Upgrade GroupWise WebAccess

With GroupWise 2012, Novell made some major changes to WebAccess, which continue with GroupWise 2014. There is no longer a GWINTER (WebAccess Agent) for GroupWise WebAccess. Rather than having the WebAccess Application (web server) speak to the WebAccess Agent to gather information for the user, the WebAccess Application speaks directly to the POA via SOAP.

Also, the directory objects for the WebAccess Application are no longer used. If you have read our books on manually configuring GroupWise WebAccess on Apache, you will know that these agents were always “optional” and were essentially just a GUI interface for editing the web server and WebAccess configuration files. From here on out, you will need to make configuration changes directly to the webacc.cfg file if you wish to modify your WebAccess Application settings. We will go over some of those settings later in this chapter.

Finally, the GroupWise 2014 WebAccess cannot service users on post offices that have not been upgraded to GroupWise 2014. In other words, if you will not upgrade all of your post offices rapidly (perhaps over a weekend or other “off” time such as a long holiday), you will either need to leave your WebAccess at your current GroupWise version, or have two separate WebAccess installations to provide for both your older post offices and your new GroupWise 2014 post offices.

GroupWise 7 and later WebAccess installations can access a GroupWise 2014 post office with no major downsides (we have not checked. Of course, your users will not be able to utilize any of the new features of the GroupWise 2014 WebAccess, but the users will be able to log into the upgraded PO through a GroupWise 7 or later WebAccess installation.

Since you are moving your server, you will simply install GroupWise WebAccess on your target server.

Preparing For The Upgrade To GroupWise 2014 WebAccess

For the Web Server running the WebAccess Application you will need one of the following:

SLES 11/OES 11

Apache 2.2 plus:

  • Tomcat 6.0 or later (installed via YaST for SLES, or during GroupWise installation for OES11)
  • JRE 5 or later
  • ModProxy Module

Windows Server 2008/2008 R2/2010

Microsoft Internet Information Server (IIS) 7 or later plus:

  • Tomcat 6 or later
  • JRE 5 or later
  • Jakarta Connector 1.2 or later
  • ISAPI Support

Firewall Considerations

The GroupWise 2014 WebAccess Application requires access to the SOAP port on each Post Office Agent in the system. This is typically port 7191. The GroupWise 2014 WebAccess Application also requires access to at least one GroupWise Document Viewer Agent (GWDVA) in the system. This is generally port 8301. Ensure that your firewall does not block this access by the WebAccess Application.

While we do not wish to get into a huge server placement discussion here, web server placement IS important, especially if you are upgrading from a system prior to GroupWise 2012. With GroupWise 8 and earlier, the web server only needed to talk to one WebAccess Agent on port 7205 (although it was possible to configure fault-tolerance and have multiple WebAccess Agents accessible by the Web Server). With GroupWise 2012 and later, ALL post office agents need to be accessible on the SOAP port, and at least one GWDVA needs to be accessible. Thus, if you place your web server in the DMZ, you potentially need to open many more “holes” into the inside. If you place the web server inside of your network, you only need to open port 433 (and 80 if you insist, but you should use SSL, so in reality you could get by with only port 443 being open to the internal web server).

To make your WebAccess installation fault tolerant, you could use an L4 switch and round-robin between multiple WebAccess server installations.

Installing WebAccess

Linux WebAccess Installation

  1. If you are in a GUI file browser like Nautilus or Konqueror, just click on install.sh in your extracted software directory, and choose Run in Terminal (this is a text based installation, and will only run from the terminal). If you are at a terminal window, type ./install.sh in the directory where the script resides. Here’s the installation screen!
    1. The Installation Windowlinuxinstall003.tif

Notice that this is no longer a GUI installation. Everything is text based. In many builds of this installation routine, we have noticed that the arrow keys do not work, and you must use the tab key. If you have issues with arrowing around, use the tab and shift-tab.

  1. You have 5 languages to choose from here. Choose your language, and we’ll move on.
  2. At the next screen you will have two choices: Documentation and Installation. Documentation will attempt to open a web browser and take you to the Novell docs. Remember that the installation can be done in a totally text based environment, thus if you have no GUI/browser available to you, you will only be able to view the Readme if you choose to look at the documentation.
  3. The next screen will present you with the EULA. When you agree to the EULA you are moved to the following screen:
    1. linuxinstall087.tifThe Main Installation Screen
  4. Here we will choose to install GroupWise Webaccess. Choose OK.
  5. Next you have the option of Install or Configure
    1. linuxinstall088.tifInstallation Screen

We’ll of course choose Install. This will install the actual files. We will later go to configure.

  1. The installation routine will copy the necessary files to the server (and check the server repositories for needed updates to server software. Apache and Tomcat will also be restarted.

Once the files are installed, you will receive a prompt to “press any key to return . . .”. This will take you back to the Install/Configure menu.

  1. Next we will choose Configure. At the next screen choose 1 to Continue.
  2. In the following figure you see the text that says “Specify the network address and port of the Post Office Agent. Please note that this is two different fields, but you will not see the “port” field until after you enter the network address. Do not get confused and think you need to put the port on the same line as the network address. You need only enter one POA location for WebAccess to work. WebAccess will connect to that POA and if the user requesting access belongs to a different post office, standard post office redirection will send the user to the proper POA.
    1. Post Office Agent SOAP setuplinuxinstall065.tif
  3. The next screen will be the same, except it is for the GWDVA information. We will discuss more about the DVA below. The DVA port is 8301 by default.
    1. DVA Port Setuplinuxinstall066.tif
  4. The next screen indicates the location of Apache and Tomcat. Unless you have manually configured a different instance of Apache, these paths should be correct.
  5. linuxinstall067.tifThe configuration will finish, and you will be returned to the Install/Configure screen. Choose Back and then Exit.
  6. While the installation should restart Apache and Tomcat, to be thorough, you should do the following steps:

/etc/init.d/apache2 restart

and

/etc/init.d/tomcat6 restart (SLES 11)

or

/etc/init.d/novell-tomcat6 restart (OES)

Even though deep down we know that OES uses novell-tomcat6, sometimes we also restart tomcat6 for good measure.

Windows WebAccess Installation

  1. From Windows Explorer, double-click on setup.exe in your installation directory. Here’s the installation screen!
    1. The Installation Windowlinuxinstall049.tif
  2. Here we will choose to install WebAccess.
  3. Choose your language.
  4. The WebAccess installation routine will be launched. When you see the Installation Welcome screen, press Next.
  5. Here you will choose the Web Server Information. Unless you have more than one web server location running on this server, the default location is where you should place GroupWise WebAccess. Click on Default Web Site and click next.
  6. In the following figure you will enter the information for the network address and port of the Post Office Agent. You need only enter one POA location for WebAccess to work. WebAccess will connect to that POA and if the user requesting access belongs to a different post office, standard post office redirection will send the user to the proper POA.
    1. Post Office Agent SOAP setuplinuxinstall073.tif
  7. The next screen will be the same, except it is for the GWDVA information. We will discuss more about the DVA below. The DVA port is 8301 by default.
    1. DVA Port Seetuplinuxinstall074.tif
  8. At the summary screen, check your settings, and click Install.
  9. You will be prompted to either shut down IIS manually, or allow the installation to shut it down for you. Click Yes when you are ready.
  10. The installation will proceed, and you will see the final screen, and your WebAccess installation is complete.
    1. linuxinstall075.tifThe Completed WebAccess launch
  11. Click Finish to return to the Main GroupWise Installation screen.

Loading the GroupWise WebAccess Application

Linux

The commands for loading the Apache web server and Tomcat on Linux are as follows:

/etc/init.d/apache2 start

and

/etc/init.d/novell-tomcat6 start (OES)

or

/etc/init.d/tomcat6 start (SLES)

You can also check status, stop and restart using these scripts. For example:

/etc/init.d/apache2 restart

Most SLES/OES commands are also available from any location through a search path by appending “rc” to the command. For example,

rcapache2 restart

OES will auto-start both Apache and Tomcat on a reboot. To ensure that your WebAccess is functional after a reboot of SLES, do the following:

chkconfig apache2 on

chkconfig tomcat6 on

Microsoft Windows Server

The GroupWise WebAccess Application is designed to start when the Microsoft IIS Service and Web Server is started. The Microsoft IIS Web server is designed to start with the Microsoft Internet Information Server service is started. To restart the service, open the Internet Information Services (IIS) Manager from the Administrative Tools menu. Click on your Web Server (top left). On the right side you will see options to Restart, Start and Stop the server.

Configuration Options

The majority of WebAccess optimizations are done through the webacc.cfg file. This file is found in the following locations:

Linux: /var/opt/novell/groupwise/webaccess

Windows: c:\Novell\GroupWise\WebAccess on the Web server

The original webacc.cfg file on a particular server will be very orderly, and broken into distinct sections. As you patch and update your server over time, new settings will be saved to the bottom of the file in a section called “Values added by install to update config file”. If you change information in the file, make sure to look at the end to ensure that you do not have conflicting values, as the final value will win!

There are many interesting options in the webacc.cfg. We encourage you to look through the file to see what might interest you.

Following are some important configurations options pertaining to the upgrade that you should know more about. After any changes, restart Apache and Tomcat (see the section above for “Loading the GroupWise WebAccess Application” for instructions on restarting these processes.

Configuring Additional Post Office Agents

The GroupWise WebAccess Application talks directly to post office agents in your GroupWise system to gather the information necessary to show in WebAccess. During installation, you can only supply one post office agent address. However, you can supply as many POA designations as you like, and the WebAccess Application will attempt them in order until it finds a POA that responds. This is only for initial connection to the GroupWise system. Adding additional post offices here adds fault tolerance. For example, if POA1 is down, and it is the only Post Office Agent defined in webacc.cfg, then all users in your system are locked out of WebAccess. Adding additional “entry points” for the WebAccess Application allows you to continue to provide WebAccess services to users of those Post Offices that are active.

If the user logging in does not belong to the POA that is contacted by the WebAccess Application, the redirection table will send the WebAccess Application to the proper location.

In the webacc.cfg, search for Provider.SOAP.1.ip – for example:

Provider.SOAP.1.ip=192.168.110.237

Provider.SOAP.1.port=7191

Copy these two lines and change the “1” to a “2” in each line, and modify the IP address and port.

Provider.SOAP.2.ip=192.168.110.238

Provider.SOAP.2.port=7191

Do this as many times as necessary, making sure to have two lines for each SOAP provider number you add.

Configuring Additional Document Viewer Agents

As with the Post Office Agent, you can only configure one instance during installation. Modify the following information to add additional DVAs to your webacc.cfg:

In the webacc.cfg, search for Provider.DVA.1.ip – for example:

Provider.DVA.1.ip=192.168.110.237

Provider.DVA.1.port=8301

Copy these two lines and change the “1” to a “2” in each line, and modify the IP address and port.

Provider.DVA.2.ip=192.168.110.238

Provider.DVA.2.port=8301

Do this as many times as necessary, making sure to have two lines for each SOAP provider number you add.

Configuring HTTP Monitor for WebAccess

Like the other GroupWise Agents, you can configure a web based monitor for WebAccess administration activity. The webacc.cfg file contains the following lines:

##############################################################

# Application Administration Tool

# Invoked on the URL

# (e.g. http://<server>/gw/webacc?action=Admin.Open)

##############################################################

Admin.WebConsole.enable=true

Admin.RestService.host=127.0.0.1

Admin.RestService.port=9710

You can turn this on or off. By going to your server at the URL specified, you can log in and view logged in users, configuration and log files.

  1. The WebAccess Administration Consolelinuxinstall207.tif

Setting the GroupWise 2012 WebAccess as Your Default

If your system will have more than one version of WebAccess in order to accommodate older GroupWise post offices, you can choose to have a single entry point for all of your users. For example, you may already have https://mail.yourdomain.com/gw/webacc pointing to your GroupWise 2012 or older WebAccess. Rather than having to direct users to multiple locations, you can continue to have https://mail.yourdomain.com/gw/webacc as the entry point for all users, and redirect users on older post offices to https://gw12.yourdomain.com/gw/webacc. In order to do this, you must make a change in the webacc.cfg file, and of course create an A Record in DNS for your secondary WebAccess server (in our example, gw12.yourdomain.com).

This setting is found in the webacc.cfg file as:

#Redirect.url=http://gw8.novell.com/gw/webacc

simply remove the pound sign and change the URL to match your desired URL. Once the system is restarted, if a user logs into your http://mail.yourdomain.com/gw/webacc location, their POA will indicate it is not a GroupWise 2013 post office and the WebAccess Application will redirect the user to the older GroupWise WebAccess Application. The user will be required to enter their WebAccess credentials again. These credentials are not passed through to the redirected server.

  1. linuxinstall077.tifRedirecting to an older WebAccess server

Security Timeouts

GroupWise 2012 brought a new set of security timeouts to WebAccess, and they are still effective for GroupWise 2014. When a user logs into WebAccess, the user has the option on the main login screen to choose whether the computer is public or private. This allows for users who access GroupWise solely via WebAccess, from a private computer at home or at the office to have a longer timeout value set. These values are listed in the webacc.cfg as:

Security.timeout=20

Security.Private.timeout=480

Setting the “Private” timeout to a higher value “in minutes” prevents users in a more secure setting from timing out multiple times a day, no doubt reducing their frustration!

Deleting Unneeded eDirectory Objects

In prior versions of GroupWise, when you installed WebAccess, an object representing the WebAccess Agent (Gateway) was created in eDirectory and the GroupWise view. Also, objects for the WebAccess Application were created (most commonly under the GroupWise domain object itself, but realistically they could be anywhere!). These objects are no longer used, and can be removed from eDirectory to avoid confusion. We recommend that you give your system a few days to settle down before you delete them, but once everything is working as you expect you can delete the following items:

  • GroupWise WebAccess Agents no longer in use. Make certain you export any access control settings you might need as outlined above before you delete the objects!
  • GroupWiseProvider Objects
  • LDAPProvider Objects
  • GroupWiseWebAccess Object
  • NovellSpeller Objects

Troubleshooting

There are settings in the webacc.cfg that pertain to how the new admin console connects to the GroupWise Administration Service.

######################################################################

# Application Administration Tool

######################################################################

Admin.WebConsole.enable=true

Admin.RestService.host=127.0.0.1

Admin.RestService.port=9710

There are a couple of reasons why these default settings might not work for you:

  • If you are running WebAccess on a server that does not have a GroupWise Administration Service running, the setting of 127.0.0.1 will be invalid. You will need to change it to the proper ID address.
  • If you have an MTA running on this server, but it is set to bind to a specific IP address, the Admin Service will also not be listening on localhost (127.0.0.1) and you should change this to the specific location. Surprisingly, if your MTA is set to a host name rather than an IP address, the Admin Service could complain if you enter an IP address here. Test to see which works properly for you.
  • If you have modified the default port for your Admin Service, you will also need to change the information here.

Once you are ready to continue, just turn to the next chapter in your upgrade plan.