

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM June 11th 2010 REGULAR MEETING


A meeting of the ICC was held on Friday, June 11th, 2010 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Thirteen members participated.
 
Remote participants: David Bauldree, Bill Black, Andrew Carey, Dan Cromer, Kevin Hill, Kamin Miller, Marvin Newman, Louise Ryan, and Wendy Williams.
 
On-site participants: Micah Bolen, Dennis Brown, Steve Lasley, and James Moore.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve had no new announcements of people coming or going.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling

We are still awaiting details about the reported plan to provide some subset of individuals access to schedule their own videoconferences on TMS.

Office Communicator infrastructure status (previous discussion)

Although it wasn't expected, Patrick Pettus was able to get the OCS connection to the gateway working in time for the meeting. Dan Cromer sent out the following message on this a bit prior to the meeting:

Message to the ICC-L from Dan Cromer:
"RE: ICC meeting 10AM tomorrow *at ICS*" Fri 6/11/2010 9:22 AM


Good news.

The bridge has now been set up to use Office Communicator. You'll need to add the AT-CDMCU-2 (may as well as AT-CDMCU-1 at the same time) to your contacts, then you start a video conference to that contact, and use your "dial pad" to select conference 2030. I'll document more about using the production bridges later. Basically, you'll need to find out the conference ID. The prefix is always 783. The fourth digit is 1 or 2, telling you which bridge the conference is on, and the one you need to connect to. The new conference ID for ICC is 7832030, so for the next 12 months is scheduled there on bridge #2. Use the last four digits as the OCS conference ID to connect to any production video conference now.

THANKS PATRICK!

Dan

Apparently, things are now set up so that we will no longer have to schedule a particular videoconference to be available via OC; rather, one can add a contact in OC for each of the two bridges and call the appropriate one to join an ongoing bridged conference via the conference ID.

Dan mentioned that some final configuration of OCS is awaiting Dwight Jesseman's return from TechEd. For example, we need to get connection from off-campus working again without a VPN.

New VC gateway status (previous discussion)

Dan also commented on the need to create user objects for each of the H.323 (Polycom) end-points so anybody with an OC client could call an end-point directly. The details of that are yet to be worked out. Admins will likely create those objects in their own OUs, but we need to agree on a naming convention, etc. Such SIP-enabled accounts would then be entered into the gateway. One potential problem will be the lack of feedback for OC users on whether the room in which an end-point appears free is actually being used for some other purpose. Meetings could be subject to interruption, for example.

Dan wanted to be clear that OC can now be installed on any faculty or staff machine as the licensing has been covered centrally.

Micah Bolen asked if it was possible to put OC on individuals' personal computers. Steve said that it was, but that it required installing a certificate. Dan Cromer has written up some excellent instructions on this on the IT Wiki.

Micah also asked about a client for the Macintosh. That is available along with all the Windows components at \\ufad-file.ad.ufl.edu\data\ufdi\public\OC. It does require a VPN and it will not work with LiveMeeting.

Recording lectures for Distance Education (previous discussion)

Equipment is being deployed and many locations have at least had the hardware delivered and hooked up to their Polycom system. There are many details still awaiting resolution, however.

This system will store the overall look and feel of a recorded session on the web server (the HTML, etc.). That will then link to the media server for the stored video. Presentation content is stored on the web server as a series of JPEGs. Consequently, the permissions to be used for connecting to these resources for uploading need to be carefully considered. Most unit IT staff hope that instructors can handle the recording themselves as we do not have the time/resources to do that for them. Ron Thomas uses a service account, but his Accordent device is in a separate room; that likely wouldn't work for most locations as it would be difficult to assign responsibility to an individual. Steve isn't sure what the answer will be.

Dan said that he has talked to Dr. Rieger and Dr. White about units not having the staff to run these Accordent devices. He doesn't know what will be done about that, but he has certainly raised the concern on our behalf. Steve thanked Dan for that and reminded folks that Dan was blind-sided by this just like the rest of us. Even Wendy Williams, Director of IT for CALS, heard nothing of this before department chairs were notified by the Deans.

Micah pointed out that Academic Technology has already solved this problem using Mediasite. It would appear that IFAS may be re-inventing this particular wheel in a most awkward fashion. Micah was under the impression that there is some management component for the Accordent which was purchased as part of this, but no details were available. Santos Soler indicated to Steve after the meeting that Remote Desktop does not work with these systems apparently and he had heard some mention of using VNC for management.

Marvin Newman mentioned his concerns over not having the time to run these systems on top of whatever else he does. He asked whether there will be instruction in the use of the equipment and Steve responded that he heard that instruction was a planned component though he had no details.

Steve wondered what we could do to get the powers that be to consult with IT on such projects before going blindly ahead. Wendy Williams said that she will be meeting with Dr. Barrick to see what she can find out about the story behind Accordent and to pass along some info about trying to include the ICC or ITPAC.

Issues with Articulate software provided by the Dean

Steve noted that he had placed a copy of Articulate which had been provided by the Dean's office onto a departmental laptop so folks could try that out. Steve immediately ran into issues which he reported to Ron Thomas via e-mail on April 14th:

Hi Ron,

It might be worth mentioning (to the IT community) that Articulate's activation process appears to be per user as well as per computer--at least that's what I seemed to experience. I installed and activated with my OU Admin account and then was re-prompted for activation when logging on with my GatorLink. As far as I can tell this means that sharing it with multiple users as you suggest will require jumping through some hoops.

One option might be to let people logon with their GatorLink accounts and use the demo version. If they need it longer than 30 days I assume deleting their profile would give them a fresh 30 days; that could be done automatically by making users members of the Local Guests groups on the computer so they would get a temporary profile. Depending on how the software is written, that might keep users in "forever demo" mode though they would have to be warned that their local files would go away at logoff (or when the profile was deleted if this was done by hand). Not a great option IMO.

Another alternative that occurs to me is to let them logon with a service account for which the software has been activated. There are security concerns with allowing service accounts to logon of course; we handle that with our laptops via a check-out system so that we can attribute use during a given time to a particular individual. I was going to go with that route until I tried one other option.

The final option that occurred to me was to copy an activated profile over the default profile (system properties, advanced tab, user profiles, settings button); I tested this out on our WinXP laptop installation and it seemed to work. Any new user logging on for the first time gets a copy of the default user profile as their starting point and should not be prompted for activation. This method (i.e., copying over the default profile) is not "Microsoft supported" even on WinXP, however; on top of that, Win7 even removes the user interface for doing that. Regardless, that is what I am doing for the time being with our copy on WinXP.

Please correct me if I am missing something obvious here or if you have had a different experience. If the above is indeed true, then Articulate's licensing scheme is quite different from most in the industry (and rather annoying IMO).

Thanks,

Micah Bolen mentioned that the written licensing is pretty specific about this product being licensed per user rather than per machine. Steve would like to hear Ron Thomas's take on that since the licenses were negotiated and paid for through him.

In any case, after getting over this hurdle and having made the software available to his folks for some time, Steve received reports of extreme slowness when opening components such as Quizmaker. Steve at first suspected a ThrottleGate issue but that did not pan out. He then searched the Articulate forums and found a reference to fixing random crashing in Quizmaker which he tried to no effect. He then tried a repair -- again without effect.

Finally, Steve noted a report about McAfee causing this issue. He went into the On-Access Scan Properties of the local VirusScan console and set an exclusion on the Articulate program folder (All Processes-Exclusions tab). The effect wasn't immediate, but it soon fixed the issue; Quizmaker had been taking 5-15 minutes to open and it now opened in seconds.

Steve's point was that this software seems to be a rather fragile "house-of-cards" and he isn't sure that promoting it widely is doing our faculty any great big favor.

Videoconferencing documentation being posted via SharePoint

Steve again mentioned this documentation. Lance Cozart continues to develop it.

New Elluminate system status

Dan Cromer had forwarded to the Elluminate-L list a notice announcing new versions which would be available soon. We will be upgraded to this new version during the regular maintenance window on Saturday June 26, 2010 from 10:00pm until Sunday, June 27th at 2:00am US Eastern (UTC - 04:00).

The notice specifically mentioned the following points:

  • This upgrade does not affect your previous recordings, user accounts and room links. Recordings will continue to play in the version they were created in.
  • Your users will automatically download files relating to the new version the first time they join one of your V10 sessions. This download may take the user between 1 and 5 minutes (depending upon their Internet connection speed). Please be sure to notify your users of this update.

Updated documentation, user guides and live/recorded training sessions will be available and they will have new references in their Support Knowledge Base.

Dennis Brown asked if anyone was championing the use of Elluminate or if end-user training was available. Dan Cromer pointed out that Elluminate had excellent on-line training readily available to all. Dennis mentioned that he was impressed with the quality of the Accordent recordings he had seen.

Micah mentioned that he tried an anonymous LiveMeeting via the web interface and it seemed pretty good. Steve mentioned that Elluminate may have an advantage in the support of teaching however. It does appear to be underutilized overall.

WAN transition to CNS (previous discussion)

Dan Cromer related that new circuit upgrades are pending for Belle Glade, Immokalee, Milton and Vero Beach. Additionally, LAN upgrades are being planned for various RECs. There is considerable work to do at both Lake Alfred and Immokalee. Dan also wanted to mention that, because WAPs are going to be replaced with enterprise-level devices, REC staff should refrain from purchasing any more consumer-grade wireless access points in the meantime.

Updates from James Moore

James was busy with some emergent issues at Hamilton County and arrived late, but was able to provide his update. Immokalee and Homestead are both getting new LAN equipment from the bottom up. Both of those sites are very large and complicated with many buildings involved. Immokalee especially has a large amount of consumer-grade equipment and Kevin Hill has been preparing the details needed to determine the port counts required. James said that Homestead is a very large installation, just under CREC in size.

Lake Alfred is getting a refresh using Cisco equipment and the other RECs may go with Brocade as a less expensive option. A lot of that depends on the VoIP model chosen and whether or not they need PoE.

Both Homestead and Immokalee are exploring their options for VoIP. There are two basic models that might be followed: a local CallManager Express and PRI (like Ft. Lauderdale) or a UF campus solution utilizing an SRST router (like Lake Alfred).

A new LAN has been put in place at Ona Cattle Research facility. Steve was surprised to hear of the facilities there; apparently there is a very beautiful new building there.

CNS has been doing a lot of year-end spending toward the WAN. They have also been reusing a lot of quite high-end used Cisco equipment supplied from the campus Wall Plate refreshes. James mentioned that he can ship overnight for $50-80 and that is how he has been getting switches out to remote places. Steve asked if CNS was using more used Cisco equipment than they were Brocade (formerly Foundry). James responded that they went with Foundry for the CEOs. Their main concern is getting a more homogeneous set of equipment at each location so that management is simplified.

There are still 41 CEO offices to finish up the router connections for as well. Steve asked how the documentation is coming and James responded that this is coming along but still a work in progress. Structured cabling is still the challenge in many places.


Policy


Alternate IFAS domains in e-mail

Steve wants to keep this on our agenda for future discussion. He believes there is no advantage to having multiple aliases and that we should move towards removing those if possible.

CIO

Elias Eldayrie is now on the job as our new CIO. Maybe we could invite him to an upcoming ICC meeting once he gets a bit settled?

Identity Management (IdM) Interface Training

Steve wants to remind everyone of the "UF_PA_IDM_NETMGR" role which will allow you to set NMB for your users. Your Department Security Administrator can do that for you.

ITAC-NI still meeting (previous discussion)

Another meeting was held yesterday which covered a number of interesting topics. The committee heard from Matt Grover on the case for sunsetting 802.11b wireless in order to improve overall performance for UF wireless. The committee recommended following a course which would remove that by the first of next year.

Matt Grover also detailed a CNS plan to provision a new SSID using WPA2. This move came from the need to improve the experience of those using wifi connections from mobile devices. Since this system can cache credentials, phones and other mobile devices which go to sleep won't require reauthentication each time they wake up. Additionally, this will provide a secure connection (as opposed to the wide-open UFW) which could replace the need for a VPN when using wireless at UF. Each access point can handle multiple SSIDs, and an individual could connect to whichever one they had access to and that suited their need.

A brief update was also provided on CNS progress and plans for campus wireless and NAC. Posture assessment was considered to be the eventual goal but is still quite a ways down-the-road.

Finally there was some discussion on ways to implement WOL in support of the Green IT effort, and an update was provided on the status of a centralized purchasing and distribution of SSL certificates.

In amongst all this, the most concerning thing heard was an indication from Tim Fitzpatrick that some of the recent announcements from the UFAD group (centrally funded Windows Server licenses in particular) were done with one-time monies and that there is no plan in place for that to continue. Tim seemed to believe that coming up with the money for that would be quite problematic considering our current financial climate.

In today's ICC meeting, Dan Cromer responded to this saying that Tim doesn't have the money to pay for all the server licenses, but Dan says that Mike Conlon is confident the funds will be found. Analysis indicates that this would continue to be a cost saving measure overall.

The minutes of yesterday's meeting should be ready by sometime next week.

Course Management System Conversion to Sakai 3 (previous discussion)

Steve reminded folks of Doug Johnson's announcement of a CMS Transition web site. A pilot test is apparently now in progress.

myuf Market (previous discussion)

Steve wants to keep this on our agendas in case discussion seems warranted.

UF Exchange Project updates (previous discussion)

The Active Directory group had a number of announcements in this quarter's IT Connections newsletter. Those included: Microsoft Campus Agreement Licensing Changes, UF Exchange E-Mail Service Upgrades, and Office Communications Server.

Centralized FAX service via Exchange (previous discussion)

Steve wants to keep this potential service in everyone's minds as it seems a logical direction for all to take. At last week's Green IT Open Forum, Dan Cromer mentioned that some centralized faxing solution might be expected as part of the overall Green IT efforts.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


Projects


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Windows 7 deployment

Steve reported that Daniel Solano has been struggling with SCCM and that the problem isn't Daniel, but rather SCCM itself. Apparently the upcoming version is a great improvement.

Steve mentioned that until SCCM gets sorted out he is currently making his own images for manual deployment via WinPE boot. He can customize things exactly as he wishes and deploy to a new box in less than 15 minutes. There is a bit of command-line involved but it is not rocket science. It allows you to have your image set up exactly as you want it and once that is ready you can wipe and restore a machine (sans data of course) in less than 15 minutes.

Micah Bolen mentioned he has put considerable effort into migration. He has tried all sorts of methods but has found Windows XP to Windows 7 Easy Transfer Tool to be quick and easy. You just save the ".mig" file that is generated to an external hard drive, reload the OS and the applications, and finally double-click on the ".mig" file to restore all the profile settings. Steve commented that he has been concerned with such tools carrying over too much baggage; Micah responded that via the ScanState command line you can exclude stuff in the XML files and get quite granular via that method.

Exit processes, NMB and permission removal (prior discussion)

Nothing further was available on this topic at this time.

Re-enabling the Windows firewall (prior discussion)

Wayne Hyde reported that the upcoming Forefront Endpoint Protection 2010 (FEP) will allow management of the Windows firewall from System Center Configuration Manager (SCCM). Wayne plans to investigate FEP as a replacement for McAfee. Microsoft's move to converge endpoint security with management via SCCM may provide us an added bonus if things work out.

Dennis Brown mentioned that he uses UF Security's self-service vulnerability scanner to find client-side vulnerabilities. He runs that on all the machines which go across his desk in order to make sure they are fully patched. On occasion he gets a machine that is not on UFAD and has a firewall enabled; in those cases the tool sees nothing. Steve thanked Dennis for reminding him of this. Steve has been encouraging his users to make use of the free Secunia On-line Software Inspector which does something similar but may not be as robust.

Services Documentation: Is a Wiki the way? (prior discussion)

Steve skipped over this topic but will keep it on our agendas.


Operations


Enabling pass-through authentication for http://*ufl.edu and https://*ufl.edu via GPO (prior discussion)

It appears that this will be left to the discretion of each OU Admin.

Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only

You are reminded that the ". IFAS-ICC" email distribution group does not include the broader audience which the ICC-L will reach. Plan your e-mails accordingly.

IFAS efforts toward Green IT (previous discussion)

Status update

Dan Cromer hosted a Green IT Open Forum last week. Those of you who missed it can still view the recording.

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (prior discussion)

Steve wants to keep this topic on our radar.

Moving away from the IFAS VPN service (previous discussion)

Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.

VDI desktops as admin workstations (previous discussion)

This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.

Wayne's Power Tools (prior discussion)

OU Technical Contact email groups have been created

As reported last month these groups are being used for out-of-compliance reports. Wayne intends to use those groups for automatic FSR reports concerning file server space usage (duplicate/large files/etc.).

Computer compliance tool in production (previous discussion)

Accessing the out-of-compliance information

Since our last meeting, Matt Wilson created a nice front-end to the out-of-compliance information which is reachable via http://itsa.ifas.ufl.edu/compliance (if-admn credentials required). While this lets you easily see which machines are or have been a problem, it doesn't show you the log details which indicate what triggered the compliance failure.

Some people have apparently had issues accessing the actual folder structure at \\ad.ufl.edu\ifas\out-of-compliance folders. Doing that requires using if-admn credentials and elevating Windows Explorer on Vista or Win7 lies somewhere between difficult and impossible. Since text files are involved, one of the easiest things to do is "runas /user:ufad\if-admn-GL notepad" and use that to navigate to those folders. Other options are to use a third-party Explorer substitute (Explorer++ or xplorer2) or run WinXP in a VM and use Windows Explorer with that.

Steve wants to mention that after you believe you have fixed the problem, you can do the following to check immediately, without having to log on again and check the compliance data:

  1. Press the Windows Key + R to get the run box, type "cmd" and hit Enter
  2. At the cmd prompt enter: "\\ad.ufl.edu\netlogon\ifas\IPCC.exe \\ad.ufl.edu\netlogon\ifas /s"

If you were successful then you will see the message "Successfully copied existing log file to history location and deleted log file".

E-mail notifications

Dennis Brown had indicated to Chris Leopold that he would appreciate some control over who gets the weekly (currently each Tuesday at 6 AM) compliance e-mails. As it is now, if you have an IF-ADMx that has control over an OU, you will be notified (automatically) via your GL account email. Chris has been thinking about adding a mail-enabled global group under the local OU that will allow the OU admins to add folks without an IF-ADMx account to receive these emails, without removing IF-ADMx accounts from the notification.

Seeking input for next version of IPCC

Chris Leopold is looking for suggestions regarding the next version of the IPCC app. He plans for the next update to check for:

  • BITS service (should not be disabled)
  • Update services service running
  • XP SP3 installed on XP machines

Steve mentioned that there seems to be a timing issue with some slower machines where the McAfee service is still at "StartPending" at the time IPCC runs. This leads to false positives. Steve has also had a couple of cases where the McAfee service was stopped for some reason; after starting that things went back to normal. He is still trying to figure out what is going on there.
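The service checks and the "StartPending" timing issue described above can be sketched as follows. This is an added example, not IPCC's code: it assumes Windows PowerShell 3.0 or later, and the service names (BITS, wuauserv for the update service, McShield for the McAfee on-access scanner) are assumptions to adjust for the local install.

```powershell
# Added example; not IPCC's code. Requires Windows PowerShell 3.0 or later.
# Assumed service names: BITS, wuauserv (Windows Update), McShield (McAfee on-access scanner).

function Wait-ServiceSettled {
    # Poll a service that is still starting, so a slow boot is not reported as a failure.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [int]$TimeoutSeconds = 120,
        [int]$PollSeconds = 5
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($svc.Status -eq 'StartPending' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $svc.Refresh()          # re-read the current status from the service manager
    }
    return $svc.Status.ToString()
}

function Test-ServiceCompliance {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$MustBeRunning   # without this switch, only "not disabled" is required
    )
    # Only wait when the running state actually matters for the verdict.
    $timeout = if ($MustBeRunning) { 120 } else { 0 }
    $state   = Wait-ServiceSettled -Name $Name -TimeoutSeconds $timeout

    # Get-Service does not expose the start mode on older PowerShell, so ask WMI/CIM.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    $startMode = if ($cim) { $cim.StartMode } else { 'Unknown' }

    $reason = $null
    if     ($state -eq 'NotInstalled')                      { $reason = 'service not installed' }
    elseif ($startMode -eq 'Disabled')                      { $reason = 'start mode is Disabled' }
    elseif ($MustBeRunning -and $state -eq 'StartPending')  { $reason = 'still StartPending after timeout' }
    elseif ($MustBeRunning -and $state -ne 'Running')       { $reason = "state is $state" }

    [pscustomobject]@{
        Service   = $Name
        State     = $state
        StartMode = $startMode
        Compliant = ($null -eq $reason)
        Reason    = $reason
    }
}

$results = @(
    Test-ServiceCompliance -Name 'BITS'                      # should not be disabled
    Test-ServiceCompliance -Name 'wuauserv' -MustBeRunning   # update service running
    Test-ServiceCompliance -Name 'McShield' -MustBeRunning   # AV scanner running (assumed name)
)
$results | Format-Table -AutoSize
```

Reporting "still StartPending after timeout" separately from a stopped service lets an admin tell a slow machine apart from one where the scanner was actually stopped.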

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OUAdmin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

New MPS/DC testing

Andrew Carey had related that he has been concentrating lately on getting more MPS/DCs ready for deployment. The next of those will be in Dixie County which has been without a DC for about 2 years now. Authenticating over the wire has been made problematic by poor connectivity and that office is very anxious to get a local DC back.

Core Services status

Data Protection Manager planning

Wayne has begun looking into Data Protection Manager as the hub of a new backup solution for ITSA.

ePO updates

Status update.

Status of SharePoint services (prior discussion)

IFAS migrating to centralized MOSS

Status update.

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...

Microsoft

The June Microsoft patches included ten bulletins overall. Six of the bulletins affect Windows (two Critical and four Important). Two Important bulletins affect Microsoft Office. One Important bulletin affects both Windows and Office. Finally, one Critical bulletin affects Internet Explorer. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".

Adobe

A new version of Flash was released yesterday, version 10,1,53,64. This addresses a vulnerability which was being actively exploited and you should consider upgrading ASAP. Previous mitigation involved installing Flash 10.1 RC which was supposedly not vulnerable. If you had done that, you now will have to first uninstall that before you may install this latest release (wonderful).

There is also an un-patched vulnerability in Acrobat/Reader. Mitigation for that involves deleting or renaming two DLLs: authplay.dll and rt3d.dll. Those may be found in "%ProgramFiles%\Adobe\Acrobat 9.0\Acrobat\" or "%ProgramFiles%\Adobe\Reader 9.0\Reader\".
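One way to apply the rename mitigation above across a machine and record what was done, as an added example that is not part of the original notes. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the ".disabled" suffix and the extra ProgramFiles(x86) root for 64-bit Windows are assumptions, since the notes list only %ProgramFiles%.

```powershell
# Added example, not from the meeting notes. Run elevated.
# The ProgramFiles(x86) root is an assumption for 64-bit Windows.
$dllNames = 'authplay.dll', 'rt3d.dll'
$subDirs  = 'Adobe\Acrobat 9.0\Acrobat', 'Adobe\Reader 9.0\Reader'
$roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ } | Select-Object -Unique

$report = foreach ($root in $roots) {
    foreach ($sub in $subDirs) {
        foreach ($dll in $dllNames) {
            $path    = Join-Path (Join-Path $root $sub) $dll
            $renamed = "$path.disabled"      # hypothetical suffix; renaming keeps the change reversible
            $status  = 'NotPresent'

            if (Test-Path -LiteralPath $path) {
                try {
                    # A .disabled copy left by an earlier run would block the rename.
                    if (Test-Path -LiteralPath $renamed) {
                        Remove-Item -LiteralPath $renamed -Force -ErrorAction Stop
                    }
                    Rename-Item -LiteralPath $path -NewName "$dll.disabled" -ErrorAction Stop
                    $status = 'Renamed'
                } catch {
                    # Usually a locked file: Acrobat/Reader or a browser plug-in is still open.
                    $status = "Failed: $($_.Exception.Message)"
                }
            } elseif (Test-Path -LiteralPath $renamed) {
                $status = 'AlreadyRenamed'
            }

            [pscustomobject]@{ Status = $status; Path = $path }
        }
    }
}

# Show only the locations where one of the DLLs was found in either form.
$report | Where-Object { $_.Status -ne 'NotPresent' } | Format-Table -AutoSize
```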

Apple

Apple released Safari 5.0 and Safari 4.1 for Windows and Mac OS X to address multiple vulnerabilities.

MS Office News update

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status (previous discussion)

Steve asked again if anyone had any issues with using the new system.


Other Topics

PDF-Xchange (prior discussion)

Steve wants to keep this on our agenda for possible later consideration and noted that Micah Bolen has been using this product for his units.

Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL

Santos was not available to report on whether or not he is moving towards supporting such things.


The meeting was adjourned early at about 11:25 AM.