

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM March 8th 2013 REGULAR MEETING


A meeting of the ICC was held on Friday, March 8th, 2013 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-one members participated.
 
Remote participants: Benjamin Beach, Bill Black, Bill Caltrider, Wei Cao, Dan Cromer, David Depatie, Francis Ferguson, Wayne Hyde, Al Ibanez, Kamin Miller, Marvin Newman, Joel Parlin, Javier Real, John Wells and Alex York.
 
On-site participants: Jimmy Anuszewski, Winnie Lante, Steve Lasley, Matthew Nash, John Sowers and Wendy Williams.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve was not aware of any membership changes, but he had noticed that Mari Jayne Frederick at Homestead had been selected to receive a 2013 IFAS Superior Accomplishment Award; please join Steve in congratulating her! Jackie White at Ft. Pierce was also a winner; some of you may have dealt with her in setting up videoconferences that involved IRREC folks. Sammy Chan, who replaced Howard Beck when he retired a few years back, was another recipient. Congratulations to all!

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


New "phone number" for videoconferencing assistance

Dan Cromer had reported via the IFAS-Announce-L list on Feb 27th that:

"The UF Help Desk and Video Support groups have set up a new process for immediate help with videoconferencing problems. The phone tree has been changed so that if folks call 352-392-4357 and select option 2, you will get video conferencing help. You don’t even have to listen to the menu, just as soon as you hear the ‘Hello…’ press 2. Remember that any time you are calling with a problem, others may already be on the lines, and you may either go into voice mail or get a busy signal. The groups work diligently to get all problems resolved as quickly as possible."

This is just the 392-HELP number; what has apparently changed is the availability of "option 2" for directly handling videoconferencing problems.

Blue Jeans trial

The Blue Jeans system provides a cloud videoconferencing service with ability to connect multiple end points, including Skype, Lync (awaiting federation), and H.323 (Polycom), along with connection by Web browser. Dan Cromer arranged a trial of Blue Jeans, having purchased a six-month license, for 1500 minutes. Minutes overage costs are waived for the first three months. Dan also arranged to have a number of us sent Blue Jeans network accounts so we could log onto the system and try it out.

Jimmy Anuszewski reported having used Blue Jeans successfully in a few different configurations. He had one conference with simultaneous Skype, browser, and Cisco codec endpoint connections and it worked well. He is planning to use it for an upcoming defense seminar next week.

Steve said that the service does indeed seem to work well and it satisfies a huge need for integrating our current codec enabled rooms with various other videoconference connection solutions. Jimmy said that Blue Jeans even has apps for mobile devices. The main questions now seem to be what will it cost and can we afford it.

Video Services support fronted by the UF Computing Help Desk

Updates not available...

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

Dan Cromer had provided the following update...

Message from Dan Cromer:
"[ICC-L] New Jabber 4.5 (was Movi)" Tue 2/12/2013 12:47 PM


All,

Thanks to Patrick, we now have a new version of Jabber (“Cisco Jabber Video for TelePresence”) version 4.5.7.16762 in the \\ad.ufl.edu\IFAS\Software\Jabber-was-Movi folder. I’ve tested briefly with success on Mac OS X (three versions) and Windows 7 and 8. Some minor problems:

  • On Windows 8 I had to disable one sound output so that the second, with real speakers, would be used.
  • On Windows 7 and 8 I had to disable the Microsoft Webcam automatic camera controls, as picture showed as too bright and washed out. This problem doesn’t occur with Skype or Lync.

Install will run from the network location. The install doesn’t require running as Administrator, as elevated privileges are requested when needed. It automatically removes a previous version of Movi.

Dan reminded us that the licensing works for concurrent users. We can install on as many machines as we want, but only the number of licenses purchased can be used at the same time. IFAS purchased 50 licenses, and UF has an additional 25. Patrick has reported nothing near the limit so far; if it starts getting close, we’ll buy more licenses. Our price has been under $2,500 for a block of 25.

Other standing VC topics

End-user Scheduling (previous discussion)

It appears that this may finally be gaining some traction.

Message from Dean Delker:
"[ICC-L] Videoconference Coordinators" Fri 3/1/2013 11:37 AM


In anticipation of letting you or a group of your people directly schedule videoconferences on TMS for your department or location in the near future, Patrick Pettus wants me to compile a list of videoconference coordinators and other people who should receive email messages from TMS when a videoconference is created or modified. We still have to work out the kinks and customize some of the messages TMS automatically generates, but last I heard we’re shooting for implementing this between Spring & Summer A semesters.

TMS only lets us list one email address for notifications so this could be a single person’s email, or we’ll have to do some kind of AD groups with a single email each for sites which want a list of people to be notified, whether techs or not.

Obviously I know many people already, and we know who submits requests but there is sometimes turnover I’m not aware of till well after the fact. Plus you may have assistants or admin people who want to know, so I’d still appreciate everybody responding to this at rdd@ufl.edu.

Possible end-point refresh in the works

Updates not available...

Lync updates (previous discussion)

James Oulman had announced that, "as discussed at a number of Tier-2 meetings, CNS-OSG has begun to Lync enable all active Faculty, Staff and Students. A process that runs on a 30 minute interval will Lync enable all active non-Guest Gatorlink IDs. This means that departments no longer need to manage Lync provisioning through the SIP enable and Department-OCS-Users groups. Requests to Lync enable service accounts should continue via Remedy."

Various individuals reported that Lync 2013 will not connect to bridged videoconferences. Trying to access any "confID@video.ufl.edu" will cause Lync to lose connection and re-authenticate for some reason. Dan Cromer started a Remedy ticket on this issue back on Feb 24th. Patrick chimed in with the following earlier this week:

Message from Patrick Pettus:
"Re: [ICC-L] Issues with Lync 2013 and video confcing." Mon 3/4/2013 1:42 PM


Video Services does not recommend utilizing LYNC 2013 at this time. LYNC 2013 does not currently work with UF’s videoconferencing bridge like LYNC 2010 does. The LYNC 2013 client uses the H.264 SVC video codec, which is not currently supported by the bridge, unlike the H.263 codec that LYNC 2010 uses. We expect LYNC 2013 to be in wide use beginning this summer, and will offer an alternative standard procedure by then.

In the meantime, these are our recommendations for interoperating soft clients with bridge conferences:

Kamin Miller mentioned that Lync 2010 will co-exist with Lync 2013. He had both on the machine he was using to attend the meeting today, but was connecting with Lync 2010. That might be a help to those who want to move to Office 2013 sooner rather than later.

WAN (previous discussion)


Updates from James Moore

Updates not available...

VoIP at RECs

Joel Parlin said that VoIP has worked fine for them at GCREC. The only problem they did have was with their FAX machines. Those are connected via ATAs and functioning has been a bit "hit or miss." Usually it works okay for out-going but incoming is more problematic. Steve said that when his department went Wallplate that they did have a few issues with the ATA-connected fax machines, but that those seem to have been sorted out by CNS--at least there have been no reported issues in quite some time.

Joel said that Telecommunications is getting some replacement equipment for GCREC's existing ATAs that they hope may fix the problems.

Other WAN news

Updates not available...

Phone bills to be paid for centrally?

Updates not available...


Policy


New UF login page

Last weekend a new UF login page was implemented. Users should be warned they may need to clear their cache to get this to display appropriately, although a simple refresh (F5) might work for many as well.

Content Management System (CMS) for UF: Entering purchasing phase

Updates not available...

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

See remedy section below...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

UF wireless still too hard?

Updates not available...

UF Exchange updates (previous discussion)

Outsourcing of student email?

Updates not available...

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Electronic Copy - Print Output Cost Reduction program (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Al Ibanez shared a link that provided details on making a Shut Down tile for the Windows 8 Start Screen.

IE 10 for Windows 7 was released last week. There are some interesting twists with this release regarding how soon this will be pushed to consumers and the fact that Flash is not embedded in this version as it is for the same version on Windows 8. Dan Cromer had pointed out that we need to learn the F12 trick (Config tools, F12 Developer tools) which allows IE10 to emulate earlier versions. This is apparently needed for PeopleSoft to work, among other things.

Some discussion ensued regretting Microsoft's decision to blend the desktop and tablet interfaces into one confusing jumble.

SCCM for IFAS

Work continues on the central SCCM plans.

Updates not available...

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

There was a surprise update on the status of the UF IT Wiki that had many wondering where our supposed "community consensus based decision making" process has gone:

Message from Tracy Gale:
"Be a Part of the New, More Secure IT Wiki" Wed 2/20/2013 1:39 PM


UFIT is launching a new IT Wiki utilizing the UF Connect platform on https://connect.ufl.edu/it/wiki

This wiki is for the entire UF community. The UF Connect implementation is part of a centrally offered and supported service. (There is no centralized implementation of MediaWiki supported by UFIT's central services.) Not only is there better protection of UF internal information, but there are more resources supporting the project, since it is part of the centrally supported https://connect.ufl.edu platform. While no sunset date has been determined, the MediaWiki Wiki currently located at wiki.it.ufl.edu will be deprecated at some point in the near future.

As we transition to the new IT Wiki, please:

  1. Move any relevant content from the old wiki to the new wiki platform
  2. Add new content to the new wiki platform
  3. Remember that, when adding or updating content on the current MediaWiki, to also add or update it on the new IT Wiki
  4. Send feedback and suggestions for improvement of the new platform

The new IT Wiki maintenance will be regular and timely, because content may be entered by only those with the ‘IT Workers’ role. A short guideline to submitting new Wiki content is available at How to Write an Article.

The IT Wiki committee leading the transition to the new SharePoint platform would appreciate feedback. To provide feedback please visit https://connect.ufl.edu/it/wiki, click Feedback on the left-hand menu, and sign in to send us your comments.

Sincerely,
The UFIT Wiki Committee

Steve wanted to point out that there was no feedback link available that he could see...at least not at the time of this writing.


Operations


Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection?

Updates not available...

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Someone raised the question on whether or not we have a solution for replacing the Accordent Capture Stations. Steve replied with a resounding "no" and said that anyone who attended last month's meeting or read those notes on this topic can easily understand the level of frustration Steve feels on the topic.

Some brief discussion ensued on the difficulty of getting things recorded via the current Video Services bridge, but it was really just a rehash of what had been said already. Basically, we know we need something but so far there appears to be interest at the IFAS IT or UF AT level in coordinating an acceptable solution.

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

IFAS efforts toward Green IT (previous discussion)

Updates not available...

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates not available...

Regarding the AnyConnect VPN, Chris Griffin recently asked that people use https://net-services.ufl.edu/provided_services/vpn/clients/ to obtain their clients. That location has versions of AnyConnect which work directly for Windows 8. He also noted that individuals should install both the "win" and "gina-win" files in that order. Chris indicated that these details will soon be linked from new documentation.

VDI desktops as admin workstations (previous discussion)

Some IFAS IT folks have figured out that http://virtual.ifas.ufl.edu is a great way to access the RSAT tools from a Macintosh or an iPad. In doing so, however, some had tried to run a custom MSC from their desktop within a VDI session but found that their ADMN account does not have access to their regular GL’s desktop folder. The solution is to place the MSC file in your personal folder on the file server and run it from there; both sets of credentials should have access in that case.

Ben Beach had asked how access to the "ICC Management Station" VDI pool was controlled. Wayne Hyde responded that members of the ". ifas-icc" security group had that access and were the only ones who would see that offered.

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool in production (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex York can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
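
One way to build that manual list with the ActiveDirectory PowerShell module, as an added example that is neither Wayne's Power Tools nor Andrew Carey's plan. The OU path is a placeholder, and because AD does not record when an account was disabled, `whenChanged` is used here as an approximation; the script only reports, and it flags objects that still hold BitLocker recovery information.

```powershell
# Added example: report disabled computer objects that look stale and flag
# any that still carry BitLocker recovery keys. Read-only; nothing is deleted.
Import-Module ActiveDirectory

function Get-StaleDisabledComputer {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [int]$Days = 90
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # AD has no "disabled on" attribute. whenChanged is the last modification
    # seen by the queried domain controller (it is not replicated), so treat
    # it as an estimate and compare it with your own records.
    $query = @{
        SearchBase = $SearchBase
        Filter     = 'Enabled -eq $false'
        Properties = 'whenChanged', 'PasswordLastSet'
    }

    foreach ($c in Get-ADComputer @query) {
        if ($c.whenChanged -gt $cutoff) { continue }

        # BitLocker recovery passwords are stored as child objects of the
        # computer object (class msFVE-RecoveryInformation). Deleting the
        # computer object deletes them too. Reading them needs delegated
        # rights; without those rights the count shows as 0.
        $keyQuery = @{
            SearchBase  = $c.DistinguishedName
            SearchScope = 'OneLevel'
            Filter      = 'objectClass -eq "msFVE-RecoveryInformation"'
        }
        $keys = @(Get-ADObject @keyQuery)

        New-Object PSObject -Property @{
            Name            = $c.Name
            WhenChanged     = $c.whenChanged
            PasswordLastSet = $c.PasswordLastSet
            BitLockerKeys   = $keys.Count
        }
    }
}

# Placeholder OU: replace with your own unit's distinguished name.
Get-StaleDisabledComputer -SearchBase 'OU=YOUR-UNIT,DC=example,DC=edu' |
    Sort-Object WhenChanged |
    Format-Table Name, WhenChanged, PasswordLastSet, BitLockerKeys -AutoSize
```

Any row with a non-zero `BitLockerKeys` count is one where the recovery keys should be preserved elsewhere before the object is removed.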

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Updates not available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Joe Gasper has been making some changes to improve PDF handling on UF Connect:

Message from Joe Gasper to SharePointUG-L:
"Change to Connect/SharePoint: PDF handling with Acrobat integration" Wed 2/13/2013 12:31 PM


All,

I’m investigating a modification to UF Connect to support a better experience with PDF files when using Adobe Acrobat 10.1.4 and later with Internet Explorer. The modification allows PDFs accessed in Internet Explorer with Acrobat installed (and IE integration enabled [ActiveX control] – default installation) to be opened directly from the SharePoint library. This enables the user to edit the PDF (comment, sign) and save directly back to the library – instead of saving locally and then performing an upload. The enhancement is a collaboration between Microsoft and Adobe; it doesn’t assist other PDF readers, but should not interfere with their use (I have done limited testing with PDF-Xchange and Foxit Enterprise, and other browsers).

There are 2 libraries with test documents here:
https://test-connect.ad.ufl.edu/pdf/
(private IP, so access on campus/VPN)

Example of the new features:

Adobe Reader PDF checkout dialog

PDF checked out from Sharepoint within Adobe Reader

Joe later reported that "FoxIt and the latest Preview version of PDF-Xchange also can take advantage of this enhancement. The change is scheduled for production this Sunday." (February 24th)

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

Patching updates... (previous discussion)

Microsoft

The March Microsoft patches are expected to include 7 bulletins (4 "Critical", and 3 "Important") covering 20 vulnerabilities in the usual suspects. A risk assessment will be available here and this is a worthwhile read as well.

McAfee provides podcasts on the highlights of each month's offerings.

Adobe

Adobe released yet another update for Flash back in mid-February and again just last week.

Adobe also released updates for various versions of Acrobat and Reader February 20th.

Java

Oracle released new security updates for Java Runtime. These were the third updates in the last few weeks. Current versions are now at JREv6u43 and JREv7u17. This is supposedly the last update they will release for version 6. There is an article "Java zero-day holes appearing at the rate of one a day" by Woody Leonhard that is worth a read. Someone has even put up a Days since last known Java 0-day exploit site.

MS Office News update (previous discussion)

After the problems that Winnie Lante had with activation, Dan Cromer asked Andrew Carey about the KMS registration duration. Andrew reported that our KMS registrations last 180 days. As long as a connection is made via VPN at least once about every six months, the OS and Office software should remain activated.

Should anyone have issues with remote users requiring validation for their MS products, have them start a VPN connection, copy the "MicrosoftActivate.bat" file found at \\ad.ufl.edu\ifas\SOFTWARE\MicrosoftActivateBatchFile to their desktop, right-click the file, and choose "Run as administrator."

Job Matrix Update status (previous discussion)

Updates not available...

Remedy system status (previous discussion)

Updates not available...

Other Topics

Password resets (previous discussion)

Russell Hunter from NFREC in Quincy had related difficulties he had with getting passwords reset from off-campus sites. Kevin Hill from SWFREC had responded that the UF_SEC_PWD_HELPDESK role in PeopleSoft allows an individual to reset GL passwords for their own users in myUFL. Donna McCraw wondered if password hints might serve as a workaround, but Dan Cromer had replied that the password hint system only works for P3 and below. Since all IT people are now P4 and in “a position of special trust”, the hint system won’t work for us.

While quite a few folks in the IFAS Help Desk and District Support have the reset capability, Dan Cromer said that only a few of those individuals could do resets on a P4 level account. Thus it is a good idea for IT support folks to not ignore the password reset emails.

Chrome device management

Nick Smith has begun to express interest in managing or officially supporting Chrome devices. Nick told Steve that Google has some good documentation on the procedures, as well as a web-based management console. It is good of Google to give consideration to this aspect as this is something that is often overlooked in recent device releases by many manufacturers.

Issue with Mac Preview and PDF files

Jimmy Anuszewski had reported the following issue and its solution...

Message from Jimmy Anuszewski:
"Acrobat/Preview Problems" Thu 2/14/2013 1:04 PM


For some of you that deal with students/faculty that fill out PDF files using the Mac preview software, there is a known problem. After Preview saves the PDF, the fields that you filled out are not viewable in Acrobat (on any platform). The fix is attached to this email and the how to is listed below. This problem happens a lot and I've run across it several times myself. Hope this helps anyone that thought the document was blank.

Installing the Script

  1. Quit Acrobat if it is already running
  2. Download the script and then copy the ADBE_JFG_fixFields.js file into the following location
    1. Win XP:
      C:\Documents and Settings\USERNAME\Application Data\Adobe\Acrobat\9.0\JavaScripts
    2. Win Vista
      C:\Documents and Settings\USERNAME\Application Data\Adobe\Acrobat\9.0\JavaScripts
    3. Mac OSX
      /Users/YOURUSER/Library/Application Support/Adobe/Acrobat/9.0_x86/JavaScripts
  3. Restart Acrobat
  4. Look at the bottom of the “Edit” menu for “Fix Field Appearances”.

Admin workstation setup instructions

Steve noted that he had updated the instructions for setting up an Admin workstation (ufad\if-admn credentials required for access); those are now specific to Windows 7.

Configuring non-domain Windows XP for file share access

Steve had forgotten all about this but ran into the need the other day. It took a long time to come across the cause/solution from the symptoms so Steve hopes this reminder might save someone else the problem. Here are the symptoms:

  1. Windows XP off-domain
  2. Connects fine via L2TP/IPsec VPN
  3. Can't get to any file server or web server (as file system) resources
  4. Account keeps getting locked out in UFAD

This problem is related to removal of the less secure Windows authentication methods that happened before Fall 2012. Here are the details of the fix as they came from Andrew Carey back then:

We’ve received several reports of users using non-domain joined Windows XP computers being unable to access domain joined resources following this weekend’s change.

In most cases this can be resolved by setting “Network security: LAN Manager authentication level” in the computer's local security policy to “Send NTLMv2 response only. Refuse LM & NTLM” by utilizing one of the three methods below:

Method 1:

Edit the Local Security Policy

  1. Click Start --> Control Panel --> Performance and Maintenance --> Administrative Tools --> Local Security Policy
  2. In the Local Security Settings Window
    Security Settings --> Local Policies --> Security Options
  3. Find the Policy "Network Security: Lan Manager Authentication Level" and set it to "Send NTLMv2 response only\refuse LM & NTLM"
  4. Restart the computer

Method 2:

Edit the registry from a command prompt (recommended for advanced users)

  1. Click Start --> Run --> cmd
  2. In the Command Prompt Window Type
    REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v "LMCompatibilityLevel" /t REG_DWORD /d "5" /f
  3. Restart the computer

Method 3:

Edit the Registry Directly (recommended for advanced users)

  1. Click Start --> Run --> regedit
  2. My Computer --> HKEY_LOCAL_MACHINE --> System --> CurrentControlSet --> Control --> Lsa
  3. Find the Name "lmcompatibilitylevel" and enter "Value Data" of 5
  4. Restart the computer

Winnie Lante said that she had seen this not just on Windows XP boxes but on some of the "Home" versions of Vista and Windows 7 as well.
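
To confirm what a machine is actually configured to send before or after applying one of the three methods, the check below reads the same registry value and reports it. It is an added example, not part of Andrew Carey's instructions, and assumes PowerShell 2.0 or later is installed (an optional download on Windows XP).

```powershell
# Added example: audit the registry value the fix above sets. Read-only.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value as shown in Local Security Policy.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibility {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

    if ($null -ne $item) {
        $level  = [int]$item.LmCompatibilityLevel
        $source = 'registry'
    }
    else {
        # The value is often absent; the operating system default then applies.
        $os = [Environment]::OSVersion.Version
        if     ($os.Major -ge 6)                      { $level = 3 }  # Vista and later
        elseif ($os.Major -eq 5 -and $os.Minor -eq 2) { $level = 2 }  # Server 2003 family
        else                                          { $level = 0 }  # Windows XP
        $source = 'OS default (value not set)'
    }

    $meaning = $LevelMeaning[$level]
    if ($null -eq $meaning) { $meaning = 'Unknown value' }

    New-Object PSObject -Property @{
        Level             = $level
        Source            = $source
        Meaning           = $meaning
        # Below level 3 the client can still answer with LM or NTLMv1.
        CanSendLmOrNtlmV1 = ($level -lt 3)
        # The value the REG ADD command in Method 2 writes.
        MatchesFix        = ($level -eq 5)
    }
}

Get-LmCompatibility |
    Format-List Level, Source, Meaning, CanSendLmOrNtlmV1, MatchesFix
```

A `Source` of "OS default" on a machine that was supposed to be fixed means the value was never written, for example because the REG ADD command was run without administrative rights.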

Networking issues at VetMed

Winnie has a faculty member that is housed at VetMed and she has been fighting a networking issue ever since VetMed decommissioned their own DNS server and turned that over to the Health Science Center. Winnie still hasn't resolved the issue.

Vulnerability scan results for your subnets

Wayne Hyde responded to a query from Mari Jayne Frederick about the recent resumption of UFIRT notices.

Message from Wayne Hyde to the IFASIRT-L:
"Re: Vulnerability scan results for your subnets" Fri 3/8/2013 10:44 AM


IT workers in IFAS that are responsible for hosts on the UF network will remain on this list.

If members do not wish the list emails to all go to their inbox, it is fairly easy in Outlook to configure a server-side rule that moves IFASIRT-L messages to a folder but also leave messages related to your managed machines in your inbox. Two rules are needed -- the first rule looks for IFASIRT-L emails and stops processing rules if the message contains various strings. For example, the first three octets of your subnets (i.e.: "10.251.21") and partial matches of computer names in case you routinely have laptops that pop up across the statewide network (ie: "IF-ITSA"). The second rule moves all remaining IFASIRT-L emails to your subfolder.

The increase in mail load starting this week was due to a LISTSERV issue where the IFASIRT-L was held for quite some time. You may have still received alerts which were sent to your GL account in addition to the IFASIRT-L address, but no alerts only sent to the IFASIRT-L list were distributed.

When you do get a ticket for one of your hosts, please follow the procedures, standards and guidelines found at:

http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response.html

Please remember to update the ticket with what information you found about the host and what steps were taken to resolve/contain the incident.

Tickets quite often are generated a day or more after an incident occurred. DMCA violations often come in weeks after an incident. The UFIRT ticket will have a ticket timestamp (when the ticket was generated) but also have the timestamps of the incidents and possibly a hostname. If the ticket is generated close to the incident times, the hostname may be correct. Since hosts come and go and we use DHCP, quite often the current host on the incident IP address is not the host that caused the ticket. This is where Chris' DHCP Search (http://itsa.ifas.ufl.edu/dhcpsearch) will help you track down the host.
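
The reasoning in that last paragraph, as an added example that is not part of Wayne's message and does not reproduce Chris' DHCP Search: match the incident timestamp, not the ticket timestamp, against lease history. The lease records, host names and MAC addresses below are constructed sample data.

```powershell
# Added example: find which host held an IP address at the time of an incident.
# Constructed sample lease history; not real UF lease data.
$Leases = @(
    New-Object PSObject -Property @{ Ip = '10.251.21.57'; HostName = 'IF-ITSA-LT01'; Mac = '02-00-00-00-00-01'; Start = [datetime]'2013-03-01 08:05'; End = [datetime]'2013-03-05 15:00' }
    New-Object PSObject -Property @{ Ip = '10.251.21.57'; HostName = 'IF-ITSA-PC07'; Mac = '02-00-00-00-00-02'; Start = [datetime]'2013-03-05 15:10'; End = [datetime]'2013-03-09 15:10' }
    New-Object PSObject -Property @{ Ip = '10.251.21.60'; HostName = 'IF-ITSA-PC09'; Mac = '02-00-00-00-00-03'; Start = [datetime]'2013-03-02 09:00'; End = [datetime]'2013-03-10 09:00' }
)

function Find-LeaseHolder {
    param(
        [Parameter(Mandatory = $true)][object[]]$Leases,
        [Parameter(Mandatory = $true)][string]$Ip,
        [Parameter(Mandatory = $true)][datetime]$IncidentStart,
        [datetime]$IncidentEnd
    )
    # A single incident timestamp is treated as a zero-length window.
    if (-not $PSBoundParameters.ContainsKey('IncidentEnd')) { $IncidentEnd = $IncidentStart }

    # A lease is a candidate when its interval overlaps the incident window.
    $hits = @($Leases | Where-Object {
        $_.Ip -eq $Ip -and $_.Start -le $IncidentEnd -and $_.End -ge $IncidentStart
    } | Sort-Object Start)

    if ($hits.Count -eq 0) {
        Write-Warning "No lease for $Ip covers the incident window; check reservations and static addresses."
    }
    elseif ($hits.Count -gt 1) {
        Write-Warning "$($hits.Count) hosts held $Ip during the incident window; review each one."
    }
    $hits
}

# Ticket generated on 2013-03-08, but the incident timestamp is 2013-03-05 14:20.
# The host on the address at ticket time (IF-ITSA-PC07) is not the one returned.
Find-LeaseHolder -Leases $Leases -Ip '10.251.21.57' -IncidentStart '2013-03-05 14:20' |
    Format-Table HostName, Mac, Start, End -AutoSize

# An incident spanning the lease change returns both hosts and warns.
Find-LeaseHolder -Leases $Leases -Ip '10.251.21.57' -IncidentStart '2013-03-05 14:50' -IncidentEnd '2013-03-05 15:30' |
    Format-Table HostName, Mac, Start, End -AutoSize
```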


The meeting was quite a bit shorter than usual and was adjourned before 11:00 am.