Novell GroupWise ® 6 Deployment and Best Practices Howard Tayler GroupWise Product Manager Steve Whitehouse Systems Engineer Frank Sinak Technical Consultant UAB Health System Jayson Berger Account Manager Gregory White Systems Engineer

Vision…one Net A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries Mission To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Agenda Guidelines for deployment of Novell GroupWise ® 6  The upgrade process Case Study: University of Alabama Leveraging new features of GroupWise 6  Server consolidation  Proactive monitoring  LDAP authentication  The “Internet Office”

for guidelines deploymeNt

Key Principles Behind the GroupWise 6 Upgrade Take no chances  Pilot the code before rolling out enterprise-wide  Remember, GroupWise is a mission-critical app Admin, agents, clients  The “back end” is compatible with all 4.x and 5.x “back end” components  The GroupWise 6 Client, WebAccess, and GWIA cannot connect to a 5.x post office  The GroupWise 5.x Client, WebAccess, and GWIA connect fine to a 6.x post office

Upgrade At-A-Glance Install the Novell ConsoleOne ® snap-ins Upgrade the primary domain Upgrade secondary domains and post offices Upgrade gateways Deploy clients The upgrade is simple—just install and load the new code

Upgrading Domains Primary domain first Communication  Primary must be able to communicate with all secondary domains  4.x and 5.x MTAs can communicate directly with a GroupWise 6 MTA Steps  Install GW 6 MTA—agent install will merge startup files (user ID and password can be in the directory now)  Previous configuration settings in Novell eDirectory ™ are preserved  Unload MTA and reload with GroupWise 6 MTA  View domain with ConsoleOne to verify version  Repeat for each secondary

Upgrading Post Offices The “owning” domain must be upgraded first Steps  Install GroupWise 6 Post Office Agent (POA)  Unload/reload POA  Wait… Post office upgrade is complete when the POA has rebuilt/recovered WPHOST.DB  ConsoleOne will indicate version 6 for the post office  The Admin thread in the POA will show a “recovery count” of 1

Agent Installation Information Information to have on hand  Domain name (for MTA startup file naming)  Post office name (for POA startup file naming)  Universal Naming Convention (UNC) path to domain and post office directories  HTTP port for the monitoring agent Automatically launch agents?  If this is used, and a POA and MTA are running on the same server, the POA will need to be unloaded and reloaded later

Upgrading GroupWise WebAccess Upgrade servlet Upgrade GWINTERs ConsoleOne will have new objects  Provider (Application) objects for GroupWise Monitor, WebAccess, WebPublisher  Servlet objects Set default WebAccess  WebAccess is now capable of redirection New features  Rules, Signatures,“Mark Unread,” personal address book creation Required for GroupWise wireless

Upgrade the GroupWise Internet Agent (GWIA) Run the agent install Configuration tips  DSN (Delivery Status Notification) is now available  Relay does not require exceptions for authenticated POP and IMAP  Secure POP, IMAP, and SMTP require a certificate The certificate cannot be password-protected

Roll Out The GroupWise 6 Client Novell ZENworks ®  Use.AXT files provided by Novell with GW6 SP1  Installation MUST deal with dependencies: Windows Messaging is the critical piece Or… SetupIP with SETUP.CFG  Hide prompts from users  Force standardization of paths  Prevent help-desk calls

Using SetupIP and SETUP.CFG Run WRITEIP.EXE  Software/admin/utility/setupip  GUI for creating WRITEIP.INI and SETUPIP.EXE  List paths to up to four web servers for client install Edit SETUP.CFG  Show dialogs = No, Standard Install = Yes  New option for showing individual dialogs  “Windows Messaging = Yes” will require a reboot mid-install Web server requirements  Web server must support file dates  Web server must list 400 files without truncating the list

deployment in actioN

Deployment Case Study: The University of Alabama at Birmingham Medical Center

The University of Alabama at Birmingham (UAB) The cornerstone of the UAB Health System is the University of Alabama at Birmingham (UAB)  UAB was established in 1969 as an autonomous university within the University of Alabama system  It now serves as one of the nation’s top-ranked universities in research support and higher education and is home of a world- class medical center that has been serving Alabama for over 50 years  UAB is widely known for top-notch medical education and innovative medical and scientific research activities Participating in Novell Academic Licensing Agreement (ALA) and Novell Tech Support Premium 600 with PSE

The University of Alabama at Birmingham Medical Center The medical center is part of the UAB Health System  UAB Hospital —908 beds  UAB Kirklin Clinic —30 distinct multidisciplinary clinical units  UAB Health Centers —neighborhood clinics in Birmingham, Hoover, Huntsville, Montgomery, Selma, and Tuscaloosa  The University of Alabama Health Services Foundation — a 660+ closed-group physician practice  UAB Eye Foundation Hospital —offering the latest ophthalmic microsurgery, corneal transplantation, and an emergency department dedicated to treating trauma to the eye  The University of Alabama School of Medicine —clinical training programs

Just the Facts… The University of Alabama Health System (UABHS) network is a campus area network consisting of over 685 hubs, routers and switches connecting 55 buildings and maintaining, on average, over 9,800 active user connections UABHS maintains two parallel network backbones  An ATM LANE network and a Gigabit Ethernet network  Full migration to Gigabit is currently in progress 11,000+ users (total), 8,000+ GroupWise users 128+ servers (total), 16 GroupWise servers  68 NetWare, 49 NT/2000  3 domain servers, 10 Post Office servers, and 3 gateways

UABHS GroupWise Layout Primary Domain UAB Internet Agent GWIA1 MSGUAB Secondary Domain HOS MSGHOS Secondary Domain HSF MSGHSF SFM/SVC ANC/CLN MSGHSF01 HSFPO1 HSFPO2 HSFPO5 MSGHSF02 HSFPO3 HSFPO4 HSFPO6 Secondary Domain WEB1 MSGWEB1 Secondary Domain WEB2 MSGWEB2 Internet Agent GWIA MSGIA GuinNT GuinNT2 MSGCLN02 HOSPO12 MSGANC02 HOSPO11 MSGSVC02 HOSPO10 MAGADM02 HOSPO09 MSGCLN01 HOSP04 HOSP08 CLN ANC SVC ADM MSGANC01 HOSP03 HOSP07 MSGSVC01 HOSP02 HOSP06 MSGADM01 HOSP01 HOSP05

Why Move to GroupWise 6 Secure POP/IMAP Near full-featured WebAccess Wireless Backup/restore GW Server clustering Improved user move/post office consolidation Mailbox size restrictions

Pre-Installation— Do the Homework Read  README.TXT  Novell Product Documentation Installation and Upgrade Manual  “GroupWise 6 Upgrade Guide” By Tay Kratzer and Danita Zanré Developed implementation procedures  Performed upgrade on test system  Created check list

Pre-Installation— Do the Homework (cont.) Prepared the system  Validated domains and post offices to be sure no physical problems exists  Backed-up each component immediately before the upgrade  Copied new startup files to each domain and post office Prepared the users  Scheduled a time  Notified/reminded the users

Installation Used installation wizard  Extended schema  Walked through the wizard to upgrade each component  Upgraded the entire system at once

Post-Installation Rolled-out new GWCheck Rolled-out ConsoleOne and new snap-ins Flagged GWDOM.DC and GWPO.DC files as read- only Obtained new MAC view files from Support.Novell.com and installed to each PO Pushed client

Problems/Gotchas WebAccess  WebServer would not load  Installed Field Test File of GW 5.5 Enhancement Pack Support Pack 3 to work around problem until a fix was found Relay exceptions  With GW6, the IMAP or POP client must authenticate to the server before they can relay  No other exceptions need be defined

was no more difficult “Upgrading to GroupWise 6 Support Pack” than applying a GroupWise Frank Sinak UAB Health Systems

principles into turning solutioNs

Getting the Most Out of GroupWise 6 Proactive System Monitoring Server Consolidation LDAP Authentication The “Internet Office”

Proactive System Monitoring Deploy GroupWise Monitor  Use the same HTTP Monitoring password for all agents  Monitor can track legacy agents via SNMP Set Thresholds  Queues  Agent Status  Requests Pending  Disk Space  Rebuild/Recover operations Start with low thresholds  Monitor with increasing severity  Frequency, magnitude, and duration yield Impact

GroupWise Monitor Learn more during Session TUT221 Connect to Domain Database MTA Poll agents via XML over HTTP POA MTA POA SNMP-based Mgmt System Alerts WAP Device

Server Consolidation Why Consolidate?  Reduced hardware expense  Reduced administration overhead  Increased administrative responsiveness  The “Internet Office” Supporting Features  GroupWise Smart Caching ™ mode  Multi-threaded GWCheck  “Live” mode user moves  Disk-space management  GWCheck expire downloaded items

Online Mode vs. Caching Mode Performance Scalability Thresholds Lab Results on a Pentium 1266 system  The POA starts to back up at around 570 c/s requests per second  Online mode: the 570/sec mark is around 4700 users  Caching mode: 570/sec is around 14,000 users With Caching mode, performance thresholds are not your limiting factor

Preparation for Server Consolidation Deploy GroupWise 6 at the POA and all clients Collect Benchmarks Apply Mailbox Size Limitations  Be generous… just let online users know the space they are taking up Enforce Caching mode Run GWCheck with “expire after download” options Collect Benchmarks

Meaningful Benchmarks to Record Post office directory size Time required for backup/restore Pending Client/Server Requests Client/Server Requests per unit of time Server Utilization Messages in queues End-user opinion Be sure to tune the server for best GroupWise performance  TID , Appendix B

Server Consolidation Based on your benchmarks, decide how many users you can support on a single server Consolidate by moving users from multiple post offices to a single post office The GroupWise 6 “Live” move process is 4 times faster than the 5.5 move process and is transparent to the end-user

Server Consolidation And The WAN Configure for Stability  LAN links should be meshed  WAN links should follow WAN topology  One MTA and domain per server  Immediate Purge ON  Create separate routing domains for GWIA, Async, and WebAccess as necessary Improvements in GroupWise 6  8KB chunk transmission (first appeared in 5.5ep SP2)  Message size-based delay and blocking per link  Message size restriction per user, domain, or post office

GroupWise WebAccess GroupWise Client LDAP Authentication to GroupWise Post Office Agent GroupWise 6 SP1 LDAP Server eDirectory 8.5 (or any LDAP v3 Directory) Login Request Credentials Results

LDAP Authentication: Prerequisites and Limitations GroupWise 6 SP1 POA, WebAccess, and Client  (client and WebAccess required for interface support of password expiration dialogs) eDirectory 8.5 LDAP Server, with GroupWise users in the eDirectory 8.5 tree  OR User object MAIL attribute synchronization between GroupWise and the LDAP server of choice For full password expiration functionality the POA must be forced to BIND

LDAP Authentication: Post Office Configuration required recommended leave blank 636

LDAP Configuration: Why Leave the LDAP User Name Blank? Credential behavior with the LDAP user name and password  POA will use this user name and password to connect, and then do a ‘compare’ of the user-provided credentials against the LDAP directory  ‘compare’ does not support expiration of passwords Credential behavior without the LDAP user name and password  POA will use the user-provided credentials to attempt to bind to the LDAP server.  Password expiration is supported for a BIND connection

LDAP Configuration: SSL Certificate Use and Requirements Why Use SSL?  Without SSL LDAP credentials are passed in the clear—this is unacceptable, even within your firewall SSL Certificate must be a Trusted Root certificate for the LDAP directory  This is the way the standard is written—it’s an LDAP requirement The LDAP SSL Port is 636—required in the address field Learn more during Session TUT222

LDAP Configuration: Using an external LDAP Directory By default, the POA will look for the DN- converted user name (CN=htayler, OU=groupwise, O=novell) If the LDAP directory is not structured like the tree GroupWise is using, this will fail, and the POA will fall back on the MAIL attribute.  This assumes a meta-directory synchronization tool (DirXML, anyone?) populating both GroupWise and the external LDAP directory, so that the GroupWise address and the LDAP MAIL attribute match.

Reducing Your Network Costs: The Internet Office WAN $$ Corporate Network

Reducing Your Network Costs: The Internet Office GroupWise 6 Internet Corporate Network

Supporting Features for The Internet Office SSL Transfer Between Agents  Securely use the Internet as your WAN for POA and MTA traffic POA Proxy-Server Connectivity  Allow remote users to connect to the POA without requiring a VPN or a Live-Remote MTA Learn more during Session TUT222

The Internet Office: POA Proxy-Server Connectivity IP Address “Z” Proxy IP Address “Y” IP Address “X” Requests sent to address “Y” Requests sent to address “Z” Responses sent to address “Y” Responses sent to address “X”

POA Proxy Server Connectivity: Agent Configuration start here recommended required

For More Information GroupWise 6 Best Practices Guide  practices_guide_gw.html GroupWise 6 Deployment Guide  13.pdf GroupWise 6 Upgrade Guide  From Tay Kratzer and Danita Zanré  GroupWise 5.5 Best Practices Guide  TID at