IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM June 8th 2012 REGULAR MEETING
A meeting of the ICC was held on Friday, June 8th, 2012 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.
PRESENT: Fourteen members participated.
Remote participants: Bill Black, Dan Cromer, Kevin Hill, Scott Owens, Mike Ryabin, John Wells, and Gary Wilhite.
On-site participants: Jimmy Anuszewski, David Blackman, Dennis Brown, Winnie Lante, Chris Leopold, Steve Lasley, and Alex York.
STREAMING AUDIO: available here
NOTES:
Agendas were distributed and the sign-up sheet was passed around.
Member news:
Annie Ferguson has replaced Nancy Johnson as IT contact for 4H. Her title is "State 4-H Information Management Coordinator." Steve has heard back from Annie and she indicated that she would love to join in on one of our meetings and looks forward to serving as a sort of liaison between Florida 4-H and IFAS IT.
Steve also mentioned that Tennille Herron, the new ICS Web Manager, stopped in to say hi just before the meeting. She was unable to make it today, but is very interested in meeting everyone.
Chris Leopold said that the search is on for a new IT support person at CREC and he will be participating in interviews for that position on Monday.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
Videoconferencing and WAN discussion
[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]
Videoconferencing topics (previous discussion)
Replacing Polycom endpoints with some Lync-based solution (previous discussion)
Updates not available...
Other standing VC topics
End-user Scheduling (previous discussion)
Updates not available...
Movi (previous discussion)
Updates not available...
Lync Migration results (previous discussion)
Lync as a unified communications solution
Dan Cromer has been pushing for this for quite some time through various committees and apparently John Madey will soon begin investigating the actual implementation of tying Lync to a phone number so it can be used to make and receive telephone calls. Dan has volunteered his group as test subjects.
Dan also mentioned that an eventual move to "Gig to the desktop" may have cost implications with our Cisco IP Phones, which are 10/100 currently. Upgrades of those could get very expensive. Chris Leopold suggested that it might be good to hold off on moving to Cisco VoIP at some of the RECs until this Lync investigation plays out. Chris said that CNS has been pushing Gbps switches for new REC installations, supposedly to better support VoIP. Dan responded that we are moving ahead with Cisco VoIP at Quincy and it is already done at Balm. Apopka and Immokalee are next in line, with Milton and Jay after that.
Considering the potential cost savings, Chris asked Dan if each site might be able to have input on such decisions. Dan responded that it would already be too late for the sites mentioned, but that he wants to consider it for the future.
Steve noted that his department's Cisco 7940 VoIP phones have crummy hook switches which are beginning to go bad already. Either the contacts corrode or the spring that brings the phone "off-hook" when you pick up the handset requires adjustment. It is not easy to disassemble/reassemble these to fix the issue, but Steve was provided a good tutorial by Rick Swineford (Sr. Telecom Tech) and would be glad to assist others should the need arise. Steve believes the switch is now more robust on the newer model phones.
Entomology to test AVer codec for its recording capabilities
The recording capabilities may allow this device to serve as an inexpensive IP recorder; Steve is still testing. One drawback currently is that the capture is done in a proprietary format and requires a Windows-based application for viewing. Steve has suggested to Wayne Hyde that this might be a good VDI application as it would be a great way to introduce that technology to folks. In his department, for example, Steve would like to capture all departmental seminars with the AVer and make them available for viewing via http://virtual.ifas.ufl.edu. That would open up archival access to seminars via a myriad of devices, including handhelds.
The other drawback is that the playback software doesn't seem to allow skipping to a particular location in the recording. You can play and pause but that seems to be about it. Even so, Steve is excited about the potential for recording bridged VCs from his office and making the recording available to students, staff and faculty. The cost-savings (compared to Accordent) and flexibility (compared to recording on the bridge) of such a solution might be able to overcome the other drawbacks.
Promising new "Conference" camera now available (previous discussion)
Dan showed us the Logitech BCC950 ConferenceCam he recently purchased ($200 via Dell); this is the combination speaker-phone/camera that was mentioned back at our April meeting.
It appears to be a good choice for software-based videoconferencing (Lync, Skype, Movi, etc.) in small conference room settings. The camera is HD, has an in-built H.264 encoder, as well as a remote for pan/tilt/zoom control of the camera.
Dennis Brown asked if it would pan to a speaker like the Polycom CX500 HD. Dan said it would not but that it did have face tracking software which he had not yet had the opportunity to try.
WAN (previous discussion)
Updates from James Moore
James could not make it to today's meeting, but Chris Leopold was able to relate that the connection to Live Oak was upgraded earlier this week, which involved a re-numbering.
Steve asked if Live Oak was a CEO. Chris Leopold explained that it is an REC that was formerly associated with Marianna and Quincy but has since been relegated to separate REC status. Ben Beach rather than John Wells is now providing District IT support for Live Oak. Steve notes that it is not listed on the Solutions for Your Life "Find Your Local Office" page.
Dan Cromer also reported that he is preparing to install new UF-managed Cisco WAPs at all CEOs. Wi-Fi security will be enabled at that time. The policy for remote sites does allow a shared, frequently changed WPA2 password for broad wireless access at conventions and the like; there will be no open Internet access, however.
Policy
Shared IT Infrastructure Advisory Committee
Dan Cromer had notified us via the ICC-L that the Chairman's notes for the May meeting were now available. Dan also shared an update to the SIAC strategic plan.
There was some comment about the budget cuts mentioned in these notes. Dan said that these cuts would not affect IFAS IT other than indirectly; the refresh period for Wallplate is being lengthened from four to five years, for example. Dan also noted that the FTE loss was within vacant positions, which sounds like good news compared to forcing any layoffs.
Steve related an experience he had with Wallplate recently. Steve needed more ports than were currently available in one of his wings, so he went to the Wallplate web site to see if he could find any cost details. That site seemed very out-of-date now, so Steve emailed Sheard Goodwin (who had managed the Wallplate installation at Entomology). Sheard estimated the cost of 24 10/100 ports at a bit over $620, which seemed fair. After turning in a ticket for this, however, Patrick Kyle indicated that he would swap out a 24-port switch for a 48-port switch at the cost of $1400. That was sticker shock! Eventually, the price was "dealed down" to $820 ($620 plus $200 overhead) but this led Steve to suggest that various upgrade costs should be documented somewhere and kept up-to-date so that everyone can be on the same page.
Kevin Hill reported having had sticker shock on price estimates for horizon network runs. He was getting quotes in the $140 range. Steve responded that he should feel lucky because single drops on campus run $250, with some price break when running multiple drops to a single location.
IT Reporting Relationships (previous discussion)
Dennis Brown asked about this matter, noting that the VP's message to the Administrative Council was distributed to the ICC-L but no other details had been forthcoming. Steve noted that he had asked Dan to expound on this matter at our last meeting but Dan had completely avoided the main issue which that message had seemed to suggest: namely that there is a plan afoot to centralize unit IT staff under Dan Cromer, removing them from direct responsibility to their units.
Dan Cromer was reluctant to respond, but replied that different options are being considered and that he wasn't at liberty to discuss them. He did say that he had developed a proposal based on the VP's wishes and then amended it in consultation with Joe Joyce. He has developed an organizational chart which he needs to take back to Dr. Joyce. It remains a "study" and whether or not anything will change is still very much undecided.
Dan did feel comfortable in saying that the move toward centralization (which he would rather refer to as collaboration and consolidation) is happening on multiple levels. IFAS has a business hub in Fifield and there have been discussions on moving that to a "Shared Services" organization with the idea that shared services can be more cost effective rather than each unit having its own finance and HR personnel. There is discussion about extending that model to student support services and IT as well.
Dan feels we ought to be thinking about such things. He offered that, if we provide him our input on how we can be better organized to support things, he would take those suggestions into consideration.
With regard to IT support at Entomology, Steve feels the current model is working extremely well as is and that moving to a more centralized model is extremely unlikely to improve the service experience for his faculty and staff. He believes his chairman and faculty would back him up on that, as many of the things Steve does could simply not be managed via a centralized model. Units lacking in IT support might be improved through such a reorganization, but those units with superior support would necessarily be pulled down to the lowest common denominator. Steve believes his department fully realizes and appreciates what they have currently and believes they would vigorously oppose such a change--for good reason.
New 'Trouble-Ticket' Entry Page for CNS (previous discussion)
The new Remedy system is now scheduled to go live Wednesday, June 13th. On-line tutorials are available, as discussed at our last meeting.
Dennis Brown asked if this change would affect us for things like requests for DHCP reservations. Chris Leopold said that the DHCP reservation request form sends an email both to Remedy and to IFAS ITSA. Chris said that they might indeed have to make some code changes on the form to make sure it submits things to Remedy correctly. The problem with the Remedy system currently is that tickets aren't forwarded on to ITSA for quite some time (hence the double mailing by the form).
Migration of DNS and DHCP Services to New BlueCat Platform (previous discussion)
Updates not available...
UF File Express essentially done but not quite in production (previous discussion)
Dan Cromer said that the announcement was imminent and would likely be made through the UFIT News site.
UF FAX server project (previous discussion)
Dan Cromer had shared a method of using SharePoint to access in-coming fax messages as detailed by Mike Bielby:
- In ADUC:
  - Created a service account called EHS-SVC-FAX-TEST
  - Put it in Enable Mailbox group
  - It got the mailbox, address is EHS-SVC-FAX-TEST@ad.ufl.edu
- In SharePoint:
  - Created a library
  - Assigned it the address ehs.testfax@connect.ufl.edu
  - This put it in the group ad.ufl.edu/UF/Groups/SPEmailConnect as a contact
  - Gave EHS-SVC-FAX-TEST contribute permission.
- In EMC:
  - Found EHS-SVC-FAX-TEST and opened mailbox properties
  - In Mail Flow Settings, Delivery Options, selected Forward to: and browsed to ehs.testfax
  - I did not check ‘Deliver message to both forwarding address and mailbox’, that may be a problem with the fax software
  - In General, selected ‘Hide from Exchange address lists’
Upcoming requirements for InCommon Silver (previous discussion)
Andrew Carey reported last Sunday that "implementation has been delayed due to some inconsistent results seen while verifying the effects of applying the InCommon settings / GPOs. They have backed out of these changes and will announce a new date to re-apply these settings once further testing to identify the source of the inconsistencies has been completed."
Chris Leopold mentioned that he wasn't sure of the problems to which Andrew was referring, but he had gone through the logs and noticed issues with 6-7 machines all of which were Macintosh. Those may be running older versions of OSX--Chris wasn't sure what the issue might be, but we might expect a small number of problems initially once this switch is truly "thrown" for good.
Implementing the Mobile Computing Security policy (previous discussion).
Updates not available...
Wake on LAN support coming to campus: (previous discussion)
Updates not available...
New Secunia site license (previous discussion)
Updates not available...
KACE agent deployed to IFAS (previous discussion)
Updates not available...
Domain Policy and redirect duration (previous discussion)
Updates not available...
CNS working to implement NAC for UF wireless (previous discussion)
Dan Cromer reported that NAC is currently only in test mode. The plan is to put this in production either at the beginning of Summer B or in the Fall. The UFW ssid will be eliminated at that time and everyone will be subject to NAC prior to connection.
Jimmy Anuszewski said that the NAC installs the SafeConnect Policy Key software on Macs during this process.
Steve noted that he had only set up a single laptop on the "UF" ssid currently but found the instructions such that he expected end-users might have some difficulties.
UF Exchange Project updates (previous discussion)
Outsourcing of student email?
From the notes of the May SIAC meeting, it would appear UF is getting serious about outsourcing student email, apparently via Microsoft Office 365.
[Note: When Mark Minasi first heard about the Office 365 name he immediately wondered what would happen on leap years...and indeed the service went down on the next Feb. 29th!]
Sakai e-Learning System now in production (previous discussion)
Updates not available...
Alternate IFAS domains in e-mail (previous discussion)
Updates not available...
Electronic Copy - Print Output Cost Reduction program (previous discussion)
Updates not available...
Split DNS solution for UFAD problems (previous discussion)
Updates not available...
Projects
New web cluster (previous discussion)
Chris Leopold reported that they have tweaked the web cluster configuration some because they ran into a potential tradeoff between complexity and robustness in engineering for fault tolerance. They are happy with the configuration they have currently, which is using a network load balancing interface for two Application Request Routing (ARR) boxes. That in turn connects to a backend that can failover to a second backend if necessary. Should additional problems arise they might simplify the design further, but they hope they are where they need to be now.
Chris said there are still a few issues with WebDAV, but Chris is happy that they are beginning to migrate sites, beginning with their own. The old web server is in danger of collapse, so migration can't go too quickly to suit Chris.
Chris also related that over his recent vacation he found himself in New Orleans at NETC 20101 along with John Wells, who was presenting there on his experiences with WordPress. Chris wasn't registered for the conference but asked for and was granted access to the session. Listening to that, he came to a realization that the server administrators' perspective can be very much different than that of the web developer or end user and that some continuing conversations might help ITSA improve its services in a way that might further enable the sorts of things developers are always wrestling with.
From the perspective of the server administrators, WordPress is problematic because it relies on MySQL for backend storage, which is not really an enterprise-level database platform. It requires flat file backup and there is always the risk of data loss. After the conference Chris came to believe that it is not WordPress per se that draws developers; rather, it was the integration of services that WordPress provides via plug-ins that create easily managed wrappers to provide end-user access to various communication services with targeted audiences.
Chris wants to start discussions with IFAS users and web developers that might open ITSA's eyes more to their perspective on service needs. He hopes that open communication could lead to solutions that are both robust on the back-end and flexible on the front-end.
Chris indicated that they have tried to make WordPress more robust on the back-end by using PHP code to intercept MySQL calls and re-route them to SQL Server. This avoids the MySQL backup issue but breaks many of the plug-ins that developers want to use.
Jimmy Anuszewski provided his perspective, having recently taken over the Agronomy site, which was one of the first WordPress sites that IFAS supported. The point of WordPress is to make site modifications easy, but Jimmy discovered to his surprise that the Agronomy site, while running on WordPress, doesn't really use the WordPress paradigm but rather requires extensive HTML coding to implement even simple changes.
Jimmy says that the inability to directly utilize common plug-ins and having to figure out ways to communicate to SQL Server on the back-end is causing a number of headaches. Chris Leopold responded that many plug-ins are written in a way that requires direct access to a MySQL database rather than using more standardized calls (e.g., ODBC) that can hide specific back-end dependencies.
Jimmy believes that open communication between the developers and the server administrators is the way to go. These sorts of issues will arise with any content management system, no matter which one is picked, and it is important that we all work together to get something that is both flexible from the developers' standpoint and supportable from the server administrators' perspective.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM (previous discussion)
MDT 2012
Steve is still looking for the time to play with the new MDT package that can handle Win8 deployment. Exciting and potentially very time saving, but in the meantime quite time consuming to investigate thoroughly.
SCCM for IFAS
Work continues on the central SCCM plans.
Alex York has been playing with App-V, which is Microsoft's application virtualization product. It does some very cool things, but licensing is an issue for that product itself and it also has the same third-party licensing issues as Wayne Hyde has had with the VDI pools.
Exit processes, NMB and permission removal (previous discussion)
Updates not available...
Re-enabling the Windows firewall (previous discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (previous discussion)
Updates not available...
Operations
Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection? (previous discussion)
Dan Cromer reported that OSG considers Forefront a function of SCCM and is talking about offering Forefront as an option. Dan has mentioned to them that reducing the $180K cost of McAfee software might make a broader migration attractive.
Print server (previous discussion)
Updates not available...
Recording lectures for Distance Education (previous discussion)
See discussion earlier in meeting.
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (previous discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
Can IFAS support DirectAccess in the future? (previous discussion)
Updates not available...
Moving away from the IFAS VPN service (previous discussion)
Winnie Lante reported that she and her users have been experiencing issues accessing the file server from non-domain joined computers utilizing the L2TP/IPsec VPN from off-campus. The same results were obtained via the IFAS VPN as well. This has been causing her grief because she has had to tell her users to resort to using http://files.ifas.ufl.edu. The problem started a few weeks ago; she has been using DFS targets and Chris suggested she try the direct target as a diagnostic.
Winnie also mentioned that they do have some file server resources that are not available via http://files.ifas.ufl.edu. Chris said that they can add a DFS target for that resource and get it added.
VDI desktops as admin workstations (previous discussion)
Updates not available...
Wayne's Power Tools (previous discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Chris Leopold said he plans to look at updating this tool so it could check for Forefront Endpoint Protection as well as McAfee. He would like to hear from others as to any changes they might like considered as well.
Folder permissioning on the IFAS file server (previous discussion)
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age (previous discussion)
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
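The manual pruning routine and the BitLocker caveat above, combined in one report, as an added example (not ITSA's code and not part of Wayne's Power Tools). It assumes the OU admin's own record of disable dates; the function names and host names are hypothetical, and the script only reports, deleting nothing.

```powershell
# Added example; not ITSA's code and not part of Wayne's Power Tools.
# Assumption: disable dates come from the OU admin's own records, because
# AD does not store the date on which a computer account was disabled.

function Get-ComputerState {
    # Live lookup. Requires the RSAT ActiveDirectory module and a domain connection.
    param([Parameter(Mandatory = $true)][string]$Name)
    $c = Get-ADComputer -Identity $Name -ErrorAction Stop
    # BitLocker recovery information is stored as msFVE-RecoveryInformation
    # child objects of the computer object, so deleting the computer removes it too.
    $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'")
    [pscustomobject]@{ Name = $c.Name; Enabled = $c.Enabled; RecoveryKeyCount = $keys.Count }
}

function Get-PruneDecision {
    # Pure decision logic: no directory access, so it can be checked offline.
    param(
        [Parameter(Mandatory = $true)]$Record,   # Name, DisabledOn (admin's own record)
        [Parameter(Mandatory = $true)]$State,    # Enabled, RecoveryKeyCount (from AD)
        [datetime]$AsOf = (Get-Date),
        [int]$MinDaysDisabled = 90
    )
    $days = [math]::Floor(($AsOf - [datetime]$Record.DisabledOn).TotalDays)
    if ($State.Enabled) {
        $action = 'Keep: re-enabled since it was recorded'
    } elseif ($days -lt $MinDaysDisabled) {
        $action = 'Keep: disabled for fewer than {0} days' -f $MinDaysDisabled
    } elseif ($State.RecoveryKeyCount -gt 0) {
        $action = 'Escrow BitLocker recovery keys, then delete'
    } else {
        $action = 'Delete'
    }
    [pscustomobject]@{
        Name         = $Record.Name
        DaysDisabled = $days
        RecoveryKeys = $State.RecoveryKeyCount
        Action       = $action
    }
}

# Constructed sample data (hypothetical host names) so the logic runs offline.
$records = @'
Name,DisabledOn
ENT-LAB-01,2012-02-01
ENT-LAB-02,2012-02-15
ENT-LAB-03,2012-05-20
ENT-LAB-04,2012-01-10
'@ | ConvertFrom-Csv

$states = @{
    'ENT-LAB-01' = [pscustomobject]@{ Enabled = $false; RecoveryKeyCount = 0 }
    'ENT-LAB-02' = [pscustomobject]@{ Enabled = $false; RecoveryKeyCount = 2 }
    'ENT-LAB-03' = [pscustomobject]@{ Enabled = $false; RecoveryKeyCount = 1 }
    'ENT-LAB-04' = [pscustomobject]@{ Enabled = $true;  RecoveryKeyCount = 0 }
}

$asOf = [datetime]'2012-06-08'
$records | ForEach-Object {
    Get-PruneDecision -Record $_ -State $states[$_.Name] -AsOf $asOf
} | Format-Table -AutoSize

# Against a live directory, replace the lookup table with the real query:
#   Get-PruneDecision -Record $_ -State (Get-ComputerState -Name $_.Name)
```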
Core Services status (previous discussion)
Chris Leopold mentioned that ITSA will soon be working with Dennis Brown on migrating many of his in-house services to their IFAS equivalents, including file services.
Chris said they are getting more storage for their DPM back-ends. They are also improving their disaster recovery plan for file services. The file server consists of three NX3000s in a majority node set cluster that provides fault tolerance for the hosting hardware. The setup is all single-instance storage (SiS) enabled in order to save significant storage space on the back-end. SiS-enabled volumes seem to be causing some issues with DPM; at least they believe that to be the root cause because these problems had not shown up on their prior configuration. They have been in contact with MS on the issue and MS has been able to reproduce it and is planning fixes. While that is good, ITSA is also planning a secondary read/write file server off-site in order to beef up our disaster recovery capabilities for the file server. Data will be replicated to that offsite area as well using lower-end storage. The current plans in the case of a major disaster would be to change the DFS targets to point to the DPM servers to provide a read-only copy. This new off-site plan would allow that to be read-write.
ePO updates (previous discussion)
Updates not available...
Status of SharePoint services (previous discussion)
IFAS migrating to centralized MOSS
Updates not available...
Public folder file deletion policies and procedures status (previous discussion)
Updates not available...
Patching updates... (previous discussion)
Microsoft
An out-of-band security update was pushed on Monday to address a certificate signing vulnerability.
The June Microsoft patches will include 7 bulletins (3 "Critical," and 4 "Important") addressing multiple vulnerabilities in Windows, IE, and .NET.
McAfee provides podcasts on the highlights of each month's offerings.
Adobe
Adobe originally indicated that users of Photoshop and Illustrator would have to upgrade to CS6 versions in order to address security vulnerabilities that were reported last month. Since then, they lightened up a bit and have now developed patches for Illustrator CS5/CS5.5 and Photoshop CS5/CS5.5.
Apple
A new version of QuickTime was released since our last meeting.
Other security matters
Chris Leopold wanted to raise our awareness of last year's DNSChanger malware and potential upcoming consequences--mainly for home owner installations. There have been reports of a July 9th internet Doomsday event when the DNS servers to which the infection points a client are finally removed. The FBI has published information on the matter which describes what the malware does and how to determine if a particular machine or SOHO router is infected. There are many more details on the DNSChanger Working Group's web site and they have a DNSChanger Eye Chart one may use to easily determine if there is an issue as well.
MS Office News update (previous discussion)
Updates not available...
Job Matrix Update status (previous discussion)
Steve pointed out that the ITSA job matrix still does not list Alex York. Steve suggested (facetiously) that Alex might consider changing his name as one solution.
Remedy system status (previous discussion)
Updates not available...
Other Topics
New data classification policy
Dan Cromer wanted us to be aware of a new emphasis at UF regarding our Data Classification policy as related in a recent DDD memo. Dan said that we are going to be responsible for knowing what data we have where and will have to research that accordingly.
Big Blue Button proof-of-concept server (previous discussion)
Updates not available...
Results of GPO disabling for non-portable devices (previous discussion)
Alex York came to the realization that our problems with off-line files were very likely a result of not using FQDN within our DFS structure. Chris Leopold said that we very much need to get our DFS structure off of any WINS dependency so it is using FQDNs. Three new DNS servers were recently added utilizing FQDN entries for our DFS targets to ameliorate the issue as an interim step.
WebDAV issue with Mac OS X Lion (previous discussion)
Updates not available...
The meeting was adjourned well ahead of usual at about 11:15 AM.