IFAS COMPUTER COORDINATORS
NOTES FROM July 8th 2005 REGULAR MEETING
A meeting of the ICC was held on Friday, July 8th, 2005. The meeting was chaired and called to order by Steve Lasley, at 10:18 a.m. in the ICS conference room.
PRESENT: Fourteen members participated. Remote participants: Kevin Hill, Nancy Johnson, Joel Parlin, and Mike Ryabin. On-site participants:
Dennis Brown, Dan Cromer, Chris Hughes, Winnie Lante, Steve Lasley, Richard Phelan, Mark Ross, Joe Spooner, Ruth Jeanne Tucker and A. D. Walker.
Agendas were distributed and the meeting was called to order 18 minutes later than scheduled. The lateness was due to difficulties in getting streaming working--an obstacle which Chris Hughes overcame through mighty effort.
Report from the chairman:
We had no new members--at least that were known of prior to the meeting. Right before the meeting was scheduled to start, Dennis Brown introduced to me his new part-time assistant, Ruth Jeanne Tucker, and by the time the meeting actually started, I neglected to introduce her to our group. I would like to express my heartfelt apologies for that faux pas. I do hope she had a pleasant experience otherwise, however.
Steve skipped the "recap since last meeting", again simply pointing out that the agendas are always linked at this point to the notes from the previous meeting for review.
Adventures in wireless at Fifield:
Mark Ross has had CNS-Network Services come out a number of times regarding wireless in Fifield, but has been generally unhappy with the level/promptness of support they provided him. He did a little research and discovered that D-Link, NetGear, SMC and LinkSys all make access points that basically have all the Cisco functionality needed for Mark to provide his own wireless solution using the UF authentication VLAN. Mark went ahead and bought five D-Link DWL-2200AP's from CDGW at a cost of $159 each (note: Dell has these currently for $136.70 w/ free shipping), and deployed them in his department. He placed two on each floor down the Plant Pathology leg of "H-shaped" Fifield Hall. He placed the last one in their classroom in the central portion of the building.
Since UF requires authentication of wireless connections, Mark hooked the access points to ports on a managed switch which John Sawyer had configured to use the UF authenticated VLAN. (Note: Chris Hughes mentioned that Chris Leopold and John can both do this, but that Chris L. is the primary layer two contact currently.) Problem solved. Students open their laptops, see the "ufw" SSID, and connect to the access point. (Note: Mark's broadcast of an SSID is technically disallowed by UF wireless network policy. This points out a problem with current policy in our opinion.) They then start up a web browser that takes them to the BlueSocket Gateway where they enter their Gatorlink credentials and can then run a VPN for a secure wireless connection to their departmental resources.
Mark mentioned that the "GatorLink L2TP/IPsec VPN" installation that Chris Hughes made available at http://software.ifas.ufl.edu (OU Admin credentials needed) works great with wireless. Once that is configured on a system, you simply check the "Logon using dial-up connection" option on the Windows logon page and then select the Gatorlink VPN dialup connection. Once you provide the credentials for that, you can get right into your departmental AD logon setup directly (scripts and all)--bypassing the need to logon via the BlueSocket Gateway. This makes the logon experience via wireless essentially the same as for a wired connection. It doesn't even require that someone has logged onto that machine prior--profiles are created and it just works. Very cool.
Chris Hughes warned that this will be going away, however; so, if you use it, be forewarned. When it does stop working there will be a fully supported one from CNS. Mark mentioned that the Cisco VPN is supposed to be able to start before logon but that he has been unable, even by calling CNS support, to get that to work. Steve reported that he gets it to work "sometimes".
Once it is in production, Chris said we will have a VPN client available that connects to an IFAS ISA server running the Network Access Quarantine Control that will ensure patches are installed and VirusScan is up-to-date before allowing a connection.
Mark said that he and John are also working on setting these access points up with RADIUS authentication (802.1X)--although progress has been delayed by all sorts of other happenings. If this works, it may solve the problem for some of our remote sites that cannot afford the $2500 cost of Bluesocket devices. CNS will not extend the authenticated VLAN off-campus due to performance considerations. Chris Hughes also speculated that CNS might not want to give us the passphrase details to hook into their RADIUS server, but Kevin Hill reported that he had gotten a ZyXEL ZyWALL 2 unit working to campus via such a passphrase and that, though it took a while, CNS was cooperative. That likely won't be necessary in any case, however, as the coming IFAS ISA server will include RADIUS and we will then have the capability within IFAS for RADIUS authentication against UFAD. Mike Ryabin asked what the timeframe on this all might be and Chris Hughes estimated roughly 6 weeks.
Mark demoed the admin console on his access point and described the basics of how to configure it for use with a walkup port. Mark sets the SSID to UFW (wondering if that will draw complaints).
Mark also showed how these units support a "P2P" bridge setting so you can use two with high-gain directional antennas to connect across spans where cabling is problematic. Richard Phelan is doing this at Environmental Horticulture with these units and it is working well. The D-Link DWL-2200AP's support PoE (Power over Ethernet), so it is easy to mount them in attics or ceilings without concern for having a power plug nearby.
Mark said there were no problems in his building with channel interference among the units. Also, he was able to move through-out his area and the connection was handed off from point to point--at least when using a D-Link NIC.
Progress on standing issues:
IT Budget Request:
The question was raised to Dan Cromer as to which of those matters discussed at the ICC were included/excluded in the final budget request and how was the request funded. In responding, Dan referred to an Excel Spreadsheet that listed the various items which were presented as a budget request to Joe Joyce for the 2005-2006 fiscal year. This spreadsheet is divided into worksheets containing the requests Dan received from his various groups for Server (IT/SA), Help Desk and WAN. Dan said he presented those, totaling approximately $950,000, to Joe Joyce as a summary of our true needs as viewed from IT's perspective. The Admin sheet summarizes a more pragmatic take on those requests as categorized by Dan into continuation costs, replacement costs and one-time purchases. As the bottom line, what Joe funded currently was the "IT Re-occurring Charges FY 2005-06" which were actually down roughly $9000 from the previous year due to that year's necessary duplication of connections while the new WAN links were installed. This bottom line translated to an IT budget amounting to $479,300 which Dan had presented as the minimum necessary to maintain current services as is.
The requested replacement items, which totaled $114,950, were deferred pending consideration via the IT Taskforce. Some of the items that were deferred (e.g., 14 new DCs) are deemed very unlikely for funding, even though Joe is aware that these were part of the original AD budget as a next year expense. Dan said we are going to go ahead with the DNS server and the DHCP server--as well as a print server--taking it out of "IT's hide" so-to-speak by cannibalizing travel, computer supplies or professional development, for example. That hardware is deemed higher priority and cut-backs will have to occur to support those.
Mark Ross noted that this likely means IFAS IT will not get the much needed fileserver space. Dan responded that it depends on what the Taskforce recommends and how that is received by administration. Dan also related that he is going to try to get the Taskforce to consider various funding models that might permit desperately needed IT service expansion. Much discussion ensued, but the question really comes down to either convincing all/most units that some IT services are best handled centrally--or setting up services that are funded for and by only those units wishing to take advantage thereof. Steve believes that the latter model has a better chance of successful implementation, because it could be done essentially from the IFAS IT level downwards, without requiring the commitment of political collateral by upper administration. This would require a carefully planned SLA for services offered in this fashion, and would naturally favor the richer units who could afford those services; but that disparity might eventually magnify our overall needs to the point where they could be more easily addressed by central administration on behalf of all. That might be the way to grow our base level services which we could supply (reliably) to all. The alternative is to continue leaving units (that can afford it) no choice but to invest in individually duplicated services to support the needs of their faculty. CREC and Animal Science are our premier examples and it is practically unconscionable to argue with their methodology given its success and in light of the overall IFAS IT funding situation.
Review of our anti-SPAM methodologies:
Dan is still trying to figure out the logistics of how to pay the $500 needed to obtain the source code to an Exchange filter which was developed for us by a Czechoslovakian programmer. That code would allow us to convert the Gatorlink SpamAssassin scores to their equivalent IMF Exchange marking so the Gatorlink system can be used as an extension of our own anti-spam setup.
Status of ICC and ITPAC recommendations on standardizing IFAS e-mail addresses:
Dan is basically waiting on a response from Jimmy Cheek and is anxious to start getting out IFAS-All notices relating to the proposed change. We wanted to provide six months' notice, but that is already impossible if we are shooting for a Xmas holiday implementation.
John Bevis, Assistant Director of CNS, has valid issues regarding the resources to support our forwarding automation requirements (preventing mail loops for example), but Chris indicated that those processes now housed with Open Systems and the Gatorlink e-mail system may be moved to PeopleSoft under Mike Conlon's (head of the Bridges Project) control in the September-February timeframe. Chris Hughes reports that support appears to be there from Mike Conlon for the central coordination needed for our proposal to be successfully accomplished. Mike Conlon was agreeable to adding processes into the Gatorlink management system that would control Gatorlink forwarding and preferred e-mail addresses based on the "Network Managed By" (NMB) field. That could provide the needed integration between Gatorlink and Exchange.
There was a brief discussion about how our proposed e-mail changes would require all IFAS users to check their e-mail at IFAS; users could not use both Gatorlink and IFAS e-mail accounts, checking each separately. Dan said his plan is to switch everyone to that initially and perhaps provide manual overrides for individuals should that prove necessary. Mark Ross pointed out that allowing exceptions is a patently bad idea because that is contrary to the intent of simplifying and automating our processes so we can manage them well with our minimal staffing.
Office install point documentation status and the ITPAC recommendation on Changing IFAS IT e-mail client support:
This recommendation proposed 90 day prior notice for dropping Help Desk support for all e-mail clients other than the latest version of Outlook and OWA. It was contingent on first making Outlook 2003 available to all. We have a production install point (albeit publicly undocumented). Steve asked what our next step should be considering that there is another ITPAC meeting on August 18th.
Chris Hughes has seen some issues with the older Outlook clients that are throwing event errors in Exchange. Steve said this is all waiting on an official announcement and a plan for getting the new client out to those who call wishing assistance with e-mail.
Steve asked Dan if we needed anything from administration to proceed and Dan replied that he didn't think that administration was very strong in supporting this recommendation. A discussion ensued on the entire process of the ICC making recommendations to ITPAC which in turn makes recommendations to administration. The problem, as the ICC sees it, is that administration does not respond to the recommendations--either yea or nay. Once recommendations are made from ITPAC the entire process becomes very nebulous. ITPAC gets no formal feedback from administration that might guide it and the ICC to improve the efficacy (or at least efficiency) of the recommendation process. Without that, one wonders if the ICC to ITPAC pathway is worth the effort expended, or whether the ICC would be better off spending its energies elsewhere.
Chris Hughes reported that he recently received an e-mail from Joe Joyce stating that Joe will soon have a meeting where he will explain the reasons why administration has not been giving such responses. Steve asked Chris if he had heard back from Jim Syvertsen, ITPAC chair, on his request for follow-up on ITPAC recommendations. Chris said that Jim thought follow-up by ITPAC was inappropriate. Dan said he felt Joe Joyce would tell us that when we get no answer, that is an answer. The ICC realizes that the VP's office and the Deans have many issues requiring their attention and that IT issues may often be among the least of their concerns. We feel, however, that feedback on whether a recommendation is being accepted, dismissed, or deferred pending...something, is important to the process as a whole. We need that guidance as to what matters administration feels we should focus on so that we won't waste time addressing issues they deem unimportant, but rather can focus on those which are of greater concern to IFAS.
Microsoft contract support for IFAS:
Chris Hughes reported that Marc Hoit indicated UF may be expanding the MS support contract to cover all of UF. Chris also said an (undisclosed) person has been earmarked for the third UFAD position, that they are qualified, and that they are being moved over from another area. This is supposed to happen quite soon. Chris said that the UFAD organizational structure whereby Mike Kanofsky is paid through CNS will be addressed when "something happens at CNS"--meaning it is not deemed as an important issue until problems at CNS are fixed.
Proposal for migrating all IFAS subnets to private IPs:
Steve asked where we were with this. Chris Hughes indicated that it was in progress and proceeding well. It is being coordinated with the various sites and they are fixing printers first. Marshall Pierce is the lead on that, and he is being assisted by Chris Leopold.
Status of the IFAS Remedy trouble ticket system:
Steve reported that he has been trying to use the system. As near as he can tell, e-mail notifications are not working in all cases. Steve has a ticket in there right now (#246538) detailing his testing--this should be addressed by Adam Bellaire as his time permits. Steve also reported that he has been looking in the queue a lot and that some tickets have been languishing in the queue for undetermined reasons. Steve has raised the question with Chris Leopold and Dan Christophy and has not heard back. There appears to be a workflow issue going on and Steve doesn't know if it is due to tickets not being assigned in some cases or what. Mark Ross and Joe Spooner confirmed that they were not getting tickets which they had submitted addressed in a timely fashion unless other methods of notification than Remedy are used.
Both Dennis Brown and Winnie Lante said they had requested access to the system from Dan Christophy, but had not heard anything back. That problem may lie with Adam Bellaire's workload, but it was recommended that Dan cc the requester when he e-mails Adam on those so that ICCers at least know that Dan himself isn't the holdup on that. Steve also recommended that all tickets be assigned to someone rather than have any tickets closed that are just assigned to the Help Desk in general. That would help greatly with workflow tracking. Chris Hughes said that ticket assignment, at least to department, based on NMB is going to be implemented very soon--they are just waiting on completing the list of support people for each unit.
Mark Ross mentioned having submitted a ticket about needing the UF Guest password for the day and that this wasn't handled well. Chris Hughes reminded folks that the ICC is no longer getting those due to our new listserv confirmation settings, but that you can request to be added to that list individually by contacting Fran McDonell. This will only be necessary until the September timeframe when an alternate web-based solution will be made available.
Regarding the Remedy system, Steve said that he sees that things are working pretty much as they always have, but now we can document how support is handled by using this system. Steve feels that use of this system may eventually result in improvements in our support system overall--as long as people start using it and following up on the results seen.
Using Outlook/Exchange capabilities for handling ICC business...e.g.: Organize Meetings with Outlook:
Steve mentioned that he had submitted an ICC meeting request via Outlook for this month. He showed how the tracking of that looked from within Outlook. Steve also stated that he will use both that and the listserv method for notification until such time as the distribution list can be brought in line with the listserv memberships.
Dennis asked why this item keeps being listed as a standing issue, since IFAS has decided to not go that route. Steve responded that it is a continuing issue, including how IFAS will handle this matter for itself. There is at least one unspecified unit that currently intends to go wallplate.
Contact and services documentation--the continuing saga:
Steve reminded folks of Ben Beach's effort for providing IT support contact information for the counties and RECs.
Joe Spooner gave a summary of where we are with this. The group hasn't met in a while but will hold a public meeting in the ICS conference room on July 14, 2005, 9am - 12pm. Dan Cromer said that Pete Vergot, chair of the Taskforce, also has agreed to give a presentation to IFAS IT on Monday the 11th at 10AM, to explain and clarify the Taskforce for them.
Reporting on the progress of the various Taskforce sub-committees, Joe said that the web portion was complete and that there was actually a position posted and closing today for IFAS Webmaster. Dan Cromer stated that this position came out of an open position in IT/SA, so this is not really the creation of a new position, but rather a reassignment of priorities within IFAS IT. Dan expects to receive the funds for the hardware portion of this new web initiative from Joe Joyce in a meeting he has scheduled with him for the 22nd--unless Joe contacts him on that sooner. Chris Hughes suggested, in that case, we wait on the DNS and DHCP server purchases so we can pool these into one order for which he has finagled an extremely good discount with Dell.
Curious from the IFAS-All message of Jimmy Cheek which mentioned the creation of an IFAS web team headed by Jack Battenfield, Chris Hughes asked about Liz Felter and how she plugs into this. Joe responded that Liz is from Don Poucher's area and that she has a background in marketing but understands IFAS extension and research well. She will be the Content Development and Training Manager and as such will help craft the messages which IFAS supplies to its clients.
The sub-committee which Joe Spooner is on is doing a review of the 1997 report and then following that up with proposals for new IT processes to the Taskforce for discussion. Joe once again urged ICCers to get involved in this process by getting on the Taskforce list, reading the meeting notes and joining in the discussion by providing your thoughts on these issues.
The third portion of the Taskforce is preparing a survey asking end-users for their needs. Marion Douglas is the chair of that part and he told Joe that they are pretty much done developing the question set and the next step is to have it reviewed by Glen Israel before it is distributed. Chris Hughes expressed interest in seeing the survey questions and Joe said he would request of Marion that he send that list to the ICC-L.
Kevin Hill, AD chair, mentioned that since the committee hasn't been meeting regularly, there is little to report. There have been some notifications from the UFAD group about changes at that level--including the paring-down of the ADM template storage space on the DCs which should help replication for remote sites. Kevin did mention that he is still seeing re-population of deleted NMBs and is currently handling that by throwing those folks into a "disable access" group. Kevin urged other OU Admins to make use of the User Lookup Tool Chris Hughes has provided, to see what permissions that terminated users may have and then react accordingly. Chris said that this re-population problem will be fixed with the implementation of the new Gatorlink processes in September.
Mail-enabling all IFAS users:
Eventually all IFAS users within AD will be mail enabled--which means they will all show up in the GAL. There are three holdups on that. One is getting rid of the contacts for Animal Science; David McKinney has responded with all the Gatorlink matches for those, so that one is in Chris's court. Chris is still waiting on the matchups from CREC. For VetMed, we have to get permissions over their OU in order to mail enable their users. VetMed is a unit which Joe Joyce said would be separate from IFAS, but who will be included in our Exchange GAL. The mail enabling has been all set up to occur upon the click of a button. As far as the contacts, however, we will want to do this over a long weekend to accommodate the address book updates. Chris expects this to be completed in six weeks or so.
John Sawyer was unable to make our meeting.
Plans for re-enabling Windows firewall for IFAS:
Steve wanted to mention that John has been working on this configuration and once it is finalized, he intends to re-enable the Windows firewall on all IFAS machines. Chris Hughes said that IPsec will be turned on for all IFAS servers--which will prevent Win9x clients from connecting, among other things. Chris mentioned that the recent Veritas exploit, which compromised basically all of our servers which were on public addresses, would have been prevented if IPsec had been on those--but we had been waiting for the July 1st Win9x removal deadline before doing that. Steve mentioned that John has been considering limiting access to the Backup Agent port 10000/TCP (yes, an agent that works as a server--go figure) from only necessary connecting servers as well. A lot of servers have been moved to private IP as well--another security measure that would have prevented this most recent exploit. Chris said that a lot of things would be done with IPsec that will help make us considerably more secure in the future.
In a follow-up discussion on the Veritas enabled compromises, Joe Spooner mentioned that he is near completion of an automated process for disaster recovery on his servers and Dwight Jesseman is making that a high priority for other IFAS servers. Apparently, Kathy Bergsma has the sole discretion on whether compromised servers have to be rebuilt or not. IFAS did finally manage to get an exception for some of their most difficult to rebuild servers (Exchange).
Chris mentioned that they are in the beta program for the Microsoft Data Protection Manager with which we may eventually replace Veritas for backup. Chris hopes they can get on the Technical Adopter Program Service (TAPS) for that beta product, which would give them direct access to the developers during beta testing. IT/SA is already on the TAPS for Longhorn and it will be deployed at a remote site.
Machine startup-script changes:
Chris reported that these will be modified to accumulate "installed software" and "services" configuration data into our SQL database for security purposes. This will allow us to better find exploited machines and to find machines that have installed software which may be affected by new vulnerabilities. That would allow us to patch those in a more timely manner. Chris expects this will add 20-30 seconds to the startup time. Once it is ready, Chris will get a copy out to folks who are on remote links so that they can test it and see how long it really does take.
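The two questions the inventory data is meant to answer (which machines run software affected by a newly announced vulnerability, and which machines have had their anti-virus service stopped) can be illustrated with a small mock-up. The following is an added example, not the IFAS startup scripts or their SQL schema, which are not on the page; it assumes a two-table schema in an in-memory SQLite database, uses constructed sample records of the kind a startup script would report, and uses hypothetical product names. "McShield" is the McAfee VirusScan on-access scanner service name.

```python
"""Added example: an inventory store fed by per-machine startup-script reports.

Assumed schema (not the IFAS one): installed_software(host, product, version)
and services(host, name, state). Sample rows below are constructed.
"""
import sqlite3

# Constructed sample data: what each machine's startup script would report.
SAMPLE_SOFTWARE = [  # (hostname, product, version) -- product names are hypothetical
    ("ws-plp-01", "Acme Backup Agent", "9.1.2"),
    ("ws-plp-02", "Acme Backup Agent", "9.1.5"),
    ("srv-file-1", "Acme Backup Agent", "9.0.0"),
    ("ws-plp-02", "Example Reader", "7.0"),
]
SAMPLE_SERVICES = [  # (hostname, service name, state)
    ("ws-plp-01", "McShield", "running"),
    ("ws-plp-02", "McShield", "stopped"),
    ("srv-file-1", "McShield", "running"),
]


def build_inventory_db(software, services) -> sqlite3.Connection:
    """Create the assumed schema and load one startup-script run per machine."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE installed_software (host TEXT, product TEXT, version TEXT);
        CREATE TABLE services (host TEXT, name TEXT, state TEXT);
        """
    )
    conn.executemany("INSERT INTO installed_software VALUES (?, ?, ?)", software)
    conn.executemany("INSERT INTO services VALUES (?, ?, ?)", services)
    conn.commit()
    return conn


def version_key(version: str) -> tuple:
    """Turn '9.1.2' into (9, 1, 2) so versions compare numerically, not as strings
    (as strings, '9.1.10' would sort before '9.1.2')."""
    return tuple(int(part) for part in version.split("."))


def hosts_with_vulnerable_version(conn, product: str, first_fixed_version: str) -> list:
    """Hosts whose installed copy of `product` is older than the first fixed release."""
    rows = conn.execute(
        "SELECT host, version FROM installed_software WHERE product = ?", (product,)
    ).fetchall()
    fixed = version_key(first_fixed_version)
    return sorted(host for host, ver in rows if version_key(ver) < fixed)


def hosts_with_service_not_running(conn, service_name: str) -> list:
    """Hosts reporting `service_name` in any state other than running,
    e.g. an on-access scanner that has been stopped on the box."""
    rows = conn.execute(
        "SELECT host FROM services WHERE name = ? AND state != 'running'",
        (service_name,),
    ).fetchall()
    return sorted(host for (host,) in rows)


if __name__ == "__main__":
    db = build_inventory_db(SAMPLE_SOFTWARE, SAMPLE_SERVICES)
    print("patch first:", hosts_with_vulnerable_version(db, "Acme Backup Agent", "9.1.5"))
    print("AV not running:", hosts_with_service_not_running(db, "McShield"))
```

The version comparison is the part worth getting right: a plain string comparison in SQL would mis-order two-digit components, so the query pulls the rows and the comparison is done on numeric tuples in Python.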
ePO reorg and exclusion lists:
Chris said that the plans are in progress. He is making changes slowly. Kevin and Dwight have been the only ones to supply exclusions currently. The timeframe on this will likely be two months from now--it depends on how some of the other projects go. The agents will be configured to try to install the agent on other machines which appear on the subnet. This self-perpetuating scheme should help ensure that the agent is widely deployed without relying on login scripts or manual installation. This is also how some of the DATs will be deployed, pulling from other XP machines on the subnet rather than from the ePO server. We will have coverage reports that compare to machines in AD and e-mail the respective OU Admins about potential problem machines with regards to update status or other McAfee problems. The downside of this reorg will be the difficulty of managing exclusions. Outside of the many that Dwight has for GroupShield and a couple for Kevin, however, there have not been many of those--so it is hoped that will remain manageable. Excluded items will be placed on the multi-purpose servers in a share that is accessible to everyone--and that is where the security tools will be. If you need a tool added to that location, e-mail ITNS and it will be added "el pronto" and replicated out to all servers. The scheme will prevent a virus from looking at your exclusion list and using those areas as entry points.
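The coverage report described above (machines in AD compared against what ePO knows, with the OU Admin told about the stragglers) can be sketched as follows. This is an added example and not the IFAS ePO tooling; it assumes two exports, AD computer objects with their OU and ePO agent records with DAT version and days since last contact, both constructed here, and it only builds the notification text rather than sending mail.

```python
"""Added example: per-OU ePO coverage report from an AD export and an ePO export.

Both inputs below are constructed; the thresholds are assumptions.
"""
from collections import defaultdict

AD_COMPUTERS = [  # (hostname, OU the computer object lives in)
    ("ws-plp-01", "PlantPath"),
    ("ws-plp-02", "PlantPath"),
    ("ws-ans-01", "AnimalSci"),
    ("srv-ans-1", "AnimalSci"),
]
EPO_AGENTS = [  # (hostname, DAT version reported, days since the agent last checked in)
    ("ws-plp-01", 4530, 0),
    ("ws-plp-02", 4521, 1),
    ("ws-ans-01", 4530, 9),
]


def coverage_report(ad_computers, epo_agents, current_dat, max_dat_lag=3, max_silent_days=7):
    """Return {ou: [(host, problem), ...]} for every AD machine needing attention:
    no agent at all, DAT more than `max_dat_lag` releases behind, or an agent
    that has been silent longer than `max_silent_days`."""
    agents = {host: (dat, days) for host, dat, days in epo_agents}
    problems = defaultdict(list)
    for host, ou in ad_computers:
        if host not in agents:
            problems[ou].append((host, "no ePO agent reporting"))
            continue
        dat, days = agents[host]
        if current_dat - dat > max_dat_lag:
            problems[ou].append((host, f"DAT {dat} is {current_dat - dat} releases behind"))
        if days > max_silent_days:
            problems[ou].append((host, f"agent has not checked in for {days} days"))
    return dict(problems)


def format_notice(ou, problems):
    """Body of the message the OU Admin for `ou` would receive."""
    lines = [f"ePO coverage report for OU {ou}: {len(problems)} machine(s) need attention"]
    lines += [f"  {host}: {problem}" for host, problem in sorted(problems)]
    return "\n".join(lines)


if __name__ == "__main__":
    report = coverage_report(AD_COMPUTERS, EPO_AGENTS, current_dat=4530)
    for ou, problems in sorted(report.items()):
        print(format_notice(ou, problems))
        print()
```

A machine that is in AD but absent from ePO is reported separately from one whose agent is merely stale, because the fix differs: the first needs an agent install (or the peer-install scheme described above to reach it), the second needs someone to look at why the existing agent stopped talking.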
Steve wanted to mention that he had a problem getting VirusScan updates to run on a particular system and had received excellent help from John Sawyer with that. Steve has documented those steps within the ePO section of the IT/SA Services Documentation pages which he maintains (OU Admin credentials required for access).
Report(s) from IT/SA
Dwight Jesseman was not at the meeting, but was taking a well deserved comp-time supported vacation.
Chris reported that MOM is doing great. Within two weeks, Chris expects to be able to give OU Admins access to view their own servers in MOM. The webpage is up if you want to view the status--Chris will e-mail that link to the ICC as soon as he fixes the DNS entry to something more friendly. MOM has already detected a number of problems before they could become failures--so it has paid for itself. Steve related that John was interested in what it could provide us for spotting exploits. It would report when the VirusScan service has stopped, for example--a common means used by exploits. Chris wanted to get that word out that if you order a server, be sure to order a $147 MOM license for that. Chris said he will send the part number out to the ICC-L. We have licenses for all servers that were present at the time we ordered MOM, but new servers will need that license. MOM can monitor workstations, so if you have that need, let Chris know. Chris has 2 MOM servers configured in a load balanced arrangement. This allows one server to notice should the other fail as per MS recommendation. The configuration also allows for scalability--currently we could handle monitoring about 5000 machines, so we have plenty of capacity. Dell Open Manage reports through MOM as does the HP Insight Manager.
Providing file sharing services within IFAS:
Mike Ryabin was seeking clarification on how to coordinate local file services with central IT file services. Mike wants to propose to the Ft. Lauderdale computer committee that they purchase fileserver space so they can get end-user data off their desktops and to a place where it can be reliably backed up. Chris pointed out that the multipurpose server there has 50GB of space which can be used for this purpose and that if more was wanted, they had two server suggestions--one for internal backup and another for external backup. Dwight Jesseman is the contact on these sorts of things, but Chris offered to send Mike the server specs today; they are for a 1.2 TB server with an external backup drive w/case that would provide a week's retention at a cost of roughly $16,000.
Chris said he will be collapsing shares on the multi-purpose servers and NT-file soon. He will notify a unit when he does that, but basically he will modify your login scripts so they map in past the collapsed shares to individual directories. This is something that was not available in the older versions of our operating systems, but which we can now take advantage of to simplify our sharing structure. Chris expects to reduce our number of shares from the thousands down to the tens range so we can add them to DFS and make our shares available to collaborators throughout the world via WebDAV.
Changes in IFAS IT personnel:
Dan reported that Francis "Fergie" Ferguson is now covering (as OPS) the two districts formerly handled by Valerie Carter (who has left to work for the county) and David Ayers (who is retiring shortly). Francis is an excellent potential candidate for filling one of those two positions. All the district support positions will now be classified as IT Expert. Dan mentioned that the 1997 taskforce report specified that there should be 2 support persons for each of the 5 districts--something which he will reiterate to the current committee.
Chris mentioned that people wanting multi-purpose servers backed off-site should contact him and he will move your most recent full backup to Gainesville.
The meeting was adjourned at approximately 12:20pm.