ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM April 13th 2012 REGULAR MEETING


A meeting of the ICC was held on Friday, April 13th, 2012 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-six members participated.
 
Remote participants: David Bauldree, Bill Black, Dan Cromer, Jen Dawson, Dean Delker, Chris Fooshee, MJ Frederick, Kevin Hill, Wayne Hyde, Marvin Newman, Scott Owens, Mike Ryabin, John Wells, Gary Wilhite, and Alex York.
 
On-site participants: Jimmy Anuszewski, Dennis Brown, Francis Ferguson, Harry Figueroa, Winnie Lante, Steve Lasley, James Moore, Scott Purcell, Santos Soler, John Sowers, and Wendy Williams.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve introduced Jimmy Anuszewski who is now providing IT support for Agronomy. Apparently, Agronomy has been without local support since Micah Bolen left. We would like to welcome Jimmy to our ranks and hope that he will feel free to ask questions should he have any difficulties getting adjusted to how things are configured within IFAS.

Steve noted that he had mistakenly thought that Dave Blackman had replaced Micah at both AEC and Agronomy. It turns out that Dave does have a dual-appointment as reported back in October, but it is with AEC and Soils.

Steve also welcomed Scott Purcell who was attending his first ICC meeting from Florida Friendly Landscaping in the Environmental Horticulture department.

Congratulations to Winnie Lante, CJ Bain, and Ron Thomas for winning Superior Accomplishment Awards for IFAS this year!

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

Replacing Polycom endpoints with some Lync-based solution - Steve's introductory comments

Replacing integrated functions with separate interdependent components

Replacing Polycom endpoints with Lync software-based solutions would require installing, configuring and maintaining a long list of equipment to provide equivalent functions, including:

  • A computer platform for running the Lync client, with its corresponding security, configuration, and operability issues.
  • Cooling for same, depending on enclosures being used
  • A yet to be determined echo cancelling microphone solution (with new wiring) that fits our various room situations
  • A yet to be determined camera solution, including support for multiple cameras and pan/tilt/zoom with presets
  • Audio input and output dependencies on various computer drivers and software/hardware configurations
  • Remote keyboard, mouse, audio and camera control in many instances
  • Connection to or replacement of existing monitors and/or projectors
  • Integration with Accordent Capture Stations where needed

It is difficult to see how any conglomeration of such parts, even if they could be obtained, could have anywhere near the reliability of an integrated codec solution in either usage or manageability.

Proposed coordinated replacement would take resources that have traditionally been lacking

Without doing a site survey of every room across the state, there is no real way to determine the equipment cost of any proposed change. As we found out with the Accordent Capture Stations (ACS), local staff at many locations are ill-prepared to deal with complex A/V integration issues; some of those expensive ACS units are still sitting at remote sites unused as a result. Assistance with cost estimates and conversion would be required in many cases; coordinating that involves site surveys, creating drawings, pictures, and accurate wiring diagrams of their rooms. Continued assistance with maintenance would mean that those items would then have to be updated as changes occurred. Such coordination and follow-up has traditionally been a weakness of our centrally initiated VC plans; trying to do without that is likely the primary reason for any dissatisfaction with our current VC configuration.

Manageability and reliability concerns

Maybe Steve is missing something, but he doesn’t understand how a Lync-based replacement could be configured for automatic connection. Steve fears that lack of support for that would greatly increase local staffing loads as it would seem to remove the ability to configure things prior—rather a support person would have to be on-hand to assist.

There are other reliability issues with Lync that are of concern as well. During our experiences with using Lync for connection to bridged ICC videoconferences, that software has been reported to freeze and require reconnection fairly often. Some have mentioned that drivers might be the issue there, but unless the proposal is to insist on standardizing for a particular computer hardware platform, diagnosing such issues is likely to be a continuing headache.

Additionally, codecs like the Polycom permit controlling connection throughput while software solutions auto negotiate that with often sub-optimal results. That could have a profound effect on more congested circuits.

Standardized, centrally supportable solutions would do more to increase VC reliability

Granted that he does not know the full details of the original problem that this solution proposes to address, Steve suggests that most VC issues within IFAS stem from trying to do too much with aging equipment, insufficient video conference support staff, and no standardization of installations. Traditionally, rooms have been rigged together from parts without any standardized recommendations or guidelines; it would be better to standardize as much as possible on a well-defined set of equipment and configurations across our various installations. Steve feels that such efforts would do much more to increase overall VC reliability than what is currently being proposed.

What advantages suggested this solution?

Steve’s impression is that the costs of converting Polycom to Lync would go far beyond any itemized parts list and would only aggravate overall system reliability. While Lync may make sense in certain well-defined situations, Steve feels a dedicated codec (Polycom, Tandberg, Lifesize, Aver) is a much preferable solution for the majority of the videoconferences that are being held currently within his own unit. Steve wonders how a general Lync replacement of Polycom units came to be proposed to Dr. Joyce and doesn’t understand Dan Cromer's contention that Lync has a strong advantage over Polycom in usability when one considers all the independent parts that would be involved in shoehorning this into his own AV/VC rooms.

Replacing Polycom endpoints with some Lync-based solution - ICC discussion

A number of ICC members had chimed in on this topic via the ICC-L over the last few days:

Message from Dennis Brown to the ICC-L:
"Re: [ICC-L] Cost of converting Polycom to Lync" Tue 4/10/2012 3:59 PM


I'm sitting here looking at my 52" TV screen with HDX7000 on a cart and imagining replacing the HDX7000 with a computer. The first thing that comes to mind is that every month you have Windows updates that might break Lync. Maybe Windows isn't a good OS for video conferencing. We might want to add in the Avermedia units Lance showed us at the last ICC meeting for comparison that cost $2700 (point-to-point unit costing $1700).

Obviously Lync would be preferred for one person at one site. For my unit those make up a very small percentage of the requests.

One professor here was interested in the possibility of using Skype which comes embedded on some TVs (which include camera and microphone). Bandwidth is an issue with Skype. It would be nice if the actual video conference unit was an app built into the TV.

The best solution I can think of probably doesn't exist. I think video conference units need to take a DOS to Windows type jump. I envision a device like a Microsoft Surface where you can drag and drop locations (Fifield.1, Immokalee.2, Lake-Alfred.2) onto a bridge icon and have them connect. You'd still have a TV and/or projector plus camera and microphone. The only time we'd need to worry about ip numbers is when building a shared directory or a new unit is added. The only time we'd be called is if there was a problem. I'll keep dreaming. :-)

Message from Ben Beach to the ICC-L:
"Re: [ICC-L] Cost of converting Polycom to Lync" Tue 4/10/2012 4:49 PM


Also, some county-supported sites may not have Lync or the licenses, and some may not allow it to be installed on their desktops.

Message from MJ Frederick to the ICC-L:
"Re: [ICC-L] Cost of converting Polycom to Lync" Wed 4/11/2012 11:47 AM


All of us have some sort of Polycom model system at our sites and it is true from time to time there are connectivity issues or gremlins…but for the most part it does work. I know my Center Director is not impressed and thinks it a waste because it is hit and miss at times…not necessarily from our end but connecting via the bridge or others whose systems may have compatibility issues and definitely with Extension folks. Presently, we aid MDC Extension since they have had issues for years with their system. They run on DSL and it is problematic a lot of the time. And the fact that poor Kevin is so far away and handling various counties is not the best line of support. Also, like Ben says, some licenses and permissions to install certain programs like Lync may not be permitted. And we not only work with Extension, but USDA, International Universities, and other entities that are not UF network-based.

Also, we have events where there are multiple presenters.

While Lync is a great communication tool I do have concerns being reliant on a windows based application. I don’t think you can just do an all-out conversion for everyone. I hope Dr. Joyce understands this. Also, we have MAC’s here and want to make sure all apps are compatible.

This is what faculty and students are using here at TREC:

  • Skype
  • Movi
  • Lync
  • Go to Meeting
  • JoinMe

But mainly - Polycom PVX units at their desks (we do not offer DE class support, so students, also, use these systems on a lab computer to attend class. However, when they have content to present they schedule our main facility, Bldg. 8260’s HDX8000 and use it).

I like Elluminate. Have used it throughout my online doctoral program at NSU and find it works great. But again, the concern for most here is ease of use, accessibility, cost, computer-based app, and support.

I hope to be able to attend Friday’s ICC meeting to hear what others have to say on the subject matter.

Message from John Wells to the ICC-L:
"Re: [ICC-L] Cost of converting Polycom to Lync" Wed 4/11/2012 12:13 PM


The NW District’s primary concern with Polycoms hasn’t been the functionality, but the cost of warranties and replacements. Any technology we use is going to have issues from time to time. But the Polycom units at $5k+ a pop are a little hard on the wallet to replace. We’ve been trying different software solutions and have been seriously considering going with Movi and a nice webcam, which would allow us to push contact, join bridge conferences, and still be able to push content.

Message from MJ Frederick to the ICC-L:
"Re: [ICC-L] Cost of converting Polycom to Lync" Wed 4/11/2012 12:41 PM


Hi John...

Thanks for sharing that. What I am finding with Movi, and spoke to Patrick yesterday about the issue, is with the OpenGL version 1.2 requirement. On my machine and some others we are not able to perform the necessary upgrade from Version 1.1 to 1.2. And you have to in order to run Movi. I updated my video drivers as suggested, but it did not remedy. So I can foresee this being an issue down the road.

Dan Cromer has been tasked with providing a cost estimate

After Steve's introduction, Dan Cromer responded saying that Dr. Joyce had not asked him whether or not we should convert to Lync; rather, he asked how much it would cost to do so. When Steve asked Dan who was providing the information to administration that suggested converting from Polycom to Lync as an option, Dan said that some faculty member had spoken with Dr. Payne, mentioning that they had seen a demonstration of Lync at the University of Kentucky and had related that it was very robust and worked well.

Dan would appreciate comments posted to SharePoint

Dan added that we have had several demonstrations of both Lync and Polycom at UF and they have both worked well. When Joe Joyce asked Dan what a conversion to Lync would cost, Dan had told him he would have to check with the ICC members, as each site was different. Dan said that he had added "Polycom H.323 vs. Lync" under "ICC Topics for Discussion" on SharePoint and asked ICCers to all please add their comments there.

Will county networks be a problem here?

When Mari Jayne Frederick asked if this included CEOs, Mike Ryabin pointed out that some CEOs are on their county's network and may not want to support Lync. Dan suggested that Dr. Payne might have some influence there, but at this point Dan is only interested in what this would cost--not whether or not this is something which we should do.

Why replacement rather than augmentation?

When Steve suggested to Dan that someone should approach administration with the opinion that such a replacement might actually be a bad idea, Dan responded by saying that he didn't agree with everything Steve had said in his introduction to this topic. Dan said that he believes we have uses for both Lync and codec-based videoconference solutions and that we should be asking what is the best tool in each situation. Steve agrees with that completely, but doesn't understand then why the idea of "replacement" is being considered.

End user VCs w/o bridge involvement

In Dan's experience, his regular Lync on-line meetings generally work well, but he pointed out that using Lync to connect to the bridge, as some do with the ICC, is a different situation. The advantage Dan sees with Lync is that he believes an end user can solve connection issues more readily than they can with the Polycom, where Dean Delker or Patrick Pettus must get involved with the bridge.

When Steve pointed out that there would be no automatic connection to videoconferences for Lync clients, Dan responded that the end user would get an email providing the connection link. End users would be in control of the connection.

Codec-based systems make more sense in many situations

Steve pointed out that his department uses videoconferencing heavily for teaching. He can't imagine Lync ever replacing his department's current classroom systems as that would entail losing required features and adding even more separate components to already very complicated AV systems. If that is the case with other locations, as Steve assumes it is, we will still need the bridge involved and we wouldn't be using a Lync-only solution in any case.

Better coordination between users and bridging services must be addressed in any case

Dan discussed some of the many options we have for videoconferencing, but added that he was very skeptical that Lync is robust enough to be able to match what we have with Polycom. At the same time, he said that we have to address the sorts of issues that led to this situation, where our VP was embarrassed by not being able to videoconference as he was expecting. Dan said he is working with Ayola Singh of the UF Computing Help Desk as well as John Pankow, supervisor of Patrick Pettus, to improve service to callers trying to resolve an ongoing VC connection issue. Such calls to Video Services recently started being routed through the UF Computing Help Desk, and the perception currently is that this has caused more delays than it has helped with response.

Dan Cromer would advise against any "mass conversion"

Mike Ryabin commented, basically saying that replacing their new and complicated AV/VC setups with Lync didn't seem very feasible from his perspective. When Dennis Brown asked if a "mass conversion" was intended, Dan responded that he was against that because of the large amounts we have already invested in codec-based solutions. Dan said that he believes what we have is working well for the most part, with the problem being more of a human/scheduling/support issue rather than the technical hardware capabilities. Dan said he would do the best he could to dissuade Dr. Payne from doing any "mass conversion."

Software- and codec-based solutions each have their place

MJ suggested that Lync should remain another option for use where it fit the situation. Mike Ryabin agreed, saying that Lync, Movi, and PVX are personal computer clients that were developed for individual participants while codecs were developed specifically for integration into classroom/auditorium settings with integrated multiple camera and microphone support. We should use whichever technology is most appropriate to the given situation.

Scheduling and evening support

Marvin Newman said that most of the issues he has seen with Polycom have to do with scheduling issues and the biggest overall issue is the lack of afterhours support for evening classes.

Schedule requests are not following posted guidelines

Dean Delker pointed out that the incident that caused Dr. Payne embarrassment involved a last-minute bridge request made by Plant Pathology, which Dean says has become a regular pattern with that department. Video Services requests 72 hours lead-time on event requests and Plant Pathology apparently has never provided them more than 24 hours' notice. Thus it is not completely surprising that one of these hastily scheduled events might have had an issue. Steve pointed out that Dean has been so diligent at trying to accommodate such requests that they have likely come to expect it--one of those damned if you do and damned if you don't situations for Video Services.

Appreciation for Dean Delker

Dennis Brown wanted to express his appreciation for the great job Dean does. We all really appreciate having him over there.

Can/will end-user scheduling improve coordination?

Mike Ryabin said he felt that having the long anticipated end-user scheduling capabilities would help with scheduling because sites could see conflicts immediately during original set up. Steve noted, however, that TMS is somewhat finicky at times and he suspects that its little oddities are part of the reason that this aspect has been delayed. TMS sometimes has a "mind of its own" and shifts things around when conferences are being edited. It may not be user-friendly enough to permit end-user scheduling as a consequence.

There are installations that could easily be replaced by a software-solution

Dean said that Patrick and John have often noted that there are many codecs in McCarty Hall that are little used. Apparently these are the sorts of simple configurations where a software solution like Lync could save considerable money. Dean believes it makes sense to support a "hybrid system" where both software-based and codec-based endpoints can be utilized as appropriate. He contrasted some of these installs where individual faculty had apparently wanted their own codec in their office with the situation at Entomology where their three systems are used on a very regular basis for teaching and conferencing among state-wide departmental faculty.

Promising new "Conference" camera on the horizon

Steve noted hearing about the Logitech BCC950 ConferenceCam which is due out in May of this year. It looks like this would be very easy to integrate into a software-based cross-platform VC endpoint solution that could utilize either Lync or Skype on Mac or PC in conjunction, perhaps, with Lync and/or Movi.

All-in-one Skype solution

Lance Cozart had pointed Steve to telyHD from telylabs as a potential Skype solution. At the same time we have to address the sorts of issues that led to this situation, where our VP was embarrassed by not being able to videoconference as he was expecting.

Other standing VC topics

End-user Scheduling (previous discussion)

This was discussed a bit within the prior topic.

Movi (previous discussion)

Updates not available...

Lync Migration results (previous discussion)

Updates not available...

WAN (previous discussion)

Updates from James Moore

Steve welcomed Harry Figueroa who was here for his first ICC meeting. Harry joined the WAN group a while back as noted at our October 2011 meeting. It was nice to finally put a face to the name.

Circuit upgrades in progress

Ordway-Swisher is getting new fiber; a group called NEON is setting up shop there in partnership with UF. CNS has spec'ed out some WIMAX towers to be placed out there. Part of the fiber backbone design included plans to provide breakouts for those towers. They intend to use that network to provide tracking for local wildlife. Those towers could provide other types of wireless as well should that be desired. Six towers are being planned with a phased install of two towers at a time. Windstream won the bid on the fiber installation and one of their subcontractors is putting in a new entrance facility there for both NEON and UF. They are going from 3 Mbps to a 5 Mbps Metro Ethernet circuit.

Hastings and Live Oak will be getting off their current T1s and moving to 3 Mbps Metro Ethernet connections.

Backup of MPS servers to Gainesville from a number of CEOs has been hampered by low bandwidth issues and CNS has been trying to replace current DSL connections with cable. The night-time window is insufficient to get that done in a number of cases. Another problem they've seen with DSL is that maxing out uploads overwhelms the controller doing ATM to Ethernet conversion and drops sync. When it resyncs it doesn't reauthenticate PPPoE; that is only done on POST, so unless someone power cycles the box, the connection remains broken even though the carrier will see things as being "up". Next week Putnam, Collier, and Hialeah will be getting new routers and switches. Baker is expected to follow shortly thereafter.

James said that Harry is working on VoIP upgrades and a full network router upgrade for Balm. James is working on new fiber at Quincy which will be going from 10 Mbps on copper to a 20 Mbps fiber connection. Quincy is going VoIP as well; this will be our first such installation to utilize call setup via VPN back to Gainesville. They are installing an SRST gateway that will basically extend CallManager features to the local site in situations where the WAN circuit goes down. All the call setup will be done locally in such instances dumping all calls onto the local PRI rather than the usual split of local versus UF.

CNS is attempting to get a new FLR circuit at Milton but is having difficulties due to new AT&T prices along with unacceptable connection solutions from other vendors. It looks like Cox Communications may be our best bet there and James is continuing to pursue that solution. The budget may not allow this to address Jay as well, but they might get a bandwidth increase there in the meantime.

Vero Beach will be getting an upgrade beginning at the start of the coming fiscal year. It will take 30-60 to get the fiber there once the project is initiated. A Shands facility there is going to partner with us on this; they will have two remote circuits into the cloud and we will share the circuit back to Miami.

VoIP Projects

VoIP projects at Balm, Quincy, Apopka, and Milton will be funded from this fiscal year budget. Ft. Pierce and Homestead will come out of the next fiscal year's budget. James has begun talks with MJ about the entry costs for that. A new building is going in at Homestead, so MJ has been working with FACOPs to make sure we get a good network in there. James will be working with Marvin Newman at Ft. Pierce to plan a full LAN and router upgrade there.

Steve asked if this meant that by the end of next fiscal year we will have finished the first round of network refreshes at all the RECs across the state. James said that this would indeed be the case. He said that they would also hope to work more on wireless, not just at the RECs, but at CEOs as well. Costs have been an issue there. They are also working on getting SNMP modules for the UPS equipment at various RECs so the appropriate folks can be notified right when devices go on battery.

Network Monitoring System access

James plans to extend NMS access to district and remote unit staff so they can view not only CPU and hardware stats, but view log files, port statistics, and error counts to assist with initial network troubleshooting. Training will accompany this. The next step that James believes is being rolled out to some departments on campus for testing is self-help. It would permit local subnet managers to change certain things on switch ports such as duplex, speed, and maybe even VLAN assignments.


Policy


New 'Trouble-Ticket' Entry Page for CNS

Steve asked if anyone had entered a trouble ticket lately, wondering how well that is working. Winnie responded that she has done that and it does work, even though she isn't really comfortable with the interface yet.

Dennis Brown mentioned missing the email notification we used to receive when one of our users submitted a ticket. Apparently such notification would have to be made manually by whoever handled the ticket originally. Auto-notification of the associated support staff via the NMB setting was a custom built feature of the prior system that is yet to be duplicated with the new system.

Migration of DNS and DHCP Services to New BlueCat Platform (previous discussion)

Updates not available...

UF File Express still in round-2 beta testing (previous discussion)

Updates not available...

Campus VoIP improvement implemented (previous discussion)

Updates not available...

UF FAX server project (previous discussion)

Since our last meeting it has been discovered that only individual accounts or service accounts may be tied to a fax number. The latter is thus necessary if you wish multiple individuals to receive faxes electronically.

John Sowers reported that he has been using both incoming and outgoing with success.

Upcoming requirements for InCommon Silver (previous discussion)

James Oulman recently reminded the UF IT community that the upcoming change to LMCompatibilityLevel will disallow LM and NTLMv1. The switch-over is coming Sunday, April 29, 2012 during the 6am to 10am Maintenance Window and is detailed in a UFAD Compliance with InCommon Silver AD DS Requirements document.

Chris Leopold wasn't available for comment but we assume that IFAS is appropriately prepared on our end.
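
A way to check client readiness for the LMCompatibilityLevel change described above, as an added example that is not part of the meeting notes or the UFAD document. It classifies machines by their effective LmCompatibilityLevel; the inventory rows are constructed sample data, and the function names are hypothetical.

```powershell
# Added example (not from the meeting notes): classify Windows machines by
# LmCompatibilityLevel to see whether their NTLM logons keep working once the
# domain controllers refuse LM and NTLMv1. Kerberos logons are not affected.

# What a client sends at each documented level.
$ClientBehaviour = @{
    0 = 'Sends LM and NTLM responses'
    1 = 'Sends LM and NTLM; NTLMv2 session security if negotiated'
    2 = 'Sends NTLM response only'
    3 = 'Sends NTLMv2 response only'
    4 = 'Sends NTLMv2 response only (refuses LM when acting as server)'
    5 = 'Sends NTLMv2 response only (refuses LM and NTLM when acting as server)'
}

function Get-EffectiveLmLevel {
    # When the registry value is absent, Windows uses a built-in default:
    # Vista / Server 2008 and later = 3, Server 2003 = 2, Windows XP = 0.
    param($Configured, [Version]$OsVersion, [bool]$IsServer)
    if ($null -ne $Configured) { return [int]$Configured }
    if ($OsVersion.Major -ge 6) { return 3 }
    if ($IsServer) { return 2 }
    return 0
}

function Test-LmLevel {
    param([string]$Name, $Configured, [Version]$OsVersion, [bool]$IsServer)
    $level = Get-EffectiveLmLevel -Configured $Configured -OsVersion $OsVersion -IsServer $IsServer
    $shown = '(not set)'
    if ($null -ne $Configured) { $shown = $Configured }
    [pscustomobject]@{
        Computer       = $Name
        Configured     = $shown
        Effective      = $level
        Behaviour      = $ClientBehaviour[$level]
        # Levels 0-2 still answer with LM/NTLMv1, which the DCs will reject.
        SurvivesChange = ($level -ge 3)
    }
}

function Get-LocalLmAssessment {
    # Reads the real setting on the machine this runs on.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $configured = $lsa.LmCompatibilityLevel          # $null when the value is absent
    $product = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
    Test-LmLevel -Name $env:COMPUTERNAME -Configured $configured `
        -OsVersion ([Environment]::OSVersion.Version) -IsServer ($product -ne 'WinNT')
}

# Constructed sample inventory (hypothetical machine names), so the
# classification can be seen without touching any registry.
$sample = @(
    @{ Name = 'LAB-XP-01';   Configured = $null; OsVersion = '5.1'; IsServer = $false }
    @{ Name = 'LAB-XP-02';   Configured = 3;     OsVersion = '5.1'; IsServer = $false }
    @{ Name = 'FILESRV-2K3'; Configured = $null; OsVersion = '5.2'; IsServer = $true  }
    @{ Name = 'OFFICE-W7';   Configured = $null; OsVersion = '6.1'; IsServer = $false }
    @{ Name = 'OFFICE-W7B';  Configured = 1;     OsVersion = '6.1'; IsServer = $false }
)
$sample | ForEach-Object { $row = $_; Test-LmLevel @row } |
    Format-Table Computer, Configured, Effective, SurvivesChange -AutoSize

# On a Windows host, also report the local machine.
if ($env:OS -eq 'Windows_NT') { Get-LocalLmAssessment | Format-List }
```

In the sample, only the XP machine raised to level 3 and the Windows 7 machine left at its default pass; a Windows 7 machine explicitly lowered to level 1 fails just as an untouched XP machine does.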

Implementing the Mobile Computing Security policy (previous discussion).

Steve mentioned that he is continuing to encrypt laptops with BitLocker and does that routinely on all new laptops now. He asked if others had been addressing that, but apparently they aren't.

Wake on LAN support coming to campus: (previous discussion)

Updates not available...

New Secunia site license (previous discussion)

Updates not available...

KACE agent deployed to IFAS (previous discussion)

Dan Cromer said that he had been in contact with Melissa Palmer about getting regular snapshots of the Kace database. She will be providing Dan monthly updates which he will upload to SharePoint. He just posted the latest report there as "Sr_VP_for Instute of Food and Agricultural Sciences."

Domain Policy and redirect duration (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

Updates not available...

UF Exchange Project updates (previous discussion)

AutoDiscover configuration changes

Joe Gasper had reported on AutoDiscover Configuration changes that were implemented at the beginning of this month:

Message from Joe Gasper to the ACTIVEDIR-L:
"[ACTIVEDIR-L] AutoDiscover Configuration" Wed 3/21/2012 4:10 PM


On Sunday, April 1st, an additional method to the Exchange AutoDiscover Service will be enabled (DNS SRV record). This service assists with automatic configuration of Outlook based on a user’s GatorLink email address for clients without access to UFAD. A campus-networked, domain-joined, Windows client’s configuration method, Service Connection Point (SCP), will not change. Non-domain-joined clients using Outlook 2007 SP1 (released 12/07) and newer and Outlook for Mac 2011 will be able to have a similar automatic configuration as domain-joined clients. Once activated, non-domain-joined clients will receive a notification in Outlook requesting automatic configuration. Users may check “Don’t ask me about this website again” and select the Allow button. For non-domain-joined clients, you can suppress the notification by adding a registry entry (Outlook 2010, 2007) while logged on as the user; useful if you are often building such systems. Outlook for Mac 2011 has not supported the SCP AutoDiscover method, but will now be configurable by the DNS SRV record lookup method.

Example: Suppressing AutoDiscover notification for Outlook 2010:
reg add HKCU\Software\Microsoft\Office\14.0\Outlook\AutoDiscover\RedirectServers /v "mail.ufl.edu" /t REG_SZ

Bring your questions to Tier-2!

Thanks,
Joe
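
Suppressing the redirect prompt makes Outlook trust that host silently, so it is worth confirming where the SRV record points before adding the registry value. The following check is an added example, not part of Joe's message; the SMTP domain `ufl.edu`, the expectation of port 443, and the function names are assumptions, and the record sets are constructed samples.

```powershell
# Added example (not from the original message): only suppress Outlook's
# AutoDiscover redirect prompt when every SRV answer points at the expected
# host on HTTPS.
$ExpectedHost = 'mail.ufl.edu'   # host named in the reg add command above
$SmtpDomain   = 'ufl.edu'        # assumption: SMTP domain of GatorLink addresses
$OfficeVer    = '14.0'           # Outlook 2010, as in the message

function Test-AutodiscoverSrv {
    # Takes SRV records (objects with NameTarget and Port) and reports whether
    # all of them lead to the expected host on port 443.
    param([object[]]$SrvRecords, [string]$ExpectedHost)
    $srv = @($SrvRecords | Where-Object { $_.NameTarget })   # drop non-SRV answers
    if ($srv.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false; Reason = 'no SRV record returned' }
    }
    $bad = @($srv | Where-Object {
        $_.NameTarget.TrimEnd('.') -ne $ExpectedHost -or $_.Port -ne 443
    })
    if ($bad.Count -gt 0) {
        $list = ($bad | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected target(s): $list" }
    }
    [pscustomobject]@{ Ok = $true; Reason = "all targets are ${ExpectedHost}:443" }
}

function Set-RedirectSuppression {
    # Per-user equivalent of the reg add command; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$HostName, [string]$OfficeVersion)
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover\RedirectServers"
    if ($PSCmdlet.ShouldProcess($key, "add value '$HostName'")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $HostName -PropertyType String -Value '' -Force | Out-Null
    }
}

# Constructed sample answers, to show both outcomes without a DNS lookup.
$good  = @([pscustomobject]@{ NameTarget = 'mail.ufl.edu';     Port = 443 })
$wrong = @([pscustomobject]@{ NameTarget = 'mail.example.net'; Port = 443 })
Test-AutodiscoverSrv -SrvRecords $good  -ExpectedHost $ExpectedHost   # Ok = True
Test-AutodiscoverSrv -SrvRecords $wrong -ExpectedHost $ExpectedHost   # Ok = False

# Live check, on systems that have Resolve-DnsName (Windows 8 / Server 2012 and later).
if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
    $live = Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue
    $result = Test-AutodiscoverSrv -SrvRecords $live -ExpectedHost $ExpectedHost
    $result
    if ($result.Ok) {
        # Remove -WhatIf to actually write the value for the logged-on user.
        Set-RedirectSuppression -HostName $ExpectedHost -OfficeVersion $OfficeVer -WhatIf
    }
}
```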

Legitimate outgoing email being rejected as spam

One of Steve's users who deals frequently with outside clientele received a rejection message recently. Steve relayed the usual advice but also cc'd Scott Owens who provided the following message from Todd Williams of CNS Open Systems:

CNS Open Systems has recently received a small yet significant number of reports regarding legitimate outgoing email being rejected as spam. In particular these reports have involved messages being sent from on-campus to off-campus recipients. In order to resolve this issue we have been working with Proofpoint to characterize these incidents and adapt the screening process so that valid outbound mail will not be blocked. As part of this effort we have developed a procedure through which our user community can assist us in improving the situation. Based on recent adjustments we believe that valid outgoing mail should no longer be blocked; however, if you encounter this issue we ask that you please take a moment to utilize the procedure below to help us take further corrective action.

The issue in question is best described as a sender meeting with the following rejection notice from smtp.ufl.edu:

550 5.7.0 This message looks too much like SPAM to accept.

Upon receiving this message we request that you perform the following steps:

  1. Try again in order to confirm that the error is repeatable. If it is repeatable proceed to step 2.
  2. Send the exact message that was failing to report-ham@ufl.edu.
    Please do not forward the message-- simply change the To: address in the mail client to report-ham@ufl.edu and send it along.
  3. CNS-OSG will capture the message and work with the vendor to resolve the issue.
  4. If the issue persists beyond one business day after the initial report, please email open-systems-l@lists.ufl.edu to notify us of the continuing problem. Additionally, forwarding the rejected message as an attachment to the list will allow us to identify your case.

Thanks for your patience and assistance in this matter!

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Electronic Copy - Print Output Cost Reduction program (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Santos Soler reported that they now have a couple of sites running on the new cluster.

Mike Ryabin was concerned about available storage space for ACS lecture captures. Santos responded that this should not be a problem. The storage used by ACS on the web server is minimal; most of the space for those captures is taken up by the video portion which is stored elsewhere on the video server. Also, those websites are going to be moved to the new cluster. That will require a minor change on each ACS to reference the new storage location, but Santos will provide plenty of lead-time to coordinate that changeover. Things will be moved to DFS with this change so that future backend name modifications will be transparent.

General website migration will be beginning soon and Santos will be sending out emails about that. Cleanup will be expected as media files are going to have to be moved off the web server and old and duplicate/backup files should not be migrated. Santos plans to migrate the smaller sites first as they should be easiest. Though we have reduced our number of sites from over 800 to somewhat over 400, we still need to continue to consolidate.

Santos has run into a little problem with passing SSL to the new cluster, but is investigating. The cluster configuration includes a Network Load Balancer (NLB) at the top under which are two nodes supporting Application Request Routing (ARR). Currently the SSL information is not passing from the ARR to the web servers. This is needed in order to provide WebDAV access but Santos is confident that this known problem can be resolved.

File server migrations (previous discussion)

Updates not available...

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM (previous discussion)

MDT 2010

Updates not available...

SCCM for IFAS

Alex York said that he has SCCM 2012 RTM up and running and Kamin Miller has been actively participating with it. Alex is impressed so far, noting that permission delegation is working amazingly well. Dennis Brown said they hope to use it to manage JRE deployments soon and Steve is sure that everyone could easily get interested in that aspect. Steve said that he has barely found time to log on to the console let alone figure out how to use it effectively, but hopes that he and others can benefit from the pioneering efforts of Alex and Kamin there.

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Re-enabling the Windows firewall (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Operations


Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection? (previous discussion)

SCCM 2012 should bring closer the possibility of migration off McAfee.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

IFAS efforts toward Green IT (previous discussion)

Updates not available...

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (previous discussion)

Updates not available...

Moving away from the IFAS VPN service (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Wayne Hyde posted the following to the ICC-L because he intends to open up his VDI infrastructure for broader use.

Message from Wayne Hyde to the ICC-L:
"[ICC-L] redirected my documents / desktops ?" Mon 4/2/2012 1:48 PM


How many departments have configured redirected folders for their users? If so, do you:

  • Do it for everyone or just a subset of computers?
  • Are My Documents and Desktop redirected or just one?
  • Do you have the name of the GPO(s) handy to point me at so I can see the path structure you used?

I am going to open up the IFAS Virtual Labs up for all faculty and staff soon and would like to have it redirect mydocs/desktop to your configured location to keep a consistent user experience no matter where someone logs in.

The virtual labs will have Office 2010 (minus Outlook), Flash Player, Adobe Reader, Java, ArcGIS 10 SP4, and some more applications depending on license/install requirements. Software that uses network license servers to do concurrent user licensing (ArcGIS, SPSS) works best. Software like SAS and SigmaPlot are difficult to handle as we would need licenses to cover the entire pool. It may be possible to create a smaller pool for those apps if there is a need; I currently do it for some departments that have contributed funds to support our virtual environment over the last 3 years.

We are also creating a pool of management stations that will have the RSAT tools including Exchange and Configuration Manager, Explorer++, putty, etc.

The virtual labs require a small client to be installed on PCs (Windows or Mac) and there is also a free iPad client via the iTunes store. I will send details about how to connect after I fix the policies to handle departments with redirected folders.

Wayne then followed up with the management VDI announcement just a day later:

Message from Wayne Hyde to the ICC-L:
"[ICC-L] ICC Virtual Management Stations" Tue 4/3/2012 5:59 PM


Everyone,

I have deployed a pool of 15 management VMs for folks to use/test and provide feedback. The tools installed include:

  • RSAT tools
  • Exchange Management Console
  • VMware vSphere Client
  • SQL Server Management Studio
  • Explorer++
  • Putty

I will probably add Adobe Reader and Java in the next few days.

Please log in with your Gatorlink username (NOT your ADMN/L credentials). The first time you log in will be relatively slow as it creates your profile. Subsequent logins should be much faster. Personalization of menus/start-menu is persistent, so you can pin your favorite apps or make other modifications as you like.

My Documents and Desktop are redirected to a network share and will persist between sessions and be available from any entitled pool. I have not decided what to do about departments that redirect folders for users. You can still get to your normal documents/desktop folders via drive maps which should still get mapped for you via the IFAS logon script. Your printers should be connected as well.

To run applications with your ADMN credentials, you may have to right-click and select “Run as administrator” if the program doesn’t automatically try to elevate. UAC will ask for credentials; simply enter your management credentials and away you go.

There are Android and iOS clients in the respective app marketplaces. The iOS client may only be for the iPad while the Android client works on phones and tablets.

https://play.google.com/store/apps/details?id=com.vmware.view.client.android&feature=search_result

http://itunes.apple.com/us/app/vmware-view-for-ipad/id417993697?mt=8

Windows and OSX clients can be installed by connecting to the following URL which will auto-detect the proper client:

http://virtual.ifas.ufl.edu

The connection broker name is virtual.ifas.ufl.edu. You can use the “log in as current user” option if you are on a UFAD machine and don’t enjoy typing your password multiple times like I do. Chris will donate $200 Zimbabwe dollars to every person who does not check this box.

Mike Ryabin had mentioned connecting successfully to the virtual management stations with an Android tablet. Steve had connected with his phone once, but found the buttons difficult to operate at that screen size; still it might be useful in a pinch.

Wayne stressed that he also has Faculty/Staff pools for accessing a growing set of Windows applications such as ArcGIS and SPSS from multiple client platforms. This provides convenient access to a locally networked Windows box from any location and multiple client platforms and Wayne would like to get the word out about its availability. Wayne is also looking for suggestions on what applications people would like to see both on the faculty/staff and on the ICC Management Station pools.

Wayne has been talking with James Hardemon of SLS who is trying to get concurrent licensing for a broader range of applications, including SAS, and to also include the ability to use these licenses on virtual machines. Wayne is looking at getting Acrobat or some other third-party solution that would permit the creation of PDFs.

Wayne explained how the idle and disconnect timeouts work. You can leave programs running and disconnect to reconnect from a different client computer; there is a disconnect timeout however, set currently to two hours. If you don't reconnect within that timeframe the VM will be shut down and your work will be lost. That setting can be tweaked as seems appropriate, so please provide feedback to Wayne if you think that should be changed.

Banner pages are displayed at logon for the Faculty Staff Pool and the ICC Management Pool that attempt to explain details of usage.

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool in production (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

see the new virtual infrastructure section above...

ePO updates (previous discussion)

Wayne mentioned that the new console provides a search box on the "System Tree" page where you can type a computer name to quickly get to the details on a particular computer (after changing the Preset to "this Group and All Subgroups"). The "Threat Events" tab provides the details of detections.

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

Patching updates... (previous discussion)

Microsoft

The April Microsoft patches will include 6 bulletins (4 "Critical," and 2 "Important") addressing 11 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Forefront UAG, and .NET Framework.

McAfee provides podcasts on the highlights of each month's offerings.

Adobe

Yet another Flash Security Bulletin was released since our last meeting. This latest version of Flash includes an updater which we can only hope will do the job it promises. The bulletin announced a new version of Adobe Air (3.2) as well to address a security issue with that software.

The quarterly Reader/Acrobat updates also came out earlier this week. The good news there is that Adobe has apparently stopped bundling a FlashPlayer with Reader/Acrobat.

MS Office News update (previous discussion)

Updates not available...

Job Matrix Update status (previous discussion)

Updates not available...

Remedy system status (previous discussion)

Updates not available...


Other Topics

Too many virus alerts?

John Wells wondered if anything could be done to target UFIRT notices rather than send all IFAS notices to every IT support person. Kevin Hill noted that Outlook rules could be used for this. Wayne added that if folks did this he would strongly recommend making the rule such that it leaves alerts for your IP range in your inbox. For example:

Apply this rule after the message arrives
From IFAS Incident Response Team
Move it to the ILOVEIRTALERTS folder
Except if the subject contains ‘10.251.24.’ or ‘10.251.25.’

This would be for the IP subnet 10.251.24.0/23 which covers 10.251.24.x and 10.251.25.x.

Wayne would also recommend excluding “Security Ticket Reminder” notices which go out once a week unless you want to search for text in the body of the emails for your IPs.
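The following is an added example, not part of the meeting notes or of any IFAS tooling. It derives the "subject contains" terms for a subnet and compares plain substring matching, as a rule term does, with real CIDR matching, so the edge cases of the substring approach are visible. The function names and sample subjects are constructed for illustration.

```python
import ipaddress
import re

# Dotted-quad candidates that are not part of a longer number or address.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def rule_terms(cidr):
    """Dotted prefixes, one per /24, to use as 'subject contains' terms."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError("this example only handles /16 through /24")
    terms = []
    for sub in net.subnets(new_prefix=24):
        # Keep the trailing dot so '10.251.25.' cannot match 10.251.250.x.
        terms.append(str(sub.network_address).rsplit(".", 1)[0] + ".")
    return terms


def substring_match(subject, terms):
    """What a plain text-contains rule does: any term anywhere in the subject."""
    return any(term in subject for term in terms)


def cidr_match(subject, cidr):
    """Stricter check: extract each IPv4 address and test subnet membership."""
    net = ipaddress.ip_network(cidr)
    for candidate in IPV4.findall(subject):
        try:
            if ipaddress.ip_address(candidate) in net:
                return True
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return False


if __name__ == "__main__":
    terms = rule_terms("10.251.24.0/23")
    # Constructed alert subjects, not real notices.
    for subject in ("Infected host 10.251.25.200",
                    "Infected host 10.251.250.7",
                    "Infected host 110.251.24.5"):
        print(subject, substring_match(subject, terms),
              cidr_match(subject, "10.251.24.0/23"))
```

A term without its trailing dot also matches 10.251.250.x through 10.251.259.x, and even a correct term matches a longer address that merely ends the same way; both only cause extra alerts to stay in the inbox, never missed ones.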

Mike Ryabin expressed concerns about UFIRTs not having the proper IP numbers or hostnames for the machine that triggered the issue. Wayne pointed out that quite often a host is no longer on the same IP or on the network when the ticket arrives, so doing an nslookup/nbtstat/ping is useless. The UFIRT notification system is not in real-time with the Network Intrusion Detection scanning; the latter creates logs that are later parsed by batch jobs that locate issues and then provide the notices. DNS changes often occur in between. Only searching the DHCP logs for the IP and timestamps will help you determine the hostname.
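The DHCP log search described above, as an added example that is not part of the meeting notes or any IFAS tool: given an alert's IP and timestamp, it replays lease events to find which host held the address at that moment. The log lines are constructed in the Windows DHCP Server audit-log column order, the hostnames and MACs are made up, and the 8-hour lease length is an assumption.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample in the Windows DHCP Server audit-log column order:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,04/02/12,08:01:12,Assign,10.251.24.57,LAB-PC01.example.edu,001122334401
11,04/02/12,12:01:15,Renew,10.251.24.57,LAB-PC01.example.edu,001122334401
12,04/02/12,17:30:40,Release,10.251.24.57,LAB-PC01.example.edu,001122334401
10,04/02/12,18:05:02,Assign,10.251.24.57,VISITOR-LT.example.edu,001122334402
10,04/02/12,18:06:00,Assign,10.251.25.9,OFFICE-PC7.example.edu,001122334403
"""

HOLD = {"10", "11"}  # event IDs: new lease, renewed lease
END = {"12"}         # event ID: lease released by the client


def parse_events(text):
    """Return (time, event_id, ip, host, mac) tuples, skipping header lines."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        when = datetime.strptime(row[1] + " " + row[2], "%m/%d/%y %H:%M:%S")
        events.append((when, row[0].strip(), row[4], row[5], row[6]))
    return sorted(events)


def holder_at(events, ip, alert_time, lease=timedelta(hours=8)):
    """Who held `ip` at `alert_time`? None if released or the lease lapsed."""
    current = None
    for when, event_id, event_ip, host, mac in events:
        if event_ip != ip or when > alert_time:
            continue
        if event_id in HOLD:
            current = {"host": host, "mac": mac, "last_seen": when}
        elif event_id in END:
            current = None
    if current and alert_time - current["last_seen"] > lease:
        return None  # no renewal within one assumed lease period: unknown
    return current


if __name__ == "__main__":
    log = parse_events(SAMPLE_LOG)
    print(holder_at(log, "10.251.24.57", datetime(2012, 4, 2, 13, 0)))
    print(holder_at(log, "10.251.24.57", datetime(2012, 4, 2, 18, 30)))
```

In the sample, the same address belongs to two different machines five hours apart, which is why a lookup made when the ticket arrives can name the wrong host.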

Kevin Hill had mentioned that it would be *real handy* if we had the ability to immediately create a non-routable DHCP reservation for those hosts we can’t identify. Wayne responded that they’ve discussed that internally before and he’ll bring it up again with the group. However, with MAC filtering in 2008R2 Wayne would prefer to just filter the host than tie up IPs with reservations. A non-routable reservation still allows the computer to communicate with hosts on the local subnet.

Wayne wanted to remind people to please mark tickets as contained or resolved as quickly as possible. Should you fix a problem but fail to do that, it reflects poorly on us via reports that are sent directly to the VP.

Results of GPO disabling for non-portable devices (previous discussion)

Updates not available...

WebDAV issue with Mac OS X Lion (previous discussion)

Updates not available...


The meeting was adjourned just a bit early at about 11:45.