Information Technology at Emory Academic and Administrative IT Client Technology Services IT Briefing Agenda 12/15/05 MS Campus Agreement Exchange Update

Information Technology at Emory

Academic and Administrative ITClient Technology Services

IT Briefing Agenda 12/15/05

• MS Campus Agreement

• Exchange Update• VeriSign Certificates• Remote Access (f5)• it.emory.edu update• NetCom Q&A

• John Ellis

• John Ellis • Jay Flanagan• Jay Flanagan• Karen Jenkins• Paul Petersen


Emory Email Strategy

Draft12/2/2005



Rationale for Current Direction

• EmoryLink report and related discussions revealed the following themes:– Learnlink and enterprise email/calendaring serve

different purposes– Strong student affection for Learnlink driven mostly

by conferencing features; no products that can currently replace Learnlink at comparable $

– Desire for a more enterprise quality email solution for the administrative layer of the institution

– Preference for freedom of choice in email clients by faculty



Recommendation• A robust Learnlink offering for all students and for those faculty that

wish to use it• For those faculty that only want email, the freedom to choose any

email client (e.g., Eudora, Thunderbird, Outlook Express) on multiple platforms (e.g., PC, Mac, Unix, Linux) by taking advantage of the exposed IMAP or POP services on an Exchange server

• For faculty that want email and scheduling, a variety of centrally supported, feature rich clients:

– PC: Outlook, Outlook Web Client (Explorer, Firefox)– Mac: Entourage, Outlook Web Client (Safari, Firefox)– Linux: Evolution, Outlook Web Client (Firefox)

• For administrative staff, a mandated set of options– Outlook (PC) or Entourage (Mac) for local access– Outlook web client for offsite access

• For faculty/staff that spend time in the Healthcare setting– A HIPAA/PHI certified Exchange/Outlook solution that is offered on

the Healthcare Virtual Desktop (VDT)


Learnlink



A Robust LearnLink -Initial Steps

• Infrastructure will be hardened to support growth (need more specifics here)

• LearnLink will be considered a Tier I enterprise application

• LearnLink will continue to be accessible via a client, web interface, POP, or IMAP

• Migration of content from Eagle Mail clients will be accomplished by client-side action



A Robust LearnLink - Longer Term Changes

• Move infrastructure to a highly available Blade Architecture

• Evaluate options for linking Learnlink with University’s standard directories (LDAP/AD)

• Streamline backups with EMC Replication Manager • Move core server & gateways from Windows to Linux• Adopt upcoming Releases

– 8.1 Enhanced workflow, customization, and application support

– 8.2 Enhanced User Interfaces (client & web)– 8.3 Enhanced Mobility Support (BlackBerry, PocketPC,

Symbian, SyncML)– 9.0 Compliance and Archiving



LearnLink Core Server(FirstClass 8.0)

`

LearnLinkInternet Services

Web Gateway(HTTP, IMAP4)

LearnLink (FirstClass) InfrastructureEmory University

LearnLink(FirstClass 8.0)Client Interface

Web Client Interface(www.learnlink.emory.edu)

`

EMC SAN Storage

INTERNETWWW

`

IMAP Mail Client(imap.learnlink.emory.edu)

`

POP Mail Client(pop3.learnlink.emory.edu)

PO

P3

LearnLinkInternet Services SMTP Gateway(SMTP, POP3)

SMTP Services (OutBound Mail)(smtp.services.emory.edu)

Mail Relay Server(InBound)

Connects via TCP/IPInternet/Local

Networks


Exchange



Why MS Exchange?

• Despite the real and/or perceived issues with Microsoft, there is significant demand for the feature rich, widely utilized Exchange/Outlook combination. If we don’t offer this service centrally, units will continue to adopt it and will be forced into supporting it locally, at higher cost

• Market leader, and growing in market share (57% in 2005)

• Messaging server most supported by 3rd party vendors (mobile devices, unified messaging, compliance, retention, archiving)

• The licensing costs of Exchange and Outlook are already covered as part of our new Microsoft site license

• Although security is a valid issue, we believe it can be managed with an appropriate design and mix of 3rd party products



Exchange Security• All client communications restricted to Front End Servers

– RPC over HTTPS communications (SSL Encryption)– OWA (SSL Encryption)– IMAP / POP3 / SMTP (authenticated / SSL / TSL)

• ISA (Internet Security and Acceleration) Proxy Servers– Protects Front End server services – Moving from ISA to an appliance-based firewall solution

• Outlook 2003 – native support for personal key individually encrypted messages

• Native Microsoft Database Encryption • Symantec Antivirus protecting servers and Symantec Mail

Security protecting Exchange Mail and Databases• GFI Mail Essentials marking Spam



Expansion Plan

• Current Exchange infrastructure will be expanded to support 6,000 Outlook email/scheduling clients + 9,000 email only clients (IMAP, POP, Web)– Hardware upgrades– Staffing changes– Phased, prioritized migration plan– Content migration accomplished

by client-side action



Future Architectural Changes

• Enhance spam scanning• Implement faster backup solution• Implement email archiving

– Minimize necessity for quotas– Appropriately match requirements to storage

technologies

• Evaluate Exchange 2003 SP2 mobile push features

• Link Exchange with HealthCare GroupWise servers so calendar data can be shared



Features & Funding

• Finalize feature set and policies• Finalize cost/funding model

– Goal is to stay cost neutral compared to current centralized offerings so no additional allocations will be necessary


Digital Certificates

Jay D. Flanagan




• Utilizing VeriSign SSL Global Certificates– Manage our own certificates via the

VeriSign control center– Went from 10 to 50 over a 4 year

period– Pushed all access for SSL up to 128

bit encryption– Cost $594.00




• Moving to VeriSign SSL Standard Certificates– Manage our own certificates via the

VeriSign control center– Purchased 75 certificates– Cost $175.00– Ordered 25 additional certificates

and saved 20k



Digital Certificates• More affordable for schools and

departments• Easy to request and implement• Request via the following URL:

– https://onsite.verisign.com/EmoryUniversityInformationTechnologyDivisionGlobalServer/server/index.html

• This URL can be found on the digital certificates web page at:– http://it.emory.edu/showdoc.cfm?docid

=1384&fr=1025


ClientlessSSL VPN F5 Firepass

Jay D. Flanagan



Clientless SSL VPN

• Remote Access to the Admin Trusted Core– Checkpoint’s Secure Remote Client

• Limited number of Operating Systems that can be used with

– Does not have Linux or Solaris client• Limitations and issues with MAC clients• Problems with other applications on user

machines• Problems with ISP’s (Bell South)• Manual installation of new clients• Reports of poor performance



Clientless SSL VPN

• Current VPN architecture has single points of failure

Border-a

Firewall Load Balancer

FW FW


Admin Trusted Core

VPN


DMZ



Clientless SSL VPN

• Customer Friendly tool– Easy to use with little or no manual

intervention from customer

• Usable with multiple operating systems and browsers

• Scalable to meet future expansion



Clientless SSL VPN

• Reviewed and evaluated three vendor products to replace Secure Remote– Aventail SSL VPN– Checkpoint Connectra– F5 Firepass

• Chose F5 Firepass



F5 Firepass SSL VPN• Architecture for new Firepass SSL VPN

Internet2Internet

(InterNap)

Border-a


FW FW


Academic Core


FW FW


Admin Trusted Core

Firewall Load

Balancer

DMZ

VPNP

VPNF

F5 Firepass SSL VPN



F5 Firepass SSL VPN• Go to https://vpn.emory.edu for access to the tool• Use network id and password for access



F5 Firepass SSL VPN• After logging in the user will be presented with two

options



F5 Firepass SSL VPN• Admin Core Remote Access Only – From On or

Off Campus– This option should be chosen by those users only

accessing the Admin Core • Specifically if the user is on campus

– This option can also be chosen if the user is off campus and only needs access to the Admin Core

• Emory University Remote Access INCLUDING Admin Core – From Off Campus– This option should be chosen by those users who

need to access both the Admin Core and the Academic Core

• Specifically if the user is off campus



F5 Firepass SSL VPN

• Once an option has been chosen– First time users will have a plug-in loaded

• For windows users, this will be an ActiveX control

– The plug-in is only loaded on the first login and will not be seen on future logins

• May have to download the plug-in again for upgrades or when new features are added to Firepass



F5 Firepass SSL VPN• Once the plug-in has loaded users will see the following

connection screens:

• After completing authentication this screen will automatically minimize

• Users can now do their normal remote access work



F5 Firepass SSL VPN• Firepass supports the following browsers:

– Dell® Axim, Version 4.21.1088 - Windows® Mobile 2003, Second Edition

– Firefox® 1.0.x – HP® iPAQ 4155, Version 4.20.0 - Windows® Mobile 2003, First

Edition – i-mode phone – Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0 – Microsoft® Pocket PC 2003 and Microsoft® Pocket PC Phone

Edition 2003 – Mozilla® version 1.7.x – Netscape® Navigator, version 4.7x or 7.x – OpenWave® WAP browser – Mozilla® version 1.7.x on Apple® Mac OS® X 10.2.x systems – Safari® version 1.2 on Apple® Mac OS® X 10.3.x systems – Safari® version 2.0 on Apple® Mac OS® X 10.4.x systems – Toshiba® E800, Version 4.20.1081 – Windows® Mobile™2003, First Edition – XDA® II, Windows® Mobile™ 2003 First Edition



F5 Firepass SSL VPN• Additional Benefit

– Specific checks on user machines before allowing access

• Checks include:– Windows Antivirus Checker - Enforces antivirus

protection and checks endpoint for viruses– Windows Firewall Checker – Checks presence of

firewall• Other Checks include:

– Extended Windows Information – Gets extended information about Windows OS

– Internet Explorer Information – Gets extended information about Microsoft Internet Explorer

• Admin Console



F5 Firepass SSL VPN

• Reviewing use of tool to replace current Nortel VPN– Working out the details with NetCom

• vpn.service.emory.edu

– Still several months away– More details in future Briefing



?Questions?Questions


it.emory.edu

Karen Jenkins



Goals

• Provide a new combined IT website for all three divisions– Links to other campus IT units

• Work with F&A on common template/approach for all F&A divisions

• Leverage existing content management system for near term improvements

• Research and evaluate long term enterprise scale CMS solution



Schedule/Milestones

• January

• February• TBD

• TBD• TBD

• New it.emory site with new look and combined services

• Add NetCom services• Add Healthcare

services• F&A template• New CMS



Manage IT• User Group Meetings

– Jan. 4th 2:00pm–3:30pm Kennesaw => Reporting– Jan. 17th 9:30am–11:00am Kennesaw => Training

101• Suppress notification now available• Purchased Dashboard module … can now

create more than 5 dashboards• Close on Resolution capability• Getting consultant beginning of January to

bang out some of the customization requests• Healthcare update

– Initial broad meeting (yesterday) went well– Getting quotes for licenses and consulting





NetCom Q&A

Paul Petersen



NetCom


Documents

Information Technology at Emory Academic and Administrative IT Client Technology Services IT Briefing Agenda 12/15/05 MS Campus Agreement Exchange Update