GroupWise Architecture and Best Practices: WebAccess

Kiran Palagiri, Team Lead, GroupWise WebAccess, kpalagiri@novell.com
Ed Hanley, Senior Architect, ed.hanley@novell.com
Agenda
- Kiran Palagiri
  - Architectural Changes in GroupWise 2012/2014
  - Performance and Scalability
- Ed Hanley
  - Design and Deployment Details
  - Q and A (short)
- Kiran Palagiri
  - Security
  - WebAccess Demo
  - Q and A
Goals for GroupWise 2012 and 2014
- Simplify the Architecture
- Simplify the Install
- Simplify the Administration
- Lay down the framework that would make it easy to add new features
- Easy to troubleshoot
- Create a scalable system
Revamped Architecture
- Bye Bye WebAccess Agent (a.k.a. GWINTER)
- Built on GroupWise Web Services (SOAP) API
- No more objects in Novell eDirectory
- No more objects in GroupWise Domain Database
- Simplified Install
- Created a stand-alone Document Viewer Agent (DVA)
  - The WebAccess Application talks HTTP to this Agent to convert a document
  - Multiple DVAs supported for one Application
Revamped Architecture (cont.)
- Provided a cleaner interface for third parties to integrate
- Easier to deploy
  - No more objects to configure
- Cloud friendly
  - Run multiple instances of the WebAccess Application depending on the load
Performance and Scalability
- How does WebAccess perform and/or scale in this new architecture? It does great.
- Numerous improvements have been made to the Post Office Agent to speed things up
- WebAccess uses a more optimized and tailored code path for efficient data retrieval and transfer
- Built on highly scalable Java technology
- We performed a simulation test, so let's see how it went
Performance and Scalability (cont.)
- How many users can I have on one WebAccess server?
- We had 1400 active sessions on one WebAccess server AND one Post Office Agent
- 15000+ requests processed in one hour
  - 1200+ logins
  - 5000+ messages read
  - 2200+ messages sent
  - 2000+ checked calendar
  - 660+ logouts
Performance and Scalability (cont.)
- What are some typical response times?
  - Login: 350 ms
  - Logout: 25 ms
  - Read an Item: 75 ms
  - Send an Item: 80 ms
  - Check Calendar: 75 ms
  - Read Message List: 350 ms
- webacc.cfg
  - Performance.Dump.enabled=true
  - /var/opt/novell/groupwise/webaccess/logs/performance.txt (do not keep enabled all the time)
  - exceptions.txt might also be present
Performance and Scalability (cont.)
- How much memory do we recommend?
  - Java heap limits configured as: -Xms2048m -Xmx4096m
  - We had 8 GB on the server
  - Rule of thumb: WebAccess needs 4 MB per session
- How many processors do we recommend?
  - We used a single processor with four cores
- Is WebAccess disk intensive?
  - Not really. It uses the disk only for storing attachments and temporary files
Optimizations: Built-in
- Compress the HTTP responses for faster downloads
  - A 384 KB JavaScript compressed to 35 KB (by 90%)
- Leverage the HTTP Caching headers for static content
- Leverage the HTTP Expires headers for static content
  - IIS Administrators need to add these manually
- Use Image Sprites for fewer image/icon downloads
- Minify the CSS files along with JavaScript files
- Use Web 2.0 techniques for fewer page loads
Optimizations: Manual
- Java Memory Settings
  - You most likely need to tweak these settings to suit your environment
  - Follow the instructions provided in the documentation
- WebAccess does not create worker threads
  - Requests are processed under Tomcat threads
  - Modify the Tomcat threads to handle higher loads
  - A good understanding of the Tomcat optimization techniques is necessary
  - The default number of worker threads (maxThreads) is 200, which is pretty good for most deployments
How to Deploy?
- In the past, a typical deployment had the WebAccess Agent inside the firewall and the WebAccess Application outside the firewall (in a DMZ)
- With the new architecture, we recommend putting the WebAccess Application inside the firewall and using any of the following options to expose it outside the firewall:
  - An L4 switch
  - A reverse proxy server (like Novell Access Manager)
  - Or a simple Apache server running as a reverse proxy server
- Check out the documentation and/or the Cool Solutions article for details on how to set this up
How to Deploy WebAccess?
[Diagram. Labels: Laptop, PC, iPad, Android; WebAccess Application; POA (x3); DVA (x2)]
How to Deploy WebAccess? (cont.)
[Diagram. Labels: Laptop, PC, iPad, Android; L4 Switch; Firewall; WebAccess Application; POA (x3); DVA (x2)]
Installing WebAccess
- Things are really nice and easy with a new install
  - No objects to worry about
- There are a few things to take care of, however, with an upgrade
  - Install will not remove objects from Novell eDirectory or the GroupWise Domain Database
  - If you have any secondary domains that serve just a WebAccess Agent, then it might be time to consolidate them
  - If those objects are not used by any GroupWise 8 system, then delete them using Novell ConsoleOne
  - Trust me, it's easy
What About the Order of Installation?
- Well, starting with 2012, WebAccess will follow the other GroupWise clients' paradigm
  - It needs a POA that's on the same version or newer
- So, do I have to wait for all the POAs to be upgraded to 2012/2014 before I upgrade WebAccess?
  - Not needed, you can run a GroupWise 8 WebAccess for users on GroupWise 8 Post Offices
What About the Order of Installation? (cont.)
- Upgrade your main WebAccess server to 2014, and add the URL of your GroupWise 8 WebAccess to its configuration file (setting name: Redirect.url)
- 2012 WebAccess will happily process requests for Windermere users (2014)
- And it will redirect GroupWise 8 users to the GroupWise 8 WebAccess
- You don't have to give two URLs to your users
Q and A
WebAccess New Features in 2012/14
- Polling (a.k.a. Auto-refresh in 2014, IP Port 8500)
- New Look and Feel
  - Follows the Novell Branding Guidelines
- Busy Search
- HTML Signature
- Recurrence
- Two timeouts
  - Public or Shared Computer will time out sooner
  - Private computer will keep the session active for longer
- Create Tasks easily in the Tasklist folder
WebAccess New Features (cont.)
- Column Sorting
- Add Pictures to Contacts
- Create Groups easily
- All Day Events
- Download All Attachments in one shot
- Auto logout when the browser window is closed
Security Level
- No Security Required (such as an Intranet)
  - Install WebAccess Application on any Web server that
    - Provides access for your users
    - Meets basic installation requirements
- Security Required
  - Firewall in place to provide security
  - Install WebAccess Application inside firewall and use a proxy server, or
  - Install WebAccess Application on a Web server outside your firewall with POA and DVA inside the firewall
Security Design Options: Configuration with Proxy Service
Security Design Options: Configuration without Proxy Service
WebAccess Configuration: webacc.cfg file
- webacc.cfg file purpose
  - Set with default configuration settings during installation
  - Can be configured to meet WebAccess user and administrative needs
- webacc.cfg file location
  - OES Linux: /var/opt/novell/groupwise/webaccess
  - SLES: /var/opt/novell/groupwise/webaccess
  - Windows: c:\novell\groupwise\webaccess (on the Web server)
WebAccess tweaks (webacc.cfg)
- Multiple POAs
  - Provider.SOAP.1.ip=10.20.30.131
- Multiple DVAs
  - Provider.DVA.1.ip=10.20.30.201
- Configure a helpdesk URL ("Can't log in?")
  - Helpdesk.url=http://<server>/support/
- Enable Admin WebConsole
  - Admin.WebConsole.enable=true
  - Admin.RestService.host=10.20.30.125
- Easy customization
  - /var/opt/novell/groupwise/webaccess/customization.cfg
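A review script for the webacc.cfg settings named on these slides, added here as an example and not part of the original deck or of GroupWise. It assumes plain key=value lines with "#" comments; the sample file content is constructed.

```python
import re

# Constructed sample using only setting names shown on the slides.
# Assumption: "#" starts a comment line in webacc.cfg.
SAMPLE_CFG = """\
# constructed sample, not a real deployment
Provider.SOAP.1.ip=10.20.30.131
Provider.SOAP.2.ip=10.20.30.132
Provider.DVA.1.ip=10.20.30.201
Admin.WebConsole.enable=true
Admin.RestService.host=10.20.30.125
Performance.Dump.enabled=true
"""

def parse_cfg(text):
    """Return {key: value} from key=value lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def providers(settings, kind):
    """IPs of the numbered Provider.<kind>.<n>.ip entries, ordered by n."""
    pattern = re.compile(r"^Provider\.%s\.(\d+)\.ip$" % re.escape(kind))
    found = []
    for key, value in settings.items():
        m = pattern.match(key)
        if m:
            found.append((int(m.group(1)), value))
    return [ip for _, ip in sorted(found)]

def audit(settings):
    """Return review findings for the settings this deck discusses."""
    findings = []
    if settings.get("Performance.Dump.enabled", "").lower() == "true":
        findings.append("Performance.Dump.enabled=true: turn off once measurements are done")
    if settings.get("Admin.WebConsole.enable", "").lower() == "true":
        findings.append("Admin.WebConsole.enable=true: confirm the console is meant to be on")
    for kind in ("SOAP", "DVA"):
        if not providers(settings, kind):
            findings.append("no Provider.%s.<n>.ip entry found" % kind)
    return findings
```
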
WebAccess Security
- Direct access works, but better:
  - Via proxy
  - Via L4 load balance appliance
WebAccess frontend
- Use a load balancer (like pound, part of openSUSE)
- Also does SSL offloading

    ListenHTTPS
        Address <IPAddress>
        Port 443
        Cert "/etc/ssl/servercert_with_key.pem"
        Service
            BackEnd
                Address <IPAddress>
                Port 80
            End
            BackEnd
                Address <IPAddress>
                Port 80
            End
            Session
                Type IP
                TTL 28800
            End
        End
    End
Configure Session Security: Timeout Interval Overview
- Users are logged out of WebAccess after 20 minutes (default) with no requests
- Interval controlled by WebAccess application (through webacc.cfg file)
- Benefits
  - Provides security for users who forget to log out
  - Enhances Web server performance
- User's session saved for 24 hours
  - Saved in Web server directory
  - User can log in again and start from last action
Configure Session Security: Timeout Interval webacc.cfg Setting
- Timeout Interval (in minutes)
Configure Session Security: Change Password Overview
- Users are allowed to change their GroupWise password (default)
- Setting controlled by WebAccess application (through webacc.cfg file)
- Can be disabled if you are using
  - An LDAP directory for authentication
  - Some other system for authentication
Configure Session Security: Change Password webacc.cfg Setting (Disable)
Change from To
Configure Session Security: IP Address Checking Overview
- Checks Web browser IP address of user to confirm communication with same user
- Works well on desktop workstations
  - Highest form of security
- Laptops and mobile devices
  - IP address checking can cause interruptions in user sessions
- Other WebAccess Application security features (such as cookies) can provide excellent security without IP address checking enabled
Configure Session Security: IP Address Checking webacc.cfg Setting (Disable)
Change from To
Configure Session Security: WebAccess Usage Overview
- All GroupWise users can use WebAccess (default)
- Access control configured with gwac.xml
  - OES Linux: /var/opt/novell/groupwise/webaccess
  - SLES: /var/opt/novell/groupwise/webaccess
  - Windows (Web server): c:\novell\groupwise\webaccess
- Control access based on
  - Domain
  - Post office
  - User groups (distribution lists)
  - Individuals
Configure Session Security: WebAccess Usage gwac.xml Settings
Configure DVA Security: Overview
- Configure DVA by editing startup file (gwdva.dva)
  - Linux: /opt/novell/groupwise/agents/share
  - Windows: c:\Program Files\Novell\GroupWise Server\Agents
- Updating DVA software creates a new gwdva.dva file
  - Existing gwdva.dva retained as gwdva.nnn (where nnn increments for each update)
- Working directory (gwdva.dir) and four working subdirectories (log, quarantine, temp, and template)
  - If gwdva.dir grows too large, you can move it to another location and edit gwdva.dva to reflect the new location
Configure DVA Security: Enable SSL for DVA
1. Open the gwdva.dva file in a text editor
2. Search to find the following switch: httpssl
3. Remove the semicolon (;) to activate the setting
4. For subsequent switches:
   - Specify the full pathname to the SSL public certificate file (must be in PEM format)
   - Specify the full pathname to the SSL private key file
   - Specify the password for the private key file
5. Save the gwdva.dva file
6. Enable the configuration changes
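A check for the outcome of steps 2 to 4, added here as an example and not part of the original deck or of GroupWise: it reports whether httpssl is active and which switches directly after it are still commented out. Only the switch name httpssl and the ";" marker come from the slides; the "--" or "/" switch prefix and the placeholder-* switch names in the constructed sample are assumptions.

```python
import re

# Constructed gwdva.dva excerpt. Only "httpssl" and the ";" comment marker come
# from the slides; the "--" prefix and the placeholder-* names are hypothetical.
SAMPLE_DVA = """\
; constructed example, not a shipped startup file
--httpssl
;--placeholder-cert /path/to/cert.pem
--placeholder-key /path/to/key.pem
;--placeholder-keypass <password>

--placeholder-other 1
"""

# Optional leading ";" (commented out), then "--" or "/" and the switch name.
SWITCH = re.compile(r"^\s*(;?)\s*(?:--|/)([A-Za-z][\w-]*)\s*(.*)$")

def parse_switches(text):
    """One (name, value, active) tuple per switch line, None for any other line."""
    rows = []
    for line in text.splitlines():
        m = SWITCH.match(line)
        if m:
            rows.append((m.group(2).lower(), m.group(3).strip(), m.group(1) == ""))
        else:
            rows.append(None)
    return rows

def httpssl_status(text):
    """Return 'active', 'commented' or 'missing' for the httpssl switch."""
    states = [r[2] for r in parse_switches(text) if r and r[0] == "httpssl"]
    if not states:
        return "missing"
    return "active" if any(states) else "commented"

def still_commented_after_httpssl(text):
    """Names of commented switches in the run of switch lines right after httpssl."""
    rows = parse_switches(text)
    pending = []
    for i, row in enumerate(rows):
        if row and row[0] == "httpssl":
            for nxt in rows[i + 1:]:
                if nxt is None:          # blank line or prose ends the run
                    break
                if not nxt[2]:
                    pending.append(nxt[0])
            break
    return pending
```
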
WebAccess Demo
Q and A
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Novell, Inc. may make improvements in or changes to the software described in this document at any time. Copyright 2014 Novell, Inc. All rights reserved. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States. All third-party trademarks are the property of their respective owners.