

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM July 9th 2010 REGULAR MEETING


A meeting of the ICC was held on Friday, July 9th, 2010 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-two members participated.
 
Remote participants: David Bauldree, Bill Black, Allan Burrage, Andrew Carey, Lance Cozart, Dan Cromer, Jennifer Dawson, Scott Jones, Kamin Miller, Marvin Newman, Scott Owens, Mike Ryabin, Louise Ryan, and Matt Wilson.
 
On-site participants: Dennis Brown, Francis Ferguson, Wayne Hyde, Winnie Lante, Steve Lasley, James Moore, Santos Soler, and Ron Thomas.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Louise Ryan is retiring and will be replaced by John Wells next Monday the 12th. We all wish Louise the best and look forward to getting to know John.

Louise is moving back to Michigan. Dan Cromer pointed us to Louise's Web site where she has some of her original artwork available; Dan suggested that Louise might now have more time to devote to her art.

Dan Cromer reported that Daniel Solano has accepted a position working for Dave Gagne in Operations Analysis; his last day with us here will be July 22nd. Daniel has had a split position with IFAS where IFAS IT paid half his salary at FSHN in return for him performing Help Desk duties. Dan Cromer said he will need to talk with Dr. Neil Shay at FSHN (who is also leaving BTW) to see if the split-appointment situation might be continued with a new hire.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling

We are still awaiting details about the reported plan to provide some subset of individuals access to schedule their own videoconferences on TMS.

Office Communicator infrastructure status (previous discussion)

Erik Schmidt formally announced the availability of OCS via an e-mail to the ACTIVEDIR-L list in late June:

Message to the ACTIVEDIR-L from Erik Schmidt:
"[ACTIVEDIR-L] Office Communications Server (OCS) Now Up and FREELY Available to Campus!" 6/29/2010 2:47 PM


Folks:

It is with great pleasure that I am able to formally announce the availability of OCS for all UFAD-authenticated users on campus! Please share the word with others that may not have received this message!

If you’re not familiar with OCS, have a look:

http://www.microsoft.com/communicationsserver/en/us/default.aspx

OCS allows you to:

  • Have ‘instant message style’ conversations along with voice and video calls right from your desktop computer.
  • Transfer/share files with whomever you’re chatting with.
  • Remote control the computer of whomever you’re chatting with (with their permission) – GREAT for remote IT support!
  • See someone’s availability before disturbing them with a chat session or video call.
  • Host or attend ‘virtual’ group meetings.
  • Initiate conversations from within Communicator, Outlook or SharePoint, or from the web using almost any browser!
  • Teach virtual classes including the use of whiteboards, application sharing and even hand raising for questions.
  • Incorporate with larger meetings taking place in Polycom equipped rooms.

UF-OCS is:

  • Offered as a service of the UF Microsoft Applications Group (MAG), or the artist formerly known as UFAD.
  • Federated with other OCS implementations such as Microsoft and Indiana University, so that you can have voice/video calls with them.
  • Integrated with many other Microsoft products so that features work across the applications you’re already familiar with.
  • Capable of working from just about anywhere – we tested video from a wireless connection on a Delta flight somewhere over Kansas…
  • Fully redundant and reliable – built for the masses.
  • FREE of charge to UF departments.
  • Available to you NOW!
  • Did I mention FREE of charge to UF departments?

Please contact support@ad.ufl.edu for more information, or to get started using OCS in your department! Lessons and ‘guided tours’ are available at a MAG support shop near you!

-Erik

As mentioned at our last meeting, however, there are concerns over whether long-term funding will be forthcoming. Steve has heard some rumors about Mike Conlon leaving, and Tim Fitzpatrick taking over the UFAD/Exchange/OCS/SharePoint group (aka the Microsoft Applications Group or MAG). There are some indications that CNS might not be as supportive of MAG as Mike Conlon has been in the past, and Tim expressly said at the June ITAC-NI meeting that he did not have the budget within CNS to support continuing eCALs or the campus server licenses. If true, the future may bode ill for centralized support of the very functions which IFAS has fought for and supported over the last 8 years.

Dan Cromer responded that he thought there had been a public announcement that Mike Conlon had moved to a different position effective July 1st. In any case, that part of the "rumors" is indeed fact. Our new CIO, Elias Eldayrie, apparently sent out a message to some undisclosed group wishing Dr. Conlon all the best in his new venture and that he was assigning MAG to Tim Fitzpatrick as an interim assignment. Apparently he felt the MAG group required supervision during this transition and he didn't want Erik reporting directly to the CIO.

Dan went on to say that a meeting of the UF IT Management Council is planned for August 3rd and he is certain that this issue will be discussed further at that time. Dan has spoken with Elias on several occasions and the CIO is adamant about seeking collaboration at least from the rest of the management team. Dan also suspects the CIO will host several open forums on various topics fairly soon as a way of including everyone.

Steve asked which members of the CIO Leadership Team would be directly involved in this UF IT Management Council. Dan responded that this consisted of eight individuals, four of whom report directly to the CIO. Those direct reports are:

The other four members represent the four arms of the University:

This team of eight will meet with the CIO monthly to discuss various topics which impact UF IT.

Dan pointed out that Elias is currently in a "drink from the firehose" mode trying to quickly learn as much as he can about UF's diverse infrastructure. His first priority has been to talk with Deans and Directors and ask them how they feel IT is functioning--rather than ask the IT people themselves. Dealing directly with IT staff has taken a backseat while he gets oriented.

As mentioned, Dan will have monthly meetings with the CIO as a member of the management team, but he will have individual biweekly meetings as well.

Steve asked Dan if he had any current opinion on where the MAG might best be housed. Dan responded that as soon as he heard that MAG was being moved, at least temporarily, under the Infrastructure Team and Tim Fitzpatrick, he suggested to the CIO that SharePoint, Exchange, and OCS be considered University Systems similar to PeopleSoft and Sakai.

This was prior to Dave Gruber being appointed, however, and Dan said that he hasn't had the chance to talk with Dave Gruber about the matter yet. Dan said that he would try to talk to Dave before the August 3rd meeting. He has talked to Fedro, however, who Dan says shares his opinion that University Systems would be a better fit. Dan also said that he and Fedro both feel it important that the MAG be kept intact and working together on their various projects rather than be split up among various units.

Steve suggested that merging MAG into CNS might raise the issue of supporting duplicate services. Gatorlink e-mail vs. Exchange and OCS vs. the upcoming Cisco solution would be two examples. CNS might try to make the case that OCS be dropped for Cisco, for example. Steve would like to point out that IFAS is a Microsoft shop and has put considerable effort into building on Microsoft solutions over the last 8-plus years. Starting over just as we are getting these new services rolling would be a huge setback for IFAS in Steve's opinion.

Dan Cromer said that he feels Tim Fitzpatrick has the best interests of UF at heart in trying to support IT for the University of Florida. While Steve doesn't doubt that, he also knows that IFAS has its own perspective and certain unique and individual needs. Consequently, Steve feels we need to consider the needs of IFAS IT foremost. Dan agreed and said that having him on the IT Management Team should benefit IFAS IT as a consequence. One way or another Dan expects IFAS to continue with OCS and Exchange because those services best meet our needs.

Dan pointed out that eCALs are required for SharePoint and the current undergraduate catalog is in the SharePoint environment with everybody moving in that direction. He sees no possibility that they won't be funded. Those eCALs also give us inexpensive access to OCS whose infrastructure is already in place, so Dan feels OCS and any Cisco solution should be able to coexist. The eCALs also give access to other useful technologies such as Forefront Endpoint Protection which Wayne Hyde is investigating as an eventual McAfee replacement.

New VC gateway status (previous discussion)

Steve asked if we were SIP-enabling all the Polycom endpoints yet. Dan Cromer responded that they are still experimenting. While our OCS infrastructure is technically in production, there is a compatibility issue between the Tandberg VCS gateway and our OCS installation on Windows Server 2008 R2. Dan wasn't exactly clear on the details but it involved support for TLS. Until Tandberg releases a fix we are using a workaround which allows TCP Port 56 for our videoconferencing endpoints.

Dan noted that he had sent a message to the CCC list confirming that the Exchange Support Committee had approved a naming convention change for videoconferencing end-point UFAD user objects, using XX-VC-xxxx, where XX is the OU prefix, and xxxx is the locally chosen descriptive name. You can call a videoconferencing endpoint using OC if the endpoint has been:

  1. defined in UFAD,
  2. SIP-enabled, and
  3. defined to the Tandberg VCS.

This latter item is a several-step manual process that Patrick Pettus must perform. Once that is done you can add a videoconferencing endpoint to your contact list and call it from your OC. The H.323 endpoint can likewise call an OC client, though it is a bit of a pain to use the keypad to dial in (for example) dhcromer@ufl.edu to initiate the call. The limitation is that this is only available for point-to-point. Calling someone via OC and then trying to invite an endpoint as a third party does not work. Dan suspects this issue is somehow tied into the previously mentioned incompatibility issue. It would be nice to have that capability and not have to use the bridge.

Using the bridge for multiple mixed OCS/H.323 endpoint calls works fine and Dan has documented that on the Wiki. Dan Cromer would appreciate it if folks would look over that documentation and add to or improve it as you see fit. He has also started some documentation on Macintosh Messenger, which is the OCS client for the Mac. The Macintosh version can conference with other Messenger or OC users but it cannot connect to an H.323 endpoint or the Codian bridges--nor can it do Live Meeting.

The next version of Office for the Mac supposedly is due sometime this Fall and it is supposed to include Outlook for the Mac rather than Entourage and the OC portion would be integrated into that as well so it could work with Live Meeting. Dan feels not having cross-platform support is a serious drawback currently, even though we do not technically support the Macintosh.

Recording lectures for Distance Education (previous discussion)


Special topic...the Accordent Capture Station


Discussion

How did we come to acquire these Accordent Capture Stations?

Steve invited Ron Thomas to our meeting and Dan Cromer had agreed to ask Mark Rieger as well, but apparently Mark had a conflict. Steve asked Ron to explain how/where this project originated.

Ron said he believes this all began when he was traveling around the state with Mark Rieger last year. They had been asked to come by the RECs to talk to them about Distance Education and communication technology. They put together a presentation on that including various technologies such as WebCT/Vista (which is now converting to Sakai), the Elluminate collaborative software system, Articulate for PowerPoint narration as well as the Accordent Capture Station which Ron has been using within ICS for about three years. They have one mobile unit which Al Williamson operates and one fixed unit in G001 where Ron has his Distance Education Center.

Visiting Milton, Ft. Lauderdale, and Ft. Pierce among others, their presentation included the uses and advantages/disadvantages of the various products. One or two presentations were made here on campus as well. The technology which received the most interest from faculty members was the Accordent Capture Station. They liked that they could give their lectures in their normal fashion, have it captured and not have to change around their style of teaching very much. There was a lot of enthusiasm for the Accordent technology.

Ron wished that Dr. Rieger was available to speak about the Distance Education initiative which is being launched by the CALS Deans office, but he tried his best to explain that. Their plan is to convert 75% of all courses to Distance Education over the next three years involving some form of on-line courses. The reasons behind this include reaching more people and saving money. A task force report has been issued which Ron believed Dr. Rieger could make available to us if we wanted.

This new initiative provided further incentive for the faculty to use the Capture Station to record their in-class lectures and, in some cases, record to an empty room.

A big pool of money became available either from stimulus funds or other end-of-year leftovers and Mark Rieger instructed Ron to buy 16 Accordent Capture Stations and distribute them to the departments and RECs which are most involved in Distance Education. Consequently, Ron ordered those through VSGI at a great discount; they retail for $15k and we obtained them for $9k each. A 3-year service and support plan (ufad\if-admn credentials required for access) was obtained as well for $2500; this is a big discount as well since we had been paying about $1500/yr individually. The support agreement document outlines what level of service we should expect for various issues which might arise.

They also purchased a number of copies of Articulate including the Quizmaker and Engage components as well as the Adobe E-Learning Suite. That latter package contains Adobe Presenter which is similar to Articulate and Captivate which is a screen capture program like Camtasia. They obtained a very good price ($254) on the Adobe product. All these funds were made available to buy these products in order to assist departments in achieving this goal of converting courses to an on-line form.

Progress report on installations

VSGI delivered the Accordent Capture Stations to campus and to the RECs and Ron hired Professional Communications Systems (PCS) to do the integration with existing cameras and microphone systems--most of which were Polycom. PCS was chosen because they have the service contract for the Distance Education Center in McCarty G001 and have worked with the Accordent there. Ron believed they had more familiarity with the Accordent system than it turns out they did.

At this point most of the sites on campus and at the RECs have been integrated, although they still need to come back to a number of sites and provide splitters and other needed components which they did not have available upon their original visit.

Last Tuesday Entomology was among the first to engage in a WebEx session with Daniel Solteldo of Accordent (along with Santos Soler) to begin setting up the system basics and connecting to the IFAS web and media servers for remote storage of the Accordent recordings. After realizing the time which would be involved to repeat this process 16 times across IFAS, Daniel stated that it was his intention to use Steve Lasley's system as a template for developing written configuration instructions. That would provide us written documentation for future use as well. Steve mentioned that he would appreciate another session with Daniel now that he has had the time to learn a bit more about the system.

Improving communications between Distance Ed and the IT support folks

Steve said that he felt rollouts such as this would go smoother if IT was involved earlier on. Steve believes it would be good to get everyone involved with the technology side of Distance Education talking so that we might best work together to meet whatever goals are being set. He asked Ron if he had any ideas on how we might improve that aspect in the future. Ron admitted that he hadn't anticipated the difficulties IT support folks might face with configuration and integration as well as having the time to provide ongoing support in using the equipment. In hindsight Ron feels he should have contacted the ICC at the time the funds were made available and before purchase. If anything like this happens in the future Ron said that he will be sure to see that we do get plugged-in as early as possible.

Dennis Brown suggested, and Ron concurred, that it would be good for Ron to attend ICC meetings on occasion. This forum is a good way to get information out as well as to get feedback from the folks who will be managing things at each site.

The training component

Allan Burrage at CREC said that he only discovered a Capture Station had been shipped to a local professor the day before the installers arrived. He basically had no clue about what was going on and no idea about what was being expected of him. Allan mentioned that the librarian there, Jen Dawson, generally handles videoconferencing for CREC and Allan is going to have to help her. Allan asked if there was any non-technical documentation oriented more to users of the system.

Ron responded that there has been no training yet. Ron feels that the hardest part of this project will be the integration and configuration. After that, Ron has found the operation to be fairly simple. Ron feels the system is robust and they have had very few technical problems. It is easy to operate and doesn't take a lot of time for Ron and his staff and he is hoping it won't take a lot of time for the various IT support folks. The training component necessarily has to come last, however; integration and configuration must first be completed. Training will be offered, however, and that is coming up soon now. Ron mentioned that anyone involved with this rollout that is not on the ACCORDENT-L list should please get with him so they can be added. That list will be the primary way to get information out to folks. As part of our purchase Accordent offered training and Ron is going to work out the details of that. ICS will be involved in that and fill in any gaps or offer subsequent training based on their knowledge and use of the system over the past three years. Those details are expected to be worked out next week and then Ron will have something to tell us via the listserv.

Configuration and use

Steve pointed out that he feels there are basically two ways of handling the use of these systems. One involves Ron's situation where support staff operate the equipment, start/stop and monitor the recording sessions. Mike Ryabin in Ft. Lauderdale intends to follow that model as he has OPS staff for that purpose. Because this software requires running under a privileged account Steve feels having trained staff is the only way to go if you plan to run this directly from the Capture Station.

The other option is to let the instructors themselves handle the recording by using the web interface. That is the option which Steve is trying to configure. The Accordent Capture Station itself will not be accessed directly (though Steve plans to monitor and manage it remotely via Remote Desktop). Steve briefly demoed what the web interface involves. Basically, you create usernames and passwords (within the Capture Station--not linked to UFAD) which instructors would use to logon. Those accounts are tied to settings files which control most aspects of the recording including where the files are stored. The instructors would only have to add a bit of metadata relating to the recording session which would describe the session for those viewing it and help with organizing and locating it later.

The ACS web interface

The "Interface" selection refers to the "Skin" used, which controls the overall look of the captured presentation. We might only need one of those, but various layouts could be created should the need arise. Ron mentioned that they had developed three templates, each of which basically uses a different logo in the upper left corner of the screen for use with IFAS, CALS or Extension presentations. Steve developed a skin that replaced the logo with one specific to the Entomology Department and that single skin may suffice for his needs.

Besides the obvious metadata, the folder name provides the instructor a way to control the URL which can be provided to students for later viewing. The settings files control the rest of the storage path. Steve plans to have a separate settings file for each instructor account which will store things on the media server and web server under a folder name by instructor. For example, in the above example, the A/V components would go to \\if-srv-video\video\ENTNEM\lasley and the web components would go to \\if-srv-web\websites$\entnemdept.ifas.ufl.edu\accordent\lasley. The folder name picked in the dialog above would create yet another folder below these locations and the resultant URL for viewing would be, for example, http://entnemdept.ifas.ufl.edu/accordent/lasley/icc (had ICC been specified as the "Folder Name" in the dialog).
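The following PowerShell function is an added illustration of the storage layout described above; it is not code from the ICC notes or from Accordent. It derives the media-server path, the web-server path and the viewing URL from the OU, the instructor account and the instructor-chosen "Folder Name", and rejects any component that is not a plain name, so a typed folder name cannot wander outside the instructor's own folder. The notes do not say how the Accordent software itself treats that field, so the check is an assumed site-side precaution; the server names and the `entnemdept.ifas.ufl.edu` site follow the example in the notes, and lowercasing the folder name reproduces the notes' "ICC" becoming "icc".

```powershell
# Added example, not from the ICC notes or from Accordent. Derives the storage
# locations and viewing URL for a recording from the layout Steve describes, and
# rejects folder names that are not plain path components. How Accordent itself
# treats the "Folder Name" field is not covered in the notes; this is an assumed
# site-side check. Server and site names follow the notes' example.
function New-AccordentPaths {
    param(
        [Parameter(Mandatory = $true)][string]$Ou,          # OU prefix, e.g. ENTNEM
        [Parameter(Mandatory = $true)][string]$Instructor,  # instructor account folder, e.g. lasley
        [Parameter(Mandatory = $true)][string]$FolderName,  # name typed into the "Folder Name" field
        [string]$SiteHost = 'entnemdept.ifas.ufl.edu'       # unit web site from the notes' example
    )
    # Only letters, digits, '-' and '_' survive. This excludes '\', '/', '..',
    # spaces and anything else that would let a name escape the instructor's folder.
    foreach ($part in @($Ou, $Instructor, $FolderName)) {
        if ($part -notmatch '^[A-Za-z0-9_-]{1,64}$') {
            throw "Rejected path component '$part': letters, digits, '-' and '_' only."
        }
    }
    # The notes show 'ICC' in the dialog becoming 'icc' in the URL, so normalise case.
    $folder = $FolderName.ToLower()
    New-Object PSObject -Property @{
        Video = "\\if-srv-video\video\$Ou\$Instructor\$folder"
        Web   = "\\if-srv-web\websites`$\$SiteHost\accordent\$Instructor\$folder"
        Url   = "http://$SiteHost/accordent/$Instructor/$folder"
    }
}

# Usage: the example from the notes, then a name that must be refused.
New-AccordentPaths -Ou ENTNEM -Instructor lasley -FolderName ICC | Format-List
try {
    New-AccordentPaths -Ou ENTNEM -Instructor lasley -FolderName '..\other'
} catch {
    Write-Output "Rejected as expected: $($_.Exception.Message)"
}
```

The first call yields `\\if-srv-video\video\ENTNEM\lasley\icc`, `\\if-srv-web\websites$\entnemdept.ifas.ufl.edu\accordent\lasley\icc` and `http://entnemdept.ifas.ufl.edu/accordent/lasley/icc`, matching the notes; the second is thrown out before any path is built.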

With the web interface Steve feels end-user training needs would be minimal. What Steve hasn't figured out however, is how to address the potential need for cleaning up the recording via PresenterPLUS. Steve thinks his stance will be that we won't generally support modifying the records due to the difficulties in providing safe secure access. Ron responded that ICS can certainly offer training on how to use the PresenterPLUS component should people want that. He said that he has not seen the need for much editing in the work they have done. Ron mentioned you can't really cut things at the start of the presentation without throwing off the sync with the slides. Steve mentioned that instructor-run recordings as he plans will definitely record leaving the presentation, going to the web interface, and shutting off the recording. He doesn't feel leaving that in will be too distracting, however.

Ongoing support

When Ron pointed out that Accordent has provided excellent technical support to them in the past, Steve asked if everyone had gotten their logons straightened out to access the Accordent Support Portal and Accordent University. If not, please get with Ron so that can be resolved. Steve mentioned that the Accordent University site has a video on how to submit a support request ticket.

Ron said that he has always handled system upgrades by putting in a support ticket. The Accordent support folks have then used a WebEx session to gain control and do the installation for them. Steve pointed out that this will be more involved should we move to Windows 7 on these boxes, however, due to needing to wipe and install a new OS. Dennis asked how often updates came out and Ron responded that they have gone through perhaps 2-3 upgrades in the three years they have had their systems. Ron also said that Accordent has made big improvements in the interface across these revisions and that is one of the reasons they like the company. Ron has had some things which were not working quite as they should and Accordent has addressed those in their revisions.

Steve mentioned that these units shipped with a driver for the capture card which has a memory leak requiring occasional system reboots. They do have a driver available for download to fix that, but Steve was a bit concerned that this newer driver was a beta version--particularly when Accordent warns users not to go to the card manufacturer's site for drivers as those have not been vetted to work with the Accordent.

Potential flexibility concerns

Mike Ryabin asked if it was true that the Accordent system could not export these presentations to some external video format; if not he saw that as a fairly serious weakness in the system. Ron responded that since this system combines the content and the video in its own interface there is indeed no in-built way to convert that all to another video format. Steve pointed out, however, that it is portable. The PresenterPLUS component can save the presentation to a .ZIP or self-expanding .EXE file and that can be placed wherever it might be needed--including on a CD or flash drive.

Should the Capture Stations be left running continually?

Dennis Brown asked about this and Ron replied that the systems should at least be restarted on occasion just as a maintenance reboot [likely due to memory leaks-Steve]. There is no reason the machines need to be on when not in use, however. Ron said that they shut theirs down over each weekend. Steve pointed out that system updates might be the main reason to leave them running at certain times outside use; we do need to make sure these keep patched and don't want the installation of patches to interfere with operations as might occur if they were only turned on when being used.

Thanks to Ron for coming today

Steve thanked Ron for coming today and being so willing to work with us as necessary to make this project as successful as it can be given the limitations we are under.

The remaining portion of this "special topic" section of the notes involves technical details which Steve has discovered or considered to-date based on his current integration and configuration experiences with his Capture Station.

Technical details from Steve's experience to-date

ACS is based on the aging Windows XP OS

These Accordent Capture Stations are Dell OptiPlex 780 desktop systems with third-party video/audio capture cards, built on Windows XP SP3. The plan is to join them to UFAD with a naming convention of "IF-ouname-ACS"; units receiving more than one station may add a numeric suffix. Since they are based on Windows XP and contain a variety of third-party client services as well as enabled Windows services such as IIS, the machines will need to be carefully patched and monitored. This includes installing antivirus software and managing user access.

Configuring for end-user access and use

Many hope that these systems can be operated by the instructors who will be using them, as staffing needs were not addressed prior to purchase. Since the software apparently must run as a local admin, there seem to be few options for providing access in a way which prevents a user from being able to hose the system unintentionally or otherwise.

Utilizing the web interface

The best solution appears to be to keep the system logged on at all times via a service account which is a member of the local admins group and permit instructors access only remotely via its web interface:

The ACS web interface

Following that model, Steve created a service account which has "log onto" rights only to IF-EYN-ACS.

The ACS web logon

He also added that service account to a security group created within his OU and to the local admin group on IF-EYN-ACS as well.

Steve configured this account on his Accordent system so the screen saver runs and password protects on resume. That will encourage that the system be left locked and running. He also used the TweakUI Powertoy for Windows XP tool to set the computer to autologon to the service account so he would not necessarily need to be available for reboots. To keep the system secure from local access with this autologon he is using an "autolock.cmd" file in the startup folder which locks the system automatically via the "%windir%\system32\rundll32.exe user32.dll,LockWorkStation" command. The idea is to prevent someone from walking up to the machine and accessing it locally, but at the same time making it operate as hands-free as possible.
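The script below is an added example, not part of the ICC notes and not Accordent's software; it audits, from the Capture Station itself, the "hands-free but locked" configuration just described: autologon to the service account, a password-protected screen saver, `autolock.cmd` in the Startup folder, and a review of who holds local admin. It assumes it is run in the autologon account's own session (the screen-saver values live in that user's HKCU), that the service account name is supplied in place of the placeholder (bare account name, without the domain prefix), and a site-chosen maximum screen-saver timeout of 15 minutes. The registry locations are the standard Winlogon and Control Panel keys.

```powershell
# Added example, not from the ICC notes or from Accordent. Audits the "hands-free
# but locked" setup described for IF-EYN-ACS: autologon to a service account,
# password-protected screen saver, autolock.cmd at startup, and who holds local
# admin. Run it in the autologon account's own session, since the screen-saver
# values live in that user's HKCU. The account name below is a placeholder.
param(
    [string]$ServiceAccount = 'SERVICE-ACCOUNT-PLACEHOLDER',  # assumed: bare name of the autologon service account
    [int]$MaxScreenSaverSeconds = 900                         # assumed site policy: console relocks within 15 minutes
)

$findings = @()

# --- 1. Winlogon autologon settings (machine-wide) ---
$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonPath

if ($wl.AutoAdminLogon -ne '1') {
    $findings += 'AutoAdminLogon is off: after a reboot the station waits at the logon screen.'
}
if ($wl.DefaultUserName -and $wl.DefaultUserName -ne $ServiceAccount) {
    $findings += "Autologon user is '$($wl.DefaultUserName)', not the expected service account."
}
# A DefaultPassword value in this key is cleartext and readable by any local user.
# Autologon tools such as TweakUI avoid that by storing the password as an LSA secret.
if ($wl.PSObject.Properties['DefaultPassword']) {
    $findings += 'DefaultPassword is present in cleartext under Winlogon; remove it and set the password through TweakUI instead.'
}

# --- 2. Screen saver of the current (autologon) user ---
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1') {
    $findings += 'Screen saver is not active.'
}
if ($desk.ScreenSaverIsSecure -ne '1') {
    $findings += 'Screen saver does not require a password on resume.'
}
$timeout = 0
if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
if ($timeout -le 0 -or $timeout -gt $MaxScreenSaverSeconds) {
    $findings += "Screen saver timeout is $timeout s; expected between 1 and $MaxScreenSaverSeconds."
}

# --- 3. autolock.cmd in the user's Startup folder ---
$startup  = [Environment]::GetFolderPath('Startup')
$autolock = Join-Path $startup 'autolock.cmd'
if (-not (Test-Path $autolock)) {
    $findings += "No autolock.cmd in '$startup': the autologon would leave the console unlocked."
} elseif (-not (Select-String -Path $autolock -Pattern 'LockWorkStation' -Quiet)) {
    $findings += 'autolock.cmd exists but never calls user32.dll,LockWorkStation.'
}

# --- 4. Who holds local admin? The service account is expected here;
# individual instructor accounts are not. ---
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $ServiceAccount) {
    $findings += "Service account '$ServiceAccount' is not in local Administrators; the capture software will not run."
}

# --- Report ---
Write-Output "Local Administrators: $($members -join ', ')"
if ($findings.Count -eq 0) {
    Write-Output 'OK: station matches the hands-free/locked configuration.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The local Administrators listing is printed unconditionally so that any instructor Gatorlink account that has crept into the group stands out during a review, which is the separation of users from the system that the configuration is meant to keep.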

Steve is waiting to get with Daniel Solteldo again to investigate how much work it will be to configure Accordent accounts and associated settings so that instructors may operate this device for recording via the web interface from another machine. Steve hopes to figure out how best to sequester the data for each course/instructor within his unit's sections on the media and web servers. This seems the only way to handle things with what we have currently as we can't/shouldn't provide multiple Gatorlink accounts (instructors) local administrative access to run this system nor should we provide the service account credentials to instructors. In Steve's opinion we need to separate the users from the system as much as possible.

Access via the web interface may not suit all

One BIG question is whether the configuration Steve is planning (as described above) suits the needs of other units--especially those off campus. Steve wants/needs a system that instructors can operate themselves as much as possible, and some at the last ICC meeting seemed to be of like mind (Micah Bolen for one), but other remote sites may have more ambitious needs/goals that they have not yet related.

Special considerations of the RECs

There is also the bandwidth issue of remote sites; this comes into play because the permanent storage and streaming point is planned to reside in Gainesville. This will mostly affect live streaming, but the details need to be reviewed. In the WebEx session with Steve, Daniel discussed a number of options; those need to be investigated with the people involved. Since Mike Ryabin has shown early interest in this, Steve has suggested involving him as soon as possible.

Concerns regarding the Accordent software itself

Steve has several major concerns about some very basic aspects of this software:

  1. The capture software apparently requires that it be run under a local logon which is a member of the local Administrators group on the machine; Steve really can't think of any excuse for that. If portions need higher than user access then they should be installed and run as a service IMO.

    Daniel's response: "The capture station software is designed to fit into multiple use-cases ranging from walk-up use to pre-scheduled captures via the Accordent Media Management System (AMMS). Accordent’s approach is to provide our customers with the most amount of flexibility possible. Our solution for situations where physical access to the device is a concern is to use the built-in web-interface or a room control device. Both the web-interface and room-control solutions can be password protected and support the same configuration/operation as if a user were to walk up to the device. The web interface enables users and administrators to start and stop captures from any web browser at any location provided they have the appropriate credentials to access the device. Alternatively, a room-control integration gives users and administrators a single unified panel to enable captures."

    The advantages of following the "Principle of Least Privilege to User Accounts on Windows" are well documented, and programs which work against that principle should be strongly discouraged. Steve used Aaron Margosis's LUA Buglight program to help elucidate why the Accordent Capture Station software requires local admin rights. Results were obtained for both CapStation.exe and PresenterPLUS.exe, which Steve has shared with Daniel.
    Note: a new book just came out entitled "Least Privilege Security for Windows 7, Vista and XP".

  2. This system should not be offered only on Windows XP. That guarantees fast upcoming obsolescence with the necessity of replacement.

    Daniel's response: "I agree. Our next major release, version 4.4, will include support for Windows Vista and Windows 7. This includes both the Capture Station software and the PresenterPlus software."

    Steve pointed out that moving to a Windows 7 based system, while covered under our support contract, may be challenging. Accordent may be able to complete the upgrade via a WebEx session, but local staff will have to first wipe the systems and install Windows 7 and get the basic machine functioning prior. We may not have the expertise at all locations to perform that step and some folks may need a little more help.

  3. This software involves running web (and Steve's still not clear what other server component) services on the capture station. He is not particularly comfortable with that on what in his view could/should be a client system. Not all local IT staff are skilled in maintaining such services and central management has not been arranged.

    Daniel's response: "Management is definitely important. The Capture Station’s web run-times are non-proprietary and are provided by the operating system. This means the only real management is security patching, which most organizations prefer to control via group policies or 3rd party solutions loaded onto their workstations."

  4. The system seems to include a number of unnecessary parts. Steve has already uninstalled iTunes and can't imagine why that is included to begin with. He is uncertain as to what other components may not be needed and could/should be removed. Steve's concerns there are primarily RealPlayer and QuickTime--both of which have poor security reputations.

    Daniel's response: "Accordent takes a best-of-breed approach when building images for the Capture Station. Users of the Capture Station range from K-12 schools and AV companies to higher learning institutions and Fortune 100 corporations. The best approach, which we believe is an open one, gives our customers the option to mold and manipulate Accordent solutions to best fit their needs. All of the software that has been pre-installed on the capture stations is used for operation or testing of Accordent software and presentations. As an example, specific to iTunes, we support audio and video podcasting with direct downloading into the iTunes application. You are more than welcome to remove any software that is not explicitly required for the operation of the capture station. I can absolutely help guide you through the process of slimming down the capture station to fit your security requirements."

Remote management

There is a known issue with using Remote Desktop which is documented on Accordent's support portal within the "General Streaming Information" area under the topic "I'm using Windows Terminal Services to manage my encoder, why isn't my audio device showing up anymore?" Basically, one needs to configure the Remote Desktop client so that it leaves the audio at the remote computer; once you set up the options you can save the configuration to your management desktop as an ".rdp" file and run the connection from there. If you do not do this, the ACS apparently will need to be rebooted before it will record audio properly. Of course, VNC and other remote control options are another possibility but those may not be so easily trackable and manageable in our setting.
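As an added illustration of the Remote Desktop workaround described above (this is not from the notes or from Accordent's support portal), the following PowerShell writes an .rdp file with audio left at the remote computer and launches the connection from it. The capture station host name and the file path are assumptions; the setting names are the ones the Remote Desktop client itself saves.

```powershell
# Added example: create a saved Remote Desktop connection that leaves audio
# playback on the capture station so recording keeps working after a session.
# The host name and file path below are assumed for illustration.
$captureStation = 'acs-capture.example.invalid'          # assumed host name
$rdpPath = Join-Path $env:USERPROFILE 'Documents\acs-capture.rdp'

# audiomode:i:2 is how the client stores "Leave at remote computer" from the
# Local Resources tab. 0 = bring to this computer (the default, which is what
# breaks recording on the ACS), 1 = do not play.
$settings = @"
full address:s:$captureStation
audiomode:i:2
screen mode id:i:2
"@

Set-Content -Path $rdpPath -Value $settings -Encoding Unicode

# Quick check before handing the file to other staff: does it keep audio remote?
function Test-RdpLeavesAudioRemote {
    param([string]$Path)
    (Get-Content -Path $Path) -contains 'audiomode:i:2'
}

if (Test-RdpLeavesAudioRemote -Path $rdpPath) {
    mstsc.exe $rdpPath
}
```

Keeping the saved .rdp file on the management desktop, as the notes suggest, means every administrator connects with the same audio setting rather than relying on each person remembering to change the Local Resources tab.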

Besides the above mentioned support site, Accordent also has something called Accordent University which has a half-dozen brief tutorials on some very basic aspects of using the ACS and Accordent PresenterPLUS.

Concerns regarding integration with Polycom

Having spent considerable effort in getting his current Polycom installations working smoothly, Steve was concerned that the addition of the Accordent not interfere with prior capabilities. He also didn't want to make operating the Polycom for videoconferencing more difficult/complicated as that is expected to remain the primary role of the installation.

After considerable investigation Steve believes there are aspects of the video and VGA integration which could best be handled by specialized hardware and API programming that is beyond the means (budget and staff) of most if not all installations. Lacking that, Steve is hoping to set reasonable expectations for his installation.

Configuring S-Video output on the Polycom units

The Polycom in room 1027 at Entomology makes use of dual-monitor emulation on a 50" plasma monitor to provide the local presenter with a good view of his remote audience as well as a monitor of the local camera/video signal. It turns out that configuring this VSX7000s Polycom system to continue providing that experience while sending an appropriate video signal to the Accordent is quite tricky. Lance Cozart spent considerable time assisting Steve with this. The near/far/content settings on the various outputs are non-intuitive and basically require both extensive trial and error as well as reference to Polycom-provided examples (see "Video Source Output Examples for Multiple Monitors" in the Administrator's Guide for the VSX Series).

Steve must assume that staff will not always be available throughout the recording sessions to run the cameras and configure the Polycoms (which would appear to involve changing system settings). Since getting a single configuration which would support the recording of both local and remote presentations proved impossible in his case, Steve plans to stick with a configuration which provides for recording of a local presenter (near only) while providing them a good view of the remote audience.

This situation is somewhat dependent on the local setup but all should be on the lookout for potential issues involved in getting the desired video input into recordings. There is an additional issue with the content side of things, unfortunately.

Configuring the VGA output to the ACS

Capturing the signal from the Visual Concert box as the system had been configured originally by the installers (Steve is utilizing a VSX7000s in this instance - see wiring diagram for details) would be necessary if one were to record remote as well as local presentations. Unfortunately, that configuration would also mean one would be recording the compressed signal with its inherent quality issues--even for local presentations. Since Steve plans to only support the recording of local presentations (for the reasons given above) he changed the VGA connection from the way it had been installed so that the local presentation signal went directly to the ACS.

To support the recording of both local and remote presentations there seem to be two options (ignoring the video difficulties mentioned prior):

  1. either add yet another switcher to the system so local operators could control the routing of the VGA signal differently for remote vs. local presentations, or
  2. settle for recording the lower quality compressed presentation in all cases.

The former would add complexity and cost and negatively impact unassisted usage. In the latter case, we could get much more flexibility from an IP-VCR solution where we basically had a recording appliance that could be joined to and record videoconferences anywhere as needed. IP-VCR is the alternative solution to the Accordent which Mike Ryabin has been trying to promote, so far unsuccessfully.

Disaster recovery and backup

There is apparently no centralized plan for this and each unit is urged to create an image for system restore as well as institute a backup scheme for the various settings files and perhaps locally stored content.

A management component exists but was not purchased: planning for student access to archived streams

Ron Thomas has reported that a quote of $43k was obtained for the AMMS management component. This was outside the available budget. It is not clear which of the above problems such software could address but it would address the issue of providing student access to recorded streams as that portion uses LDAP to integrate with Active Directory.

Other schools have done such things as creating a script on the web server that automatically generates a list of content (per folder, with each folder representing an instructor). When those folders are browsed via the web the user is presented with a list of all encodings, live and/or on-demand, based on date and time. Of course, the instructor can also provide students a direct link, but we need to carefully consider how this might be best handled in our organization. How, for example, will we support restricted access? Some instructors are sure to want that.


End of special topic section on the Accordent Capture Station


Issues with Articulate software provided by the Dean (previous discussion)

Steve wants to keep this topic on the agenda to discuss ongoing issues with that somewhat fragile software. You can drill back to previous discussions on this topic by clicking on the "(previous discussion)" link above.

Videoconferencing documentation being posted via SharePoint

Steve would like to mention again that Lance Cozart has this documentation. Lance Cozart continues to develop it.

New Elluminate system status

This topic was not addressed this month.

WAN transition to CNS (previous discussion)

Connection of UF and IFAS Remedy systems with the CNS Remedy system

A demonstration of the new interconnection was provided on July 22nd but Steve neglected to ask for an update on how that went. He will try and readdress it at our next meeting.

Updates from James Moore

James Moore reported that new circuits are going in at Belle Glade, Immokalee, Vero Beach, Ona and Live Oak. He is also trying to do something with the shrimp farm in Indian River. He is also looking at the wireless links in the CEOs.

James noted that at Belle Glade most of the major carriers like AT&T wanted something like $30k for fiber work. PAETEC was willing to deliver 10Mb over coax at a great savings and so that should be ready in about 30 days.

Comcast should have a revision to their contract in Immokalee soon. IFAS is going to put down $5k towards their portion of the installation in order to cheapen the monthly costs. It will likely take an additional $1500 for the grounding, backboard and stuff. This is going to be a FLR connection; Comcast is going to do a handoff in the Tampa LATA to Brighthouse which peers with FLR.

They had been looking at PAETEC for Vero Beach as well, as their current T1 is flat-topped just like Belle Glade currently [meaning all bandwidth utilized--resulting in dropped packets]. James has not been able to find any traffic via the flow data that appears illegitimate which he might pull off there. It now looks like AT&T is willing to put in a sizeable amount of money for a fiber install and we are going to connect them in a manner similar to how things were done in Citra and Homestead. We will be back-boarding the conduit which runs from the building to the right of way and Vero will be getting an FLR connection which will be 10Mbps burstable to 100Mbps. They are sharing a common 100Mbps backbone from Sawgrass down to the node, so we are paying for an AT&T connection into the cloud but there is a cost savings possible on that last leg to the FLR POP due to that sharing with the College of Business and all the other IFAS RECs like Homestead, Ft. Pierce and Ft. Lauderdale. That 100Mbps is being delivered over a 1Gbps interface and we are almost to a cost point where we can turn that second leg up to 1Gbps and maybe assign 100Mbps full instead of 10Mbps burstable. Right now they are 10Mbps burstable basically to keep them from DoSing each other.

James has had a lot of issues previously with MFN with regards to routing issues, change management and outages in general on their Metro Ethernet connections. James has discovered that we don't need to use MFN because CPE can provide that service at less cost. James is happy about that. The savings should help supply a better connection for Ona which seems to be growing by leaps and bounds. They are going to try and get the same deal for Live Oak as well.

A.D. Walker had reported that the phone switch at Live Oak is taking a turn for the worse, so James has begun looking at VoIP options for Live Oak. Immokalee is the other location for which VoIP is being investigated.

In Homestead they are looking at a local CallManager VoIP solution like Mike Ryabin has in Ft. Lauderdale rather than a campus solution. At the end of the meeting Dan Cromer mentioned that Mike Ryabin has been promoting the local CallManager solution which he developed and has expertise running. Dan cautioned that we are trying to get away from that and would caution other units to take Mike's suggestion "with a grain of salt". We have gone with the campus model for Lake Alfred and Dan is pushing for that same thing for Homestead, Immokalee and others. He wants VoIP outsourced as much as possible to free local IT staff time up for other duties. He knows that Mike has done a good job and can handle it but Dan also worries about continuing support should Mike get a job elsewhere.

Steve pointed out that it was his understanding Mike went this route because CNS was not ready to provide that service to remote sites at the time. While Dan thought Mike had done it himself because it would be cheaper (not considering Mike's time), James concurred with Steve. Obviously, things have since changed.

A new Foundry switch has been ordered from Dell for each CEO and James will be working with all the district support folks to get those out possibly starting next week. He wants to coordinate with them to work on the problem sites first. This will be James's primary focus over the next couple of months.

Chris Leopold and Ben Beach are in Jay currently working on the wiring plant to get things ready for the new DC/MPS deployment there.

Backups over the WAN

Wayne Hyde asked about the connection speeds at our various sites because he is working on a remote backup plan for the new MPS servers which are being deployed. Wayne is particularly worried about upstream bandwidth back to campus. James responded that the CEOs are in the worst shape in that regard. After the planned upgrades, however, most RECs should be at least 10Mbps burstable to 100Mbps. Right now there are 6 locations, however, that do not have that symmetrical bandwidth but rather are 1.5Mbps T1s.

Wayne plans to use Microsoft DPM for the backups and will throttle the bandwidth at the agent level. He can control things with lower utilization during the day and higher at night when more should be available. They are trying to get a list of which sites they can back up first. With DPM they can do a "FEDEX forklift" where the disk is shipped to them, they back it up and ship it out again. After that it will only need to back up changes. This should avoid any initial full backup issues relating to WAN bandwidth. Wayne hopes to get that going within the next month or two.

James promised to send Wayne a list of the connection speeds to help with this. James did mention that there are some sites for which the VPN tunnel drops overnight; these are sites which do not have a public IP from the carrier and are dynamic. When traffic stops, the VPN is dropped after a certain period of inactivity and is not reconnected until someone at the other end initiates some traffic. Wayne responded that as long as the timeout on that is greater than 15 minutes the agents on the new MPSs should keep things alive.


Policy


Alternate IFAS domains in e-mail

Steve wants to keep this on our agenda for future discussion. He believes there is no advantage to having multiple aliases and that we should move towards removing those if possible.

CIO

Elias Eldayrie is now on the job as our new CIO. Maybe we could invite him to an upcoming ICC meeting once he gets a bit settled?

Identity Management (IdM) Interface Training

Steve wants to remind everyone of the "UF_PA_IDM_NETMGR" role which will allow you to set NMB for your users. Your Department Security Administrator can do that for you.

ITAC-NI still meeting (previous discussion)

Course Management System Conversion to Sakai 3 (previous discussion)

Steve reminded folks of Doug Johnson's announcement of a CMS Transition web site. A pilot test is apparently now in progress.

myuf Market (previous discussion)

Steve wants to keep this on our agendas in case discussion seems warranted.

UF Exchange Project updates (previous discussion)

Dwight Jesseman is leaving UF in a week for a job with Microsoft.

We are all very sad that Dwight is leaving and doubt we could possibly get as good and dedicated service with whomever is chosen to replace him. Steve had hoped Dwight might be able to make it to the meeting today but he must have had a conflict. In any case, we wish him the best in his new endeavors and understand that he will still be based locally and will keep in touch.

Centralized FAX service via Exchange (previous discussion)

Steve wants to keep this potential service in everyone's minds as it seems a logical direction for all to take.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


Projects


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Windows 7 deployment

Steve said that he was getting the feeling that most of the unit IT folks haven't taken or had the time to investigate the tools which are available. He thinks this is a mistake because we all need to move to a situation where we can quickly and easily replace the OS on a system. If anyone wants to learn more about using the in-built Microsoft tools for reimaging, please feel free to get with Steve and he will do his best to help with that. Nuke and reinstall is obviously getting to be a more common need, and imaging can help greatly with original deployments as well. With the advent of Windows 7 Enterprise Steve has quit trying to purchase machines with a particular OS--rather he buys the cheapest OS and loads an image of his own creation. He encourages everyone to move in that direction.

In that vein, Steve noted that the Microsoft Deployment Toolkit (MDT) 2010 Update 1 was released Wednesday. It installs right on top of the previous version so there is no need to uninstall first. Although Steve's current procedures are more manual, he tries to keep up with this technology, which is basically a subset of what is available in SCCM. That latter package is our long-term solution to enterprise deployment and management, but we need to find the resources to dedicate there; if we can we will save a great deal of staff time overall. Steve was sorry to hear that Daniel Solano is leaving IFAS, as Daniel had taken SCCM on as a personal project, fitting it in between his other duties. We need another person to step into that role. While Dan Cromer indicated that Dan Christophy might do that, Steve suspects that Dan's time is already overbooked.

Exit processes, NMB and permission removal (prior discussion)

Nothing further was available on this topic at this time.

Re-enabling the Windows firewall (prior discussion)

Steve mentioned that Wayne has some plans for our Windows 7 machines to increase our overall security. Wayne reported that he plans to implement the firewall very soon, prior to mass deployments. He also said UAC is going to be enabled and will require credentials. The idea there is to help stop people from automatically installing items without due consideration.

Wayne's ultimate desire is to not have people run as local administrators, though he realizes that he will get a lot of pushback on that idea. At the very least he is going to stop OU Admins from adding their Gatorlink user accounts into the local admin group on all our boxes; apparently some units have taken to using that method rather than using the if-adml accounts for administration tasks. One of the reasons that practice is so poor is that, unlike the if-adml accounts, Gatorlink accounts have network access which could permit an infection to easily transfer across all your machines.

Wayne suggested that the local mradmin account could be re-enabled and password protected to be used as an alternative to users having their Gatorlink account in the local admin group. Steve doesn't particularly like that solution as local accounts are much more difficult to monitor than domain accounts. Also, Steve likes to reserve those accounts for his own use as a last resort for access short of breaking in with something like the Offline NT Password & Registry Editor. He wished that an alternate domain account could be created for users along the lines of our own if-adml accounts, so users could use that to elevate; if those were available Steve would have no problems at all with removing all Gatorlink accounts from the local admin groups. Unfortunately, that is apparently not workable in our environment.
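As an added example (not a tool from the notes, and not one of Wayne's Power Tools), the following PowerShell lets an OU Admin audit the practice discussed above: it enumerates the local Administrators group on each listed machine and flags UFAD user accounts that are not if-adml accounts. The UFAD domain name and the if-adml prefix come from the notes; the list of permitted domain groups and the computer list file are assumptions.

```powershell
# Added example: find Gatorlink (non if-adml) domain accounts sitting in the
# local Administrators group of unit workstations. Requires admin rights on
# the target machines; works with the ADSI WinNT provider on PowerShell 2.0.
function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Each member is a COM object; pull its ADsPath and object class.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://UFAD/jsmith or WinNT://IF-PC01/mradmin
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Domain   = $parts[0]
            Name     = $parts[1]
            Class    = $class
        }
    }
}

function Find-UnexpectedLocalAdmins {
    param(
        [string[]]$ComputerName,
        [string]$Domain = 'UFAD',
        [string[]]$AllowedGroups = @('Domain Admins')   # assumption: groups that may stay
    )
    foreach ($c in $ComputerName) {
        Get-LocalAdminMembers -ComputerName $c | Where-Object {
            $_.Domain -eq $Domain -and
            -not ($_.Class -eq 'Group' -and $AllowedGroups -contains $_.Name) -and
            $_.Name -notmatch '^if-adml'          # if-adml accounts are the sanctioned ones
        }
    }
}

# Usage (assumed file listing one computer name per line):
# Find-UnexpectedLocalAdmins -ComputerName (Get-Content .\unit-computers.txt) |
#     Format-Table Computer, Domain, Name, Class -AutoSize
```

Anything this reports is a domain account with network access that has been granted local admin on a workstation, which is exactly the condition Wayne intends to block with the GPO; running it before the policy lands shows which units will notice the change.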

Wayne is also concerned about the number of file shares we have across IFAS. If you are going to be sharing files, then that should be done on the server. Wayne knows that there are many workstations sharing out folders, often with no real access control in place and allowing access to anyone within UFAD. One solution would be to prevent users from creating local firewall exceptions on their Windows 7 boxes; another would be to disable file and print sharing. Wayne realizes that there is some legitimate printer sharing from workstations and could provide for that by allowing the OU Admins to drop such computer objects into a security group that would enable a different GPO and permit that.

Enabling file and print sharing basically erases the effect of the firewall and provides anyone within UFAD access. Wayne wants to lock this down to permit sharing on the local subnet only; exceptions may have to be allowed, however, for units which span multiple buildings and subnets. Steve pointed out that the issue Wayne raises can be alleviated somewhat by setting a local user rights policy that removes the Domain Users group from the "Access this computer from the network" policy. Steve always edits that when deploying a new machine and adds in a pertinent security group only on those machines which are being used to share printers in a lab.
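The two workstation settings discussed above can both be applied with built-in tools. The following PowerShell is an added example (not Steve's or Wayne's actual deployment scripts): it restricts "Access this computer from the network" to the local Administrators group via a secedit template, optionally adding a lab print-sharing group, and scopes the File and Printer Sharing firewall rules to the local subnet. The lab group name and the lab host-naming convention are assumptions.

```powershell
# Added example: lock down network logon rights and scope file/print sharing
# to the local subnet on a Windows 7 workstation. Run from an elevated prompt.
$labPrintGroup = 'UFAD\IFAS-LabPrintClients'   # assumed group for lab print hosts

# 1. SeNetworkLogonRight = "Access this computer from the network".
#    Start with only the local Administrators group (well-known SID S-1-5-32-544),
#    which drops Domain Users/Everyone; add the lab group only on lab print hosts.
$grantees = @('*S-1-5-32-544')
if ($env:COMPUTERNAME -like 'IF-LAB*') {       # assumed naming convention
    $sid = (New-Object System.Security.Principal.NTAccount($labPrintGroup)).
              Translate([System.Security.Principal.SecurityIdentifier]).Value
    $grantees += "*$sid"
}

# Minimal security template in the format secedit expects.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = GRANTEES
'@ -replace 'GRANTEES', ($grantees -join ',')

$infPath = Join-Path $env:TEMP 'network-logon.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\network-logon.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# 2. Keep the File and Printer Sharing rules, but only for the local subnet,
#    so enabling sharing no longer opens the box to all of UFAD.
netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip=localsubnet

# Verify: export the effective user rights and show the line we changed.
secedit /export /cfg "$env:TEMP\effective.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\effective.inf" -Pattern '^SeNetworkLogonRight'
```

In a GPO-managed environment the same settings live under Computer Configuration > Windows Settings > Security Settings (User Rights Assignment and Windows Firewall with Advanced Security); the local template approach above matches what Steve does per machine at deployment time, and units spanning subnets would need the firewall scope widened to their own address ranges.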

Services Documentation: Is a Wiki the way? (prior discussion)

Steve skipped over this topic but will keep it on our agendas.


Operations


Replacement campus print server being tested

Santos Soler has been working on a new VM-based print server "if-srvv-print" for campus. Please review your current list of printers on the old "if-srv-print" server, remove any printers that have been decommissioned, and add any new printer which you will need on the new server. Please see Santos with any questions.

Santos reported that automatic transfer of printers to the new server did not work as anticipated so he has had to spend a great deal of time setting things up by hand. He is installing both 32-bit and 64-bit versions so they should work with any version of Windows we have out there.

Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only

You are reminded that the ". IFAS-ICC" email distribution group does not include the broader audience which the ICC-L will reach. Plan your e-mails accordingly.

IFAS efforts toward Green IT (previous discussion)

Status update

Dan Cromer had forwarded a Microsoft case study of UF entitled "University Furthers “Green” Goals with Stimulus-Funded Video Conference Solution".

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (prior discussion)

Steve wants to keep this topic on our radar.

Moving away from the IFAS VPN service (previous discussion)

Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.

VDI desktops as admin workstations (previous discussion)

This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.

Wayne's Power Tools (prior discussion)

There was nothing new to report this month.

OU Technical Contact email groups now in use

You should now be getting automatic FSR reports concerning file server space usage (duplicate/large files/etc.).

Computer compliance tool in production (previous discussion)

Dennis Brown had some questions about this application. He has one machine that says it is not reporting to the ePO server, but when he goes to the computer and tells it to update now, it does appear to work. Upon looking in the \\ad.ufl.edu\ifas\out-of-compliance share, it was determined that this had indeed been fixed. Wayne cautioned that the web interface updates only once an hour--plus you have to run the login script on the machine itself before the entry will be moved to the history folder (see last month's notes for a way to do that without logging back on).

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
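As an added example of the manual process suggested above (this is not Andrew Carey's plan or Wayne's Power Tools), the following PowerShell uses the Active Directory module to disable computer objects whose machine password is older than 90 days, records the date each object was disabled in a CSV ledger (since AD itself does not store that), and deletes objects the ledger shows as disabled for 90 or more days. The OU path and ledger location are assumptions, and nothing is changed unless -Commit is given.

```powershell
# Added example: stale computer object cleanup with a local ledger.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2).
Import-Module ActiveDirectory

function Invoke-StaleComputerCleanup {
    param(
        [string]$SearchBase = 'OU=Computers,OU=UNIT,OU=IFAS,DC=ad,DC=ufl,DC=edu',  # assumed OU
        [string]$Ledger     = 'C:\OUAdmin\disabled-computers.csv',                # assumed path
        [int]$StaleDays     = 90,
        [switch]$Commit                                                           # report-only without it
    )
    $now = Get-Date
    $staleBefore = $now.AddDays(-$StaleDays)

    # Ledger: distinguishedName -> date we first saw the object disabled.
    $entries = @{}
    if (Test-Path $Ledger) {
        Import-Csv $Ledger | ForEach-Object { $entries[$_.DistinguishedName] = [datetime]$_.DisabledOn }
    }

    # Step 1: a domain member renews its machine password every 30 days by
    # default, so one that has not done so in 90 days is almost certainly gone.
    $stale = Get-ADComputer -SearchBase $SearchBase -Properties PasswordLastSet `
                 -Filter { Enabled -eq $true -and PasswordLastSet -lt $staleBefore }
    foreach ($c in $stale) {
        Write-Output "DISABLE $($c.Name) (password last set $($c.PasswordLastSet))"
        if ($Commit) { Set-ADComputer -Identity $c -Enabled $false }
        if (-not $entries.ContainsKey($c.DistinguishedName)) { $entries[$c.DistinguishedName] = $now }
    }

    # Step 2: delete objects our ledger shows as disabled for 90+ days.
    $disabled = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $false }
    foreach ($c in $disabled) {
        if (-not $entries.ContainsKey($c.DistinguishedName)) {
            $entries[$c.DistinguishedName] = $now      # disabled by hand earlier; start the clock now
            continue
        }
        if ($entries[$c.DistinguishedName] -lt $staleBefore) {
            Write-Output "DELETE $($c.Name) (disabled since $($entries[$c.DistinguishedName]))"
            if ($Commit) {
                Remove-ADComputer -Identity $c -Confirm:$false
                $entries.Remove($c.DistinguishedName)
            }
        }
    }

    # Forget ledger rows for objects that no longer exist in the OU, then save.
    $known = @{}
    foreach ($c in @($stale) + @($disabled)) { $known[$c.DistinguishedName] = $true }
    foreach ($dn in @($entries.Keys)) { if (-not $known.ContainsKey($dn)) { $entries.Remove($dn) } }
    $entries.Keys | ForEach-Object {
        New-Object PSObject -Property @{ DistinguishedName = $_; DisabledOn = $entries[$_].ToString('s') }
    } | Export-Csv -Path $Ledger -NoTypeInformation
}

# Usage: review the report first, then run again with -Commit.
# Invoke-StaleComputerCleanup
# Invoke-StaleComputerCleanup -Commit
```

Running it monthly from the OU Admin's own workstation gives roughly the behaviour of the proposed plan without waiting for the central implementation, and the ledger file is the "own records" the notes mention.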

New MPS/DC deployment

The new DC/MPS deployments have begun at Bay CEO, Jay REC, and Milton REC.

Core Services status

Data Protection Manager planning

As mentioned at our last meeting and within the WAN update section this meeting, Wayne has begun looking into Data Protection Manager as the hub of a new backup solution for ITSA. This is meant as the on-campus solution as well as for remote backups.

Right now we have Volume Shadow Copy on the file cluster. Once we move to DPM for backups instead of Backup Exec we will have another server that basically makes a replica; this will be an exact copy of all the data on the file cluster, plus it does block-level changes like VSS. So, end-user recovery will remain the same as it is now (right-click to restore previous versions).

Wayne is also planning basic server infrastructure changes--trying to determine the next virtualization platform. They are also trying to replace the Enterprise SQL we have currently by deploying a physical SQL cluster (two node, one big, one small) with an iSCSI target (Dell MD3220i) which will give 30 disks back on the SAN. Wayne will then move some server VM storage to those disks and allocate the older 10k rpm disks to VDI.

UFAD DC planned for the IFAS machine room

The goal is to remove our complete dependence on our current primary and secondary DNS servers both of which are currently housed in SSRB. After a recent outage there, Joe Gasper pointed out the advisability of housing our primary or secondary DNS elsewhere. Wayne Hyde created a blank VM for Mike Kanofsky to build on and the system is now up, running, and undergoing testing.

Steve pointed out that there had been prior outages where SSRB went offline. At the time, Dan Miller had claimed that "the DNS resolvers are so slow, with something like a 30 second timeout, that a requested connection is dropped prior to the secondary resolving the address anyway; this makes that solution unworkable--at least for most applications." The solution Dan was referring to was moving the secondary DNS to ESE. Wayne (and Joe Gasper via prior communication) explained that this may be the case with Linux or some other systems, but Windows XP waits one second to try the secondary if the primary fails to respond (on a single NIC box).

ePO updates

Wayne began offering the McAfee Agent 4.5 Patch 1 for push via tagging systems in the ePO console (ufad\if-admn credentials required) on June 21st and is now pushing that out to all. Computers should soon be listed as having version 4.5.0.1499 of the agent.

Wayne has also been busy improving our on-demand scan (ODS) processes as he announced via e-mail:

Message to the ICC-L from Wayne Hyde:
"[ICC-L] new On-Demand Scan tasks; new ePO tags" Thu 6/24/2010 2:58 PM


Everyone,

I revamped the managed on-demand scan tasks in ePO. First of all, the mandatory scans:

12PM Tuesday/Thursday/Saturday – Scan of %systemroot%

  • This scan cannot be disabled but will be deferred when on battery power and during presentations (requires 8.7i).
  • The task should take no longer than 30 minutes even on slow machines and will cancel if it takes > 2 hours.

8PM Friday – Full System Scan

  • Can be deferred when on battery power and during presentations (requires 8.7i).
  • This scan cannot be disabled but it can be moved to another day/time via the other “ODS” tags. This is to ensure that at least one complete system scan is performed a week. Computers with 8.5i will only run the 8PM Friday scan -- these need to be upgraded to 8.7i manually or using the PushAV tag anyway.
  • The full scan will stop after 12 hours in case it gets stuck.

The 8 ODS tags I have created:

      ODS 8PM M
      ODS 8PM W
      ODS 8PM F
      ODS 8PM Sat
      ODS 12PM M
      ODS 12PM W
      ODS 12PM F
      ODS 12PM Sat

These are for configuring the full weekly scans only. I added the “12PM” tasks to allow scans to be scheduled on systems that may be turned off during the evening hours (aka Green IT).

You will notice the “ODS 8PM F” tag in bold. Since the default 8PM Friday scan task will not be run if any of the above tags is present, this tag forces the 8PM Friday scan to run even if one of the other tags is set. This tag allows you to have a 12PM Monday and 8PM Friday scan done on systems.

These tags do not do anything on systems that do not have 8.7i installed.

You can tag systems with multiple scan tags to force multiple full scans each week.

The managed tasks are only set for workstation operating systems. If you have a server OS that you manage you will need to configure local scan tasks.

I deleted the old “ODS” tags and moved any that were set to the closest matching new tag.

You can check if the managed tasks are enabled via the VirusScan Console. The two tasks on one of my machines look like:

      ODS tags

This machine has the “ODS 12PM Sat” tag set.

If you read this far you get a cookie. Chris Leopold will pay for it. (now we'll find out if Chris reads my emails)

Wayne quickly supplied a brief amendment:

Message to the ICC-L from Wayne Hyde:
"Re:[ICC-L] new On-Demand Scan tasks; new ePO tags" Thu 6/24/2010 3:54 PM


Since there is a possible full-scan done on Saturday that may conflict with the systemroot scan, I’m moving the %systemroot% scan to Sunday at noon.

The corrected info.

12PM Tuesday/Thursday/Sunday – Scan of %systemroot%

  • This scan cannot be disabled but will be deferred when on battery power and during presentations (requires 8.7i).
  • The task should take no longer than 30 minutes even on slow machines and will cancel if it takes > 2 hours.

A number of questions arose the following day from Wayne's postings; most notably the question from Chris Fooshee on how best to handle scanning for machines that are turned off on nights and weekends. Wayne's response was:

Message to the ICC-L from Wayne Hyde:
"Re:[ICC-L] new On-Demand Scan tasks; new ePO tags" Fri 6/25/2010 8:58 AM


I am certainly open to moving the default full scan from 8PM Friday to perhaps noon on Friday to be more in line with the “Green IT” initiative. This would of course make some more people upset that their systems are slower during the working hours. But, they can get over it.

A possibility would be to do a scan of %SYSTEMDRIVE% on Friday at 12PM instead of “All fixed disks” and then schedule the scan of everything for a weekend night. The other ODS scan tags would be used to move the %SYSTEMDRIVE% scan to one of the other MWFS 12pm/8pm times.

Before someone asks why we need these scans, McAfee does find a significant amount of malware via the on-demand scans as not everything is caught immediately by the on-access scanner.

Please discuss...

Based on continued discussion Wayne then provided more details on the various options which may be configured within ePO:

Message to the ICC-L from Wayne Hyde:
"Re:[ICC-L] new On-Demand Scan tasks; new ePO tags" Fri 6/25/2010 10:35 AM


Here are the task options so you know what I have to work with:

The current task is for ‘all fixed disks’, but here is an alternative I’m considering:

[Screenshot: Scan Locations]

The Locations to scan includes:

[Screenshot: Items to scan]

The Scan Items tab is pretty standard:

The Exclusions tab is empty for now:

Actions is pretty standard – clean first, delete if fail:

The Performance tab is where I can set defer options and system utilization. If I do enable the “user may defer” option I set it to at most 3 hours. I am not sure how effective the “System utilization” setting is, but for work hour scans I set it at 40%. Artemis is set for very low to avoid false positives.

The Reports and Task tabs … nothing important to see here, but it is where I configure the task to run on workstations and not servers. (two checkboxes)

I’m testing to see how much a user can do as far as cancelling a scan that is about to start. More later.

Wayne offered some additional observations:

Message to the ICC-L from Wayne Hyde:
"Re:[ICC-L] new On-Demand Scan tasks; new ePO tags" Fri 6/25/2010 3:24 PM


Some observations:

The scans will start silently if you don’t set the option for “User may defer scheduled scans.” The only way they would know what is going on is if they opened up the VirusScan Console and saw that one of the scan tasks was in the “running” state.

Users with administrator access can stop a scan in progress via the VirusScan Console by right-clicking on the task and selecting “stop.”

All users can see the progress of the scan via the VirusScan Console by right-clicking on the task and selecting “Show Progress.”

If “User may defer scheduled scans” is enabled the following dialog box opens up before the scan starts:

[Screenshot: dialog box offering to defer scan]

This dialog is mostly broken due to 8.7i Patch 2 and may not be totally fixed until Patch 4 (due next month). It did work on my Windows 7 test machine with the latest agent and 8.7i patch 3. The user has 15 seconds to click ‘Defer’ otherwise the scan starts when it gets to 0.

The automatic “defer scan during presentations” setting did indeed work but only if a slideshow was active. It doesn’t defer if PowerPoint is simply running. If a scan was already running before a user started a slideshow, McAfee detects the running slideshow and will defer the active scan.

Wayne noted that on-demand scans are necessary in order to pick up what the on-access scanner misses. Malware executables change continually and may get onto our boxes before McAfee is able to detect them. A later on-demand scan can help clean these up after the fact, as well as point out potential problem machines/users for OU Admins to keep an eye on via monitoring in the ePO console.

The point of the tags which Wayne has created in ePO is to provide units some control over when these on-demand scans run while making sure that they do occur.

On a final ePO note, Wayne has noticed that the software for Logitech web cams is causing false positives. You may notice these in the ePO console as “virus detections in \Windows”. Basically, this is due to Logitech running stuff out of the %temp% folder. The rule is set to detect and not block so the software still functions. Steve also noticed that the Agent upgrade causes a similar false positive in "C:\Windows\Temp\mfe8C57.tmp\cleanup.exe". Both of these events are triggered by an Access Protection rule set to "Prevent all programs from running files from the Temp folder". Wayne is investigating the creation of exceptions to cut down on the false positives.

Wayne said that these and other issues are why he is investigating Microsoft's Forefront Endpoint Protection as a potential substitute for McAfee. Microsoft Security Essentials has done a decent job in Wayne's testing, but it will all depend on the management portion and whether that is up to snuff. This does tie into SCCM, however, so that should make it easy for us to push out all the clients should we go that route. The new version will be out later this Fall and that is the version which Wayne plans to investigate. Our eCALs are what would make moving to that possible.

Status of SharePoint services (prior discussion)

IFAS migrating to centralized MOSS

Status update.

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...

Microsoft

The July Microsoft patches will include four bulletins overall. Two of the bulletins affect Windows (one Critical and one Important). Two critical bulletins affect Microsoft Office. A podcast summary of these patches will be provided by "Security Bulletins for the regular IT guy".

People should also note that Windows 2000 support ends on July 13, 2010!

Adobe

Adobe provided an accelerated version of their quarterly updates: the Adobe Reader and Acrobat updates were released on June 29. This was done in order to address several critical issues.

Steve has determined a way to patch the Flash ActiveX control remotely, though it is still a manual process at this time:

A method for the manual remote patching of Flash Player


Using PsExec for remote execution

First you need to download the Sysinternals PsExec program; this is used to execute the programs on the remote machines. Steve recommends downloading the entire Sysinternals Suite. This package comes as a .ZIP file. Before expanding it you should right-click on the downloaded file, choose "Properties", and select the "Unblock" button. This permits the help files within to run. It is also very convenient to set a system path to the folder where you place these utilities. Steve uses c:\Program files\Sysinternals. You can also subscribe to the Sysinternals Blog via RSS and get notice of updates directly within Outlook.

Standalone uninstall and install files

You need to completely uninstall all Flash Player installations; in Steve's experience new installations do not overwrite the old files. You should get the latest standalone uninstall program and the latest Flash ActiveX control for IE.
[Note: these instructions don't include patching for other browsers, but that is certainly possible.]

For the purposes of this explanation, those downloads have been placed in c:\patches\flash.

The nitty gritty

For this to work you need to run a cmd prompt elevated to your IF-ADMN credentials to run your PsExec commands. You can now completely uninstall Flash Player via this command:

Assuming the remote computer is on and reachable you should see the program get copied and run. An error code of zero indicates success.

Once Flash Player is uninstalled you can then install the ActiveX control for IE via:

Again, an error code of zero denotes success. The possible error codes are as follows:

ERROR CODES:
0 = No errors detected
1003 = Invalid argument passed to installer
1011 = Install already in progress
1012 = Does not have admin permissions (W2K, XP)
1013 = Trying to install older revision
1022 = Does not have admin permissions (Vista, Windows 7)
1025 = Existing Player in use
1032 = ActiveX registration failed

There is lots of room for improving this as PsExec can take a list of machines from a text file, but the above does work and is a good start at handling remote patching. Steve used Wayne's "Computer info" Power Tool to determine which machines were out of compliance with regards to Flash.
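As an added illustration of the procedure above (not Steve's own commands, which the notes do not reproduce), the following PowerShell script runs the uninstall and install steps over a list of machines with PsExec and maps the installer exit codes to the table above. The file names uninstall_flash_player.exe and install_flash_player_ax.exe, the machines.txt list, and the -uninstall/-install silent switches are assumptions; PsExec's -c and -f options and $LASTEXITCODE carrying the remote process's exit code are documented behaviour.

```powershell
# Added example: remote Flash patching with PsExec, one machine per line in machines.txt.
# Run from a PowerShell session started with your IF-ADMN credentials, with PsExec on the PATH.
$PatchDir  = 'C:\patches\flash'
$Uninstall = Join-Path $PatchDir 'uninstall_flash_player.exe'   # assumed filename of the standalone uninstaller
$Install   = Join-Path $PatchDir 'install_flash_player_ax.exe'  # assumed filename of the ActiveX installer
$Machines  = Get-Content (Join-Path $PatchDir 'machines.txt') | Where-Object { $_.Trim() }

# Installer exit codes from the table in the notes
$ExitCodes = @{
    0    = 'No errors detected'
    1003 = 'Invalid argument passed to installer'
    1011 = 'Install already in progress'
    1012 = 'Does not have admin permissions (W2K, XP)'
    1013 = 'Trying to install older revision'
    1022 = 'Does not have admin permissions (Vista, Windows 7)'
    1025 = 'Existing Player in use'
    1032 = 'ActiveX registration failed'
}

function Invoke-RemoteStep {
    param([string]$Computer, [string]$Exe, [string]$Switch, [string]$Label)
    # -c copies the local exe to the remote machine, -f forces the copy even if a
    # stale copy is already there. PsExec returns the remote process's exit code.
    & psexec "\\$Computer" -c -f $Exe $Switch 2>$null | Out-Null
    $code = $LASTEXITCODE
    $text = if ($ExitCodes.ContainsKey($code)) { $ExitCodes[$code] } else { 'Unknown exit code' }
    [pscustomobject]@{ Computer = $Computer; Step = $Label; ExitCode = $code; Result = $text }
}

$results = foreach ($m in $Machines) {
    # Skip machines that are off or unreachable rather than waiting on a PsExec timeout
    if (-not (Test-Connection -ComputerName $m -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $m; Step = 'ping'; ExitCode = -1; Result = 'Unreachable, skipped' }
        continue
    }
    $u = Invoke-RemoteStep $m $Uninstall '-uninstall' 'uninstall'   # '-uninstall' switch is assumed
    $u
    # Only install once the old player is fully removed (exit code zero)
    if ($u.ExitCode -eq 0) { Invoke-RemoteStep $m $Install '-install' 'install' }  # '-install' is assumed
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $PatchDir 'flash-patch-results.csv') -NoTypeInformation
```

The CSV gives a per-machine record of which step failed and why, which is what you want to reconcile against the "Computer info" compliance list afterwards.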

Apple

MS Office News update

Steve has created a new 32-bit Office 2010 installation point (ufad\if-admn credentials required) for everyone's use.

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status (previous discussion)

Steve wants to keep this item on the agendas in order to address potential future concerns.


Other Topics

PDF-Xchange (prior discussion)

Steve wants to keep this on our agenda for possible later consideration and noted that Micah Bolen has been using this product for his units.

Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL

Dennis asked about this. Steve said that he put this on the agendas at the request of Mitch Thompson in Apopka. The problem from a support aspect was this system's reliance on MySQL, which is difficult to back up. Dennis said that a number of his faculty are interested in this because they "like the way it looks" and they like the blog aspect. Santos pointed out that hopefully SharePoint 2010 will allow for most of the same features. The ITSA group would very much like to avoid adding yet another difficult-to-support service. That said, Santos mentioned that he currently has a test install in place for Mitch to play with.

Informacast paging licenses for VoIP phones

Dennis Brown wanted to mention that CNS is rolling this out. Steve added that his department purchased these when they went Wall-Plate at a one-time cost of $25 per phone. Steve understands that a rollout of this to phones in classrooms and other public areas has been funded in-part by student government.


The meeting was adjourned a bit late at about 12:07 PM.