Date post: | 12-Jan-2016 |
Category: |
Documents |
Upload: | melvyn-willis |
View: | 214 times |
Download: | 2 times |
www.novell.com
How NIMS™ Was Deployed for Tens of Thousands of Students at the University of Kentucky and Embry-Riddle Aeronautical University
How NIMS™ Was Deployed for Tens of Thousands of Students at the University of Kentucky and Embry-Riddle Aeronautical University
Matt DeFoorDirectory EngineerUniversity of [email protected]
University of Kentucky at a Glance
• Facts Public, land-grant university Enrollment (FTE)=32,584
• Includes Lexington Community College Home of me, [email protected] (and a few others) Shoes optional
The “Education” of Novell Internet Messaging System™ (NIMS)
• Brief history of e-mail at the University of Kentucky (UKY)
• Proposal to implementation• Design of UKY NIMS system• Design of separate NIMS tree• Design and implementation of DirXML™
• Customization—templates and software• Problems, pitfalls, and ways to avoid them• Leveraging Novell eDirectory™ • Summary• Questions and answers
Brief History of E-mail at UKY
• IBM mainframe
• cc:Mail
• Sendmail and Qualcomm’s Qpopper
Request for Proposals to Replace Aging Sendmail and POP Service
• Proposed system requirements POP, IMAP, web access 25 MB quota per user Directory-enabled Calendar support Scan mail for viruses
• Timeline First proposal—February 2001 NIMS approved for implementation—April, 2001 Production deadline—August 4, 2001
Mail Systems to Be Replaced—or Not
• All centrally supported mail systems IBM mainframe Campus POP server UNIX mail for students in engineering labs
• System not to be replaced—Microsoft Exchange
Needed for “power users”
Proposal Accepted and Real Work Begins
• Deadline: August 4, 2001• UKY Mail Team
The NetWare® group (NIMS admins) Graphics people PR people Old mail system admins Meetings, meetings, meetings
• By the way—NIMS v3 wasn’t released yet
Spec and Order Hardware
•Five Dell PowerEdge 6450
•Dual 700 Mhz XEON Processors
•4 GB RAM•18 GB RAID1 system drives
•Two Dell PowerEdge 2550•Dual 1Ghz Processors•2 GB RAM•18 GB RAID1 system drives•Dell SAN—1.6 TB of usable
space•PowerVault 660F
•Three PowerVault 224Fs
Design of UKY NIMS System
• Distributed messaging architecture Flexible Redundant Scalable More complex
Initial Design of UKY NIMS System
• Initial production environment Windows NT 4.0 server running McAfee SMTP
WebShield 4.51 One NIMS SMTP server
• Also running POP3D for legacy clients Two “client” access servers: POP3D, IMAPD,
ModWebd Two back-end servers connect to SAN for
access to mail store
Initial Design of UKY NIMS System (cont.)
Initial Design and Implementation
of UKY NIMS System
Volume configurations
4 GB SYS volumes—RAID1; 64 Kb block size; block sub-allocation = on
12 GB SPOOL volumes—RAID1; 64 Kb block size; block sub-allocation = on
SMTP, SMTP1, CLIENT1, and CLIENT2
4 GB SYS volumes—RAID1; 64 Kb block size; block sub-allocation = on
12 GB SPOOL volumes—RAID1; 64 Kb block size; block sub-allocation = on
800 GB PV volumes—RAID5; 64 Kb block size; block sub-allocation = on
NMAP1 and NMAP2
Current Design and Implementation of UKY NIMS System (cont.)
• Production environment Two SMTP servers running Antivirus Agent
• Also running POP3D for legacy clients Two “client” access servers: POP3D, IMAPD,
ModWebd Two back-end servers connect to SAN for
access to mail store
Current Design and Implementation of UKY NIMS System (cont.)
Current Design and Implementation of UKY NIMS System (cont.)
Volume configurations
4 GB SYS volumes—RAID1; 64Kb block size; block sub-allocation = on
12 GB SPOOL volumes—RAID1; 64Kb block size; block sub-allocation = on
SMTP, SMTP1, CLIENT1 and CLIENT2
4 GB SYS volumes—RAID1; 64Kb block size; block sub-allocation = on
12 GB SPOOL volumes—RAID1; 64Kb block size; block sub-allocation = off
800 GB PV volumes—RAID5; 64Kb block size; block sub-allocation = off
NMAP1 and NMAP2
Tree Structure Design
• The file/print tree [UKY] is the result of a distributed design run amok… courtesy of Gary Porter
• We could have leveraged our existing Tree, but we didn’t feel comfortable
One wrong move by a local admin could seriously affect mail delivery for 44,000 users
Dynamic vs. Static Tree Structure Design (cont.)
• Dynamic The UKY Tree is a dynamic tree where
servers are added and removed, schema is extended and partitioned and replicated across campus and some WAN links
• Static Static tree—one where the addition of
servers, schema extensions, and partition operations were limited and under our control
Dynamic vs. Static Tree Structure Design (cont.)
So the plan was simple…we’ll have a separate Tree and sync the two with DirXML…no sweat*
* “No sweat!” is a trademark of UKY
Separate Tree for Mail System
• Ergo…The One True Directory [TOTD]* This is an inside joke among NIMS admins Active Directory is referred to as the savior of our
supposed directory problems—even though it only has a few thousand users and [TOTD] has over 43,000
The [TOTD] tree is used for everything from web page authentication to VPN access to RADIUS authentication• Oh, did I mention that they can use the same userid
and password to access each of these services?
* [TOTD] is a trademark of UKY
TOTD Tree Structure
• TOTD design and structure Consists of six servers NetWare 5.1 SP3 + various patches Pure IP Novell eDirectory v85.12a
TOTD Tree Structure (cont.)
Standard security container
TOTD Tree Structure (cont.)
Server objects
Volumes objects
LDAP group and server objects
TOTD Tree Structure (cont.)
Contains administrative objects, e.g., postmaster, groups, etc.
TOTD Tree Structure (cont.)
Group objects used for aliases
TOTD Tree Structure (cont.)
Approximately 44,000 hashed objects—serviced by two different NMAP servers
TOTD Tree Structure (cont.)
NIMS Messaging Server Objects; Parent Objects; Templates; Mailing Lists
TOTD Tree Structure (cont.)
TOTD Tree Structure (cont.)
• Partitions Three servers hold a partition of [ROOT] All servers hold a partition of UKY and Internet services Three servers hold a partition of DirXML DriverSet
Sync TOTD with UKY
DirXML—How We Did It
• Learn DirXML• Learn XML• Learn XSLT• Determine what attributes to sync• Configure Filters• Write custom Create Rules and Stylesheets• Novell Consulting—validate DirXML
implementation• No Sweat!™
Plan for Moving Existing Mail to NIMS
• Develop software to move… Existing mailboxes Existing aliases Existing forwarding
• Test the migration
Develop Custom Operational Software
• Keeping things user-friendly Form-based login for WebAccess via SSL
• Perl program to perform actual login from web form data
• Revise program to handle WebAccess session cookie (introduced with NIMS 3.0 RC2)
Form-based change password page• Perl program to affect password change from web
form data
Customized Form Login Page
• Ease of use
• Provide information on the login form page
• Redirect to our custom pages on failed logins
• Log in via SSL, then redirect out of SSL
• Public templates weren’t available
Customized Redirect Pages
Customized Redirect Pages (cont.)
Customized Password Page
• NIMS NIMS requires login to
WebAcess/WebMail Confusing if SSL is
required
• Custom Always performed via SSL You can implement
password restrictions Doesn’t require MobWeb
to change the password Easier to use
Population and Maintenance of NIMS Users in eDirectory
• Perl program to automatically add users from campus User Account Management System (UAMS)
• Perl program to push pre-populated calendar file to each user
• Perl program to handle deleted accounts Aging before removing mailboxes and mail directories
• Web front-end to IMSAudit data
Web Front-end to IMSAudit Data
Web Front-end to IMSAudit Data (cont.)
Customized WebAccess Template
Customized WebAccess Template (cont.)
Customized WebAccess Template (cont.)
•Example of pre-populated Calendar entry
Customized WebAccess Template (cont.)
•Example of pre-populated Calendar entry
Customized WebAccess Template (cont.)
Problems, Pitfalls and Ways to Avoid Them
• Modweb/WebAccess Limit your end-user expectations
• WebAccess/WebMail is your thin friend, not your fat client
• PR will be your friend Don’t let bad PR
give you a black eye
Don’t
PR Do’s and Don’ts
• Tell your users about the new system
• Tell your users you are moving to a new system one week before the changeover
• Tell your users of the benefits of the new system
• Tell your users—who all use the POP protocol—that they must go to IMAP
• Tell your users they now have web access to their mail
• Make them believe this is now the only mail access they have
• Come up with a catchy name
for your new mail system
• Have a stupid name like U-Connect@UK
Do
Problems, Pitfalls and Ways to Avoid Them
• Antivirus gateway (a problem before NIMS 3.02b)
McAfee Webshield SMTP for Windows NT Doesn’t support S/MIME attachments Malformed messages would cause the queue
to stop processing Obsolete because of antivirus agent
Using NIMS to Leverage NDS at UKY
• NIMS (TOTD) tree design recap• Using TOTD tree for wireless authentication• Using TOTD tree for campus software
download authentication• Using TOTD tree for authentication only
(no e-mail) Simply disable mail access in IMS configuration
page of NWAdmin
Monitoring NIMS
• Babymon Monitors NIMS agent connectivity
• ZENworks for Servers (ZfS) Monitors abends NDS Other OS problems
• Multi-router Traffic Grapher (MRTG) CPU utilization Messages received IMAP, Modweb and POP connections Kb transferred NIC statistics
Monitoring NIMS with MRTG
Monitoring NIMS with MRTG (cont.)
Monitoring NIMS with MRTG (cont.)
Monitoring NIMS with MRTG (cont.)
NIMS Resources and Errata
• www.nimsinfo.com• www.myrealbox.com• [email protected]• [email protected]• novell.support.collaboration.internet-messaging-
system• www.perldap.org• Multi-router Traffic Graffer (MRTG)
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
wiN big
gear up,rope in, and climb on
gear up,rope in, and climb on
with Novell Provisioning solutions
with Novell Provisioning solutions
Novell Provisioning table
pick up your entry card today
in the one Net solutions
lab
at the