Francie Tanner panagenda The Definitive Guide to Client Management
Page 1: Uklug 2011 client management

Francie Tanner
panagenda

The Definitive Guide to Client Management


Why You Might Care About What I Say …

• Technical Director, North America for Panagenda
• Over 14 years experience with Domino environments
  • Managing, architecting, and supporting
• Various site/version/size deployments
  • 10 to 100,000 users
  • Versions 4-8
• Experienced Lotus instructor and speaker
  • Pretty good administrator and end user, too
• Several certifications


What We’ll Cover …

• Introduction
• The Client Management Challenge
• Managing the mail file
• Working with ACLs and ECLs
• ID Files, Certifiers and Security
• Connectivity and failover
• Wrap-up


The Client Management Challenge

• Your company started using Notes on version 4.x
  • Clients have been upgraded 5 times since then
  • You changed install directories and client type
  • Some data was migrated
  • Perhaps customized templates were deployed
  • IBM also changed client types and default directories
• Your users started creating icons/bookmarks to servers on version 4.x
  • You added new ones and consolidated others since then
• Your users started creating local replicas on version 4.x
  • Anywhere they think is a good idea...
    • Mapped drives, outside the data directory, inside the data directory
• Users shared workstations at some point, various IDs are all over
• This leaves you with a HUGE problem when trying to manage your environment …


The Client Management Challenge

• Who has bookmarks/icons/replicator entries pointing to which applications on which servers

• Who has which location and connection documents
  • And who is already mis-configured and pointing to the wrong server/IP

• Who has which certificates and cross certificates

• Who has which local archives

• Who has an outdated version of a template locally
  • Hint: After an upgrade the client auto-performs a convert on the local names.nsf with the local pernames.ntf

• .......


• How do you know how your Lotus Notes clients are configured?

• How do you manage something you don’t know much about?


The Client Inventory Challenge

• Specifically when upgrading, knowing what kinds of clients you have is invaluable
  • Basic
  • Standard
  • Single-user
  • Multi-user
  • Roaming User
  • Citrix/Terminal Server
  • iNotes/DWA
  • Managed Mail file users
  • Admin and Designer clients

• CAUTION: Policies do NOT adapt to the above


The Client Inventory Challenge

• Gathering the notes.ini can be very helpful in answering the previous questions, such as
  • InstallType=0 Designer License
  • InstallType=1 Admin License
  • InstallType=2 All clients, which is Admin and Designer
  • InstallType=6 Notes client license
  • InstallType=3 Notes client only
  • InstallType=7 Notes lite license
  • InstallType=3 Notes client only
  • InstallType=9 Unknown, which is set for multi-user installs
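
The InstallType values above can be tallied across collected notes.ini files. This is an added example, not part of the original slides: it parses notes.ini text, labels InstallType with the slide's wording, and flags clients lacking Create_R85_Databases=1 or carrying conflicting duplicate keys. Machine names, sample file contents and function names are assumptions made for illustration.

```python
from collections import Counter

# InstallType labels exactly as worded on the slide above.
INSTALL_TYPES = {
    "0": "Designer license", "1": "Admin license",
    "2": "All clients (Admin and Designer)", "3": "Notes client only",
    "6": "Notes client license", "7": "Notes lite license",
    "9": "Unknown (multi-user install)",
}

def parse_notes_ini(text):
    """Map lowercased key -> list of values, so repeated keys stay visible."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, the [Notes] header and malformed lines
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), []).append(value.strip())
    return values

def classify(machine, text):
    """Summarise one client's notes.ini against settings the slides name."""
    ini, findings = parse_notes_ini(text), []

    def setting(key):
        vals = ini.get(key.lower(), [])
        if len(set(vals)) > 1:
            findings.append(f"{key} appears with conflicting values {vals}")
        return vals[0] if vals else None

    install = setting("InstallType")
    if install is None:
        label = "not recorded"
        findings.append("InstallType missing")
    else:
        label = INSTALL_TYPES.get(install, f"unlisted value {install}")
    if setting("Create_R85_Databases") != "1":
        findings.append("Create_R85_Databases=1 not deployed")
    return {
        "machine": machine,
        "install_type": label,
        "failover_prompt_hidden": setting("HidePromptFailoverInc") == "1",
        "findings": findings,
    }

# Constructed sample input: machine names and file contents are made up.
SAMPLES = {
    "WS-001": "[Notes]\nInstallType=6\nCreate_R85_Databases=1\nHidePromptFailoverInc=1\n",
    "WS-002": "[Notes]\ninstalltype=2\nInstallType=6\n",
    "CTX-01": "[Notes]\nInstallType=9\nCREATE_R85_DATABASES=1\n",
}

def inventory(samples):
    """Classify every collected file, sorted by machine name."""
    return [classify(name, text) for name, text in sorted(samples.items())]

def summary(rows):
    """Count clients per install type label."""
    return Counter(row["install_type"] for row in rows)

if __name__ == "__main__":
    rows = inventory(SAMPLES)
    for row in rows:
        print(row)
    print(dict(summary(rows)))
```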


The Client Inventory Challenge

• When users authenticate, AdminP records the version of Notes and client platform running, as well as machine name
  • There is a view in the Directory but it’s not very reliable
• Who has which calendars delegated
  • “Access & delegation” doesn’t tell you who is actually using delegation


The Client Inventory Challenge

• Is there any other Lotus interfacing software installed on the user’s machine?
  • Sametime stand-alone client
  • Anti-virus products
  • Login scripts
  • Handheld device software
• What operating system are workstations utilizing?
• What kind of hardware are your clients using?
  • Memory and disk space are most important here

• What templates are mail files, archives and directories based on?


The Client Inventory Challenge

• The problem with any policy-based client management is that
  • Policies depend on an already functioning/setup client
    • In my experience less than 75% of users actually receive policies
  • They don’t provide you with an inventory before making changes
    • Client Management “in the dark”
  • They don’t adapt to your users’ unique situation
    • LAN vs VPN, Citrix user, function outside the data directory
  • They aren’t predictable
    • Can happen anytime.... or not...
  • Most settings cannot be UNset once set
    • Think about it...
  • They cannot repeat actions
    • So if the user breaks something it’s broken until they call for help


The Client Management Challenge

• And if you don’t know how your Lotus Notes clients are configured today, how can you possibly
  • perform a standardized upgrade
  • fix existing client issues preventatively
  • provide your users with a predictable Notes experience
  • PREDICT the impact of server based changes on your user population
    • think about a server consolidation including icons/bookmark/replicator page changes, location/connection document updates

• How do YOU deal with this situation?


Quotas

• Should be implemented in conjunction with archiving if mail files are larger than 1GB
  • Those take up a disproportionate amount of server resources
    • Typically users will ignore quota warnings so be prepared to adjust these limits frequently
  • Mail files get easily corrupt if they are too large
    • The more writes to a database/views the greater the chances of getting corruption
  • Be sure to set quotas on all clustered servers as these settings don’t replicate
    • Can be done via a Desktop Settings document


Inbox Management

• Too many items in your Inbox can corrupt it or stop new mail from being delivered to the Inbox
  • Refresh the view indexes on the server-based mail file via an updall
  • Or have the user press Ctrl+Shift+F9
• A large inbox can also make Notes appear slow, especially in iNotes
  • Use a Mail Settings document to deal with this


Unread Marks

• Users often complain of not having unread marks synchronized after failing over to another cluster server
  • Enable the Replicate unread marks feature
    • Located on the Advanced property of database
  • Select Replicate unread marks
    • Over clustered servers
    • Or all servers


Archives

• If you don’t allow users to grow their mail files very large, you have to provide them with another way to store their data
  • Don’t force your users to spend time on cleaning up their mail, that’s not what they were hired to do
• Local archiving is almost never the way to go
  • Prevent this via a policy and use server to server archiving instead
    • Then lock down the archive settings altogether


DAOS to Help with Mail File Size

• It won’t help users with their quota but it will save up to 40% disk space
  • Domino Attachment Object Storage
  • Use the DAOS estimator tool to find out how much space this could save you
• DAOS collects all shared copies of the same attachment and saves it in a central repository
  • This is transparent to users
  • Requires far less back-up time
  • Less writes to your disks means less chances for corruption
    • In addition to faster servers


Notes Mail Security

• Sign Sent Mail and Encrypt Sent Mail
  • Works natively between Notes users, requires x.509 certificate when used with other mail users
• Encrypt saved mail and Encrypt incoming mail
  • Uses the active user ID to encrypt, which means nobody else can read mail
    • Including admins!


Notes Mail Security (cont.)

• Private folders
  • Show in the mail file but encrypted with the users’ ID
  • This information is lost if the user ID is lost
• Database encryption
  • Uses the user’s ID to secure local data so it cannot be read even if the laptop gets stolen
  • Can be set manually on the application properties tab or forced with a desktop Settings policy


Automated Local Application ODS Upgrade

• New to 8.5.2 is the ability to automatically upgrade local client databases to ODS 51
  • Create a desktop policy setting document
    • Set preference on the Mail tab

• Requires Create_R85_Databases=1 to be deployed to clients


Managed Replicas — New to 8.5.2

• Local replicas are created in the background and users are switched over automatically
  • Requires existing replication schedule and bandwidth!


Managed Replicas — New to 8.5.2 (cont.)

• If the managed replica requires a fixup to be run, users will be switched over to the server mail file
  • Still requires network connectivity but forces users to work off local when possible
• If managed replicas get corrupt, they will be deleted and re-created
  • I’m told, have not actually seen this happen
• Be careful though!
  • Managed replica feature isn’t aware of Citrix or low bandwidth environments


Mail File ACLs

• Get set originally when the mail file is created
  • And is based off the Access Control List (ACL) of your mail template
    • Add entries with brackets to your template ACL so new databases inherit those. Example [LocalDomainAdmins]
• Users required Manager in previous versions to cope with Out Of Office agents
  • Now Editor is sufficient and HIGHLY desirable
    • Editors can’t lock you out of the ACL nor delete their own mail file
• Admin rights are not required if you use Full Access Admin
  • Users may not understand why all admins can “read” their mail


Mail File ACLs (cont.)

• Require an admin server listed in order to properly work with renames
  • Advanced tab of the ACL, should be set to the home server


Mail File ACLs (cont.)

• Mass modifying mail file ACLs is easy: File – Select All – Manage ACL
  • This will help with server, admin, and admin server access
    • Don’t forget to change your template ACLs if you want to change global mail file rights for future users
• Changing individual ACL entries is a bit more tricky
  • Requires manual one-by-one intervention
  • There’s a great tool on Paul Mooney’s site
    • www.pmooney.net/resources


ECLs

• Grants other entities rights to execute code on your workstation

• Resides on each Lotus Notes client
  • Like preferences they are machine-specific
• Gets populated upon first launch of the Notes client based on the Admin Execution Control List (ECL) in the Domino Directory
  • User Actions – Edit Admin ECL to modify this


ECLs (cont.)

• Especially if you are coming from an “unmanaged” environment, you need to use policies to manage current and future users
  • Use a Security Policy to update the default ECL
• Make sure your servers are listed in the ECL
  • Groups cannot be added
    • Technically speaking they can but only Certifier IDs and User IDs will get honored


ECLs (cont.)

• Create an internal signing ID you use to sign and deploy all code
  • That way you’re not dependent upon any one person
    • Then only untrustworthy people will set off the alarms!
• What you want to avoid is anyone ever getting ECL warnings
  • It’s scary and not very user friendly
    • Please tell your support staff not to instruct users to click the last option here


Certifiers

• Physical certifiers should:
  • Be kept in a safe and NOT on a shared drive on the network
    • Too many people have access otherwise
  • Require multiple passwords to use
• Use the CA process to upload your certifiers to your server instead
  • Grants rights to use the uploaded certifier
  • Doesn’t require access to the physical cert.id
    • Look at help topic “CA Process” for more information
• Keep in mind that once you hand out an ID/certifier, you can never take it back
  • Use certificate/key rollover and certificate checking to ensure former admins no longer can use certifiers


ID Management

• The following native Notes tools can help manage IDs and certifiers:
  • AdminP
    • Does renames and re-certifications
  • Certification Log
    • Keeps track of all that
  • ID Vault
    • Is a self-service repository for user IDs
  • ID Repository
    • The pre-Lotus Notes and Domino 8 way to reset passwords
  • Domino Directory
    • Can hold IDs but may be a security risk to have them here


User IDs

• Should NOT be kept on a shared drive
  • All of IT doesn’t need to be able to impersonate users
• Should NOT have standard passwords
  • See above, this is a huge security risk and then add all users to the list of people able to impersonate others
• If on Lotus Notes and Domino 7 or below, use an ID Recovery database to store user IDs
• If on Domino 8, keep these in a vault and set up ID Vault instead
  • Will make your password and ID management duties MUCH easier


ID Vault

• Collects and stores current copies of existing IDs with the current password in an encrypted database
  • Lost/missing IDs are downloaded from the vault automatically
    • The user’s current password still works = seamless
• Allows password resets if forgotten
  • Use ID Vault – Reset Password to immediately change the password of the user’s ID in the vault
    • Use random passwords for added security


ID Vault (cont.)

• After 10 tries at the user ID password from the vault the user gets locked out requiring an admin password reset
  • Look at log.nsf – Vault Security Log for this activity
• Requires a Security Settings document to apply to all users
  • See help topic ID Vault for more information


Password Management

• Use a Security Settings document to control:
  • Password Quality Settings
  • Expire passwords
  • Password checking
    • When users enter their password to open the User ID file, the password must match the current password stored in the Person document or they will not be authenticated
    • Has to be enabled on both the client and the server
  • Update Internet password when the Notes ID password changes
    • This is especially helpful to keep Sametime/iNotes passwords in synch


Password Checking

• Enabled on the Server – Security tab

• Won’t allow users to authenticate if they don’t provide the last valid password
  • Effective especially when implemented in conjunction with password expiration and public key checking
• Also allows you to lock out users with a click of a button
  • Although as soon as you delete the person document, this goes away


Public Key Checking

• Enabling public key checking prevents users not listed in the Domino Directory from authenticating
  • Compares the public key in the person document to that of the ID file and doesn’t grant access to the server if no match
    • Make sure you LOG mismatches before enabling this
  • Prevents stolen IDs from authenticating if the legitimate person’s User ID has been recertified
  • Prevents cross-certification from working


Compress Port Traffic

• Compressing TCPIP traffic on both the client and the server side will allow your environment to communicate faster
  • Done on the client via a Desktop Settings document
  • Done on the server via the Server – Ports – Manage Ports tab


Notes Takes “Forever” to Open

• Several causes for this issue
  • The user starts the workstation from a cold boot
  • Login scripts are still running or taking inventory
  • Windows and anti-virus apps are still loading
  • Notes is launched and takes fooooorreeeeeveeerrr…
• The solution?
  • Buy more RAM and faster hard disks - OR -

• Use the 8.5.2 Notes pre-loader when installing clients


Cluster Failover

• Transparent in version 8.5.2 and above, can be set via policy
  • Desktop Settings – Mail – Client Settings
• In earlier versions, implement HidePromptFailoverInc=1 to hide the error message below
  • Tip: pmooney.net Error customization tool


Roaming

• Allows users to roam their bookmarks.nsf, Notes ID, names.nsf, journal.nsf, localfeedscontent.nsf, workspace (in 8.5.2) and Eclipse plug-ins and settings (roamingdata.nsf)
  • Feeds and plug-in information requires 8.5 clients


Roaming (cont.)

• Upgrade/downgrade users to roaming users via the Admin client
• New 8.5.2 roaming policy allows for greater customization


Resources

• Upgrading multiple local databases to a new ODS
  • www-01.ibm.com/support/docview.wss?rs=899&uid=swg21429889
• Customizing mail quota warning text using an INI setting
  • http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin85.doc/H_CUSTOMIZING_MAIL_QUOTA_WARNING_TEXT_USING_A_NOTES_INI_FILE_SETTING_STEPS.html
• Disabling and re-enabling Notes roaming users on the fly
  • www-01.ibm.com/support/docview.wss?rs=0&q1=Disabling+and+re-enabling+Notes+roaming+user+status+on+the+fly&uid=swg21424754&loc=en_US&cs=utf-8&cc=us&lang=en
• Paul Mooney’s Blog
  • www.pmooney.net/resources


Resources (cont.)

• Using a Desktop Policy to set Notes.ini and Location parameters
  • www-01.ibm.com/support/docview.wss?uid=swg21196837
• Lotus Notes pre-installation checklist
  • www.ipi.org/help/help8_admin.nsf/f4b82fbb75e942a6852566ac0037f284/71db25fc74354ee8852572fa004e28e0?OpenDocument
• Automating client installation using a silent install
  • www.ipi.org/help/help8_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/3ccb28c079e9da3a852572fa004e2a3d?OpenDocument
• Tips and tricks for troubleshooting Notes Smart Upgrade issues
  • www-10.lotus.com/ldd/dominowiki.nsf/dx/tips-and-tricks-for-troubleshooting-notes-smart-upgrade-issues
• Training and Education
  • www.waresource.com


In Summary...

• Understand your client landscape before making changes/upgrades so the effect of server side changes can be predicted

• Use policies and other native tools to help control clients but be aware of their shortcomings

• Stay on top of new features, such as ID Vault, DAOS and managed replicas to see if they are a fit in your environment

• Train your users as much as you can to help them cope with all their IT tools, including Lotus Notes

• The more Notes client issues you can proactively fix and standardize, the happier and more predictable your users’ experience will be. Plus, less support calls is nice
