainly continues to work on this.

Core Services status

We skipped this topic due to time considerations.

ePO updates

Wayne recently deployed ePO version 4.5 which includes a number of changes to the web-based ePO console. Wayne had posted a couple of message to the ICC-L regarding this. The first of these reminded OU Admins that VSE was never been pushed out and that pushing out of the agent via login script is now ending as well:

Message from Wayne Hyde to ICC-L:
"ePO upgraded to 4.5 and other important changes"
Thu 8/6/2009 10:10 AM


ePO 4.5 is now up and running. A new management agent will be checked in next week and pushed out to upgrade existing agents.

We will no longer push the McAfee Agent via the IFAS logon script. McAfee finally added embedded credentials to the latest agent installer, but there seem to be some potential issues with the installer given the security measures McAfee recommends. With that said, OU admins will be responsible for pushing the agent and antivirus to their own machines. This can be accomplished two ways:

  1. Install the CMA and AV manually preferably when you add the machine to the domain. The CMA and AV installers are located at \\ad.ufl.edu\ifas\security-tools.

  2. Tag the systems in ePO with the PushAV and/or PushCMA tags and let the server do it for you.

Please note that the second method does not always work. For example, a system may be behind a NAT device which prevents the server from talking directly to the client and pushing the software. The client machines also may not be online during the scheduled push times.

I will be creating ePO accounts for everyone which will use your ADMN credentials for authentication. I hope to have this done before the ICC meeting next week. The ePO web console can be reached at https://epo.ifas.ufl.edu:8443.

One new feature in ePO 4.5 is that client side tasks can be enabled via system tagging. I am going to enable tagged based on-demand scans in ePO using this method. This will be discussed more at next Friday's ICC meeting, but the basic logic is you tag a system with a "Scan Weekly - Friday" tag and it will enable a client-side McAfee On-Demand scan every Friday. The difficult part will be making enough variations of the new "Scan" tag to satisfy most people's needs of daily/weekly scans at various times and days. I'd like to keep the number of tags to a minimum, so hopefully we can all agree on a few combinations.

The on-demand scan task options for McAfee 8.7i include deferring the scan if on battery or during a presentation which wasn't available for 8.5i.

We still have 289 machines running McAfee 8.0i. I have tagged all of these systems with PushAV to upgrade them to 8.7i. Once most of these are upgraded I will start tagging computers still running 8.5i.

The second post added information about how tagging will work:

Message from Wayne Hyde to ICC-L:
"ePO upgraded to 4.5 and other important changes"
Thu 8/6/2009 3:17 PM


Since ePO4 allows client tasks to be scheduled based on tags, I am changing the way the PushAV tag works. Instead of moving systems to the PushAV group where only I can see/manage systems, I am adding a client task across all OUs that will push AV87i if the PushAV tag is present.

This will make it much easier for you to see where there are problems pushing antivirus to your machines since you will still be able to see the systems in your OU. For example, if a system remains tagged for days and you know it is online then you know you have an issue.

Later the next week, Wayne shared further:

Message from Wayne Hyde to ICC-L:
"ePO 4.0 web access"
Tue 8/11/2009 11:26 AM


You may have already had web access to the ePO console, but this email is for those of you who have not used ePO and to encourage everyone else to use it daily to check the status of your machines for virus detections and to ensure all your machines have the ePO agent and McAfee installed.

To access the web console, point your browser to: https://epo.ifas.ufl.edu:8443/. You will log in using your ADMN credentials. I have added some custom dashboards to the top bar that will provide you with enough information to get started. The dashboards are accessed via the following toolbar: ePO 4.5 toolbar

Most everything in the dashboards is clickable. For example, on the “Your Systems” dashboard you can click on “8.0.0.912.Wrk” in the “Public – ePO: AV Deployment count” to bring up a list of systems that have McAfee 8.0i installed. Using this list you can tag systems with the “PushAV” tag to upgrade the antivirus from 8.0i to 8.7i. You can also see individual system details by clicking on a single line of the table, etc.

As I stated in a previous ICC email, the preferred method to installing an ePO agent and McAfee on a machine is when it is built or even when added to UFAD. But you can also tag systems in the system tree with the PushAV and PushCMA tags to install antivirus and the agent.


Message from Wayne Hyde to ICC-L:
"RE: ePO 4.0 web access"
Tue 8/11/2009 11:35 AM


One thing I forgot to mention – if you don’t have access to an OU that you should be able to manage/see, please let me know. I’m currently working with McAfee support to figure out why automatic permission sets are not working via Active Directory groups.

I had to give everyone permissions to their OUs manually, so I may have made some mistakes. I based it all on membership of the . IFAS-ADMN-XXXXX groups. Easy way to see what OUs you have access to is to click on the “System Tree” at the top. Your OUs will be under UFAD on the left.

Yesterday Wayne made some changes that will affect how one logs onto the system:

Message from Wayne Hyde to ICC-L:
"RE: ePO 4.0 web access"
Thu 8/13/2009 8:31 AM


It appears I’m having to work around some undocumented oddities in the user management side of ePO to provide better integration with UFAD groups. For those of you that have logged in to ePO, you’ve done so just by using “if-admn-xxxx” as your username instead of “ufad\if-admn-xxxx”. This is going to change in order for me to get Active Directory group mappings to work in user management.

After final configuration of new accounts Wayne offered the following:

Message from Wayne Hyde to ICC-L:
"ePO 4.5 console access fixed"
Thu 8/13/2009 1:49 PM


I’ve added a new dashboard named Deployments to the top bar. On this dashboard you will see two pie charts, two bar charts, a line graph, and a quick system search. One thing to note is the top two pie charts show the # of events for all of IFAS until you click on the success/fail colors. Once you click into the chart it will filter the events for your managed computers. So you may see 212 failures on the main pie chart (all of IFAS) but only 3 or 4 of these are for your OU. Annoying, but nothing I can do about it.

The bottom graphs are already filtered to only show your managed systems.

Once you have logged in, please verify that all of your managed OUs are showing up by clicking on “System Tree” at the top of the screen. You should see the list of OUs you manage on the left pane under “UFAD”. If you don’t, let me know and I’ll see if there are any errors in the permission groups I’ve mapped to the various ". IFAS-ADMN-" groups in UFAD.

Steve pointed out that he has tried to update the web documentation on ePO (ufad\if-admn credentials required) and would appreciate comments on how to improve that.

Wayne walked Steve through a demo of the new ePO 4.5 console showing the new arrangement. That aspect won't be covered in these notes, but if you would like to follow along, the discussion occurs at the 1 hour 46 minute point of the audio stream. Wayne reiterated most of what was mentioned in his earlier e-mails and added a number of hints on the user interface which are worth listening to.

Wayne mentioned that yet another agent will be coming out in a couple of months which promised to enable user-based policies. That will allow us to control settings based on GatorLink; thus an individual could have settings/restrictions on a given computer as opposed to one set affecting all.

Status of SharePoint services (prior discussion)

This aspect was not covered this month but will remain as a standing item for future discussion.

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...

Microsoft

The August Microsoft patches include five critical and four important updates for Windows. A nice podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".

MS Office News update

No news to relate.

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status

Steve wants to leave this matter as a standing agenda item for future discussion.


Other Topics

VoIP via Ethernet to campus

Ft. Lauderdale is now using Cisco VoIP for its phone service. Mike Ryabin is interested in the potential for routing phone traffic meant for the UF campus via the campus Ethernet connection rather than out through their local phone provider. That has the potential for eliminating a good chunk of their long-distance phone charges.

Entourage 2008 Web Services Edition

Outlook for Mac is coming with the next version of Office for the Mac; this will be a complete rewrite and not a revision of Entourage. In the meantime, Entourage 2008 Web Services Edition is now available as an update for Office 2004 for the Mac. The main difference is that the connection protocol used is "Exchange Web Services" instead of "WebDAV". Apparently, this offers a more robust connection to Exchange and folks are encouraged to try it out with their Mac users.

PDF-Xchange

Andrew mentioned that Joe Gasper is using PDF-Xchange for his unit and that Andrew is looking at its applicability to our situation in IFAS. It would be great to get away from Adobe's horrendous security update support. Joe mentions that "the free viewer handles saving fillable forms, comments, adding your own overlay of text, boxes, lines, etc., has a tabbed interface, but best of all has a portable version you can install to a shared folder"--so there is no problem with updates.


The meeting was adjourned on-time at about noon.