Tech Talk 1 by Ken Baker
Smart Box, Low Touch
Simplify Remote Location Management with Novell Products
Organizations with several satellite offices often face a number of challenges in providing IT services to those sites, especially when the sites have little or no on-site IT staff. Typical challenges include:
- difficulty in enforcing build standards for servers and workstations
- remotely managing user accounts and hardware
- effectively administering patch management
- implementing and executing effective disaster recovery procedures
- and dealing with limited or unpredictable WAN bandwidth.
Novell recently created a solution for the U.K. National Health Service (NHS) to address precisely these challenges, simplifying the deployment, support and management of many remote sites from a central location over low-bandwidth connections.
Typical appliances are dumb boxes, but the satellite-site appliances deployed at the NHS are smart boxes that can be centrally customized to meet the organization's standard needs. Better yet, just about anyone at a remote location can physically build one into a low-touch server that is then managed from the central location, regardless of bandwidth constraints.
The idea for the solution grew from the NHS's need to manage IT requirements for more than 1,000 remote health care locations spread across the U.K. Headed by Novell lead engineer David Shepherd, a Novell consulting team addressed this need by providing NHS remote locations with:
- streamlined appliance deployment
- centralized user provisioning
- application provisioning
- local file and print services
- encrypted management connections between the local appliance and the central IT authority
- DNS forwarder
- Web site proxy services
- asset management
- and policy enforcement.
The solution components delivering these capabilities are SUSE Linux Enterprise Server 10 SP1, Novell Open Enterprise Server Version 2 and ZENworks Configuration Management.
How Does it Work?
Key to facilitating the deployment and day-to-day management of the appliances is the central management directory, which is an eDirectory instance with certain schema extensions. One of those extensions is an appliance object, which administrators create when they want to deploy a new appliance at a new site. Creating the appliance object prompts them to configure the items specific to that site, such as:
- server name
- IP address
- whether it acts as a DHCP server
- where it should get its DNS
- application license keys
- and even integration with an on-site Active Directory server, if desired.
Once all of the site-specific information has been configured, clicking the Generate Config button builds an ISO file for that site appliance. (See Figure 1.)
You can burn the ISO file, which contains an automated and unattended installation, to a DVD that a local user simply inserts into the on-site hardware box and walks away from. Because the image carries that site's settings, including its application license keys, the DVD should be handled as sensitive media rather than left lying around at the site.
The automated installation leverages AutoYaST and some custom scripts to install the server software. It then sets up and configures the server services: Novell Storage Services volumes, applications, users and policies. When it finishes, the server is ready to use.
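What the Generate Config step has to produce is, in effect, one AutoYaST profile per site. The following is an added example in Python, not the NHS solution's own generator (the article does not show its format), of rendering such a profile from a site record: it validates every address before anything is written, escapes each value on its way into the XML, points the local BIND at the central resolvers as a DNS forwarder and, optionally, installs a DHCP server. The site record, the package and service names, the post-install script and the SLES 10-era AutoYaST element names used here are assumptions, not taken from the article.

```python
"""Render a site-specific AutoYaST profile from an appliance record.
Added example, not the NHS solution's generator: the site record shape, package
and service names, the post-install script and the AutoYaST element names
(networking, software, runlevel, scripts as in SLES 10) are assumptions."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

YAST_NS = "http://www.suse.com/1.0/yast2ns"
CONFIG_NS = "http://www.suse.com/1.0/configns"

# Constructed stand-in for the attributes an appliance object would carry.
SITE = {
    "server_name": "nhs-site0042",
    "domain": "example.nhs.uk",
    "ip": "10.42.0.10",
    "netmask": "255.255.255.0",
    "gateway": "10.42.0.1",
    "dhcp_server": True,
    "dns_forwarders": ["10.0.0.53", "10.0.1.53"],
}

# Assumed post-install script: make the appliance's BIND forward to the central resolvers.
FORWARDERS_SCRIPT = """#!/bin/sh
cat > /etc/named.d/forwarders.conf <<EOF
forwarders { %s };
EOF
"""


def validate(site: dict) -> dict:
    """Reject a bad record at build time; an unattended install cannot ask for help."""
    for key in ("ip", "netmask", "gateway"):
        ipaddress.IPv4Address(site[key])          # raises ValueError on garbage
    for fwd in site["dns_forwarders"]:
        ipaddress.IPv4Address(fwd)
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{0,62}", site["server_name"]):
        raise ValueError(f"bad hostname {site['server_name']!r}")
    return site


def build_profile(site: dict) -> str:
    """Return the AutoYaST XML for one site, with every free-text value XML-escaped."""
    validate(site)
    nameservers = "".join(f"<nameserver>{escape(f)}</nameserver>" for f in site["dns_forwarders"])
    forwarders = " ".join(f"{f};" for f in site["dns_forwarders"])
    dhcp_pkg = "<package>dhcp-server</package>" if site["dhcp_server"] else ""
    dhcp_svc = ("<service><service_name>dhcpd</service_name>"
                "<service_status>enable</service_status></service>" if site["dhcp_server"] else "")
    return f"""<?xml version="1.0"?>
<profile xmlns="{YAST_NS}" xmlns:config="{CONFIG_NS}">
  <networking>
    <dns>
      <hostname>{escape(site['server_name'])}</hostname><domain>{escape(site['domain'])}</domain>
      <nameservers config:type="list">{nameservers}</nameservers>
    </dns>
    <interfaces config:type="list"><interface>
      <device>eth0</device><bootproto>static</bootproto><startmode>auto</startmode>
      <ipaddr>{site['ip']}</ipaddr><netmask>{site['netmask']}</netmask>
    </interface></interfaces>
    <routing><routes config:type="list"><route>
      <destination>default</destination><gateway>{site['gateway']}</gateway><device>-</device>
    </route></routes></routing>
  </networking>
  <software><packages config:type="list"><package>bind</package>{dhcp_pkg}</packages></software>
  <runlevel><default>3</default><services config:type="list">
    <service><service_name>named</service_name><service_status>enable</service_status></service>{dhcp_svc}
  </services></runlevel>
  <scripts><post-scripts config:type="list"><script>
    <filename>dns-forwarders.sh</filename><interpreter>shell</interpreter>
    <source><![CDATA[{FORWARDERS_SCRIPT % forwarders}]]></source>
  </script></post-scripts></scripts>
</profile>
"""


def profile_summary(site: dict) -> dict:
    """Parse the generated profile back and report what the install would do."""
    root = ET.fromstring(build_profile(site))
    ns = {"y": YAST_NS}
    return {
        "hostname": root.findtext("y:networking/y:dns/y:hostname", namespaces=ns),
        "nameservers": [n.text for n in root.findall(".//y:nameserver", ns)],
        "packages": [p.text for p in root.findall(".//y:package", ns)],
        "services": [s.text for s in root.findall(".//y:service_name", ns)],
    }


if __name__ == "__main__":
    print(build_profile(SITE))
```

The profile is only the unattended half of the job; wrapping it with the installation media into a bootable ISO is the part the Generate Config button automates and is not shown here. The build-time validation matters because an unattended install that fails at a site with no IT staff turns into a visit.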
Simplified Day-to-Day Site Management
In addition to containing the appliance object, the central management directory also contains user and application objects for the appliance. To facilitate day-to-day management and provisioning, once an appliance is built at a satellite location, it communicates at scheduled intervals back to the central management directory for updates regarding its settings, users and applications.
An important point is that you don't need a persistent connection between the appliance and the central management directory. In fact, the solution was designed specifically for environments that have no constant connection or only a low-bandwidth one. The appliance doesn't even require time synchronization with the central management directory. It can operate for as long as needed without a connection, which lets the NHS schedule update intervals hourly, daily, weekly, monthly or whatever fits its needs. A connection is needed only when a remote appliance has provisioning to pick up, and if the connection happens to be down at check-in time, the provisioning simply retries at a later interval.
As mentioned earlier, users (identities) are housed in the central management directory, but the user objects can be fed from elsewhere, including Active Directory. Once they are in the directory, they are assigned to appliances in the same way you would make a user a member of a group: a user can be assigned to an individual appliance or to an appliance group. An appliance group has two parts: a list of users and a list of appliances.
When a user is assigned to an appliance or an appliance group in the central management directory, it automatically builds a provisioning request. This request is a very small file, about 100 bytes per user, including the user's encrypted password. Because it carries a credential, it should travel only over the encrypted management connection between the appliance and the central directory listed earlier. The provisioning request is placed in the central management directory's output queue, where it waits for the appliance's next scheduled check-in. When the appliance checks in, it pulls the provisioning request and uses local LDAP provisioning templates to add the user to its local directory.
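To make the check-in and queueing described above concrete, here is an added example in Python, not Novell's code, of the store-and-forward flow: assigning a user, directly or through an appliance group, builds a small request in the central directory's output queue; the appliance pulls it at its next check-in and renders it through an LDIF template into its local directory. The request layout, the sequence-number acknowledgement, the {SSHA} hash standing in for the "encrypted password", the LDIF template and the `link_up` flag that simulates the WAN are all assumptions. The validation of directory values is the check a practitioner would add, since the template writes them straight into a DN and into LDIF lines.

```python
"""Store-and-forward user provisioning: central management directory to site appliance.
Added example, not the Novell solution's code. The request layout, output queue,
sequence-number acknowledgement, LDIF template and the {SSHA} hash standing in
for the "encrypted password" are assumptions; link_up simulates the WAN link."""
import base64
import hashlib
import json
import re
import secrets
from collections import defaultdict

# Only these characters may enter a DN or LDIF line: no newline, comma, '=' or '+',
# so a user record cannot smuggle extra attributes or DN components into the template.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._@-]+")

LDIF_TEMPLATE = ("dn: uid={uid},ou=users,o={site}\nobjectClass: inetOrgPerson\n"
                 "uid: {uid}\ncn: {cn}\nsn: {sn}\nuserPassword: {pw}\n")


def ssha(password: str) -> str:
    """OpenLDAP-style salted SHA-1; the hash, not the password, rides in the request."""
    salt = secrets.token_bytes(4)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def request_size(req: dict) -> int:
    """Bytes on the wire for one request (the article quotes about 100 per user)."""
    return len(json.dumps(req, separators=(",", ":")).encode())


class CentralDirectory:
    """Users, appliance groups and a per-appliance output queue."""

    def __init__(self):
        self.users, self.seq = {}, 0
        self.groups = defaultdict(lambda: {"users": set(), "appliances": set()})
        self.outqueue = defaultdict(list)

    def add_user(self, uid, cn, sn, password):
        for value in (uid, cn, sn):
            if not SAFE_VALUE.fullmatch(value):
                raise ValueError(f"unsafe directory value {value!r}")
        self.users[uid] = {"cn": cn, "sn": sn, "pw": ssha(password)}

    def _enqueue(self, appliance, uid):
        self.seq += 1
        req = {"seq": self.seq, "op": "add", "uid": uid, **self.users[uid]}
        self.outqueue[appliance].append(req)
        return req

    def assign_user(self, uid, appliance):
        return self._enqueue(appliance, uid)

    def assign_user_to_group(self, uid, group):
        self.groups[group]["users"].add(uid)
        return [self._enqueue(a, uid) for a in self.groups[group]["appliances"]]

    def add_appliance_to_group(self, appliance, group):
        self.groups[group]["appliances"].add(appliance)
        return [self._enqueue(appliance, u) for u in self.groups[group]["users"]]

    def pending(self, appliance, after_seq):
        """Served at check-in: everything the appliance has not yet acknowledged."""
        return [r for r in self.outqueue[appliance] if r["seq"] > after_seq]

    def acknowledge(self, appliance, seq):
        self.outqueue[appliance] = [r for r in self.outqueue[appliance] if r["seq"] > seq]


class Appliance:
    """Site appliance: checks in on a schedule and applies requests to its local directory."""

    def __init__(self, name):
        self.name, self.last_seq, self.local_ldap = name, 0, {}   # last_seq survives outages

    def checkin(self, central, link_up=True) -> int:
        """Return the number of users newly provisioned; a down link is a no-op and
        the queued requests simply wait for the next scheduled interval."""
        if not link_up:
            return 0
        applied = 0
        for req in central.pending(self.name, self.last_seq):
            entry = LDIF_TEMPLATE.format(site=self.name, **{k: req[k] for k in ("uid", "cn", "sn", "pw")})
            dn = entry.split("\n", 1)[0][len("dn: "):]
            if dn not in self.local_ldap:        # idempotent if a request is redelivered
                self.local_ldap[dn] = entry
                applied += 1
            self.last_seq = req["seq"]
        central.acknowledge(self.name, self.last_seq)
        return applied


def scenario():
    """One direct assignment, one via an appliance group, one failed and two good check-ins."""
    central = CentralDirectory()
    central.add_user("jsmith", "Jane Smith", "Smith", "correct horse")
    central.add_user("bjones", "Bob Jones", "Jones", "battery staple")
    central.assign_user("jsmith", "site0042")
    central.add_appliance_to_group("site0042", "south-west")
    central.assign_user_to_group("bjones", "south-west")
    site = Appliance("site0042")
    results = (site.checkin(central, link_up=False),  # WAN down: 0 applied, queue kept
               site.checkin(central),                 # link back: 2 users land
               site.checkin(central))                 # nothing new: 0
    return results, site, central


if __name__ == "__main__":
    results, site, _ = scenario()
    print(results, sorted(site.local_ldap))
```

The sequence number is what makes the retry safe: the appliance remembers the last request it applied, so a check-in that fails part-way is simply repeated, and a request delivered twice adds nothing the second time. Nothing in the flow depends on the two clocks agreeing, which is the property the article relies on for sites with unpredictable links.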