
Taking Advantage of Active Directory Support in GroupWise 2014

Flexibility and interoperability have always been hallmarks of our company. That’s why it should be no surprise that Micro Focus® GroupWise® 2014 adds support for Microsoft Active Directory. It even allows users from Active Directory, Micro Focus eDirectory™ or no directory at all to co-exist on the same post office. This makes it ideal for organizations that have undergone a merger and have user information stored in both eDirectory and Active Directory. It also simplifies life for those who value the productivity, security and cost efficiency delivered by GroupWise, but want to migrate or consolidate their environment onto Active Directory. This paper provides technical insight and outlines the simple steps needed to take advantage of the new Active Directory support offered by GroupWise.

GroupWise White Paper


Technical Overview

A key design attribute enabling this simplicity is that no schema modifications are necessary to implement GroupWise on Active Directory. To accomplish this, GroupWise no longer writes any GroupWise-specific information back into the directory other than email addresses. Additionally, all directory synchronization occurs via standard Lightweight Directory Access Protocol (LDAP) access.

The GroupWise architectural components responsible for synchronizing users from Active Directory are essentially the same components required to synchronize users from eDirectory:

Message Transfer Agent (MTA)—The MTA performs the periodic user synchronization to keep both GroupWise and Active Directory up to date. Most of the modifications that enable Active Directory support occurred in the MTA. These modifications were designed to ensure that the Active Directory schema and configuration communicate accurately with GroupWise.

Post Office Agent (POA)—The POA performs the LDAP authentication for GroupWise and did not require any modifications in terms of Active Directory support.

Administration Service—The administration service responsible for configuring the directory was enhanced to facilitate the importing of users and the re-association of eDirectory-based GroupWise users to Active Directory-based users.

MMC Plug-in—To facilitate management of Active Directory users in GroupWise, the MMC plug-in can be installed into the Microsoft Management Console. This allows you to create users in Active Directory and easily assign those new users to a GroupWise post office using the MMC user creation wizard.

One additional requirement of Active Directory support in GroupWise involves SSL authentication. You will need to configure and enable an SSL certificate to enable a secure connection between GroupWise and Active Directory.

How to Implement Active Directory Support in GroupWise

Implementing Active Directory support in GroupWise can be broken down into the following categories:

Best Practices for Implementing Active Directory Support

Configuring the Connection between GroupWise and Active Directory

Importing Active Directory Users Into GroupWise (Merger Scenario) or Migrating GroupWise Users from eDirectory to Active Directory (Directory Consolidation Scenario)

Verifying Successful Implementation

Enabling LDAP over SSL

Best Practices for Implementing Active Directory Support

Whether you’re migrating eDirectory users in your GroupWise environment to Active Directory or adding existing Active Directory users to GroupWise, before attempting any such moves it’s essential to make sure your existing systems are functioning properly. Ensure that you have successfully deployed GroupWise 2014, applied the most recent updates, and confirmed that the system is in a stable condition. Your eDirectory and Active Directory environments need to be stable as well. Making a directory change will not solve any directory problems you already have. Rather, it will likely complicate matters.

Insight and Guidance for Enabling Active Directory Support in GroupWise

One of the main design goals of the new Active Directory support in GroupWise was to make it easy to implement. As a result, the steps for moving from Micro Focus eDirectory to Active Directory are simple and straightforward.


Configuring the Connection between GroupWise and Active Directory

The steps for implementing Active Directory support vary depending on your particular environment. But regardless of scenario, your first step will be to create a connection between GroupWise and Active Directory by performing the following initial configuration steps:

1. While logged into the GroupWise Administration Console for your primary domain, navigate to System and then to LDAP Servers.

2. Select the New Directory option.

3. Set the Type to Active Directory.

4. Enter the appropriate information for your Active Directory server, including the name, IP address, port, LDAP user, LDAP user password, base Distinguished Name (DN), and sync domain:

a. The LDAP user will be either a fully qualified Distinguished Name or principal account name for your Active Directory server.

b. To prevent recursive searching through the Active Directory forest, the base DN should be set to include at least the domain components for your Active Directory server.

5. If you are using SSL, you will also need to provide the SSL certificate information for your Active Directory server. (Refer to the Enabling LDAP over SSL section of this paper.)

6. Mark Enable Synchronization and click OK.

Importing Active Directory Users Into GroupWise or Migrating GroupWise Users from eDirectory to Active Directory

The remaining steps for implementing Active Directory support in GroupWise differ depending on whether you are introducing existing Active Directory users into a GroupWise environment for the first time or if you are migrating existing GroupWise users from eDirectory to Active Directory. The first scenario usually occurs as a result of a merger and requires a simple import operation to bring the Active Directory users into GroupWise. The second scenario typically occurs as a result of a directory consolidation effort and requires the eDirectory users to be re-created in Active Directory and then re-associated in GroupWise to reflect their new directory environment.

Merger Scenario—Importing Active Directory Users Into GroupWise

To import existing Active Directory users into GroupWise, do the following:

1. From the System menu in the GroupWise Administration Console, select User Import.

2. Select the directory you are importing from and then select the GroupWise post office where you want your Active Directory users to be imported.

3. Enter any appropriate context information for your directory and import action.

4. Enter any desired LDAP filter options and mark the appropriate search options.

5. Select Preview to review the list of users to be imported and make modifications to the list as needed, such as manually excluding users from the import operation.

6. Click Import Users to perform the import of your Active Directory users. Note: If you want to distribute the directory users to multiple post offices, you need to run the import once for each post office. You can use the LDAP context or the search filter option to place a subset of the Active Directory users onto a given post office.

Figure 1. Connecting GroupWise with a new directory can easily be accomplished via the GroupWise Administration Console.

Figure 2. Existing Active Directory users can be imported into GroupWise through a few simple steps


Additionally, since LDAP authentication is not enabled by default on GroupWise post offices, after importing Active Directory users into a new GroupWise post office you will need to do the following to configure LDAP authentication:

1. From the GroupWise Administration Console, view the details of the GroupWise post office for your Active Directory users.

2. Navigate to the Security tab.

3. Enable LDAP authentication.

Directory Consolidation Scenario—Migrating eDirectory Users to Active Directory

A directory consolidation scenario can involve migrating existing eDirectory users to Active Directory. This type of migration requires that you re-create these users in Active Directory, making sure that all the user objects for your GroupWise users exist in Active Directory before switching from eDirectory to Active Directory in GroupWise.

The steps for creating the Active Directory user objects are beyond the scope of this paper. However, for a successful switch over, it’s critical that the value stored in the sAMAccountName (account logon name/user object) you establish in Active Directory for your individual users exactly matches their corresponding uniqueID (UID) value in eDirectory.

Making sure these user account names match precisely enables you to seamlessly and accurately form the new associations between your Active Directory users and GroupWise. For example, if user Joe Johnson has an eDirectory UID of joe_johnson, and the corresponding sAMAccountName in Active Directory is joe_johnson, when you perform the bulk re-association task in GroupWise, it will be able to recognize and match the user objects and then automatically shift the GroupWise association from eDirectory to Active Directory.

Any users that do not have matching UID and sAMAccountName(s) will have to be re-associated manually.
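A pre-flight check for the UID/sAMAccountName rule above, written as an added example for this paper (it is not code from the white paper or from GroupWise). It takes two constructed lists, the eDirectory UIDs of your GroupWise users and the sAMAccountName values you created in Active Directory, and reports which users will auto-associate, which differ only in case, and which will end up in the manual re-association queue.

```python
"""Pre-flight check for the directory consolidation scenario.

Added example, not code from the white paper or from GroupWise itself.
Before running the bulk re-association in the GroupWise Administration
Console, compare each GroupWise user's eDirectory uniqueID (UID) with the
sAMAccountName values created in Active Directory. The paper requires an
exact match; anything else ends up needing manual re-association.
The two user lists below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: UIDs of GroupWise users still associated with
# eDirectory, and sAMAccountName values of the objects created in AD.
EDIR_UIDS = ["joe_johnson", "Maria.Lopez", "sam_ng", "old_contractor"]
AD_SAMS = ["joe_johnson", "maria.lopez", "sam_ng", "new_hire"]


@dataclass
class PreflightReport:
    matched: list = field(default_factory=list)    # exact UID == sAMAccountName
    case_only: list = field(default_factory=list)  # (uid, sam) differing only in case
    unmatched: list = field(default_factory=list)  # UIDs with no AD object at all
    extra_ad: list = field(default_factory=list)   # AD accounts no GroupWise user claims

    def bulk_ready(self):
        """True only when every eDirectory user will auto-match exactly."""
        return not self.case_only and not self.unmatched


def preflight(edir_uids, ad_sams):
    """Classify every eDirectory UID against the AD sAMAccountName list."""
    report = PreflightReport()
    exact = set(ad_sams)
    # AD itself treats sAMAccountName case-insensitively, but the paper asks
    # for an exact match, so case-only differences are flagged for correction
    # in AD rather than assumed to auto-associate.
    folded = {sam.lower(): sam for sam in ad_sams}
    claimed = set()
    for uid in edir_uids:
        if uid in exact:
            report.matched.append(uid)
            claimed.add(uid)
        elif uid.lower() in folded:
            sam = folded[uid.lower()]
            report.case_only.append((uid, sam))
            claimed.add(sam)
        else:
            report.unmatched.append(uid)
    report.extra_ad = sorted(s for s in ad_sams if s not in claimed)
    return report


def summarize(report):
    """Human-readable summary for the change ticket."""
    lines = [f"auto-associate: {len(report.matched)}"]
    lines += [f"fix case in AD: {uid} -> {sam}" for uid, sam in report.case_only]
    lines += [f"manual association needed: {uid}" for uid in report.unmatched]
    lines += [f"AD account without GroupWise user: {sam}" for sam in report.extra_ad]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = preflight(EDIR_UIDS, AD_SAMS)
    print(summarize(rep))
    print("ready for bulk re-association:", rep.bulk_ready())
```

Run it against exports of both directories before the bulk re-association; an empty "fix case" and "manual association" list is the condition under which the Directory Associations task can do all the work for you.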

Once you have your users properly set up in Active Directory, configuring GroupWise to be associated with those Active Directory user objects rather than the user objects in your eDirectory system involves the following steps:

1. From the System menu in the GroupWise Administration Console, navigate to Directory Associations.

2. From the Directory pull-down options in the Directory Associations dialog, choose the Active Directory server and context that contain the users that need to be re-associated with GroupWise.

3. Enter any desired LDAP filter options and mark the appropriate search options.

4. Be sure to mark the Override existing association option. The default behavior in GroupWise is to match only unassociated users. So, unless the Override existing association option is marked, users previously associated with eDirectory will remain associated with eDirectory instead of being re-associated with Active Directory.

5. Select Preview to review the list of the users to be re-associated and make any needed modifications to the list.

a. Note: As a best practice, it’s recommended that you re-associate one or two test users before re-associating all users in your organization. You can use the Preview menu to filter out all the users except the test users. Once the test users have been re-associated using the remaining steps in this section, execute the steps in the Verifying Successful Implementation section to ensure that the process completed successfully. If the test users re-associated properly, return to the steps in this section to re-associate all the remaining users.

6. Click Associate.

Verifying Successful Implementation

Regardless of whether you are importing existing Active Directory users into GroupWise, migrating eDirectory users to Active Directory, or a combination of both, you need to verify the success of those operations. Verifying a successful implementation of Active Directory support in GroupWise 2014 can be broken down into three main areas:

I. Verifying successful association of Active Directory users with GroupWise

II. Verifying successful authentication

III. Verifying complete user migration

I—Verifying Successful Association of Active Directory Users with GroupWise

To verify that Active Directory properly synchronizes with GroupWise, perform the following synchronization test:

Figure 3. Once you have user objects created in Active Directory, you must change the directory association in GroupWise.


1. From within Active Directory, verify that users’ GroupWise email addresses were published properly into Active Directory.

2. Modify the phone number of a user from within Active Directory.

3. In the GroupWise Administration Console, connect to the MTA of the domain responsible for synchronizing the directory objects.

4. Ensure that an HTTP username and password is set.

5. Click Launch MTA Web Console and enter the appropriate username and password when prompted.

6. From the Configuration tab, select Directory user synchronization.

7. Mark the Perform GroupWise Directory Synchronization Now button and click Submit.

8. To verify that the user phone number was properly applied to the user object in GroupWise, do the following:

a. Navigate to the most recent log file and search for directory synchronization events. You will be able to identify them as a cluster of log entries that begin with something to the effect of “Synchronizing Directory XXX.” The entries will show all of the users that were checked or updated by the synchronization process.

b. Log into the GroupWise Administration Console and verify that the user’s details, such as phone number, were updated there as well.

II—Verifying Successful Authentication

To ensure that the newly re-associated users can log in to GroupWise using LDAP authentication, do the following:

1. Launch the GroupWise client and use one of the Active Directory users to attempt to log in to the GroupWise post office using LDAP authentication.

2. Verify that the user properly authenticates to GroupWise and can access email.

III—Verifying Complete User Migration

You can use the user list search capability in the GroupWise Administration Console to determine if all your users have actually been associated with your Active Directory environment and confirm that you have no remaining eDirectory users associated with GroupWise. To perform this verification, click on Users in the left column and enter a search expression that looks for any users associated with a directory that is not equal to your Active Directory server. The search expression might look similar to the following:

directory = null or directory != MyActiveDirectory

Such a search will return the list of users that have no directory association or have a directory association different from the Active Directory identified in the search expression. If desired, you can choose to search just for unassociated users or just for non-Active Directory users by executing only half of the above search expression, including either the parameter set before or after the “or”.
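The two halves of that search expression, evaluated in code as an added example (not the white paper's or GroupWise's own code) over a constructed list of user records, so you can see exactly which users each half returns and how the leftovers split into the two groups the next paragraph describes. The directory name MyActiveDirectory is the paper's example value; the user records are constructed.

```python
"""Residual check after re-association, modelled on the paper's search
expression:  directory = null or directory != MyActiveDirectory

Added example, not the white paper's or GroupWise's own code. It evaluates
the two halves of that expression over a constructed list of user records
and sorts the leftovers into the two groups the paper describes: users with
no directory association (possible orphans) and users still tied to another
directory (typically a UID/sAMAccountName mismatch needing manual association).
"""
# Name of the Active Directory LDAP server object, as in the paper's example.
AD_DIRECTORY = "MyActiveDirectory"

# Constructed sample records: GroupWise user name and its directory association.
USERS = [
    {"name": "joe_johnson", "directory": "MyActiveDirectory"},
    {"name": "sam_ng", "directory": "MyActiveDirectory"},
    {"name": "Maria.Lopez", "directory": "CorpEDirectory"},  # constructed eDirectory object name
    {"name": "old_contractor", "directory": None},
]


def unassociated(users):
    """First half of the expression: directory = null."""
    return [u["name"] for u in users if u["directory"] is None]


def not_in_ad(users, ad_directory=AD_DIRECTORY):
    """Second half: directory != <AD server>, over users that do have a directory.
    Per the paper, running this half alone lists only non-AD-associated users."""
    return [u["name"] for u in users
            if u["directory"] is not None and u["directory"] != ad_directory]


def residual(users, ad_directory=AD_DIRECTORY):
    """Full expression (the 'or'), with the result split into the two
    follow-up groups: disable orphans, manually associate mismatches."""
    orphans = unassociated(users)
    mismatches = not_in_ad(users, ad_directory)
    return {
        "orphan_candidates": orphans,
        "mismatch_candidates": mismatches,
        "migration_complete": not (orphans or mismatches),
    }


if __name__ == "__main__":
    print(residual(USERS))
```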

Some unassociated users that appear in the returned search list might be orphan users that no longer belong to your organization; thus, you did not create user objects for them in Active Directory. In these instances, you can choose to disable their GroupWise accounts. Your search results may also include users whose eDirectory UIDs did not match their corresponding sAMAccountName(s) in Active Directory. As a result, they weren’t automatically associated with GroupWise. To manually associate these Active Directory users with GroupWise, do the following:

1. In the GroupWise Administration Console, navigate to the user details for the individual GroupWise user.

2. Select Associate Item under the More menu option.

3. Browse the Active Directory server for the corresponding user object and link the GroupWise user to that Active Directory user object.

Once you are certain that you have successfully associated all your GroupWise users with Active Directory, you can choose to delete your eDirectory directory object in GroupWise if desired. However, caution should be used if you are considering decommissioning your eDirectory server once the migration is complete. If you are using any other Micro Focus services, they might depend on the user information stored in eDirectory. You might even have third-party or internally developed services that leverage your eDirectory server. Make sure that no other services or applications used within your organization rely on eDirectory before you consider shutting it down.

Enabling LDAP Over SSL

GroupWise connects with Active Directory via LDAP. By default, LDAP communicates in an insecure manner. This means that unless you secure your Active Directory communications, GroupWise user credentials will be transmitted over the wire in clear text.

To secure your LDAP communications between GroupWise and Active Directory, you can use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) by installing a properly formatted certificate from either a Microsoft certificate authority (CA) or a third-party CA.

When setting up a trusted root certificate in an Active Directory environment using the Microsoft CA, it’s recommended that you always follow published best practices from Microsoft. You should consult with your Active Directory administrator on whether to enable LDAP SSL or export the SSL certificate from your production environment. Microsoft provides various resources on how to enable LDAP over SSL, such as the online resource found at: social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

While not a recommended best practice for production environments, you can use the following procedure to familiarize yourself with the process of creating and configuring a certificate in a lab environment.

1. From the Add Roles and Features Wizard within the Microsoft Management Console (MMC), install an AD Certificate Service Role on one of your AD Domain Controllers.

a. Note: Installing an Active Directory Certificate Service Role on an Active Directory Domain Controller is a practice that Microsoft does not recommend. However, in a lab environment with a simple Active Directory forest with one domain controller, it’s a convenient way of creating and configuring a certificate.

2. Highlight Server Roles and select Active Directory Certificate Services under Roles, and then click Next.

3. When prompted to add features required for Active Directory Certificate Services, mark Include management tools and click Add Features.

4. Accept the defaults on the subsequent steps until you’re presented with the Select role services screen. Mark the Certificate Authority option and click Next to install the role. Other options can be installed if desired, but are not necessary.

5. After the role installs, configure the certificate services by clicking on the option Configure Active Directory Services on th…

6. On the Credentials screen for the AD CS Configuration, verify that the correct credentials are listed and then click Next.

a. Note: The user needs to be a domain administrator.

7. On the Setup Type screen, select Certificate Authority as the role to configure and then select Enterprise CA as the type. Using the Enterprise CA type will configure the LDAP service to use SSL without requiring any further steps.

a. Note: Typically, you would next select a Root CA, but if you already have a CA configured, you don’t necessarily need to install a new one.

8. For the remaining steps in the wizard, you can select the default settings. Once the configuration completes, you need to restart the server.

9. After the server reboots, you need to export the certificate so it can be used with GroupWise. From within MMC, highlight Add/Remove Snapin under the File menu and select Certificates.

10. In the subsequent screens, select Computer Account and then select Local Computer.

11. At the Console Root folder, expand the folders to the path Certificates (Local Computer)\Personal\Certificates and then right-click the certificate that was issued to the local server (not the CA certificate).

12. Select Export under All Tasks and click Next.

13. Click Next again until presented with the Export Private Key dialog. Mark the No, do not export the private key option and click Next.

14. For the Export File Format, mark DER encoded binary X.509 (.CER) and click Next.

15. Enter a path and filename with a .cer extension and click Finish.

16. Now that the certificate is ready to be used by GroupWise, open the GroupWise Administration Console on that Windows server, navigate to LDAP Servers under the System menu, select your Active Directory server to edit, and from the General tab browse to your exported certificate file by clicking on the pencil icon by the SSL Certificate field. Selecting your certificate file will upload it to the domain.db file.

17. On the General tab, re-enter the LDAP user password and click Test Connection. If you’re presented with a Connection Successful message, then the certificate import executed properly. If the connection fails, select the Details link to view the error supplied by the LDAP service.

Active Directory Support and More

To learn more about how to take advantage of the new Active Directory support in GroupWise 2014, contact us or an authorized partner. Upgrading to GroupWise 2014 also enables you to take advantage of a wide array of other new features, including the new Web administration console, delegated admin functions, system overview page, new client interface and enhancements, and much more. For technical inquiries about GroupWise 2014, contact Micro Focus Technical Services, your sales engineer or an authorized partner.

About Micro Focus

Since 1976, Micro Focus has helped more than 20,000 customers unlock the value of their business logic by creating enabling solutions that bridge the gap from well-established technologies to modern functionality. The two portfolios work to a single, clear vision—to deliver innovative products supported by exceptional customer service. www.microfocus.com


162-000029-001 | N | 09/15 | © 2015 Micro Focus. All rights reserved. Micro Focus, the Micro Focus logo, eDirectory, and GroupWise, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.

Micro Focus
UK Headquarters
United Kingdom
+44 (0) 1635 565200

U.S. Headquarters
Provo, Utah
801 861 4272
888 321 4272

Additional contact information and office locations: www.novell.com