| Figure 5.5 gives a detailed look at the post office details window. Figure 5.5. The post office object properties page 
As with the domain properties window, the post office properties window has several property pages: Identification Post Office Settings Client Access Settings Membership Resources Distribution Lists Libraries Gateway Aliases Internet Addressing Security Default WebAccess
The Identification Property Page The fields on the Identification property page are shown in Figure 5.5. Only two fields are non-editable. The remaining four fields on this property page will generally stay the same. These are the options you'll find here: Post Office: This field displays the post office's GroupWise object ID (or "name" to you and me). Post offices cannot be renamed after they have been created. As with domains, if you need to rename one for some reason, you will have to create a new post office and move your users between the two. Moving users is covered in Chapter 13. Description: This optional field might be a good place to enter your pager number, or perhaps special instructions for system operators. The text here is visible through this window only. UNC Path: This field shows the path to the post office database, WPHOST.DB. Incorrect information here can foul network links and can prevent you from successfully running system maintenance on the post office database. If a post office is located on a Linux server, the path indicated here would not look like a UNC path. It might look something like this: /data/corppo. Language: This field shows the language for this post office. Be sure to select your local language so that your users will get the system messages, if any, in their own preferred local language instead of in English. Time Zone: This is the time zone for this post office. Changing this setting will result in chaos among the users on this post office, because all the appointments on their calendars at the time of the change will move. Time zones should be carefully selected when you create the post office, and then you should leave them alone. Database Version: As explained in the section "The Domain Identification Property Page," this will be 4.1, 5.0, 5.5, 6, 6.5, or 7. Configure Non-DOS Name Space Access: If you are running in direct access mode, and you have GroupWise clients running on platforms that do not recognize UNC paths, and you want those clients to obtain the post office path from eDirectory, you'll need to use this button. Enter the path style that your clients prefer into the appropriate field in the resulting dialog box. This setting really is here to be backward compatible to GroupWise 5.xlevel post offices and is rarely used anymore.
The Post Office Settings Property Page The Post Office Settings property page is packed with features specific to a post office. Here's an explanation of each of the options on this page: Network Type: This field is obsolete and can be ignored. Software Distribution Directory: This pull-down menu is populated with the names of each of the Software Distribution Directories (SDD) you have created in this system. Assigning an SDD to a post office provides the GroupWise client with a UNC path for client updates. Chapter 12, "Administering the GroupWise Client," discusses software distribution directories in more detail. Access Mode: There are three options here: Client/Server Only: The client "talks" via IP (Internet Protocol) to the POA. The POA handles all message store transactions. Users do not need any file-system rights to the message store to run in client/server mode. (This is the preferable mode for running the GroupWise client.) Client/Server and Direct: The client attempts a client/server connection, and if that fails, it attempts to connect in direct access mode. This mode is not a hybrid. Clients always connect in only one manner. All this mode offers is the flexibility to support a mix of machines with and without IP addresses. Direct Only: The client performs all mailbox transactions directly on the message store. It does not talk to the POA at all but will access the message store directly. This is not a recommended mode to run your GroupWise clients in. Delivery Mode: This setting applies only if users are allowed to use the direct connection. For users with direct-access connections, the setting applies as described here: Use App Thresholds: The client writes to the sending user's USER and MSG databases, and, if the threshold is not exceeded, also writes to each recipient's USER database. Client Delivers Locally: The client writes to the sender's USER and MSG databases, as well as to the USER database for every recipient on the local post office.
Warning Novell recommends that clients connect to the post office only in client/server mode. Direct mode, regardless of the delivery mode selected, poses a security and a stability risk to the message store. In direct mode, users must have file-system rights to the message store, and store files are subject to corruption if a workstation crashes.
Disable Live Mode: Select Disable Live Move to turn off the improved move-user capabilities available in GroupWise 6.5 and GroupWise 7. A live move uses a TCP/IP connection to move a user from one post office to another. In general, it is significantly faster and more reliable than earlier move-user capabilities in GroupWise 5.x. However, it does require that both post offices are running GroupWise 6.x or 7.x POAs, and that TCP/IP is functioning efficiently between the two post offices. Moving users and live-mode user moves are both discussed in Chapter 13. Exempt This Post Office from the Trusted Application Routing Requirement: This feature is made available for third-party integration with the GroupWise POA and MTA. It's an obscure feature that you should check only if you are instructed to do so when installing software that integrates with the GroupWise POA. An example is a server-based virus scanning utility that integrates with GroupWise. Remote File Server Settings: Use the remote file server settings to provide the POA a login ID to use when connecting to another file server. This is used to access a remote machine where a GroupWise library, a document storage area, or restored post office databases are located. The POA might also connect to a GroupWise Software Distribution Directory on another server using this same login information. The Remote File Server Settings are not needed unless the POA will need to connect to a remote file server for any of the aforementioned purposes. Remote User Name: Specify the network USERID for the POA(s) of this post office to use when accessing a remote file server. For example, GWMAIL.EMAIL.ACME identifies the eDirectory USERID that the POA will use to authenticate to the remote server. Remote Password: Specify the password associated with the login ID provided in the Remote User Name.
Note The remote user name and password must have the necessary rights to access the remote file server and perform whatever action the POA has been instructed to perform.
The GroupWise Post Office Settings page is not a page where you will be making frequent changes. Most of your post offices will be configured in the same manner under the post office settings page. The Post Office Client Access Settings Page The Client Access Settings property page allows you to lock out older clients, or users that might be trying to get into another user's account without authorization. Settings that can be configured here include the following: Minimum Client Release Version (x.x.x): This is a great way of keeping users with an older GroupWise windows client out of your post office. However, if users are denied the ability to connect to your post office because their GroupWise client is too old, they are not prompted to upgrade their client in any manner. To determine the Client Release Version of a GroupWise client, select Help, About GroupWise within the GroupWise Windows client. Look at the program release; it will read 7.0, or something similar. Minimum Client Release Date: This feature is very similar to the Minimum Client Release Version. A GroupWise client has both a release version and a release date. This is a great way of keeping users with an older GroupWise windows client out of your post office. However, if users are denied the ability to connect to your post office because their GroupWise client is too old, they are not prompted to upgrade their client in any manner. To determine the Client Release Date of a GroupWise client, select Help, About GroupWise within the GroupWise Windows client. Look at the program release; it will read something similar to 9/4/2005. Disable Logins: If this is checked, users cannot log in to their GroupWise mailboxes on this post office. This option does not kick users out, however, if they are already logged in.
Note If you need to kick users out in order to perform server or system maintenance, it helps if you are in client/server only mode. In this mode, you can simply unload the POA from the server console to kick everyone offanother reason to choose client/server only mode over the alternatives.
Tip This feature is highly recommend when using WebAccess. Otherwise, intruders might try to get access to the mailbox by the method of password guessingtrying to access an account by using an automated procedure with an endless list of possible usernames and passwords.
Incorrect Logins Allowed: Specify how many unsuccessful login attempts trigger a lockout. The default is 5. Valid values range from 3 to 10. Incorrect Login Reset Time: Specify how long unsuccessful login attempts are counted. The default is 30 minutes. Valid values range from 15 to 60 minutes. Lockout Reset Time: Specify how long the user login is disabled. The default is 30 minutes. Valid values range from 15 to 60 minutes.
If a user account is locked out because it tripped the Intruder Detection code, you can go to the user's account and uncheck the Disable Logins check box on the GroupWise Account property page. The Post Office Membership Property Page The Membership property page provides a list of those users assigned to this post office. This tab comes equipped with tools to add existing eDirectory users to this post office, delete users from the post office, and move users between post offices. The Post Office Resources, Distribution Lists, and Libraries Property Pages These property pages provide lists of the various non-user objects associated with this post office. None of these objects can be created from the post office details window, so there are no Add buttons. The Post Office Gateway Aliases Property Page Post office aliases provide one way for a post office to be given a different Internet address than the rest of your organization. The Post Office Alias is generally useful only when you have defined an external post office. External post offices are explained in more detail in Chapter 19, "Building Your GroupWise System Correctly." The Post Office Internet Addressing Property Page Just as on the domain details screen, the Internet Addressing tab exists to enable you to make exceptions to the system Internet addressing configuration. Chapter 16 covers Internet addressing in detail. The Post Office Security Property Page There are two possible security values for a post office: Low: Users' network logins are not checked to determine whether they correspond to the mailbox they are using. In this mode, mailboxes should be password protected. If they are not, any user can log in as any other user by placing the /@u-userID switch on the GroupWise command line. High: Users' eDirectory passwords are checked before they can access their GroupWise mailbox. There are two methods GroupWise can use to get the eDirectory password: eDirectory authentication and LDAP authentication. Here's a discussion of both of these options: With eDirectory authentication enabled, if a user has a Novell client that is authenticated to an eDirectory tree, the GroupWise 32-bit client queries the Novell client using a network API call. If a user is logged in as one person, but trying to open GroupWise as someone else, that user will be prompted for the mailbox password, which is not contained in eDirectory and requires that the mailbox truly have a GroupWise password. WithLDAP authentication enabled, if users do not have the Novell client on their computers, or a user is using GroupWise WebAccess through a Web browser, they can still use an eDirectory password. The POA queries eDirectory via LDAP on behalf of the user. A prerequisite to this functionality is that your implementation of eDirectory be version 8.5 or better, with LDAP services enabled. Setting up LDAP authentication for the POA is explained in detail in Chapter 26, "Configuring GroupWise Authentication via LDAP."
The Post Office Default WebAccess Property Page Use the Default WebAccess property page to select the WebAccess agent (or gateway) that will process requests from this post office's users. This page applies only if you have multiple WebAccess agents installed in your GroupWise system. If you have only one WebAccess agent, that WebAccess agent services users in all domains. Chapter 11 goes into more detail about how to use this feature for practical purposes. The following are the choices you can make on the Default WebAccess page: Default WebAccess: When you have multiple WebAccess agents and a user logs in to GroupWise WebAccess, the GroupWise WebAccess Application (running on the Web server) checks to see whether a default WebAccess agent has been assigned to the user's post office (Post Office object, GroupWise tab, Default WebAccess page). If so, the WebAccess application connects to the assigned WebAccess agent. If not, it connects to the default WebAccess agent assigned to the post office's domain. If possible, you should select a WebAccess agent that has the best network-level access to this post office to ensure the best performance. Each post office will use the domain's default WebAccess agent unless you override the default at the post office level. Override: Check this box to indicate that you want to assign a default WebAccess agent to the post office. Default WebAccess Gateway: Browse for and select the WebAccess agent you want to use as the default.
|
