

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM June 10th 2011 REGULAR MEETING


A meeting of the ICC was held on Friday, June 10th, 2011 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Fifteen members participated.
 
Remote participants: David Bauldree, Bill Black, Dan Cromer, Kamin Miller, Marvin Newman, Mitch Thompson, and John Wells.
 
On-site participants: Dennis Brown, Andrew Carey, Francis Ferguson, Winnie Lante, Steve Lasley, Chris Leopold, James Moore, and Santos Soler.
 

STREAMING AUDIO: available here


NOTES:

Remote connection issues...

There was some confusion in connecting via streaming for which Steve apologizes. Conference IDs of 7831XXX are on the first bridge at http://128.227.156.82:7734 and conference IDs of 7832XXX are on the second bridge at http://128.227.156.83:7734. The ICC Meetings page had the correct link but his emailed instructions did not. That will be corrected next time. There were also some reports of difficulties connecting via OCS. Please note that entering confID@vcs.video.ufl.edu into the OC contacts search field at the top, "7832000@vcs.video.ufl.edu" for example, seems to work sometimes when the "+ Video Portal 1" route does not. Again, please check the ICC Meetings page for the most up-to-date instructions.

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve noted that Javier Real is moving to Microbiology and Cell Science and Catherine Karow is taking over at Plant Pathology, which has a new Chair. Catherine worked part-time with Javier for a while but began full-time duties yesterday while Javier started at Microbiology Monday.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling (previous discussion)

Updates not available...

MOVI (previous discussion)

Steve mentioned that he had tried MOVI and it seems to work well. He is not sure why he would use MOVI over PVX other than the fact that PVX is apparently no longer supported and does not seem to work with some of the newer processors. Another reason might be that there is a Mac version of the software. Steve mentioned that Mike Ryabin reported that MOVI needed video drivers which included OpenGL. One of the systems he tried to install it on failed as a result; on another system he was able to upgrade the video drivers and get it to work. Steve added that the video quality with MOVI seemed excellent.

Lync deployment (previous discussion)

Dan Cromer said that there hasn't been any more movement because there hasn't been any pressure from Tim Fitzpatrick, John Madey, or Elias Eldayrie. The fact that the Cisco solution (CUPC) is not yet available out of beta apparently may be part of the slow-up as well; CNS wants to compare that to Lync as it prefers a Cisco solution. Basically, Dan says he needs to bug John Madey to get some movement going. Exchange 2010 migration has been put ahead of Lync production deployment in any case; Lync is a planned service, however, and that is not in question. What IS in question are the SIP trunks to support phone numbers for calling into a Lync conference. Dan is fairly confident we will get at least some of those, though CNS does not want to support two phone systems and is arguing against doing that universally. Dan continues to argue that Lync seems to make more sense on a cost basis but he has yet to get a satisfactory response on the issue.

Dan mentioned that he has replaced his office POTS phone with a softphone (Cisco IP Communicator).

WAN transition to CNS (previous discussion)

Updates from James Moore

James reported that he is still working through the CEO upgrades. John Wells will be travelling to Marianna soon to assess some of the areas which A. D. Walker had been handling. James is continuing to have difficulty stopping billing on an old circuit no longer used at Ft. Pierce; personnel changes at DMS have apparently hindered James's efforts.

The circuit at Immokalee has been upgraded to a 20Mbps connection and the testing/initial problem correction is finally done. They are pulled into the same port in Tampa as Lake Alfred, Plant City, and Balm. When more bandwidth becomes necessary we won't have to pay for any more cross-connects, etc. All that will be needed is to turn up the bandwidth. These are all on a 1Gbps Ethernet interface on the upstream-side.

While Immokalee is at 20Mbps, most of the sites are at 10Mbps burstable to 100Mbps. Lake Alfred has a straight 100Mbps from Brighthouse, however. When Steve asked what 100Mbps burstable really meant, James responded that with AT&T this meant that you could pretty much go up to that rate whenever needed. James said it is very rare, however, for these connections to approach 10 Mbps unless videoconferences or replication are ongoing.

James is shipping out the router for Belle Glade on Monday; they will have a 10Mbps connection. It took a long time to get the fiber run out there but that is done and James has the IP info and is ready to go.

James is preparing next year's budget with a target of mid-July for having that finalized. Homestead is number one on his list and he will be looking at Ft. Pierce and Quincy as well for getting the LAN replacement installed. Currently they need to get the details of port counts, physical paths, terminations, etc. in order to plan for that.

Quincy is on a deadline for getting some sort of a better circuit to support VoIP. Come December 1st, their current phone system will no longer be supported by their carrier. Chris Leopold asked if changes were planned for the phone system at Marianna. James responded that they were happy with that phone system and planned to keep it for the time being. They did have a brief QoS issue due to an update that caused a loss of compression on the voice traffic, but that has been resolved.

James is getting together details of a potential phone upgrade for Immokalee. Both Immokalee and Quincy have primarily POTS lines, so moving to VoIP could provide considerable on-going cost savings for those two sites. Apopka and Homestead are investigating this as well.

James mentioned that wireless is the other big issue. He is trying to figure out budgeting; Dan Cromer is having conversations with Joe Joyce to figure out how many extra funds might be allocated for wireless rollout this coming year, as James's budget is primarily going to three REC upgrades.

Steve asked when James thought we would get to the point where CNS was replacing things that they had put in--a refresh in other words. James said that they had promised a very conservative nine-year refresh originally, but he thinks this has come down considerably--though he could not predict exactly when we would get to that point.

Chris Leopold asked whether the acquisition of Foundry by Brocade might lead CNS to be more willing to talk about other vendors' switches. James believes that CEOs and non-PoE environments (Vero Beach, Ona, etc.) can stay on Brocade. CNS wants to stay with Cisco where VoIP and PoE are needed, however. Brocade was deployed at Belle Glade and what was deployed will remain there, but James does not envision deploying any more Brocade at RECs. James said that Cisco and HP are probably the two vendors they would consider for RECs; he said he certainly has no bias against HP. Chris was happy to hear that James would consider HP as Chris realizes that the cost savings over Cisco could be considerable. That said, Dan Miller is not willing to go on record as supporting HP over Cisco, so only time will tell.

Chris asked James for help in upgrading a good number of small non-wallplate locations on campus and James thought that returns from wallplate installations might help out there as he doesn't believe CNS is trading those in to Cisco any longer and they should be available. Chris hopes to get those standardized on HP 2600 series so he can use SSH rather than Telnet for remote access.

Allan Burrage apparently couldn't make it for this meeting, but Steve asked Andrew Carey for an update on how Lake Alfred's move to UFAD was coming. Andrew responded that network-wise things were pretty much complete, but they have been having some VoIP issues that are still being addressed. Andrew has been working with Scott Owens and Allan on the mail migration. Andrew got involved due to the need for PowerShell scripting with that. Getting Exchange accounts moved over was deemed high priority because Allan was very concerned about the health of their local Exchange Server. The Entourage users were moved first and that seemed to take a good bit of strain off that server. Andrew's plan is to move 120 mailboxes this week and another 120 next, with the remainder following that. Mail migration should be complete by the end of June.

Steve asked if they were logging into UFAD yet and Andrew responded that this is on hold until the Exchange migration is completed. They have deployed an SCCM distribution point and Allan is working on his plan for OS deployment. Allan envisions re-building machines on Windows 7 with Office 2010 and joining those to UFAD rather than simply migrating machines; it is believed that process will be intensive but overall more trouble free and will provide a perceived benefit for the users in this major transition.


Policy


myUFL changes on May 10th: effects on end-users (previous discussion)

Updates not available...

New Secunia site license (previous discussion)

Yesterday, Joe Gasper gave a presentation on "Secunia at UF" at the SCCM Support Group Meeting (a recording is available at least for a while). Prior to that meeting he provided links to screenshots of the Secunia GUI interface and videos on patching and how to connect Secunia to WSUS/SCCM.

Andrew Carey gave a brief synopsis of that, saying Joe originally expected to be farther along when he first agreed to present. Unfortunately, he had only received the software about a week prior and was not able to prepare a demo in that brief period. The plan is to provide the reporting portion centrally, while the actual patch distribution will be handled through existing WSUS servers in the various units. As far as Andrew can tell, it is mostly done through GPO; you basically apply a GPO which allows Secunia to inject the patches that you select into your WSUS server for distribution. The clients would pull those down from there--just as they currently do with Microsoft patches.

Steve asked if there were any issues Andrew saw that would make it difficult to incorporate our WSUS with this. Andrew did not believe so because Joe operates under a very similar setup to what IFAS uses and he seems quite confident.

Andrew cautioned that it appears updates must still be packaged for each application--they don't come directly down from Secunia and it is not like you just click a checkbox and are ready to go. Andrew believes a lot of that work will have to be done by each WSUS admin, though cooperative interaction should make that process easier overall. Steve noted that he has seen ongoing discussion of issues on the Patch Management list regarding difficulties with patching various things via SCCM (Flash and JRE being prime topics). Clearly, this will not be a "magic bullet" for third party patching, but the reporting alone will be of great value and it is assumed that most of the patch issues can eventually be resolved via cooperation among the various WSUS admins' efforts.

The question arose at the SCCM meeting about why Joe's group was heading this effort rather than CNS. The answer was that Joe's group is really just running the reporting server and everything else happens at the unit level.

Steve asked about the use of Secunia Personal Software Inspector (PSI) on non-domain joined machines. That was apparently part of the licensing as well. Andrew responded that UF will get its own "cloud space" for that so we will be able to get reports on such installs as well. Once Joe is ready he should provide more details on how to get the software for that. Andrew suspects Joe is planning on a real demo of all this by next month's SCCM meeting.

Andrew pointed out that Shawn Lander has been using Secunia as a patching solution at Engineering for some time now, so UF does have local expertise on this already--which is always a good sign.

Dennis Brown asked about how the reporting would be handled. Andrew responded that each OU Admin should have access to the central reporting server console with the permissioning being such that they can see only their own systems. This would allow distributed access to all the accumulated information about which machines are vulnerable, etc. for a particular unit. This system is agent based, so a Secunia agent will be installed on each managed machine (and Chris Leopold will have another programming job for his IPCC application).

Dennis also asked about the presentation by 1E. Andrew responded that this company has a number of products that are basically focused on energy savings by allowing centralized control over computer power states -- with Wake on LAN and managed sleep. Since individual departments currently would not see the cost savings it was suggested that this would have to be considered centrally in order to really take off. Alternatively, smaller units might decide to do this on their own because the costs would not be too great and there is at least one unit on campus already using this--the Provost's Office. Something the size of IFAS, however, is another animal entirely. The products were interesting, however, and there are clearly a number of very good solutions out there IF they could be paid for.

Update on domain policy and redirect duration (previous discussion)

Steve noted that there will be another ITPAC meeting later this month on June 20th. He still hasn't heard from Wendy Williams on how her committee is progressing on this issue. Ultimately, it is not really an IT decision though it would definitely help with management and consolidation if we could stick to the original policy decision. Steve noted once again that his department consolidated nearly four dozen web sites according to this policy without incident and he feels the concerns over maintaining individual domain references longer than one year are greatly exaggerated. Santos Soler said that he believes they will stick with the current policy but entertain exceptions in individual cases as warranted by the situation.

CNS working to implement NAC for UF wireless (previous discussion)

Andrew mentioned that the requirements of many units for access to WSUS, SCCM, ePO or other patch management systems through the NAC has held this up indefinitely. Andrew also mentioned hearing that Elias wants to unify the solution across campus rather than having three different solutions depending on which building you were in. Currently Housing and HSC have much more sophisticated solutions, however, and UF as a whole may not be able to afford what those units already have in place.

UF Exchange Project updates (previous discussion)

Exchange 2010 migration status

The ICCers have moved over now without any real issues. Dan Cromer reported that the next step is to get the BlackBerry users moved over because they need to move to a newer BlackBerry server at the same time for those systems to continue to work together. Dan has sent out emails to past BlackBerry users (149 users at $23/yr) and is trying to determine how many of those are still active on that platform; he doesn't want to pay for those who no longer need a license. As of noon on Monday he is going to turn off the accounts for those who have not responded and then at 10AM on Tuesday he plans to give the list of BlackBerry users to Luis Molina who can migrate those to Exchange 2010 at his convenience. Meanwhile, either Dan Christophy or Matt Wilson will move the BlackBerrys to the new BES.

Once that is all done we will begin to move the rest of the IFAS accounts over. Luis wanted to do that by mail store; there are six of those. Dan plans to send us the lists of who is expected to be moved when so we are aware.

This migration should be transparent for the most part. The only people really affected will be those with mobile devices or using Entourage. The server specified will have to be changed back from "legacy.mail.ufl.edu" to "mail.ufl.edu". In some cases that will not work; the next hostname to try in those cases would be "outlook.mail.ufl.edu". The plan is to get this all done before the end of June.

Winnie Lante asked if we could get the documentation updated to help with this transition; when someone is in a panic and she can't get to them, that is where she generally sends them. On looking, it appears that the documentation does provide some of these details currently, though not in every instance. Dan Cromer noted that Fran McDonell has retired from her position of running the UF Computing Help Desk and has been replaced by Ayola Singh-Kreitz. Dan said he would ask her or Kiem Tran if we could get these all updated for Exchange 2010.

Proofpoint configuration options changed

Updates not available...

Centralized FAX service via Exchange (previous discussion)

Steve remembered seeing something about this in the notes from a Shared Infrastructure committee meeting. Andrew later pointed us to those. Apparently CLAS is doing a pilot targeted for late summer under the supervision of Scot Matusz. Dan Cromer said that this is indeed a planned service which has been approved by Governance. Dan suspects this is awaiting the new fiscal year for purchasing hardware.

Sakai e-Learning System now in production (previous discussion)

Updates not available...

IT survey is coming (previous discussion)

We will keep this topic on our agendas until some resolution occurs.

Alternate IFAS domains in e-mail

Updates not available...

Electronic Copy - Print Output Cost Reduction program (previous discussion)

Updates not available...

myuf Market (previous discussion)

Steve wants to keep this on our agendas in case discussion seems warranted.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


Projects


New web cluster

Santos mentioned that we are awaiting the new virtual server hardware prior to implementing the new web cluster. In the meantime, however, he had numerous topics related to the web server which he wished to discuss...

Urchin 7

Santos reported that he has created a test installation of Urchin 7. It is going to require a great deal of manual configuration because of the move to the new virtual server cluster, however. He currently has about seven testing sites available for a number of individuals who are looking at the various features available.

Steve mentioned that one of the reasons provided at ITPAC for not wanting to consolidate was that Urchin did not provide the same level of statistics for sub-folders as it did for sites (and Dave Palmer felt Urchin was insufficient overall). Steve asked Santos if he felt the new version would address some of those concerns. Santos said that he hoped further evaluation would prove that to be the case. This version is a bit slower than the current version, but it definitely provides more information.

PHP + MSSQL

Santos mentioned that a new version of PHP has been released which will require people to update their MSSQL database references in code on various web pages. Steve asked which departments used this extensively and Santos replied that IFAS Research (i.e., Brian Gray) was the heaviest user of PHP. Santos said he would be contacting those affected individually to get those fixes in place.

Front Page Extension forms

Santos reiterated that FPE is going away. It is not enough that such pages aren't in active use; rather, he wants to get all references out of the code so he can ensure a smooth transition to the new server.

Media, Flash and Video files

We have two media servers, one of which is used for WMA and WMV. These include things like the ICC audio recordings and the Accordent captures. As mentioned previously, Santos also wants to get such files off the web server and moved to the media servers. We have another server for Flash, mpeg, mp3, mp4, etc. Santos asks that people locate such files on our web sites and arrange with him to move those. Winnie Lante has already addressed this for her unit; apparently, they had a great deal of those. This is important because Santos does not intend to copy any such files to the new web server.

Password protection for non-gatorlink access

Santos plans to implement this via service accounts. Those service accounts can then be added to security groups which are permissioned for access at the folder level (i.e., Anonymous user denied access and security group provided read or modify access as appropriate). The credentials of the service account can then be distributed to those requiring access.

MPS/DC refresh

The email migration for Lake Alfred has kept Andrew busy the last couple of weeks and that will continue for a couple more. All the components have arrived for the expanded MPS servers being deployed at six RECs as discussed last time. Those are being built and hopefully will ship out soon. Andrew will continue to provide priority to failing MPS servers as needed throughout our other sites; please email him about any problem machines and he will get to them just as quickly as possible.

New SQL cluster

Updates not available...

New virtual infrastructure being planned and spec'ed out

Chris Leopold mentioned that the infrastructure equipment is on order based on two Cisco Nexus 6548s to provide 10Gbps connections. We are getting ten R710s each with 192GB of RAM. We are also getting two EMC VNX SANs; one for VDI and one for file storage. Hardware should begin arriving in 4-6 weeks after which they will start racking and getting busy. Setup and testing will take a number of weeks prior to beginning the transition. The file server will be the last thing moved because we are awaiting the availability of Windows Storage Server R2 (possibly August). This will support a number of nice features including single-instance storage. Chris mentioned that we do have one hard deadline in that we must be off our old EMC SAN by December because it is going to be traded in.

IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Updates as available...

Steve had discussed his recent success with using MDT 2010 for OS deployment back at our May meeting. He reported having built new OptiPlex 990 SFF boxes and Latitude E6420 machines with this setup and that all the drivers worked first time; Steve was very pleased. Basically, it now takes Steve just a very few minutes of work (and maybe 30-40 minutes actual time) to go from bare metal to a fully patched Win7 machine (either x86 or x64) with Office (either 2007 or 2010), joined to the domain and with the latest Flash, JRE, IrfanView, McAfee agent and VirusScan. Steve can't recommend this highly enough and would be glad to help anyone wanting to investigate this for their own use.

Andrew Carey initiated a brief discussion on the new Dell bundles. Winnie Lante seemed to like the SFF machine due to space savings (can fit under the monitor and stay off the floor) and lack of expansion needs for most of her users. Steve and others mentioned, however, preferring the mini-towers feeling they would have fewer overheating and power supply problems plus could be more readily upgraded and repaired once warranties expired. Current discussion on the CCC list seemed to agree.

Steve did caution those who might not be aware that the OptiPlex 990 SFF machines do not have a parallel port; this might necessitate a printer upgrade in some instances. Steve tried a USB-to-parallel cable adapter on one machine without success--though this might work for others.

Steve mentioned that these Dell standard configurations were the result of a committee run by Elwood Aust; Joe Gasper was on that committee. While Steve mentioned it would be nice to have both a mini-tower and a SFF version available, Andrew responded that the issue is that the fewer bundles we standardize on, the better the price Dell will provide.

Dennis Brown asked for feedback on the responsiveness of the Dell 4-hour service contract. The ITSA guys said that the response is excellent, though they cautioned that the four hours doesn't start until the problem is diagnosed and the part dispatched. Those generally come from Jacksonville and replacements can be onsite in as little as two hours in some cases. If you need it, this is well worth the cost.

UF SCCM Support Group

See the above section on Secunia

Exit processes, NMB and permission removal (prior discussion)

Updates not available...

Re-enabling the Windows firewall (prior discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (prior discussion)

Updates not available...


Operations


Print server (previous discussion)

Scanner folder

Santos Soler noted that departmental copy machines are currently scanning to a folder on the print server. He mentioned that some folks are better than others at cleaning out this folder. He proposed a script that would clean out those folders each Sunday evening. Chris Leopold pointed out that the VP's office are heavy users of that and Chris doesn't have a problem keeping things for, say, a month. Santos said that he would contact them personally to get their feedback before proceeding.

Recording lectures for Distance Education (previous discussion)

Protected access for captured lectures

Steve would like to address this issue once Santos is available for discussion.

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations. Dennis Brown mentioned having used the site successfully and Steve added that he had utilized it just yesterday. Santos prefers that we use this rather than e-mail him separately.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

IFAS efforts toward Green IT (previous discussion)

Updates not available...

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (prior discussion)

See VPN discussion below...

Moving away from the IFAS VPN service (previous discussion)

Steve mentioned that he has been trying to evaluate Net-Services VPN services in order to determine whether he believes they are a suitable replacement for the IFAS VPN. Steve believes that the L2TP VPN is on-par with the IFAS VPN in terms of ease of use and he likes that it does not require any installation--rather it simply involves configuring Windows itself. Steve had noted last meeting that the L2TP instructions are incomplete and do not cover configuring Windows 7 clients.

Steve had asked Dan Miller whether or not it might be possible to get those instructions updated, but that led to an interesting exchange. Dan Miller provided the Net-Services perspective on the direction of their VPN services, showing great preference for the AnyConnect client, as follows:

CNS introduced L2TP support a few years ago to handle "major" clients which were not supported by our primary Cisco IPsec client (primarily 64 bit OSes). Cisco has since released an SSL based client which provides all the features and functionality of both the IPsec and L2TP clients and supports a wide variety of operating systems, including 64 bit OSes. It is also far more secure and easy to troubleshoot than the L2TP client. It is fairly lightweight and supports "auto-update" so it imposes a very small burden on the user. Once you install the client for the first time, you are always guaranteed to have the latest supported version.

L2TP has become a support issue for CNS for several reasons:

  1. The MS client (as well as others) are not well maintained by the vendors. Typically you only see updates to the client as a part of major service packs which are few and far between. Every major version of the client has also had issues, some of which have caused instability in our concentrators.
  2. The client is very difficult to troubleshoot due to a lack of sufficient logging on the client side. Furthermore, it's difficult to repair as there is no method to "reinstall" it on Microsoft or Apple platforms.
  3. The L2TP client uses a simple shared secret in our implementation. There is no further man in the middle protection, so there is a non-trivial risk of a man in the middle type attack. The client supports no hybrid certificate based methods where the concentrator provides a certificate to verify itself to the client. All certificate methods require symmetric certificates which would be a huge issue to support. Both the Anyconnect and IPsec clients support a hybrid certificate based authentication.

Moving forward, it is our intention to only maintain the L2TP features for those major platforms that have no other VPN capability. Examples of this would be the Android smartphone. All other platforms with available Anyconnect clients should use that client. As a result, we will be adjusting our website to reflect this policy and maintaining l2tp docs only for platforms which have no anyconnect support. This does not mean we will be turning off the L2TP support for any platform in particular, but we will not be actively supporting it, and if there are significant service affecting issues (for instance a new version of the L2TP client on Windows causes crashing on the concentrators) we might have to restrict access to the platform until the bug is resolved. In addition, we will be slowly ending support for the classic Cisco IPsec client in favor of the newer Anyconnect client.

Steve has since learned that AnyConnect does not authenticate to the domain in as integrated a fashion and hence would require considerably more work, set-up and end-user support than either the IFAS VPN or L2TP. Consequently, if CNS wants to discourage use of the L2TP solution, then for ease of use/support Steve's recommendation would be for IFAS to consider keeping VPN in-house at this time (while moving it to private IP).

Dan Miller made clear his intention to push for AnyConnect via Governance, but Dan Cromer wanted further investigation of the security concerns which Net-Services had raised for L2TP; Dan was of the opinion that L2TP might provide adequate security for most situations--particularly when restricted data was not involved.

Steve said that another option, besides choosing between L2TP and AnyConnect, which he had mentioned to Dan Miller is that OSG could easily provide the same VPN service we do in IFAS, but for all UF. Chris Leopold said he believes there are better choices and much prefers pushing for DirectAccess as a forward-looking service that would provide great benefit to our users and support staff as well. The problem is that net-services seems to develop solutions without open discussion; there seems no good way to push for alternate solutions that might better suit the vast majority of our users. Additionally, though OSG and net-services are both under CNS, those two groups don't seem to have much interaction either. This is concerning because even if we convinced OSG to support a Microsoft solution it is not clear that they wouldn't be seen by network-services as competition rather than as a cooperative alternative with valid justifications.

Chris Leopold said it would be nice to be able to bring DirectAccess into the discussion at some point and Steve agreed that getting any alternative to AnyConnect on the table would be a good thing; there is currently very little opportunity to promote alternative solutions. Network-services seems to have decided on AnyConnect without broad discussion and Steve would like to figure out how to get them to focus more on user needs rather than developing a solution that fits with their vendor choice of what they can support. Steve just doesn't know how to be effective in pushing for things like DirectAccess within the current climate.

Dan Cromer mentioned that we have lost the ITAC-NI which was the place where this should have been discussed. Dan said he believes there is a culture that we need to continue to fight against wherein CNS makes decisions on the best technology for everyone without broader consultation and open discussion. They consider themselves to be networking experts, and they are; however, their service-oriented perspective often excludes consideration of valid user-oriented concerns and opportunities.

Dan provided one other example of this culture/mind-set that was supported by Elias's predecessor, Chuck Frazier. Mike Conlon's crew was planning the hardware for the Exchange Server implementation when Dr. Frazier said that this should not be their concern; rather CNS should provide those services and Conlon should just pay for it. Consequently, CNS spec'ed out different hardware that turned out to be unnecessarily costly and did not address the real needs. Dan feels Elias strongly backs transparency and if we continue to push we can eventually change the culture to something more productive and responsive to all.

Steve is a bit concerned that the Shared Infrastructure Advisory Committee is chaired by the head of the very group they would, for the most part, be advising. Steve asked Dan if he felt the committee's membership consisted of individuals who would strongly promote alternate views. Dan responded that he believed Scot Matusz, Eric Olson, and Charles Benjamin would all be strong advocates for alternative solutions and would support a push for greater transparency in some of these decisions.

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (prior discussion)

Updates not available...

Computer compliance tool in production (previous discussion)

Steve complimented Chris on his latest version as it solved all of his issues of not responding to logoff events and interfering with the running of certain legacy programs. Chris offered that he would be glad to incorporate it if anyone wished to develop a better system tray icon for the IPCC program.

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
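
One way to keep the records described above, as an added example that is not part of these notes, of Andrew Carey's plan, or of Wayne's Power Tools. It assumes the RSAT ActiveDirectory module; the OU path and ledger file location are placeholders. A ledger is used because AD has no dedicated attribute for the date an account was disabled.

```powershell
# Added example: ledger-based cleanup of long-disabled computer objects.
# Assumptions (not from the meeting notes): the OU path, the ledger file
# location, and use of the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=ExampleUnit,DC=example,DC=edu'        # placeholder OU
$LedgerPath = 'C:\AdminRecords\disabled-computers.csv'  # placeholder path
$MaxDays    = 90
$Today      = (Get-Date).Date

# Load the existing ledger, keyed by ObjectGUID so that renaming or moving
# a computer object does not reset its clock.
$ledger = @{}
if (Test-Path $LedgerPath) {
    foreach ($row in Import-Csv $LedgerPath) {
        $ledger[$row.ObjectGUID] = [datetime]$row.FirstSeenDisabled
    }
}

# Every currently disabled computer object in the OU. Objects that were
# re-enabled or deleted since the last run simply drop out of the ledger.
$disabled = Get-ADComputer -Filter 'Enabled -eq $false' `
    -SearchBase $SearchBase -Properties PasswordLastSet

$records = @(foreach ($c in $disabled) {
    $guid  = $c.ObjectGUID.ToString()
    # Keep the earlier date if this object was already on record.
    $first = if ($ledger.ContainsKey($guid)) { $ledger[$guid] } else { $Today }
    [pscustomobject]@{
        ObjectGUID        = $guid
        Name              = $c.Name
        PasswordLastSet   = $c.PasswordLastSet
        FirstSeenDisabled = $first.ToString('yyyy-MM-dd')
        DaysDisabled      = ($Today - $first).Days
    }
})

# Save the updated ledger, then list what has been disabled long enough.
$records | Export-Csv $LedgerPath -NoTypeInformation
$expired = @($records | Where-Object { $_.DaysDisabled -ge $MaxDays })
$expired | Format-Table Name, PasswordLastSet, FirstSeenDisabled, DaysDisabled

foreach ($r in $expired) {
    # -WhatIf only reports what would be deleted; remove it after review.
    Remove-ADComputer -Identity $r.ObjectGUID -WhatIf
}
```

The 90-day count starts at the first run that sees an object disabled, so run it on a regular schedule.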

Core Services status (previous discussion)

See the new virtual infrastructure section above...

ePO updates

Updates not available...

Status of SharePoint services (prior discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...

Microsoft

The June Microsoft patches included sixteen bulletins (nine "Critical" and seven "Important") covering vulnerabilities for Microsoft Office, Windows, and associated applications.

McAfee provides podcasts on the highlights of each month's offerings and another podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".

Adobe

A new 10.3.181.23 version of Flash Player 10 ActiveX was released last week to address some security and performance issues.

The quarterly security updates for Adobe Reader and Acrobat will be out next Tuesday.

Oracle

Oracle released a critical patch update for JRE on Tuesday.

MS Office News update

Updates not available...

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status (previous discussion)

Updates not available...


Other Topics

Usage of the UF IT Alerts Dashboard page by IFAS

Updates not available...

RODC issues at remote sites (prior discussion)

Updates not available...

UAC settings egregious for users?

Updates not available...

PDF-Xchange (prior discussion)

Updates not available...


The meeting was adjourned a bit early at about 11:45 AM.