IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM October 9th 2009 REGULAR MEETING
A meeting of the ICC was held on Friday, October 9th, 2009 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.
PRESENT: Twenty-one members participated.
Remote participants: David Baudree, Benjamin Beach, Bill Black, Micah Bolen, Andrew Carey, Dan Cromer, Dean Delker, Francis Ferguson, Chris Fooshee, Chris Leopold, Louise Ryan, Mitch Thompson, and Wendy Williams.
On-site participants: Dennis Brown, Winnie Lante, Steve Lasley, Travis Lee, Kamin Miller, James Moore, Daniel Solano, and Santos Soler.
STREAMING AUDIO: available here.
NOTES:
Agendas were distributed and the sign-up sheet was passed around.
Member news:
Steve related that Luke Spreen, OPS tech at FSHN has left that department. Kamin Miller also brought along Travis Lee who is currently assisting him at PLP.
Right before the meeting, Steve learned from Lance Cozart that he and Marion Douglas are moving to Building 162. Dan Cromer explained that this is being done in order to consolidate IT personnel across the newly merged units. For one thing, this will move Lance's videoconferencing support closer to campus. Help Desk staff, would already reside at that location, will be assisting with the optical disc duplication operation and Lance and Marion will both be assisting with various Help Desk functions. This is part of the cross-training referred to in the reorg announcement.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
Videoconferencing and WAN discussion
[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside the top of our agendas.]
Videoconferencing topics (previous discussion)
End-point documentation / help brochures
Steve had the opportunity to grab one of the "Videoconferencing Guides" which Dan Cromer had mentioned that Patrick Pettus has been working on. These are full-color fold-overs with endpoint and support contact information along with basic operating instructions on one side:
and other important conferencing information on the back:
End-user Scheduling
Steve assumed this is still a plan in progress, but Patrick Pettus was not available to comment.
Codian bridge replacement being investigated
Dan Cromer related that a bridge replacement is being investigated. One option includes a new bridge from Tandberg (which Cisco recently offered to buy, BTW) that will bridge SIP and H.323. This would thus support interoperability between our Polycom equipment and Office Communicator clients.
The missing piece in that is content; there currently doesn't seem to be any system available which will bridge H.239 (aka People+Content) with Office Communicator's shared desktop. The only work-around at this time is for a "human router" to display content out to both simultaneously via a single endpoint connected via both pathways.
Centrally funded Enterprise CALs still on table
The rapidly increasing usage of OCS, particularly among the CEOs, has led to further interest in this. Negotiations are currently underway with Microsoft for renewal of our contract in November and there is still some possibility that this might be managed centrally. That has the potential for providing licenses for all to utilize OCS (as well as MOSS and numerous other MS technologies).
WAN transition to CNS (previous discussion)
Info on port security for Wall-plate
Steve mentioned that his department has gone Wall-Plate and he recently received his first e-mailed "Notice of Disabled Port". This seemed to be a false-positive which was resolved without CNS intervention by moving a computer off a phone's data port. What Steve found most interesting was an included link to User Guidelines for Wall-Plate Networks. This is also linked off the "Announcements" section of the Wall-Plate site and contains some useful information on what may trigger port security and why--including an example notification e-mail.
Updates from James Moore
James arrived late because he has been a bit under the weather. This section was actually covered later in the meeting, but Steve decided to keep the notes in their usual spot for consistency.
Currently James is focusing on circuits and hardware budgets. He is getting together a list of routers and WAPs which need to be acquired for the CEOs, but needs to leave a portion of the funds available for emergencies (overnight shipping, etc.).
There are issues with the Hastings router, it has dropped connection recently. They are not sure of the cause, but the plan is to go ahead and replace that unit since that location has had a couple of lightning hits which fried the provider's electronics. James asked Dennis Brown, who has users there, to keep him informed of any problems that may be noted in the meantime.
FLR and Level 3 continuing working to try to get an AT&T interconnect to Pensacola arranged for Milton. Citra is awaiting the addition of conduit (or cleanout of existing conduit) in order for the provider to run the fiber connection there. Mari Jayne Frederick in Homestead has just received quotes for getting the fiber connection completed there as well, so hopefully both of these sites will have upgraded connections shortly.
The hoped-for Comcast business cable connection for Marianna has fallen through because their distribution only carries TV at that location. James is trying to work a deal to get Ethernet down-the-road, but for now will have to rely on DSL. The cable connection is much more desirable because it would be symmetrical (same rate up/down); the problem with DSL is getting decent upload speeds (which are limited to 768Kbps). When voice and video are moved to the T1 there and the remaining traffic is moved to the DSL, there are likely to be issues due to upload speeds being decreased by one-third (even though download speeds will be enhanced).
Kevin Hill at Immokalee has put James in touch with a Comcast representative that had approached him. Comcast has arrangements with local municipalities around the Tampa LATA area that will allow Comcast and Brighthouse to work together to get a relatively inexpensive interconnect to FLR for the SWFREC. Usually such a two-provider solution is prohibitively expensive.
Louise Ryan reported that she has had two separate incidents where CNS has asked local unit staff (not IT staff) to call the phone company in order to resolve connection issues. James apologized saying that this should not happen and he would correct that; it's just a matter of better communication within CNS so all are aware of proper procedures. CNS should contact the providers on the affect unit's behalf and negotiate the solution for them.
Policy
Partial recording from the 2009 ITSA day now available
Steve was hoping that recordings of all presentations would be available, but it would appear that this is only available for Michael St. Neitzel's talk. A PDF of Kevin Johnson's presentation, is also posted.
2009 UF IT Awards Recognition Program (previous discussion)
Steve reminded folks about this new program being instituted by our Interim CIO, Chuck Frazier. This program intends to recognize a number of IT staff at UF each year. Everyone is encouraged to nominate deserving peers in one of three award categories:
- collaboration, innovation and leadership
- exceptional customer service, and
- outstanding work behind the scene.
Nominations are open until October 14th and a recognition ceremony is planned for October 29th at the fall UF IT Assembly in Emerson Alumni Hall.
See http://www.it.ufl.edu/awards for further details.
Are these being advertised widely enough?
In talking with Mike Ryabin prior to the meeting, Mike had mentioned that he thought supervisors of IT staff should be included in this announcement as well since those are the ones most likely to nominate unit IT staff for consideration. If those supervisors aren't aware of the awards program then deserving individual unit IT staff members will stand a much greater chance of being overlooked.
Dan Cromer said that he would recommend that a notice be sent to the DDD list in order to better propagate information about these awards and to address the concern which Mike had raised.
ITAC-NI temporarily resurrected
Steve and Dan Cromer attended an ITAC-NI meeting yesterday. That committee hadn't met in six months and it was assumed that a new committee would be formed by now. In lieu of that, we will continue to meet. Steve is still acting as secretary and he expects to have the October meeting minutes ready sometime next week. There were updates on the new East Campus Data Center (ECDC), the Wall-plate project, and wireless deployments among other things.
Course Management System Conversion to Sakai 3 (previous discussion)
Steve pointed out again that the UF IT web site now has a Projects tab which includes documentation on a number of ongoing projects, including the CMS Conversion to Sakai.
myuf Market (previous discussion)
Is it IE8 compatible as is claimed?
Steve referred back to last month's notes where he had added several comments received after the meeting. The IE8 issues with this service apparently relate to jumping out to outside vendor sites during the purchasing process; not all vendor sites are compliant even though our main system is. Also there are still important sites out there which are not IE8 compatible. Those will undoubtedly eventually work themselves out, but it would appear to be too early to migrate all to IE8 currently. That is a shame because it appears to be a better and more secure browser than IE7.
Steve also mentioned that he had heard some confusion on whether or not IE8 could be uninstalled. Apparently, as long as WinXP is at SP3 prior to adding IE7 or IE8, then those can be uninstalled.
UF Exchange Project updates (previous discussion)
Attachment blocking change to OWA
Steve had noted to Dwight Jesseman that OWA blocked .XML attachments while Outlook did not. Dwight confirmed this and went through the processes to get .XML approved to be downloaded on OWA. That change was implemented September 28th.
Office Communications Server
Using this at our meetings will obviously involve a learning curve. The drawback we discovered today was that audio could not be sent out via both Polycom and OCS without producing a terrible echo. Consequently, Steve muted the mic on his laptop. Next time we will see if we can try connecting to the bridge for both OCS and Polycom.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
Projects
IFAS WebDAV implementation
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM
Transitioning from login scripts to GPP
Steve asked Andrew Carey what the ICCers could do to assist in moving us to mapping via Group Policy Preferences rather than via login scripts. This is important because of issues with our login scripts for Vista and Windows 7.
Login script cleanup needed
Andrew responded that it would help greatly if OU Admins could clean up things a bit. There are many scripts out there which map to non-existent resources--servers which have been decommissioned long ago like if-srv-file01 and if-svr-file02. Those should either be corrected or removed. If anyone needs an explanation of how our logins scripts work, you are encouraged to look at the explanation within the IT services documentation (ufad\if-admn credentials required).
Several standard drive letter mappings also suggested
Andrew also mentioned that it would be useful to standardize on drive letter mappings (see long prior discussion) for personal and unit shares so that these could be handled at the IFAS OU level for all and so that we would need fewer mapping scripts overall. There was some discussion about this causing drive letter conflicts with local devices, but as long as we choose carefully, those should be able to be minimized. Steve offered U: for the personal (user) drives and T" for the unit drives. While Steve doesn't map websites for his users, a number of people suggested that standardizing on W: for those would be a good plan.
ICC cooperation can make this work
Steve said that he would make an effort to raise these issues via the ICC-L next week and see how far and fast we can move with this. Andrew's time is very limited and we all need to assist in order to get this accomplished.
Windows 7 deployment
Daniel Solano, mentioned that he and Santos worked together on the new DHCP server which is now in production (IF-SRV-DHCP01).
That project has freed up some older hardware which can be repurposed to SCCM. Andrew has been using SCCM in a limited fashion and was deploying a Win7 image yesterday via SCCM which Ben Beach had made for the District Support laptops. Those images would need broader driver support, but Andrew intends to talk with Daniel Solano about working on that for wider deployment.
Steve pointed out that he would like to get some documentation together for folks on creating and maintaining their own images--basic how-tos on using WinPE, ImageX, DISM, etc. Perhaps this could utilize the Windows 7 Deployment SharePoint wiki site. He would also like to locate individuals to volunteer for looking into deployment of various third-part apps via SCCM. The difficulty is in knowing how to plug-in other interested ICCers to this system so the work load might be distributed somewhat. Nurturing that kind of interaction could prove very valuable for all in Steve's opinion.
[Note: Chris Hughes shared the following after the meeting notes were published: "We are reworking our SCCM environment. We will be distributing and patching all software using SCCM on our new Windows 7 clients. I’d be happy to pass on the documentation for settings up the applications once we have it completed. This might help IFAS out with common things such as Adobe Acrobat Pro 9, Adobe Flash, Adobe Air, Adobe Shockwave, and Java. We currently install and patch these with MSI’s and scripts, so we have a lot of the work setting up the MSI’s completed. We are also going to talk some more with UFAD about a central SCCM to support installation and patching of common applications for campus."]
Exit processes, NMB and permission removal (prior discussion)
Nothing further was available on this topic at this time.
Re-enabling the Windows firewall
Though Wayne Hyde wasn't available for comment, limited testing has been done without issues being noted. Steve mentioned that he has several machines in his office for which Wayne has enabled that without issue. Steve suspected that Wayne could do this for a subset of other's computers should they wish.
Dennis Brown asked if there had been any testing on whether enabling this would mitigate the vulnerability which reopened this discussion. Steve said that he wasn't sure, but believed implementation of this additional layer in our defenses to be wise in any case and long overdue.
Services Documentation: Is a Wiki the way?
Steve mentioned that he has tried to fill in the gaps on this (ufad\if-admn credentials required) until a better solutions could be implemented. Daniel Solano has begun to add some things to a Wiki on SharePoint. Daniel prefers Flexwiki due to its power, but it is also more difficult to learn. Since the issue will likely be getting folks to participate, Daniel made the good point that the simple SharePoint interface might be the best place to begin.
Dan Cromer reminded folks of the new UF IT Wiki (based on MediaWiki) and wondered if we could shoe-horn into that in some fashion. Steve sees the ability to control access as being very important. Steve asked who was in charge of the UF Wiki and Dan replied that there really wasn't strong central support at this time. Dan did say that he would look into whether or not we could have a secure portion of that for our own use. Steve feels that until that is available, we would need to implement this in-house. As a starting point we might link to our documentation from the UF Wiki, however.
While on the subject of Wikis, Steve mentioned noticing that the UF Help Desk has a Wiki now as well. That Wiki is apparently separate from the UF IT Wiki as well.
Steve offered that he would port his current documentation into SharePoint if we could decide that this was the way to go. We first need to get the permissioning right though. He suggested that the ". ifas-icc" security group might be the logical one on which to base access. Steve believes he had talked Wayne into using that for access to a potential VM desktop admin workstation solution as well.
Operations
Disabling autorun via the “IF Co-Managed Computer” GPO
Wayne Hyde had announced the intention back in late September:
Message from Wayne Hyde to ICC-L: "new WPT" Wed 9/23/2009 10:35 AM
Unless I get a good reason against doing so, I am going to disable autorun via the “IF Co-Managed Computer” GPO. You have until 3pm to make your case. If absolutely necessary, you can override this change via your “IF- Computer” GPO.
The changes to the GPO will be:
Computer Configuration -> Administrative Templates -> Windows Components -> Autoplay Policies -> Turn off Autoplay
The issue with Autorun.inf still being executed if this policy was set has been fixed by a MS update that is installed on most IFAS machines and is pushed via WSUS. Of course this only means that some users will double-click on every .exe file on their memory stick…. *cough*
|
A number of folks had already done this for their own OUs. Users just need a bit of training on how to deal with it when a CD installer doesn’t pop up automatically, but that’s a minor issue.
DHCP server change
As Santos has mentioned via the ICC-L, we are now supporting DHCP on new hardware. The server name is now if-srv-dhcp01, for any of those who use the DHCP MMC plug-in to manage or at least view their departmental DHCP configuration. The old if-srv-dhcp is still hosting DFS and WDS, but the plan is for the latter to be replaced by SCCM. Daniel asked if anyone was still using WDS and Steve responded that Mark Ross was the last person to use it as far as he knew. Kamin Miller, who replaced Mark at Plant Pathology, responded that he had used it only a single time back when he first started.
Moving away from the IFAS VPN service
Questions of need remain
Steve pointed out that there remains some anecdotal evidence that the IFAS VPN is the only available VPN which works in certain situations at certain locations. The problem is elucidating those and trying to find a repeatable issue which can be escalated to CNS for solution. We certainly don't want to remove our VPN service prematurely.
The IFAS VPN assigns public numbers currently
Steve also wanted folks to understand that the IFAS VPN currently hands out public numbers. Your users should be aware of this and make sure they have their firewalls enabled when using it; a better solution may be to migrate them to either the built-in L2TP/IPsec or Cisco Client supported by UF.
Steve also suggested that IFAS might either move their VPN service entirely to private IP or resume the split which we had implemented previously where vpn2.ifas.ufl.edu provided public numbers and vpn.ifas.ufl.edu provided private IPs.
Chris Leopold said that public numbers were needed for some departments for certain remote services. James Moore asked Chris Leopold if had spoken to Chris Griffin about this. Chris responded that he had but wasn't able to clearly recall what the issue was with UF supporting our needs there. His best recollection was that UF was unable to assign a small range of known public numbers specifically for use by IFAS, but he would have to revisit that to make sure.
Dan Cromer mentioned that there is another way to assign specific public IP addresses which he had been discussion recently with Wayne Hyde; that is to use a proxy server. This would involve some configuration on the client side as well, but implementation is a matter of priorities, however, as we currently have more work than we can handle.
VDI desktops as admin workstations
Wayne Hyde has been working on creating a Virtual Desktop solution in order to provide a standardized management workstation for use by the ICC. Wayne wasn't available to speak on this and discussion is still a bit premature because licensing issues still need to be addressed. However, Chris Leopold did mention that this technology has looked good in testing. Besides the licensing, there are a few other issues. Windows 7 and Windows 2008 hosts cannot use the web interface; rather you must install the VMware View client (which installs to C:\Program Files\VMware\VMware View\Client\bin\wswc.exe).
Chris Leopold did provide a quick demo. Some of the screens are shown following. Connection is done via a web portal:
which leads to a logon screen. The idea is to logon via your Gatorlink credentials:
That will lead you to a screen where you may choose the "ICC Management VM":
after which you will be running a "remote desktop-like" VM as a regular user (on Vista currently):
Wayne has set up a pool of two-five VMs with two being the minimum. The system is configured to always have one VM available, so with two folks logged on it will create a third VM automatically. After logout, the VM being used will be destroyed and another created if one is not available. Closing will leave you logged on, but Wayne will create a policy that will boot such folks off after a short time. These VMs are linked clones which use a snapshot (the replica + source) and then keep their own delta's from the snapshot. Consequently, they are very parsimonious with system resources.
These VMs will have the RSAT, the Sysinternal tools, an icon for a run-as cmd.exe, and some third-party explorer replacement which can be run with elevated credentials for gui-based remote file management. He also intends to have shortcuts to a bunch of useful stuff like the WPTs, ePO web console, etc.
Wayne's Power Tools (previous discussion)
Wayne recently announced a new "OU Computer tracking" power tool:
Message from Wayne Hyde to ICC-L: "new WPT" Wed 9/23/2009 10:35 AM
Someone requested the ability to show all of their OU computers and the current logged on user. While we don’t have this exact information, I added a power tool page to pull Lansweeper computer login info for all of your OU computers. We don’t track when a user logs off the computer and this information is only pulled when a user logs on and runs the IFAS logon script. So a user that is listed as the most recent logged on user may have logged off already.
The page will let you select how many recent users to display for each computer (latest/5/10/25) and the OU to check.
The table will show the computer name, IP address, User’s domain, username, and login time. User’s domain should always be UFAD unless a Lansweeper scan was triggered while a non-UFAD user was logged in. The computer list is pulled from AD and then each computer object from AD is queried against the LS database to get the login information.
You can also track single users and single computers via the other pages in the navigation bar (track user logins, track comp logins)
The tool is “OU Computer tracking” on the navigation bar. The current direct link is: https://itsa.ifas.ufl.edu/ouadmin/oucomps.asp.
|
Folder permissioning on the IFAS file server
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age
As with so many things in these times of inadequate staffing, finding time for implementation is proving difficult. Steve did want to remind folks that Andrew has a good plan for dealing with this which he simply has had no time to address.
New MPS/DC testing -- access by unit-level administrators
Steve once again failed to ask, but Andrew certainly continues to work on this.
Core Services status
This topic remains as a standing issue, but was not discussed this month.
ePO updates
McAfee 8.7i Patch 2
Wayne Hyde announced this patch via the ICC-L late last week:
Message from Wayne Hyde to ICC-L: "McAfee 8.7i patch 2 available" Thu 10/1/2009 11:36 AM
Patch 2 has been released for McAfee 8.7i. I have placed the .zip containing the patch at: \\ad.ufl.edu\ifas\SECURITY-TOOLS\VirusScan-8.7i-patches
Once I’ve tested it on enough systems I’ll check it in to ePO and start pushing to existing 8.7i clients. Please feel free to manually upgrade some of your machines to make sure there are no major issues.
Some of the improvements from the readme:
- Improvements were made to the way that the CommonShell scanner interacts with file I/O. This improves performance with on-access scanners within the product.
- VirusScan Enterprise 8.7i Patch 2 now has the ability to report compliance to the newer versions of Windows Security Center.
- The VirusScan Enterprise 8.7i extension has improved support for ePolicy Orchestrator 4.5 with Firefox 3.0 and Internet Explorer 8.0.
Standard IFAS policies / notes:
Clients with 8.0i and 8.5i do not automatically get upgraded to 8.7i via ePO or by their own auto-update. In order to upgrade a machine to 8.7i patch 2 from 8.0i/8.5i, you must tag a system with the “PushAV” tag in the ePO directory or upgrade manually. UFAD clients that are managed by ePO that already have 8.7i will be auto-updated to patch 2 once the patch is checked in.
It is the responsibility of the local IT support person to ensure that McAfee AV software is installed on their managed systems. McAfee 8.7i should be installed on a machine before or as it is being added to UFAD. The McAfee agent should be installed immediately after adding a computer to UFAD. Computers already in UFAD that do not have AV and/or Agent installed should have it installed as soon as possible via an ePO push tag or manual install.
|
Status of SharePoint services (prior discussion)
This aspect was not covered this month but will remain as a standing item for future discussion.
Public folder file deletion policies and procedures status
Nothing further was available on this topic at this time.
Patching updates...
Microsoft
The October Microsoft patches will include eight critical and five important updates for Windows. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
"Must read" blogs for this month: "Summary of Microsoft’s Security Bulletin Release for October 2009" and "Assessing the risk of the October security bulletins" (with thanks to Susan Bradley).
Adobe
Adobe plans an update for Adobe Reader and Acrobat.
MS Office News update
No news to relate.
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Remedy system status
Steve wants to leave this matter as a standing agenda item for future discussion.
Other Topics
Ekiga video conferencing application
Dennis Brown wanted to mention having discovered Ekiga, an open source VoIP and video conferencing application.
Removal of redirects for consolidated web sites
Steve forgot to mention this at the meeting, but he received a notice yesterday from Solar Santos which indicated a couple of redirections which are scheduled to be removed at the end of the month. While this removal is consistent with the IFAS Domain Name Policy it somehow took Steve a bit by surprise having forgotten the issue. Steve's unit consolidated over 50 sites approximately one year ago and he is just now realizing that the procedures for removal of the redirections were never really well worked out. Further, Santos has inherited this process without any clear idea of what sort of notification Mark Ross and the policy architects had already made.
Steve feels that it would be good to institute a couple of guiding principles:
- 30 days notice should be made which details exactly when the removal is planned to occur
- removal of redirects for course sites should be done between terms
Disabling SMB v2
SMB 2 has been disabled on our file servers due to a remote code execution vulnerability and it is recommended that you consider doing this on any Vista machines you might have as well.
PDF-Xchange (prior discussion)
We did not discuss the matter this month, but Steve would like to leave it on the agenda.
The meeting was adjourned early at about 11:45 AM.
|