Small Business: Implementing GroupWise® 6
Novell BrainShare 2002, session TUT125
  Eric Raff, Designated Support Engineer, Novell, Inc. (eraff@novell.com)
  David Crowther, Novell Small Business Manager (dcrowthe@novell.com)

Vision…one Net
  A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
  To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Novell Small Business Suite 6: What Do You Get in the Box?
  NSBS 6 pulls together everything you need to make things happen
  It’s a full-service bundle that instantly transforms your business into a fully-networked powerhouse
  50-user maximum
  Two server licenses
  NetWare® 6
  ZENworks® for Desktops 3.2
  Partner applications
  BorderManager® 3.6
  GroupWise® 6
  [Figure: NSBS 6 Sample Configuration]

Novell Small Business Suite 6: What Do You Get in the Box? (cont.)
  Novell NetWare® 6
    Novell iFolder™ instant access to data from any location
    iPrint—Internet printing
    Native file access for Windows, Mac, and UNIX
    NetWare Remote Manager and NetWare WebAccess
    Novell eDirectory™
    Two NetWare 6 server licenses in the box
  Novell GroupWise® 6
    E-mail, calendar, scheduling, and document management
    Wireless device support
  Novell ZENworks® for Desktops 3.2
    Full version
    App distribution, management, and recovery
    Workstation imaging and inventory management
  Novell BorderManager® Enterprise Edition 3.6
    Firewall, proxy/cache, remote access VPN services
  Novell Small Business Tools and Enhancements
    Simplified install
    Novell Easy Administration Tool (NEAT)
    Novell Internet Connection Expert (NICE)
  Partner products
    Tobit FaxWare
      Electronic faxing from the desktop
    Network Associates NetShield and VirusScan
      Server and desktop virus detection and recovery
    FatPipe Internet
      Modem pooling for a faster Internet connection

Introduction
  High-level architecture of GroupWise®
  GroupWise install and configuration
  GroupWise Client install and configuration
  Expanding a GroupWise system
  GroupWise Internet Agent (GWIA) install and configuration
  GroupWise WebAccess install and configuration
  GroupWise Remote Access options
  GroupWise tips and tricks
  GroupWise best practices

High-Level Architecture of GroupWise
  GroupWise is administered through ConsoleOne®
  GroupWise maintains its own directory store
    Directory store is fully replicated
    Administration point is the Domain database (WPDOMAIN.DB)
  GroupWise system components
    Domain (WPDOMAIN.DB)
      Message Transfer Agent (MTA)
      Various gateways (GWIA, WebAccess, fax)
    Post Office (WPHOST.DB)
      Post Office Agent (POA)

Basic Layout of GroupWise System
  [Figure: ConsoleOne GroupWise view, with callouts]
  Drop-down list acts as filter for domains, MTAs, post offices, POAs, gateways, libraries, distribution lists, resources, nicknames, and users
  GroupWise Gateway (GWIA)
  GroupWise Domain
  GroupWise Post Office

GroupWise Client Install and Configuration
  GroupWise 32-bit client runs on Windows platforms (Win95, 98, ME, NT 4, 2000, XP)
  Install is initiated by running SETUP.EXE from Client\Win32 directory of the GroupWise software distribution directory (SDD)
  Can be installed to local machine or run from a network location with minimal code on workstation
  Auto Update Algorithm allows the client to automatically be updated when newer versions are released

GroupWise 6 Client Modes
  Online
    Data store is on server
    Client has a persistent Client Server (C/S) connection to the Post Office Agent (POA)
    Mail is sent and received immediately
  Cache
    Data store is on the local hard drive
    Client does not maintain persistent connection
      Implies that a connection is readily available to the POA
    Mail is sent immediately, and received every ten minutes by default
  Remote
    Client is considered out of office
    Mail is sent and received only when a send/receive is issued or scheduled
    Connection options are Internet access or dial-up access

Switching Client Modes
  Switching to or from online mode requires GroupWise client restart
  Switching between Cache and Remote mode does not require restart
  Tip: Cache and Remote can and should share the same message store
  [Figure: drop-down list of available client modes]

GroupWise Client Options
  Allow administrator to set global settings that affect all users at the Domain, Post Office, or User level
  Can be locked down by the administrator
    Doing this prevents end users from modifying their client options
  Are accessed by highlighting the Domain, Post Office, or User from the GroupWise View
    Then right-click and select GroupWise Utilities|Client Options

Some Available Client Options
  Environment
    General—allow shared folder creation, check spelling before send, allow use of POP and IMAP accounts, etc.
    Client Access—full vs. limited licensed accounts, client access mode, etc.
    File Location—archive path, custom views path
    Cleanup—delete mail after X days, allow purge of items not backed up, etc.
  Send
    Sent options—wild card addressing, allow use of reply to all rules, allow use of “Internet Mail” tracking, etc.
    Mail, Appointment, Task, Note—status tracking, sent items, etc.
    Disk Space Management—limit size of mailbox, size of sent item
  Date and Time
    Calendar—include myself when sending appointment, month display options, work days, work schedule, show week number
    Busy Search—days to search, range and time to search, etc.

Expanding a GroupWise System
  Installing additional Domains and Post Offices
  Installing GroupWise Internet Agent (GWIA)
  Installing WebAccess gateway

Installing Secondary Domain and Post Office
  Creating secondary domain provides level of fault tolerance
  Add secondary domain to host various gateways in the GroupWise system
  Review Link Configuration after domain is created and verify that domains communicate over TCP/IP
  Create additional Post Offices for political as well as technical reasons
  Verify that Post Office links are IP from both Domain and POA perspective
    F10 | Configuration status from MTA
    F10 | Message Transfer Status from POA

GroupWise Internet Agent (GWIA)
  Provides the ability to send and receive Internet mail
    Takes GroupWise proprietary formatted mail and converts it to SMTP format
    Can then deliver mail to destination Internet host
    Also takes inbound SMTP mail and brings it into the GroupWise system for delivery by the MTA and POA
  Allows POP3 and IMAP4 clients to connect to it
    Facilitates the retrieval of GroupWise e-mail from any POP3 or IMAP4–compliant client
  Can act as an LDAP server to respond to LDAP requests
    This allows LDAP clients to query GWIA to find names, phone numbers, and e-mail addresses of GroupWise users
  Can run on either a NetWare or NT platform

Prerequisites to Installing GWIA
  GroupWise Domain installed and functioning
  Access to the Domain database from GWIA server
  Access to Novell eDirectory™ while installing GWIA
  Prerequisites to sending Internet mail
    Dedicated Internet connection or dial-up access
    Registered DNS name and IP address*
    In-addr.arpa entry should exist for the domain name*
  Prerequisites to receiving Internet mail
    Registered DNS Name with corresponding Mail Exchange (MX) record(s)
  * Not a must to send; must have in place if destination is doing reverse DNS lookups on sending SMTP server

Example of Mail Exchange Record

    C:\>nslookup
    Default Server: ns2.novell.com
    Address: 137.65.1.2
    > set type=mx
    > novell.com
    Server: ns2.novell.com
    novell.com MX preference = 10, mail exchanger = prv2-mx.provo.novell.com
    novell.com MX preference = 20, mail exchanger = cpl-mx.novell.nl
    novell.com MX preference = 5, mail exchanger = prv-mx.provo.novell.com
    novell.com MX preference = 5, mail exchanger = prv1-mx.provo.novell.com
    novell.com nameserver = NS1.WESTNET.NET
    novell.com nameserver = ns.novell.com
    novell.com nameserver = NS.UTAH.EDU
    prv2-mx.provo.novell.com internet address = 192.233.80.18
    cpl-mx.novell.nl internet address = 195.109.215.67
    prv-mx.provo.novell.com internet address = 192.233.80.8
    prv1-mx.provo.novell.com internet address = 192.233.80.9
    NS1.WESTNET.NET internet address = 128.138.213.13
    ns.novell.com internet address = 137.65.1.1
    NS.UTAH.EDU internet address = 128.110.124.120
    >

  From an NT class workstation you can issue the C:\>nslookup command to perform a DNS lookup
  Tip: the command >server 137.65.1.2 (name or IP of DNS server) points the query to a different DNS server

Internet Connectivity Options
  In order for GWIA to send and receive Internet mail, it must be able to access the Internet
  You have two options for this Internet connectivity
    1. Always-on broadband connection (DSL, cable modem, ISDN, fractional T1, T1 line, etc.)
    2. Dial-up access through an ISP

Broadband: Always-on Connection
  Receive static IP address(es) from ISP
    Can be assigned to the broadband firewall/router, then use Network Address Translation (NAT) to facilitate Internet connectivity from all machines in the network
      Must set up a static NAT on firewall that will take all data on port 25 from the public address, and send it to the IP address of the server where GWIA is running
    This IP address can be assigned to the NetWare server, which will act as the firewall for your organization
  Register DNS Name that points to this static IP address
  Enter an MX record for your registered Domain name

Dial-up Internet Access
  Enter MX record with highest preference (lowest number) that points to static IP address that GWIA will use
    When Internet connection is up, in-bound mail is sent directly to GWIA
  Enter MX record with second-highest preference that points to ISP Extended TURN (ETRN) server
    ISP will queue inbound mail for your company on their server when the GWIA is not up and active
  Configure NetWare 6 server to dial ISP
    Can use the NICE utility from within NEAT

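The MX layout described for dial-up sites (GWIA at the lowest preference number, the ISP's ETRN queue behind it) can be checked from the same kind of nslookup output shown in the Mail Exchange Record slide. The Python script below is an added example, not part of the original presentation; the host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed nslookup output for a dial-up site (documentation names and
# addresses, not captured from a real server).
SAMPLE = """\
> set type=mx
> example.com
Server:  ns.isp.example
example.com  MX preference = 20, mail exchanger = etrn.isp.example
example.com  MX preference = 10, mail exchanger = gwia.example.com
gwia.example.com  internet address = 192.0.2.25
etrn.isp.example  internet address = 198.51.100.7
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)\s*$", re.M)
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)\s*$", re.M)


def parse_mx(text):
    """Return [(preference, exchanger)] in the order sending hosts try them."""
    records = [(int(p), host.lower().rstrip(".")) for _, p, host in MX_RE.findall(text)]
    return sorted(records)  # lowest number = highest preference


def parse_addresses(text):
    """Map each host listed with an 'internet address' line to that address."""
    return {host.lower().rstrip("."): ip for host, ip in A_RE.findall(text)}


def check_dialup_layout(text, gwia_host, isp_host):
    """List problems with the 'GWIA first, ISP ETRN queue second' MX layout."""
    mx = parse_mx(text)
    addrs = parse_addresses(text)
    pref = {host: p for p, host in reversed(mx)}  # lowest number wins on duplicates
    problems = []
    if gwia_host not in pref:
        problems.append(f"{gwia_host} is not listed as a mail exchanger")
    if isp_host not in pref:
        problems.append(f"{isp_host} is not listed: nothing queues mail while the link is down")
    if gwia_host in pref and isp_host in pref and pref[isp_host] <= pref[gwia_host]:
        problems.append(f"{isp_host} (preference {pref[isp_host]}) is not behind {gwia_host}")
    for _, host in mx:
        if host not in addrs:
            # nslookup may omit addresses; treat this as a prompt to query the host directly
            problems.append(f"no address record returned for {host}")
    return problems
```

An empty list from `check_dialup_layout(SAMPLE, "gwia.example.com", "etrn.isp.example")` means inbound mail goes to GWIA whenever the link is up and falls back to the ISP queue otherwise.
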
Installing GWIA
  GWIA is installed by running INSTALL.EXE from the GroupWise Software Distribution Directory\Internet\gwia directory
  What is a Relay Host?
    GWIA can be configured to use a Relay Host
    A relay host is simply another SMTP agent to which GWIA will send all of its outbound Internet mail
    Does not deliver mail to the recipient’s SMTP server, but simply hands everything to the Relay Host

Configuring Dial-up Settings
  When using a dial-up connection to the ISP, you will need to configure the GWIA to use this dial-up session
  Configure GWIA to connect to ETRN server under Dial-up Settings
  Configure GWIA to send and receive via profiles under Scheduling
  Configure GWIA to use /MH switch to send all outbound mail to ISP
  Mail is received from ISP only when “Polling Interval” threshold is met

GWIA Scheduling Settings
GWIA Profile Settings
  GWIA will send mail only when any of the Queue Thresholds are met
  GWIA will retrieve mail only on the Polling Interval—not when a Queue Threshold is met and it dials to send

Access Control Options on GWIA
  You can set up access control options on GWIA to limit what services are available (POP, IMAP, SMTP in and out) to a wide variety of users or groups
  Properties of GWIA | Access Control | Settings is where these levels of access control are administered
    Create profiles that contain the access
    Associate users or groups to specific profiles

Access Control Settings
  [Figure: Access Control settings page, with callouts]
  Class of Service
  Services that can be enabled or disabled
  Exceptions to the membership of this profile

Antivirus Options for GroupWise
  GroupWise message store is encrypted and compressed data
    As of today, no product will find viruses in GroupWise message store
  GroupWise Antivirus Agent (GWAVA), www.beginfinite.com
    Works at the MTA level only
    Allows scanning of viruses between domains
    Allows attachment type and size filtering
  Guinevere, www.openhandhome.com
    Works at the SMTP level
    Allows all inbound and outbound Internet mail to be scanned via standard desktop antivirus software
    Allows disclaimer to be added to all outbound Internet mail
    Save all inbound and outbound mail for legal or archiving purposes
  See February 2002 issue of NetWare Connect magazine for additional information, www.nwconnect.com

GroupWise WebAccess
  A GroupWise gateway that allows users to access their GroupWise mailbox and documents from any browser
  Supports many different devices and browsers, including cell phones, Palm OS devices, Windows CE devices (iPaq, Jornada, etc.)

Components of WebAccess
  WebAccess application
    Runs on a web server as a Java servlet
    It is responsible for interacting with the various web browsers that are used to access the mailbox
    Communicates with the WebAccess Agent
  WebAccess Agent
    Runs on NetWare or NT platforms
    Is responsible for retrieving user’s mail from the message store and can be thought of as a “client”
    Is responsible for rendering attachments when viewed from a browser

Installing WebAccess
  Installing WebAccess on NetWare 6 requires a few manual steps
    NetWare 6 uses the Apache Web Server with the Tomcat Servlet Engine by default
    Procedure is outlined in Novell TID 10067255, Configuring GW6 SP1 WebAccess on Apache Web Server and the Tomcat Servlet Gateway

Configuring the WebAccess Application
  After WebAccess application has been installed, you can administer it by going to the details of the eDirectory objects that were created during the install
    These objects are located in the eDirectory Tree view and by default are created under the Domain object
  Items of interest you can configure
    Timeout value for WebAccess sessions
    Log-out URL that users are sent to after logout

Configuring the WebAccess Agent
  Select to view gateways from GroupWise view in ConsoleOne
  Next, go to details of the WebAccess agent
  Items that can be configured here
    Number of threads the agent will use to process requests
    Encryption key used to encrypt data sent between agent and application
      Tip: if multiple agents have been installed, this encryption key must be the same for each agent
    Access control settings
      Can restrict who has access to the WebAccess gateway

Securing WebAccess
  WebAccess must communicate with a browser of some sort
    It may be desirable to encrypt this data with SSL encryption
  To configure the Apache WebServer to use SSL you must edit the HTTPD.CONF file found in the SYS:\Apache\Conf directory
  Look for the line

    <IfModule mod_tls.c>
    SecureListen 443 "SSL CertificateIP"
    </IfModule>

  This line tells Apache to use the certificate called SSL CertificateIP to encrypt all data across port 443
    This is the name of the SSL certificate as found in your eDirectory Tree
  Tip: it may be desirable to get a new SSL Certificate generated by a third party that is more universally accepted
    See TID 10050310 for how to import a third-party certificate

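A quick way to confirm that the SecureListen line described above is active and names a certificate that exists in the tree. This Python script is an added example, not part of the original presentation or of any Novell tool; the sample configuration text, the function names and the hand-supplied list of certificate names are assumptions made for illustration.

```python
import re

# Constructed HTTPD.CONF text for illustration (not copied from a server).
SAMPLE_CONF = """\
Listen 80
# SecureListen 8443 "Old Certificate"
<IfModule mod_tls.c>
    SecureListen 443 "SSL CertificateIP"
</IfModule>
"""

SECURE_RE = re.compile(r"^SecureListen\s+(\d+)\s+(.+)$", re.I)


def secure_listeners(conf):
    """Return [(port, raw_certificate_argument)] for active (uncommented) lines."""
    found = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # a commented-out directive has no effect
        hit = SECURE_RE.match(line)
        if hit:
            found.append((int(hit.group(1)), hit.group(2).strip()))
    return found


def check_ssl(conf, tree_certificates, port=443):
    """Return problems with the SecureListen setup for `port`.

    tree_certificates: certificate names the administrator read from the
    eDirectory tree (supplied by hand; this script does not query the tree).
    """
    entries = [arg for p, arg in secure_listeners(conf) if p == port]
    if not entries:
        return [f"no active SecureListen directive for port {port}"]
    problems = []
    for arg in entries:
        quoted = len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"'
        name = arg[1:-1] if quoted else arg
        # Apache splits directive arguments on whitespace unless they are quoted.
        if " " in name and not quoted:
            problems.append(f"certificate name {name!r} contains a space but is not quoted")
        if name not in tree_certificates:
            problems.append(f"certificate {name!r} is not one of the supplied tree names")
    return problems
```
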
GroupWise Remote Access Options
  POP3 access through GWIA
  IMAP4 access through GWIA
  Browser access through WebAccess
  Remote/cache client access through Live Remote MTA
  Remote/cache client access through Proxy Post Office

GroupWise 6 Tips and Tricks
  After installing GWIA, check the send and receive SMTP threads and make sure they are adequate
    Default to two send, four receive
  Use GroupWise Diagnostics to view all information about GroupWise Objects
    Helpful to identify the tie between GroupWise and eDirectory objects
  Run GWCheck utility to find GroupWise accounts that have not been used in XX days
    Action = Audit Report

GroupWise 6 Tips and Tricks (cont.)
  Back up features and fault tolerance by running in cache mode in the GroupWise client
  GroupWise Import Export utility can be used to export all users with FID
    See TID 2960897
  Enable LDAP authentication at POA level to facilitate and enforce password policies
  Set up two rules on any GroupWise resources to automatically accept or decline appointments
    See TID 10009545
  If MAPI32.DLL is smaller than 621K, you are not running the full version of Windows Messaging

GroupWise 6 Best Practices
  Develop and set up clean-up policies
    Expire reduce items older than X days
    Expire reduce items larger than X size
  Set up scheduled maintenance operations
    Structure check on user and message databases nightly
    Contents check on user and message databases once per week
  Always try to use TCP/IP connections throughout the GroupWise system

GroupWise 6 Best Practices (cont.)
  Enable Internet addressing on new installs of GroupWise
  Do not scan domain or post office directories with antivirus software
    GWAVA is the only solution that facilitates virus scanning inside the GroupWise system
  Have users run in cache mode whenever possible
  For more information
    BrainShare session TUT224—GroupWise 6 Deployment and Best Practices