GroupWise 6 In The Net Services
Novell Cool Solutions: Feature
By Steve Whitehouse
Posted: 5 Jun 2002
Users want fast and easy access to their mail. They don't want to have to run a network or VPN client in order to download or access their mail.
With GroupWise 6, GroupWise Client users can access their GroupWise mailbox from the Internet in Online, Caching or Remote mode without having to authenticate to a VPN server or other firewall solution.
GroupWise 5.2, 5.5 and 5.5 Enhancement Pack clients support Online and Remote modes of connecting to user mailboxes. These modes were primarily designed for use behind a firewall, although through different configurations, access through firewalls can be provided. GroupWise 6 has several enhancements to improve access through firewalls.
Online mode before GroupWise 6
In Online mode, also referred to as client/server or master mailbox mode, users connect to their mailboxes via a TCP connection to the GroupWise post office agent (POA). In order to connect to a GroupWise POA, the GroupWise client must first be able to find the correct TCP/IP address for the user's home POA. The GroupWise client attempts to locate this address in the following manner:
- The GroupWise client will use command line switches or user-specified information from the client startup dialog when invoked by the user. (Startup switches include /ipa- and /ipp-, /@u-?. The Novell GroupWise Startup dialog is invoked by clicking the Cancel button when prompted for a password.)
- The GroupWise client attempts to browse NDS and discover the POA's IP address if the user is logged in to NDS and has the correct NDS rights.
- The GroupWise client checks the user's Windows registry for the address where the client last connected successfully and attempts to connect there.
- The GroupWise client automatically attempts to connect to a POA at the DNS location of NGWNAMESERVER appended to the DNS domain used by the client workstation.
- The GroupWise client automatically attempts to connect to a POA at the DNS location of NGWNAMESERVER2 appended to the DNS domain used by the client workstation.
- If these methods fail, the GroupWise client presents a dialog that allows the user to specify the address or DNS name of the POA.
Once the client has contacted a GroupWise POA that is part of the user's GroupWise system, the POA identifies which post office the user belongs to and returns the correct IP address of the POA that services that post office. The client is then redirected to the correct POA.
Remote mode before GroupWise 6
The Remote mode in GroupWise 5.2 and 5.5 consists of a store and forward mechanism used by the GroupWise client to upload and download any changes from the user's master mailbox. This method of connecting is sometimes referred to as batch mode. The client connects to any POA that is part of the user's GroupWise system, authenticates and then transfers the stored changes.
In GroupWise 5.5 Enhancement Pack, some new functionality was introduced to Remote mode. The Enhancement Pack client has the ability to download and upload stored changes as a stream of requests directly to the POA. The POA then immediately processes those requests as if the user were in Online mode. Performance is much faster as all information is stored in memory on the server side and is not written to disk. This connection method is known as Live Remote mode.
This Live Remote mode only works when connected to the user's home POA, however. To take advantage of the improved performance, the GroupWise Message Transfer Agent (MTA) was enhanced to act as a proxy for Live Remote requests. The MTA is capable of creating a TCP/IP tunnel for the Live Remote connection to the user's POA.
To illustrate, a user would define a TCP/IP connection in their GroupWise remote client that specified the IP address of the MTA and its Live Remote port. The user would connect, and the MTA would determine which post office the user belonged to and then, following its defined link configuration, open a TCP tunnel to the POA. GroupWise requests in the form of remote procedure calls (RPC) would then be forwarded from the client to the POA, and the changes made and requested would be synchronized to the remote and master mailboxes.
GroupWise 6 Enhancements
GroupWise 6 has the following enhancements:
- Caching mode was added in the GroupWise client.
- GroupWise Remote client uses Live Remote as default connection mode.
- Support for proxy/NAT IP addresses for POAs was added.
- DNS replacement for ngwnameserver was added in GW6 SP1.
- Redirection was added for Remote mode.
- MTA Live Remote proxy was enhanced.
Caching mode is a combination of Online mode and Remote mode. In Caching mode, the GroupWise client has a copy of the user's mailbox on the workstation, basically the same as the remote mailbox. Additionally, it acts like a client in Online mode when sending a message, when performing a Busy Search, or when proxying to another user's mailbox. When performing any of these functions, it connects immediately to the POA and performs the task. It also automatically connects to the user's POA every 5 minutes and synchronizes the local cache. If the POA is not available when attempting to send a message, it saves the message and attempts to send it at the next synchronization.
Live Remote is default connection mode
In GroupWise 5.5 Enhancement Pack, the GroupWise client would always perform a batch mode remote download when connecting to an MTA or its home POA. After this initial download completed successfully, it would switch to Live Remote connection mode. In GroupWise 6, the client always tries to connect in Live Remote mode first and then switches to batch if the Live Remote connection fails.
Proxy IP addresses
The POA can now be configured with a second IP address, a proxy address. The proxy address is assigned using some type of network device that does Network Address Translation (NAT) to provide access through the firewall. Examples include a Border Manager generic TCP/UDP proxy, a proxy on an L4 switch or a router. This proxy device must be configured to forward any TCP or UDP requests to the POA's IP address and port.
When the POA receives a request from a GroupWise client that is communicating through a proxy, it detects that the client is outside the firewall. When the POA must redirect the GroupWise client to a different POA, it uses the proxy IP address for the other POA, if configured. This allows the client to access all GroupWise services, such as proxy or document management, as if the client were inside the company's firewall.
The GroupWise 6 SP1 Caching client stores both the POA's home IP address and its proxy address. When the client is launched in Caching mode, it attempts to connect to the POA on the home or inside IP address. If that connection attempt fails, it tries to connect on the proxy or outside address. Once it connects successfully, it stores that IP address in memory and always uses that address to connect until the client is restarted.
DNS replacement for ngwnameserver was added in GW6 SP1
In GroupWise 6, the GroupWise client in all modes now attempts to locate a GroupWise POA by trying to connect on an IP address or DNS name that is defined by the administrator. This default IP address is used when other methods of connecting fail. The GroupWise 6 client attempts to connect in the following order:
- User over-ride (command line switches, or invoke dialog)
- IP Address of the POA object read from NDS.
- IPAddress key in the Windows registry.
- DefaultIPAddress key in the Windows registry.
- User prompted in case of failure.
- Home or inside IP Address stored in the Caching database.
- Proxy or outside IP Address stored in the Caching database.
- DefaultIPAddress key in the Windows registry.
The IPAddress key and the DefaultIPAddress key can be defined using the Administrator defined setup. This will cause the appropriate values to be added to the Windows registry.
In the case of the IPAddress key, a value is only added if the key does not exist or if it has no value. This condition would only be true if the GroupWise client has never been run from the workstation before.
In the setup.cfg file, the following commands can be added.
Remote mode redirection
In GroupWise 6, when a GroupWise remote client connects to a GroupWise 6 POA to upload a remote request, the POA redirects the client to connect to its home POA. The remote client will try to connect to its home POA. If it is able to connect, it will perform a Live Remote synchronization of the user's mailbox. If not, it will perform a batch request to the original POA.
- IP Address stored in the selected Connection
- Attempts to redirect to appropriate IP address
- Home or inside IP Address stored in the Remote database.
- Proxy or outside IP Address stored in the Remote database.
- DefaultIPAddress key in the Windows registry.
- NGWNAMESERVER DNS entry appended to the DNS domain of the workstation.
MTA Live Remote proxy enhancements
The GroupWise 6 MTA has been enhanced by multi-threading the Live Remote connections and now handles connections across very slow links more reliably. Because of these enhancements, the GW 6 MTA's Live Remote proxy feature is not compatible with the GW 5.5 and GW 5.5 EP MTAs.
Service Deployment and Configuration
GroupWise 5.5 and earlier versions
In GroupWise 5.5, users can synchronize their mailboxes to their GroupWise client in remote mode via a POA exposed through the firewall.
At Novell, a GroupWise post office was deployed on a server in our DMZ (demilitarized zone, a protected network between an outer firewall and an inner firewall). The POA running on this server was permitted to communicate via TCP/IP with its MTA inside the inner firewall. The outer firewall was opened to this POA only on its TCP port. A DNS entry pointing to this POA was created, and users were instructed how to create a connection in their GroupWise remote client to point to this POA.
When the user connects, the POA transfers their request to its MTA and then on to the user's home POA, which processes the request and returns the results.
GroupWise 5.5 Enhancement Pack
GroupWise Enhancement Pack added Live Remote mode and the ability to proxy Live Remote requests through the MTA.
A GroupWise MTA was exposed through the firewall allowing users to use Live Remote mode to download remote requests outside the firewall without having to run a VPN client.
To accomplish this, a GroupWise system with no users was created and installed on a server in the DMZ. An external domain was created that represents one of the domains in our GroupWise system, and a hole was opened through the firewall for the MTA in the DMZ to communicate via TCP/IP with the MTA inside the firewall. The GroupWise system was configured with this external domain as its "default route." This configuration option causes the MTA to forward all messages or requests for unknown destinations or recipients to the default route for address resolution.
The MTA was configured to accept Live Remote connections by using the /LIVEREMOTE-[PORT] switch in its startup file. The MTA was configured to listen on port 80 to allow users to access this from companies whose firewalls block outbound traffic on ports other than port 80 and port 443.
A hole was exposed in the outer firewall to allow users to connect to this MTA and they were provided with information as to how to create a connection to this MTA.
Note: GroupWise clients prior to GroupWise 5.5 Enhancement Pack SP3 did not support two-digit port numbers correctly and would fail to connect. A workaround is to copy an existing connection definition that worked on a four-digit port and then modify the port to a two- or three-digit value.
Deployment of GroupWise 6 Client Internet Services requires the following tasks:
- Configure proxy IP addresses for GroupWise post offices to be accessed outside the firewall.
- Configure DNS entries for IPAddress and DefaultIPAddress.
- Deploy the GroupWise 6 Client using setup.cfg with corresponding entries for IPAddress and DefaultIpAddress.
- Enable a GroupWise MTA for Live Remote Proxy and expose it through the firewall.
- Publish information to users.
Configure Proxy IP Addresses
To configure and enable proxy IP addresses for all GroupWise post offices that need to be accessed outside the firewall, the following steps must be performed.
- Identify the IP addresses and ports of the GroupWise POA for each post office. This can be obtained from the POA object in NDS on the Network Address page of the POA object.
- Set up a proxy for that address and open the firewall for the proxy. You must decide whether you will use a generic proxy service that is provided by Novell Border Manager or other software or a hardware device like an L4 switch. You will have to assign the proxy IP address to the proxy device and then open a hole through your inner firewall from that proxy device to the POA object on the TCP port that it listens on.
- Add the proxy IP address to the GroupWise POA object's NDS configuration. In ConsoleOne, modify the POA object and add the proxy IP address information to the Proxy Server Address field in the Network Address, TCPIP Address dialog.
- Verify that the GroupWise client can connect to the POA using the proxy IP address. Launch a GroupWise client with the /@u-? command line option. Type in the name of a user on the post office you are testing; and in the TCPIP address line, specify the proxy IP address.
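The verification in the last step can be automated per post office. The following is an added example, not part of the original article or any Novell tool: it probes each POA's inside and proxy address from a stated vantage point and reports mismatches. The names Poa, tcp_open and audit, the documentation-range addresses and the sample port are hypothetical, and the expectation that the inside address must not answer from outside the firewall is an assumption about the intended design.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Poa:
    name: str
    inside: tuple  # (host, port) the POA listens on behind the firewall
    proxy: tuple   # (host, port) published by the NAT/proxy device

# Expected reachability per vantage point (assumption, see lead-in).
# None means "not asserted": the article does not say whether the proxy
# address is reachable from inside the firewall.
EXPECT = {
    "inside": {"inside": True, "proxy": None},
    "outside": {"inside": False, "proxy": True},
}

def tcp_open(addr, timeout=3.0):
    """Return True if a TCP connection to (host, port) completes."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False

def audit(poas, vantage, probe=tcp_open):
    """Return (poa, kind, address, observed) for every address whose
    observed reachability differs from what the vantage point expects."""
    want = EXPECT[vantage]  # KeyError on an unknown vantage point
    findings = []
    for poa in poas:
        for kind, expected in want.items():
            if expected is None:
                continue
            addr = getattr(poa, kind)
            observed = probe(addr)
            if observed != expected:
                findings.append((poa.name, kind, addr, observed))
    return findings

if __name__ == "__main__":
    # Constructed inventory: documentation-range addresses, sample port.
    inventory = [Poa("PO1", ("192.0.2.10", 1677), ("198.51.100.10", 1677))]
    for name, kind, addr, observed in audit(inventory, "outside"):
        state = "reachable" if observed else "unreachable"
        print(f"MISMATCH {name}: {kind} address {addr} is {state}")
```

Run it once from a workstation inside the firewall and once from an outside network; a finding of kind "inside" from the outside vantage means the POA is exposed directly rather than only through the proxy device.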
Configure a DNS entry for IPAddress and DefaultIPAddress
Once all post offices are configured with a proxy IP address outside the firewall, you should create DNS names that will allow the GroupWise client to automatically locate the user's GroupWise POA. Create a DNS entry for IPAddress that points to a GW POA inside the firewall and a DNS entry for DefaultIPAddress that points to a proxy IP address for a GW POA that is available outside the firewall. This configuration will guarantee that users will always be able to download mail wherever they are connecting from.
Enable a GroupWise MTA for Live Remote proxy
- Set up a proxy address for an MTA in your system on port 80.
- Point this address to an MTA running on a server inside your firewall.
- Open the hole in the firewall for the proxy.
- Add the /liveremote-[port] switch to the startup file of the MTA and restart it.
- Create a DNS entry such as gmail-remote.novell.com that points to the proxy IP address.
Note: This is a different configuration than we used previously for GroupWise 5.5 Enhancement Pack.
Deploy the GW6 Client using setup.cfg with DNS information
Add the information for the DNS names to setup.cfg that is used for client deployments.
Publish information to users
Publish the DNS entries for the MTA and the POA that will service remote users and explain how to use these to create additional connection definitions in the remote client.