Committee meeting - November 26, 2020

Carol Lu   
Secretary to the Committee   
November 26, 2020   
   
Present: Steven Bourque, Bill Baer, Erick Engelke, Paul Miskovsky, Andrew McAlorum, Greg Smith, Trevor Bain, Lori Paniak, Jason Testart, Greg Parks, Robyn Landers, Pratik Patel, Lawrence Folland, Don Duff-McCracken 

Guests: Matt Verlis, Shah Chandon 
 
Regrets: Andrea Chappell, Adam Savage, Daryl Dore 
 
Agenda   

  1. Presentation: New ONA live demo (Matt Verlis) [20 min.] 
  2. Chair’s remarks (Steven Bourque) [5 min.] 
  3. Approval of the minutes of the meeting of Thursday, November 12, 2020 [5 min.] 
  4. Registering permanent devices on the network with static IP addresses (Erick Engelke) [10 min.] 
  5. 2FA transition + VPN tool (Robyn Landers) [5 min.] 
  6. WVD/Azure Billing Model (Steven Bourque) [5 min.] 
  7. Other business and roundtable discussion – all [30 min.] 
  8. Next CTSC Meeting [Will be held Thursday December 10 at 1:30 p.m.] 

Presentation: New ONA live demo (Matt Verlis) 

  • Matt Verlis gave a demo of the new ONA 

Comments and discussion  

  • Do you have to have a Connect email account in order to subscribe for email alerts?  
  • No, email alerts will also work for Office 365 email accounts 
  • Can update the blue banner in the new ONA to include this 
  • Can the synchronization of a switch be interrupted if you accidentally close the browser tab?  
  • No, the sync will still occur; however, the front-end program will not recognize that the sync happened. This will result in other users not being able to make changes, as the synchronization lock will not be released 
  • GUI is based on the .NET Framework 
  • There is a direct database with read-only access that will be distributed to the CTSC mailing list 
  • Database is on SQL server 
  • Is there an option to stop the processing of syslogs? 
  • May be possible to implement 
  • How can users input a planned offline maintenance?  
  • Users can email IST's Network Services to add a planned offline maintenance window in the new ONA 
  • HP switches will not be added to the new ONA; they will stay on the old ONA on a newer server 
  • There are only a few switches that span across more than one building (e.g., EV1, EV2, EV3) 
  • Segmentation is implemented on a building level  
  • The new ONA is relatively mobile-friendly, with the exception of some pages 
  • Is there documentation or best practices for using the new ONA?  
  • The comments field can be used for anything 
  • Note: data jack and room are separate fields and auto populated in the description  
  • Do not use the description field since the information will be auto populated 
  • Initial workflow may be slightly different if you have to input the data jack and room information 
  • Once data jack and room information is added, workflow should be relatively similar to the old ONA 
  • Please email Matt with additional feedback and comments 
  • When 1.0 is ready, Matt will send an email to the CTSC mailing list to collect the names of users who need access to the new ONA 

Chair's remarks (Steven Bourque) 

  • No remarks. 

Approval of the minutes of the previous meeting 

  • The previous meeting’s minutes were accepted as distributed.   

Registering permanent devices on the network with static IP addresses (Erick Engelke) 

  • Running into issues when registering permanent devices on the network with static IP addresses and IPv4 subnets 
  • IPv4 address space is available but there are not enough subnets 
  • This will continue to be an issue as Engineering 8 is being built 

Comments and discussion 

  • IST recommends using dynamic IP addresses wherever possible 
  • Dynamic addresses are more effective; dynamic IP addresses cannot resolve to Active Directory names at this time 
  • IST will investigate creating a dynamic DNS to match the domain name sometime next year 
  • This would be beneficial in helping IPv6 be more transparent 
  • Might be helpful to put printers on private subnets 
  • NAT IP addresses should only be used as a last resort if you run out of addresses 
  • Registrations need to be managed better 
  • Should come up with a way to identify addresses that are stalling  
  • Science has some VLANs that are full and some that are empty 
  • Unused blocks could be used more efficiently if blocks could be moved or spanned across multiple buildings 
  • Dynamic IP addresses are not NAT addresses by default 
  • Wi-Fi and Residences are NAT, but most addresses are not 
  • Contact IST Network Services if you are interested in doing a clean-up of IP addresses 
  • IPv6 inbound is blocked by default but you can request exceptions for server rooms 
  • IPv6 uses the default firewall settings 
  • Pings are allowed inbound 

2FA transition + VPN tool (Robyn Landers) 

  • Some users had difficulty locating the 2FA instructions to troubleshoot VPN  
  • Most documentation available only covered the Duo app but did not cover the other 2FA options  
  • The email sent to generic accounts regarding mandatory 2FA did not include the name of the generic account in the email  
  • Users who have access to multiple generic accounts or mailbox forwarding rules were confused by which generic accounts were being referred to 
  • This confusion may have led to the low response rate; would be helpful to include the specific user IDs in future 
  • Math has created a tool for users to check their UW VPN connection: checkvpn.uwaterloo.ca 
  • Includes 2FA second password information and links to IST Knowledge Base articles for additional troubleshooting 

Comments and discussion 

  • Users need to accept the Duo push on their devices within 10 seconds, otherwise multiple prompts will appear 
  • Timeout cannot be increased from 10 seconds; 10-second timeout is required for 2FA to work with Cisco VPN 
  • Using a passcode from the Duo app, YubiKey, or Duo token prevents multiple prompts on your device 
  • One-time codes seem to be more reliable than other 2FA methods  
  • Voice calls would have to be disabled in order to eliminate multiple prompts 
  • In Safari, 'Prevent cross-tracking' and 'Block all cookies' need to be disabled in Privacy settings in order to enable the 'Remember me for 30 days' feature 
  • Typing 'phone' as the push method will result in multiple calls 
  • Cisco AnyConnect Client does not allow for the pop-up message to be shown before the user authenticates  
  • The VPN articles in the IST Knowledge Base should be easier to find for users 
  • The 2FA website has a lot of useful information but it could be more user-friendly 
  • Duo admin page shows a higher login failure rate after work hours, which suggests students could be having more 2FA login issues than staff  

WVD/Azure Billing Model (Steven Bourque) 

  • IST would like to keep the Windows Virtual Desktop/Azure billing model in line with the Waterloo Budget Model and avoid doing chargebacks 
  • With the Waterloo Budget Model, the cost would be proportional to the usage 
  • https://uwaterloo.ca/waterloo-budget-model/details/academic-support-units-cost [IST has requested an updated version] 
  • This model would be for labs and other client-facing uses, not Data Centres or high-performance computing 

Comments and discussion 

  • Does this mean an extension of the Microsoft agreement is not being pursued?  
  • Multiple options are being looked at concurrently 
  • If Microsoft agrees to an extension, it will still be temporary 
  • On-prem VDI is licensed for staff but not for students 
  • It is recommended to start migrating to Windows Virtual Desktop now if possible 
  • In Engineering, many software packages cannot be licensed in the cloud 
  • A last resort option may be to buy licenses for students 
  • Should consider whether students want to use computer labs at all in the future 
  • In Arts the labs are not used heavily; these spaces may be modified in the future to just have ports, Wi-Fi, etc. 

Other Business/Roundtable 

Client Services, IST (Andrew) 

  • TIS and ISS have come up with a process to prevent retirees' O365 and Connect accounts from being deprovisioned 
  • Process is a temporary solution until a more long-term fix is implemented 
  • Note: retirees who take the lump sum pension option are not included 
  • Members have been selected for the Jira Service Management governance committees 
  • Kate Wood and Daniel Allen are joining the operations committee 
  • Lawrence Folland and Don Duff-McCracken are joining the steering committee 
  • A communication will be sent out this week about the IST Service Desk moving common request forms from RT to Jira Service Management 

Math (Robyn) 

  • Regarding the communication from IST about the removal of info.uwaterloo.ca and strobe.uwaterloo.ca - confirmation that all important content has been moved from these systems?  
  • There is an IST project on the decommissioning of these systems; this would have been checked during the project