More blog spam

A few months back I had to enable comment moderation on this site to deal with the blog spam I was getting. Unfortunately, over the last few days I’ve had to delete hundreds of spam comments sent to my e-mail for moderation so, with regret, I’ve had to turn on word verification to make sure that comments are only left by humans.

Please continue to leave comments on the blog – it’s always nice to hear when something was useful, or when someone has some additional information relating to one of my posts. I’m just sorry that I have to put these blocks in to make it harder for the ‘bots – unfortunately it also makes it harder for people to leave genuine comments too.

Office Groove 2007 overview

Microsoft Office

At the risk of annoying yet more people at Microsoft after my comments in this week’s Computer Weekly, last night I attended what was probably the worst Microsoft event I’ve ever been to. To be fair to Microsoft, they are kind of pre-occupied this week… some sort of big launch happening today… something called Windows Vista and Office 2007… but this was Bad (note the capital B).

I’m not sure if I should name the presenters – I’ll just say that there was an IT Pro Evangelist who is normally both a good presenter and who generally gives the impression of possessing detailed product knowledge (something which was sadly lacking at this event) supporting someone from the marketing side of the organisation as she gave a very superficial run through a slide deck with which she was clearly unfamiliar.

Microsoft Office Groove 2007

The topic was Office Groove 2007 and this was supposed to be a technical overview. To me, it felt like an unrehearsed dry run of a presentation about a product that has been bought into the company and which, based on last night’s presentation, very few Microsoft people understand. Luckily, Ray Jordan from D2i Solutions – the UK distribution partner for the original Groove Networks product line – was extremely knowledgeable and stepped in to rescue the event (although he seemed to disappear at the refreshment break – presumably embarrassed at having to answer questions from the audience to pick up on the Microsoft presenters’ shortcomings).

For those who are not familiar, Groove Networks was a company founded in 1997 by Ray Ozzie (originally of Lotus Notes fame and now Microsoft Chief Software Architect) which specialised in collaboration products and was purchased by Microsoft in 2005. There’s some speculation as to whether Microsoft wanted the company’s products or were really after Ray Ozzie himself, but whatever the politics, Groove Virtual Office is now being absorbed into Microsoft Office.

I used Groove Virtual Office 3.1 for a recent project and found it both useful and impressive. With the launch of Office Groove 2007, I was interested to see what Microsoft has done to the product. It seems that the product bundling has changed and there are some minor changes but on the whole it’s very similar.

Office Groove 2007 is a team workspace application that provides for greater collaboration between customers, partners and colleagues, with each user having access to a number of collaborative workspaces across a range of projects. These workspaces may be customised with a range of tools and templates to allow people to use their time effectively through offline working, yet remaining synchronised.

Whereas users in a corporate environment are used to sharing information using file servers and intranets, once a project or other collaboration requirement crosses organisational boundaries it gets more difficult. Groove overcomes this using a highly secure yet distributed architecture whereby each workspace member synchronises changes with others and a relay server acts as a broker when workspace members are offline.

The process of sharing a workspace involves either synchronising a local folder via Groove or creating a new XML datastore, protected using an internal PKI mechanism (with 192-bit AES encryption), then inviting others to join the workspace and sharing encryption keys between members. Each workspace member is allocated one of three roles – manager, participant or guest – and has an exact copy of the workspace. These roles can be amended within the workspace properties and the permissions assigned to each role can also be adjusted. When synchronising changes only the changed portions of the database are transmitted (a hash is calculated on the whole file and on each portion of the file – by comparing hashes it is possible to work out which portions have been modified) and because each change, the whole workspace and all network traffic are signed using the internal PKI, it is impossible to inject any malicious changes.

If a workspace member does not access the workspace for 21 days then they are uninvited – a process which involves all other members having new keys issued – effectively locking the absent member out of the workspace. If a member cannot sign in they can still work offline and access data but no changes will be synchronised. When I suggested that this was a security loophole it was pointed out to me that it is really no worse than traditional methods of sharing data (e.g. transferring files via e-mail) and that digital rights management can be applied to further protect the data (although that would remove many of the advantages of offline access to the workspace).
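The portion-level hashing, per-change signing and key-rotation lockout described in the two paragraphs above, as an added example that is not Groove's own code: a constructed HMAC key stands in for the workspace PKI signing key, and the four-byte portion size is constructed so a short sample splits into several pieces.

```python
import hashlib
import hmac

PORTION = 4  # constructed, tiny portion size so the sample splits into several pieces

# Constructed stand-in for the workspace signing key Groove shares with invited
# members; an HMAC key replaces the real PKI signatures here (assumption).
WORKSPACE_KEY = b"constructed-demo-key"


def portion_hashes(data: bytes) -> list:
    """Hash every fixed-size portion of the datastore separately."""
    return [hashlib.sha256(data[i:i + PORTION]).hexdigest()
            for i in range(0, len(data), PORTION)]


def changed_portions(old: bytes, new: bytes) -> list:
    """Whole-file hash first; if it differs, compare per-portion hashes and
    return the indices that changed or are new (only these are transmitted)."""
    if hashlib.sha256(old).digest() == hashlib.sha256(new).digest():
        return []
    old_h, new_h = portion_hashes(old), portion_hashes(new)
    return [i for i, h in enumerate(new_h) if i >= len(old_h) or h != old_h[i]]


def sign_change(index: int, data: bytes, key: bytes = WORKSPACE_KEY) -> dict:
    """Package one changed portion with a signature over its index and content."""
    mac = hmac.new(key, index.to_bytes(4, "big") + data, hashlib.sha256).hexdigest()
    return {"index": index, "data": data, "sig": mac}


def verify_change(change: dict, key: bytes = WORKSPACE_KEY) -> bool:
    """True only if the change was signed with the current workspace key."""
    msg = change["index"].to_bytes(4, "big") + change["data"]
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, change["sig"])


def apply_changes(local: bytes, changes: list, key: bytes = WORKSPACE_KEY) -> bytes:
    """Merge signed portions into the local copy. A change that fails to verify
    (tampered, or signed with a key revoked by an uninvite) is rejected whole."""
    if not all(verify_change(c, key) for c in changes):
        raise ValueError("rejected change: bad signature or stale workspace key")
    portions = [local[i:i + PORTION] for i in range(0, len(local), PORTION)]
    for c in changes:
        portions.extend([b""] * (c["index"] + 1 - len(portions)))  # grow if new
        portions[c["index"]] = c["data"]
    return b"".join(portions)
```

Rotating `WORKSPACE_KEY` after an uninvite means changes signed by the absent member no longer verify, which is how the lockout in the paragraph above takes effect without touching their offline copy.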

In addition to controlling workspace members, Groove is able to synchronise data between devices (e.g. a home PC and a work PC) by inviting other devices into the workspace. If a conflict does occur during synchronisation, then two copies are created and the duplicate is suffixed with the username.

Within Groove, it’s easy to identify new content as it gains an additional red flash on the icon. There’s also a communications manager which can be used to monitor the status of synchronisation.

By default, Groove communicates using its native simple symmetrical transfer protocol (SSTP) over TCP port 2492. If this port is unavailable (e.g. blocked by a firewall) then the client and/or relay servers will encapsulate messages within standard HTTP and drop back to using HTTPS over port 443 or, as a last resort, HTTP on port 80, as described in Microsoft knowledge base article 917165.

Each workspace can be based on a standard template or can include additional collaboration tools, including file sharing, discussion tool, calendar, forms, SharePoint files, meeting tool, notepad, pictures and a sketchpad. It’s also possible to build custom forms (or to import them from InfoPath). In addition to workspaces, Groove provides an instant messaging and presence awareness capability for workspace members. I found it strange that Microsoft should continue the use of the Groove instant messaging feature (in addition to its other IM clients) but in reality this is the lowest common denominator – it will read contact lists for both Windows Live Messenger and Office Communicator but because there are no guarantees that all workspace members will be using the same instant messaging client, building the capability into Groove neatly circumvents any connectivity issues.

One of the main changes with Microsoft Office Groove is the product packaging – whereas the Groove Networks incarnation of the product was based around a distributed network of users and Groove’s own public (but highly secure) servers, corporate customers need to see that their data is stored on servers under their own control, with tight controls over account creation. Consequently, Microsoft have made it easier for corporate clients to run the Groove server product internally.

In addition to the Office Groove client application, there are a number of server roles – manager, relay (store and forward synchronisation and messages between workspace members as they come online while others are offline), data bridge (to allow the extension of data to other teams) and an enterprise auditing management server.

Centralised administration is made possible using policies to apply identity and device controls (e.g. throttling bandwidth). The Groove server maintains its own account database (which can be synchronised with other directory servers) for provisioning and revoking access and this is where Groove’s heritage is obvious – it would seem reasonable to expect future versions of the product to feature tighter Active Directory integration and possibly the use of ADAM where a connection to a non-Microsoft directory is required.

One potential issue for organisations looking at using Groove in a centralised manner is that of backing up the distributed data within Groove, because there is no central storage location and backups of local copies of the workspace can be invalidated by subsequent PKI key changes. Microsoft’s answer is that the synchronisation mechanism provides built-in protection – certainly more than is generally afforded to user data held on individual PCs.

There is still a hosted version of the product – Office Live Groove. This allows workspace members to use the Groove client with a public relay server; however they do not lose any of the security within the product. All communications are still signed and all data on the relay server is transient. For many organisations that do not want to maintain their own Groove server infrastructure, this is an ideal solution.

In all, Office Groove 2007 looks to be a great product. The only problem I can see is persuading an IT Manager from a blue-chip corporate to look at a product called “Groove” (it’s probably not such an issue in a creative organisation). Maybe the usual bland Microsoft product names are not so bad after all…

To find out more, read the Microsoft Office Groove 2007 product guide or download a trial version of Office Groove 2007 – both are available from the Microsoft website.

VMware ESX Server and HP MSA1500 – Active/Active or Active/Passive?

Recently, I’ve been working on a design for a virtual infrastructure, based on VMware Virtual Infrastructure 3 with HP ProLiant servers and a small SAN – an HP MSA1500cs with MSA30 (Ultra320 SCSI) and MSA20 (SATA) disk shelves.

The MSA is intended as a stopgap solution until we have an enterprise SAN in place but it’s an inexpensive workgroup solution which will allow us to get the virtual infrastructure up and running, providing a mixture of SATA LUNs (for VCB, disk images, templates, etc.) and SCSI LUNs (for production virtual machines). The MSA’s Achilles’ heel is the controller, which only provides a single 2Gbps fibre channel connection – a serious bottleneck. Whilst two MSA1500 controllers can be used, the default configuration is active-passive; however HP now has firmware for active-active configurations when used with certain operating systems – what was unclear to me was how VMware ESX Server would see this.

I asked the question in the VMTN community forums thread entitled Active-Active MSA controller config. with VI3 and MSA1500 and got some helpful responses indicating that an active-active configuration was possible; however, as another user pointed out, the recommended most recently used (MRU) path policy seemed to be at odds with VMware’s fixed path advice for active-active controller configurations.

Thanks to the instructor on my VMware training course this week, I learned that, although the MSA controllers are active-active (i.e. they are both up and running – rather than one of them remaining in standby mode), they are not active-active from a VMware perspective – i.e. each controller can present a different set of LUNs to the ESX server but there is only one path to a LUN at any one time. Therefore, to ESX Server they are still active-passive. I also found the following on another post which seems to have been removed from the VMTN site (at least, I couldn’t get the link from Google to work) but Google had a cached copy of it:

“The active/active description”… “seems to imply that they are active/active in the sense that both are doing work but perhaps driving different LUN’s? i.e. if you have 10 volumes defined you might have 5 driven by controller A and 5 driven by controller B. Should either A or B fail all ten are going to be driven by the surviving controller. This is active/active yes [but] this is also the definition of active/passive in ESX words (i.e. only one controller have access to one LUN at any given time).”

Based on the above quote, it seems that MSA1500 solutions can be used with VMware products in an active-active configuration (which should, theoretically, double the throughput) but the MRU recommended path policy must be used as only one controller can access a LUN at any given time.