Archive for Server

But will it include calendars?

Apple says:

Snow Leopard includes out-of-the-box support for Microsoft Exchange 2007

Does this mean just mail, or mail+calendar, or the whole package? Note that even Microsoft Entourage does not sync Notes or Tasks with Exchange Server.

On a related note, Jon Udell has built a small script (exchange2ical) to publish iCal feeds for Exchange calendars!

I wonder which approach will bear fruit most quickly.

E-Mail Archiving

Mary Beth Herkert
Archives Division, Information Resource Management Unit

Work on home computers is part of public record
Records retention schedules
Preserve only for as long as it is needed to accurately document agency functions
Core Elements of a Good Policy
– appropriate use statement
– access to employee computers and accounts; privacy notice
– retention of e-records
– policy awareness
– training
– compliance
Email management manual online (state archives)
Alternative communication devices
– IM
– PDAs
– Chat roms
– Blogs
Public employees — no expectation of privacy
Individual employees make decisions about what to retain (realistic?)
“Knowingly destroy public records” – okay if it’s a mistake
Synchronizing email to home computer — yes, the home computer could be subpenead
Messages that need to be saved for a long period of time should be exported from the email system
Create a filing system that is the same for both electronic and paper records (e.g., naming conventions)
Voicemail is not a public record for retention in Oregon
No jurisdiction over a private school — subject to federal requirements
Audio recordings need to be kept for one year, even if minutes were taken
May not need to capture email messages if records are documented elsewhere (e.g., teacher communicates progress report to parents)

Mary Beth Herkert
Archives Division, Information Resource Management Unit
http://arcweb.sos.state.or.us

Cisco Clean Access Woes

In August, we implemented Cisco Clean Access (also knows as Network Access Control) in order to limit the school wireless network to known users and scan desktop computers for running antivirus and the latest OS patches. Unfortunately, our implementation has hit a few snags, to the point where most of our user population is pretty cynical about the impact of Clean Access on their ability to operate and the supposed benefits it brings.

We currently have the following concerns about our implementation of Clean Access.

  • It’s mid-December and Cisco has not yet released a Leopard-compatible agent.
  • CCA login times vary from a few seconds to several minutes.
  • The current agent is not dual-NIC aware, trying to authenticate users against the secondary connection.
  • The Windows client often crashes, requiring a reboot before the user may log in.
  • One or two users per day end up in the temporary role for reasons unknown.
  • The agent often becomes unresponsive when a user switches VLANs.
  • A new patch that came out in September was incompatible with AdAware 2007 and booted half our user base from the network.

How has Clean Access been for you? Are these typical problems, or do we have a unique situation?

Update 1/8/2008: We successfully installed a secure certificate and upgraded the server and agent to new versions (4.1.3.0 on the Mac). First tests show improvement in client behavior. We are looking forward to further testing with real users to see how many of our issues the new client software solves.

Update 1/10/2008: I have the new CCAAgent 4.1.3.0 running on Leopard. We noticed right away a processor utilization issue — CCAAgent was using 100% of the processor every few seconds, not good for laptops trying to conserve battery power during a long school day. Cisco sent the following fix.

First, create a preference.plist file for youself: Show Package Contents on Applications – CCAAgent and copy Resources – setting.plist to your user Library – Application Support – Cisco Systems – CCAAgent and then rename it preference.plist. Create these folders if they don’t exist.

Run the following script in terminal (all on one line):
osascript -e ‘tell application “System Events”‘ -e ‘set the thePListPath to “~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist”‘ -e ‘tell application “System Events”‘ -e ‘tell property list file thePListPath’ -e ‘tell contents’ -e ‘set previousValue to value’ -e ‘set value to ({|VlanDetectInterval|:”0”} & previousValue)’ -e ‘end tell’ -e ‘end tell’ -e ‘end tell’ -e ‘end tell’

This turns off automatic VLAN detection in the Clean Access agent, which solves the processor utilization problem.

Update March 27, 2008
You can package the above into an executable AppleScript. Look closely — the shell command actually executes AppleScript!

Meta-calendaring with Exchange?

Dear Blogosphere,

Like many schools, we are deeply invested in Microsoft Outlook and Exchange Server. Yet, we struggle with these products’ limited calendaring abilities. We would really like a modern calendaring system that allows users to turn layers on and off for different public resources. Rather than having dozens of individual, mutually exclusive calendars, my users want dozens of layers in a single multi-calendar. Additionally, portability would be key — the ability for a single user to include an item from a public calendar in one’s personal calendar without unnecessary duplication. I have heard of Zimbra but not given it a close look. We must continue to use Outlook, and frankly, we would like to continue to use Exchange if we can, to minimize the amount of change in our system.

Do you know any open-source tools that can layer on top of Exchange to provide these meta-calendaring services?

Comparing SSL VPN Java client on Mac and Linux

One of our best purchases this year is the Sonicwall SSL-VPN 200, a $500, web-based VPN solution that allows up to ten concurrent users to get on the LAN from any location using a web browser and an Active Directory login. The software provides two choices for the browser plug-in used to present the terminal window: ActiveX or Java. Having eliminated Microsoft Windows from our home, we use the Java client exclusively. I have noticed that the Java client is so much faster on Linux than Mac OS. It practically feels like I’m on the LAN. I find the same difference with the Java applet that Menalto Gallery uses for bulk uploads. Do you know why Java applets run so slowly on a Mac? Can anything be done about this?

New Time Zone, Same Microsoft Problems

DST

So our daylight savings transition has gone no better or worse than expected. As explained before, we followed all the Microsoft instructions, yet their timezone move tool only correctly handled about half of the incorrect calendar entries. The only solution left is to manually open each item and re-save it. Although tedious, at least this finally resolves the problem. Have you found a way to do this on a global scale?

Oh, and the Blackberry DST update blew up partway through, and I had to reinstall all my handheld software. We have lost a lot of time on this daylight savings time change!

Server room cleanup

Before break, we spent a day decluttering and rewiring the entire server room. It was both a cathartic and productive day. Now we can sleep better at night knowing that each server has one power supply connected to a newly beefed-up UPS and the other connected to filtered power. This will no doubt pay off down the line in reduced power supply failure and cleaner shutdowns when we lose power.

server room

Permanent Redirects

You may know how the web address for Outlook Web Access always ends in /exchange, which is okay in a link but not if you’re trying to tell people the address. If anyone happens to go to the home page of the site, they get a “no home page” error.

Exchange default home page errorExchange server default home page!

Since the webroot for IIS on Exchange server is just about empty, so you can easily replace the default page if you like with a permanent redirect. I also found a great summary of this technique applied in different programming languages at Permanent Redirects with HTTP 301. Here’s the code for ASP, which is enabled by default on your Exchange server.

<%@ Language=VBScript %>
<% ' Permanent redirection Response.Status = "301 Moved Permanently" Response.AddHeader "Location", "http://www.yourdomain.com/" Response.End %>

This technique is useful anywhere you would like an easy redirect to another directory and you don’t have access to a .htaccess file (Linux) or the IIS admin interface (Windows).

Of course, it’s easier in PERL with CGI.pm or in PHP.

header("Location:http://www.yourdomain.com");

Active Directory Management From Your Desktop

I found out today how to manage Active Directory users and groups directly from my pc. After four years of terminaling into servers to access Active Directory, this helps consolidate administrative applications on my computer. It’s also a plus that I am running Windows under Parallels. This is a tech note that our former employee Jonathan wrote up.

Installing “Active Directory Users and Computers” Module with Exchange Features on Windows XP SP2 Workstations, using Exchange 2003

In Windows XP SP2, the SMTP snap-in is installed with the IIS snap-in. The SMTP Service is a separate component that is not required. The WWW Publishing Service is also not required. The Windows Server 2003 Administration Tools Pack is still required, because it provides the NNTP snap-in and the Active Directory Users and Computers snap-in.

1. Verify that you are using Windows XP SP2

2. Install IIS Snap-In (Add/Remove Programs – Windows Components)
a. Select “Internet Information Services (IIS)” and click the “Details” button [requires Windows XP CD]
b. The “SMTP Service” and “World Wide Web Service” can be unchecked

3. In Services, disable SMTP and WWW services, if applicable

4. Install Windows Server 2003 Administration Tools Pack [We had this on our network. It’s probably on the Server 2003 install CD.]

5. Install Exchange System Management Tools:
a. Insert the Exchange Server 2003 CD—When the installation splash screen comes up, click on Exchange Deployment Tools under the Deployment section
b. On the Welcome to the Exchange Server Deployment Tools screen, click Install Exchange System Management Tools Only
c. The following screen explains some of the prerequisites for installation… scroll to the bottom of the screen and click “Run Setup now”
d. In the Exchange installation “Component Selection” screen change the Action for the “Microsoft Exchange” heading to Install or Custom
e. Change the Action for “Microsoft Exchange System Management Tools” to Install
f. Complete installation

User and group management tabs
AD management

The Triumphant Return of DAF

I have succeeded in configuring DAF5 on our new IIS6 web server. DAF is the linchpin of our web intranet, as it permits our web site to authenticate parents without creating network accounts for them. It also provides a standard HTML login form instead of the default Windows popup dialog.

DAF permits a web site to authenticate users against two databases. We authenticate our network users against Active Directory and our parents and guest users against an Access database. DAF checks the Access database first and then forwards unknown users to IIS for Active Directory authentication. I don’t know of another product that does this function, so I was thrilled to be able to configure it correctly. Since DAF5 is in perpetual beta, documentation is scarce.

I found the correct configuration through educated trial-and-error. Here are the key steps.

IIS Manager –> [your web site] –> Properties –> Directory Security –> Authentication and Access Control –> Enable Anonymous Access

You must allow IIS to enable anonymous access in order for DAF to take over authentication for this web site.

Security Handler –> Always use a SSL connection

This is essential to prevent the plain text transmission of user passwords. Windows is no help in this regard, since Windows basic authentication is required in order to authenticate non-Internet Explorer users. Instead, I have purchased a SSL certificate for this web site, which in conjunction with DAF will make login encrypted for all users.

Security Handler –> Login Form Type –> HTML Login form

This points DAF to a HTML form instead of using a standard popup dialog. The form is located in /session in your web site. You can modify the HTML there, as long as you leave the form mechanics and includes intact. Check out our modified login form.

By default, login failure brings up a different web page. I pointed our failure page back to the same login form page, on which the error message appears. Later, it would be preferable to either make the error messages more verbose or to redirect to a different failure page with more information about what the user can do to correct the problem.

Security Handler –> User ID & Session –> HTML Login Form (using Cookies)

I used the defaults for HTML form.

Security Handler –> Advanced –> Default DAFAUTH.INI file

This step is critical to protect all of the directories in your web site at once. By default, a dafauth.ini file must be present in each directory in your web site. Since this is impractical, it is easier and more secure to choose an appropriate ini file here. Mine has the following simple settings:

[PreAuthentication]
Anonymous = disable
Authenticated = enable

Then I set NT folder security as appropriate for the access permissions I want.

Security Handler –> Count as ONE Registered Protected Site

If you don’t register with DAF, then only ten users can connect to your site.

Security Handler –> Logs

Enable Write to log file. DAF keeps different sets of error logs for different purposes. The most useful logs for debugging configuration are site-specific and found in /dafdata just outside the web site directory that you specified during installation. Note that /dafdata has the web site resource id appended to its directory name.

User DB –> Data Store –> Primary Data Store –> ODBC Data Source –> Settings

User your server’s Administrative Tools –> Data Sources (ODBC) to set up an ODBC link to your external database containing non-network user information. I wrote a separate PERL script to populate this database with registered parent login information.

Source & Connection tab: Select the ODBC source for your database and provide login information if necessary.

Table & Columns tab: Match the columns in your ODBC database to DAF standards.

Advanced tab: Use defaults

User DB –> Data Store –> Secondary Data Store –> NT User DB –> Settings

Default NT Domain: Select NT Domain User Database and specify the default NT domain. This step seemed helped in order to successfully authenticate network users without requiring them to specify their domain.

NT Account Mapping: Select Forward credentials to NT/IIS. This step permits IIS to authenticate network users, e.g., those who aren’t in the DAF database.

User DB –> Session

Enable session state. This is required for this approach, but I don’t recall why.

Other settings keep their defaults.

User DB –> NT Accounts

Default mapped NT account: This is an easy way to control privileges for the parent users on our network. As it happens, my parent registration script creates a static mapping in the DAF database, so I leave this setting empty.

Data source Login NT account: A server user that has privileges to read and write the DAF database. If this is improperly set, you will see corresponding error messages in the site error log.

User DB –> Encryption

I would like to use encryption, but it is easier to set this up for a clean install than to migrate existing, unencrypted passwords to this system. I will work on this soon.

User DB –> Logs

Write to log file