www.novell.com

How NIMS™ Was Deployed for Tens of Thousands of Students at the University of Kentucky and Embry-Riddle Aeronautical University

How NIMS™ Was Deployed for Tens of Thousands of Students at the University of Kentucky and Embry-Riddle Aeronautical University

Matt DeFoorDirectory EngineerUniversity of Kentuckymattd@uky.edu

University of Kentucky at a Glance

• Facts Public, land-grant university Enrollment (FTE)=32,584

• Includes Lexington Community College Home of me, mattd@uky.edu (and a few others) Shoes optional

The “Education” of Novell Internet Messaging System™ (NIMS)

• Brief history of e-mail at the University of Kentucky (UKY)

• Proposal to implementation• Design of UKY NIMS system• Design of separate NIMS tree• Design and implementation of DirXML™

• Customization—templates and software• Problems, pitfalls, and ways to avoid them• Leveraging Novell eDirectory™ • Summary• Questions and answers

Brief History of E-mail at UKY

• IBM mainframe

• cc:Mail

• Sendmail and Qualcomm’s Qpopper

Request for Proposals to Replace Aging Sendmail and POP Service

• Proposed system requirements POP, IMAP, web access 25 MB quota per user Directory-enabled Calendar support Scan mail for viruses

• Timeline First proposal—February 2001 NIMS approved for implementation—April, 2001 Production deadline—August 4, 2001

Mail Systems to Be Replaced—or Not

• All centrally supported mail systems IBM mainframe Campus POP server UNIX mail for students in engineering labs

• System not to be replaced—Microsoft Exchange

Needed for “power users”

Proposal Accepted and Real Work Begins

• Deadline: August 4, 2001• UKY Mail Team

The NetWare® group (NIMS admins) Graphics people PR people Old mail system admins Meetings, meetings, meetings

• By the way—NIMS v3 wasn’t released yet

Spec and Order Hardware

•Five Dell PowerEdge 6450

•Dual 700 Mhz XEON Processors

•4 GB RAM•18 GB RAID1 system drives

•Two Dell PowerEdge 2550•Dual 1Ghz Processors•2 GB RAM•18 GB RAID1 system drives•Dell SAN—1.6 TB of usable

space•PowerVault 660F

•Three PowerVault 224Fs

Design of UKY NIMS System

• Distributed messaging architecture Flexible Redundant Scalable More complex

Initial Design of UKY NIMS System

• Initial production environment Windows NT 4.0 server running McAfee SMTP

WebShield 4.51 One NIMS SMTP server

• Also running POP3D for legacy clients Two “client” access servers: POP3D, IMAPD,

ModWebd Two back-end servers connect to SAN for

access to mail store

Initial Design of UKY NIMS System (cont.)

Initial Design and Implementation

of UKY NIMS System

Volume configurations

4 GB SYS volumes—RAID1; 64 Kb block size; block sub-allocation = on

12 GB SPOOL volumes—RAID1; 64 Kb block size; block sub-allocation = on

SMTP, SMTP1, CLIENT1, and CLIENT2

4 GB SYS volumes—RAID1; 64 Kb block size; block sub-allocation = on

12 GB SPOOL volumes—RAID1; 64 Kb block size; block sub-allocation = on

800 GB PV volumes—RAID5; 64 Kb block size; block sub-allocation = on

NMAP1 and NMAP2

Current Design and Implementation of UKY NIMS System (cont.)

• Production environment Two SMTP servers running Antivirus Agent

• Also running POP3D for legacy clients Two “client” access servers: POP3D, IMAPD,

ModWebd Two back-end servers connect to SAN for

access to mail store

Current Design and Implementation of UKY NIMS System (cont.)

Current Design and Implementation of UKY NIMS System (cont.)

Volume configurations

4 GB SYS volumes—RAID1; 64Kb block size; block sub-allocation = on

12 GB SPOOL volumes—RAID1; 64Kb block size; block sub-allocation = on

SMTP, SMTP1, CLIENT1 and CLIENT2

4 GB SYS volumes—RAID1; 64Kb block size; block sub-allocation = on

12 GB SPOOL volumes—RAID1; 64Kb block size; block sub-allocation = off

800 GB PV volumes—RAID5; 64Kb block size; block sub-allocation = off

NMAP1 and NMAP2

Tree Structure Design

• The file/print tree [UKY] is the result of a distributed design run amok… courtesy of Gary Porter

• We could have leveraged our existing Tree, but we didn’t feel comfortable

One wrong move by a local admin could seriously affect mail delivery for 44,000 users

Dynamic vs. Static Tree Structure Design (cont.)

• Dynamic The UKY Tree is a dynamic tree where

servers are added and removed, schema is extended and partitioned and replicated across campus and some WAN links

• Static Static tree—one where the addition of

servers, schema extensions, and partition operations were limited and under our control

Dynamic vs. Static Tree Structure Design (cont.)

So the plan was simple…we’ll have a separate Tree and sync the two with DirXML…no sweat*

* “No sweat!” is a trademark of UKY

Separate Tree for Mail System

• Ergo…The One True Directory [TOTD]* This is an inside joke among NIMS admins Active Directory is referred to as the savior of our

supposed directory problems—even though it only has a few thousand users and [TOTD] has over 43,000

The [TOTD] tree is used for everything from web page authentication to VPN access to RADIUS authentication• Oh, did I mention that they can use the same userid

and password to access each of these services?

* [TOTD] is a trademark of UKY

TOTD Tree Structure

• TOTD design and structure Consists of six servers NetWare 5.1 SP3 + various patches Pure IP Novell eDirectory v85.12a

TOTD Tree Structure (cont.)

Standard security container

TOTD Tree Structure (cont.)

Server objects

Volumes objects

LDAP group and server objects

TOTD Tree Structure (cont.)

Contains administrative objects, e.g., postmaster, groups, etc.

TOTD Tree Structure (cont.)

Group objects used for aliases

TOTD Tree Structure (cont.)

Approximately 44,000 hashed objects—serviced by two different NMAP servers

TOTD Tree Structure (cont.)

NIMS Messaging Server Objects; Parent Objects; Templates; Mailing Lists

TOTD Tree Structure (cont.)

TOTD Tree Structure (cont.)

• Partitions Three servers hold a partition of [ROOT] All servers hold a partition of UKY and Internet services Three servers hold a partition of DirXML DriverSet

Sync TOTD with UKY

DirXML—How We Did It

• Learn DirXML• Learn XML• Learn XSLT• Determine what attributes to sync• Configure Filters• Write custom Create Rules and Stylesheets• Novell Consulting—validate DirXML

implementation• No Sweat!™

Plan for Moving Existing Mail to NIMS

• Develop software to move… Existing mailboxes Existing aliases Existing forwarding

• Test the migration

Develop Custom Operational Software

• Keeping things user-friendly Form-based login for WebAccess via SSL

• Perl program to perform actual login from web form data

• Revise program to handle WebAccess session cookie (introduced with NIMS 3.0 RC2)

Form-based change password page• Perl program to affect password change from web

form data

Customized Form Login Page

• Ease of use

• Provide information on the login form page

• Redirect to our custom pages on failed logins

• Log in via SSL, then redirect out of SSL

• Public templates weren’t available

Customized Redirect Pages

Customized Redirect Pages (cont.)

Customized Password Page

• NIMS NIMS requires login to

WebAcess/WebMail Confusing if SSL is

required

• Custom Always performed via SSL You can implement

password restrictions Doesn’t require MobWeb

to change the password Easier to use

Population and Maintenance of NIMS Users in eDirectory

• Perl program to automatically add users from campus User Account Management System (UAMS)

• Perl program to push pre-populated calendar file to each user

• Perl program to handle deleted accounts Aging before removing mailboxes and mail directories

• Web front-end to IMSAudit data

Web Front-end to IMSAudit Data

Web Front-end to IMSAudit Data (cont.)

Customized WebAccess Template

Customized WebAccess Template (cont.)

Customized WebAccess Template (cont.)

•Example of pre-populated Calendar entry

Customized WebAccess Template (cont.)

•Example of pre-populated Calendar entry

Customized WebAccess Template (cont.)

Problems, Pitfalls and Ways to Avoid Them

• Modweb/WebAccess Limit your end-user expectations

• WebAccess/WebMail is your thin friend, not your fat client

• PR will be your friend Don’t let bad PR

give you a black eye

Don’t

PR Do’s and Don’ts

• Tell your users about the new system

• Tell your users you are moving to a new system one week before the changeover

• Tell your users of the benefits of the new system

• Tell your users—who all use the POP protocol—that they must go to IMAP

• Tell your users they now have web access to their mail

• Make them believe this is now the only mail access they have

• Come up with a catchy name

for your new mail system

• Have a stupid name like U-Connect@UK

Do

Problems, Pitfalls and Ways to Avoid Them

• Antivirus gateway (a problem before NIMS 3.02b)

McAfee Webshield SMTP for Windows NT Doesn’t support S/MIME attachments Malformed messages would cause the queue

to stop processing Obsolete because of antivirus agent

Using NIMS to Leverage NDS at UKY

• NIMS (TOTD) tree design recap• Using TOTD tree for wireless authentication• Using TOTD tree for campus software

download authentication• Using TOTD tree for authentication only

(no e-mail) Simply disable mail access in IMS configuration

page of NWAdmin

Monitoring NIMS

• Babymon Monitors NIMS agent connectivity

• ZENworks for Servers (ZfS) Monitors abends NDS Other OS problems

• Multi-router Traffic Grapher (MRTG) CPU utilization Messages received IMAP, Modweb and POP connections Kb transferred NIC statistics

Monitoring NIMS with MRTG

Monitoring NIMS with MRTG (cont.)

Monitoring NIMS with MRTG (cont.)

Monitoring NIMS with MRTG (cont.)

NIMS Resources and Errata

• www.nimsinfo.com• www.myrealbox.com• Nimstalk@nimsinfo.com• Nimsdev@nimsinfo.com• novell.support.collaboration.internet-messaging-

system• www.perldap.org• Multi-router Traffic Graffer (MRTG)

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

wiN big

gear up,rope in, and climb on

gear up,rope in, and climb on

with Novell Provisioning solutions

with Novell Provisioning solutions

Novell Provisioning table

pick up your entry card today

in the one Net solutions

lab

at the