Lessons learned from a Major IBM Collaboration Solutions Deployment
Martijn de Jong (ilionx) & Frank Visser (IBM)
Str. 06
#engageug 2
• M.Sc. Electrical Engineering at the University of Delft, The Netherlands
• Psychology & Ergonomics at the University of Stellenbosch, South Africa
• Advanced Certified IBM Lotus® Notes® & Domino® 9 Application Developer & System Administrator and a Certified Lotus Instructor
Who Am I
Martijn de Jong twitter.com/martdj
nl.linkedin.com/in/martdj
#engageug 3
• Master East European Studies (focus on Russia), University of Amsterdam, The Netherlands
• Advanced Certified IBM Lotus Notes & Domino 8.5 System Administrator and Certified IBM Lotus Notes & Domino 9 System Administrator
Who Am I
Frank Visser
#engageug 4
• The opinions expressed in this presentation are the personal opinions of the speakers. They don’t necessarily reflect the official opinions of their employers, nor of the customer on whose case the information in this presentation was based
• Our opinions are based on our experiences with the products in 2015. Some challenges we encountered might be solved in your situation
• You may thank us for that ;-)
Disclaimer
#engageug 5
• Customer Case
• Architecture
• Strategy
  • Division of Responsibilities
  • Corporate Directory
  • It’s supported, but should you do it
• Deployment
  • Connections
  • Sametime Complete
  • Mobile / Verse
  • Domino / Notes
Agenda
#engageug 6
• Customer in financial services
• ±30K Employees and ±11K Employees in subsidiaries
• Customer was using Notes / Domino 8.5 and Sametime chat
• Customer decided in 2014 on the IBM Collaboration Solutions portfolio:
• IBM Connections 5
• Notes / Domino 9 (internal organisation)
• Sametime 9 Complete
• IBM Notes Traveler / MaaS360 / IBM Mobile Connect / Verse
Customer Case
Architecture - Connections
7
Architecture - Sametime
8
Architecture - Sametime A/V
9
Architecture - Mobile
10
Strategy
11
#engageug 12
Division of Responsibilities
Responsibility Matrix
13
Connections
Mobile
Domino
Sametime
Domino / Collaboration | Netherlands | Poland
Wintel | Netherlands | India
RDBMs | Netherlands | India
WebSphere | Netherlands | India
Unix / Linux | Netherlands | India
Network | Netherlands | India
Storage | Netherlands | India
VMWare | Netherlands | India
HR | Netherlands
Security | Netherlands
Enterprise Directory
#engageug 14
Bystander effect
#engageug 15
• Departments focus on specific versions of products
• Connections / Sametime / Mobile / Domino have their own rules regarding versions, fixpacks, fixes etc
• This often clashes
• Better to have knowledge of WebSphere & RDBMS in department supporting Connections/Sametime/etc
• Concatenate Support Responsibilities
Lesson learned
Concatenate Responsibilities
16
Domino / Collaboration
Wintel
RDBMs
WebSphere
Unix / Linux
Network
Storage
VMWare
HR
Security
Collaboration: Domino • WebSphere • TDI • DB2 • Windows • Linux
Network
Storage
VMWare
HR
Security
#engageug 17
• Don’t try to make COTS (Commercial Off The Shelf) software comply with a strict set of standards made for running WebSphere enterprise applications
• The same holds for standards regarding Operating Systems
• Make sure this is clear in the architecture phase and if applicable the contract with the customer
Lesson Learned
#engageug 18
• When implementing new products, you’re bound to miss some expertise
• Try to get the right experts involved in the architecture phase and early deployment phase
• Hire them if necessary
• Might save you a lot of extra work during deployment
Lesson learned : Expertise involvement
#engageug 19
Corporate Directory
Or
#engageug 20
• Who do you want to use Connections / Sametime / Mobile / Domino Mail?
• Are they all in one directory?
• Is this an LDAP directory?
• Can you add data to this directory that you need for Connections / Sametime / Mobile?
• Do you want SSO? Is data that you need for SSO in your LDAP directory?
• What information should users be able to edit themselves?
• What about groups?
• Who owns the content of groups?
Corporate Directory
#engageug 21
Carefully plan and prepare your Corporate Directory before deployment of Connections / Sametime / Mobile
Lesson learned
#engageug 22
• The fact that something is supported means that, if it doesn’t work, IBM will create a fix for you. It doesn’t necessarily mean it works out of the box!
• It also doesn’t mean no extra costs are involved in using this solution!
It’s supported, but should you do it?
#engageug 23
Supported RDBMS
Product | RDBMS | Version
Connections 5.0 | DB2 Enterprise Server Edition | 10.1
Connections 5.0 | Microsoft SQL Server | 2012
Connections 5.0 | Oracle Database 11g Enterprise Edition | Rel. 2
Connections 5.0 | Oracle Database 11g Standard Edition | Rel. 2
Sametime 9 | DB2 Workgroup Server Edition | 9.7 & 10.1
Traveler 9 HA | DB2 Enterprise/Workgroup Server Edition | 9.7 & 10.1
Traveler 9 HA | Microsoft SQL Server Enterprise Edition | 2008 (R2) SP1 CU1+
IBM Mobile Connect 6.1 | DB2 Universal Database or Express | 9.1 or 10.X
IBM Mobile Connect 6.1 | Microsoft SQL Server Standard / Express | 2008+
IBM Mobile Connect 6.1 | Oracle 11g with Data Direct Connect ODBC 7.1 |
#engageug 24
• If something is supported, but hardly anyone uses it, you’re prone to encounter bugs
• It might be wisest to use DB2 as RDBMS for all ICS products even when it’s not your strategic platform
Lesson learned
Deployment
25
Connections Deployment
26
#engageug 27
• Like most other products, Connections also has security vulnerabilities. Finding and fixing them is an ongoing process
• Users could create special pages to abuse these
• Many other settings to enforce stricter security
• Lesson learned: Define beforehand what should be considered a security risk and what not
Security vulnerabilities
#engageug 28
• Single Sign-on was configured using SPNEGO
• Not all users could use SSO; those users needed username/password
• Lesson Learned: Design and implement a fallback mechanism for authentication
Authentication
#engageug 29
• You’ll want to restrict access to some parts of Connections
• Metrics, Connections administrative roles, WebSphere Admin
• You’ll probably want to use groups for these
• Lesson Learned: You need a mechanism to create/modify/delete your LDAP groups
Authorisation
#engageug 30
• Cognos loves its database
• It gets really upset if the database is not there
• By default, it will try to find it multiple times a second
• Databases don’t like this. This creates a lot of log entries. Our Oracle grid went down because of this behaviour
Database hunger
#engageug 31
• Beware of Cognos DB Hunger. If you plan to take your RDBMS down for whatever reason, stop Cognos first
• If your RDBMS went down unexpectedly, stop Cognos ASAP
• Consider creating a separate DB instance for Cognos
Lesson learned
#engageug 32
• Connections integrates with Notes very nicely via 3 plugins (Files - Activities - Status Updates), but why do they load so slowly?
• The plugins load by default via UDP. Check if all your network components are configured to support this
• If not, check the krb5.ini (krb5.conf on Linux) and configure it to use the TCP protocol (udp_preference_limit=1)
Connections plugin in Notes
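A check for the krb5.ini setting named on this slide, added here as an example and not part of the original presentation: it reports whether a krb5.ini / krb5.conf forces TCP through udp_preference_limit in [libdefaults], which is useful when auditing many client configurations. The function names and the sample files (EXAMPLE.COM, kdc.example.com) are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")

def udp_limits(krb5_text):
    """Collect every udp_preference_limit value found under [libdefaults]."""
    section, found = None, []
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "libdefaults" and key.strip() == "udp_preference_limit":
            found.append(value.strip())
    return found

def classify(krb5_text):
    """Return 'tcp', 'udp-first', 'conflict' or 'invalid' for one config file."""
    values = udp_limits(krb5_text)
    if not values:
        return "udp-first"   # setting absent, so the library default applies
    if len(set(values)) > 1:
        return "conflict"    # duplicate entries that disagree
    try:
        limit = int(values[0])
    except ValueError:
        return "invalid"
    return "tcp" if limit <= 1 else "udp-first"

# Constructed sample files; realm and KDC names are placeholders.
SAMPLES = {
    "default": "[libdefaults]\n default_realm = EXAMPLE.COM\n"
               "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n",
    "fixed": "[libdefaults]\n default_realm = EXAMPLE.COM\n udp_preference_limit = 1\n",
    "misplaced": "[libdefaults]\n default_realm = EXAMPLE.COM\n"
                 "[realms]\n udp_preference_limit = 1\n",
    "commented": "[libdefaults]\n # udp_preference_limit = 1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify(text))
```

The "misplaced" and "commented" samples show two ways a file can appear to carry the fix while the setting is not in effect.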
Sametime Deployment
33
#engageug 34
• Since the latest Domino versions, you should use TLS for secure LDAP connections. Much of the Sametime documentation still assumes you’ll use SSL (don’t do that!). You need to create a keystore for TLS for secure connections to LDAP
• [Config]
  STLDAP_TLS_TRUST_STORE_TYPE=p12
  STLDAP_TLS_TRUST_STORE_FILE=trust.p12
  ST_TLS_TRUST_STORE_PASSWORD_STASH_FILE=trust.sth
• http://ibm.co/1M6WAXi for more info
Sametime IM
#engageug 35
What do you want to show in your Sametime business cards?
• Email address
• Phone number
• Address
• Etc…
And: do you want to give users the possibility to change their own data? Based on that you can retrieve your business card information from:
• your (Domino) LDAP directory
• HR system
• Connections profile (easy to manage, users can upload their own photo when they create their Connections profile).
• …
Sametime business cards
#engageug 36
• Plan your Sametime data sources carefully before implementing.
• Plan whether or not you will allow users to modify their own data.
Lesson learned
#engageug 37
In Sametime you can show a photo in your business card. There are multiple ways of achieving this.
• From the Domino Directory (bad idea as it will explode the size of your Domino Directory database)
• From your (Domino) LDAP directory (bad idea, same as previous)
• Custom Notes database
• Connections profile (easy to manage, users can upload their own photo when they create their Connections profile).
Sametime photo
#engageug 38
• Plan your Sametime data sources carefully before implementing.
• Be careful storing photos in a Domino or LDAP Directory.
• Best practice would be to use the Connections Profiles to retrieve the photos from. This will encourage users to use Connections as well.
Lesson learned
#engageug 39
• Sametime can update your Sametime availability according to your calendar entries
• This is called the Auto-status check
• Sounds good?
• Some Sametime client versions had a bug, causing the client to connect to the Domino server 20 times a second instead of once per 10 minutes (as in versions without the bug)
• Our Domino servers slowly died
Auto-status check
#engageug 40
• When enabling a new feature, do thorough research for potential problems with this feature
• Make sure all your (embedded) Sametime clients are updated to the latest version before implementing the Auto-status check setting.
• http://ibm.co/1S3y88t
Lesson learned
#engageug 41
• A Sametime migration means Contact list migration
• This can be tricky; it is easy to end up with duplicate contacts in Sametime clients
• Even more when you migrate from Domino authentication to LDAP
• Force a one-way sync from server to local for contact lists
Contact list migration
#engageug 42
• Copy vpuserinfo.nsf and convert contacts to LDAP style
• Make sure that local contact lists are overwritten by the server contact list to prevent loss of data on the server side
• Use a policy for this
Lesson learned
#engageug 43
Desktop policy versus Update Site
Sametime policies can be pushed via a Desktop policy (Managed Settings tab) or an Update site.
Sametime Policies
Desktop Policy | Update Site
Only for embedded Sametime | Works for Embedded and Standalone ST.
Easy to manage (differentiate) | Differentiation possible, but difficult to manage.
Works for all Client versions | May not work for Notes 8.5.2 and below.
Settings can be set, but not enforced. | Settings can be set AND enforced.
#engageug 44
• Plan how you want to deploy Sametime policies. There are pros and cons for both
• If you have standalone clients, you must use an update site
• If you need to differentiate between countries or groups, it may be easier to use a Desktop policy
• If you want to enforce settings, you must use an Update site
Lesson learned
#engageug 45
• IBM recommends deploying Sametime A/V in close collaboration with the network supplier
• Take this recommendation seriously!
• You’ll need many open ports between different network segments
• This changes as the product evolves
• Luckily, the number of open ports usually decreases
Sametime A/V
Mobile Deployment
46
#engageug 47
• Many companies have a BYOD (Bring Your Own Device) Strategy
• To secure company resources on a device that’s owned by the user there are 2 possibilities:
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• MDM solutions with Traveler / MaaS360 have a higher installed base
Who do you trust?
#engageug 48
• MAM has lower impact on the devices of the employees
• MAM containers depend on the supplier of the container. New OS versions (Android, iOS) might be incompatible with these containers
• If MAM containers need to talk to other containers of different suppliers you might have challenges
MDM vs MAM
#engageug 49
• Cloud solutions might save you a lot of hassle. Discuss early with Legal department what can be in the cloud and what can't
• The chosen solution was cutting edge. Many fixes needed (and received in a timely manner)
• IBM Mobile Connect is a good solution to distribute load evenly over Traveler pools
Lessons learned
#engageug 50
• Strategy of enabling everything through mobile, might have been overambitious
• Give people a choice. As little company influence as possible -> you get basic functionality
• The MaaS360 apps provide this and work fine as MAM solution
• People who want/need more -> accept an MDM solution
Lessons learned (2)
Notes / Domino Deployment
51
#engageug 52
(Centralized) deployment of the Notes Client:
• Manual
• Smart Upgrade
• Microsoft System Center Configuration Manager (SCCM)
• Other Third-party tooling
Keep in mind that a Notes upgrade takes quite a while (up to 45 minutes) and users are not patient.
Client Deployment
#engageug 53
• Communication, communication, communication!
• If possible, make sure users CANNOT break the Notes installation (lock the Notes processes)
Lesson learned
#engageug 54
A Company specific Welcome Page in Notes. Very nice! But how?
• Create a template and deploy via the Client package? -> causes problems when upgrading the Notes Client. No go!
Lesson learned: Create Welcome pages the proper way:
• Create a Welcome Page database
• Deploy via a Desktop policy.
Corporate Homepage
#engageug 55
• Problem: Our Custom Welcome Page was overruled by the standard Discovery Page
• Cause: Desktop Settings Form in Domino 9 contains a “bug” which enforces the Discovery Page as the Default Homepage
• Solution: We fixed the bug ourselves: http://ibm.co/1RNF4nw
• Lesson learned: If you don’t want your Custom Welcome Page to be overruled by the Discovery Page, fix the Desktop Settings Form
Discovery Page
#engageug 56
Great feature! Very useful for offline working on Laptops.
• It can be configured for Laptop Users only
• Don’t forget to set the “Use local mail.box to send messages” option! (set via managed settings to have laptop only)
Managed Replicas
#engageug 57
• Managed Replica is useful, but implement it properly
Lesson learned
#engageug 58
There are multiple “Roaming” solutions.
• Store Notes data on a File Share (NO GO! Not supported and can cause performance issues)
• Notes Roaming (on File Share or Domino Server)
• Third Party tooling
Roaming
#engageug 59
• Consider your Roaming strategy
• Arrange access to both Server and Client side
• Get help from an expert if you have no Roaming experience
Lesson learned
#engageug 60
Notes supports multiple languages. Nice, but there are complications.
• Support from non-local helpdesks is complicated
• MUI mail template can cause issues with customised or old mail files (created with version 4.5)
• Not supported with Traveler / Verse
• Not supported in the Cloud
Notes Multilingual
#engageug 61
• Multilingual Notes Client: Nice. But do you really want it? It makes things more complicated
Lesson learned
#engageug 62
Questions?