Arizona State University
Windows Networking User Group




Meeting Notes for February 6, 2003

    Exchange Migration - Ron Page and Nate Wilken
    Nate started out explaining the functions of the WMAC team within IT and the University.

    Plan was to do a swing upgrade as opposed to an in-place upgrade – i.e. install a new server, move mailboxes from an existing server to the new server, decommission the old server, rebuild it, etc. This was chosen because of the problems with doing an in-place upgrade.

    Original timeline – Preparation of servers over the winter break; Begin mailbox moves after Jan. 1st. The project team really started tackling all of the project tasks at the end of last summer.

    What has taken place – Data from Exchange 5.5 needed to be moved to the Active Directory. First the Active Directory Connector was installed, and then the ADC agreements. The mailbox moves could then begin. Mailbox moves, overall, went smoothly for the first server to be moved. Four Exchange servers had to be moved. Name change from MAINEXx to EXx. Outlook Web Access has changed – Exchange.asu.edu is the new address for the web-based application.

    Public folder replication was the next task addressed. Public folders still exist on MAINEX1, but a replica was made to the new server that is handling this (EX5). If anyone is having problems with public folders that they own, please let the WMAC team know. Permissions seem to be the main cause for most of the problems with public folders.

    What’s left – get rid of old MAINEX1. This server has all of the suspended mailboxes, which need to be removed; all of the bridgehead services need to be rehomed (site connectors); upgrade the MAINEXSTU1 server and the West campus Exchange environment. The directory sync software needs to be rewritten to update the AD attributes. Move the internet mail service to Exchange 2000.

    Current state – 5 Exchange 2000 servers, two Exchange 5.5 servers. Due to the problems that started to occur with MAINEX1, several steps are being taken to move up the tasks involving MAINEX1. There were still performance issues – bottleneck with the client.

    Suggestions – Traces of the old server names remain in the registry; these need to be changed to the new server names. These are found in the registry profile. It is suggested that you delete the current profile and then recreate the profile for Outlook. If you’re recreating the profile for a home machine, you need to put the fully qualified DNS name for the Exchange server (not just EX1) – ex1.asu.edu. Calendar shortcuts – looking at other people’s calendars – if you’re using a shortcut for this, recreate it because the shortcut may be pointing to the old Exchange server address.

    Public folder permissions lists can contain membership for mailboxes that no longer exist. Distribution list replication – a one-way connection agreement (5.5 to 2000 only) was originally implemented. It is now a two-way replication. Changes made will be maintained now (with one-way, manual changes were being lost).

    Steps still underway to improve performance – remove MAINEX1; memory adjustment on the servers (done last night); free/busy data master is now on EX5 (done last night); ASURITE GC servers will have a memory upgrade. MBA Exchange server will be upgraded on 2/20. Site replication service can be stopped after that.

    Questions and discussion:

    • Destination address for EPO accounts will remain; DNS alias will be maintained.
    • Spam filters: We do not filter spam.
    • Caution on redoing the profile – deletes nicknames, etc.
    • Free/busy settings – 12 months every 15 minutes.
    • Still having problems with Eudora clients configured against POP not sending/receiving mail attachments. It appears in some cases that there is an incompatibility between MS POP and Eudora POP formatting. Users experiencing these problems should document the following: what client/platform sent the message; what client/platform received the message; whether the problem can be replicated on other systems.

    ECA Upgrades/Stabilization - John Babb

    Goal is to address how to make computing in ECA/ECB easier to debug, understand, etc. Weekly meetings to discuss how to improve computing have been set up with Data Comm and IRIS representatives. Semester startup will be taken into consideration, especially due to the problems that occurred at the beginning of this past semester. The group is focusing on addressing flexibility and responsiveness to problems in ECA/ECB. Upgrades are long overdue. Spring semester problems raised the level of concern to the point that funds were allocated from the Provost and President’s office.

    First portion of the upgrade – border firewall upgrade

    Next part of the upgrade – upgrade two 5500 Cisco routers in ECA to 6500 Cisco routers; other routers

    Upgrade of the firewall software

    What happened first day of classes – BAC breaker went out. Two load balancing boxes that are before the DMZ firewall failed. Were able to upgrade the DMZ firewall to Nokia CheckPoint. Currently, the firewall is doing its own load balancing without using the DMZ.

    Want to have the ability to isolate the applications by platform in ECA – such as isolating Microsoft networks, BlackBoard, etc.


    John indicated that they are trying to get a second shift established for coverage of myASU.

    Continue to come back to WNUG & CCC to give updates.

    VPN/Firewall Update - Dave McKee and Jack Hsu

    Border router upgrade – or as Dave put it “What We did on our Winter Vacation”

    7513 routers – one for Aspin; one to internet service providers.

    Received funding for upgrading the complex

    Replaced DMZ gateway with a 6500 router (Aspin gateway); converted the ASU gateway (talks to ISP) – combined into one box. Two boxes on the inside – replaced the box that talks to all of the external ASU customers; replaced another box that handles ASU. Four boxes were consolidated into the two.

    Another router has been placed between outside router and firewall – new DMZ.

    Firewall is currently on a fail-over service; in the future, implement a DMZ.

    Split traffic between ResLife

    Firewall is designed to protect the inside of ASU. Firewall is not set up to handle a hacker from the inside trying to go through it to get out. This compromises the firewall. Jack stressed the importance of making sure all workstations and servers we are responsible for have all the latest service packs and patches applied. Keeping machines patched is the biggest defense.

    Discussion:

    • Suspicious activity – ports will be turned off. ARS tickets are produced; the sooner you can get suspicious workstations/servers off the network, the healthier the network will be.
    • Hacking activity originating from ASU – hard to tell; compromised machine could be sending out the information but was hacked from some place else.
    • If we get ARS tickets back indicating that something is resolved, and it wasn’t, it can be sent back to the Help Desk to be reopened.
    • Joe indicated that Packeteer has been updated to track and classify traffic that might be a result of firedaemon hacking. It helps manage the bandwidth better, but it unfortunately prohibits DC from determining where the workstation is that’s being used as the broadcast server. They will continue to look at Packeteer to see if it has some other features that might be able to be used.
    • VPN has not been turned on. CheckPoint has been loaded, but more testing still needs to be done. It will be turned on gradually.

    Update on COX - Robin Manke-Cassidy

    They haven’t done anything yet. Once they do, you need to get on the VPN. New version of CheckPoint software will be made available after it has been tested and the server side changes have been made.

    Put a personal firewall on personal machines before using the VPN. The software CD that will be distributed will have the VPN software, firewall, and antivirus. Information on setting up a VPN and securing a home workstation can be found at http://www.asu.edu/comm and http://www.asu.edu/security



   
  Updated February 8th, 2005