IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM November 3rd 2004 REGULAR MEETING
A special joint meeting of the ICC and the ICC-AD subcommittee was held on Wednesday, November 3rd, 2004. The meeting was chaired and called to order by Steve Lasley, just after 2:00 p.m. in the Entomology conference room 1014.
PRESENT: Nineteen members participated. Remote participants: Mike Armstrong, David Ayers, Kevin Hill, Nancy Johnson, Joe Spooner and Joel Parlin. On-site participants: David Bauldree, Dennis Brown, Marcus Cathey, Dan Christophy, Dan Cromer, Marion Douglas, Joe Hayden, Chris Hughes, Dwight Jesseman, Jack Kramer, Winnie Lante, Steve Lasley, and David McKinney.
STREAMING AUDIO: available here.
NOTES:
Agendas were distributed and the meeting was called to order by Steve Lasley at 2pm. This meeting was our first attempt at using two separate conferences: one for the Polycom (audio/visual) and a second for data only via NetMeeting. The NetMeeting portion seemed to work fine and remote users were able to see the same screen as was being projected at the meeting. The video portion of the Polycom conference did not work, however, and we hope to get that resolved by our next meeting. Instructions for the new setup are documented on the ICC website in the meetings section.
There were no actual new ICC members to introduce. Steve noted, however, that he had been in contact with Donna McCraw, a programmer with business systems whom he had not met prior although she has been with IFAS for quite some time and with UF for over 20 years. Steve mentioned wanting to get the business software group more involved in our organization and suggested that it would be good to have Donna present, if willing, what she has been learning about the new Cognos query and reporting software.
Steve pointed out that he always includes notes to the last ICC meeting on the agendas to encourage members to recap where we are in our discussions.
Discussion started with the four recommendations which had been proposed, both at the last ICC meeting and at last Thursday's ICC-AD meeting, for presentation to ITPAC tomorrow morning.
The first of these was the recommendation for "A new IFAS e-mail address naming convention". One problem that Steve noted with the proposed removal of all but a single "@ifas.ufl.edu" address is that some people (Dale McPherson for example) have what are essentially service e-mail accounts as extra aliases on their user account. Chris Hughes said that these should be pulled out into separate e-mail service accounts, but it will be difficult to identify these and handle them smoothly during any transition. Since end user input will be needed to fix these, it was suggested that a list of aliases could be sent to people at some future date asking that they identify any such aliases so that they can be fixed. While moving users to a "GLID@ifas.ufl.edu" address convention will solve many of the problems, service e-mail accounts are a separate issue in that Gatorlink will not allow them. This means that we will have continuing namespace conflicts between e-mail service accounts and gatorlink IDs unless we make a new Exchange domain (ala "@contacts.ifas.ufl.edu") for such accounts.
To help alleviate the pain for endusers in changing their e-mail addresses, we discussed the options for using custom bounce messages that would notify an outside sender (and this would only work for messages coming in from the outside via SMTP--not for internal messages) on where to look for the correct new address when a message arrived addressed to an old, now invalid, address. This will be difficult and require programming expertise that we do not currently have. We would need to either have Microsoft PSS create a DLL ($$$) or we would have to build an event sink to capture these events. The latter is a very tricky Exchange programming task that would require considerable specific expertise in such things. There is also the question of whether this would be a spammer's tool--but that aspect is simply unavoidable. That effect could be minimized by only sending customized bounces for messages that had been addressed to what were previously valid addresses. The entire issue is quite thorny, for sure, and may simply be intractable.
Chris Hughes mentioned that another option would be to forward using a smart host. If the e-mail address wasn't available it would try to connect to another e-mail server--perhaps something like the Mercury Mail Transport System--that would send a message telling the sender how to contact the desired individual. This would require, however, that we disable the recipient message filtering which was just recently enabled and which prevents an ill-addressed message from going into Exchange. This might make the cure worse than the disease.
To top this all off, Dwight mentioned that he felt the internal addressing issues were a bigger problem in this regard. Internal IFAS communications can overcome this factor, however, but not the issue of outside/infrequent contacts losing the means of reaching our people via e-mail.
To solve the namespace conflicts, Dan Cromer proposed working it out with UF that IFAS could "take over" or reserve certain aliases for IFAS use. The majority did not see how this was a workable solution--even if UF allowed it. Even if such work-arounds could be accomplished, the cost in continuing lost efficiency and lost productivity for managing our Exchange environment is too high a price to pay. This is one of those (albeit rare) situations when a painful one-time change is warranted and should be promoted as strongly as possible for the good of all. This is not a matter of simple convenience for IT, but rather a one-time fix that can finally give us an e-mail system that is manageable and smoothly upgradable. This issue is exactly what made the recent migration so painful, and if this is not fixed the problems will simply continue. That is no way to run our e-mail service, and that aspect needs to be clearly communicated to administration or we will continue to be stuck with a system that trickles out untold continuing pain for our users just for the sake of not inconveniencing them this one final time. To support this effort, it would behoove us to: 1) try to put a dollar price on the continuing costs--keeping in mind there will be yet another migration down the road--and 2) qualify the continuing annoyance factors that the resultant issues will continue to trickle out to our users. This is one of those issues where anyone who really understood the details would have to admit the change is needed--the onus on us is to make those details understandable.
Steve asked Dan Cromer how the need for maintaining two directories (UF and IFAS) relates to this issue, as it is terribly expensive (and error prone) to maintain such shadow systems. Dan said that the plan is to make certain that the UF and IFAS directory liaisons are the same person for each unit to assist in the coordination of these two systems. He envisions this evolving to where the IFAS directory demographic info will eventually be imported into PeopleSoft (once that has replaced the current UF Directory) and only a couple of external fields will need to be maintained in relation to that--one of those being "specialty". PeopleSoft's "Campus Community" is apparently being planned to replace the current UF Directory. Dan pointed out that having our own IFAS Directory website helped people in locating contact information and that this justified its continuation as a shadow system. Chris Hughes expressed concerns regarding this site meeting legal privacy requirements, but Dan felt that this was not a problem.
Chris Hughes relayed that the expected date for extending Gatorlink usernames from 8 to 16 characters in length is June of 2005. This is not a firm date, however, and waiting on that may not be a big selling point either way in pushing our proposal.
After all the discussion, the bottom line was that Steve will take our recommendation to ITPAC and hope to convince them of the need. Due to these notes being written after-the-fact, I can now point you to what ITPAC decided on this. (Isn't time travel fun?)
The next recommendation for consideration was that for "Changing IFAS IT e-mail client support". Dan wanted to get POP out of this, based on a prior recommendation of ITPAC. Steve felt that, since client support for POP would be discontinued (certainly for the most part) by this proposal anyway, there would be no harm in continuing that service for those who might have a use for it and who could configure their own clients accordingly. Note of personal opinion: The arguments that POP encourages e-mail loss don't really hold much validity, as all retrieval methods require eventually moving messages off the server to some locally controlled storage--unless we are going to say everyone gets unlimited e-mail storage space, which is simply unwise. Even with MAPI, people need to eventually move messages to local personal folders and see that they are archived to removable media of some kind. To ignore this and act like user education on these issues can be avoided is simply the wrong tactic.
The issue of supporting only the latest version of Outlook led to other concerns with Office 2003 in general. Dennis Brown related that his faculty were specifically concerned with PowerPoint 2003. They told him that PowerPoint documents they'd created in PowerPoint 2003 could not be displayed with the older PowerPoint versions that they'd run into in their travels, and that in their opinion PowerPoint 2003 was not widespread enough to switch yet. They said that a lot of faculty would be caught unprepared while on the road with PowerPoint 2003 documents. Dennis doesn't think mixing Office products on the same computer is a good idea. Dennis suggested that we support Office 2003 and Office XP; he doesn't believe that two similar products would be that great of a burden to support. Steve pointed out that Office 2003 allows older versions of Word, Excel and PowerPoint to remain on the system--it only requires that older versions of Outlook be replaced. Also, a custom install could be done to not install the newer versions of Word, PowerPoint, etc. Chris Hughes mentioned the "Pack and Go Wizard" as a solution to the problem Dennis mentioned. PowerPoint 2003 has greatly improved this feature, replacing it with a "Package for CD" utility. This utility not only includes the PowerPoint viewer (as did the former version) but also makes it simple to burn the presentation and any related files directly to CD. Either version of the utility will guarantee the presentation will go on even if the target computer doesn't have PowerPoint installed at all.
That said, backwards compatibility to Office XP and Office 2000 is not much of a problem with Office 2003.
Dan Christophy of the HelpDesk was concerned about the need to upgrade Outlook and the burden that would put on the HelpDesk. Chris Hughes pointed out that AD makes such upgrades much easier and that this should not be the problem Dan envisions. Dan's concern is a bit ironic since the proposal is intended primarily as an aid to the HelpDesk. Kevin Hill felt that limiting user choices for the purpose of making things homogeneous and easier to maintain from IT's standpoint is not the direction we should take. Kevin, Jack and Steve all feel that this move would be contrary to our personal, service-oriented approach to end user support.
Steve asked for a show of hands to indicate who wished that this issue be brought to ITPAC and a somewhat underwhelming majority supported that. Again, due to these notes being written after-the-fact, I can now tell you that ITPAC supported the recommendation, with some amendments, and point you directly to what ITPAC decided on this.
The third recommendation we covered was "A UF-level solution to correct Display Name field problems affecting Exchange Global Address Book functionality". This recommendation came from last week's ICC-AD meeting. Chris Hughes proposed the implementation that ended up as our recommendation. Dan Cromer mentioned that we are trading allowing people to completely control their e-mail display name (the text that a recipient sees as being who the message came from) for an alphabetically sensible GAL. Dan demonstrated the advanced GAL search, however there is a simpler solution as well. Steve Lasley pointed out that there is really very little reason to view the GAL directly at all if one uses the "check name" keyboard shortcut in Outlook. To do that, one can type a name into an address field of a new message in Outlook and the press Alt-k to get an excellent list of likely candidates. (The Ctrl-k keypress works similarly in the default editor, but Alt-k works even if you are using Word as your e-mail message editor.) In any case, the majority wished this to be brought to ITPAC. Yet again, due to these notes being written after-the-fact, I can now tell you that ITPAC supported the recommendation without change, and point you directly to what ITPAC decided on this.
The final recommendation we considered was on "Acquiring a Microsoft Support Contract for IFAS ITSA". Chris Hughes covered the various levels of Microsoft support that are available. Cutting to the chase on this, I can report that I moved at ITPAC that this recommendation be endorsed by the ITPAC. The motion failed to obtain a second and therefore died. All of us in the ICC realize the value of such support and truly hope that ITSA can successfully obtain the support and tools necessary for them to do their job effectively. If such matters are to go before ITPAC in the future, we will have to somehow transform that committee into one that is much better informed all around about IT budgeting priorities, and who see that as their responsibility. An IT Charter might further elaborate the role of ITPAC in such matters and be one means to that end.
John Sawyer had a number of security-related items to raise/report on. Firstly, VirusScan has had a number of unique problems with upgrades that he wanted to report on and was seeking further examples of from the ICC. There are permissions on a registry key that are required for one of the McAfee DLLs to be upgraded. Some machines apparently were missing these permissions after the migration: Marcus Cathey had two machines, and Dan Cromer and Nancy Johnson each had one, for example. John intends to provide documentation on this matter and would like to hear from those who run into it. Chris Hughes suspected this is an artifact of manual migration and warned that such machines might have other problems.
John also found some cases where the McAfee framework service would not start. Stopping the framework service and deleting a particular folder in the All Users profile fixes this apparently.
PatchLink was messed up for 55 days by a couple of bad updates and John will get an extension on our contract as a result. John is doing PatchLink training via WebEx, so get with him to schedule a time.
The multi-purpose servers will be going out this week (at least physically) and will act as proxy distribution points for patches at remote sites. GPOs will be set to change this on remote clients so they check the closest proxy. The multi-purpose servers will also be ePO repositories as well.
John has been investigating security-related GPOs, using AD to protect machines against spyware and adware deployment. Mark Minasi has a good article on this (check out http://www.minasi.com/archive.htm and look for the October issue). John wants the ICC Network Security committee to continue to investigate ways to prevent such infections. The next meeting is planned for December 9-10 to coincide with the next time that the ICC and ICC-AD meetings will be set for the same week.
John noted that he had received no response on discussions regarding Firewall and IPSEC policies, but wants to readdress that as well.
Tools to help implement UF security policy, such as log management (a central repository for reporting and archiving), are another item for consideration. Microsoft's Audit Collection Services (ACS--formerly MACS) is one possibility. This includes agents that run on the servers (or clients) and push event logs straight to a central server where they are stored in a SQL database.
John has developed "Malware and Incident Response" training which he will make available to us. Last month he gave a presentation on this to the Florida Association of Educational Data Systems conference and he used that as the basis for the class. John will teach one class for the HelpDesk and District Support, and then will offer a second one for all ICC members and any other interested persons. The class covers tools and techniques for identifying viruses and malware. John also mentioned that he has a large library of security-related reading materials that he will make available to those wishing to borrow them. He is just finishing up his GIAC Certified Incident Handler (GCIH) certification based on Track 4 from SANS. John's paper and exam results for this certification soon will be posted to http://www.giac.org/GCIH.php and John has two copies of the extensive study materials for that which he is willing to make available. We are very lucky to have John's expertise in-house and you are all encouraged to take advantage of his generous assistance before we lose him to some more appreciative audience.
Chris Hughes suggested that we form a committee to begin drafting an IT Charter and volunteered Joe Spooner as chair. Though I have received no official word from Joe, the indication was that he would accept this position.
Dwight Jesseman raised the question of end user information notifications from IT and how they should be done. Considerable discussion followed. Dwight realizes that notifying the ICC does not get the message out to all end users and wants a better way of contacting them than just using the IFAS-ALL list. Steve pointed out that this is a public relations and communication problem that requires actual staffing by technical writer/communication specialists to address properly--even if we can only afford OPS positions for that. We can only really reach those who want to hear, and this could be best handled via an opt-in method. Such a method has already been planned in a fairly detailed fashion and approved by the ITPAC. Something like the ITPAC-approved ITinTouch list could solve Dwight's dilemma while greatly improving client relations. It would require actually applying resources to the problem, however, and we get no response from upper IFAS IT administration to support such an effort. Until that happens, this situation will not improve.
Dwight related that we were really close to having a working trouble-ticket system that Jenny was developing. When Jenny left, that effort died (as well as the server on which it resided). Dwight now believes that an ITSA developed method is not supportable and maintainable. We are now left with looking for a new means of doing this, but we (again) do not seem to have the resources to actually proceed. Kevin uses WN Help Desk by wickett.net and recommends it as a good and inexpensive solution. Chris Hughes reported that Mike Armstrong is working with Chris Leopold, apparently, to combine efforts on such a thing--as CREC is interested in solving this problem as well. Mike responded separately that this characterization is perhaps a bit strong. Mike has been accumulating other organizations' experience and vendor recommendations on this issue, and when he saw that IFAS-IT was also concerned about the problem, he wrote Chris L. and suggested they share their progress, if any, and try to pursue a common solution. Mike is somewhat overwhelmed with other issues right now, so he can't claim much progress, although he has been able to narrow the field somewhat, largely due to cost considerations.
Kevin and Chris H. spoke about the AD migration and remote server deployment. District Support staff will be picking up the servers (DCs and general purpose) by the end of the week for deployment to counties and RECs. Bridgehead servers have not been ordered yet by the UFAD project, which is a continuing problem; load issues may arise. The next ICC-AD meeting will be held Thursday the 18th in Fifield at 2pm.
We are still trying to replace Jenny. According to Dan, the job will be posted as soon as Chris Leopold finishes writing the job description.
Dwight addressed a list of modifications he needs to make to the Exchange servers. He wanted to inform everybody and make sure we all were aware and had no problems with them:
- Change default SMTP mail queue and temp mail folder location on the front-end servers for performance reasons.
(Microsoft's performance analyzer recommends that these not be on the C: partition.)
- Make Boot file modification for front end servers.
(Dwight needs to remove a switch from the boot.ini file.)
- Change outbound back end SMTP virtual servers to smart host to front end servers.
(Right now outbound messages via a MAPI client go out directly from the Exchange server. This may cause problems in the future with planned anti-spam methods such as Sender ID. Such outgoing e-mail will appear to be forged, as it won't have originated from the front-end servers. Dwight's proposed change will fix that problem.)
- Apply connection filter for SMTP virtual servers.
(Currently, the connection filter is set at the UFAD level. This filter has a couple of options that can be placed in it, one of which is for a reverse black list (RBL) such as spamhaus.org. We all felt that UF should be asked to remove the RBL, and that will be so requested. Deny and accept can be set on addresses and IP#s here as well. Currently we have this configured to accept any messages sent to our listserv so it is never marked as spam.)
- Modify contacts display name.
(Contacts display names will be reformatted as "lastname, firstname - IFAS". This way IFAS contacts will be clearly distinguished from contacts with other units at UF as per UFAD policy.)
- Modify distribution and security groups display name.
(The display name should be changed from the current underline prefix to ". IFAS-distribution_list" as recommended by COE and in cooperation with other units within UFAD. It should be mentioned that Dwight realized he needed to notify the users of this change, but again had issue with how to accomplish that. Dan Cromer wanted this to go before ITPAC tomorrow as an information item.)
- Change applicable contacts to users with an established email.
(Dwight wants to mail-enable user accounts for our personnel currently set as contacts and who use an outside e-mail address so they can be included in our e-mail organization in that manner. Dwight would also like UFAD eventually to mail-enable all accounts. That way everyone at UF would show up in the GAL and you could mail to anyone.)
- Change lists query attribute 15 or auto group.
(Lists will be dynamically created by the Managed By code rather than the department code. He is thinking of perhaps using the autogroups to populate the list.)
- Create lists for contacts and distributions lists.
(Dwight wants to create a list for distribution lists and for the contacts.)
- Configure GroupShield 6 including blocked attachments.
(Dwight needs to implement this to ensure most active content is disallowed to prevent virus propagation.)
- Defrag of mailbox stores as needed.
(Just needs doing.)
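The connection-filter item above (accept/deny entries on IP addresses, an RBL lookup, and the listserv exception) is easier to reason about once the order of evaluation is written down. The following is an added example, not part of the original notes and not Exchange's own implementation: it evaluates a connecting IP against an accept list, a deny list and an RBL in that order, so that the listserv host stays accepted even if it were to appear on a block list. The zone name, addresses and DNS answers are all constructed, and a dictionary stands in for the resolver so the example runs offline.

```python
"""Connection-filter decision logic for an SMTP virtual server (added example).

Order of evaluation, matching the behaviour described in the notes:
  1. accept list  - e.g. the listserv host, so its mail is never marked as spam
  2. deny list    - explicit IP addresses or networks to refuse
  3. RBL lookup   - DNS-based block list; a listed host answers with an A record
                    in 127.0.0.0/8
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed DNS answers standing in for real RBL responses.  The zone name
# "rbl.example.invalid" is hypothetical; real RBLs publish their own zones.
FAKE_DNS: Dict[str, str] = {
    "7.100.51.198.rbl.example.invalid": "127.0.0.2",  # a listed relay
    "25.0.0.10.rbl.example.invalid": "127.0.0.2",     # the listserv host, listed in error
}

# Constructed policy data.
ACCEPT_LIST: List[str] = ["10.0.0.25/32"]       # listserv host
DENY_LIST: List[str] = ["192.0.2.0/24"]         # a network we refuse outright
RBL_ZONES: List[str] = ["rbl.example.invalid"]  # hypothetical RBL zone


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup: returns the answer or None if NXDOMAIN."""
    return FAKE_DNS.get(name)


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the RBL query name: octets reversed, then the zone appended.

    198.51.100.7 queried against rbl.example.invalid becomes
    7.100.51.198.rbl.example.invalid
    """
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, zones: Iterable[str],
               resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first zone that lists the IP, or None if no zone does."""
    listed_range = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in listed_range:
            return zone
    return None


def connection_filter(client_ip: str,
                      accept_list: Iterable[str],
                      deny_list: Iterable[str],
                      rbl_zones: Iterable[str],
                      resolve: Callable[[str], Optional[str]] = fake_resolve
                      ) -> Tuple[str, str]:
    """Decide whether to accept or reject an inbound SMTP connection.

    Returns (verdict, reason) where verdict is "accept" or "reject".
    """
    addr = ipaddress.IPv4Address(client_ip)
    for net in accept_list:                    # 1. accept list wins
        if addr in ipaddress.IPv4Network(net):
            return ("accept", f"accept list {net}")
    for net in deny_list:                      # 2. explicit deny
        if addr in ipaddress.IPv4Network(net):
            return ("reject", f"deny list {net}")
    zone = rbl_listed(client_ip, rbl_zones, resolve)
    if zone:                                   # 3. RBL hit
        return ("reject", f"listed in {zone}")
    return ("accept", "no match")


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the filter over a few constructed client addresses."""
    clients = ["10.0.0.25", "192.0.2.10", "198.51.100.7", "203.0.113.9"]
    return {ip: connection_filter(ip, ACCEPT_LIST, DENY_LIST, RBL_ZONES)
            for ip in clients}


if __name__ == "__main__":
    for ip, (verdict, reason) in demo().items():
        print(f"{ip:>15}  {verdict:7}  {reason}")
```

Because the accept list is consulted first, the listserv host is accepted even though the constructed DNS data lists it; that is the property the notes rely on when they say listserv mail is never marked as spam. Swapping the order of steps 1 and 3 would silently undo that exception, which is the main thing to check when such a filter is moved from the UFAD level to the IFAS servers.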
There were no objections to Dwight's desired changes, except that the distribution list change needs ITPAC approval beforehand.
Chris Hughes reported that IMF is currently set to 5. ICC supported that without hesitation.
The meeting ran late and was adjourned at roughly 5:15pm.