IFAS COMPUTER COORDINATORS
NOTES FROM October 8th 2010 REGULAR MEETING
A meeting of the ICC was held on Friday, October 8th, 2010 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.
PRESENT: Sixteen members participated.
Remote participants: Andrew Carey, David Bauldree, Bill Black, Dennis Brown, Dan Cromer, Francis Ferguson, Marvin Newman, Scott Owens, Mike Ryabin, and John Wells.
On-site participants: Micah Bolen, Wayne Hyde, Winnie Lante, Steve Lasley, Chris Leopold and Santos Soler.
STREAMING AUDIO: available here
Agendas were distributed and the sign-up sheet was passed around.
Steve noted that Kamin Miller no longer works for Plant Pathology, but is now working OPS with Dennis Brown for Horticultural Sciences while interviewing for an IT Intermediate position.
Jon Brush, from the UF Computing Help Desk, will be Kamin's replacement at Plant Pathology.
On behalf of the entire ICC, Steve extends our deepest sympathies to Nancy Johnson for the recent loss of her husband, Bob.
In case you hadn't heard, John Sawyer will be leaving UF for a new position with InGuardians. John started with IFAS working OPS for Environmental Horticulture and moved to ITSA as our ISM prior to Wayne Hyde. John has been with the UF Security office for the past five years and is now spreading his wings. He will remain in town working from home with frequent traveling. We wish him the best of luck.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
Videoconferencing and WAN discussion
[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]
Videoconferencing topics (previous discussion)
Polycom maintenance renewals
The last major batch of Polycoms was purchased by the VP nearly three years ago and maintenance renewal will be left up to each unit. That has been discussed with the Administrative Council and Dan Cromer plans to send out a note to them today listing the options for those wishing to renew.
Dan mentioned that he had been to a Tandberg "Show and Tell" yesterday and it was interesting to see some of their new stuff.
Dan Cromer said that it is still planned to allow at least some folks access to TMS to schedule their own videoconferences. This is just one of those projects that is moving very slowly. If the ICC feels this should be a higher priority, Dan offered to see if he couldn't get that sped up a bit.
Office Communicator infrastructure status (previous discussion)
Dan Cromer related that with its next version OCS is being renamed to Lync.
New VC gateway status (previous discussion)
Update as available...
Recording lectures for Distance Education (previous discussion)
Updates as available
As was discussed on the Accordent-L list, new skins are available but one apparently has to submit a ticket to Accordent support to get those.
WAN transition to CNS (previous discussion)
Connection of UF and IFAS Remedy systems with the CNS Remedy system
Updates as available...
Updates from James Moore
James reported that his two major projects currently are CEO upgrades and an upgrade at the Lake Alfred CREC. A team of folks from CNS (Pete Mauro, Nancy Watson and Bruce McIntosh) is assisting James with the CEO upgrades while James focuses on a VoIP upgrade at Lake Alfred for the next two weeks or so.
Three and one-half weeks from now CNS is going to do a "forklift" upgrade at CREC replacing the WAPs, the switches and the router. They will be installing a new voice gateway as well. They will be moving from their own CallManager to using the one on-campus and their wireless will use campus controllers as well.
Steve asked if CREC was on UFAD yet and Chris Leopold responded that a number of their services were not. That is being planned for after the new network infrastructure is in place.
Steve asked if moving to UF CallManager would give them more potential points of failure for their phone system. James responded that they have a local PRI; the one change is that the phone features will come from the CallManager here on the UF campus. The gateway they will be installing is an SRST router that can provide what is basically an extension of CallManager features during a WAN link outage.
CREC will be keeping their local numbers but calls back to campus will cost less. CNS will be paying for their local PRI and they will be paying the same $12/phone/month as campus units do. Mike mentioned that this option wasn't available at the time he moved to VoIP at Ft. Lauderdale, but was pleased to know that this might be available in the future. It wouldn't be cost effective until they needed a refresh of their local CallManager Express and licensing, however.
CNS is looking at the details at each CEO to see whether or not some can get better connection deals. Since moving to different providers requires renumbering they hope to coordinate such changes with the router replacements so that district support staff need only make one visit per site. This won't always be possible, but it is a goal.
In many cases Polycom is not handling being NATed behind DSL routers well; consequently, James is working on a new design. CNS has been filtering communications from the Polycom on the VPN tunnel so that it would go through the Internet rather than be forced back through campus on an encrypted tunnel. They also filter the traffic from the dynamic NAT pool to ensure it gets a static NAT translation (see NAT vs. PAT). While you would think this would work, the Polycom somehow gets confused in communications with the UF bridge and starts trying to communicate via private numbers, which either breaks the call or results in uni-directional video.
Most CEOs have a /29 of public IP space, which leaves six usable IPs. James is going to break those into two /30s. One of those ranges will be used for the SVI which is the communication between the DSL router and the Cisco router. The other range will be routed on the inward-side of the Cisco router and the router will statically assign each Polycom with their public address (rather than using a DHCP reservation on the MPS as has been done prior). That will take NAT out of the equation.
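The /29 split described above, worked through as an added example (not code from CNS or the ICC). The 203.0.113.8/29 block is a constructed documentation range, and which end of each /30 gets which address is an assumption.

```python
import ipaddress

# RFC 1918 ranges are checked explicitly: Python's is_private also flags
# documentation ranges such as 203.0.113.0/24, which this example uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the network falls inside private (NAT-requiring) space."""
    return any(net.overlaps(r) for r in RFC1918)


def plan_ceo_addresses(block):
    """Split a site's public /29 into a link /30 and an inside /30."""
    # ip_network() is strict by default: host bits set -> ValueError.
    net = ipaddress.ip_network(block)
    if net.version != 4 or net.prefixlen != 29:
        raise ValueError("expected an IPv4 /29")
    if is_rfc1918(net):
        raise ValueError("block is private space; NAT would still be needed")

    link, inside = net.subnets(new_prefix=30)
    link_hosts = list(link.hosts())
    inside_hosts = list(inside.hosts())
    return {
        "usable_before_split": len(list(net.hosts())),
        # Link between the DSL router and the Cisco router.
        "link_subnet": link,
        "dsl_router": link_hosts[0],      # assumed: lower address
        "cisco_outside": link_hosts[1],   # assumed: upper address
        # Routed on the inward side of the Cisco router.
        "inside_subnet": inside,
        "cisco_inside": inside_hosts[0],  # assumed: gateway takes the lower address
        "polycom": inside_hosts[1],       # static public address, no NAT
        # Each /30 spends two addresses on network and broadcast.
        "usable_after_split": len(link_hosts) + len(inside_hosts),
    }


if __name__ == "__main__":
    for key, value in plan_ceo_addresses("203.0.113.8/29").items():
        print(f"{key:20} {value}")
```

With conventional addressing, the inside /30 has room for the router interface and one endpoint, so the split trades two of the six usable addresses for a NAT-free path to the Polycom.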
James said that Polycom communication rates have to be turned down in many cases and that this is something which must be considered at many CEOs until circuits can be improved. Steve asked if Microsoft OC has caused any problems, because it tries to grab as good of a connection as it can. James said he is keeping an eye on that but has not noted issues so far; the potential is certainly there for this to become a problem, however.
The details of the new connection for Immokalee have apparently been worked out with Comcast and that should be moving ahead. Belle Glade is very close as well and James expects to have that on-line in about four weeks or so.
Alternate IFAS domains in e-mail
Steve wants to keep this on our agenda for future discussion. He believes there is no advantage to having multiple aliases and that we should move towards removing those if possible.
Updates from the October 4th ITPAC meeting
Steve passed around a handout from ITPAC which Elias Eldayrie had provided describing the proposed Governance structure. Steve noted that the chairman of ITPAC will be invited to sit on the IT Policy Council. Elias likes the IFAS ICC/ITPAC structure and does not intend to change things which are already working. Steve wants to invite Elias to an upcoming ICC meeting but would prefer to wait a bit until some of these beginning details have been all worked out.
Dennis Brown, who is the new ICC representative to ITPAC, reported that the CIO covered four basic points, the first of which Dennis missed. The second one was governance and the third was funding. Dennis said that Elias wants to move away from a chargeback model for IT services. The fourth point was engagement.
Al Wysocki raised the question of the Polycom maintenances needing renewal which Dan discussed with the committee. It was also decided that an announcement should be made about the Accordent.
The use of social media such as Facebook was discussed. Extension folks noted that IFAS is well behind other places in making use of that. Blogs were discussed as well. IFAS doesn't have a good blogging solution currently though some are looking into Wordpress for that.
Dennis added that the minutes are not yet complete but he can share those once they are available.
Identity Management (IdM) Interface Training
Steve wants to remind everyone of the "UF_PA_IDM_NETMGR" role which will allow you to set NMB for your users. Your Department Security Administrator can do that for you.
Sakai e-Learning System now in production (previous discussion)
Steve noted that Sakai can upload single files directly, but if you want to upload multiple files or folders you need to configure WebDAV. That function apparently does not work with Windows 7 machines, however; or at least Steve was unable to get it to work and the instructions only cover XP and Vista. Steve was able to connect from Win7 via a free evaluation copy of a third party application called WebDrive, however. The cost of that is $59.95.
myuf Market (previous discussion)
Steve wants to keep this on our agendas in case discussion seems warranted.
There have been a number of printing issues noted with the new UF portal which was recently implemented. Wendy Williams reported via the ICC-L that small printouts on IE8 could be solved by clicking on the little arrow next to the printer icon in IE on the right upper side, selecting Page Setup and unchecking Enable Shrink-to-fit. Marvin Newman reported there are still other issues such as the bottom 1/3 of the page being cut off in printouts of the weekly time card calendar.
UF Exchange Project updates (previous discussion)
UF Exchange upgrade
UF Exchange is moving to version 2010 starting the evening of October 29th and should be complete by Monday, November 1st. Entourage users will need to upgrade to Office 2011 for the Mac because UF's Exchange 2010 service will not support the WebDAV access method utilized by Entourage. The good news is that the new Outlook client within Office 2011 appears quite superior.
Dan Cromer said that Outlook 2011 for the Mac looks quite good and mentioned that documentation on connecting with that to Exchange should be available soon at http://mail.ufl.edu.
Once the switch is made those with mobile devices who had to change settings from "mail.ufl.edu" to "legacy.mail.ufl.edu" previously (when the mail stores were moved) will have to change things back again.
Barracuda load issues
This issue was mentioned last meeting and Steve had noted that he had indeed stopped getting daily Barracuda reports until just recently. Dan Cromer reported that a Barracuda setting termed "fingerprint analysis" had been disabled in an attempt to address the backlog issue on the Barracudas. They also had added a trial third device which would cost about $10,000 if it was purchased.
Over the long term, however, there has been discussion about dropping Barracuda and relying solely on the OSG's ProofPoint application. That system apparently has many of the features of Barracuda which just have yet to be implemented here, including providing the ability for users to control their own settings. Dan said that he configured his own Barracuda settings to not block/quarantine at all for the last week and has seen very little increase in the amount of spam delivered to his inbox.
Centralized FAX service via Exchange (previous discussion)
Dan Cromer noted that Elias wants ROI figures developed for this proposed service. Erik Schmidt will be working on that once he returns from extended leave. The overall value of such a service would seem to Steve to be a no-brainer but Elias is right to have estimates in hand before proceeding.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
IT survey is coming (previous discussion)
Dan reported that the survey is still being refined but that he will let us know as soon as he has something on that. Steve asked if they had considered backing off on some of the detail which they initially were wanting. Dan responded that they were working on a batch upload process to make data entry easier.
There has also been some discussion about collecting the MAC addresses from all the switches and trying to correlate those with inventory.
Decision coming next week on campus-wide Distance Education software solution (previous discussion)
Dan said that he had apparently misunderstood the intention here and this was not as he had thought when he mentioned this to us at our last meeting. This is not a replacement for Elluminate or Accordent or anything like that. UF is contracting with Compass Knowledge Group out of Orlando for converting classes to Distance Education. This company will convert revenue generating classes (based on an analysis they will do) for a percentage of the take. With this move UF is basically out-sourcing the creation of distance education courses. Compass Knowledge Group will be the preferred vendor but any department could still handle things otherwise as well.
Micah Bolen said that Ag Education has hired some people to develop modules for professors' presentations.
Negotiations underway for the Microsoft Campus Agreement
Chris Leopold expressed concern about server licenses and whether they would continue to be paid off-the-top. Steve is equally concerned with the eCALS along the same lines; those are what permit the wide deployment of MOC/Lync, SharePoint, Forefront Edge Protection and a host of other potentially important services.
IFAS WebDAV implementation
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM
Windows 7 deployment
Nick Smith had mentioned previously to Steve and Micah that he has been using the Microsoft Deployment Toolkit extensively and feels quite comfortable with it now. Nick had offered to share his distribution point with others should they wish to get a quick "leg-up" on using that.
Micah said that he has stopped considering using these tools for widespread deployment at this time. Rather, he is using this opportunity to move people's files to the server, basically one machine at a time. His goal is to get his users away from using local storage.
Chris Leopold said that he had been playing with SCCM a bit (we have lost Daniel Solano who was our previous "expert" on this) but he found it to be quite buggy and doesn't believe a new version is due anytime soon. Steve knows that folks are using SCCM very successfully, however. What we really need is to get someone trained on that; the overall savings would be tremendous--not just in OS deployment but with regards to third-party application deployment and keeping those things fully patched across all our systems.
Exit processes, NMB and permission removal (prior discussion)
Nothing further was available on this topic at this time.
Re-enabling the Windows firewall (prior discussion)
Update as available...
Services Documentation: Is a Wiki the way? (prior discussion)
Steve skipped over this topic but will keep it on our agendas.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Replacement print server aftermath (previous discussion)
Steve asked if there were any major issues remaining; his unit had just a couple small glitches which Santos Soler resolved promptly. Chris Leopold said that these were mostly issues with the initial settings for the HP universal drivers and those should have been corrected by now. Multi-purpose devices need to be configured locally to point to the new print server as well; that can generally be done via a web interface.
Chris has worked with the Help Desk to get them up-to-speed on adjusting printer settings. ITSA is taking over the creation of print queues from the Help Desk as well.
Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Dan reminded folks that the plan is published on the IT Wiki. Elias has requested ROI (Return On Investment) studies on the last three items:
- Replace paper use with electronic forms and e-mail, using electronic signatures
- Replace paper fax use with desktop and server fax environment
- Replace high-energy-use desktops with virtual desktop infrastructure (VDI)
The preliminary analysis of VDI indicated that this would not be cost effective at this time except in certain special instances.
The Green IT plan will be brought before the IT Directors group at a retreat in November. That group consists of about 30 individuals from across campus. That group will develop priorities and an implementation plan.
Creating guest GatorLink accounts: singly or in bulk (prior discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
Can IFAS support DirectAccess in the future? (prior discussion)
Steve wants to keep this topic on our radar.
Moving away from the IFAS VPN service (previous discussion)
Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.
VDI desktops as admin workstations (previous discussion)
This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.
Wayne's Power Tools (prior discussion)
There was nothing new to report this month.
OU Technical Contact email groups now in use
You should now be getting automatic FSR reports concerning file server space usage (duplicate/large files/etc.).
Computer compliance tool in production (previous discussion)
Update as available...
Folder permissioning on the IFAS file server
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
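One way an OU Admin could run the manual clean-up described above over their own records, as an added example (not Andrew Carey's plan and not part of Wayne's Power Tools). The CSV layout, the host names and the 60-day password-age limit used in the sample run are assumptions; only the 90-day deletion rule comes from the notes.

```python
import csv
import io
from datetime import date

DELETE_AFTER_DAYS = 90  # from the notes: disabled for 90 or more days

# Constructed sample of an OU admin's own records (hypothetical hosts).
SAMPLE_RECORDS = """\
name,enabled,pwd_last_set,disabled_on
LAB-PC-01,true,2010-09-20,
LAB-PC-02,true,2010-05-01,
OLD-PC-03,false,2010-03-01,2010-07-10
OLD-PC-04,false,2010-02-15,2010-07-11
OLD-PC-05,false,2010-01-10,
"""


def triage(csv_text, today, pwd_age_limit_days):
    """Return {computer name: action} for each record.

    Domain-joined Windows machines change their account password
    periodically (every 30 days by default), so an old pwdLastSet on an
    enabled account suggests the machine is no longer in use.
    pwd_age_limit_days is the caller's choice; the notes give no value.
    """
    actions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        enabled = (row.get("enabled") or "").strip().lower() == "true"
        pwd_set = (row.get("pwd_last_set") or "").strip()
        disabled_on = (row.get("disabled_on") or "").strip()

        if enabled:
            if not pwd_set:
                actions[name] = "review"  # no password date on record
                continue
            age = (today - date.fromisoformat(pwd_set)).days
            actions[name] = "disable" if age > pwd_age_limit_days else "keep"
        elif not disabled_on:
            # Disabled, but the admin's log has no date: never guess one.
            actions[name] = "review"
        else:
            idle = (today - date.fromisoformat(disabled_on)).days
            actions[name] = "delete" if idle >= DELETE_AFTER_DAYS else "wait"
    return actions


if __name__ == "__main__":
    # 60 days is an assumed limit used only for this sample run.
    result = triage(SAMPLE_RECORDS, date(2010, 10, 8), pwd_age_limit_days=60)
    for name, action in result.items():
        print(f"{name:10} {action}")
```

Recording the date at the moment an account is disabled is what makes the 90-day rule checkable later; accounts without that date land in "review" rather than "delete".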
New MPS/DC deployment
Chris Leopold said that this deployment is being handled in stages. Deployment and basic configuration of the hardware is just the first step. Once that has been done at a site, the migration from old to new must still take place. Once the hardware deployment gets to a certain stage then Andrew can publish a schedule so that district support will know approximately when to expect each site to go live with the new configuration.
Twenty servers are already out there and they have just created ten more which will be delivered shortly. Another ten are on deck to begin work on as well. Chris has a target of about six weeks for getting the hardware delivered at each site after which the site-by-site completion schedule can be firmed up.
Core Services status (previous discussion)
Data Protection Manager planning
For the implementation of DPM, ITSA has obtained a whole new backup system which includes three DPM servers, three tape libraries and 200 tapes. One will be used to back up remote sites to Gainesville, a second will back up the file cluster and the third will back up the rest. It turns out that the new LTO 5 tapes are rather expensive and even dropping from an 8-week to a 6-week retention as Andrew would like may prove too expensive. Wayne would be okay with less retention (perhaps three weeks) since he feels they only really need to provide Disaster Recovery. The volume shadow copies will allow individuals to recover their own files from the file cluster for 32 days. This will include two snapshots a day at 7:30 AM and 12:30 PM.
Chris expressed his appreciation for the monetary support that administration provides his group and he hopes they realize that ITSA provides an absolutely phenomenal with the limited budget provided compared to other groups on campus. That said, they are moving from LTO3 tapes ($25/400 GB) to LTO5 tapes ($150/1.5 TB). In the past ITSA has had an 8-week tape retention with 6 month archives (retained one year currently). They would like to continue that, budget willing, but Chris has determined that the tape cost alone for each 10TB would be $18,000. Dropping retention down to six weeks reduces that to $13,500.
Overall, this means that we will have to balance our recovery goals with the available budget. Chris will be working with Dan Cromer on this and may have to go begging for additional funds. Steve asked if they keep records on how often they have had to go to tape. Chris responded that it is not very frequently though he had done so just last week. Steve noted that on one hand the cost per incident was enormous; on the other hand, it is difficult to gauge the value of the data which has or might need to be recovered.
Wayne mentioned that our RPO (Recovery Point Objective, or the point in time to which data and systems can be recovered) will be only 12 hours worst case. The RTO (Recovery Time Objective or time to recovery) will be fairly long, however, due to the sheer amount of data vs. available bandwidth. It took 48 hours to replicate all of our data from the file cluster to DPM. Should our file cluster get "cratered" this copy time will directly affect how soon we could get back on line. That could not be improved in any case without inordinate cost (mirrored SANs, etc.).
Winnie Lante asked about potential cost savings by cleaning up duplicate, inappropriate and unnecessary files. Of course, the savings there could be substantial, but it mainly depends on user education and compliance. That is a hit and miss proposition at best and not something on which we can really rely. Single-instance store may be possible in the future if we move the file cluster to the Windows Storage Server platform. DPM will allow removal of the tapes from the file cluster which will in-turn allow us to change things at our next file server refresh.
Wayne pointed out that they absolutely want people to store their data on the file server. That said there is a lot of clean-up the OU Admins can and should perform, including making sure that storage is removed when folks leave. Policing the unit folders should likely get highest priority due to the potential for inappropriate sharing of restricted data. Wayne has begun delivery of FSRM for some units and will try to get those out for everyone before too long. Those reports can help OU Admins determine where storage savings could most easily be gained.
Winnie asked if quotas were available and Wayne responded that he could implement those as folks desired. Steve pointed out that he has seen quotas lead to folks getting external hard drives and storing everything locally, however, and that is not really desirable.
Wayne said that in about 3 weeks he will stop VSS on the file cluster and move that over to DPM. That will involve changing from 3 to 2 snapshots a day with a 32 day overall coverage (rather than the current 21 days). That will free up 2 TB of SAN storage for virtual servers, etc. They just have to figure out the tape backup retention period. The new tape system will improve our backup window from about 36 hours down to 16 hours, plus the backup will be offline against DPM and not impinge on the file cluster performance.
Wayne announced that ITSA is purchasing a new SQL cluster (backed-up by DPM) to replace/consolidate enterprise production and test SQL services. Hopefully that will get done within a month or two. This will involve removing some virtual SQL test servers to free-up resources there for more critical needs.
Patch four is now available for VSE 8.7i. Wayne plans to put that to a test branch and eventually get it pushed out. Both Steve and Chris have installed it without noting issues, though Wayne said some issues have been noted via the McAfee forums.
Status of SharePoint services (prior discussion)
IFAS migrating to centralized MOSS
Updates as available...
Public folder file deletion policies and procedures status
Nothing further was available on this topic at this time.
An out-of-band patch was released September 28th to address "a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems".
The October Microsoft patches will include 16 bulletins (4 Critical, 10 Important, and 2 moderate) addressing numerous vulnerabilities in Windows and Office.
McAfee provides podcasts on the highlights of each month's offerings.
There has been a Flash update since our last meeting which addresses another critical vulnerability.
Similarly, more patches for Adobe Reader and Acrobat arrived earlier this week to address another critical vulnerability.
MS Office News update
Office 2011 for the Mac is now available. [smb://if-srvc-file2.ad.ufl.edu/DATA-U/Software/Mac]
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Remedy system status (previous discussion)
Steve wants to keep this item on the agendas in order to address potential future concerns.
UF IT Awards and Recognition
Dan Cromer attended this town meeting yesterday and would encourage everyone to attend these in the future. They are a good way to meet other IT folks from across campus and at the very least provide good food.
Steve asked if any IFAS folks won an award and Dan responded that none did, though IFAS had more nominees than any other unit. Dan noted that UF has over 1000 IT folks and IFAS accounts for perhaps 67 of those. There are only 3 awards given each year, so it is a simple matter of not enough awards to go around.
Unlike last year they decided not to list all the nominees; apparently the feeling was that this might disappoint folks who were not nominated.
Dan believed they were going to start having these meetings twice a year instead of just once, though the awards themselves will remain yearly.
GLauth going away November 1st
Santos Soler wanted to remind everyone that we need to switch over to using Shibboleth by the end of this month. This affects a number of IFAS web sites, but most are hopefully already aware of this need.
PDF-Xchange (prior discussion)
Updates as available...
Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL
Updates as available...
The meeting was adjourned on time at about noon.