IFAS COMPUTER COORDINATORS
NOTES FROM April 9th 2004 REGULAR MEETING
A regular meeting of the ICC was held on Friday, April 9th, 2004. The meeting was chaired and called to order by Dennis Brown, at 10:00 a.m. in the ICS Conference Room.
PRESENT: Nineteen members participated. Remote participants: David Ayers, David Bauldree, Marcus Cathey, Chris Fooshee, Tom Hintz, Steve Lasley and Joel Parlin. On-site participants: Mike Armstrong, Jenny Brewer, Dennis Brown, Dan Cromer, Marion Douglas, Kevin Hill, Chris Hughes, Dwight Jesseman, Jack Kramer, Winnie Lante, Mark Ross, and John Sawyer. More to be added once the sign-up sheet can be examined.
STREAMING AUDIO: part 1 and part 2.
Dennis Brown began by introducing Winnie Lante of the School of Forest Resources and Conservation and Marion Douglas of ICS and welcoming their participation in the ICC as new members.
Dennis briefly went over the notes from the recent ITPAC meeting, noting particularly that movement on AD has been funded and that making sure everyone has a Gatorlink account is a high priority within IFAS.
Kevin Hill briefly discussed the status of the AD project and particularly what had transpired at the ICC-AD meeting the day before. Kevin mentioned that we have $90,000 to spend on non-lease purchases before May 1st. WAN requirements for the VPN connection are being investigated. Departmental OU structures are under discussion. The timeline was worked on; among the county districts, the Northwest and the South districts are scheduled to be the first remote districts rolled out. The rest will be scheduled later, after more is determined about how this can best be handled. The development of an IFAS AD Charter document has been tasked to Jenny Brewer and Steve Lasley, who hope for good input from all on that. The main point of this document will be to provide formal details and methods of coordination between central IFAS IT and the various unit admins--including whatever safeguards and documentation units feel are necessary before they join this process. A presentation on AD will be made to the department heads as well as to the county extension directors. There is concern that the county offices need to be alerted to the need for housing servers in support of this project, and it is important that this word gets out so the rollout is well coordinated.
Jack Kramer mentioned that many computer-illiterate employees might benefit from a kiosk that provides a simpler interface for getting paystub info and for submitting timecards and leave. It was agreed that this would be doable. Dennis mentioned that many of these sorts of things have already been taken into consideration by those developing these procedures, and that he would look into it more and report back. Dan Cromer said that while each department is in charge of the methods it uses, many employees can continue to submit timecards on paper as they do now; someone within the department may be designated to enter this info online for them. See http://www.bridges.ufl.edu and particularly here for details. Dennis has made Omniforms versions of the old timecards, both one-per-page and otherwise, available for download.
John Sawyer discussed the status of the Patchlink implementation. The server has arrived, and John is making plans for setting it up and beginning testing with at least 2-3 sites on campus as well as a couple of remote sites. He is not yet ready for volunteers on that, however. John met some Patchlink employees at SANS 2004 in Orlando, and they seem very interested and eager to help with our rollout. John said that the HelpDesk would not be managing PatchLink and that support staff should call him about it in the future. John also said that our Patchlink license would be extended at no cost because of the problems we have had in rolling this out quickly. Patchlink supports WAN distribution points, answering a concern that remote sites may have about its use; it works much as ePO does in this regard.
As for SANS itself, John reported that he got a major data dump--much like drinking from a fire hose--and came back with a lot of ideas and plans he would like to implement. One of these is to document baseline security settings for machines per the Center for Internet Security's Benchmarks for the various operating systems; CIS also has automated tools to assist in this process. John wants to take UF's minimum security standards, adapt them to IFAS's needs, and then capture them in a security template (an .inf file) that can be used to test machines for compliance. NoCatAuth, developed by the Western Sonoma County Internet Cooperative, was used at SANS to provide simple wireless and wired Internet access. John intends to give the ICC temporary checkout access to the informational materials he acquired while at the conference.
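To make the .inf idea concrete, here is an added example (not from the meeting notes, and not John's actual template): an illustrative Windows security template in the format secedit understands, together with a secedit /analyze run that reports where a machine drifts from it without changing anything. PowerShell is only the wrapper; the two secedit commands can be typed into cmd just as well. The paths and every setting value are assumptions for illustration; the real IFAS template would carry the values adopted from the UF minimum standards and the CIS benchmark.

```powershell
# Added example (not from the meeting notes): write an illustrative security
# template and check the local machine against it with secedit /analyze.
# Paths and setting values below are assumptions chosen for illustration.
$TemplatePath = 'C:\Baseline\ifas-baseline.inf'   # assumed location
$DbPath       = 'C:\Baseline\ifas-baseline.sdb'   # analysis database secedit builds
$LogPath      = 'C:\Baseline\analyze.log'         # where mismatches are reported

New-Item -ItemType Directory -Path (Split-Path $TemplatePath) -Force | Out-Null

# Single-quoted here-string, so "$CHICAGO$" is written literally. Values are
# illustrative; [Registry Values] lines use the form path=type,value (4 = REG_DWORD).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
'@ | Set-Content -Path $TemplatePath -Encoding Unicode

# Import the template into a fresh database and compare the machine against it.
# /analyze changes nothing; /configure would be the step that applies the template.
Remove-Item $DbPath -ErrorAction SilentlyContinue
secedit /analyze /db $DbPath /cfg $TemplatePath /log $LogPath /quiet

# secedit records each non-compliant item in the log as "Mismatch - <setting>";
# surface only those lines so the support person sees what needs fixing.
Select-String -Path $LogPath -Pattern 'Mismatch' | ForEach-Object { $_.Line }
```

Run it from an administrative prompt on the machine being checked. Because the template is only analyzed, not applied, it is safe to try on a production box; once a unit agrees with the baseline, the same .inf can be applied with secedit /configure or imported into a Group Policy object under Active Directory.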
Jenny Brewer gave a brief status report on the new ePO implementation. She is still concerned with machines that are missing from ePO--particularly for those units not having an IT person. Jenny is waiting on an IMM to be published from the ITPAC recommendation on "Centrally-based software installations" before she feels free to add ePO agent push to ifasdom logon scripts. Jenny would accommodate opting out of that. Jenny showed the login scripts and described how they work.
Jenny reported that the anti-spam configuration appears to be working well: less than 1% of the roughly 20k messages blocked per day are retrieved. E-mails that got through but that you would have wanted blocked should be placed in the "spam" public folder in Outlook. Whitelist requests should be forwarded to the spam admin, email@example.com. Gatorlink is dropping active attachments now and will be using SpamAssassin before too long, but no details were known.
Jenny talked about the deal she wrangled with Mark Reisman to set up a minimum standard desktop (OptiPlex 170L) and laptop (Latitude D600) configuration for IFAS purchases. These low-end configurations are available on the Dell Premier site.
There was some discussion of the ERP machine requirements, indicating that 800MHz is not a hard minimum for running most things--so upgrading existing machines is an option in many cases, as well as purchasing new ones such as those Jenny has kindly spec'ed for us.
Jenny also encouraged people to try out the ICC SharePoint site. She has created security groups for the ICC to facilitate applying ACLs to future shares. This is not on a permanent server yet, so expect some up/down time.
Jack Kramer asked if SharePoint could be used as an IFAS solution to the e-mail attachment problem. Jenny indicated that she believed this was supported by Exchange 2003: only a link would be sent, and the actual attachments would be stored in SharePoint. That would be a good thing. SharePoint has a number of features that might help with information dissemination in the future.
Mike Armstrong had asked for a discussion on being better prepared for ITPAC when recommendations are being made. Mike thought that the privacy concerns raised by ITPAC could have been easily answered via either NTFS permissions or the Encrypting File System, and that this wasn't made clear at ITPAC. Jenny responded that NTFS permissions had indeed been mentioned. Mike's point, however, was that we didn't appear well organized and professional in our presentation. The last thing we want is for ITPAC to start wordsmithing our recommendations; that is a common tendency and can only be stopped through careful planning. (Personal note from Steve Lasley: In all fairness to Joe Hayden, he was doing me a favor by presenting our recommendations in my absence and should not feel too responsible for how things went. I regret that I could not have been there to help steer things in a better direction.) Mike thought we might even consider a mock-jury type of exercise to help prepare in the future. Better informing ITPAC ahead of time might also give us an opportunity to answer their questions prior to an actual meeting; Dan and Steve will try to improve that aspect in the future. Steve has sent such information to Ann and Jim Syvertsen in the past, but it was never relayed to the ITPAC members; we will try to see that this gets done in the future. Steve Lasley pointed out that the actual IMM is not written by ITPAC, so there remains a chance to address the privacy concerns without including the ambiguous wording change that was hastily made at ITPAC. If IFAS IT could develop a supported, well-documented encryption method, privacy concerns could be completely accommodated without limiting the administrative access that central IT needs in order to meet UF IT Policy requirements. It was generally felt that the end result wasn't as bad as the process that got the wording changed in the first place.
There was a brief discussion on requiring admin access for IT admins, as raised at ITPAC by Joe Hayden. The general consensus was that this is inherent in the right to centrally install software and that no explicit statement of it is needed. With Active Directory, such access will be enforceable, and any change made by an end user will soon be overwritten anyway.
In a discussion on managing users and machines--particularly those not belonging to IFAS--Chris Hughes pointed out that you can create a UFID for any entity, and that with a UFID you can create a Gatorlink account. Providing controlled access for all should thus be quite simple.
Dan Cromer re-iterated that ICCers should spread the word that everyone is going to absolutely need a Gatorlink account. You should also become very familiar with http://my.ifas.ufl.edu, http://www.bridges.ufl.edu, and http://my.ufl.edu.edu. You should go through the on-line training for doing your timecards, not just for your own use, but so you can help those within your department.
There was a discussion on POP3 support. Kevin Hill proposed keeping it unless a good business reason for halting it could be given. Winnie Lante has some well-informed users, including her chairman, who simply prefer POP3 and want to use it. E-mail backup was raised as a possible reason for dropping POP3, but it was pointed out that users of MAPI and IMAP clients also move e-mail to local folders to keep their accounts from filling up. (Personal note from Steve: POP3 is a protocol; it does not lose e-mail.) There are client-side anti-spam applications that work with POP3 but not IMAP. Client-side filters/rules in Eudora and Outlook Express require POP3 to function and won't work under IMAP. The "one less thing to support" argument was also given. Authentication security for POP3 and IMAP is perhaps a more important issue than dropping POP3 per se. Dan Cromer asked for a vote on whether POP3 would be continued but HelpDesk support for it dropped. No real consensus was reached on all this. Continued discussion via the ICC-L is encouraged.
Jennifer Van Doren, Extension Administration, maintains a page of Extension office addresses and phone numbers. It is updated each month with information from the District Directors' office. Jennifer's page is at http://extadmin.ifas.ufl.edu/Extlinks.htm. The problem of getting good information about IFAS and IFAS IT onto the official websites was discussed. Much of this is a non-technological problem, but IFAS could use a person whose job it was to coordinate the updating of such information--a person who would build a contact network providing a better flow of accurate information from our widely distributed facilities, and who would enter and organize it for dissemination via the web. This function would include rallying the liaison troops to keep the IFAS Directory information up to date. Leaving this to all the end nodes without coordination is a sure recipe for failure.
Dwight gave a quick overview of the changes he had made to webmail, removing support for non-secure (non-SSL) logon. This was done because pop-up blockers were interfering with the unsecured method, although the security reasons naturally support this move as well. He asked support staff whether this had caused problems for any of their users, but none were reported. Macintosh clients will work with this. You can install the certificate, but because it is not issued by an authority the browser already trusts, you still have to click a box each time a new window comes up to agree to go through the secured connection. Sessions can be kept open 2 hours before one must re-authenticate. Chris Hughes recommended purchasing a certificate from a recognized authority, at about $100/year/site, to make this process go more smoothly. This will be recommended to Chris Leopold.
John has some cheatsheets on command syntax for built-in tools that he got at SANS and which he plans to publish for our information.
The meeting adjourned a bit after noon.