Uklug 2011 client management


Published in: Technology, Business

  1. The Definitive Guide to Client Management
     Francie Tanner, panagenda
  2. Why You Might Care About What I Say …
     • Technical Director, North America for Panagenda
     • Over 14 years experience with Domino environments
         - Managing, architecting, and supporting
     • Various site/version/size deployments
         - 10 to 100,000 users
         - Versions 4-8
     • Experienced Lotus instructor and speaker
         - Pretty good administrator and end user, too
     • Several certifications
  3. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  4. The Client Management Challenge
     • Your company started using Notes on version 4.x
         - Clients have been upgraded 5 times since then
         - You changed install directories and client type
         - Some data was migrated
         - Perhaps customized templates were deployed
         - IBM also changed client types and default directories
     • Your users started creating icons/bookmarks to servers on version 4.x
         - You added new ones and consolidated others since then
     • Your users started creating local replicas on version 4.x
         - Anywhere they think is a good idea...
         - Mapped drives, outside the data directory, inside the data directory
     • Users shared workstations at some point, various IDs are all over
     • This leaves you with a HUGE problem when trying to manage our environment …
  5. The Client Management Challenge
     • Who has bookmarks/icons/replicator entries pointing to which applications on which servers
     • Who has which location and connection documents
         - And who is already mis-configured and pointing to the wrong server/IP
     • Who has which certificates and cross certificates
     • Who has which local archives
     • Who has an outdated version of a template locally
         - Hint: After an upgrade the client auto-performs a convert on the local names.nsf with the local pernames.ntf
     • .......
  6. • How do you know how your Lotus Notes clients are configured?
     • How do you manage something you don’t know much about?
  7. The Client Inventory Challenge
     • Specifically when upgrading, knowing what kinds of clients you have is invaluable
         - Basic
         - Standard
         - Single-user
         - Multi-user
         - Roaming User
         - Citrix/Terminal Server
         - iNotes/DWA
         - Managed Mail file users
         - Admin and Designer clients
     • CAUTION: Policies do NOT adapt to the above
  8. The Client Inventory Challenge
     • Gathering the notes.ini can be very helpful in answering the previous questions, such as
         - InstallType=0 Designer License
         - InstallType=1 Admin License
         - InstallType=2 All clients, which is Admin and Designer
         - InstallType=6 Notes client license
         - InstallType=3 Notes client only
         - InstallType=7 Notes lite license
         - InstallType=3 Notes client only
         - InstallType=9 Unknown, which is set for multi-user installs
  9. The Client Inventory Challenge
     • When users authenticate, AdminP records the version of Notes and client platform running, as well as machine name
         - There is a view in the Directory but it’s not very reliable
     • Who has which calendars delegated
         - “Access & delegation” doesn’t tell you who is actually using delegation
  10. The Client Inventory Challenge
     • Is there any other Lotus interfacing software installed on the user’s machine?
         - Sametime stand-alone client
         - Anti-virus products
         - Login scripts
         - Handheld device software
     • What operating system are workstations utilizing?
     • What kind of hardware are your clients using?
         - Memory and disk space are most important here
     • What templates are mail files, archives and directories based on?
  11. The Client Inventory Challenge
     • The problem with any policy-based client management is that
         - Policies depend on an already functioning/setup client
             - In my experience less than 75% of users actually receive policies
         - They don’t provide you with an inventory before making changes
             - Client Management “in the dark”
         - They don’t adapt to your users’ unique situation
             - LAN vs VPN, Citrix user, function outside the data directory
         - They aren’t predictable
             - Can happen anytime.... or not...
         - Most settings cannot be UNset once set
             - Think about it...
         - They cannot repeat actions
             - So if the user breaks something it’s broken until they call for help
  12. The Client Management Challenge
     • And if you don’t know how your Lotus Notes clients are configured today, how can you possibly
         - perform a standardized upgrade
         - fix existing client issues preventatively
         - provide your users with a predictable Notes experience
         - PREDICT the impact of server-based changes on your user population
             - think about a server consolidation including icons/bookmark/replicator page changes, location/connection document updates
     • How do YOU deal with this situation?
  13. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  14. Quotas
     • Should be implemented in conjunction with archiving if mail files are larger than 1GB
         - Those take up a disproportionate amount of server resources
         - Typically users will ignore quota warnings so be prepared to adjust these limits frequently
         - Mail files get easily corrupt if they are too large
         - The more writes to a database/views the greater the chances of getting corruption
         - Be sure to set quotas on all clustered servers as these settings don’t replicate
         - Can be done via a Desktop Settings document
  15. Inbox Management
     • Too many items in your Inbox can corrupt it or stop new mail from being delivered to the Inbox
         - Refresh the view indexes on the server-based mail file via an updall
         - Or have the user press Ctrl+Shift+F9
     • A large inbox can also make Notes appear slow, especially in iNotes
         - Use a Mail Settings document to deal with this
  16. Unread Marks
     • Users often complain of not having unread marks synchronized after failing over to another cluster server
         - Enable the Replicate unread marks feature
         - Located on the Advanced property of database
         - Select Replicate unread marks
             - Over clustered servers
             - Or all servers
  17. Archives
     • If you don’t allow users to grow their mail files very large, you have to provide them with another way to store their data
         - Don’t force your users to spend time on cleaning up their mail, that’s not what they were hired to do
     • Local archiving is almost never the way to go
         - Prevent this via a policy and use server to server archiving instead
         - Then lock down the archive settings altogether
  18. DAOS (Domino Attachment Object Storage) to Help with Mail File Size
     • It won’t help users with their quota but it will save up to 40% disk space
         - Use the DAOS estimator tool to find out how much space this could save you
     • DAOS collects all shared copies of the same attachment and saves it in a central repository
         - This is transparent to users
         - Requires far less back-up time
         - Less writes to your disks means less chances for corruption
         - In addition to faster servers
  19. Notes Mail Security
     • Sign Sent Mail and Encrypt Sent Mail
         - Works natively between Notes users, requires an X.509 certificate when used with other mail users
     • Encrypt saved mail and Encrypt incoming mail
         - Uses the active user ID to encrypt, which means nobody else can read mail
         - Including admins!
  20. Notes Mail Security (cont.)
     • Private folders
         - Show in the mail file but encrypted with the users’ ID
         - This information is lost if the user ID is lost
     • Database encryption
         - Uses the user’s ID to secure local data so it cannot be read even if the laptop gets stolen
         - Can be set manually on the application properties tab or forced with a desktop Settings policy
  21. Automated Local Application ODS Upgrade
     • New to 8.5.2 is the ability to automatically upgrade local client databases to ODS 51
         - Create a desktop policy setting document
         - Set preference on the Mail tab
     • Requires Create_R85_Databases=1 to be deployed to clients
  22. Managed Replicas — New to 8.5.2
     • Local replicas are created in the background and users are switched over automatically
         - Requires existing replication schedule and bandwidth!
  23. Managed Replicas — New to 8.5.2 (cont.)
     • If the managed replica requires a fixup to be run, users will be switched over to the server mail file
         - Still requires network connectivity but forces users to work off local when possible
     • If managed replicas get corrupt, they will be deleted and re-created
         - I’m told, have not actually seen this happen
     • Be careful though!
         - Managed replica feature isn’t aware of Citrix or low bandwidth environments
  24. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  25. Mail File ACLs
     • Get set originally when the mail file is created
         - And is based off the Access Control List (ACL) of your mail template
         - Add entries with brackets to your template ACL so new databases inherit those. Example [LocalDomainAdmins]
     • Users previously required Manager in previous versions to cope with Out Of Office agents
         - Now Editor is sufficient and HIGHLY desirable
         - Editors can’t lock you out of the ACL nor delete their own mail file
     • Admin rights are not required if you use Full Access Admin
         - Users may not understand why all admins can “read” their mail
  26. Mail File ACLs (cont.)
     • Require an admin server listed in order to properly work with renames
         - Advanced tab of the ACL, should be set to the home server
  27. Mail File ACLs (cont.)
     • Mass modifying mail file ACLs is easy: File – Select All – Manage ACL
         - This will help with server, admin, and admin server access
         - Don’t forget to change your template ACLs if you want to change global mail file rights for future users
     • Changing individual ACL entries is a bit more tricky
         - Requires manual one-by-one intervention
         - There’s a great tool on Paul Mooney’s site
  28. ECLs
     • Grants other entities rights to execute code on your workstation
     • Resides on each Lotus Notes client
         - Like preferences they are machine-specific
     • Gets populated upon first launch of the Notes client based on the Admin Execution Control List (ECL) in the Domino Directory
         - User Actions – Edit Admin ECL to modify this
  29. ECLs (cont.)
     • Especially if you are coming from an “unmanaged” environment, you need to use policies to manage current and future users
         - Use a Security Policy to update the default ECL
     • Make sure your servers are listed in the ECL
         - Groups cannot be added
         - Technically speaking they can but only Certifier IDs and User IDs will get honored
  30. ECLs (cont.)
     • Create an internal signing ID you use to sign and deploy all code
         - That way you’re not dependent upon any one person
         - Then only untrustworthy people will set off the alarms!
     • What you want to avoid is anyone ever getting ECL warnings
         - It’s scary and not very user friendly
         - Please tell your support staff not to instruct users to click the last option here
  31. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  32. Certifiers
     • Physical certifiers should:
         - Be kept in a safe and NOT on a shared drive on the network
         - Too many people have access otherwise
         - Require multiple passwords to use
     • Use the CA process to upload our certifiers to your server instead
         - Grants rights to use the uploaded certifier
         - Doesn’t require access to the physical
         - Look at help topic “CA Process” for more information
     • Keep in mind that once you hand out an ID/certifier, you can never take it back
         - Use certificate/key rollover and certificate checking to ensure former admins no longer can use certifiers
  33. ID Management
     • The following native Notes tools can help manage IDs and certifiers:
         - AdminP
             - Does renames and re-certifications
         - Certification Log
             - Keeps track of all that
         - ID Vault
             - Is a self-service repository for user IDs
         - ID Repository
             - The pre-Lotus Notes and Domino 8 way to reset passwords
         - Domino Directory
             - Can hold IDs but may be a security risk to have them here
  34. User IDs
     • Should NOT be kept on a shared drive
         - All of IT doesn’t need to be able to impersonate users
     • Should NOT have standard passwords
         - See above, this is a huge security risk and then add all users to the list of people able to impersonate others
     • If on Lotus Notes and Domino 7 or below, use an ID Recovery database to store user IDs
     • If on Domino 8, keep these in a vault and set up ID Vault instead
         - Will make your password and ID management duties MUCH easier
  35. ID Vault
     • Collects and stores current copies of existing IDs with the current password in an encrypted database
         - Lost/missing IDs are downloaded from the vault automatically
         - The user’s current password still works = seamless
     • Allows password resets if forgotten
         - Use ID Vault – Reset Password to immediately change the password of the user’s ID in the vault
         - Use random passwords for added security
  36. ID Vault (cont.)
     • After 10 tries at the user ID password from the vault the user gets locked out requiring an admin password reset
         - Look at log.nsf – Vault Security Log for this activity
     • Requires a Security Settings document to apply to all users
         - See help topic ID Vault for more information
  37. Password Management
     • Use a Security Settings document to control:
         - Password Quality Settings
         - Expire passwords
         - Password checking
             - When users enter their password to open the User ID file, the password must match the current password stored in the Person document or they will not be authenticated
             - Has to be enabled on both the client and the server
         - Update Internet password when the Notes ID password changes
             - This is especially helpful to keep Sametime/iNotes passwords in synch
  38. Password Management (cont.)
  39. Password Checking
     • Enabled on the Server – Security tab
     • Won’t allow users to authenticate if they don’t provide the last valid password
         - Effective especially when implemented in conjunction with password expiration and public key checking
     • Also allows you to lock out users with a click of a button
         - Although as soon as you delete the person document, this goes away
  40. Public Key Checking
     • Enabling public key checking prevents users not listed in the Domino Directory from authenticating
         - Compares the public key in the person document to that of the ID file and doesn’t grant access to the server if no match
         - Make sure you LOG mismatches before enabling this
         - Prevents stolen IDs from authenticating if the legitimate person’s User ID has been recertified
         - Prevents cross-certification from working
  41. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  42. Compress Port Traffic
     • Compressing TCP/IP traffic on both the client and the server side will allow your environment to communicate faster
         - Done on the client via a Desktop Settings document
         - Done on the server via the Server – Ports – Manage Ports tab
  43. Notes Takes “Forever” to Open
     • Several causes for this issue
         - The user starts the workstation from a cold boot
         - Login scripts are still running or taking inventory
         - Windows and anti-virus apps are still loading
         - Notes is launched and takes fooooorreeeeeveeerrr…
     • The solution? Buy more RAM and faster hard disks
     - OR -
     • Use the 8.5.2 Notes pre-loader when installing clients
  44. Cluster Failover
     • Transparent in version 8.5.2 and above, can be set via policy
         - Desktop Settings – Mail – Client Settings
     • In earlier versions, implement HidePromptFailoverInc=1 to hide the error message below
         - Tip: Error customization tool
  45. Roaming
     • Allows users to roam their bookmarks.nsf, Notes ID, names.nsf, journal.nsf, localfeedscontent.nsf, workspace (in 8.5.2) and Eclipse plug-ins and settings (roamingdata.nsf)
         - Feeds and plug-in information requires 8.5 clients
  46. Roaming (cont.)
     • Upgrade/downgrade users to roaming users via the Admin client
     • New 8.5.2 roaming policy allows for greater customization
  47. What We’ll Cover …
     • Introduction
     • The Client Management Challenge
     • Managing the mail file
     • Working with ACLs and ECLs
     • ID Files, Certifiers and Security
     • Connectivity and failover
     • Wrap-up
  48. Resources
     • Upgrading multiple local databases to a new ODS
     • Customizing mail quota warning text using an INI setting
         - H_CUSTOMIZING_MAIL_QUOTA_WARNING_TEXT_USING_A_NOTES_INI_FILE_SETTING_STEPS.html
     • Disabling and re-enabling Notes roaming users on the fly
         - re-enabling+Notes+roaming+user+status+on+the+fly&uid=swg21424754&loc=en_US&cs=utf-8&cc=us&lang=en
     • Paul Mooney’s Blog
  49. Resources (cont.)
     • Using a Desktop Policy to set Notes.ini and Location parameters
     • Lotus Notes pre-installation checklist
         - f4b82fbb75e942a6852566ac0037f284/71db25fc74354ee8852572fa004e28e0?OpenDocument
     • Automating client installation using a silent install
         - b3266a3c17f9bb7085256b870069c0a9/3ccb28c079e9da3a852572fa004e2a3d?OpenDocument
     • Tips and tricks for troubleshooting Notes Smart Upgrade issues
         - troubleshooting-notes-smart-upgrade-issues
     • Training and Education
  50. In Summary...
     • Understand your client landscape before making changes/upgrades so the effect of server side changes can be predicted
     • Use policies and other native tools to help control clients but be aware of their shortcomings
     • Stay on top of new features, such as ID Vault, DAOS and managed replicas to see if they are a fit in your environment
     • Train your users as much as you can to help them cope with all their IT tools, including Lotus Notes
     • The more Notes client issues you can proactively fix and standardize, the happier and more predictable your users’ experience will be. Plus, less support calls is nice
  51. How to Contact Me
     • Caribbean Headquarters
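
The notes.ini inventory suggested on slide 8, extended to the settings named on slides 21, 34 and 44, as an added example that is not part of the original deck. It assumes the notes.ini files have already been collected per workstation; the host names, paths and sample files are constructed, and `Directory` and `KeyFilename` are standard notes.ini entries the deck itself does not mention.

```python
import ntpath
from collections import Counter

# InstallType meanings exactly as listed on slide 8 of this deck.
INSTALL_TYPES = {
    "0": "Designer license", "1": "Admin license", "3": "Notes client only",
    "2": "All clients (Admin and Designer)", "6": "Notes client license",
    "7": "Notes lite license", "9": "Unknown (multi-user install)",
}

def parse_notes_ini(text):
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:  # skips the "[Notes]" header and blank lines
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_client(text):
    """Return (install type label, findings) for one client's notes.ini."""
    ini = parse_notes_ini(text)
    label = INSTALL_TYPES.get(ini.get("installtype"), "not in slide 8 list")
    findings = []
    # Settings the deck names: ODS upgrade prerequisite, pre-8.5.2 failover prompt.
    for key in ("Create_R85_Databases", "HidePromptFailoverInc"):
        if ini.get(key.lower()) != "1":
            findings.append(key + "=1 missing")
    key_file = ntpath.normcase(ini.get("keyfilename", ""))
    data_dir = ntpath.normcase(ini.get("directory", "")).rstrip("\\")
    # Relative KeyFilename = inside the data directory; absolute elsewhere = review.
    inside = bool(data_dir) and key_file.startswith(data_dir + "\\")
    if ntpath.isabs(key_file) and not inside:
        findings.append("ID file outside data directory: " + ini["keyfilename"])
    return label, findings

def inventory(collected):
    """collected: {hostname: notes.ini text} -> (Counter of types, {host: findings})."""
    types, report = Counter(), {}
    for host, text in collected.items():
        label, findings = audit_client(text)
        types[label] += 1
        if findings:
            report[host] = findings
    return types, report

# Constructed sample files (hypothetical hosts and paths, not from the deck).
SAMPLE = {
    "WS-001": "[Notes]\nDirectory=C:\\Notes\\Data\nKeyFilename=jdoe.id\n"
              "InstallType=6\nCreate_R85_Databases=1\nHidePromptFailoverInc=1\n",
    "WS-002": "[Notes]\nDirectory=C:\\Lotus\\Notes\\Data\nInstallType=2\n"
              "KeyFilename=\\\\fileserver\\ids\\asmith.id\n",
    "CTX-01": "[Notes]\nDirectory=H:\\notesdata\nInstallType=9\n"
              "KeyFilename=H:\\notesdata\\bking.id\nCreate_R85_Databases=1\n",
}
```

Calling `inventory(SAMPLE)` returns the client-type counts and a per-host list of findings; a missing `HidePromptFailoverInc=1` only matters on clients older than 8.5.2, where failover is not yet transparent.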