Dec 2, 2011

Run to the Border(manager) and shoot it!

About 4 months ago, we opened up streaming media to the masses. This resulted in a terminal failure of our trusted and loyal Novell Bordermanager (v3.9 SP2 on Netware 6.5 SP8, eDir 8.8.5 patch 5) due to its inefficient handling of streaming media. It was so bad that the servers would disappear off the network for up to 15 minutes, until the stream they were proxying completed. The temporary solution was to restrict streaming media again until we could figure a way out.

We didn't.

Shifted gears, and since we were already using one vendor's filtering database, we used our existing license key for their shiny new web filtering solution. Much better reporting, and much better "use and abuse" management as well.

The biggest change is in the licensing size for the management database. Under Bordermanager a user who had a computer, a laptop and came in through a remote VDI session counted as "1" user. Under the new system, each device counts as "1" user. We went from X thousand users connecting to 4X users connecting once you included our "Guest" wireless network (which seems to attract every iPhone in a 20 block radius). Once we got the licensing churn solved, it settled down into a nice pattern. One of the things that happened is that the filter categories got more accurate. For example, Twitter wasn't blocked under the old social media filter; now it is. On the upside, we are now able to provide our users with streaming media and also tell their bosses when they've spent the day watching kitten videos.

Internet Cop, just another job for getting IT done

Nov 2, 2011

SVN, or how to save your butt on IDM

Subversion support is built into Novell IDM 3.6.1 and later; use it! (but don't trust it)

I set up an old box as an SVN server on the network, running SLES and using LDAP tied to eDir for authentication in case I ever want to give this out to others. All it does is back up my IDM projects and allow me to put them down on other machines. When I'm done doing work in Designer I "check in" the changes and append a changelog entry to give me a future clue of what I did.

Nice right? I think it is....

Now here's the don't trust it part,

I also export the project as a ZIP file named with the project name and date, and then save that ZIP file on the corp file server to make sure it's backed up..... I've seen funky things go wrong with SVN when moving back to older versions of code; to get around that, I can restore from these ZIP backups instead of trying to navigate through the SVN browser in Designer.
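One way to script the ZIP half of this, as an added example (these are not the author's scripts): a date-stamped archive of the project directory with a SHA-256 sidecar, so a restore can be checked before it overwrites anything. The project directory layout, the destination folder and the exclusion of `.svn` working-copy metadata are assumptions.

```python
"""Date-stamped ZIP export of a Designer project plus an integrity check
before restore. Added example; directory names and layout are assumed."""
import hashlib
import zipfile
from datetime import date
from pathlib import Path
from typing import List, Optional, Tuple


def project_zip_name(project: str, on: Optional[date] = None) -> str:
    """'<project>-YYYYMMDD.zip', the project-name-plus-date scheme from the post."""
    on = on or date.today()
    return f"{project}-{on.strftime('%Y%m%d')}.zip"


def export_project(project_dir: Path, dest_dir: Path,
                   on: Optional[date] = None) -> Tuple[Path, Path]:
    """Zip project_dir (minus .svn metadata) into dest_dir and write a
    SHA-256 sidecar next to it. Returns (zip_path, sidecar_path)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    zip_path = dest_dir / project_zip_name(project_dir.name, on)
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(project_dir.rglob("*")):
            if ".svn" in path.parts or not path.is_file():
                continue  # working-copy metadata belongs to SVN, not the project
            zf.write(path, path.relative_to(project_dir).as_posix())
    digest = hashlib.sha256(zip_path.read_bytes()).hexdigest()
    sidecar = zip_path.parent / (zip_path.name + ".sha256")
    sidecar.write_text(f"{digest}  {zip_path.name}\n")  # same layout as sha256sum -c
    return zip_path, sidecar


def verify_export(zip_path: Path) -> bool:
    """True only if the sidecar hash matches and every member's CRC is intact."""
    sidecar = zip_path.parent / (zip_path.name + ".sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    if hashlib.sha256(zip_path.read_bytes()).hexdigest() != expected:
        return False
    with zipfile.ZipFile(zip_path) as zf:
        return zf.testzip() is None  # None means no member failed its CRC


def restore_project(zip_path: Path, target_dir: Path) -> List[str]:
    """Verify, refuse any member that would land outside target_dir, then extract."""
    if not verify_export(zip_path):
        raise ValueError(f"{zip_path.name} failed its integrity check; not restoring")
    target_dir = target_dir.resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            dest = (target_dir / member).resolve()
            if dest != target_dir and target_dir not in dest.parents:
                raise ValueError(f"refusing to extract {member!r} outside {target_dir}")
        zf.extractall(target_dir)
        return zf.namelist()
```

The sidecar uses the `sha256sum -c` line format, so the file server copy can be checked from a SLES shell without this script. The restore path refuses to extract when the archive fails its hash, so a truncated or tampered copy on the file server fails loudly instead of silently rolling the project back to garbage.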

Suspenders and belt, whatever IT takes to keep your pants up

Oct 12, 2011

Keyboards.....

I was perusing this article about things that have fallen away from the mainstream in computer technology....

I am one of those old keyboard folks. I am typing this on an Apple keyboard attached via Bluetooth to an iMac, BUT at work I use an IBM Model "M" keyboard. The clunky, clicky keys just "do it" for me. I actually feel like I am accomplishing something, and I like the positive feedback. The one I use has a born-on date of July 5 1996. It's been apart several times and cleaned in a dishwasher. I have several other ones that serve as backups and parts repositories. The point is that they may not be efficient or "new" but they work reliably...

And being reliable is what IT is all about.


(Note: I originally wrote this several months ago and found it languishing in the "DRAFTS" folder)

The.... FUTURE!

Beginning in the next few weeks we will be embarking on our journey into the...."FUTURE!" We will be building an OES2 SP3 cluster on SLES10 SP4. RIGHT in time for the beta launch of OES11 on SLES11, which means another migration in the near term. At first this will be for file storage, but soon it will be Groupwise (8.02 HP2), followed at some point by iPrint (as soon as they ditch the XP SP2 boxen). One of my goals during this is going to be to blog more.

For those of you at Brainshare, enjoy it, but then let's get down to work....


Making IT work , yep that's the job

Jun 16, 2011

IDM : when passwords attack

The App Analyst for the new IDM made a tactical error: he set the Global password sync attribute to on for the entire environment. In Novell IDM this is the classic NBD (no big deal). In the new one? Well, it does this: it captured password changes off the AD side, which is downstream from eDir and the Identity Vault. It then says "Hey! New password! I need to tell all the downstream apps that it's a new password!" It then sends the password down to the attached apps, which in our case are eDir and AD. OK, it's the same password, NBD, right? Wrong... It does an administrative password set, which means that the password is immediately expired. Two sync engines that each treat the other's writes as fresh user changes, with nothing suppressing the echo, is a loop by construction; the administrative set that expires the password just makes the loop visible.

A hundred help desk calls later, they finally ping me, and I investigate, since the App Analyst didn't do a change control on this. The password was initially OK, set to expire in 60 days per policy; 5 minutes later it would suddenly be expired. I pulled the Novell ID Vault logs on some password changes with the log level set to 5. Nothing, everything looked normal, except that 5 minutes after the password event happened another one appeared, from apparently nowhere. Off to DSTRACE; I had a suspicion. Watch the LDAP records, and 5 minutes after a password change another one came through from the other IDM. Go to the App Analyst:
"What did you do?"

"I changed the Global Sync Attribute"

"Change it back"

"Why?"

"Cause people are constantly resetting passwords because you caused a logic loop"

"Crap"

Systems Orchestration can be an Art, but it takes an Artist to truly appreciate IT.

Jun 4, 2011

Ease of Use.....

About 2 months ago, we started working on this new "Provisioning Solution". We had the full court press from the vendor: out of country contractors, VPs of Application, PMs of Doom and the Salesman. Our current provisioning is a rather ingenious in-house system that was cooked up using Access and a good deal of knowledge. Having been working on Novell IDM for the last 3 years, I have a pretty good idea of what it can and can't do.....

This new solution? Can't rename attributes downstream. Can't edit the XML directly, can't reconfigure on the fly or move drivers from one device to another rapidly. No IDE, no easy command line access. It's all "Web 2.0'd" to death, and it's sluggish. IDM routinely parses over 12,000 records in an hour; this one? (and this is from their developer) would take "20 hours" to parse the same number of records. To support this super duper solution we need to spin up a "DEV" environment, which means that I needed to produce a separate but identical eDir, IDM and AD. The eDir? Simple: spin up a SLES 11 SP1 box, load eDir, load IDM. Do the connector magic in Designer. LDAP export PROD into the new DEV for the O's and OU's. Deploy, get the certs right and start. Minor tweaking ensues, and in 5 hours I have a duplicate environment with all the users and groups. The IDM and the AD won't take even close to that long.

That new fangled one? yeah.... 8 weeks, and it doesn't do anything yet. It could provision eDir and AD sure, but it has this bug....

If you use the new tool to change your password, it sets it in eDir, it sets it in AD, but......

it locks you out of the new solution.......

Because it can't change the password there......

Ease Of Use, Helps get IT done......


May 16, 2011

It's All About the Real Estate

Desktop Real Estate that is.....

A well documented fact is that multiple monitors increase productivity. Not everyone feels that way, usually the manager who thinks that it's a luxury or a "geek" perk. Jeff Atwood puts forth in his Programmer's Bill of Rights that 2 monitors is a right of the programmer. Trading houses have no problem with their traders having massive 6 monitor setups with two high end computers to make money on the stock market, and they don't spend a dime unless it is to make money. In IT, multiple monitors come from our incredible ability to scavenge and improvise, which means we're using equipment that would have just been sitting or otherwise stored until it was useless.

My current work setup is four screens.

Screen #1 HP 8540 Laptop running SLED 11sp1 and Win7
Screens #2 and #3 HP 6000 Desktop Running SLED 11SP1 with XP running in a VM
Screen #4 KVM attached to a HP 5800 Desktop, a HP 6000 Desktop and a Wyse Terminal

and I use EVERY one , ALL day, EVERY day.

The laptop is used for communication, meetings, and as a "research and code on the move" screen. The biggest advantage on Screens 2 and 3 is that I use 5 virtual desktops on the SLED desktop and switch around in them all day: one virtual desktop runs email and ticketing, another is where monitoring happens, one houses the XP desktop, another is test and the last is for writing code that is tested out on Screen #4. My own dev/test environment in 36 sq. ft. of cube real estate. When I started doing development I was using an IBM 701C laptop with a 10" screen that was also attached to a 14" CRT. Even then I used both monitors as a way to spread out. As I've gained experience and age, my eyes have lost some sharpness and precision. Larger fonts on larger monitors help make up for that loss of acuity and allow me to continue to be productive.

And Being Productive is What "IT" is all about .

Apr 21, 2011

Novell Datasync

Smart App, good interface, needs to be marketed better.....

We're implementing Datasync because we have an influx of iPhones and tablets starting to wander into our world. At effectively zero cost except for the CA cert and SAN space, it is an economically good choice in my book. Right out of the box it's going to save time and money, and down the road we should be able to leverage it for our SharePoint implementation.

The build is straightforward: build a SLES 11 SP1 x64 box with 8GB of RAM. That's a fairly steep RAM requirement for a SLES box, but it's running in VMware, so it's just a configuration gotcha. We updated the build via our SMT before configuring. We followed the build guide and it worked like a charm. We did upgrade the Groupwise back end to 8.02 HP2; this is important, since Datasync throws SOAP errors unless you do this update. Mail setup is fairly straightforward and easy. We're currently testing remote wipe (blowing up phones remotely) and should be implementing this in May/June.....

It really needs to be talked up better by Novell. Businesses have large potential savings, either through migrating from BlackBerry and BES to Android/iPhone or by adding it as a value added service to their users (never underestimate the value of good will).

If we can figure out how to allow some of our outside users onto mail clients, this should be a slam dunk.

Caveats.

You MUST be running GW 8.02 HP2; anything less will SOAP error your PO into a down state very quickly. For access from outside your network, get a REAL cert from a cert provider (a self-signed cert just trains users to click through warnings on every device), but on the plus side you only need to expose one port to the outside world, 443.

Mar 15, 2011

Send in the Tablets

Here come the tablets. Working in healthcare means working with doctors, and working with doctors means working with users with disposable income. This led inevitably to tablets: Galaxy, XOOM, iPad and iPad 2. Android, iOS and eventually webOS, QNX, and Windows. Portable devices with portable problems. One of the faster growing ways of dealing with this, protecting the data AND still giving the users what they need (which is different from what they want), are the solutions from VMware and Citrix involving their VDI or XenDesktop offerings. The one issue is that you are trying to handle a Windows interface over a touch interface. What we really need is a competent tablet interface, but we didn't have one ten years ago and we don't have one now. Natively there's too much of a chance of loss of data, and in a HIPAA environment this is bad. Browsers aren't any better, because most of the infrastructure is coded to IE7 (hopefully) or IE6 (most likely).

What we need is a virtual interface that isn't dependent on anything resembling a standard interface, that allows IE emulation but on a more stable platform. Win7 isn't it, Win8 is a pipe dream, Ubuntu NBR is a good candidate IF you can get IE to run on it legally.....

points to ponder