ICC logo IFAS logo


ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM December 11th 2009 REGULAR MEETING


A meeting of the ICC was held on Friday, December 11th, 2009 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-two members participated.
 
Remote participants: David Baudree, Bill Black, Dan Cromer, Francis Ferguson, Diana Hagan, Wayne Hyde, Joel Parlin, Mike Ryabin, Louise Ryan, A. D. Walker, Wendy Williams, and Matt Wilson.
 
On-site participants: Benjamin Beach, Micah Bolen, Dennis Brown, Andrew Carey, Dwight Jesseman, Winnie Lante, Steve Lasley, James Moore, Daniel Solano, and Santos Soler.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve had no membership changes to relate, but Winnie Lante reported that Stewart Colins has accepted a position with Nuclear Sciences. Andrew Carey noted that Stephen Clay has left FAWN as well. A graduate student of Dr. Xin's is apparently filling in on a temporary basis.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.

Newsletters of interest:

Steve wanted to point out several IT-related UF newsletters that can help IT support staff keep in touch with technology changes and innovations at UF:


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling

Steve assumes this is still a plan in progress, but Patrick Pettus was not available to comment.

Codian bridge replacement being investigated

Last month Steve neglected to ask Dan Cromer if any movement had occurred on this and he wished to revisit the topic for an update. Dan reported that he is working with Fedro Zazueta to create a proposal for some funds via the Office of Sustainability which would be presented to Ed Poppel for consideration. The proposal involves using videoconferencing to cut down on travel. Dan obtained a great deal of assistance from Irma Velez who gathered data on travel to and from East Campus for Bridges business.

Chuck Frazier has said that he will match the sustainability funds being sought. If obtained, a good portion of those monies would go for Enterprise Client Access Licenses (ECALs) for everyone. That would permit OCS to be used across the board. Another good sized chunk would go to a one year payment on a three year lease for the new bridge. This funding request also includes several round-table camera end-points, both for Bridges and HR here on campus.

Connecting to a bridged VC via Office Communicator

Yesterday Dan Cromer made some new developments available on connecting OC to bridge conferences.

Message from Dan Cromer to Video-L:
"Re: ICC meeting 10AM tomorrow *at ICS*" Thu 12/10/2009 1:36 PM


Central video support has implemented an alternative connectivity method connecting to bridged video conferences using Microsoft Office Communicator (OC). OC access must be specifically requested in the comments for any conference when this service is needed. This will be available for the ICC meeting Friday, December 11th. This feature, though it has been tested, is unsupported by Codian. In general, for those using a PC to connect to a video conference, using PVX is a better first choice, followed by viewing the video and audio stream using a Web browser, and calling the conference at 352-273-4999 for voice input. Using OC saves the cost of the phone call. I'm planning to write up more complete documentation, but here is a first draft:

  1. The UF Codian test video bridge has been registered with Microsoft Office Communicator (OC). Add it to your OC contact list by entering "AT-CDMCU-3" in the "Type a name" search box near the top of your contacts list. Right-mouse click to select "Add to Contact List", adding it to an appropriate group in your contacts.

  2. In your contacts list, right-mouse click the "AT-CDMCU-3" contact and click to select "Start a Video Call" from the context menu. When the AT-CDMCU-3 Conversation window opens, the screen will show the Codian menu, and the auto-attendant will respond with "Please enter the conference number followed by the pound key, or press star to create a new conference." This window does not allow direct mouse interaction, so the OC dial pad must be used.

  3. Click the "Display dial pad" icon on the tools toolbar in the conversation window, which is third from left on the second row of toolbar icons, and pictures an index finger poised above keys. The first icon on the left in this row is the "End call" icon.

  4. Using the OC dial pad, click the number shown on the screen for the conference desired, followed by the pound ("#") key. You should then be connected to the conference.

Any PC content (H.239) sent to a video conference isn't available via OC, though can be seen through a Web browser connection to the conference stream.

It turns out that a number of people used OC to connect to today's ICC meeting and they were able to see the content Steve pushed as well.

WAN transition to CNS (previous discussion)

Updates from James Moore

James reported that he should be available via e-mail over the holidays, so we can contact him as needed. Nick Smith is having a lot of LAN issues at Jay, so James plans to push their LAN upgrade to coincide with the router upgrade at Milton. Jay has been working off a conglomeration of old equipment (hubs, etc.) hung off a single HP4000 managed switch.

The first of next week James will be working with A. D. Walker to get the new router landed at Mariana; that is waiting on a WIC module. This will be the first site with two Internet connections where traffic is prioritized for voice and video over general data.

James will be working with Mari Jayne Frederick on the LAN in Homestead--which still doesn't have its new Internet connection. He also plans to get most of the LAN equipment configured for Joel Parlin in Balm and Plant City prior to the holidays; right after the break a full LAN upgrade is planned.

Citra continues to have coordination issues in getting migrated to a newer T1 connection. Those are slowly being worked out.

James has ordered 35 routers for various CEOs. He also said that Entomology's building 940 should get a Cox cable modem connection before Christmas and Louis Ryan has a new site coming up in Walton that should be done in that timeframe as well.

James noted that Ben Beach and Chris Leopold had been in Belle Glade recently deploying some network equipment (see photos).

James is still working with Comcast to get good pricing on new connectivity for Immokalee and Belle Glade. Jay will be getting a secondary Internet connection so a bigger router will be deployed there; this was unplanned, but money is available.


Policy


Financial Systems Upgrade

Steve noted that this is one of the large projects that currently has the attention of UF OIT.

ITAC-NI still meeting (previous discussion)

This month's ITAC-NI meeting was skipped at the request of Dan Miller. Previous meeting minutes are available via the web.

Course Management System Conversion to Sakai 3 (previous discussion)

Steve noted that a recent Academic Technology newsletter had an article by Doug Johnson on this move to Sakai.

myuf Market (previous discussion)

Steve wants to keep this on our agendas in case discussion seems warranted.

UF Exchange Project updates (previous discussion)

Dwight Jesseman's experience in Redmond

Please join Steve in congratulating Dwight Jesseman for earning certification as a Microsoft Exchange 'Master'. Impressive!

Dwight talked a bit about his 3-week experience in Redmond where he obtained this extremely special certification. He reported that it involved some very long days; no time off for the weekends. His hands-on experience at UF with Exchange proved very valuable as it gave him a deep working knowledge of the subject. Most of the other participants were consultants who did not have Dwight's day-to-day management experience. He was particularly impressed, however, with their wide breadth of experiences involving all sorts of unusual and unique configurations. His favorite of those involved a group running public folders across shipping container freighters floating around the world and keeping public folder replication in sync as they crossed time zones out on the ocean.

There was a lot of material presented in the mornings followed by labs in the afternoon. There was preparation for the tests all week long and they were given homework continually. Dwight spent each night consolidating his notes for the day so he wouldn't get behind. It was run much like a military bootcamp; if you were late you couldn't get into the room, for example.

Junk E-mail folder will no longer be populated by Exchange

Dwight Jesseman mentioned that one of the reasons he came today was to let us all know about a coming change involving their spam handling methods.

Currently within the entire Exchange organization by policy all messages are stamped with a Spam Confidence Level (SCL) and messages scored 5 and above are moved to the Junk E-mail folder. The hub transports within Exchange 2007 also are involved in the processes; this is where the IFAS and UF listserv messages have their SCLs set to zero so they don't end up in Junk E-mail.

Over the last year the Exchange group has been looking at situations where valid UF messages wind-up in recipients' Junk E-mail. The fact that mail relaying through ufl.edu is permitted internal to campus makes it difficult for Exchange to decide how to handle many of its incoming messages. A question about such false positives from the Law School brought this issue to a head and a decision was made to continue to score messages, but not deliver them to the Junk E-mail folder.

This new scheme would put the responsibility back on the clients. An individual could create rules that handle messages according to their SCL scores and/or turn on their Outlook client's Junk E-mail options. (This would be a change from current recommended practice of setting the client to "No Automatic Filtering".)

At Mike Conlon's instruction, this policy change will have to involve prior notification of our "heavy users"--similarly to the previous change in the Barracuda defaults. Consequently, Dwight took last week as a snapshot and determined the average number of messages sent/received across our 7500+ users. Dwight will be sending this data out to the support folks in the various units letting them decide who is a high flow user and determine what options, if any, should be taken for those. At this point Dwight expects the change to be implemented sometime in January. Afterwards, anyone getting messages in that folder can attribute it to the settings of the local Outlook client Junk E-mail options.

There are some reports of e-mails from whitelisted addresses being quarantined by Barracuda

Steve has noted this with one of his users and has documented one confirmed example. He was waiting on a recurrence before asking Dwight to make a call to Barracuda on the issue, but Dwight proceeded anyway. So far the folks at Barracuda cannot find an explanation.

Centrally funded Enterprise CALs not part of new Campus Agreement

Steve noted that the new agreement which was negotiated in November does not fund ECALs. Dan Cromer's previous news on funding efforts offers some continued hopes here, however. ECALs may be needed for such things as IFAS joining centralized Sharepoint effort.

New version of Barracuda pending

If you were observant you might have noticed a different Spam Quarantine Digest was delivered on October 12:

New spam quarantine digest

Notice the new "DELETE ALL DISPLAYED EMAILS" feature. On that day the Barracuda servers had been upgraded to firmware version 4.0.1.006, which account for this change. Unfortunately, the new version caused problems and they quickly reverted back to version 3.5.12.025. Plans for the upgrade are on hold until issues are resolved.

Office Communications Server (prior discussion)

While Dan previously announced his hope to fund 2000 OCS licenses for IFAS, his request apparently was not approved. That led to seeking alternative funding sources for meeting licensing needs for IFAS to join centralized SharePoint.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


Projects


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Status of login scripts with Vista and Windows 7

Message from Andrew Carey to the ICC-L:
"Login script updates" Thu 12/10/2009 3:30 PM


On Sunday, I will be updating the IFAS login script to address the incompatibilities with Windows Vista / Windows 7 and GPO login scripts. Following this update all Windows Vista and Windows 7 users should regain the ability to map network drives via login script while Windows XP users should not notice any change. Also, a new version of the printer mapping script that runs as part of the IFAS login script will be put into production.

The following enhancements have been made to the printer mapping script:

  • The script now accepts the print server name as a command line argument rather than being hard coded as it was previously. This will make it easy to use the same script to map printers on the new MPS servers as they are deployed.

  • The script now enumerates the printers on if-srv-print that a user has access to and compares that list with the printers that are installed on the local computer. If a printer that is installed on your local computer is not returned as a printer that the user has access to on if-srv-print, it is removed from the local computer. Only printers that are mapped from if-srv-print are subject to deletion (in other words, printers shared between computers or locally attached printers will not be deleted.)

  • The script now includes a Debug option which can be used to troubleshoot printer mapping problems. After a user is logged in, opening a command prompt and running “cscript \\ad.ufl.edu\netlogon\ifas\printers.vbs if-srv-print /debug” will run the script in a verbose mode which outputs status messages to the console as the script runs.

Please let me know if you have any questions.

Steve did a few tests on a Windows 7 x86 box with great results. The initial printer list looked like:

Original printer list

After adding himself to a group with rights to \\if-srv-print\eyn-hp6p followed by a logoff/on the list changed to:

List after permission change

Steve did have prior access to EYN-hpp4015tn, so he isn't sure why it wasn't listed originally. He can only assume the new script works better that the prior one. After removing himself from access to eyn-hp6p and performing a logoff/on, the list reverted just as expected:

Reverted printer list

At this point, running the test script via cmd-line with the /debug switch, Steve received this output:

Printer script debug output

The script is hard-coded to exempt from deletion three public lab printers with broad access which don’t map via this login script because they are not listed in the directory. Those are reflected in the debug output.

The script then pings the print server for availability; that ensures mapped printers are not deleted due to network or server problems and the script quickly exits if the server is not reachable.

At this point the script determined printers which Steve had access to on if-srv-print along with those locally installed. EYN-hp4300pcl6 was locally installed and not listed with if-srv-print; it was on the exclusion list, however and therefore not deleted. The other local printer, EYN-hpp4015tn, appears from the output to be re-installed, but it actually is just left alone; it would have been installed, however, if it wasn't already present locally. If access had been revoked for a locally installed printer served by if-srv-print, that printer would have been uninstalled.

Sometimes one might see other printers in the list, but which do not install; this is due to a mismatch between NTFS permissioning on the printer queue itself and on the print queue object in UFAD. If you do see those, please contact ITSA so they can correct the situation; this doesn't really affect anything client-side, however, other than accounting for "extra" printers in the debug output. Andrew Carey explained how this occurs to Steve via private communication prior to the meeting:

When creating a new printer on the print server, we set NTFS permissions on the printer which allows users to print to it and directory permissions on the print queue object in UFAD (the path to the print queue object for eyn-hpp4015tn is: ad.ufl.edu/UF/Departments/IFAS/-Central-IT/Servers/Building 120/IF-SRV-PRINT/IF-SRV-PRINT-EYN-hpp4015tn - HP LaserJet P4010_P4510 Series) which allows the printer to be “seen” and mapped at logon. By default, the permissions on the print queue are set to read for authenticated users – leaving it this way would mean that the logon script would attempt to map every printer on the print server every time a user logged on which would increase the load on the server and increase logon times. So we change it so that only the printer group for a printer (. IFAS-EYN-hpp4015tn) can read (“see”) the print queue. It is when this change of permissions on the print queue object does not happen that you see other printers in the list which do not install.

Steve hopes to document these changes to the login script (ufad\if-admn credentials required) sometime next week.

Mike Ryabin asked how this would affect the situation at remote sites. Andrew responded that all the remote MPS servers are currently print servers and it is expected that this script will be expanded to include remote locations as the new MPS systems are rolled-out (the script takes the print server name as an argument in order to support doing that). However, no site is forced to use the MPS as their print server if they don't want to and that will remain the case. Steve pointed out that using the IFAS print server has been extremely advantageous to him; he appreciates being able to add individuals to a security group and have the printer automatically map.

Windows 7 deployment - MDT demo

Micah Bolen has reported to Steve a couple of weeks ago that he had just completed his first LTI using MDT, bootable media, and a network deployment share. His test install included joining to the domain and restoring user state all in one step. As his next step he was working on adding applications into MDT. Steve had asked if he was willing to do a demo.

Unfortunately, Micah had difficulties with the demo. Micah said that he was going to document this in any case and he hopes to make screenshots of the process available at a later time.

The next Monday Steve received the following from Micah:

I am ready to move beyond a demo. Therefore, I have copied instructions ('Performing a Lite Touch Installation of x86 Windows 7 on a New Computer.docx') as well as all of the necessary resources to \\ad.ufl.edu\ifas\software\deploymentshare$, so anyone with an IF-ADMN-gatorlink account should be able to use them. I made this a read-only share, but you can make a copy of it and import into MDT and/or WSIM to make your own customizations. Of course, you will then need to reference your modified deployment share when following the instructions.

I thought that it would be best to wait on documenting how to perform a PC "refresh" (restoring user data) until cheaper network storage is available or if I can figure out how to automate a hard-link migration.

Also, this deployment share does not address driver issues because the Dell machines that I have been using for testing did not require that I manually install drivers- Windows just did it for me (lucky me). I was happy to find out that my Dell machines, for which an installation of Windows XP required the manual installation of network drivers, Windows 7 did not. Furthermore, once a network connection was established, the operating system did a superior job of going out and downloading the rest of the necessary drivers. I assume that this advancement in driver installation will steadily become the norm.

You will notice that Microsoft Office 2007 is available when you get to Step 16. In the near future, I plan to add all the other standard software applications (Adobe Reader, Flash Player, McAfee, etc.) to the deployment share.

One last note: I highly encourage everyone to verify that my instructions work as described before delivering any new computer to an end-user.

Windows 7 deployment - SCCM

Daniel Solano continues to investigate SCCM and is getting close to having something useful. Daniel is excited how SCCM allows maintaining just a simple base Windows OS image and supports adding everything else (applications and drivers) on top after the fact. This simplifies image maintenance tremendously. Only the network drivers are needed to bootstrap the entire process.

Daniel could use some help as well. He has been going it alone up to now and has only a single test machine. He is interested in finding folks with machines available to help test things, so please get with him if you are willing. He would need you to assign a static IP# to the machine and make sure a particular service account is added to the machine's local Administrators group.

Micah pointed out that two of the challenges which he was hoping to address are how to handle applications which may require the un-installation of an older version prior and how to keep installations "quiet" so users aren't prompted for input. The challenge here is that each application is different.

Daniel has created a bootable WinPE 3.0 WIM image with Remote Desktop and scripting support which he would be glad to share. Next week he hopes to have that available via PXE boot. This is the first step toward bare-metal OS deployment via the network.

Andrew mentioned that USMT integrates into SCCM. If we can figure out how to make that piece work, individual machine migrations would be greatly eased. There was some discussion about hard-link migration vs. storing that data out on the network temporarily; storage space would be a concern.

Regarding Windows 7 deployment in general, Steve would like to point out that Microsoft has made Deploying Windows® 7 Essential Guidance from the Windows 7 Resource Kit and TechNet Magazine available for free download.

Exit processes, NMB and permission removal (prior discussion)

Nothing further was available on this topic at this time.

Re-enabling the Windows firewall

Wayne Hyde has been working on a scheme for letting each OU control application of a centralized Windows firewall GPO. He plans to use the same scheme to allow OU Admins to control deployment of certain things (e.g., IE7 or IE8, large Service Packs, etc.) via WSUS as well. By default, the most restrictive firewall rules would be applied, but via populating a security group, OU Admins could address special cases.

Wayne has created an OU under IT called "TEST" and under that he has a "Firewall" OU where he's testing applying policy or firewall and WSUS via security groups:

OU for firewall and WSUS testing

He plans to make use of a number of GPO features, including: GPO link order (allowing trumping of GPOs linked higher up in the hierarchy), security group filtering (to permit OU Admins to control what machines are involved) and WMI filters (to control which platforms are affected).

Wayne wants to tighten the firewall rules to permit workstation file and print sharing only within the local subnet. We currently have between 600 and 700 machines within IFAS that are sharing printers and a greater number sharing files. File sharing concerns Wayne, but at this point he is trying to create a policy which works with what we have. Things are complicated, however, by the fact that some units span subnets. He may create a separate security group to control setting less restrictive firewall rules to address certain departments such as WEC.

Wayne is currently busy with infrastructure projects, however, so further work on this will have to be deferred until next year.

Services Documentation: Is a Wiki the way? (prior discussion)

Apparently, Academic Technology will not support secure sub-sections for the new UF IT Wiki. Consequently, Steve's hope for porting his IT/SA Services Documentation (ufad\if-admn credentials required) to that platform are thus dashed. Steve is still interested in planning for the long-term status of that important info; he noted that his tenure with UF will not extend past March of 2015 and he would like to move to a broader-based support model for that.

The new IT wiki is getting some press, however. Steve's main concern is that a clear commitment must be made by administration that this potentially valuable resource will be supported down-the-road. That is a bit of a "chicken and egg" matter because there may be little commitment until information is added and the usefulness of this resource is proven. Diana Hagan has created an IFAS page and along with Ben Beach has begun to populate that with links to various IFAS-related IT information.

Dan Cromer stated his belief that administration has committed to this project at the highest levels and Diana Hagan has been authorized to utilize some of her time to help with documentation efforts there. If anyone has any bulk content they’d like to post to the UF IT wiki, they can send her the file or the URL, and she’ll see if they can work it into their EDIS production team workflow.

There was some discussion as to who could access the site. Ben thought it was only accessible to IT staff, but that would mean it would be as inappropriate for end-user documentation as it is for unit-restricted documentation. Steve notes that the UF UT Wiki:About page specifies that the site is open to all employees; if so, then this may be the location for end-user documentation--with the caveat that most students would be excluded.

Dan Cromer pointed out that the paradigm envisioned for use within the Wiki does not involve a hierarchical structure, but rather search would be used to locate topics. Steve mentioned that it would take him some time to become accustomed to that; he has generally been used to a combination of structure and search.

Steve mentioned that he still wants to find a place to port his documentation prior to ending his tenure at IFAS in roughly five years. He would like to move this to a Wiki where updating could be handled by multiple folks as he feels that would give it the best chance of being maintained and growing for the long term. Daniel Solano suggests that Steve begin using SharePoint for this, pointing out that SharePoint could serve all the same purposes as the current ICC web site, but in an easier fashion. Steve prefers to wait until details of a IFAS merge with a centralized SharePoint are worked out. His main concerns are that what he ports be secure from loss and that it not have to be ported yet again for quite some time.


Operations


Membership of “. IFAS-ICC” email distribution group to be narrowed to ICC members only

This implementation will formalize what has been Steve's intention since August of 2005. This matter is also the reason for the extra verbiage that is appended to the monthly meeting notices which are sent out both to the ICC-L and the ". IFAS-ICC" distribution list. If we all agree then that wording can change somewhat, but announcements will continue to be made via both methods in order to reach all interested parties.

Andrew pointed out that we all need to be aware of this so we realize that the ICC distribution list scope has been narrowed. General questions should continue to go via the ICC-L in order to reach the broadest audience; the ICC distribution list would be appropriate for outage notices or other matters of concern to local IT admins.

Dwight mentioned that the ICC meeting notices are sent from that list and was concerned that me might not get them as a consequence. Steve will request that the ". IFAS-ICC-fans" security group be mail-enabled so he can add others such as Dwight into those notices using that group; the idea is for that group to contain all ICC-L subscribers who are not in the ". IFAS-ICC".

P2P and its relation to security concerns

Mari Jayne Frederick had posted a question to the ICC a week ago regarding P2P software in relation to identity theft. This came from TREC's HR person who had attended a recent IFAS Fiscal, Administrative and Support Personnel (FASP) meeting. That person also related that "UF does not have P2P encryption because it is too costly". Steve was curious about the underlying issues.

Donna McCraw attended that meeting as well and speculated on the source of the concerns. Apparently, Susan Blair from the UF Privacy Office gave a presentation to FASP on safeguarding sensitive information. Donna reported Susan mentioning that someone installed P2P software in order to share some family photos, and accidentally shared the entire hard drive. Susan recommended against having P2P software installed. She also discussed VPN, so Donna thinks some attendees may have confused P2P with VPN--that may somehow explain the mention of encryption.

When Mike Ryabin responded that he believed P2P traffic is monitored by UF IT Security, John Sawyer answered that this is only done in a limited sense. They don't monitor for content (because they can't with many P2P protocols). Instead, they monitor for traffic and notify when it is seen since there is limited legitimate use for it. At this point, it is just a warning. Of course, bad things happen when they've sent notifications repeatedly and then get a notification from the RIAA/HBO/Universal/etc about the sharing.

IFAS efforts toward Green IT (previous discussion)

Green IT project at WEC

In case people missed it in last month's notes, Steve wanted to point out Tom Barnash's e-mailed mention of a WEC Green IT project.

Recommendation request on the horizon?

Steve asked Dan Cromer if he had a timeframe he was looking at with regards to an ICC recommendation on this matter. Dan responded that he didn't have a particular timeframe nor was he even sure a recommendation/policy need be called for; we can implement things as seems fitting outside any such formal structure.

Potential substitute for WOL with Dell boxes?

Steve noticed a post this Tuesday to the Patch Management Mailing List that mentioned:
"For those that have a mostly Dell shop, and cannot use WOL, the Dell Client Configuration Utility works wonderful [sic] to configure an "Auto On" in the Dell BIOS that's independent of WOL. You can use this utility to configure the BIOS settings into a deployable EXE to clients."

Steve wasn't aware of Dell BIOS settings for waking up computers. He asked if anyone in the ICC had used this utility, which would seem to be most useful when using the Dell Management Console to manage machines overall.

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future?

Chris Leopold had reported to Steve that this would have to been implemented at the UFAD level. Andrew said that the need for IPv6 might be a deal-breaker. Steve responded that IPv6 is being routed at the core currently and CNS has a plan for getting that implemented across UF.

When Andrew pointed out that we would need a population of Windows 7 boxes in order to take advantage, Steve noted that some of our county sites who currently require VPN might be good candidates for early adoption; a relatively small number of machines would be involved in such cases.

More information is available in the DirectAccess Early Adopter's Guide.

Moving away from the IFAS VPN service (previous discussion)

Steve asked Wayne Hyde if a timeframe had been set on moving the numbers handed out by VPN to private IP. Due to staff time constraints that will have to wait until next year.

VDI desktops as admin workstations(previous discussion)

This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.

Wayne's Power Tools (prior discussion)

Wayne has been considering developing tools to report on machines which are sharing files and printers. He is also interested in providing a way to look at software installations across all machines in an OU. This latter issue resulted from earlier P2P discussions. If only Wayne could clone himself! [w/o extra pay of course]

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

As with so many things in these times of inadequate staffing, finding time for implementation is proving difficult. Steve did want to remind folks that Andrew has a good plan for dealing with this which he simply has had no time to address.

New MPS/DC testing

Steve planned on asking for an update.

Core Services status

Updates as offered

ePO updates

New agent available for testing; new VSE patch, hotfix and engine being pushed

Status update

Status of SharePoint services (prior discussion)

IFAS throws financial support behind centralized MOSS

Mike Conlon is asking a number of units to provide monetary support for a second FTE so that centralized SharePoint services may proceed. To that end, Dan Cromer has pledged $6000 per year (including $3000 for the remainder of this fiscal year).

The new service is being called UF Connect. Units that contribute to UF SharePoint will receive the following services:

  • SharePoint 2007 service and capabilities including distributed service administration and access control
  • Upgrade to SharePoint 2010 anticipated within the next twelve months
  • Unlimited creation of workflows, and work spaces
  • Full integration with UF Active Directory and UF Exchange, including OCS and presence
  • End User support by the UF Help Desk
  • Platform, developer and integration support by UFAD
  • Off site system backup, disaster recovery and hosting by Computing and Networking Services
  • Enterprise class item level restore capability using AvePoint
  • Enterprise scale architecture developed in collaboration with Microsoft
  • Optional university branded templates for rapid professional grade work space deployment

There are no usage fees, rather this is an annual rate. The remaining cost of the service, approximately 2/3 of the total cost, will be provided by UFAD.

Mike Conlon has stated that, with significant adoption, SharePoint will be added to the list of services provided and funded by RCM. Should that occur, unit support would end and the service would be offered to all of UF.

There are many issues to be worked out with regards to migrating our current SharePoint into the centralized serviced according to Ben Beach. Apparently our structure (12 databases involved) was a surprise to Michael "Buck" Buchholz (the current 1 FTE assigned from the UFAD group), as the plan was to offer units a single database each. The size of our database(s) may be an issue as well; it is already larger than many envisioned. Ben also said that we wouldn't necessarily have to use MOSS (with comes with CAL requirements); rather we might continue to use basic SharePoint Services. We will know more as discussions evolve.

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...

Microsoft

The December Microsoft patches included 3 critical and 3 important updates for Windows. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".

Adobe

An update to version 10.0.42.34 is available for an Adobe Flash security vulnerability.

Aging out of old MS OS versions

Microsoft will officially end support for Windows XP SP2 and Windows 2000 on July 13, 2010. While Microsoft will likely continue to issue important security updates for XP and 2000 after this time, it will no longer issue service packs or other non-critical updates.

Malware mapping

You might be interested in McAfee's latest Mapping the Mal Web report. The five riskiest top-level domains are .CM (Cameroon), .COM, .CN (China), .WS (Samoa) and .INFO. With sites hosted in the Cameroon domain there is a better than one-in-three chance that malware lurks within. That sounds scary enough until you realize that .COM is only marginally better.

MS Office News update

Microsoft has released the Beta version of Office Professional Plus 2010. Articles are beginning to emerge on what's new in Office 2010 and not so flattering early impressions of Outlook 2010.

Dwight reported that this is a one-way street; once you move to Outlook 2010 there is no going back. Dwight said he didn't have the details, but apparently if you upgrade (for example) to Outlook 2010 on your laptop, your copy of Outlook 2007 on your desktop will no longer connect. The only remotely similar mention Steve was able to find on this was here.

Note: later the next week after Steve asked for clarification Dwight responded: "I have 1 report that it was a problem and 4 reports that it is not a problem to have OL 2010 beta and OL 2007 and OL 2003 connecting to the same mailbox. I cannot find any MS reports of it being an issue."

Dwight spoke briefly about his plans regarding Exchange Server 2010, which will involve a new deployment--not an upgrade.

One major change with Exchange 2010 involves the way clients connect to the mailbox servers. Currently our Outlook clients make a direct connection to the associated mailbox server, while our CAS server hosts things like OWA, ActiveSync, Outlook Anywhere and IMAP. With 2010, the CAS server will also host the MAPI Outlook connections. This allows for a flexible configuration and easier resolution of single database server failures. The database servers can be configured as redundant groups so should one server fail the database can be brought up on another and the CAS server can simply direct clients to the new resource. A single database going down will no longer require migrating the server.

Another major change will be in our disk structure. Currently we are using RAID 10; we will be moving to JBOD. The new system will involve very large (1-2TB) SATA disks which will each encompass an entire mail store. We will probably have four clusters (nodes) in the Database Availability Group (DAG) with two in one data center and two in another, load balanced. Via the use of these considerably less expensive disks, the Exchange FC storage requirements will go down drastically. Dwight hopes this upcoming change can lead us to the eventual removal of our Mail Meter archiving scheme.

Yet another change will involve splitting each user's storage between an on-line mailbox and an on-line archive. Such a separation permits managing the size of the .OST (off-line storage) files on the clients; the trade-off is that messages within the on-line archive would only be available when connected (and of course via OWA).

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status

Dan Cromer said that Adam Bellaire, who developed the IFAS Remedy implementation, has been on family leave for several months. Upon his return in January Dan hopes to get Adam to adapt our site to the new UF interface and configure that so we can shuffle tickets back and forth with CNS with regards to the WAN, etc. Dan is hoping to get feedback from the ICC on that as it progresses.


Other Topics

Centralized FAX service via Exchange

Dwight wanted people aware that they are trying to build-up grassroots support for a centralized FAX service based on XmediusFAX. There are currently two deployments here, one in HSC and the other with PeopleSoft.

How it works

In-bound FAXes (to particular numbers) reach the XMediusFAX server which then forwards the FAX to your e-mail inbox. Sending an out-bound FAX requires sending a message to a special "[fax#]" address with the material to send as an attachment; there is an extensive list of attachments which the system can handle. Alternatively you can just place text in the body of the e-mail message. You can also have the in-bound FAX go to a distribution list. Dwight also mentioned that there had been some discussion about VoIP users being able to use a single number for both voice and FAX, with the system distinguishing between the two in-coming types and routing accordingly.

Besides using Outlook, there is also a web interface at http://fax.ufl.edu.

Steve asked about the costs but Dwight had to defer on answering that; then Steve asked about the financial support model--separate from the actual costs themselves. Dwight responded that this would be a monthly fee and that there would be associated long-distance charges as well. Steve pointed out that will their new VoIP deployment at Entomology, FAX machines were already costing us $11/month each [ATA charge]; that cost could certainly be applied to this new schema.

Dwight knows that the College of Law is interested currently and he is trying to locate others. He said that interested parties should contact Erik Schmidt and express that along with the number of lines which might be needed. This would allow Erik to make a business case for further adoption. Many of the ICCers believed their own units would be interested and Dan Cromer added that he is watching this closely. Cost is the main concern, but he is very much in favor of it. He feels it should be offered at the UF-level as a central service, but he is even willing to investigate pricing on an XMediusFAX service for IFAS.

Dan suggested to Steve that he might develop an ICC recommendation on the matter which we could all support and raise to ITPAC for further consideration.

Clearing IE cache cures campus VPN woes?

Dan Cromer asked Louise to relate how she had fixed a problem which Pete Vergot was having connecting with the Campus VPN. Apparently, clearing the IE cache (cookies? history?) somehow fixed the problem and Dr. Vergot was able to connect.

Keyboard short-cuts

Steve wanted to point out a complete listing of Windows 7 keyboard short-cuts which he had heard about. Some of those are completely new to that platform. He also recently learned about the KeyXL online keyboard shortcuts database which is a cross-platform collection of keyboard short-cuts.

SMB v2 re-enabled?

SMB 2 had been disabled on our file servers due to a remote code execution vulnerability. Steve meant to ask if that has been reversed now but forgot (again).

PDF-Xchange (prior discussion)

We did not discuss the matter this month, but Steve would like to leave it on the agenda.


The meeting was adjourned two minutes early at 11:58 AM.