
But will it include calendars?

Posted by: Richard
June 19, 2008

Apple says:

Snow Leopard includes out-of-the-box support for Microsoft Exchange 2007


Does this mean just mail, or mail+calendar, or the whole package? Note that even Microsoft Entourage does not sync Notes or Tasks with Exchange Server.

On a related note, Jon Udell has built a small script (exchange2ical) to publish iCal feeds for Exchange calendars!

I wonder which approach will bear fruit most quickly.


E-Mail Archiving

Posted by: Richard
May 3, 2008

Mary Beth Herkert
Archives Division, Information Resource Management Unit

Work on home computers is part of public record
Records retention schedules
Preserve only for as long as it is needed to accurately document agency functions
Core Elements of a Good Policy
- appropriate use statement
- access to employee computers and accounts; privacy notice
- retention of e-records
- policy awareness
- training
- compliance
Email management manual online (state archives)
Alternative communication devices
- IM
- PDAs
- Chat rooms
- Blogs
Public employees -- no expectation of privacy
Individual employees make decisions about what to retain (realistic?)
"Knowingly destroy public records" - okay if it's a mistake
Synchronizing email to a home computer -- yes, the home computer could be subpoenaed
Messages that need to be saved for a long period of time should be exported from the email system
Create a filing system that is the same for both electronic and paper records (e.g., naming conventions)
Voicemail is not a public record for retention in Oregon
No jurisdiction over a private school -- subject to federal requirements
Audio recordings need to be kept for one year, even if minutes were taken
May not need to capture email messages if records are documented elsewhere (e.g., teacher communicates progress report to parents)

http://arcweb.sos.state.or.us




Cisco Clean Access Woes

Posted by: rkassissieh
December 22, 2007

In August, we implemented Cisco Clean Access (also known as Network Access Control) in order to limit the school wireless network to known users and to scan desktop computers for running antivirus software and the latest OS patches. Unfortunately, our implementation has hit a few snags, to the point where most of our user population is pretty cynical about the impact of Clean Access on their ability to operate and the supposed benefits it brings.

We currently have the following concerns about our implementation of Clean Access.

  • It's mid-December and Cisco has not yet released a Leopard-compatible agent.
  • CCA login times vary from a few seconds to several minutes.
  • The current agent is not dual-NIC aware, trying to authenticate users against the secondary connection.
  • The Windows client often crashes, requiring a reboot before the user may log in.
  • One or two users per day end up in the temporary role for reasons unknown.
  • The agent often becomes unresponsive when a user switches VLANs.
  • A new patch that came out in September was incompatible with AdAware 2007 and booted half our user base from the network.
How has Clean Access been for you? Are these typical problems, or do we have a unique situation?

Update 1/8/2008: We successfully installed a secure certificate and upgraded the server and agent to new versions (4.1.3.0 on the Mac). First tests show improvement in client behavior. We are looking forward to further testing with real users to see how many of our issues the new client software solves.

Update 1/10/2008: I have the new CCAAgent 4.1.3.0 running on Leopard. We noticed right away a processor utilization issue -- CCAAgent was using 100% of the processor every few seconds, not good for laptops trying to conserve battery power during a long school day. Cisco sent the following fix.

First, create a preference.plist file for yourself: choose Show Package Contents on Applications/CCAAgent, copy Resources/setting.plist from inside the package to ~/Library/Application Support/Cisco Systems/CCAAgent/, and then rename the copy preference.plist. Create these folders if they don't exist.

Run the following script in terminal (all on one line):
osascript -e 'tell application "System Events"' -e 'set the thePListPath to "~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist"' -e 'tell application "System Events"' -e 'tell property list file thePListPath' -e 'tell contents' -e 'set previousValue to value' -e 'set value to ({|VlanDetectInterval|:"0"} & previousValue)' -e 'end tell' -e 'end tell' -e 'end tell' -e 'end tell'

This turns off automatic VLAN detection in the Clean Access agent, which solves the processor utilization problem.

Update March 27, 2008
You can package the above into an executable AppleScript. Look closely -- the shell command actually executes AppleScript!

Meta-calendaring with Exchange?

Posted by: rkassissieh
October 27, 2007

Dear Blogosphere,

Like many schools, we are deeply invested in Microsoft Outlook and Exchange Server. Yet, we struggle with these products' limited calendaring abilities. We would really like a modern calendaring system that allows users to turn layers on and off for different public resources. Rather than having dozens of individual, mutually exclusive calendars, my users want dozens of layers in a single multi-calendar. Additionally, portability would be key -- the ability for a single user to include an item from a public calendar in one's personal calendar without unnecessary duplication. I have heard of Zimbra but not given it a close look. We must continue to use Outlook, and frankly, we would like to continue to use Exchange if we can, to minimize the amount of change in our system.

Do you know any open-source tools that can layer on top of Exchange to provide these meta-calendaring services?

Comparing SSL VPN Java client on Mac and Linux

Posted by: rkassissieh
September 29, 2007

One of our best purchases this year is the Sonicwall SSL-VPN 200, a $500, web-based VPN solution that allows up to ten concurrent users to get on the LAN from any location using a web browser and an Active Directory login. The software provides two choices for the browser plug-in used to present the terminal window: ActiveX or Java. Having eliminated Microsoft Windows from our home, we use the Java client exclusively. I have noticed that the Java client is so much faster on Linux than Mac OS. It practically feels like I'm on the LAN. I find the same difference with the Java applet that Menalto Gallery uses for bulk uploads. Do you know why Java applets run so slowly on a Mac? Can anything be done about this?

New Time Zone, Same Microsoft Problems

Posted by: rkassissieh
March 12, 2007

So our daylight saving time transition has gone no better or worse than expected. As explained before, we followed all the Microsoft instructions, yet their time zone move tool only correctly handled about half of the incorrect calendar entries. The only solution left is to manually open each item and re-save it. Although tedious, at least this finally resolves the problem. Have you found a way to do this on a global scale?

Oh, and the Blackberry DST update blew up partway through, and I had to reinstall all my handheld software. We have lost a lot of time on this daylight saving time change!

Server room cleanup

Posted by: rkassissieh
January 2, 2007

Before break, we spent a day decluttering and rewiring the entire server room. It was both a cathartic and productive day. Now we can sleep better at night knowing that each server has one power supply connected to a newly beefed-up UPS and the other connected to filtered power. This will no doubt pay off down the line in reduced power supply failure and cleaner shutdowns when we lose power.


Permanent Redirects

Posted by: rkassissieh
October 9, 2006

You may know how the web address for Outlook Web Access always ends in /exchange, which is okay in a link but not if you're trying to tell people the address. If anyone happens to go to the home page of the site, they get a "no home page" error.


Since the webroot for IIS on an Exchange server is just about empty, you can easily replace the default page with a permanent redirect. I also found a great summary of this technique applied in different programming languages at Permanent Redirects with HTTP 301. Here's the code for ASP, which is enabled by default on your Exchange server.

<%@ Language=VBScript %>
<%
' Permanent redirection
Response.Status = "301 Moved Permanently"
Response.AddHeader "Location", "http://www.yourdomain.com/"
Response.End
%>


This technique is useful anywhere you would like an easy redirect to another directory and you don't have access to a .htaccess file (Linux) or the IIS admin interface (Windows).

Of course, it's easier in PERL with CGI.pm or in PHP.

header("Location: http://www.yourdomain.com/", true, 301); // the third argument sets the 301 status; header("Location: ...") alone sends a 302
exit;

Active Directory Management From Your Desktop

Posted by: rkassissieh
July 21, 2006

I found out today how to manage Active Directory users and groups directly from my PC. After four years of terminaling into servers to access Active Directory, this helps consolidate administrative applications on my computer. It's also a plus that I am running Windows under Parallels. This is a tech note that our former employee Jonathan wrote up.

Installing “Active Directory Users and Computers” Module with Exchange Features on Windows XP SP2 Workstations, using Exchange 2003

In Windows XP SP2, the SMTP snap-in is installed with the IIS snap-in. The SMTP Service is a separate component that is not required. The WWW Publishing Service is also not required. The Windows Server 2003 Administration Tools Pack is still required, because it provides the NNTP snap-in and the Active Directory Users and Computers snap-in.

1. Verify that you are using Windows XP SP2

2. Install IIS Snap-In (Add/Remove Programs – Windows Components)
a. Select “Internet Information Services (IIS)” and click the “Details” button [requires Windows XP CD]
b. The “SMTP Service” and “World Wide Web Service” can be unchecked

3. In Services, disable SMTP and WWW services, if applicable

4. Install Windows Server 2003 Administration Tools Pack [We had this on our network. It's probably on the Server 2003 install CD.]

5. Install Exchange System Management Tools:
a. Insert the Exchange Server 2003 CD—When the installation splash screen comes up, click on Exchange Deployment Tools under the Deployment section
b. On the Welcome to the Exchange Server Deployment Tools screen, click Install Exchange System Management Tools Only
c. The following screen explains some of the prerequisites for installation… scroll to the bottom of the screen and click “Run Setup now”
d. In the Exchange installation “Component Selection” screen change the Action for the “Microsoft Exchange” heading to Install or Custom
e. Change the Action for “Microsoft Exchange System Management Tools” to Install
f. Complete installation



The Triumphant Return of DAF

Posted by: rkassissieh
June 27, 2006

I have succeeded in configuring DAF5 on our new IIS6 web server. DAF is the linchpin of our web intranet, as it permits our web site to authenticate parents without creating network accounts for them. It also provides a standard HTML login form instead of the default Windows popup dialog.

DAF permits a web site to authenticate users against two databases. We authenticate our network users against Active Directory and our parents and guest users against an Access database. DAF checks the Access database first and then forwards unknown users to IIS for Active Directory authentication. I don't know of another product that does this function, so I was thrilled to be able to configure it correctly. Since DAF5 is in perpetual beta, documentation is scarce.

I found the correct configuration through educated trial-and-error. Here are the key steps.

IIS Manager --> [your web site] --> Properties --> Directory Security --> Authentication and Access Control --> Enable Anonymous Access

You must allow IIS to enable anonymous access in order for DAF to take over authentication for this web site.

Security Handler --> Always use a SSL connection

This is essential to prevent the plain text transmission of user passwords. Windows is no help in this regard, since Windows basic authentication is required in order to authenticate non-Internet Explorer users. Instead, I have purchased an SSL certificate for this web site, which in conjunction with DAF will make login encrypted for all users.

Security Handler --> Login Form Type --> HTML Login form

This points DAF to an HTML form instead of using a standard popup dialog. The form is located in /session in your web site. You can modify the HTML there, as long as you leave the form mechanics and includes intact. Check out our modified login form.

By default, login failure brings up a different web page. I pointed our failure page back to the same login form page, on which the error message appears. Later, it would be preferable to either make the error messages more verbose or to redirect to a different failure page with more information about what the user can do to correct the problem.

Security Handler --> User ID & Session --> HTML Login Form (using Cookies)

I used the defaults for HTML form.

Security Handler --> Advanced --> Default DAFAUTH.INI file

This step is critical to protect all of the directories in your web site at once. By default, a dafauth.ini file must be present in each directory in your web site. Since this is impractical, it is easier and more secure to choose an appropriate ini file here. Mine has the following simple settings:

[PreAuthentication]
Anonymous = disable
Authenticated = enable


Then I set NT folder security as appropriate for the access permissions I want.

Security Handler --> Count as ONE Registered Protected Site

If you don't register with DAF, then only ten users can connect to your site.

Security Handler --> Logs

Enable Write to log file. DAF keeps different sets of error logs for different purposes. The most useful logs for debugging configuration are site-specific and found in /dafdata just outside the web site directory that you specified during installation. Note that /dafdata has the web site resource id appended to its directory name.

User DB --> Data Store --> Primary Data Store --> ODBC Data Source --> Settings

Use your server's Administrative Tools --> Data Sources (ODBC) to set up an ODBC link to your external database containing non-network user information. I wrote a separate PERL script to populate this database with registered parent login information.

Source & Connection tab: Select the ODBC source for your database and provide login information if necessary.

Table & Columns tab: Match the columns in your ODBC database to DAF standards.

Advanced tab: Use defaults

User DB --> Data Store --> Secondary Data Store --> NT User DB --> Settings

Default NT Domain: Select NT Domain User Database and specify the default NT domain. This step seemed necessary in order to successfully authenticate network users without requiring them to specify their domain.

NT Account Mapping: Select Forward credentials to NT/IIS. This step permits IIS to authenticate network users, i.e., those who aren't in the DAF database.

User DB --> Session

Enable session state. This is required for this approach, but I don't recall why.

Other settings keep their defaults.

User DB --> NT Accounts

Default mapped NT account: This is an easy way to control privileges for the parent users on our network. As it happens, my parent registration script creates a static mapping in the DAF database, so I leave this setting empty.

Data source Login NT account: A server user that has privileges to read and write the DAF database. If this is improperly set, you will see corresponding error messages in the site error log.

User DB --> Encryption

I would like to use encryption, but it is easier to set this up for a clean install than to migrate existing, unencrypted passwords to this system. I will work on this soon.

User DB --> Logs

Write to log file

We Have Made It

Posted by: rkassissieh
June 21, 2006

We got all our users up and running on the new, single-domain servers this morning. For a disaster recovery situation, 24 hours was not too bad. How many tries did this take to get right?


Just When I Thought It Couldn't Get Worse

Posted by: rkassissieh
June 20, 2006

Days after recovering from our failed network migration, we have had another server blowup. The air conditioning system in our server room failed this weekend, the room heated to 150 degrees F, and our Exchange server drives failed. We did get a good backup of the data store last night before the failure, but now we are left with neither an Exchange server nor the internal expertise to reinstall Exchange in a multi-domain environment.

At the same time, I have gathered a lot of feedback from other BAISNet tech directors and discovered that we are the only school among the respondents that is running multiple Active Directory domains. So, in this state of emergency, we have decided to immediately rebuild our new servers in a single domain environment, test it this afternoon, and migrate users to it tomorrow.

The simplified approach has reaped dividends within the first hour of adoption. Our systems administrator already worked up the primary domain controller the other day, so all he has to do now is to prep the domain for Exchange and install that. Without the multiple domain issues, we should be able to test the new server environment with user accounts by this afternoon. Our tech department users will spend the night logged into the new servers, and we will migrate other users if all is still well tomorrow morning. We may even recover all mail if we can mount the backed-up data store in an offline Exchange server and spin off the PSTs one final time.

Wish us good luck.

Server Learning Experiences

Posted by: rkassissieh
June 14, 2006

This feels familiar. We have twice this week unsuccessfully attempted to migrate to new servers. The problems all involve Exchange server communication between parent and child domains. I finally decided to pull in some external expertise and discovered that we are doing things the hard way at a couple of levels. First, our four-domain architecture runs counter to the conventional wisdom for organizations of our size and complexity. Microsoft and our consultant recommend a one domain architecture with organizational unit/group policy management of user privileges. Second, we manually complete a number of steps that the consultant has figured out ways to automate or shortcut. For example, we spend 20 minutes per user unjoining them from the old domain, joining them to the new domain, and then setting up their new profile. Apparently, there is a way to edit the user's registry to move a user to a new domain without changing their profile. After the third attempt to reinstall and correctly configure our new servers, we rolled back to the old servers and returned to the drawing board.

On another note, I confirmed that my struggles obtaining PERL debugging information in the browser are due to a new IIS6 security feature. I found a description of the problem that indicates that there is not a good way around this feature. Too bad that I have not yet found error handling options in ActiveState PERL similar to those found in PHP. While it was convenient to see error messages when PERL scripts did not compile correctly, this forces me to get a legitimate PERL development environment that can provide debugging information live and to write my scripts to capture errors on the fly. These are good things.

Putting WIMP Into Place

Posted by: rkassissieh
June 9, 2006

Today, I continued work on our new WIMP server configuration. As opposed to LAMP, or even WAMP, WIMP stands for:

Windows
IIS
MySQL
PHP/PERL

Our WIMPy setup is coming along just fine, aside from a few speed bumps. The first occurred when PHP repeatedly failed to load the php_mysql.dll library. It took me three hours to realize that PHP was looking in \Windows instead of \php for the php.ini configuration file. This despite the fact that php.ini was only located in \php, and I had added that to the PATH server environment variable! A test script with the phpinfo() command was essential to discover this fault.

I am still working on the second roadblock. PERL is not returning informative error messages. When a script does not compile properly, the browser only returns an "incomplete set of headers" error message. In our old IIS5 setup, this would usually be followed by "the headers it did return are ...", which would provide the substance of the error message. Not this time! I need to determine whether this is a normal consequence of an incomplete set of PERL modules, or whether there is a way to turn on more verbose error messaging. I suspect that my answer lies in some command-line testing.

In other news, Richard Bender has completed most of the new server setup and will begin the migration tomorrow. Ina upgraded Raiser's Edge to version seven, and we are aiming to join the first admin users to the new domains on Monday.

Student.User, High School Graduate!

Posted by: rkassissieh
June 4, 2006

Our beloved student.user network account graduated today. It first entered the school in the fall of 2002 as a test account for student network privileges. Needing a security group, it joined the new class of 2006. For four years, student.user made its way through the ninth grade curriculum, found a new group of friends during sophomore year, unsuccessfully ran for V.P. of Diversity junior year, and experienced a vicious senior slump this year. College really isn't in the cards for student.user. We think it is going to take some well-deserved time off and contemplate what to do next. A return to the class of 2010 is pretty much out of the question, since our current practice is to create a student test user account for each class. So, 2008.user and 2009.user are currently making their way through the rigorous UHS program, and the tech department will have many graduations to celebrate in the future. One thing for sure -- the tuition payments are killing us!

p.s. Teacher.User appears to be a lifer.