IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM June 9th 2006 REGULAR MEETING
A meeting of the ICC was held on Friday, June 9th, 2006. The meeting was chaired and called to order by Steve Lasley, at 10:01 a.m. in the ICS conference room.
PRESENT: Nineteen members participated.
Remote participants: Tom Barnash, Trish Capps, Francis Ferguson, Chris Fooshee, and Mike Ryabin.
On-site participants:
Dennis Brown, Dan Christophy, Marion Douglas, Diana Hagan, Joe Hayden, Chris Hughes, Dwight Jesseman, Winnie Lante, Steve Lasley, Ligia Ortega, Richard Phelan, Marshall Pierce, Mark Ross, and Joe Spooner.
STREAMING AUDIO: available here
NOTES:
Agendas were distributed and the meeting was called to order at approximately 11 AM.
New members:
Steve mentioned that Dwight Jesseman's recent posting on the ICC-L concerning Polycom passwords prompted Trish Capps, Educational Media Communications Coordinator at WFREC in Milton, to sign up with the ICC. Trish has a background in cognitive science with considerable experience in usability testing. We were very pleased to have Trish join us in this meeting and look forward to her continued involvement. Maybe she can encourage Richard Faulk, who provides IT support for WFREC, to participate as well. The more the merrier.
Recap since last meeting:
Steve pointed folks to the notes of the last meeting, but did not go into any particulars of that.
A visit with Ligia Ortega about the IFAS Web Team:
Ligia began by saying that, traditionally, there has been no overall management of the IFAS web presence. There are over 700 websites in IFAS and they are each doing their own thing. This has created a lot of confusion for our clients and has obscured the fact that IFAS is a single (though large) entity. Because of the lack of uniformity, people often don't realize they are using IFAS resources when visiting our various sites. It also makes it difficult to demonstrate to the legislature the true depth and scope of our IFAS programs. As a starting point for solving this issue, Solutions for Your Life was created as a resource for our extension agents. This site is intended as the hub for all IFAS Extension information.
Originally, Solutions for Your Life was intended as a solution for Extension only. Our new Research Dean, Dr. Mark McLellan, is very interested in this same format for IFAS Research Administration. Dr. Kirby Barrick, new dean of UF/IFAS College of Agricultural and Life Sciences has agreed that this format would work for departments as well, but it is currently not mandated. The only thing left is for Jimmy Cheek to approve this for becoming the "look and feel" for IFAS.
There is currently no mandate for an IFAS "look and feel", partly because of changes that are coming regarding web presence at the UF level. Ligia is very hesitant to adopt a mandatory standard at this time because of concerns about changes which might be pushed down from the UF level. In the interim, Ligia is providing templates for websites which meet various guidelines (accessibility, etc.). Over 70 offices have requested the templates so far. Ligia is finding that assistance is needed in implementing them in many cases, so a quick out-of-the-box solution is not possible.
Steve asked if it was mostly county extension offices (CEOs) that were asking for these. Ligia responded that the requests have come from across IFAS. HR has asked for them, as have several departments.
In response to a question from Joe Hayden, Ligia reported that, though her office is physically under ICS, she really works across all of IFAS. Her interest in all aspects is evidenced by her participation in the ICC. Steve asked about the organization of the web team, referring to a proposed organizational chart from page "D4" of the 2005 IT TaskForce Report. Ligia stated that they are still in transition. The challenge with Solutions for Your Life was to get good content. A lot of footwork was involved in meeting with people across IFAS to get the best content possible. While doing that, they were also busy cleaning up the templates, which had various problems at the time Ligia accepted her position and are now HTML Strict, providing clean markup that is free of presentational clutter. They did an internal launch in March to make IFAS, particularly the extension agents, aware of this project. At this point they are involved in making the templates available throughout IFAS and assisting in their implementation. The style sheets for these are going to be housed on their own servers so they can control that aspect, and Ligia believes ICCers may soon begin to get questions from their units about these matters. Thus, Ligia felt the timing was good for her to present this information to us.
Ligia stated that they have developed "goal and focus" teams to assist in keeping the content for Solutions for Your Life up-to-date. These groups are composed of faculty members and extension agents from all IFAS departments.
Dwight Jesseman raised the issue of allowing website redirects. At the May ITPAC meeting this practice was seen as useful, but Dwight felt that it was contrary to the best interest of IFAS regarding marketing the IFAS "brand". Chris Hughes believes there is a clear UF policy on this, but the policy to which he referred is honored by the sort of redirects that were discussed at ITPAC; those were redirects from a purchased domain to a UF domain that is within the policy guidelines. However, there is an issue in that http://solutionsforyourlife.com is not a redirect. It was suggested that it should be implemented in such a way that the resultant address displayed was http://solutionsforyourlife.ufl.edu. Ligia indicated that that was certainly the intention. It is notable, however, that IFAS is still nowhere in the address in any case.
Ligia outlined her current staff for us. They have a "web writer". Sarah Graddy is currently handling that position, which is in charge of researching content, making sure that things get placed in the correct position and working with the various contacts for that information. Scott Weinberg is their web designer. He helps, for example, with the Flash pieces that are used on the site and currently he is assisting with training on how to use the templates. Jennifer Hugus, who has a background in instructional design, is also involved in this training. Liz Felter also comes to their meetings each week. She has numerous contacts throughout IFAS Research and Extension and serves as an invaluable liaison in locating IFAS contacts for various content topics. Ligia also has a couple of OPS employees who are assisting the smaller CEOs in getting their content published.
Ligia then spoke of the intention to get a content management solution for IFAS. Currently, they are in the needs assessment stage of that project. Ligia has been asking various people what their needs are in that regard, and one of the topics that has been raised repeatedly is the need for a secure space for workgroup activities. The requests involve a means for collaboration and file sharing--most of which involve the need for shared databases. Ligia soon plans to send a request for input on this to all of IFAS. Mark Ross mentioned that SharePoint was a solution for that, and Dennis Brown said that they had implemented it on their own in their department simply because it wasn't available centrally. Steve reminded the ICCers that they can exert influence in their own departments to see that the needs which they personally might feel are important are addressed. It is this ground-up method of influence where we can be most effective. Ligia's goal is to find something that is easy to use and that meets most of the needs out there. She was careful to note that she intends to involve IT in this to make sure that the solution is something which we can actually implement and maintain long-term. Ligia feels that, after initial input is received, we will need a committee from all corners of IFAS on this issue--including people from the technical side. They hope to finish the needs assessment over the summer, do some testing late summer or early fall, and implement in winter or early spring.
Ligia said that there have been discussions of a content management system at the UF level, but the timeline on that is quite hazy and far off. There has also been talk of creating a new position to oversee web matters for all UF.
In response to a question from Steve, Ligia said that Jack Battenfield, Director of External and Media Relations chairs a web oversight committee that has been shepherding the Solutions for Your Life project since prior to Ligia's involvement. Joe Spooner is another participant in that.
Dwight asked for a demonstration of how to get to the various county extension sites via Solutions for Your Life. Those are available from the "Local Offices" link on the main menu, which goes to http://solutionsforyourlife.com/map/index.html. From there, the various CEOs are linked. The individual CEO sites are being moved to the new template, but that is still a work in progress.
Ligia also mentioned that the main IFAS website http://ifas.ufl.edu will be turned into more of an "intranet". This will become a place for announcements and information for internal use.
Policy
IT Governance sub-committee status report
Chris Hughes reported that the committee has not met again yet, but he hopes to meet soon to digest some of the information from the IT Reorg Retreat. Steve mentioned that if Polycom access is provided, they might want to use the Radvision and notify the ICC, as there may be a number of folks that would be interested in listening in.
Recommendation: autogroups for *selected* roles
This issue is on the agenda due to Mike Conlon's mention at the 19 May 2006 ITAC-AD meeting (ref. audio stream) that autogroups would be created in UFAD for the various UF Security Roles. By themselves, such autogroups would be of minor use to IFAS, but if selected roles could be cross-referenced to OU we could make great use of them. An example might be for contacting all IFAS Directory Coordinators. Dan Cromer had mentioned to Steve that the ICC could assist by suggesting a few roles that would be most useful. Dan would then forward our recommendation to ITAC-AD, of which he is a member. Please look at the available roles and consider which ones might be most useful for us. This is another opportunity for the ICC to influence for the better how things function within UFAD--so let's take advantage of that.
Projects
IFAS Remedy System
Steve mentioned that there is an issue with e-mail notifications. When submitting a ticket at http://support.ifas.ufl.edu on behalf of one of his own users, Steve noticed that the Help Desk does not receive e-mail notification. This is in spite of the fact that Steve has http://remedyassign.ifas.ufl.edu configured to assign tickets to the IFAS HelpDesk (see The IFAS Remedy System -- ufad\if-admn credentials required). Notification should always go to where the assignment is made, with optional notification to the OU Admin if so configured. In Steve's case, he gets the notification (as expected, since that option is selected) but the HelpDesk does not (though the ticket is assigned to them).
Dan Christophy had asked Dan Halsey and Dwight Jesseman to look into this, but without result. Separately, Steve has e-mailed Adam Bellaire on the matter because he feels it is a logic problem at that end; unfortunately, Steve has likewise received no response. Steve encouraged Dan Christophy to try to continue to follow up on the matter. It was also suggested that we begin a list of other features which we would like to have considered. Dennis Brown, for example, mentioned that tickets are often closed without notification to either the user or the OU admin. Currently such notification would have to be handled manually by Help Desk personnel--and in Steve's experience it often is. It might be better, however, to have the system send an automatic notification to the person who submitted the ticket and optionally (again based on the http://remedyassign.ifas.ufl.edu settings) to OU admins.
One other small annoyance, which could be corrected by Daniel Halsey were he willing, is that the list of admins on the main http://remedyassign.ifas.ufl.edu page is not in any reasonable order. This makes it hard to find your own entry in the long list available.
Vista TAP and Vista Deployment via SMS and WDS
Chris Hughes reported that WDS is set up to deploy Vista to all of campus--with the exception of Mark Ross who has his own RIS server. The process is enabled via our DHCP server which will respond to PXE boot requests. The process has a few glitches currently and the automated build is not 100%. Machines built via WDS are populated into UFAD at "ad.ufl.edu\UF\Departments\IFAS\-Central-IT\WDS builds" (viewable via ADUC on an Admin Workstation). All OU Admins have rights over that directory and may go in and move machines to their own OU after they have been built. As part of the build process, the SMS client is also installed on all these machines.
With the SMS build, OU Admins may add programs to the machine as well. If you go to the Control Panel > Programs you will see a selection for "Get Programs". Chris said there will be an option to install all available programs, but currently FrontPage and Office are set up there. The Office install is minimally configured to set up Outlook to work with our Exchange server. OU Admins can set up their own transforms using Group Policy on their OU. Further packages will be added as testing progresses and WDS will be added to remote sites sometime after August 1st when the server software and hard drives are upgraded on the multi-purpose servers (MPS).
The process for trying this system out is fairly simple. You first should ascertain that the machine you are using is capable of handling Vista. Then you go to the BIOS setup and configure the machine for PXE boot. This is usually an option for the network card that is not on by default. Once that is done, you press F12 during restart (on Dell machines anyway) to get a boot menu. You select the on-board network controller, which will do a PXE boot to the DHCP server that runs WDS. You will get the message "Press F12 for a network service boot". That initiates the transfer of a Windows PE image to your machine that is the setup program for Vista. The build process takes roughly 20 minutes on campus and may be slightly longer off-campus because the MPS are slightly slower. Currently the process ends in an error, but once MS fixes things, the machine will end up logged on to the desktop as the "if-svc-wdsuser" service account.
The image has a few problems. The administrator password is not set properly, so you will have to reset that password. Also, the first login does not work properly. Though there is not an automatic login at this time, all OU Admin accounts will have access to log on to the machine. When you move the machine to your own OU, all your normal group policies will take effect. McAfee VirusScan currently does not load and throws up an error after login. Until that is resolved, we won't be pushing Vista out to real production for users. The current WDS build does not correctly identify 64-bit machines, so it loads the 32-bit version of Vista. There are open incidents with Microsoft for all these problems and Chris will notify the ICC-L as they are resolved.
Chris hopes that every unit will take the opportunity to test this system and let him know what works and what doesn't, along with what problems you might have with the build process and what you would like to see improved. Currently we just have a fresh install, but an upgrade install will be made available. The coming BDD tools will do a user-state backup of the machine, a full Ximage backup of the machine, then reload the machine and restore the user-state onto the machine. If any of that fails, it will restore the backup image to the machine. This is a process that will be set up in SMS. If you add a computer to a group it will launch that process and then you may take it out of that group the next day.
For SMS installations, units will have two options: an advertised option and an install option. These two options are implemented via security groups that exist in UFAD at "ad.ufl.edu\UF\Departments\IFAS\-Central-IT\software" and are prefixed with either ". IFAS-SOFT-ADVERTISE-" or ". IFAS-SOFT-INSTALL-". If you add computers as members of the advertised group, the software will show up in all your users' Add/Remove Programs. If you add computers as members of the Install group, it will automatically install those programs at the first available opportunity. Thus, you may easily deploy software to all the computers or to select computers in your unit. We need to remind people that they need to be licensed for software before they install it--especially if they have a lot of it advertised in their Add/Remove Programs.
A VHD image base install should be available soon, hopefully by next Tuesday, that may be run using Virtual PC. This should give folks at remote sites a means of testing Vista prior to WDS deployment being supported on the MPS.
Steve asked Chris how much work went into this on his end. He would only say "lots". This system runs basically off two machines, the SMS server (which is on the MOM backend) and the DHCP server. Each of the remote sites will also have a DHCP server involved which will also be an SMS remote distribution point. Currently, SMS software downloads the entire package and installs from the local source. Chris is debating if it should rather just install from the SMS server and is currently leaning that way. With Vista, all images and patches are in a WIM format. This format supports merging packages together. When a patch comes out, you simply do an "xcopy file1 + file2 /m" to merge the files and install the package. There will be a script so that whenever a patch is downloaded to the SMS server, it will be applied via that method so that when you build a new image it will be patched with the latest patches. For the Office applications there are two options. One is to update the SMS package and re-advertise it, which would push the updated patch out to all clients that had it installed. Another option is to have WSUS do the patch after the machine is built. Chris intends to configure things so that machines in the WDS folder will contact WSUS on boot-up and do updates. Since non-MS packages would have to be updated in SMS anyway, Chris thinks that doing updates that way, for consistency's sake, might prove to be the best option.
Dwight asked whether it would be necessary to place machines behind a firewall during build time, and Chris replied that it would not, because WDS builds from a patched image.
Joe Hayden asked about firewalls and their effect on this. Chris said WDS works over TFTP, which would have a potential for problems with firewalls--though exclusions would no doubt be set; but the download of software with SMS uses BITS which is just HTTP traffic.
Mark Ross reported that, beyond the issues he had running an older version of SMS, RIS was also difficult to configure. This was made more difficult by Dell's use of Broadcom and Intel NICs that are non-standard and have problems with RIS. Joe Hayden also mentioned that his work with SMS was somewhat frustrating. Chris said that the newer version of SMS is improved and SMS 4.0 will go even further.
Removal of WINS
Chris Hughes reported that removal of WINS is still pending. The script has turned out to be a lot harder than Chris had anticipated.
New IFAS IP Plan
Steve noted that Chris Leopold wasn't able to attend today to speak to this matter, but mentioned that most of us had likely been working with Dwight to get this done. Steve mentioned that his old subnet is now completely free except for one public address used by Joe Hayden for the HVAC system.
Steve did want to point out that he plans to use the Project title links in the agenda to refer to the most recent prior related discussion section from the ICC notes. Those note sections will in turn link back to the previous discussion and so-on to provide an easily accessible history of our discussions regarding that project. Currently, that has been implemented for the "Remedy" and "New IP Plan" projects on the latest agenda.
Re-enabling Windows firewall for IFAS (GPO: IF-Firewall-Windows Clients)
This is still waiting on the IP renumbering.
Move to IF-SRV-WEB
Marshall Pierce was available to speak on the progress of the web server migration. He related that the project is proceeding fairly well. There were some issues with the original migration process copying over to the incorrect path on the new server. Steve asked about feedback from web admins. Marshall said he doesn't think most of them are as thorough as they should be in their testing. Marshall estimated that \\if-srv\web02 is 50% complete and he intends to start on \\if-srv-web01 prior to finishing that. Marshall intends to do the worst-case sites first because Chang is leaving soon. So far Chang has not modified any sites, but that should quickly change. Marshall believes there will be less to fix than most of his colleagues expect.
Exit processes, NMB and permission removal
Prior exit procedure discussion. Dan Cromer was unavailable to speak on this topic, but Steve had heard no news of progress.
listserv confirm settings
Steve had heard no news on the matter, however, Dwight mentioned that Dan Cromer had e-mailed Dr. Larry Arrington trying to encourage him to get the deans to move on this.
Operations
Correcting out-of-compliance (Gatorlink credentials required) IFAS computer names
Chris Hughes had wanted to reinforce the fact that the remaining roughly 400 machines that are out of compliance will be forcibly renamed very shortly. The deadline was June 1st and it may very well be done on Monday. Once that is done, a reboot will be forced on login for those to enforce the name change. Chris is aware of one exception which may need to be granted for Joe Hayden,
Easing client access to \\ad.ufl.edu\ifas for co-managed computers
Marshall Pierce had mentioned at a past staff meeting that he wished to re-visit the drive letter mapping standardization issue. He did not seem too anxious to follow up on it at this time, however. He mentioned that the 4H Blue Ribbon program is the only application that would really be affected by this.
Mark Ross again noted that drive letters are going away and there may be better ways to handle this. Steve asked if Chris Hughes intended to implement a script he developed to add a Network Places shortcut to \\ad.ufl.edu\ifas for co-managed computers. Joe Hayden said he didn't want that, and so it will be left for each unit to do that for themselves, if they wish, by adding it to their local login scripts.
Joe Hayden complained about a large number of printers showing up for his users yesterday. Chris Hughes was concerned that this wasn't reported so that it could be fixed. Steve and Dwight didn't see how it could even be possible.
The only known time such a thing might have occurred was during a problem a couple of weeks ago where the power went off in Columbia County and the DC was off for the weekend. When the DC came back on line, it did so before the router was on line. Through a process called printer pruning, the DC decided that the printers had been unavailable for 24 hours and removed them. Once those changes were replicated to campus and the print server saw they were deleted, it added them back in. The security settings that had been on the printers were no longer there, so anyone who logged on got all those printers installed.
Once someone reported the error they went in and corrected the permissions and also disabled printer pruning on the print server. They have considered temporarily adding a script to remove inadvertently installed printers, but have not done that yet. Chris may add that Monday for a short while to help clean up any problems that may have occurred to date--and then do that once a month or so to eliminate any continuing problems.
Once a printer is created on the server, the permissions must be modified in the UFAD advertisement to remove authenticated users. Consequently, there will always be a slight window of opportunity for someone logging on to hit things at just the right time to get an inappropriate printer installed. Chris mentioned that a delay could be added whereby the script checks to see if the printer had been created in the last 5 minutes, and if not, skip the installation. This would also delay the process a bit, of course. No one seemed to feel it was important to pursue that.
Polycom maintenance & security standards and procedures
This topic was added due to recent discussion on the ICC-L. Steve didn't know how important the issue was to everyone, but he felt that perhaps we need to get Patrick Pettus and Justin Stone involved with Wayne Hyde to review security procedures for Polycom units--especially the Windows-based iPower 9000 series units. In Patrick's defense, he doesn't have a background in PC desktop support and security--though perhaps Justin will bring more expertise in that area now that he has joined that group. It is likely that nobody had really been assigned the security responsibilities before now, and that matter should be investigated and corrected. Steve thinks this will be simple to correct via better communication among our various IT sections.
Mark Ross mentioned that this is an issue with any embedded OS device, as the vendors generally do not encourage patching and the like. Trish Capps chimed in from Milton saying that it was an extremely important issue to her in trying to use that equipment to support students in the "hinterlands". She said that they could use all the brainpower they could possibly get in moving toward some solutions. Trish also agreed with Mark that vendors should be pressured to provide us better security options. She also mentioned that she and Richard Faulk had talked about password security on Polycoms with Patrick, and he agreed with the points Steve had made via the ICC-L about universal passwords being unwise.
Joe Hayden mentioned that he is seeing more and more of these "unpatchable" embedded OS devices--yet they are often on public IP addresses so remote vendors can provide support. A brief discussion followed on various methods of securing such devices through ACLs on managed switches. Anyone having such issues would be wise to discuss them with Wayne Hyde to see what options might be available.
Chris Hughes did a little web research and found that Polycom does make stateful-inspection firewall devices and does have documentation on their site detailing the port requirements. He mentioned that this may be an issue that we are just not keeping up on as to what is available from Polycom. Steve wondered if perhaps Claude King might have further information along these lines, because he seems to keep up fairly well with Polycom technical issues.
Steve pointed out that many of those responsible for the Polycom units at remote sites are not IT-oriented. Examples include Trish Capps at Milton, Robin Koestoyo at Ft. Pierce and Wendy Meyer at Homestead. Many did not realize that they could simply put the IP address of their Polycom into the address field of a web browser and access a web interface to that device. Without passwords, anyone could manipulate those from anywhere. Perhaps we need to do a better job of keeping them informed of these issues. Involving them in the ICC is a start, and Steve is very pleased at Trish's participation.
Other Discussion
Joe Spooner's marvelous web gadgets:
Joe didn't really mention it, but you should be aware that his RSS to HTML processor is now in production.
Joe demoed another gadget that he is working on: an IIS-friendly ASP.NET-driven Gatorlink authentication system. This system was based on something that Randy Switt had done. Joe has gotten the blessing of the UF Security group for the implementation, and they are basically just waiting on documentation before putting it into production. Joe will notify the ICC-L when it is available.
This system works best on IIS6 and involves enabling ASP.NET 2.0. The application itself is a "dll", and access control is handled via a "gatorlink.xml" file in each directory so that web admins are able to control access themselves without having to bother Marshall. The system works by looking at the path being accessed for anything with "secure" in the path and then forcing redirection to the Gatorlink authentication page. They are looking at the option of having a separate login page so you can control the look and feel.
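The path check and per-directory gatorlink.xml lookup Joe described, modelled in Python as an added example; this is not Joe's ASP.NET code. The gatorlink.xml format (an allow-list of Gatorlink usernames), the login URL and the helper names are assumptions, since the page gives none of them.

```python
"""Model of the "secure"-path check with per-directory gatorlink.xml access control.

Assumed: each protected directory carries a gatorlink.xml listing allowed
Gatorlink usernames; the nearest gatorlink.xml up the directory tree applies.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import quote

LOGIN_URL = "/login.aspx"  # assumed location of the Gatorlink authentication page

# Constructed sample site: request-path -> gatorlink.xml contents. On a real
# server these would be files on disk; here they are embedded so the model runs offline.
SITE_FILES = {
    "/secure/gatorlink.xml":
        "<gatorlink><allow user='alice'/></gatorlink>",
    "/dept/secure/reports/gatorlink.xml":
        "<gatorlink><allow user='bob'/><allow user='alice'/></gatorlink>",
}


def is_protected(path):
    """True when a path *segment* is "secure". Matching on whole segments rather
    than a bare substring keeps names like "/insecure/" from being caught."""
    segments = [s for s in posixpath.normpath(path).split("/") if s]
    return "secure" in segments


def load_allow_list(path, files=SITE_FILES):
    """Walk up from the requested resource's directory to the nearest gatorlink.xml.
    Returns the set of allowed usernames, or None if no gatorlink.xml applies."""
    directory = posixpath.dirname(posixpath.normpath(path))
    while True:
        candidate = posixpath.join(directory, "gatorlink.xml")
        if candidate in files:
            root = ET.fromstring(files[candidate])
            return {el.get("user") for el in root.iter("allow") if el.get("user")}
        if directory in ("/", ""):
            return None
        directory = posixpath.dirname(directory)


def authorize(path, user, files=SITE_FILES):
    """Decide what the handler does with a request.

    Returns ("serve", None), ("redirect", login_url) or ("forbidden", None).
    `user` is the authenticated Gatorlink username, or None if not logged in.
    """
    path = posixpath.normpath(path)  # collapse "." and ".." before inspecting segments
    if not is_protected(path):
        return ("serve", None)
    if user is None:
        # Unauthenticated request for a protected path: send to the login page,
        # carrying the original path so the user can be returned afterwards.
        return ("redirect", f"{LOGIN_URL}?ReturnUrl={quote(path, safe='')}")
    allowed = load_allow_list(path, files)
    if allowed is None:
        # Protected path with no gatorlink.xml anywhere above it: fail closed.
        return ("forbidden", None)
    return ("serve", None) if user in allowed else ("forbidden", None)


if __name__ == "__main__":
    for req in [("/index.html", None), ("/secure/data.html", None),
                ("/secure/data.html", "alice"), ("/secure/data.html", "bob"),
                ("/dept/secure/reports/q1.html", "bob")]:
        print(req, "->", authorize(*req))
```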
Chris Hughes was interested in extending the application so it could read NTFS permissions and believed he had a solution for that. That would make the system much more powerful for our purposes because it could then work against UFAD accounts and security groups rather than just individual Gatorlink accounts.
Finally, Joe talked about a form-to-email processor that he has been using at CALS and is now preparing for general IFAS-wide use. They intend to use some kind of IP filtering so that use is restricted to IFAS only. This forms method could replace the hard-to-use methods that some have tried to implement via Dreamweaver or FrontPage with varied success.
The meeting was adjourned just a bit late, at about 12:15 p.m.