GroupWise® WebAccess Design and Implementation

Tay Kratzer, Primary Support Engineer, Novell Inc., tkratzer@novell.com
Mike Bills, ATT Engineer, Novell Inc.

© March 9, 2004 Novell Inc.

The one Net vision

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

• Novell exteNd™
• Novell Nsure™
• Novell Nterprise™
• Novell Ngage℠

Novell Nterprise™

Novell Nterprise is an innovative family of products which gives you the power to enable and manage the constant interaction of people with your business systems, regardless of who they are or where they are.


Session Goals

• Explain GroupWise® WebAccess Architecture
• Increase GroupWise WebAccess Stability
• Increase WebAccess session performance & scalability
• Secure WebAccess sessions via SSL
• Implement a Virus Protection solution
• HTML Monitoring WebAccess Agent and Application
• Fine tuning tips

GroupWise WebAccess Architecture

Two WebAccess Components

1 WebAccess Application
2 WebAccess Agent

[Diagram: Web Server with WebAccess, WebAccess Agent, Post Offices]

GroupWise WebAccess Application

• Runs on NetWare, Linux, Unix, Windows
• Runs a Java Applet - Hosted by a web server
• Administered through ConsoleOne or the WEBACC.CFG file
• Handles about 1,000 users
• Very stable process

GroupWise WebAccess Application

Java Applet – Tomcat – On NetWare®

GroupWise WebAccess Application

Web Server - Apache – On NetWare

GroupWise WebAccess Application

Administration

• Available in the eDirectory™ browser view in ConsoleOne
• Not available in the GroupWise® View
• Settings kept in eDirectory and the WEBACC.CFG
• Four Objects
  – GroupWiseWebAccess
  – NovellSpeller
  – GroupWiseProvider
  – LDAPProvider

GroupWise WebAccess Application

WebAccess Application Objects in ConsoleOne®

GroupWise WebAccess Application

Changes made to the WebAccess Application Objects in ConsoleOne are saved in *.CFG files on the web server.

For example: WEBACC.CFG.

GroupWise WebAccess Agent

• Executable code “GWINTER” on NetWare, Linux or Windows NT/2000

• It’s the workhorse, it acts as a client to the POA on behalf of WebAccess users

• Less stable than the WebAccess Application

• By default the WebAccess Agent only supports 250 user connections

• Administered through ConsoleOne in either the GroupWise view or the eDirectory view

GroupWise WebAccess Agent

WebAccess Agent on NetWare (GWINTER.NLM)

GroupWise WebAccess Agent

WebAccess Agent on Linux (GWINTER)

GroupWise WebAccess Agent

Increase Stability

• Load Agents into protected memory for fast ABEND recovery (NetWare)
• Install additional Agents
• Configure Application to failover to additional agents
• Exclude file attachment viewing of certain file types

Protected Memory Notes

Prerequisites:

• NetWare 5.1 or 6.x with latest patches
• Additional memory beyond current memory requirements – about 20% more for the modules that load

Advantages:

• Abends only happened in the protected memory space
• NetWare unloads and re-loads the protected memory space automatically

WebAccess Agent on NetWare

Protected Memory Configuration Steps

1 Add the following line to the STARTUP.NCF:

SET MEMORY PROTECTION NO RESTART INTERVAL = 0

2 Create a GWINTER.CFG in SYS:SYSTEM:

/HOME=
/USER=
/PASSWORD=
/LOGDISKON

(Note: The Linux WebAccess Agent does not use the “/user” and “/password” switches, but the NetWare and Windows WebAccess Agents do.)

WebAccess Agent on NetWare

Protected Memory Configuration Steps (cont.)

3 Create a STARTGWA.NCF in SYS:SYSTEM:

LOAD ADDRESS SPACE =GW1 GWINTER @GWINTER.CFG
PROTECTION RESTART GW1

4 Create a STOPGWA.NCF in SYS:SYSTEM:

UNLOAD ADDRESS SPACE =GW1 GWINTER
UNLOAD KILL ADDRESS SPACE=GW1

WebAccess Agent on NetWare (GWINTER.NLM)

If the WebAccess Agent abends, NetWare unloads the protected memory space automatically.

GWINTER Abend

WebAccess Agent on NetWare (GWINTER.NLM)

Then NetWare reloads the protected memory space automatically. (Note: this all happened in 7 seconds.)

NetWare reloads GWINTER into protected memory

WebAccess Agent on NetWare

Protected Memory - Final Notes:

• Use the STOPGWA.NCF to unload the GWINTER
• Apply latest support pack to NetWare for essential patches to fix protected memory issues.
• Or – apply the patches in
  – NWMEM3.EXE (support.novell.com)
  – NW56UP3.EXE (support.novell.com)
• More reading on this topic:
  – December 2002 Novell Appnotes: “Implementing a High Availability WebAccess Solution with GroupWise 6”
  – http://developer.novell.com/appnotes

WebAccess Agent Configuration for Speed, Scalability and Failover

Create multiple WebAccess Agents and put WebAccess Agents in close network proximity to the post offices they are designed to service.

[Diagram: Web Server with WebAccess; two Post Office / WebAccess Agent pairs]

WebAccess Agent Configuration for Speed and Scalability

Installation

1 Create an additional special-purpose secondary domain to contain the WebAccess Agent as needed.

2 Run the GroupWise WebAccess installation and choose to install just the WebAccess Agent (do not install the Application again).

3 Install the WebAccess Agent to a GroupWise domain: the special-purpose secondary domain, if you created one.

WebAccess Agent Configuration for Speed and Scalability

Configuration

1 Make sure that the newly created WebAccess Agent has the same encryption key as the first WebAccess Agent. All WebAccess Agents should have identical encryption keys. Edit the properties of the WebAccess Agent to configure the encryption key.

WebAccess Agent Configuration for Speed and Scalability

Configuration

2 Edit the domain or post office object and specify the default WebAccess Agent.

WebAccess Agent Configuration for Speed and Scalability

Configuration

3 Add additional WebAccess Agents to the WebAccess Application's GroupWiseProvider object's failover list.

WebAccess Agent Configuration for Speed and Scalability

Configuration – Final Notes - 1

• Only two or three WebAccess Agents are needed in the provider list, but you can create many more WebAccess Agents than that. One customer I know of has 30 WebAccess Agents.

WebAccess Agent Configuration for Speed and Scalability

Configuration – Final Notes - 2

• Changes made to the GroupWiseProvider object should be committed to the WEBACC.CFG in the \NOVELL\WEBACCESS directory. For example, on a NetWare server the directory is typically SYS:NOVELL\WEBACCESS. Look for syntax such as:

Provider.GWAP.Default.address.1=137.65.55.211:7205
Provider.GWAP.Default.address.2=137.65.55.215:7205

• These two lines are the reference to the two WebAccess Agents. Sometimes the ConsoleOne Snapins do not write these lines to the WEBACC.CFG. You may have to add these lines manually to the WEBACC.CFG. You can add these lines to the end of the file. The syntax is very exacting and case sensitive. If you were to add a third line it might look like this example:

Provider.GWAP.Default.address.3=137.65.55.216:7205
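
A check for the failover entries described above, added here as an example; it is not part of the presentation or of any Novell tool. It assumes the entries are numbered contiguously from 1, use IP:port values as on the slide, and that lines starting with # are comments; the function name and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Exact, case-sensitive key form shown on the slide.
KEY_RE = re.compile(r"^Provider\.GWAP\.Default\.address\.(\d+)$")
# Same prefix matched case-insensitively, to catch near-misses such as wrong case.
LOOSE_RE = re.compile(r"^provider\.gwap\.default\.address\.", re.IGNORECASE)

# Constructed sample: two good entries, one with wrong case, one without a port.
SAMPLE = """\
# constructed WEBACC.CFG fragment
Provider.GWAP.Default.address.1=137.65.55.211:7205
Provider.GWAP.Default.address.2=137.65.55.215:7205
provider.gwap.default.address.3=137.65.55.216:7205
Provider.GWAP.Default.address.4=137.65.55.216
"""


def check_failover_list(cfg_text):
    """Return (agents, problems) for the agent failover entries in WEBACC.CFG text."""
    agents = {}      # index -> "ip:port" for every entry that parsed cleanly
    problems = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # assumption: '#' starts a comment line
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY_RE.match(key)
        if not match:
            if LOOSE_RE.match(key):
                problems.append(f"line {lineno}: key '{key}' does not match the exact, case-sensitive syntax")
            continue
        index = int(match.group(1))
        host, sep, port = value.rpartition(":")
        try:
            ipaddress.ip_address(host)
            if not (sep and port.isdigit() and 1 <= int(port) <= 65535):
                raise ValueError(value)
        except ValueError:
            problems.append(f"line {lineno}: '{value}' is not an IP:port pair as shown on the slide")
            continue
        if index in agents:
            problems.append(f"line {lineno}: index {index} is defined twice")
        if value in agents.values():
            problems.append(f"line {lineno}: agent {value} is listed twice")
        agents[index] = value
    # Assumption: entries are numbered 1, 2, 3 ... without gaps, as on the slide.
    if sorted(agents) != list(range(1, len(agents) + 1)):
        problems.append(f"indexes {sorted(agents)} are not contiguous from 1")
    if len(agents) < 2:
        problems.append("fewer than two valid agents listed, so there is no failover target")
    return agents, problems


if __name__ == "__main__":
    found, issues = check_failover_list(SAMPLE)
    print(found)
    print("\n".join(issues))
```
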

WebAccess Agent Configuration for Speed and Scalability

WebAccess Operation

• When a user on the SLCPO logs in, the WebAccess Application will create the session with the WebAccess Agent called “SLC-WEB”.

• When a user on the NYPO logs in, the WebAccess Application will create the session with the WebAccess Agent called “NY-WEB”.

• If one of the WebAccess Agents goes down, the WebAccess Application just rolls to one of the WebAccess Agents listed in the WEBACC.CFG.

Secure WebAccess Sessions via SSL

• If you do not enable SSL encryption of web server/WebAccess sessions, the user's passwords etc. pass over the Internet in clear text.

• If you use a certificate signed by your own eDirectory tree, users will be prompted to accept the certificate each time they log into GroupWise

• If you use a certificate signed by a third-party, such as Verisign, your users will not be prompted to accept the certificate.

Secure WebAccess Sessions via SSL

The SSL certificate is enabled on the web server. For Apache on NetWare, edit the *.CONF file for the Apache web server. Add or enable the lines related to SSL. For example:

LoadModule tls_module modules/mod_tls.nlm
<IfModule mod_tls.c>
SecureListen 137.65.55.211:443 "SSL CertificateDNS"
</IfModule>

or, if you have a certificate signed by a third party:

LoadModule tls_module modules/mod_tls.nlm
<IfModule mod_tls.c>
SecureListen 137.65.55.211:443 "VERISIGN_WWWFS1"
</IfModule>

Secure WebAccess Sessions via SSL

For further details read the October 2002 Novell Connection Magazine article titled: Securing a Web Server on NetWare

http://www.novell.com/connectionmagazine/2002/10/secure.pdf

Virus Protection for GroupWise WebAccess

• For many customers GroupWise WebAccess is a gaping hole in their virus protection. When users access GroupWise WebAccess from home or other locations, there is no guarantee that their desktop is protected from viruses. A server-based virus protection solution should be put in place on the web server.

• Attachments that users upload are only kept in their native format on the web server. The attachments are uploaded by default to the \NOVELL\WEBACCESS\TEMP directory.

• Some virus vendors do not detect a virus that comes in via a web session, for example McAfee and Symantec. Inoculan does detect viruses.

Virus Protection for GroupWise WebAccess

• Beginfinite makes a product “GWAVA WebAccess Edition” which is specifically designed to protect GroupWise from inbound viruses from WebAccess sessions. NOTE: Owning GWAVA is not a pre-requisite to implementing GWAVA WebAccess Edition.

Virus Protection for GroupWise WebAccess

You can read more about how my customer and I virus protected their web server with Inoculan in the following article:

Virus Protection for GroupWise
http://www.novell.com/connectionmagazine/2002/02/virus22.pdf

Monitoring The WebAccess Agent from a Web Browser

• Edit the WebAccess Agent object

• Configure the HTTP port on the Network Address page

• Fill in the HTTP User Name and the HTTP Password on the Optional Gateway Settings page

• Restart the WebAccess Agent

Monitoring The WebAccess Agent from a Web Browser

From a web browser type in the <ip address>:<http port>.

For example: http://137.65.55.215:7211

Monitoring The WebAccess Application from a Web Browser

• Edit the WEBACC.CFG file for the WebAccess Application. This file is typically in the \NOVELL\WEBACCESS directory.

• These commands are only valid with the GroupWise 6.5.1 WebAccess Application or later. Look for the following three lines, or add them if they are not in the WEBACC.CFG file. Make sure the enable option is set to “true”. Configure the username and password.

Admin.WebConsole.enable=true
Admin.WebConsole.username=gwadmin
Admin.WebConsole.password=novell

Restart the WebAccess Application:
• java -exit
• tomcat33
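
An audit of the web console settings shown above, added here as an example; it is not part of the presentation or of GroupWise. It flags a WEBACC.CFG that enables the console while keeping the slide's sample credentials or other weak values; the function name, the minimum length and the treatment of repeated keys (last line wins) are assumptions.

```python
PREFIX = "Admin.WebConsole."
# Sample credentials printed on the slide; a live server should not keep them.
SLIDE_SAMPLE = ("gwadmin", "novell")
MIN_PASSWORD_LEN = 12  # assumption: a site policy value, not a GroupWise limit

# Constructed sample: the three lines exactly as they appear on the slide.
SAMPLE = """\
Admin.WebConsole.enable=true
Admin.WebConsole.username=gwadmin
Admin.WebConsole.password=novell
"""


def audit_web_console(cfg_text):
    """Return a list of findings for the Admin.WebConsole.* lines of a WEBACC.CFG."""
    settings = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line.split("=", 1)
            # Assumption: when a key is repeated, the last line wins.
            settings[key[len(PREFIX):].strip()] = value.strip()

    if settings.get("enable", "").lower() != "true":
        return []  # console not enabled, so its credentials are not in use

    user = settings.get("username", "")
    password = settings.get("password", "")
    if not user or not password:
        return ["console enabled with an empty username or password"]

    findings = []
    if (user, password) == SLIDE_SAMPLE:
        findings.append("username and password are the sample values from the slide")
    elif password == SLIDE_SAMPLE[1]:
        findings.append("password is the sample value from the slide")
    if password.lower() == user.lower():
        findings.append("password is the same as the username")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(f"password is shorter than {MIN_PASSWORD_LEN} characters")
    return findings


if __name__ == "__main__":
    for finding in audit_web_console(SAMPLE):
        print(finding)
```

The password is stored in clear text in WEBACC.CFG, so read access to that file matters as much as the value itself.
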

Monitoring The WebAccess Application from a Web Browser

Access the WebAccess Application monitoring page using the following syntax:

http://<web server>/servlet/webacc?action=Admin.Open

WebAccess Application Tips

Apache and Microsoft Internet Explorer have a problem relating to friendly HTTP errors. End users (particularly those with slow connections) may suddenly get the error “Page Cannot Be Displayed” during their WebAccess session. By enabling the “nokeepalive” parameter, you can fix this issue. See the following document at Novell's http://support.novell.com web site to remedy this problem:

10081268
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10081268.htm

WebAccess Application Tips

A WebAccess Application that supports lots of simultaneous users will need more memory than what is allocated by default. By default Java will only use 64 megabytes of memory. You must force Java to use more memory. Edit the TOMCAT33.NCF file. Add the commands -XmsNNN -XmxNNN to increase Java memory. See TID # 10068408

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10068408.htm

WebAccess Application Tips

Bypass the GroupWise language selection page. Rename the home page (INDEX.HTM, INDEX.HTML or DEFAULT.HTM). For example, in Apache, create a file by the name of INDEX.HTML in the HTDOCS directory (or the NWDOCS directory if that is what you are using). The file should contain verbiage similar to this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>GroupWise WebAccess</TITLE>
<script>location="https://groupwise.wwwidgets.com/servlet/webacc"</script>
</HEAD>
</HTML>

WebAccess Agent Tips

• The WebAccess Agent is the workhorse for WebAccess
  – Fast CPU
  – Sufficient Memory
  – The WebAccess Agent on the NetWare platform is benefited by SMP

• Increase Maximum threads beyond 12 if needed. For example 25 threads.

• Configure post office links to be Client Server only

Demonstration

• Bypassing the WebAccess Language selection screen

• SSL Enabled WebAccess Session

• WebAccess Agent Abend Recovery

• WebAccess Agent Failover

• WebAccess Agent specific to the post office logged into

• HTML Monitoring of the WebAccess Application and Agent

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.