2.1 Planning a Data Synchronizer System

You can use the Mobility Pack Installation Summary Sheet to gather the information you need so that you are prepared to provide the information requested by the Mobility Pack Installation program. The Summary Sheet organizes the information in the order in which you need it during the installation and configuration process.

2.1.1 Planning Your Synchronizer System Configuration

A Synchronizer system can consist of a single Synchronizer server or multiple Synchronizer servers. For planning guidelines, review Section 1.2, Synchronizer Configurations and Section 1.3.6, Recommended Number of Devices.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Print one copy of the Mobility Pack Installation Summary Sheet for each Synchronizer server that you are planning for your Synchronizer system.

If you plan to install the Mobility Pack on multiple servers, you can proceed through the following planning sections server by server, or you can apply each planning section to all planned servers, then proceed to the next planning section.

IMPORTANT: For best security, plan to install the Mobility Pack software on servers inside your DMZ.

2.1.2 Selecting Mobility Pack Servers

Each server where you install the Mobility Pack must meet the system requirements listed in Section 1.3, Mobility Pack System Requirements.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Mobility Pack Server Information, specify the IP address or DNS hostname of the server where you plan to install the Mobility Pack software.

2.1.3 Gathering LDAP Information

The Mobility Pack Installation program needs access to an LDAP directory. The LDAP information that you provide during installation enables the Installation program to add users and groups to your Synchronizer system and provides you with access to Synchronizer Web Admin, the administrative tool used to manage your Synchronizer system after installation.

LDAP Server Network Information

In order to communicate with your LDAP directory, the Mobility Pack Installation program needs the IP address or DNS hostname of your LDAP server. It also needs the port number that the LDAP server listens on. The LDAP port number depends on whether the LDAP server requires a secure SSL connection. The default secure port number is 636. The default non-secure LDAP port number is 389.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under LDAP Server Information, specify the IP address or DNS hostname of your LDAP server, and mark whether a secure SSL connection is required.

If the LDAP server requires a secure connection, additional setup might be required. See Securing Communication with the LDAP Server in Synchronizer System Security in the Mobility Pack Administration Guide.

IMPORTANT: If there is a firewall between the Synchronizer server and the LDAP server, be sure to configure the firewall to allow communication on the selected LDAP port.

LDAP Server Credentials

In order to access the LDAP directory, the Mobility Pack Installation program needs the user name and password of an administrator user on the LDAP server who has sufficient rights to access the user and group information stored there. At least Read rights are required. You can use the admin LDAP user or an admin-equivalent user. For more information about the required rights for the user you choose, see TID 7006841 in the Novell Support Knowledgebase.

You need to provide the user name, along with its context in your LDAP directory tree, in the following format:

cn=user_name,ou=organizational_unit,o=organization

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under LDAP Server Credentials, specify a fully qualified user name with sufficient rights to read the user and group information in your LDAP directory, along with the password for that user.

LDAP User and Group Containers

During installation, the Mobility Pack Installation program lets you add users and groups to your Synchronizer system from any location in the LDAP directory where you, as the LDAP administrator user, have rights to read the user and group information. The Installation program lets you browse for the user and group containers. It then displays the containers in the following LDAP format:

ou=container_name,ou=organizational_unit,o=organization

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under LDAP Containers, specify a container object and its context in the LDAP directory tree where User objects are located. If Group objects are located in a different container, list that container as well.

After installation, you use Synchronizer Web Admin to add users and groups to your Synchronizer system. When Synchronizer Web Admin generates lists of users and groups, it searches the containers you specify, as well as subcontainers. If you want Synchronizer Web Admin to be able to search multiple, organizationally separate containers for users and groups, you can configure this functionality after you have installed the Mobility Pack, as described in Searching Multiple LDAP Contexts for Users and Groups in Synchronizer Web Admin in the Mobility Pack Administration Guide.
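A check of the summary-sheet LDAP names against the two formats shown above, as an added example that is not part of the original guide or of the Mobility Pack. It flags names typed in dot-delimited eDirectory style instead of comma-delimited LDAP form, and tests whether a separate group container is already covered by the user container's subcontainer search. The function names and the sample names are constructed for illustration.

```python
import re

def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
        elif dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    parts.append(cur.strip())
    return parts

def normalize(dn):
    """Lower-case each component and drop spaces around '='.
    cn, ou and o values compare case-insensitively."""
    return [re.sub(r"\s*=\s*", "=", r, count=1).lower() for r in split_rdns(dn)]

def check_dn(dn, leaf_types):
    """Return a list of problems; an empty list means the name fits the format."""
    problems = []
    rdns = normalize(dn)
    for rdn in rdns:
        if not re.match(r"^[a-z][a-z0-9-]*=.+$", rdn):
            problems.append("component %r is not in type=value form" % rdn)
        elif re.search(r"\.(cn|ou|o)=", rdn):
            problems.append("component %r looks dot-delimited; "
                            "use commas between components" % rdn)
    if not problems and rdns[0].split("=", 1)[0] not in leaf_types:
        problems.append("first component should be one of: %s"
                        % ", ".join(sorted(leaf_types)))
    return problems

def is_within(container, base):
    """True if container is base itself or a subcontainer of it."""
    c, b = normalize(container), normalize(base)
    return len(c) >= len(b) and c[len(c) - len(b):] == b

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    bind_user = "cn=admin.ou=users.o=example"        # dot-delimited slip
    user_container = "ou=users,o=example"
    group_container = "ou=groups,o=example"

    for label, dn, leaf in (("bind user", bind_user, {"cn"}),
                            ("user container", user_container, {"ou", "o"}),
                            ("group container", group_container, {"ou", "o"})):
        for problem in check_dn(dn, leaf):
            print("%s: %s" % (label, problem))

    if not is_within(group_container, user_container):
        print("group container is outside the user container; list it separately")
```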

LDAP Passwords vs. GroupWise Passwords

Users use their LDAP (network) passwords to log in to the network. They might or might not use the same passwords to log in to their GroupWise mailboxes. The Mobility Pack Installation program configures your Synchronizer system to use LDAP (network) passwords for logging into GroupWise mailboxes. If users have different passwords for their GroupWise mailboxes, they can configure their mobile devices with their LDAP (network) passwords, rather than their GroupWise passwords, in order to synchronize data with their GroupWise mailboxes.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Mailbox Access, mark whether users use LDAP (network) passwords or GroupWise (mailbox) passwords to access their GroupWise mailboxes.

For convenience when users have different GroupWise and LDAP passwords, you can configure the Mobility Connector to use GroupWise passwords for authentication. This approach can be more intuitive for users. It is especially convenient when users’ LDAP passwords are set to expire regularly, which requires reconfiguration of mobile devices each time the LDAP passwords expire. GroupWise passwords do not expire. Device reconfiguration becomes necessary only when users manually change their own GroupWise passwords.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Enable GroupWise Authentication?, mark Yes if you plan to reconfigure the Mobility Connector to use GroupWise passwords to authenticate to mailboxes.

After you have installed the Mobility Pack, enable GroupWise authentication by following the instructions in Using GroupWise Authentication Instead of LDAP Authentication for Mobile Devices in Mobility Connector Configuration in the Mobility Connector Configuration Guide.

2.1.4 Planning How to Add Users

If you plan to use LDAP authentication, a number of variables affect how you add users to your Synchronizer system:

During installation

During installation, you can add individual users and groups of users to your Synchronizer system from any context in your LDAP directory where the LDAP administrator user has rights to access the User and Group objects. For a small Synchronizer system, you might plan to add all users during installation.

When you add users during installation, the following GroupWise data is automatically synchronized for each user:

  • Contacts from all personal address books, excluding the Frequent Contacts address book

  • Calendar items (appointments and reminder notes) from the last two weeks and all future items

  • Email messages in the Mailbox folder from the last three days

  • Standard folders (Sent Items, Work in Progress, Junk Mail, and Trash) and folders in the Cabinet (but not the items in these folders until users request them by opening the folders)

Adding at least two users for testing purposes during installation is recommended.

After installation

For a larger Synchronizer system, you might plan to add a subset of users during installation, get those users running smoothly, then add the rest of the users after installation in Synchronizer Web Admin.

If you want to restrict the amount of data that is processed during initial synchronization, add the users after you have installed the Mobility Pack. Configure the GroupWise Connector to meet your synchronization preferences, as described in GroupWise Connector Configuration in the GroupWise Connector Configuration Guide, then add the users manually, as described in Managing Users in User Management in the Mobility Pack Administration Guide.

Using LDAP groups

The Mobility Pack Installation program lets you select individual users or LDAP groups of users to add to your Synchronizer system. You might already have existing LDAP groups that represent useful sets of users to add to your Synchronizer system. If your existing LDAP groups do not meet the needs of your Synchronizer system, you can organize your users into LDAP groups specifically to facilitate the Mobility Pack installation and the post-installation growth of your Synchronizer system.

LDAP groups are a powerful tool for ongoing Synchronizer system management. When you add LDAP groups to your Synchronizer system, you can later add and delete users in the LDAP groups, rather than adding the users individually to your Synchronizer system.

LDAP groups also make the installation process more convenient. The YaST functionality of the Mobility Pack Installation program does not allow you to use Ctrl+click to select multiple users. It is much easier to add multiple users to an LDAP group than it is to select them individually in the Mobility Pack Installation program.

IMPORTANT: LDAP groups must include at least one user in order to be added to your Synchronizer system during installation.

Setting application names

If users’ LDAP user names are not the same as their GroupWise user IDs, you must set users’ application names in Synchronizer Web Admin to map from LDAP user names to GroupWise user IDs. This must be done regardless of whether you add the users during installation or after installation, and it applies to users who are added by being members of LDAP groups. To plan ahead for this process, review Setting a User’s Application Name in User Management in the Mobility Pack Administration Guide.

Single-server installation

If you are planning a single-server Synchronizer system, you might already have or want to create LDAP groups based on departmental membership, organizational roles, geographic locations, or even the need to participate in data synchronization. For example, if only a few users have mobile devices and they are scattered throughout a number of existing LDAP groups, you might create a new LDAP group named MobileDeviceUsers so that you can easily add them as a group to your Synchronizer system.

Multi-server installation

If you are planning a multi-server Synchronizer system, you might already have or want to create LDAP groups on different Synchronizer servers. You might be planning several Synchronizer servers based on geographic location, so having an LDAP group of users for each geographic location facilitates adding users. If you want a separate Synchronizer server for executives, creating an LDAP group of executives allows you to add them as a group, rather than selecting each executive individually. If you have a very large number of groups with no particular distinguishing characteristics, you might want to create LDAP groups based on the first letter of users’ last names or user names (for example, A-I, J-R, and S-Z).

Regardless of the variables involved in adding users to your Synchronizer system, effective planning can make the process of adding users easier and faster.

IMPORTANT: When you add users to your Synchronizer system, data is automatically synchronized from GroupWise to the GroupWise Connector before users connect their mobile devices to your Synchronizer system. Do not add users to your Synchronizer system who do not have mobile devices. Extraneous users create unnecessary synchronization traffic in your Synchronizer system.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Add Groups, specify LDAP groups of users to add to your Synchronizer system. If the LDAP groups do not already exist, create them in your LDAP directory before you run the Mobility Pack Installation program.

Under Add Users, specify any individual users that are not part of LDAP groups that you want to add to your Synchronizer system.

IMPORTANT: Be sure to add yourself to the Synchronizer system for testing purposes.

2.1.5 Planning How To Add Resources

You can add resources to your Synchronizer system as if they are users. GroupWise users with rights to the synchronized resource mailboxes can then configure their mobile devices to log in to resource mailboxes just as they can log in to their own mailboxes. This enables GroupWise users to monitor the contents of resource mailboxes from their mobile devices.

Work with GroupWise users to see what resources they want to synchronize to their mobile devices.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Add Groups, specify LDAP groups of resources to add to your Synchronizer system. If the LDAP groups do not already exist, create them in your LDAP directory before you run the Mobility Pack Installation program.

Under Add Users, specify any individual resources that are not part of LDAP groups that you want to add to your Synchronizer system.

2.1.6 Gathering GroupWise System Information

In order to configure the GroupWise Connector as you run the Mobility Pack Installation program, you need to gather certain information about the GroupWise system where users want to synchronize data.

GroupWise Trusted Application

A GroupWise trusted application can log into a GroupWise Post Office Agent (POA) in order to access GroupWise mailboxes without needing personal user passwords. The GroupWise Connector requires such mailbox access in order to synchronize GroupWise data with mobile devices. In addition, the Mobility Connector uses trusted application authentication through the GroupWise Connector in order to access the GroupWise Address Book to provide contact lookup beyond the contacts that are downloaded to users’ devices from personal address books.

Before you install the Mobility Pack, you must use ConsoleOne to configure the GroupWise Connector as a GroupWise trusted application. You might name the trusted application MobilityPack or GroupWiseConnector.

A trusted application uses a key that consists of a long string of letters and numbers to provide authentication to the GroupWise POA. ConsoleOne creates the key in a file in a specified location that is accessible to ConsoleOne.

You need to create only one trusted application key for the GroupWise Connector, regardless of the number of servers where you install the Mobility Pack, and regardless of the number of domains and post offices in your GroupWise system.

When you set up the GroupWise Connector as a trusted application, you only need to fill in three fields in the Create Trusted Application dialog box in ConsoleOne:

  • Name

  • Location for Key File

  • Name of Key File

Do not fill in any other fields.

Follow the instructions in Creating a Trusted Application and Key in System in the GroupWise 2012 Administration Guide to set up a trusted application and obtain a trusted application key for the GroupWise Connector. Copy the key file to a convenient location on the Synchronizer server. The Installation program automatically transfers the trusted application key from the key file into the configuration of the GroupWise Connector.

IMPORTANT: Do not use an existing trusted application key that is already in use by another application.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under GroupWise Trusted Application, specify the name of the trusted application that you created in ConsoleOne and the location where the Mobility Pack Installation program can access the trusted application key file.

NOTE: If your GroupWise system connects to any external GroupWise domains, the external GroupWise system needs its own Mobility Pack installation on an additional Synchronizer server, along with its own separate trusted application key.

GroupWise Post Office Agent

The GroupWise Connector accesses your GroupWise system by communicating with a Post Office Agent (POA). The selected POA must be configured for SOAP, as described in Supporting SOAP Clients in Post Office Agent in the GroupWise 2012 Administration Guide.

The selected POA can obtain information about all users in all post offices in your GroupWise system, if your GroupWise system has a GroupWise name server, as described in Simplifying Client/Server Access with a GroupWise Name Server in Post Office Agent in the GroupWise 2012 Administration Guide.

The Mobility Pack Installation program and the GroupWise Connector need the IP address or DNS hostname of the server where the POA is running. In addition, they need the POA SOAP port, which is 7191 by default. Typically, the same port number is used regardless of whether the POA is configured for a secure SSL SOAP connection. The Mobility Pack Installation program and the GroupWise Connector need to know whether or not the connection is secure, because they use one of the following URLs to communicate with the POA:

Non-Secure SOAP URL:

http://poa_server_address:soap_port/soap

Secure SOAP URL:

https://poa_server_address:soap_port/soap

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under GroupWise Post Office Agent, specify the IP address or DNS hostname of the server where a POA configured for SOAP is running. Specify the SOAP port, and whether or not the POA requires a secure SSL SOAP connection.

IMPORTANT: By default, the POA communicates with the GroupWise Connector using port 4500 on the Synchronizer server. If there is a firewall between the Synchronizer server and the POA server, be sure to configure the firewall on the Synchronizer server to allow communication on port 4500 from the POA server. If necessary, you can configure the GroupWise Connector to listen on a different port number after installation, as described in Changing the GroupWise Connector Listening Port in GroupWise Connector Configuration in the GroupWise Connector Configuration Guide.

GroupWise Address Book User

The Mobility Connector needs to be able to access the GroupWise Address Book to obtain user information. The Mobility Connector establishes this access through the GroupWise Connector.

The Mobility Connector needs Address Book access that is equivalent to a typical user. You control what users see in the GroupWise Address Book by controlling object visibility. You want the Mobility Connector to access the GroupWise Address Book with the same visibility as a typical GroupWise user has when viewing the GroupWise Address Book.

Therefore, you need to select a user whose view of the GroupWise Address Book matches what you want the Mobility Connector to be able to access. You do not need to provide the password for the GroupWise user because the Mobility Connector accesses the GroupWise Address Book through the GroupWise Connector, which has trusted application status.

As an example, you might have a group of mobile device users who need access to Address Book information about upper-level management in your company and another group of mobile device users who should not have this Address Book information. To meet such needs, you would set up two Synchronizer systems, one with Address Book visibility that includes upper-level management and a second one where such Address Book visibility is not included. You would achieve this by setting up each Synchronizer system with an Address Book user whose Address Book visibility provides the visibility appropriate for all users of that Synchronizer system.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under GroupWise Address Book User, specify a valid GroupWise user ID that the Mobility Connector can use to access the GroupWise Address Book to obtain contact information.

For more information about GroupWise Address Book visibility, see Controlling Object Visibility in System in the GroupWise 2012 Administration Guide.

2.1.7 Gathering Mobile Device Information

The Mobility Connector needs certain configuration information about the mobile devices that it synchronizes GroupWise data with.

For device-specific information, see the Data Synchronizer Mobility Connector Devices Wiki.

Mobile Device Port

By default, the Mobility Connector uses all available IP addresses on the server where you install the Mobility Pack. You can bind the Mobility Connector to a specific IP address after installation, as described in Binding to a Specific IP Address in Mobility Connector Configuration in the Mobility Connector Configuration Guide.

Typically, the Mobility Connector uses port 443 for secure SSL HTTP connections with mobile devices and port 80 for non-secure HTTP connections. If mobile devices connect directly to the Mobility Connector, a secure HTTP connection is strongly recommended. If mobile devices connect to the Mobility Connector through a security application such as Novell Access Manager, the Mobility Connector can appropriately be configured with a non-secure HTTP connection.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Mobile Device Port, mark whether you want to configure the Mobility Connector to use a secure or non-secure HTTP port to communicate with mobile devices. Specify the port number used by the mobile devices that your Synchronizer system supports.

IMPORTANT: If there is a firewall between the Synchronizer server and users’ mobile devices, be sure to configure the firewall to allow communication on the selected HTTP port.
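A pre-installation check built from the summary-sheet network values, as an added example that is not part of the original guide or of the Mobility Pack. It derives the LDAP and SOAP URLs and the firewall flows named in the LDAP, POA, and mobile device sections, lists the connections marked non-secure, and includes a probe to run from the Synchronizer server to confirm that a port marked secure really negotiates SSL. The field names, function names, and host names are constructed, the ports are the defaults stated in this section, and the Synchronizer-to-POA SOAP flow is inferred from the SOAP URL rather than from a firewall note.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Sheet:
    """Summary-sheet network values (field names are this example's own)."""
    sync_host: str
    ldap_host: str
    ldap_secure: bool
    poa_host: str
    poa_secure: bool
    device_secure: bool
    devices_direct: bool = True   # False if devices arrive via a security application
    soap_port: int = 7191         # POA SOAP default
    connector_port: int = 4500    # GroupWise Connector listening default

    @property
    def ldap_port(self):
        return 636 if self.ldap_secure else 389

    @property
    def device_port(self):
        return 443 if self.device_secure else 80

def ldap_url(s):
    return "%s://%s:%d" % ("ldaps" if s.ldap_secure else "ldap", s.ldap_host, s.ldap_port)

def soap_url(s):
    return "%s://%s:%d/soap" % ("https" if s.poa_secure else "http", s.poa_host, s.soap_port)

def firewall_rules(s):
    """TCP flows to allow, as (source, destination, port, purpose)."""
    return [
        (s.sync_host, s.ldap_host, s.ldap_port, "LDAP lookups and authentication"),
        (s.sync_host, s.poa_host, s.soap_port, "SOAP requests to the POA"),
        (s.poa_host, s.sync_host, s.connector_port, "POA to GroupWise Connector"),
        ("mobile devices", s.sync_host, s.device_port, "device synchronization"),
    ]

def findings(s):
    """Connections on the sheet that are marked non-secure."""
    out = []
    if s.devices_direct and not s.device_secure:
        out.append("devices connect directly over non-secure HTTP; "
                   "a secure HTTP connection is strongly recommended")
    if not s.ldap_secure:
        out.append("LDAP connection is non-secure (port 389)")
    if not s.poa_secure:
        out.append("POA SOAP URL is http, not https")
    return out

def probe(host, port, secure, timeout=3.0):
    """Check that a port is reachable and, if marked secure, completes an SSL handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # closed port, firewall drop, or bad address
    with sock:
        if not secure:
            return "open"
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"
        except ssl.SSLCertVerificationError:
            return "tls-untrusted-cert"   # SSL answered, certificate not trusted here
        except (ssl.SSLError, OSError):
            return "open-no-tls"          # sheet says secure, server is not

if __name__ == "__main__":
    # Constructed sample sheet; replace with your own values.
    sheet = Sheet("sync.example.com", "ldap.example.com", True,
                  "poa.example.com", False, False)
    print(ldap_url(sheet))
    print(soap_url(sheet))
    for src, dst, port, purpose in firewall_rules(sheet):
        print("allow tcp %s -> %s:%d  (%s)" % (src, dst, port, purpose))
    for item in findings(sheet):
        print("REVIEW:", item)
    # On the Synchronizer server, for example:
    # probe(sheet.ldap_host, sheet.ldap_port, sheet.ldap_secure)
```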

Server Certificate

In order to use a secure SSL HTTP connection between the Mobility Connector and mobile devices, a server certificate is required. If you do not already have a certificate signed by a certificate authority (CA) for the Synchronizer server, the Mobility Pack Installation program can create one for you. However, you should obtain a valid signed certificate as soon after installation as possible.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Mobile Device Port, mark whether you want the Mobility Pack Installation program to create a self-signed certificate for you. If you already have a commercially signed certificate, specify the location of the certificate file. Make sure that the location is accessible to the Mobility Pack Installation program on the Synchronizer server.

For more information about certificates, see Securing Communication between the Mobility Connector and Mobile Devices in Synchronizer System Security in the Mobility Pack Administration Guide.

Incoming Devices

By default, users can configure their mobile devices to connect to your Synchronizer server as soon as they know that it is available and they have the necessary information to configure their mobile devices to connect to it. However, the initial synchronization of GroupWise data to the Mobility Connector can be a time-consuming process and can significantly increase the load on the Synchronizer server.

If users connect their mobile devices to your Synchronizer system before the initial GroupWise data synchronization is complete, users might not receive all of the expected GroupWise data when they first connect. As a result, they might think that there is a synchronization problem, when in reality, all they need to do is wait a while for all of their data to arrive.

To prevent users from experiencing partial synchronizations of GroupWise data, you can block devices from connecting to your Synchronizer system until you are certain that all GroupWise data has synchronized to the Mobility Connector and it is ready for access by mobile device users. If you block device connections until you are ready, initial synchronization for users proceeds more smoothly.

IMPORTANT: Blocking incoming devices is highly recommended, especially for larger Synchronizer systems.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Block Incoming Devices, mark whether you want to block incoming devices from connecting to your Synchronizer system until all GroupWise data has synchronized to the Mobility Connector. If you mark Yes, you must manually release the block before users can connect, as described in Blocking/Unblocking Incoming Devices before Initial Synchronization in Mobility Connector Configuration in the Mobility Connector Configuration Guide.

2.1.8 Planning the Data Synchronizer Database

When you run the Mobility Pack Installation program, it creates a PostgreSQL database that is used to store the Synchronizer system configuration information that you see in Synchronizer Web Admin. It also stores pending events when synchronization is interrupted.

The Synchronizer database is named datasync, and the user that has access is named datasync_user. You must supply the password for the Synchronizer database user.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Synchronizer Database, specify the password that you want to use for the Synchronizer database.

The Mobility Connector uses a secondary database named mobility to store events when synchronization between the Mobility Connector and mobile devices is interrupted. This includes the email, contacts, appointments, calendars, and attachments that are synchronizing to and from mobile devices. The mobility database initially uses the same user name and password as the datasync database.

If you need to change the password on either of these databases after you have installed the Mobility Pack, see:

2.1.9 Establishing Data Synchronizer System Security

Configuration and administration of your Synchronizer system is performed through Synchronizer Web Admin. From Synchronizer Web Admin, you can:

  • Add users, resources, and groups to your Synchronizer system

  • Start, stop, configure, and monitor the connectors

  • Reconfigure the connection to your LDAP server

To protect your Synchronizer system operation and configuration, you must choose one LDAP administrator user to access Synchronizer Web Admin. This LDAP user becomes the initial Synchronizer administrator. For simplest administration, use the LDAP Admin user or an admin-equivalent user.

If you prefer to establish a Synchronizer administrator user with fewer rights than the LDAP Admin user, make sure the user has sufficient rights to read the User and Group objects that you need to access as you add users to connectors in Synchronizer Web Admin.

Make sure that you know this administrator user’s password.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Synchronizer Web Admin, specify the LDAP administrator user name and password that you want to grant access to Synchronizer Web Admin.

You can add more users as Synchronizer administrators after installation, as described in Setting Up Multiple Synchronizer Administrator Users in Synchronizer System Management in the Mobility Pack Administration Guide.

2.1.10 Registering for Automatic Updates from the Novell Customer Center

When you create a new Synchronizer system, the Mobility Pack Installation program can help you register to receive automatic Mobility Pack software updates from the Novell Customer Center.

Before you run the Installation program, you need to know the email address that is associated with your Novell Login account for the Novell Customer Center. You also need to log in to the Customer Center and obtain the activation code necessary to register for automatic software updates.

To obtain your Mobility Pack activation code:

  1. Log in to the Novell Customer Center.

  2. In the Select an Organization to Manage drop-down list, select your organization that is entitled to the Mobility Pack.

  3. Under My Products, select Novell Data Synchronizer Mobility Pack version_number.

    Replace version_number with the current Mobility Pack version number.

  4. Locate the Mobility Pack activation code and save it for future reference.

MOBILITY PACK INSTALLATION SUMMARY SHEET

Under Novell Customer Center Registration, specify the email address that you used to log in with and the activation code you obtained from the Novell Customer Center.

With this information, the Mobility Pack Installation program registers you to receive future Mobility Pack updates through the Mobility-1.2-Updates channel.