IFAS COMPUTER COORDINATORS
NOTES FROM April 11th 2008 REGULAR MEETING
A meeting of the ICC was held on Friday, April 11th, 2008 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.
PRESENT: Twenty members and guests participated.
Remote participants: Bill Black, Francis Ferguson, Kevin Hill, Claude King, Joel Parlin, Mark Ross, Mike Ryabin, Louise Ryan, Mitch Thompson and A. D. Walker
David Baudree, Benjamin Beach, Dennis Brown, Andrew Carey, Dan Cromer, Joe Hayden, Wayne Hyde and Steve Lasley
Guests: Mike Conlon and Erik Schmidt
STREAMING AUDIO: available here
Agendas were distributed and the sign-up sheet was passed around.
Steve reported that we had one new member since our last meeting. Evin Safdia has replaced Richard Faulk at WFREC. Steve has sent Evin a welcome message but has yet to hear back.
Steve asked that the ICC join him in congratulating Joe Hayden who was announced as a 2008 Prudential Davis Productivity Awards Winner. Joe received a Distinguished Cash Award of $1,000 for developing a maintenance and utility trouble reporting system.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
The outsourcing of IFAS IT to CNS: Update
CNS has made separate proposals to take over both the IFAS IT WAN group and the IFAS IT Server Administrators group. Steve and Chris Leopold were permitted to review the proposals and provided Dr. Joyce with a technical response, particularly to the Server Administrators proposal. It is Steve's understanding that Jennifer Xu is providing a review of the WAN group proposal as well.
The response prepared by Chris and Steve has been forwarded to Tim Fitzpatrick for comment and we are currently waiting to hear back. Apparently the driving concern at the VP level is to reduce the proportion of our salary expenditures for staff relative to faculty. Steve is concerned that this focus might ignore service/cost aspects and that we could end up with commoditized IT services over which we have decreased control and for which we would pay more. If that occurs, a trend is likely towards redistribution of IT innovation out to the various units (for those that can afford it) rather than the more cross-cooperative arrangement which the ICC has long sought to nurture here within IFAS.
Update from yesterday's UF IT Advisory Committee for Network Infrastructure meeting
The agenda included the following:
Comprehensive IT risk assessments will be REQUIRED soon
Steve asked if anyone had attended Achilles training and could tell us what that entailed. No one had, but Dennis Brown related that John Sawyer had told him this training was for IT workers but is about compliance, risks and controls to manage those risks.
UF Exchange Project updates
Steve noted that Andrew Carey, Scott Owens and he (along with Joe Gasper, Chris Hughes and Fran McDonell) attended an informational meeting on EMC's EmailXtender last week. This product had been proposed to provide hierarchical storage management for our UF Exchange implementation. The idea is to pull attachments off the expensive Exchange storage and onto less expensive disks external to that system, while keeping that process transparent to the users. Since an estimated 80% of an average user's space is taken by attachments, removing these from the mailboxes would not only save on expensive disk storage but would greatly improve the efficacy of our users' allotted quotas on Exchange.
At that meeting, Dwight Jesseman, along with Mike Kanofsky, presented an overview of the product and how we might utilize it in our environment. Two EMC folks were on-hand to answer questions and provide details from their perspective. A number of problems were noted, however:
- Can't open archived attachments from message preview--must open message in its own window first
- Proposed Outlook COM add-in changes icons for archived messages (lack of this for OWA)
- Entourage and IMAP users left out until at least next version (expected in the December timeframe)
- "Rehydration" procedures would be needed to provide mailbox as .PST to departing employees
- Lack of synchronization between mailbox message deletions and archived messages in second tier storage (concerns that deletion of a message by user will not remove archived attachments)
When Steve mentioned these issues to Mike Conlon prior to the meeting he had replied that deployment has been delayed due to these problems, which need to be resolved. It is their intent for this system to be transparent and that will be the criterion applied to whatever solution is eventually used.
Split DNS solution for UFAD problems
Steve wants to leave this as a standing agenda item, but realizes that a solution will be a very long time in coming due to the complexities involved.
SharePoint Production Sites
Prior SharePoint discussion.
Ben Beach related that deployment is going as planned. A number of people are beginning to use it or to explore its use. Joel Parlin and Louise Ryan have been involved with it as has Soil and Water Science. Ben is rolling it out to parts of his district as well.
Steve mentioned having created a couple of workgroup sites. He wants to move those users to Office 2007 prior to actually introducing that to them but hopes to do that before too long.
Dennis Brown asked Ben about moving information from an existing WSS implementation into the central IFAS system. Ben replied that there was an export/import function which should make that easy to do. The intermediate format of such a transfer is a ".bkf" file.
Virtualization of Core Services
Wayne Hyde said that they are continuing to virtualize as many servers as they can.
They also have a large project in progress which will utilize a new product from VMware called Virtual Desktop Manager. This will provide virtual WinXP desktop machines for various labs within IFAS. CALS and Soil and Water Science had been using Windows Terminal Server which does not provide a very good desktop experience. This project involves the purchase of a couple of new servers and some software. They are testing currently, attempting to create templates that would supply the various software applications that these labs require.
Wayne briefly explained how the Virtual Desktop Manager software acts as a broker between the client and their virtual desktop session. The client connects to the broker and then access is handled in various fashions. You can configure different types of pools. For example, you can have a dedicated pool whereby a particular VM is assigned to a user so that they always get it whenever they log in; if you have ten people and ten VMs then you can assign one person per VM. For student labs where you might have 50-100 students fighting over 30 desktops, you would use a non-dedicated pool. In that situation, when you log into the broker it will connect you to the first available desktop; once you log out, someone else can then take over that machine.
The software will permit you to have, for example, 50 desktops total but only five running at first. Then if five people log on it will boot up five more sessions. That provides capacity on demand.
Access to the virtual desktops is controllable via AD security groups. They will implement multiple virtual labs, one each for CALS and Soil and Water Science.
They are also going to look into providing some virtual desktops for ICC people to use as administrative machines. This would involve creating a WinXP template that included all the ADUC tools; that would allow OU Admins to remote desktop in and have all the management tools available.
The virtual desktop project has been funded primarily by CALS and Soil and Water Sciences. Forestry may become involved as well. When Steve asked about what level of contribution a unit would need to make to become involved, Wayne responded that he wanted to get the current clients going before looking at expansion; he does believe, however, that further expansion will be very feasible. Wayne mentioned that they are still testing to make sure all aspects of the project will function as desired. It looks, however, like this will be a very good solution. It will be particularly useful for distance education where students at remote sites can have local access to all the data we have centrally via remote desktop from, perhaps, a less capable machine at their own site.
Wayne mentioned some other nice features of this configuration. Since users can disconnect without logging off, a researcher could connect to start a long analysis and then connect back later to view the results. In other situations, abandoned sessions might be an issue, but this could be handled via group policy. A virtual machine can be configured to log you off after a certain idle period.
Joe Hayden asked about the costs involved and Wayne responded that it would vary greatly depending on the resources a particular virtual desktop might require and the software it would be running. GIS labs, for example, have pretty hefty requirements. An administrative workstation would require considerably fewer resources. The hardware running this involves PowerEdge 2900 servers with 48GB RAM and 8 CPUs. Depending on their resource needs you can run maybe five VMs per CPU as a rule-of-thumb. The servers are about $8,000 each with the ESX software approximately doubling that cost. $16,000 divided by 8 CPUs with 5 VMs each comes to about $400 per VM. These servers are configured as a cluster, currently with seven big servers; this should provide considerable excess capacity overall.
They are expecting to support 30 VMs for CALS lab and 10-20 for Soils. Even for the resource intensive needs of their particular applications, the costs will run under $1000 per VM with considerable reserve capacity. Though that cost approaches that of stand-alone boxes, the management aspects are greatly improved. Combining that with the distance access advantage and the capability to support less powerful client machines--including thin clients--the virtual desktop solution is believed to be well worth the investment.
Wayne brought up the recent discussion on the CCC list regarding saving power. The use of thin clients and server-based virtual desktops has an enormous potential for power savings overall.
Progress on the new file server
Wayne reported that they had made the decision to wait for Win2K8 before deployment. Secondary to that they needed to wait for EMC's PowerPath product to support that platform in order to connect the servers to the SAN. The new version of PowerPath became available just one week ago; consequently, Wayne has configured a test Win2K8 file cluster which he is evaluating now regarding aspects such as Volume Shadow Copy. For VSS, Wayne plans three snapshots a day M-F (7am, 11am and 3pm) and then one snapshot on S+S. There are a number of minor details with the scheduling of the snapshots and the timing of those with weekend backups which Wayne is currently dealing with. Wayne hopes to be able to migrate to the new platform within a couple of weeks.
Steve again reminded folks that Wayne would like to know about any Mac users who utilize the file server. Dan Cromer believes that Macintosh users wishing to use the file server should buy DAVE (~$100). In any case, Mac users are likely mapped currently directly to IF-SRVV-FILE03. Once the switch is made we will have to educate them to go to either IF-SRVC-FILE1 or IF-SRVC-FILE2. Those two names should then be in effect for a long time.
Wayne has configured WSUS 3.0 to push out IE7 to CALS, Entomology and Hort Science. Steve noted one issue he had seen with ArcGIS 9.1 needing a patch to work with IE7; this is nothing new but did affect one of his users. Units are urged to consider moving to IE7 as soon as can be arranged, but Wayne realizes that there are circumstances where IE6 may still be desired/required and is not pushing this out to all.
Kevin Hill asked about whether Vista SP1 would be pushed and Wayne said he did not want to do that due to its extremely long install time (up to two hours). Wayne wants to leave that update to the various OU Admins. Dan Cromer mentioned having trouble installing Vista SP1, but Steve has installed it without issue on two Vista Ultimate machines he has at home as well as on his Vista Enterprise machine at work. Andrew Carey has also been successful with that on Vista Enterprise. Mike Ryabin asked about problems with Vista SP1 noting that he had seen a local computer repair truck with a sign that advertised downgrades to Windows XP ;-). Steve noted that there have been driver issues with SP1 but that he hadn't personally seen those. Kevin Hill reported that he has roughly 20% of the machines at SWFREC running Vista and hasn't had many problems.
Mike Ryabin reported that he has had issues with Outlook's search feature not working with Vista and Office 2007. He reported that it mysteriously began working, however, several months later. Some suggested that indexing may have been slow or had problems, but Mike had spent a great deal of time researching that aspect to no avail. Joe Hayden mentioned having pared down the indexing scheme on one machine and it still took the better part of a day for search to work correctly.
Kevin Hill asked Wayne what version of ePO console we were currently using. Wayne responded that he had us at ePO 4.0, but that he was still in the process of getting that configured to roll-out to OU Admins. Kevin was looking to get some reports on which of his machines were checking in properly and asked Wayne how best to accomplish that. Wayne replied that once he gets users and permissions worked out in ePO 4.0, OU Admins will be able to do this for themselves. Wayne is configuring rules so admins can push out ePO agents or anti-virus; he just needs to get that documented so he can send the information out to the ICC. He won't have time to work on this again until after next week, however, due to other deadlines he is facing. Wayne mentioned that ePO does a true synch to UFAD and will mirror our structure; it will not have the problem of the earlier version where machines kept going to the "lost and found" group, which complicated monitoring considerably.
IFAS WebDAV implementation
No progress on documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on agenda as a standing item.
Vista Deployment via SMS and WDS
Steve mentioned that, while it doesn't relate directly to Vista deployment per se (that is WDS), Andrew Carey has been investigating moving to the use of Group Policy Preferences (GPP) to replace a number of the functions which our login scripts are currently performing. It is believed that may be the best way to handle some of the Vista issues as well and may have implications for a power-saving implementation. To investigate this one needs Vista with SP1 and then must install and activate the Remote Server Administration Tools (RSAT). A short video is available that can help introduce people to the potential this new tool might hold for us.
Andrew said that login script issues are what have been holding him back from telling everyone to consider a move towards Vista. We have about 180 Vista machines in IFAS currently and the great majority are not getting their login scripts. There have been printer issues as well. Although Microsoft hasn't come right out and said it, Andrew believes they intend to drop how those are generally done currently and push people toward Group Policy Preferences. Andrew says that these look like they will work fine for us but he hasn't had the time to investigate fully. He does have a test going currently to handle printer mapping but he hasn't been able to get drive mapping going yet. A potential downside is that you need to install the GPP client extensions and those are not supported on Windows 2000; those are being pushed now via WSUS, however, so they are already on many of our XP and better machines. The neat thing about GPP is that it can control basically anything that you previously could only do locally on the client such as Control Panel functions or any registry setting.
Exit processes, NMB and permission removal
Prior exit procedure discussion.
Dan Cromer related that exit procedures are now beginning to be addressed more closely at the UF level. The problem is going to be brought to the attention of the ITAC-DI committee. This matter is being driven by the issue of how UF Exchange will handle mail at exit as well as the automatic affiliation-based removal of Gatorlink accounts.
Re-enabling the Windows firewall
Steve wants to leave this matter as a standing agenda item for future discussion.
Computer scripts for disabling and deleting computers with old passwords
Steve asked where we were with this and Andrew replied that the deletion aspect has remained disabled. Andrew has no plans to re-enable computer object deletion; he initially only did so to fix what he believed was a scripting error missed by his predecessor. Discussion ensued on how disabled computers do not seem to actually be dropped from the domain until perhaps 180 days later--which is contrary to much of the early discussions on this topic when the scripts were being developed. This has allowed most issues to be resolved simply by re-enabling those in ADUC.
Report generating system
Some of you may have noticed that the “Computers with passwords older than 83 days” and “Employees added to the IFAS OU” reports have not been sent out since around the beginning of February. Andrew investigated that and it appeared the reports were currently supposed to be generated on if-srv-sql01 (our out-of-date, out-of-warranty SQL 2000 server). The data for the reports is also on SQL02 (our soon-to-be out-of-warranty SQL 2005 server) but it looks like reporting services was never completely set up on that server. Andrew has spoken to Matt Wilson about this and Matt has agreed to set up reporting services on if-srvv-sql05 (our relatively new virtual SQL 2005 server) so we can move the databases and reports there.
There had been brief discussion on the ICC-L about password management and updates on our Polycom systems. Patrick Pettus had responded with a number of ideas and issues worthy of discussion.
Steve mentioned that a record of equipment maintenance status should be maintained as part of the Polycom certification information gathering process. That appears to have been omitted but relates to the matter of firmware updates and where those can and cannot be applied.
Dan reported that they have agreed on an algorithm for passwords. District support folks are supposed to be visiting their various units and changing to the new scheme. Patrick can handle others remotely via the web interface if he already knows the current password.
There are five critical and three important Microsoft patches this month. There have also been recent updates for Quicktime and Flash Player.
Public folder file deletion policies and procedures status
Dan asked about the status of this. Wayne mentioned having developed a PowerShell script so that it is very easy to delete files of whatever age range. He is considering wiping anything older than 2 weeks on the IFAS public share. Steve asked if notices were still being sent when someone placed files in that area. Wayne responded that this had been turned off but would be re-enabled when we migrate to the new Win2K8 cluster. While we haven't really had a huge issue of space on the public share, there are security concerns with not knowing what has been placed there.
On a separate security-related topic, Wayne has recently found a very excessive number of computers for which various admins have added their Gatorlink accounts to the Local Administrators group. While this may be understandable on their own workstation, doing that on other users' machines is a very bad security practice. We have the IF-ADMx accounts to handle those needs. Wayne plans to send out private e-mails to OU Admins who have been doing this on a regular basis. If people need assistance in utilizing their IF-ADMx accounts, please get with Steve Lasley. He has developed some documentation (IF-ADMN credentials required for access) which can assist in learning the proper administrative procedures and would be glad to provide whatever assistance might be needed.
Remedy system status
Dan mentioned that they have enabled an e-mail feature for Remedy that he wants to announce IFAS-wide; Dan has sent a proposed announcement on this for review by Joe Joyce. Sending e-mail to firstname.lastname@example.org (or email@example.com or firstname.lastname@example.org) will automatically create an e-mail ticket in Remedy for initial handling by the central Help Desk. The http://support.ifas.ufl.edu web site still works for the same function. The e-mail text will go into the Remedy ticket, which will be created with a topic of "Other". If the sending user address is @ufl.edu, the GatorLink username will be populated into the ticket.
Dan said that this would be included as part of the first official announcement of the Remedy system for IFAS. Steve mentioned that such an announcement had been held off previously because every time the matter was raised here, most of the discussion revolved around how poorly the system works. Dan still feels he needs the data it can provide in order to justify Help Desk staffing levels. Steve asked if the data gathered in the past year or more has been useful in that regard but received no answer.
Kevin Hill mentioned that his biggest problem with the system is not knowing who best to assign issues to. Steve thinks that relates back to the need to keep the Job Matrix properly updated.
Special guest: Mike Conlon
The ICC has had previous discussions on recommendations for Barracuda spam score settings. Since our last meeting, Joe Gasper had provided data updates which were incorporated into last month's notes. Andrew Carey also provided further pictorial data indicating that a small number of IFAS mailboxes account for the great majority of both blocks and quarantined messages. This supports the premise that the great majority would see little effect from moving the default blocking score to 9. From ensuing e-mail and phone exchanges with Mike Conlon, Dr. Conlon agreed to attend today's meeting to discuss this topic.
Mike Conlon arrived with Erik Schmidt right on time at 11am. Since we had just finished covering the rest of our agenda, the floor was turned directly over to Mike. Before getting to the spam discussion, Mike wanted to provide updates on a few matters which were discussed at the recent UF Exchange Policy Advisory Committee meeting.
UF Exchange Policy Advisory Committee updates:
The number one issue that is raised to the UF Exchange group isn't spam but rather the new PIN policy for mobile devices. Every time people with mobile devices are brought onto the system UF Exchange receives negative feedback on the need to enter a 4-digit PIN. The policy committee reviewed this matter and Mike showed them the existing policy along with the rationale for that. After that presentation, the committee was strongly in favor of leaving the policy as it stands.
The ITAC-ISM Committee had wanted a complex password, but their recommendation has not been implemented. UF Exchange believes a 4-digit PIN is an appropriate middle ground between protecting the university's data and not greatly inconveniencing the user. The UF Exchange Policy Advisory Committee supported leaving things as they are. Mike mentioned that all policies are always on the table for discussion. The UF Exchange group is always open to modifying something they are doing with the system in order to improve it.
UF Exchange Policy Advisory Committee updates:
Automatic provisioning and de-provisioning of mailboxes
This was another matter brought before the committee. There is a desire to reduce the amount of manual effort needed to maintain e-mail at UF. They believe they can use the same method for UF Exchange as they currently use for Gatorlink accounts.
The Gatorlink model
Gatorlink accounts are based on the UF Directory and the affiliations people hold there. If any affiliations held by an individual lead to a Gatorlink entitlement (and those affiliations are well-defined) then that person may create a Gatorlink account for themselves. For example, the "Employee" affiliation provides such an entitlement while the "Alumni" affiliation does not. Affiliations are multi-valued and people may have many affiliations. If ANY of a person's affiliations lead to Gatorlink account entitlement then that person may have a Gatorlink account. If NONE of a person's affiliations permit that, then they will not have an account. Our automatic systems respect affiliation changes in essentially real-time; thus when the affiliations go out-of-scope for a Gatorlink your account is deactivated automatically. That process takes only about 15 minutes from the time a Directory Coordinator removes the last affiliation which entitles a person to have an account.
On the intake side Gatorlinks are created by the individuals. When someone attempts to create an account and they enter their UFID and identifying information, they are looked up in the UF Directory to see if their affiliation should allow that process.
Extending the Gatorlink model to UF Exchange
Thus the process is fairly simple. There is an entitlement process based on directory affiliation with an intake that is manual and executed by the user. The de-provisioning is automatic. They are proposing the same thing for UF Exchange. Affiliations which entitle a user to have a mailbox would be identified and if any of an individual's affiliations lead to that right, then there would be a process by which an individual could get that created. When a user attempted that process the affiliations would be checked in order to allow or deny that happening. When the affiliations go out-of-scope for a mailbox, that individual's access to that mailbox will be removed.
Accounting for inevitable errors
Following a few minutes of interruption due to a remote participant inadvertently sending music into the videoconference, Steve asked what would happen if a Directory Coordinator accidentally removed the last entitling affiliation. Mike responded that this was an important topic. In the case of Gatorlink accounts, we keep those around for 13 months precisely to make sure that an account wouldn't be removed inappropriately. In the case of e-mail, the matter is a bit more complicated because someone must be a steward of the e-mail.
If the person to whom the mailbox belonged is not in the picture, someone else has to take over the stewardship--and it isn't going to be UF Exchange. They have talked to various user groups and one of the current common practices is to have the mailbox go to the current supervisor of the person who is no longer available. In the instance where a mistake was made, the automatic process would assign the mailbox to the supervisor who would then realize and catch that as being a mistake. That is a good thing because it makes the loop fairly tight on correcting the problem.
Mike mentioned that he has personally and mistakenly fallen out of employment scope with UF twice in his long career--missing paychecks as a result--so he is well aware of problems whereby one can become invisible to UF via error. Consequently, they will develop an operational procedure to ensure that the mail has a legal owner at all times and is available to be restored in the event of an error.
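The affiliation-driven lifecycle described above (entitlement by ANY affiliation, user-driven intake, automatic de-provisioning with hand-off to the supervisor) can be modelled in Python as follows. This is an added example, not UF's code: the "Student" affiliation, the NEEDS-STEWARD marker, the UFIDs, and applying the 13-month Gatorlink retention to mailboxes are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumption: the notes name only "Employee" (entitling) and "Alumni" (not
# entitling); "Student" is a hypothetical second entitling affiliation.
ENTITLING_AFFILIATIONS = {"Employee", "Student"}
# The notes give 13 months of retention; approximated here as 13 * 30 days.
RETENTION = timedelta(days=13 * 30)
UNASSIGNED = "NEEDS-STEWARD"  # hypothetical marker that forces manual review


@dataclass
class Person:
    ufid: str
    affiliations: Set[str]
    supervisor: Optional[str] = None  # UFID of the current supervisor


@dataclass
class Mailbox:
    owner: str
    steward: str
    active: bool = True
    deactivated_at: Optional[datetime] = None


def is_entitled(person: Optional[Person]) -> bool:
    """ANY entitling affiliation is enough; NONE means no entitlement."""
    return person is not None and bool(person.affiliations & ENTITLING_AFFILIATIONS)


def request_mailbox(directory: Dict[str, Person],
                    mailboxes: Dict[str, Mailbox], ufid: str) -> Mailbox:
    """Manual, user-driven intake: the directory decides allow or deny."""
    if not is_entitled(directory.get(ufid)):
        raise PermissionError(f"{ufid}: no affiliation entitles a mailbox")
    box = mailboxes.get(ufid)
    if box is None:
        box = mailboxes[ufid] = Mailbox(owner=ufid, steward=ufid)
    else:
        # Retained mailbox (e.g. affiliation removed in error): hand it back.
        box.active, box.steward, box.deactivated_at = True, ufid, None
    return box


def reconcile(directory: Dict[str, Person],
              mailboxes: Dict[str, Mailbox], now: datetime) -> List[str]:
    """Automatic de-provisioning pass; returns an audit trail of actions."""
    actions = []
    for ufid in sorted(mailboxes):
        box = mailboxes[ufid]
        person = directory.get(ufid)
        if box.active and not is_entitled(person):
            # Out of scope: remove access, but never leave the mail ownerless.
            box.active = False
            box.deactivated_at = now
            sup = person.supervisor if person else None
            # Only a supervisor who is still affiliated can take stewardship.
            box.steward = sup if is_entitled(directory.get(sup)) else UNASSIGNED
            actions.append(f"deactivate {ufid} steward={box.steward}")
        elif not box.active and now - box.deactivated_at >= RETENTION:
            # Retention window elapsed without a correction: remove for good.
            del mailboxes[ufid]
            actions.append(f"purge {ufid}")
    return actions


if __name__ == "__main__":
    # Constructed sample directory; UFIDs are made up.
    today = datetime(2008, 4, 11)
    directory = {
        "1001": Person("1001", {"Employee"}),
        "1002": Person("1002", {"Employee", "Student"}, supervisor="1001"),
    }
    mailboxes: Dict[str, Mailbox] = {}
    request_mailbox(directory, mailboxes, "1002")
    directory["1002"].affiliations.discard("Student")   # still an Employee
    print(reconcile(directory, mailboxes, today))       # no action
    directory["1002"].affiliations.discard("Employee")  # last entitlement gone
    print(reconcile(directory, mailboxes, today))       # deactivate + hand-off
    print(reconcile(directory, mailboxes, today + RETENTION))  # purge
```

The audit trail returned by `reconcile` is what lets a supervisor or directory coordinator spot a mistaken removal inside the retention window.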
UF Exchange Policy Advisory Committee updates:
Exit rights and procedures
That leads to the next topic: how does a person leave, and when they leave, what do they get? Units vary significantly on what they do for people who enjoyed a service previously but are no longer affiliated with the university. In the current legal compliance climate there is an increased interest in ensuring that people who are no longer affiliated with the university do not cart off the university's property, including intellectual property that may be present in e-mail.
Long existing procedures may require modification
Mike related that back when he was an e-mail administrator his unit had perhaps the most liberal policy on campus in terms of continuing to use e-mail after leaving. They were incredibly service-oriented toward departing people and for all the right reasons; you want to maintain your research relationships and have good relationships with everyone who has left the university. In the current climate, however, there is increased interest in not participating as an institution in processes by which we would divulge UF's intellectual property to someone who is no longer affiliated with the university. What that probably means is that we will put the onus on the individual to assure that they do not take any UF property, intellectual or otherwise, when they leave.
Thus there may be a policy statement developed that clarifies what a departing employee is and is not entitled to via the severance processes. It will also likely state that once you are no longer with UF you will have no access, so you must take care of these matters prior to that time. That is the direction Mike believes we are heading in this regard. What is actually being done, however, is that the committee discussed the issue and has now referred the problem to the ITAC-DI Committee as this is an issue which affects much more than simply e-mail. It has to do with contact to UF's intellectual property after an affiliation ends. What do people get and how do they get it? How they actually get it is the last concern; the first concern is what are they entitled to get. Once we understand what they are entitled to get then we can design a process by which they can get it.
If things go as Mike suspects, it will likely be left to the individuals to take care of these matters. System administrators that participate in this by offering assistance may have to concern themselves with the potential for inadvertently helping someone leave with intellectual property. Thus our future processes may be considerably different than those which we currently have. Operationally we are currently doing nothing about this; rather we are continuing to do whatever it is that we are doing until there is a policy statement which says we really need to change those procedures.
Handling e-mail retention rules
Joe Hayden asked about the state e-mail retention requirements and how we can deal with those. Mike responded that the way UF handles retention of any documents, electronic or otherwise, is to leave that as the responsibility of each individual. The UF Exchange system is designed so that the individual can execute that responsibility. You can retain things permanently or you can set rules that move messages to locations where they are deleted automatically after certain time periods.
While all the tools are there, UF Exchange doesn't get involved in what the user does with those tools; they have merely created a machine which an individual may use to meet their responsibilities for record retention. If you have documents, you are the document manager and you are supposed to retain those things according to the state's rules. Mike understands how difficult that is and how difficult those rules are. When someone leaves the university the responsibility changes and what many departments do is have the supervisor become the custodian. Though we run the machines, IT staff should never be the custodian of the e-mail; that responsibility is left to the end-user.
UF Exchange blocks/ IFAS didn't
Mike apologized for not initially understanding that IFAS had thought about this matter pretty carefully. He noted that we have had the ICC committee for years and have had a carefully considered and long-standing IFAS policy against e-mail blocking of which he was unaware.
Feeling out of control
Mike related his e-mail story which some of us have heard many times. He has been responsible for running e-mail systems since e-mail was invented. The only time he was ever on an e-mail system that he didn't run was when he was on the OFA e-mail system for four years--and he didn't like it because he had always been able to control the parameters of the e-mail system that he was on. When he came upon a system that he couldn't influence, that was a problem for him; he liked a system where he had some control. Steve commented that Mike must thus have some empathy for our situation and Mike responded that he had a lot of empathy for us.
Mike gets too much e-mail
Mike said he also had a lot of empathy for receiving mail, although he receives too much. When he first got on the OFA system he was number two in e-mail flow and number two in retained e-mail. He later became number one in flow and actually retained less because he was trying to be a good steward. Mike is currently down to about 1.5GB in his mail store, so by IFAS standards he is certainly no longer in the top ten on retention.
Most user complaints to Mike concern spam which was delivered
Mike mentioned that he is a statistician by training, so he tends to look at the entire system and how it is functioning overall. When it comes to spam he realizes that he is building an imperfect machine. Spam control measures, whatever those might be, either deliver an e-mail to your inbox or do not. There is a lot of mechanization behind that simple statement. From the user point of view all that really matters is whether or not a message gets to the inbox. Mike is a busy guy and if it is not in his inbox then he doesn't get it; while he does look at his quarantine because the e-mail lists make doing that easy, he never looks at his Outlook Junk E-mail folder. Mike said that he understands that individuals are different and that there are two kinds of errors which can be made: the system either fails to deliver something that you wanted or delivers something that you don't want. When it comes to user feedback Mike hears far more complaints that they have delivered something unwanted; Mike admitted that the ICC has been on the other side of things.
Specific examples of false positives
Mike has recently received specific examples of messages which were blocked that might have been delivered. He did have to say, however, that quite a number of unwanted messages would have to be delivered in order for the user to get those few as well. Some people simply don't get a lot of e-mail, so if everything was delivered to those users there would be little effect and perhaps they wouldn't care that they had to pick through their messages to locate the ones they desired. If IFAS has users who want things that way then UF Exchange is going to talk about how to go forward on that.
Clarifying the trade-offs involved
Mike just wants to make sure that we understand that, in the examples he received, it would be somewhere between nearly and completely impossible for a machine to make that call. There is no way to set parameters to say get me this stuff over here which looks exactly like that stuff over there that I don't want; that is, send me the Delta Airlines stuff but not the Continental Airlines stuff. What is going to happen is, if they want the Delta and not the Continental they are going to get both. Then Mike assumes he will get an e-mail from that person saying he didn't want the Continental.
An appropriate default
Mike said he realizes we want to have an appropriate default and he wants that too. We have about 3700 users on the system now. We will have 6000 by June and maybe 12,000 by this time next year. There are two sides on the default issue. First of all, what is the impact to UF if you've got the default wrong? There is a secondary aspect there in that whatever the default is it is wrong for somebody. The questions then become how many of those people are there, who are they, what is the impact and how are we all going to fix it so we get appropriate settings for everybody.
Some have suggested to Mike that the current defaults are designed for power users and he agrees. Mike also knows that if we set the defaults in certain ways the power users get killed. He doesn't like that because those are the people who pay the bills and who hire and fire us; when Mike thinks about impact, that is pretty high impact. Mike doesn't want to mess with the Provost's e-mail or that of the VPs. He said that IFAS is worrying about people who only get 8 e-mails and ought to get 10; Mike is worrying about people who get 100 e-mails and they should not get 150.
Changing the defaults
So, if we are thinking about changing the defaults--and we may change those--then we have to think about the support consequences. Those are going to fall on those senior people and we are going to have to be darn good at taking care of them. Maybe we can be, but that is where Mike's concerns lie. He cannot simply announce that he is changing these parameters and by the way you power users will be getting killed. Mike has to be very careful about that because that would be real impact to UF. If we change the defaults then we are going to have an outstanding support plan for executing the change.
The Exchange Policy Advisory Committee will need to be involved
Mike stated that any change would have to come from the Exchange Policy Advisory Committee. Mark Rieger said IFAS wants blocking turned off, but Mike is going to need something more specific than that. What the committee wants to receive from IFAS is a one-page proposal that says: here's the problem and here is the proposed solution--please do this. That should go to the committee through Mark Rieger for their consideration. When that is considered and if the committee approves that, then Mike is going to come back with an action plan. That plan is going to involve identifying the users with high flow and their individual support people. The support people will be directed that they must personally contact the affected users and make sure that they are in control of their Barracuda settings because when the defaults are changed, the support person is going to need to change things back for those users. Mike cannot let VPs, Deans and Chairs come in contact with what would happen to them if we change the parameters as suggested.
How to proceed
Mike understands that we might want to change the defaults for the majority that don't have high mail flow problems and agrees that this might be a smart thing to do. If we do that, however, there is going to have to be an outstanding action plan to get it done. So that is where things stand. Thus, IFAS should write a simple proposal firming up all the details which have been covered rather loosely by e-mails and have Mark Rieger present that to the committee. Mike believes that the committee will be sympathetic to the fact that e-mails are being blocked which people wish to receive and believes we will get there.
Joe Hayden asked if there was any granularity to providing different defaults for different groups. Mike responded that this was not possible. We would have to have a single default and then provide individual support for changing the settings of those for whom the defaults were unsuitable. Mike really believes it all comes down to flow levels. If you don't get many e-mails then you don't care for the services being offered; if you do then you want these services. If you are an individual with high e-mail flow then you don't have time to sort through things. You want a system that will do that for you with the understanding that you might lose something. It just comes with the territory; when you get that much e-mail you simply do not have time to sort through it--because you are in meetings all day. The current defaults are set to keep the quarantine down to about 10/day for such individuals--we can claim they have time to look through that many. They don't have time to pick through their Outlook Junk E-mail folder or anything else. If we change the parameters and that quarantine number becomes 85 then they are out of business.
Erik Schmidt quantified this by saying that they had calculated that turning off blocking would increase quarantine sizes by 3.5 times for the average user. Erik said this would not be a problem for low flow individuals, but could be a great problem for high flow individuals. [Note: The figures which Erik presented are not even close to agreeing with Joe Gasper's findings which calculated that change as moving from 0.46 to 0.53 daily average quarantine per user. Perhaps Erik's figures do not account for the fact that 86% of Barracuda blocking is not done via block scoring but rather by other block methods; maybe Erik equated a block score setting of 10 with eliminating all blocking--which is by no means the case.]
Different strokes for different folks
Mike hopes we can arrive at defaults which we believe are good for some large set of people because we thought through the impact and we understand the support issues and we really understand how to make the change. We need to provide documentation for the various cases as well, noting what settings might be appropriate for various situations and how to make those changes. The current defaults may be what we end up recommending for high-flow users. IFAS may have default suggestions which are appropriate for the larger set of low-flow users. We need to document those situations so we can make proper recommendations for each.
Mike Conlon spam article
The last thing Mike wanted to mention is that he is writing an article about spam which is currently at about seven pages in length and is somewhere around half-way complete. This is not really for publication, but will go on the web site. Mike is looking for reviewers (of which he could have many) or co-authors (of which he could have very few). If someone has a particular interest in this area he would be glad to take on a co-author, but certainly wants input from those willing to review that document.
Suggestion for handling non-default cases
Steve mentioned that he had heard it was possible to script Barracuda spam score settings. If that is the case, then the high-flow users could be handled during a default change by scripting them back to the more aggressive settings. Mike said that this was something they would consider in developing an implementation plan for a change in the default settings.
Concerns over reports of setting changes reverting to the defaults
Mike also mentioned that he is concerned about several reports that score changes have "spontaneously" reverted back to the defaults. That would be disastrous for our high-flow users if we did change the defaults; Mike needs to make certain that such a bug doesn't exist prior to moving ahead.
What about people who have already changed from the defaults?
Dennis Brown asked whether, if the defaults were eventually changed, there would be some way to exclude those who had already made changes. He asked because this is what has been stopping him from sending out an e-mail to all his users explaining that, should they want to see e-mails currently being blocked, they can set their score to 10. He wouldn't want to do that if a later change would override things. Erik responded that this would need to be tested, but he believed that custom settings would not be affected if the defaults were changed.
Joe Hayden pointed out that he would rather handle the upfront support issues of the minority than try to deal with individual settings for each person in the majority group. Mike responded that this is likely where we are heading, but he cautioned that we are going to have unhappy users regardless. Overall, Mike does not think these changes will make a big difference in the overall happiness of our users. He does believe, however, that if we are going to change the default that we ought to do it now while our user-base is relatively low. Consequently, Mike is anxious for this to come to closure.
Dan Cromer added that he has his block value set to 10 and gets about 8 messages quarantined per day. He is wondering if the majority of IFAS e-mails, perhaps because we have been on Exchange so long, involve messaging within the Exchange system itself. IFAS may not get nearly as much outside e-mail as other UF organizations.
At this point we were approaching noon and Mike had to leave for another appointment.
Question on managed folders
Kevin Hill mentioned that RECs were being migrated this weekend and he had some questions regarding managed folders. He realized this involved the Inbox but didn't understand things beyond that. Erik responded that this management is limited to only four folders and only affects e-mail, not calendar items, tasks, etc. Inbox and Sent Items are being managed and messages older than 365 days are being aged out to Deleted Items (retaining any existing folder structure) each day. Messages in Deleted Items are removed after being there 30 days. Messages in the Junk E-mail folder are retained only for 14 days.
Kevin asked if there was any special significance in the "Retain permanently" name. Erik responded that the name really made no difference but that this was suggested as a method to help unify support responses to e-mail retention questions.
Question on Junk E-mail folders
Wayne Hyde asked Erik if they had considered eliminating the Junk E-mail folder to simplify things. Erik suggested that this might be another thing to bring to the advisory committee.
Question on the rationale behind tagging
Steve asked Erik about the rationale behind tagging, as it was Steve's feeling that this was yet another level of complication that is unnecessary. Erik responded that it makes it easier for people to filter items into their Junk E-mail folder. Steve suggested that putting those in quarantine would serve the same function. Erik countered that, since tagged items were less likely to be spam, delivering those gives users the opportunity for viewing those more readily without having to view the quarantine. Erik mentioned that this again is a setting that is under individual control. Steve said that he feared this is where we are headed and that we will have to touch each individual or at least inform them of the situation and give them the opportunity to make changes and assist with those.
Question on Barracuda documentation
Ben said that the http://www.mail.ufl.edu site needs to have documentation available on the default settings and how to go about changing those. Dan Cromer mentioned that Fran is working on that. Dan heard about that at the support meeting on Wednesday and was wondering if it has been published yet.
Responses to Mike Conlon's presentation
Kevin Hill said he had wanted to respond prior to Mike leaving, but wasn't able to do so. He feels that handling low-flow vs. high-flow users differently is fine. However, he doesn't believe that any high-level IFAS administrator would dictate policy for the rest of their department based on their personal needs to keep their inbox clear. Providing special treatment for someone based on their ranking in the organization went against his personal support philosophy of treating all users with equal respect.
Wayne Hyde also mentioned that the assumption that high flow users are all upper administrators is not necessarily true. Joe Hayden added that many high-level users have secretaries filtering things for them so that by the time they see it any junk has already been removed. Joe feels it is the researchers who drive IFAS and those are the people who need to be handled most carefully--not necessarily the administrators. From his experience, when such individuals find that they are having e-mails blocked they will turn very vocal indeed.
The meeting ran a bit long and was adjourned at about 12:15pm.