Tech Talk #1 - Nterprise Branch Office
Jan/Feb 2003 by Linda Kennard
Go the distance with
completing the consolidation picture with Nterprise Branch Office
Enabling branch office users to access the network securely, consistently and at the performance level to which they're accustomed can be a costly nuisance. In fact, as a network administrator, you've probably experienced firsthand the cost and pain of providing, provisioning and managing access to the network for users in branch offices.
At a minimum, you face the cost of setting up the infrastructure–servers, routers and WAN connections–that enable communications between branch offices and the core network. Then you cope with annoying management issues, such as ensuring that visitors to branch offices retain their network rights and making certain that user data on branch office servers are backed up daily. To deal with setup and management issues, you can hire IT personnel to remain on each site or send corporate IT team members on an as-needed basis, but either choice consumes too much of your limited IT budget.
To avoid some of the costs associated with providing branch office users access to the network, many IT departments are attempting to consolidate network resources and services. A consolidation strategy involves hosting network resources and services on servers that are centrally located at corporate headquarters or a few key data centers. Branch office users then access these resources via portal, terminal emulation or client-server technology. Centrally hosted network resources are easier and less expensive to manage: when something goes wrong, you typically can solve the problem from the central site and thus reduce travel costs.
Unfortunately, attempts to consolidate network resources and services often fall short of completely solving the problem associated with network access at the fringe–and consequently fall short of paying off. Why? One answer is that companies are concerned that consolidating all of their network's resources and services might impede network performance. For example, if you host file and print services on centrally located servers, users' experiences with these services might suffer. When WAN links are congested, users' access to shared files and printers is frustratingly slow. Worse, when WAN links go down, users can't access these fundamental services at all. You know what happens then: best case, users' job performance suffers; worst case, they take matters into their own hands–and then you really have a problem. Novell can relate. Like every other company with one or more branch offices, Novell knows about the cost and pain of keeping branch office users happy and productive–but this cost and pain is history for Novell. To solve a considerable portion of its branch office management problem, Novell created an internal solution and made it publicly available in the form of Novell Nterprise Branch Office.
A multi-function soft appliance, Nterprise Branch Office plays a critical role in ensuring that you reap the cost savings of consolidation, without impeding network performance. In fact, in many cases, Nterprise Branch Office improves performance. Nterprise Branch Office offers uninterrupted access to file and print services for visiting and permanent branch office users, whether WAN lines are up or down. In addition, Nterprise Branch Office automatically provisions access to network resources, reduces directory overhead, and enables daily backups of branch office user data. In other words, Nterprise Branch Office reduces or even eliminates the cost and pain of providing, provisioning and managing network access at the fringe.
getting things going–just the gist
As you would expect, the specifics of installing and configuring Nterprise Branch Office vary from company to company and branch office to branch office, depending on your company's and each office's needs. For example, you can configure Nterprise Branch Office as a stand alone appliance or as part of your central network.
Whichever configuration option you choose, the good news is that you probably won't need to send an IT professional to your branch office to get Nterprise Branch Office up and running. In fact, Novell can think of only one situation that might require an IT professional on the branch office end to assist with the setup. (For more information about this situation, see "Eliminating the Need for Local Backups".) In most cases, you'll need only a little help from any branch office user–even the most technically illiterate.
To set up Nterprise Branch Office on the branch office end, you need only someone skilled enough to insert a CD into the appliance's bootable CD-ROM drive and a diskette into the appliance's floppy drive. (You can insert the CD and diskette into any appliance hardware that meets the branch office prerequisites (See "Note".) This bootable, autorun CD images and initializes your appliance when it's loaded as the hardware boots up. Inserting the diskette, which is an optional step in the installation procedure, configures the settings on the appliance to match preconfigured settings. Having completed this arduous task, this person can step away from the machine because at this point, you take over–from virtually anywhere you choose.
To configure the Nterprise Branch Office appliance software, you need only an Internet connection and Microsoft Internet Explorer 5.5 or higher loaded with Java Virtual Machine (JVM) from Microsoft or Sun. Thus wired and armed, you can configure and manage your appliance using Nterprise Branch Office Web Administrator, a browser-based management tool. (You also have the option to manage the appliance from the command line through a keyboard and monitor that are attached to the appliance.)
The first time you access Nterprise Branch Office Web Administrator, it runs a wizard to help you configure the basic settings you need to get the appliance up and running (See Figure 1). This wizard prompts you to set the supervisor password; the appliance name; the DNS name, domain and DNS server address; and, assuming you plan to use these features, user access provisioning and replication to the central office. (For more information about these features, see "Provisioning User Access" and "Eliminating the Need for Local Backups".)
Branch Office benefits–the general idea
Assuming you configure Nterprise Branch Office as part of your central office network and thus take advantage of the product's full capabilities, your Nterprise Branch Office configuration looks similar to the one shown in Figure 2.
As part of your central office network, Nterprise Branch Office offers the following benefits:
- Provides permanent and visiting branch office users with automatic access to their own and shared files as well as print resources to which they have rights.
- Reduces or eliminates directory overhead.
- Eliminates the need for local backups.
- Ensures high performance of authentication, file and print services, which in turn improves employee productivity.
- Delivers disaster fault tolerance.
- Provides the flexibility to use private WAN or public Internet connections between the central office and branch offices.
provisioning user access
Assume for a moment that you've configured Nterprise Branch Office as part of your central office network. What happens the first time a user authenticates to the Nterprise Branch Office appliance? The answer to this question is probably not the answer you expect and gets to the heart of what Novell product manager Dan Lawyer calls the "coolest part" of Nterprise Branch Office.
When Lawyer says this, he's talking about Novell's patent-pending User Access Provisioning technology. User Access Provisioning was driven by Novell's need for its branch offices to be more loosely coupled with its central eDirectory tree than its former directory architecture at the network fringe allowed.
Novell has 120 sales offices located in different parts of the world. More than two years ago, when Novell began exploring solutions to its branch office management problem, it adhered to what was then considered good directory design. That is, Novell IT personnel created a directory partition for each geographic location, and for each partition created three replicas. This left Novell with a design that required a minimum of 120 partitions and 360 replicas to manage in the primary tree.
User Access Provisioning changes the directory architecture on the network fringe, negating the need to tightly couple Nterprise Branch Office appliances with your central eDirectory tree through partitions and replicas. Instead, each Nterprise Branch Office appliance is a single-server tree, "not designed ever to be part of the primary directory," Lawyer emphasizes.
If each appliance is a single-server tree, will someone (you perhaps) need to create user accounts for permanent and visiting users in branch offices? No. The Nterprise Branch Office appliance creates user accounts automatically for any user that has an account in your central eDirectory tree.
The gist of the User Access Provisioning process works like this: Suppose your company's CEO, we'll call him Fred, decides to visit a branch office. Further suppose, that shortly after arriving at this office, Fred attempts to log on to the network, access a file and print out a report. Fred's request for authentication hits the single-server tree on the appliance. This tree, in turn, discovers that Fred doesn't have an account in this tree. Rather than denying Fred access, the appliance routes his authentication request to your central eDirectory tree over the WAN (or Internet) connection using Secure LDAP (See Figure 3).
At the central office, a server that you have configured to receive branch office users' authentication requests receives Fred's authentication request. In addition to meeting the central office prerequisites (See "Note"), this server runs the Novell International Cryptographic Infrastructure (NICI) upgrade and Novell Modular Authentication Service (NMAS). Both of these products are included on the Nterprise Branch Office CD for central office servers.
Having received the authentication request from the appliance, the central eDirectory tree looks for Fred's account. In this case, Fred is a valid user, so eDirectory finds his account and returns his authentication information to the branch office appliance. The appliance, in turn, creates a Fred-User object and caches Fred's simple password as well as several of the Fred-User object's attributes, including the Given Name, Surname, Full Name, Title, Organizational Unit (OU), E-mail Address and UniqueID. Also at this time, the appliance creates a home directory for Fred and enables him to access the shared directories as well as print resources to which he has rights.
By the time this article goes to press, Novell will have released a patch. This patch enables an Nterprise Branch Office appliance to provision access to services based on group information (in addition to the aforementioned user information). With this patch running on the central office eDirectory server and branch office appliance, the central office server sends information about the group or groups to which a user belongs. If the user belongs to a group in the central office tree, the appliance automatically creates the group (if it does not already exist) and places the user in this group at the branch office. Hence, with this update, you can establish group rights that automatically take effect when an appliance provisions services for branch office users.
reducing directory overhead
This access-on-demand, cache-on-demand directory architecture upon which User Access Provisioning is based, considerably reduces directory overhead. For example, where Novell once had 120 partitions and 360 replicas, it is now working toward having only five primary data centers and one partition per data center. For each of these five partitions, Novell IT personnel will create three replicas. This means that ultimately Novell will manage only five partitions and 15 replicas.
At the time this article was written, Novell was still in the midst of its consolidation process. When the process is complete (as it should be before the end of this year), Novell's branch office directory trees will no longer be part of its central eDirectory tree. Instead, each branch office will have single-server trees on appliances that are only loosely coupled with Novell's central directory. "So what we're doing," Lawyer explains, "is centralizing, even the directory to where it exists only in the regional data centers rather than each branch office."
What this means to you is that with Nterprise Branch Office, you can manage all of your users centrally through your primary directory without suffering the overhead typically associated with a distributed directory. In other words, you get the benefits of a central directory without the drawbacks.
When you configure Nterprise Branch Office as part of your central office network, Nterprise Branch Office ensures that users (to whom it has provisioned access to services) have steady and possibly faster access to files–whether WAN links are up or down. Nterprise Branch Office also ensures that users can find and print to any local printer to which they have rights.
With Nterprise Branch Office as a standalone device or as part of your central network, users can access their own and shared files on the local appliance using any of the popular file access protocols, namely Hypertext Transfer Protocol (HTTP), Common Internet File System (CIFS), NetWare Core Protocol (NCP), Network File System (NFS), Apple File Protocol (AFP) and File Transfer Protocol (FTP). (In a future release, Novell also plans to enable users to access their Novell iFolder files.) Users can access these files from their office computer (using whatever interface or method they're using now) or from the Web using a browser.
When users log in to an Nterprise Branch Office appliance using a browser, they also have access to self-service features to which they probably haven't had access in the past. On its home page, an Nterprise Branch Office displays links to users' own files, to shared files, to printer information (that is, maps and drivers), shared and personal Web addresses, and step-by-step instructions on mapping a network drive to any type of client–a Windows, Macintosh, Linux, UNIX, FTP or Novell client (See Figure 4 .) These instructions for mapping drives not only empower users but also might offload a few helpdesk calls.
When configured as part of your central office network, Nterprise Branch Office replicates to the central office server all of the files (including shared files) that are created on the appliance. Because these files are stored on the appliance and replicated to the central office, users always have access to their files. If the appliance fails, the data is available from the central office. Furthermore, if users have been accessing shared files over a WAN link, the appliance accelerates performance by negating the need to cross the wire to serve up the files. Instead, it delivers the files directly from the local cache.
Nterprise Branch Office delivers print services via Novell iPrint, a print solution based on Internet Printing Protocol (IPP). Novell iPrint enables users to find and print to any local printer to which they have rights, eliminating what is perhaps the most common question posed to branch office administrative assistants: How do I print to that printer?
For example, recall that Fred needed to print a report. To do so, he needs only to use his browser to access the local Nterprise Branch Office appliance. From the appliance's home page, Fred then clicks the Office Printers link. When he does, the local appliance enables Fred to access a map that reveals the location of all the printers in this office. To print to any of these printers, Fred simply clicks the printer, after which the driver is automatically downloaded (when necessary) and Fred can print.
When configured as part of your central office network, you can place the print spool on the appliance so that even when the WAN link is down, print services will always be available. Furthermore, if print requests have been routed over WAN links to a centrally hosted print spool, Nterprise Branch Office accelerates access to these services because it locally hosts the print spool (so print requests don't cross the WAN).
eliminating the need for local backups
With Nterprise Branch Office, you also get a solution to the problem of backing up user data on branch office servers. Many companies have attempted to solve this problem, but few have managed to do so–despite the thousands or even tens of thousands of dollars they've tossed in that direction.
In fact, Lawyer says that he's asked hundreds of customers whether they can state with confidence that the user data on all of their branch office servers are backed up daily. "No one has been able to answer that question confidently," Lawyer says. "The closest I got to a confident answer was from [an international] telephone company." In this case, the confident response was a negative one: The customer could state with certainty that user data on branch office servers was not backed up daily.
Nterprise Branch Office solves the problem–and saves your company money–by replicating user information on branch office servers to central servers located in your corporate headquarters or key data centers. With this information thus replicated, you can use the backup solution you already have in place to archive the information and avoid the cost (and hassle) of deploying tape solutions, for example, in your branch offices. Of course, if you already have an established backup solution (such as tape backup) in your branch office, you can configure Nterprise Branch Office to back up locally to your existing system.
A key component to the Nterprise Branch Office backup solution is the use of a highly efficient, open-source utility called rsync. Rsync synchronizes only changed Branch Office user data with a server at your corporate headquarters or data center that you've configured to receive rsync information (For more information about rsync, see www.rsync.org).
To prepare a centrally located server to receive rsync information, you first send a complete copy of the data on your branch office appliance, only once, to the office where this server is located. (This server must meet the central office prerequisites, run the rsync software, and have enough disk space to hold the data you will back up.) From this point forward, Nterprise Branch Office uses the rsync algorithm to check for changes to blocks in the files on the branch office appliance (See Figure 5).
Using Secure Sockets Layer (SSL), Nterprise Branch Office encrypts the data in the changed blocks. The appliance then sends only these changed blocks to the central office rsync server, which reconstructs the changed files so that they are an exact match with the branch office files (For more information, see "The rsync Process".)
If you have a large amount of data on your branch office appliance, Novell suggests a one-time backup of this data. That is, suppose you have 80 GB of data on your appliance. In such a situation, Novell recommends that you back up this appliance data to tape (again, only once). Next, send this tape to the central office and restore the tape on the central office server you've configured to receive rsync information. After thus pre-populating the central replication site, Nterprise Branch Office uses rsync to replicate to the central office server only those data blocks on the appliance that have changed since the last replication. This is the single circumstance under which Novell believes you might need to send an IT professional to the branch office to set up Nterprise Branch Office.
At the time this article was written, Novell had designed Nterprise Branch Office to enable you to set the time of day at which you wanted replication to occur and also to set what Lawyer calls a throttle on the bandwidth. For example, you can specify that you want replication to consume no more than 100 Kbps.
By now, Novell has probably released the update that allows for more flexibility in terms of configuring the rsync functionality. This update enables you to set multiple times of day for replication to occur and varying throttles. For example, you might specify that you want replication to occur at 10 a.m., 1 p.m. and 4 p.m. at no more than 56 Kbps, but that after 8 p.m., you wish one final replication to occur at speeds as great as 512 Kbps.
delivering disaster fault tolerance
When configured as part of your central office network, an Nterprise Branch Office appliance is, essentially, a disposable service cache. The authentication, file and print services that the Nterprise Branch Office appliance hosts locally are also hosted at the central office.
Hence, if the appliance hardware fails, you have little to worry about. Until you find the time to get a new appliance or to fix the old one, users can still access the requisite network services–that is, all of the services branch office users need to be productive–across the WAN from the central office. Assuming you do get a new appliance, you need only someone in the branch office who is capable of inserting the self-booting CD into the new appliance's CD-ROM drive and a diskette into the appliance's floppy drive. You can reconfigure and restore all services to a new or newly repaired appliance remotely (using Nterprise Branch Office Web Administrator).
The reverse is also true. When the connection to the central office is down, you don't care and users don't notice. New users aside, your branch office users can log on to the network to access and print local and shared files (from the local cache). In other words, whether the WAN connection is up or down, branch office users have access to all of the services they need to continue working without interruption.
moving to the internet office
Because of its disaster fault-tolerance and because of its support for secure Internet protocols, including Secure LDAP, SSL and Secure HTTP, Nterprise Branch Office is both Internet-ready and Internet-safe. What this means is that with Nterprise Branch Office you have the option to swap your expensive and, in some cases, slow private WAN connections with less expensive and, in some cases, faster Internet connections. Doing so can decrease your WAN connectivity costs by as much as 50% and possibly increase your bandwidth as much as tenfold.
Novell's consolidation strategy, which includes Nterprise Branch Office, has enabled it to exchange many of its private WAN connections for public Internet connections and, in the process, save money, gain bandwidth and, in a few cases, both save and gain. For example, Novell once spent $10,000 per month for a 512 Kbps WAN connection between its corporate headquarters in Provo, Utah and a branch office in Tokyo. Now, Novell spends only $1,500 per month for a T1 (1.544 Mbps) connection to its Tokyo office.
"Of course, we didn't recognize that [savings] with every connection," Lawyer clarifies. For its U.S. connections, Lawyer says, Novell saved nothing by switching from its private WAN links to the public Internet. However, Novell gained bandwidth when it swapped out its pointto-point U.S. connections, most of which were 128 Kbps connections, with Internet connections, most of which are 1.544 Mbps connections.
keeping it simple
The Internet connections that Nterprise Branch Office enables coupled with the nature of this appliance reduce the complexity of managing infrastructure on the network fringe. In a world void of consolidation and replete with private WAN connections, you have racks of servers, possibly racks of Private Branch eXchanges (PBSs), and routers to set up and manage. In the new world characterized by consolidation and secure communications over speedy Internet links, your branch office infrastructure might consist of little more than a single Nterprise Branch Office appliance and an Internet cable running from the appliance to a telco-owned-andoperated router.
Nterprise Branch Office alone does not enable you to consolidate all of your network services. It enables you to consolidate services, namely authentication, file and print services which until now, have been notoriously difficult to consolidate. Highly synergistic with other products that enable you to consolidate application and storage services, Nterprise Branch Office can be your first step toward consolidation or the final step in your nearly complete consolidation strategy.
Ultimately, this is what Nterprise Branch Office is about: consolidating and replicating critical network services while improving performance at the fringe.
NOTE: For complete details regarding system prerequisites, see Novell documentation at www.novell.com/documentation/lg/nbo and click the link to "Preparing The Central Office" in the setup guide or see www.novell.com/products.
|Tech Talk #2 - first look: GroupWise 6.5|