GroupWise 6 Deployment Guide - Section 3
Novell Cool Solutions: Feature
Posted: 12 Dec 2001
Section 3: Leveraging GroupWise Features
Internet Proxy Access
GroupWise 6 enables remote users to directly access their mailbox without having to authenticate to a VPN server or other firewall solution. With Internet Proxy Access, users can directly access all GroupWise collaboration services as if they were inside the firewall.
Deployment of GroupWise 6 Internet Proxy Access requires the following tasks:
- Configure proxy IP addresses for each GroupWise post office that will be accessed by remote users.
- Configure a DNS entry for NGWNAMESERVER.
- Enable a GroupWise MTA for Live Remote Proxy and expose it through the firewall.
- Publish the proxy POA addresses to users.
These specific tasks are reviewed below.
Configuring Proxy IP Addresses
To configure and enable proxy IP addresses for all GroupWise post offices that need to be accessed outside the firewall, the following steps must be performed.
- Identify the IP addresses and ports of the GroupWise POA for each post office.
This information is on the Network Address page of the POA object in NDS.
- Set up a proxy for that address and open the firewall for the proxy.
You must decide whether to use a generic proxy service provided by Novell BorderManager or other software, or a hardware device such as an L4 switch. You will have to assign the proxy IP address to the proxy device and then configure the device to forward any TCP or UDP requests through your inner firewall to the POA's IP address and port.
- Add the proxy IP address to the GroupWise POA object's NDS configuration.
In ConsoleOne, modify the POA object and add the proxy IP address information to the Proxy Server Address field in the Network Address, TCPIP Address dialog.
- Verify that the GroupWise client can connect to the POA using the proxy IP address.
Launch a GroupWise client with the /@u-? command line option (c:\novell\grpwise.exe /@u-?). Type in the name of a user on the post office you are testing, and in the TCPIP address line, specify the proxy IP address.
- Create a DNS entry for one of the POA proxy IP addresses. Choose one that is configured on port 1677. This POA will serve to process batch mode requests.
Configuring a DNS entry for NGWNAMESERVER
If you are providing DHCP services with IP addresses located outside of your corporate firewall, you can configure GroupWise to automatically locate its services. GroupWise clients connecting from workstations serviced by DHCP will automatically find their home POA without any configuration required by the users.
To accomplish this you must create a DNS entry of NGWNAMESERVER in the DNS domain for the domain distributed by DHCP. This DNS entry must point to the proxy IP address of a GroupWise post office. You may also create an entry for NGWNAMESERVER2, and point that to a different GroupWise post office in order to provide some redundancy.
If the GroupWise client is ever unable to connect or does not know how to connect to its POA, it will attempt to connect with a POA with a DNS name of NGWNAMESERVER. The network client will append the DNS domain name it is using to NGWNAMESERVER to resolve this name. Failing resolution of this name, the client will try to resolve NGWNAMESERVER2 in like manner.
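The lookup order described above, as an added example that is not part of the original guide: it resolves NGWNAMESERVER and then NGWNAMESERVER2 in a given DNS domain and tests whether each resolved address accepts a TCP connection on port 1677, which also covers the connection check from the proxy address steps. The function names, the example.com domain, and the assumption that the published POA listens on port 1677 are illustrative.

```python
import socket

# Names the GroupWise client falls back to, in the order the guide gives.
FALLBACK_NAMES = ("NGWNAMESERVER", "NGWNAMESERVER2")
POA_PORT = 1677  # assumed: port of the POA published through DNS


def _resolve(fqdn):
    """Return the IPv4 address for fqdn, or None if it does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def _can_connect(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_fallback(dns_domain, resolve=_resolve, can_connect=_can_connect):
    """Check both fallback names in the client's DNS domain.

    Returns (report, chosen). report has one row per name; chosen is the
    first name that resolved, since NGWNAMESERVER2 is only tried when
    NGWNAMESERVER fails to resolve. chosen is None if neither resolves.
    """
    report, chosen = [], None
    for name in FALLBACK_NAMES:
        fqdn = f"{name}.{dns_domain.strip('.')}"
        ip = resolve(fqdn)
        reachable = bool(ip) and can_connect(ip, POA_PORT)
        report.append({"name": fqdn, "ip": ip, "port_open": reachable})
        if ip and chosen is None:
            chosen = fqdn
    return report, chosen


if __name__ == "__main__":
    # example.com is a placeholder for the DNS domain your DHCP scope hands out.
    rows, chosen = check_fallback("example.com")
    for row in rows:
        print(row)
    print("client would use:", chosen)
```

Run it from a workstation on the outside network, using the DNS domain that DHCP distributes there, so the result reflects what a remote client actually sees.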
Enabling a GroupWise MTA for Live Remote Proxy
- Set up a proxy address for an MTA in your system on port 80.
- Point this address to an MTA running on a server inside your firewall.
- Open the firewall for the proxy.
- Add the /liveremote-[port] switch to the startup file of the MTA and restart it.
- Create a DNS entry, such as gmail-remote.novell.com, that points to the proxy IP address.
Note: This is a different configuration than was used for the GroupWise 5.5 Enhancement Pack.
Publishing Information to Users
The GroupWise client will not automatically detect POA proxy addresses. Therefore, publish the DNS entry for the POA that will service remote users. Tell users to use the POA's DNS entry for Online and Caching mode connections if they are unable to connect on a network with a registered NGWNAMESERVER entry for their DNS domain. You will also have to explain how to use DNS entries to create additional connection definitions in the remote client.
Implementing Smart Caching
While other factors may come into play, performance thresholds are typically not your limiting factor when running in Caching mode. Your most significant consideration is workstation disk space. Because everything is stored on the user's hard drive, each user's available disk space needs to be considered before moving to Caching mode. Disk space becomes even more of a consideration if you implement the GroupWise client's local backup options.
When initially implementing Smart Caching, the server copies each user's mailbox to a local drive. This process, referred to as "priming," would overload the server if the system attempted to copy all user mailboxes simultaneously. Therefore, by default, priming activities are limited to no more than 20 percent of the server's threads to avoid the possibility of overloading the server (administrators can reduce or increase this percentage if necessary). Administrators can further manage priming by incrementally implementing Smart Caching on a user, post office, or domain basis.
Once a user's mailbox is primed, the user can manually switch between Online, Caching, and Remote modes by selecting a mode option from the drop-down list on the client toolbar (the administrator also has the option of locking users into a specific mode). When users switch to or from Online mode, they are prompted to exit and restart GroupWise before the mode takes effect. Transitions between Caching and Remote mode are made on the fly.
For employees who travel, you can force them to Caching mode and their system will manage itself between remote and online mode. Essentially, when a connection is available, the workstation automatically goes online every five minutes and syncs the workstation with the master mailbox. It also goes online when the user sends a message, does a Busy Search, or proxies another user's account. When a connection is not available, the workstation operates in remote mode.
When a user connects via Caching mode, the client automatically checks the user's master mailbox on the server and it syncs data between the two sources. However, the user can manually force a sync by selecting Accounts > Send/Retrieve.
By default, messages, tasks, appointments, and GroupWise client options automatically synchronize between the master and cached mailboxes. There are, however, instances in which the master and cached mailboxes do not automatically synchronize. For example, while changes made to address books in Caching mode are automatically uploaded to the master mailbox, changes made to address books in Online mode are not automatically downloaded to the cached address book. Users must manually update their cached address book by going into their personal or system address book and clicking View > Retrieve Address Books.
The same principle applies to Rules. All rules defined in Caching mode are automatically uploaded to the master mailbox; however, rules created in Online mode must be manually retrieved to the cached mailbox. Users can click Rules > Refresh to download rules from the master mailbox to the cached mailbox.
Another element that does not automatically synchronize is status information. To optimize client downloads, status information is not downloaded with new messages. Instead, it is dynamically retrieved when users go into a message's Properties menu.
With new enhancements such as disk space management, Caching mode, more efficient database maintenance, and client/server user moves, GroupWise 6 requires fewer domains and post offices than previous versions of GroupWise. Because server consolidation ultimately reduces your overall hardware expenses and administration overhead, you should seriously consider consolidating your existing post offices and domains when deploying GroupWise 6.
Before consolidating servers, you must determine which servers to consolidate and how many users to put on each server. The best way to approach these decisions is by systematically implementing the GroupWise 6 consolidation features and observing the ensuing results. The most useful benchmarks to monitor are server utilization, messages in queues, pending client/server requests, post office directory size, time required for backup/restore, and, of course, user feedback.
For example, total client/server requests processed divided by uptime indicates the load your server is currently handling. Identify this benchmark before implementing any of the GroupWise 6 consolidation options to get a good feel for the average load your server is handling under the existing GroupWise configuration. Then, after implementing GroupWise 6 consolidation options like Smart Caching, take this benchmark again to measure the overall effect on your server's load. You can then use the difference in the two benchmarks to determine if you can consolidate post offices on the server.
You can gather the information you need to consolidate servers in three basic phases:
- Deploy GroupWise 6 at the Post Office Agent (POA) and all clients.
- a. Collect benchmarks or verify that the server is stable and performing well.
- a. Deploy the GroupWise 6 TSA and enable Smart Purge.
The GroupWise 6 TSA interacts with your backup software to perform reliable backups without bringing down your GroupWise system. SmartPurge does not allow messages to be purged until they are backed up, so you have an accurate archive of every message sent within your organization.
You should definitely back up your post office databases using the GroupWise TSA to ensure you get a good backup. Using SmartPurge is optional.
- b. Apply Mailbox Quotas.
Applying mailbox quotas allows you to control the amount of disk space used by users' mail. Before setting limits, the administrator should run GWCheck to determine current usage and then apply limits based on that usage.
An average mailbox size for a large company is in the range of 150 to 200 MB. You may also want to consider a message attachment size limit. GroupWise handles large attachments if the network connections are good. Consider limits in the range of 50 to 100 MB.
- c. Implement Smart Caching.
Smart Caching should be handled as a two-stage process. First, users must be educated on the features, differences, and benefits of Caching mode. Second, migrate users to Caching mode. The migration can occur by randomly forcing a post office to change to Smart Caching or by first converting remote users and then working through a list of designated users until all users are running in Caching mode. The second migration approach provides the best success.
- d. Run GWCheck with the Expire After Download feature enabled.
The Expire After Download feature removes messages from the master mailbox after they have been downloaded to the workstation's cached mailbox. If you have wireless or WebAccess clients, they will not be able to read messages after they expire. When using this option with wireless or WebAccess clients, consider setting the expiration to no more than 30 days.
- e. Collect benchmarks or verify that the server is stable and performing well.
- a. Using the benchmarks or server information you have gathered, weigh the advantages and limitations of each consolidation feature against the server performance and determine where you would like to be in terms of consolidating your system's servers. Continue adding users as long as the server is handling the load and the CPU continues to have additional capacity.
Configuring LDAP Authentication
GroupWise 6 POAs can authenticate users using the Lightweight Directory Access Protocol (LDAP). This means GroupWise users can authenticate against NDS and Netscape iPlanet Directory as well as Active Directory.
To configure LDAP, follow these steps:
- In ConsoleOne, right-click the Post Office object and select Properties.
- Click GroupWise > Security to display the Security page.
- For Security Level, select High.
- In the High Security Options box, select LDAP Authentication.
- Click the pencil icon > specify the IP address or DNS host name of the LDAP server > specify the LDAP port > click OK.
- Specify the user name that the POA can use to authenticate to the LDAP server. Having the POA authenticate to the LDAP server is faster and requires fewer connections than if each GroupWise client user individually authenticates to the LDAP server.
- If the LDAP user name requires a password, click Set Passwords and set the password.
- If the LDAP server uses SSL, select Use SSL > browse to and select the SSL key file generated by the LDAP server.
- Click OK to save the LDAP settings.
ConsoleOne then notifies the POA to restart so the new settings can be put into effect.
There are basically three types of LDAP authentication:
- Internal: The GroupWise account is linked to an NDS User object. Consequently, GroupWise authenticates the user with their NDS username and password. GroupWise accounts are linked to NDS User objects by default. Therefore, this type of LDAP authentication is the easiest to configure.
- Internal but authenticating against external: The GroupWise account is linked to an NDS User object, but the user authenticates against an external Directory.
- External: The GroupWise account is not linked to an NDS object; the user authenticates against an external Directory. Therefore, you must create GroupWise external entities in NDS for each of your users and specify the user's LDAP authentication ID in the LDAP Authentication field in the object's GroupWise Account page.
GroupWise Document Management Services
If you plan to implement document-sharing services, follow these general guidelines:
- In placing libraries, create LAN-local rather than Post-Office-local libraries.
- When configuring your libraries, disable TurboFAT on all servers with post offices and/or libraries and assign the "manage" right to GroupWise administrators and power users.
- If you have implemented Smart Caching, the GroupWise librarians should not run in Caching mode because the Mass Document Operation is not available in Caching mode.
- If you are using GroupWise document sharing services, enable QuickFinder indexing on all your post offices. Indexing is far less "expensive" than a few complicated scan searches.
- In implementing QuickFinder indexing, do not dedicate the indexing station. Current hardware speeds are so fast that a dedicated indexing station will throw file locking errors.
- Schedule indexing so it does not occur during peak hours.
You can also download the full .pdf version of this new Deployment Guide here: www.novell.com/info/collateral/docs/4621213.01/4621213.pdf