Upgrade GroupWise WebAccess

Revision for “Upgrade GroupWise WebAccess” created on April 5, 2014 @ 19:13:56

<p class="Body"><a id="Anchor-6"/>With GroupWise 2012, Novell made some major changes to WebAccess, which continue with GroupWise 2014. There is no longer a GWINTER (WebAccess Agent) for GroupWise WebAccess. Rather than having the WebAccess Application (web server) speak to the WebAccess Agent to gather information for the user, the WebAccess Application speaks directly to the POA via SOAP.</p>
<p class="Body">Also, the directory objects for the WebAccess Application are no longer used. If you have read our books on manually configuring GroupWise WebAccess on Apache, you will know that these agents were always “optional” and were essentially just a GUI interface for editing the web server and WebAccess configuration files. From here on out, you will need to make configuration changes directly to the <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg</span> file if you wish to modify your WebAccess Application settings. We will go over some of those settings later in this chapter.</p>
<p class="Body">Finally, the GroupWise 2014 WebAccess cannot service users on post offices that have not been upgraded to GroupWise 2014. In other words, if you will not upgrade all of your post offices rapidly (perhaps over a weekend or other “off” time such as a long holiday), you will either need to leave your WebAccess at your current GroupWise version, or have two separate WebAccess installations to provide for both your older post offices and your new GroupWise 2014 post offices.</p>
<p class="Body">GroupWise 7 and later WebAccess installations can access a GroupWise 2014 post office with no major <span class="char-style-override-2">downsides (we have not checked. Of course, your users will not be able to utilize any of the new features of the GroupWise 2014 WebAccess, but the users will be able to log into the upgraded PO through a GroupWise 7 or later WebAccess installation.</span></p>
<p class="Body"><span class="char-style-override-2">Since you are moving your server, you will simply install GroupWise WebAccess on your target server. </span></p>
<p class="Head1">Preparing For The Upgrade To GroupWise 2014 WebAccess </p>
<p class="Body">For the Web Server running the WebAccess Application you will need one of the following:</p>
<p class="Head2">SLES 11/OES 11</p>
<p class="Body">Apache 2.2 plus:</p>
<ul class="List-1">
<li class="Bullet">Tomcat 6.0 or later (installed via YaST for SLES, or during GroupWise installation for OES11)</li>
<li class="Bullet">JRE 5 or later</li>
<li class="Bullet">ModProxy Module</li>
</ul>
<p class="Head2">Windows Server 2008/2008 R2/2010</p>
<p class="Body">Microsoft Internet Information Server (IIS) 7 or later plus:</p>
<ul class="List-1">
<li class="Bullet">Tomcat 6 or later</li>
<li class="Bullet">JRE 5 or later</li>
<li class="Bullet">Jakarta Connector 1.2 or later</li>
<li class="Bullet">ISAPI Support</li>
</ul>
<p class="Head1">Firewall Considerations</p>
<p class="Body">The GroupWise 2014 WebAccess Application requires access to the SOAP port on each Post Office Agent in the system. This is typically port 7191. The GroupWise 2014 WebAccess Application also requires access to at least one GroupWise Document Viewer Agent (GWDVA) in the system. This is generally port 8301. Ensure that your firewall does not block this access by the WebAccess Application. </p>
<p class="Body">While we do not wish to get into a huge server placement discussion here, web server placement IS important, especially if you are upgrading from a system prior to GroupWise 2012. With GroupWise 8 and earlier, the web server only needed to talk to one WebAccess Agent on port 7205 (although it was possible to configure fault-tolerance and have multiple WebAccess Agents accessible by the Web Server). With GroupWise 2012 and later, ALL post office agents need to be accessible on the SOAP port, and at least one GWDVA needs to be accessible. Thus, if you place your web server in the DMZ, you potentially need to open many more “holes” into the inside. If you place the web server inside of your network, you only need to open port 443 (and 80 if you insist, but you should use SSL, so in reality you could get by with only port 443 being open to the internal web server).</p>
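<p class="Body">To confirm the firewall rules from the web server itself, the following added example (not part of the original chapter or of GroupWise) probes each agent port and applies the rule stated above: every POA SOAP port must be reachable, plus at least one GWDVA. The endpoint list is constructed from this chapter's example addresses and default ports; the function names are illustrative.</p>

```python
import errno
import socket

# Constructed endpoint list: (label, host, port). Addresses are this chapter's
# example values; ports are the defaults it names (SOAP 7191, DVA 8301).
ENDPOINTS = [
    ("POA SOAP", "192.168.110.237", 7191),
    ("POA SOAP", "192.168.110.238", 7191),
    ("GWDVA", "192.168.110.237", 8301),
]


def probe(host, port, timeout=3.0, connector=socket.create_connection):
    """Classify one TCP connection attempt made from the web server.

    open     - handshake completed; the agent is listening and reachable
    refused  - the host answered with a reset: path open, nothing listening
    filtered - no answer or unreachable: consistent with a firewall drop
    error    - name resolution or another local failure
    """
    try:
        conn = connector((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except socket.gaierror:
        return "error"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
            return "filtered"
        return "error"
    conn.close()
    return "open"


def check_requirements(endpoints, **kwargs):
    """Every POA SOAP port must be open, and at least one GWDVA.

    Returns (results, failures); an empty failures list means the rule holds.
    """
    results = [(label, host, port, probe(host, port, **kwargs))
               for label, host, port in endpoints]
    failures = [f"{label} {host}:{port} is {state}"
                for label, host, port, state in results
                if label == "POA SOAP" and state != "open"]
    dva = [r for r in results if r[0] == "GWDVA"]
    if not any(state == "open" for *_, state in dva):
        failures.append("no GWDVA reachable")
    return results, failures


if __name__ == "__main__":
    results, failures = check_requirements(ENDPOINTS)
    for label, host, port, state in results:
        print(f"{label:9} {host}:{port} {state}")
    for failure in failures:
        print("FAIL", failure)
```

<p class="Body">A “refused” result means the path through the firewall is open but the agent is not listening on that port, while “filtered” points at the firewall itself.</p>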
<p class="Body">To make your WebAccess installation fault tolerant, you could use an L4 switch and round-robin between multiple WebAccess server installations.</p>
<p class="Head1"><span>Installing </span>WebAccess </p>
<p class="Head2">Linux WebAccess Installation</p>
<p class="Body"/>
<ol>
<li class="Number-Step-1">If you are in a GUI file browser like Nautilus or Konqueror, just click on <span class="Typed-in-Text" style="font-size:0.9em;">install.sh</span> in your extracted software directory, and choose Run in Terminal (this is a text based installation, and will only run from the terminal). If you are at a terminal window, type <span class="Typed-in-Text" style="font-size:0.9em;">./install.sh</span> in the directory where the script resides. Here’s the installation screen! <ol><li class="Caption-1">The Installation Window<img class="Object-Style-1" width="74%" src="webacc-lulu-web-images/linuxinstall003_fmt.png" alt="linuxinstall003.tif"/></li></ol></li>
</ol>
<p class="Number-Step-Indent"/>
<p class="Number-Step-Indent">Notice that this is no longer a GUI installation. Everything is text based. In many builds of this installation routine, we have noticed that the arrow keys do not work, and you must use the tab key. If you have issues with arrowing around, use the tab and shift-tab.</p>
<ol>
<li class="Number-Step">You have 5 languages to choose from here. Choose your language, and we’ll move on.</li>
<li class="Number-Step">At the next screen you will have two choices: Documentation and Installation. Documentation will attempt to open a web browser and take you to the Novell docs. Remember that the installation can be done in a totally text based environment, thus if you have no GUI/browser available to you, you will only be able to view the <span class="Typed-in-Text" style="font-size:0.9em;">Readme</span> if you choose to look at the documentation. </li>
<li class="Number-Step">The next screen will present you with the EULA. When you agree to the EULA you are moved to the following screen:<ol><li class="Caption-1"><img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall087_fmt.png" alt="linuxinstall087.tif"/>The Main Installation Screen</li></ol></li>
<li class="Number-Step">Here we will choose to install GroupWise WebAccess. Choose OK.</li>
<li class="Number-Step">Next you have the option of Install or Configure<ol><li class="Caption-1"><a id="Anchor-5"/><img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall088_fmt.png" alt="linuxinstall088.tif"/>Installation Screen</li></ol></li>
</ol>
<p class="Body"/>
<p class="Number-Step-Indent">We’ll of course choose Install. This will install the actual files. We will later go to configure.</p>
<ol>
<li class="Number-Step">The installation routine will copy the necessary files to the server (and check the server repositories for needed updates to server software). Apache and Tomcat will also be restarted.</li>
</ol>
<p class="Number-Step-Indent">Once the files are installed, you will receive a prompt to “press any key to return . . .”. This will take you back to the Install/Configure menu.</p>
<ol>
<li class="Number-Step">Next we will choose Configure. At the next screen choose 1 to Continue.</li>
<li class="Number-Step">In the following figure you see the text that says “Specify the network address and port of the Post Office Agent.” Please note that these are two different fields, but you will not see the “port” field until after you enter the network address. Do not get confused and think you need to put the port on the same line as the network address. You need only enter one POA location for WebAccess to work. WebAccess will connect to that POA and if the user requesting access belongs to a different post office, standard post office redirection will send the user to the proper POA.<ol><li class="Caption-1">Post Office Agent SOAP setup<img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall065_fmt.png" alt="linuxinstall065.tif"/></li></ol></li>
<li class="Number-Step">The next screen will be the same, except it is for the GWDVA information. We will discuss more about the DVA below. The DVA port is 8301 by default.<ol><li class="Caption-1">DVA Port Setup<img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall066_fmt.png" alt="linuxinstall066.tif"/></li></ol></li>
<li class="Number-Step">The next screen indicates the location of Apache and Tomcat. Unless you have manually configured a different instance of Apache, these paths should be correct.</li>
<li class="Number-Step"><img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall067_fmt.png" alt="linuxinstall067.tif"/>The configuration will finish, and you will be returned to the Install/Configure screen. Choose Back and then Exit.</li>
<li class="Number-Step">While the installation should restart Apache and Tomcat, to be thorough, you should do the following steps:</li>
</ol>
<p class="Body"><span class="Typed-in-Text" style="font-size:0.9em;">/etc/init.d/apache2 restart </span></p>
<p class="Body"><span class="char-style-override-2">and </span></p>
<p class="Body"><span class="Typed-in-Text" style="font-size:0.9em;">/etc/init.d/tomcat6 restart (SLES 11)</span></p>
<p class="Body">or</p>
<p class="Body"><span class="Typed-in-Text" style="font-size:0.9em;">/etc/init.d/novell-tomcat6 restart (OES)</span></p>
<p class="Note"><span>Even though deep down we know that OES uses novell-tomcat6, sometimes we also restart tomcat6 for good measure.</span></p>
<p class="Head2">Windows WebAccess Installation</p>
<p class="Body"/>
<ol>
<li class="Number-Step-1">From Windows Explorer, double-click on <span class="Typed-in-Text" style="font-size:0.9em;">setup.exe</span> in your installation directory. Here’s the installation screen! <ol><li class="Caption-1">The Installation Window<img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall049_fmt.png" alt="linuxinstall049.tif"/></li></ol></li>
<li class="Number-Step">Here we will choose to install WebAccess.</li>
<li class="Number-Step">Choose your language.</li>
<li class="Number-Step">The WebAccess installation routine will be launched. When you see the Installation Welcome screen, press Next.</li>
<li class="Number-Step">Here you will choose the Web Server Information. Unless you have more than one web server location running on this server, the default location is where you should place GroupWise WebAccess. Click on Default Web Site and click next.</li>
<li class="Number-Step">In the following figure you will enter the information for the network address and port of the Post Office Agent. You need only enter one POA location for WebAccess to work. WebAccess will connect to that POA and if the user requesting access belongs to a different post office, standard post office redirection will send the user to the proper POA.<ol><li class="Caption-1">Post Office Agent SOAP setup<img class="Object-Style-1" width="77%" src="webacc-lulu-web-images/linuxinstall073_fmt.png" alt="linuxinstall073.tif"/></li></ol></li>
<li class="Number-Step">The next screen will be the same, except it is for the GWDVA information. We will discuss more about the DVA below. The DVA port is 8301 by default.<ol><li class="Caption-1">DVA Port Setup<img class="Object-Style-1" width="77%" src="webacc-lulu-web-images/linuxinstall074_fmt.png" alt="linuxinstall074.tif"/></li></ol></li>
<li class="Number-Step"><span class="char-style-override-2">At the summary screen, check your settings, and click Install.</span></li>
<li class="Number-Step"><span class="char-style-override-2">You will be prompted to either shut down IIS manually, or allow the installation to shut it down for you. Click Yes when you are ready.</span></li>
<li class="Number-Step"><span class="char-style-override-2">The installation will proceed, and you will see the final screen, and your WebAccess installation is complete.</span><ol><li class="Caption-1"><img class="Object-Style-1" width="78%" src="webacc-lulu-web-images/linuxinstall075_fmt.png" alt="linuxinstall075.tif"/>The Completed WebAccess launch</li></ol></li>
<li class="Number-Step">Click Finish to return to the Main GroupWise Installation screen.</li>
</ol>
<p class="Head1"><a id="Anchor-16"/>Loading the GroupWise WebAccess Application </p>
<p class="Head2">Linux </p>
<p class="Body"><span class="char-style-override-2">The commands for loading the Apache web server and Tomcat on Linux are as follows: </span></p>
<p class="Body"/>
<p class="Typed-In-Text">/etc/init.d/apache2 start</p>
<p class="Body">and</p>
<p class="Typed-In-Text">/etc/init.d/novell-tomcat6 start (OES)</p>
<p class="Body">or</p>
<p class="Typed-In-Text">/etc/init.d/tomcat6 start (SLES)</p>
<p class="Body"/>
<p class="Body"><span class="char-style-override-2">You can also check status, stop and restart using these scripts. For example:</span></p>
<p class="Typed-In-Text">/etc/init.d/apache2 restart</p>
<p class="Body"/>
<p class="Body">Most SLES/OES commands are also available from any location through a search path by appending “rc” to the command. For example,</p>
<p class="Typed-In-Text">rcapache2 restart</p>
<p class="Typed-In-Text"><span class="char-style-override-3">OES will auto-start both Apache and Tomcat on a reboot. To ensure that your WebAccess is functional after a reboot of SLES, do the following:</span></p>
<p class="Typed-In-Text"/>
<p class="Typed-In-Text">chkconfig apache2 on </p>
<p class="Typed-In-Text">chkconfig tomcat6 on</p>
<p class="Typed-In-Text"/>
<p class="Head2">Microsoft Windows Server </p>
<p class="Body"><span class="char-style-override-2">The GroupWise WebAccess Application is designed to start when the Microsoft IIS Service and Web Server is started. The Microsoft IIS Web server is designed to start when the Microsoft Internet Information Server service is started. To restart the service, open the Internet Information Services (IIS) Manager from the Administrative Tools menu. Click on your Web Server (top left). On the right side you will see options to Restart, Start and Stop the server.</span></p>
<p class="Head1"><a id="Anchor"/>Configuration Options</p>
<p class="Body">The majority of WebAccess optimizations are done through the <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg</span> file. This file is found in the following locations:</p>
<p class="Typed-In-Text"> Linux: /var/opt/novell/groupwise/webaccess</p>
<p class="Typed-In-Text"> Windows: c:\Novell\GroupWise\WebAccess on the Web server</p>
<p class="Body">The original webacc.cfg file on a particular server will be very orderly, and broken into distinct sections. As you patch and update your server over time, new settings will be saved to the bottom of the file in a section called “Values added by install to update config file”. If you change information in the file, make sure to look at the end to ensure that you do not have conflicting values, as the final value will win!</p>
<p class="Body">There are many interesting options in the webacc.cfg. We encourage you to look through the file to see what might interest you. </p>
<p class="Body">Following are some important configuration options pertaining to the upgrade that you should know more about. After any changes, restart Apache and Tomcat (see the section above, <a href="#Anchor-16"><span class="Cross-Reference">“Loading the GroupWise WebAccess Application”</span></a>, for instructions on restarting these processes).</p>
<p class="Head2">Configuring Additional Post Office Agents</p>
<p class="Body">The GroupWise WebAccess Application talks directly to post office agents in your GroupWise system to gather the information necessary to show in WebAccess. During installation, you can only supply one post office agent address. However, you can supply as many POA designations as you like, and the WebAccess Application will attempt them in order until it finds a POA that responds. This is only for initial connection to the GroupWise system. Adding additional post offices here adds fault tolerance. For example, if POA1 is down, and it is the only Post Office Agent defined in webacc.cfg, then all users in your system are locked out of WebAccess. Adding additional “entry points” for the WebAccess Application allows you to continue to provide WebAccess services to users of those Post Offices that are active.</p>
<p class="Body">If the user logging in does not belong to the POA that is contacted by the WebAccess Application, the redirection table will send the WebAccess Application to the proper location.</p>
<p class="Body">In the webacc.cfg, search for Provider.SOAP.1.ip – for example:</p>
<p class="Typed-In-Text"> Provider.SOAP.1.ip=192.168.110.237</p>
<p class="Typed-In-Text"> Provider.SOAP.1.port=7191</p>
<p class="Body">Copy these two lines and change the “1” to a “2” in each line, and modify the IP address and port.</p>
<p class="Typed-In-Text"> Provider.SOAP.2.ip=192.168.110.238</p>
<p class="Typed-In-Text"> Provider.SOAP.2.port=7191</p>
<p class="Body">Do this as many times as necessary, making sure to have two lines for each SOAP provider number you add.</p>
<p class="Head2">Configuring Additional Document Viewer Agents</p>
<p class="Body">As with the Post Office Agent, you can only configure one instance during installation. Modify the following information to add additional DVAs to your webacc.cfg:</p>
<p class="Body">In the webacc.cfg, search for Provider.DVA.1.ip – for example:</p>
<p class="Typed-In-Text"> Provider.DVA.1.ip=192.168.110.237</p>
<p class="Typed-In-Text"> Provider.DVA.1.port=8301</p>
<p class="Body">Copy these two lines and change the “1” to a “2” in each line, and modify the IP address and port.</p>
<p class="Typed-In-Text"> Provider.DVA.2.ip=192.168.110.238</p>
<p class="Typed-In-Text"> Provider.DVA.2.port=8301</p>
<p class="Body">Do this as many times as necessary, making sure to have two lines for each DVA provider number you add.</p>
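<p class="Body">The “final value wins” rule described under Configuration Options and the two-lines-per-provider rule for SOAP and DVA entries can both be checked before restarting Tomcat. The following is an added example, not code from the original chapter or from GroupWise; the sample file content is constructed, and the function names are illustrative.</p>

```python
import re
from collections import defaultdict

# Constructed sample: an orderly file plus values a later update appended
# at the bottom, as described under Configuration Options.
SAMPLE_CFG = """\
# constructed sample webacc.cfg fragment
Provider.SOAP.1.ip=192.168.110.237
Provider.SOAP.1.port=7191
Provider.SOAP.2.ip=192.168.110.238
Provider.DVA.1.ip=192.168.110.237
Provider.DVA.1.port=8301
Security.timeout=20
#Redirect.url=http://gw8.novell.com/gw/webacc

# Values added by install to update config file
Provider.SOAP.1.ip=192.168.110.240
Security.timeout=20
"""

PROVIDER_KEY = re.compile(r"^Provider\.(SOAP|DVA)\.(\d+)\.(ip|port)$")


def parse_cfg(text):
    """Return {key: [(line_no, value), ...]} for every active key=value line."""
    seen = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, commented out, or not a setting
        key, value = line.split("=", 1)
        seen[key.strip()].append((line_no, value.strip()))
    return dict(seen)


def effective(seen):
    """Apply the rule from the text: the final value in the file wins."""
    return {key: entries[-1][1] for key, entries in seen.items()}


def conflicts(seen):
    """Keys set more than once with differing values, with the lines involved."""
    return {
        key: entries
        for key, entries in seen.items()
        if len({value for _, value in entries}) > 1
    }


def provider_problems(values):
    """Check each Provider.SOAP.N / Provider.DVA.N has an ip and a valid port."""
    parts = defaultdict(dict)
    for key, value in values.items():
        m = PROVIDER_KEY.match(key)
        if m:
            kind, number, field = m.groups()
            parts[(kind, int(number))][field] = value
    problems = []
    for (kind, number), fields in sorted(parts.items()):
        name = f"Provider.{kind}.{number}"
        if not fields.get("ip"):
            problems.append(f"{name}: missing ip line")
        port = fields.get("port")
        if port is None:
            problems.append(f"{name}: missing port line")
        elif not port.isdecimal() or not 1 <= int(port) <= 65535:
            problems.append(f"{name}: invalid port {port!r}")
    return problems


if __name__ == "__main__":
    seen = parse_cfg(SAMPLE_CFG)
    for key, entries in conflicts(seen).items():
        print(f"CONFLICT {key}: {entries} -> effective {entries[-1][1]}")
    for problem in provider_problems(effective(seen)):
        print("PROVIDER", problem)
```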
<p class="Head2">Configuring HTTP Monitor for WebAccess</p>
<p class="Body">Like the other GroupWise Agents, you can configure a web based monitor for WebAccess administration activity. The <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg</span> file contains the following lines:</p>
<p class="Typed-In-Text"> ##############################################################</p>
<p class="Typed-In-Text"> # Application Administration Tool</p>
<p class="Typed-In-Text"> # Invoked on the URL</p>
<p class="Typed-In-Text"> # (e.g. http://&lt;server&gt;/gw/webacc?action=Admin.Open)</p>
<p class="Typed-In-Text"> ##############################################################</p>
<p class="Typed-In-Text"> Admin.WebConsole.enable=true</p>
<p class="Typed-In-Text"> Admin.RestService.host=127.0.0.1</p>
<p class="Typed-In-Text"> Admin.RestService.port=9710</p>
<p class="Typed-In-Text"/>
<p class="Body">You can turn this on or off. By going to your server at the URL specified, you can log in and view logged in users, configuration and log files. </p>
<ol class="List-2">
<li class="Caption-1">The WebAccess Administration Console<img class="Basic-Graphics-Frame" width="93%" src="webacc-lulu-web-images/linuxinstall207_fmt.jpeg" alt="linuxinstall207.tif"/></li>
</ol>
<p class="Head2">Setting the GroupWise 2012 WebAccess as Your Default</p>
<p class="Body">If your system will have more than one version of WebAccess in order to accommodate older GroupWise post offices, you can choose to have a single entry point for all of your users. For example, you may already have <span class="Typed-in-Text" style="font-size:0.9em;">https://mail.yourdomain.com/gw/webacc</span> pointing to your GroupWise 2012 or older WebAccess. Rather than having to direct users to multiple locations, you can continue to have <span class="Typed-in-Text" style="font-size:0.9em;">https://mail.yourdomain.com/gw/webacc</span> as the entry point for all users, and redirect users on older post offices to <span class="Typed-in-Text" style="font-size:0.9em;">https://gw12.yourdomain.com/gw/webacc</span>. In order to do this, you must make a change in the <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg file</span>, and of course create an A Record in DNS for your secondary WebAccess server (in our example, <span class="Typed-in-Text" style="font-size:0.9em;">gw12.yourdomain.com</span>).</p>
<p class="Body">This setting is found in the <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg</span> file as:</p>
<p class="Typed-In-Text"> #Redirect.url=http://gw8.novell.com/gw/webacc</p>
<p class="Body">Simply remove the pound sign and change the URL to match your desired URL. Once the system is restarted, if a user logs into your http://mail.yourdomain.com/gw/webacc location, their POA will indicate it is not a GroupWise 2013 post office and the WebAccess Application will redirect the user to the older GroupWise WebAccess Application. The user will be required to enter their WebAccess credentials again. These credentials are not passed through to the redirected server.</p>
<ol class="List-2">
<li class="Caption-1"><img class="Object-Style-1" width="38%" src="webacc-lulu-web-images/linuxinstall077_fmt.png" alt="linuxinstall077.tif"/>Redirecting to an older WebAccess server</li>
</ol>
<p class="Head2">Security Timeouts</p>
<p class="Body">GroupWise 2012 brought a new set of security timeouts to WebAccess, and they are still effective for GroupWise 2014. When a user logs into WebAccess, the user has the option on the main login screen to choose whether the computer is public or private. This allows users who access GroupWise solely via WebAccess from a private computer at home or at the office to have a longer timeout value set. These values are listed in the <span class="Typed-in-Text" style="font-size:0.9em;">webacc.cfg</span> as:</p>
<p class="Typed-In-Text"> Security.timeout=20</p>
<p class="Typed-In-Text"> Security.Private.timeout=480</p>
<p class="Body">Setting the “Private” timeout to a higher value (in minutes) prevents users in a more secure setting from timing out multiple times a day, no doubt reducing their frustration!</p>
<p class="Head2">Deleting Unneeded eDirectory Objects</p>
<p class="Body"><span class="char-style-override-2">In prior versions of GroupWise, when you installed WebAccess, an object representing the WebAccess Agent (Gateway) was created in eDirectory and the GroupWise view. Also, objects for the WebAccess Application were created (most commonly under the GroupWise domain object itself, but realistically they could be anywhere!). These objects are no longer used, and can be removed from eDirectory to avoid confusion. We recommend that you give your system a few days to settle down before you delete them, but once everything is working as you expect you can delete the following items:</span></p>
<ul class="List-1">
<li class="Bullet">GroupWise WebAccess Agents no longer in use. Make certain you export any access control settings you might need as outlined above before you delete the objects!</li>
<li class="Bullet">GroupWiseProvider Objects</li>
<li class="Bullet">LDAPProvider Objects</li>
<li class="Bullet">GroupWiseWebAccess Object </li>
<li class="Bullet">NovellSpeller Objects</li>
</ul>
<p class="Body"/>
<p class="Head1">Troubleshooting</p>
<p class="Body">There are settings in the webacc.cfg that pertain to how the new admin console connects to the GroupWise Administration Service.</p>
<p class="Body"/>
<p class="Typed-In-Text"> ######################################################################</p>
<p class="Typed-In-Text"> # Application Administration Tool</p>
<p class="Typed-In-Text"> ######################################################################</p>
<p class="Typed-In-Text"> Admin.WebConsole.enable=true</p>
<p class="Typed-In-Text"> Admin.RestService.host=127.0.0.1</p>
<p class="Typed-In-Text"> Admin.RestService.port=9710</p>
<p class="Body"/>
<p class="Body">There are a couple of reasons why these default settings might not work for you:</p>
<ul class="List-1">
<li class="Bullet">If you are running WebAccess on a server that does not have a GroupWise Administration Service running, the setting of 127.0.0.1 will be invalid. You will need to change it to the proper IP address.</li>
<li class="Bullet">If you have an MTA running on this server, but it is set to bind to a specific IP address, the Admin Service will also not be listening on localhost (127.0.0.1) and you should change this to the specific location. Surprisingly, if your MTA is set to a host name rather than an IP address, the Admin Service could complain if you enter an IP address here. Test to see which works properly for you.</li>
<li class="Bullet">If you have modified the default port for your Admin Service, you will also need to change the information here.</li>
</ul>
<p class="Body"/>
<p class="Body">Once you are ready to continue, just turn to the next chapter in your upgrade plan.</p>
<p class="Typed-In-Text"/>



Old New Date Created Author Actions
April 5, 2014 @ 19:13:56 Danita
April 5, 2014 @ 19:12:14 Danita