• Status: Solved

Controlling local replicas usage

Hi all

New problem :

We have remote users (LANs without a Domino server) using local replicas
so we can manage those remote locations with short bandwidth. They have a
replica of their mailfile and a replica of the public address book.

The replicas are scheduled to run every 30 minutes, which provides good velocity to all applications (Lotus Notes, Client Access, our intranet, and our Document Management app).

How do I prevent the users from forcing replications (on demand)?
Asked: sync957p
 
Bozzie4 Commented:
Short answer: you can't.

Long answer: you may try and restrict the Notes traffic (using a network traffic shaper) per remote connection (well, you'll need to actually restrict it per individual user per remote connection). That's probably not easy...

cheers,

tom
 
HemanthaKumar Commented:
Lotus Domino's strong point is replication, and it could be on demand. Why do you want to restrict them from replicating what they want?

~Hemanth
 
Bozzie4 Commented:
Probably because if all the remote users (over the same remote connection) all start to replicate 'on demand' at once, your network connection gets saturated ...

Tom
 
qwaletee Commented:
Just to add on a bit to Bozzie's first post, what you want to do is use a QoS policy-based firewall, which can be set to limit frequency of connection by source IP address. If you have a strong network engineer, he'll know what to do.

The only other thing I can think of doing is to have an agent that scans the logs, building its own histogram of usage. If it detects that a user is abusing connection privileges, it can put that user in a temporary deny access list for, say, half an hour or an hour, and send the user a message (to be picked up after the deny access expiration) that says "due to abuse of mail access privileges, your account was suspended for xx minutes. Your account is now back on line."
 
sync957p (Author) Commented:
Thanks for all answers.

Bozzie4: What is a network traffic shaper? You mean something like a Peribit?

HemanthaKumar: We have all remote locations with connections over IP at 128k, for an average of 6 users per remote location. If the dummies in marketing and the gods (CEOs) decide to send a 4 Mb email message to all users in the same day, all network traffic gets jammed (yes, bandwidth is expensive in Portugal). To be honest, things got a little better since we upgraded all our lines from Frame Relay to IP, but we're far from having good speed.

qwaletee: We don't have static IPs in those LANs and we can't change that, because CEOs "on the move" like to connect their laptops anywhere without changing IPs. That agent you mentioned seems like a good idea; could you help with that?
 
sync957p (Author) Commented:
qwaletee: Ah, I forgot... and... the internal network traffic doesn't pass by the firewall.
 
Bozzie4 Commented:
What I call a network traffic shaper may have other names in real life, but I mean something that can limit traffic to and from specific IP addresses over specific ports. Some firewalls can do this, some routers can, and you can have a Linux box that does that.
If they all get individual IP addresses, this becomes a lot simpler: even a very simple iptables firewall can do this, and there must be applications that you can download and use for free. Basically, you can put a quota on the amount of traffic (over port 1352) every IP address (and hence every user) is allowed within a specific timeframe. An iptables solution would block the IP address for a brief period of time, but there must be solutions available that can severely limit the bandwidth for that IP address.

If you run the Domino server on Linux, you don't even need a separate box to do this... just whack an iptables firewall on and you're done :-)

Tom
 
qwaletee Commented:
Yeah, I can help with the agent, but it will either have to be...

    * You write it, I'll give hints, which won't take too much of my time

or

    * You've got to get a consultant who is already handy with Notes admin and dev to write it
 
HemanthaKumar Commented:
Or you can contact Lotus support for any tips on controlling the bandwidth usage!
 
sync957p (Author) Commented:
Perhaps both?

qwaletee: Could you give me any tips to start with? E.g. how to put a user in a deny list (what command to the server so the user can't replicate).

HemanthaKumar: The only time I contacted Lotus tech support was by phone (some urgent issue about DBs getting corrupt). How do I contact them by mail?
 
sync957p (Author) Commented:
What about hiding menus in the client? I heard kiosk mode doesn't work so well... any thoughts?
 
HemanthaKumar Commented:
This is the best you can get to... http://www.ibm.com/planetwide/us/

There is an email on top for general queries. See if they respond to you by mail.
 
qwaletee Commented:
Kiosk mode sucks.

The way to deal with Deny Access Groups is to

1) Create a deny access group for this purpose

2) Include that group in your server deny access list (server doc) -- then reboot the server, or

3) Put the new deny access group in an existing group (subgroup) that is already in the server doc deny access (no reboot)

To lock a user out, just add the user to the new group created in step 1... you should add the user's unabbreviated canonical name. If you change the group on the same server as you are trying to prevent access, the lockout should occur within 2 minutes of the change, and removal of lockout should also be less than two minutes.
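The log-scanning agent suggested earlier in the thread, producing the names to place in the deny access group described above, sketched in Python as an added example (not code from any poster). The pipe-separated log layout, the user names and the thresholds are constructed assumptions; adding the returned canonical names to the group and removing them at the returned time is left to the Notes side.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp|canonical name|event" layout.
# This is NOT the real Domino log format; adapt parse_line() to your export.
SAMPLE_LOG = """\
2004-03-01 09:00:05|CN=Ana Silva/OU=Porto/O=Acme|replication
2004-03-01 09:02:10|CN=Rui Costa/OU=Porto/O=Acme|replication
2004-03-01 09:04:40|CN=Rui Costa/OU=Porto/O=Acme|replication
2004-03-01 09:05:00|CN=Rui Costa/OU=Porto/O=Acme|mail_open
2004-03-01 09:07:15|CN=Rui Costa/OU=Porto/O=Acme|replication
2004-03-01 09:09:30|CN=Rui Costa/OU=Porto/O=Acme|replication
2004-03-01 09:30:05|CN=Ana Silva/OU=Porto/O=Acme|replication
garbled line without separators
"""

def parse_line(line):
    """Return (timestamp, user) for a replication event, else None."""
    parts = line.strip().split("|")
    if len(parts) != 3 or parts[2] != "replication":
        return None
    try:
        return datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), parts[1]
    except ValueError:
        return None

def find_lockouts(lines, window=timedelta(minutes=30), max_sessions=3,
                  lockout=timedelta(minutes=30)):
    """Map each abusing user to the time their temporary deny should end."""
    recent = defaultdict(deque)   # user -> timestamps inside the sliding window
    lockouts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, user = event
        if user in lockouts and ts < lockouts[user]:
            continue              # still denied; do not count this attempt
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_sessions:
            lockouts[user] = ts + lockout
            q.clear()             # start counting afresh after the lockout
    return lockouts

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG.splitlines()))
```

With the defaults, a user on the 30-minute schedule never exceeds the threshold, while four replications inside one window trigger a 30-minute deny.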
 
sync957p (Author) Commented:
Thanks everyone.

At this time our network engineer is testing a solution with an iptables fw in a Linux box. Domino server will only route mail in this box.

The destinations for quotas regarding Notes traffic will be based on the remote location router's IP (if one of the users screws up, all of the other users in the same LAN will suffer, but hey, who said life's fair?)

I just wonder why we can't have an ADM for Active Directory like most of the mainstream software (it would be useful to find some menus from some users).

Any comments on this?
 
qwaletee Commented:
It doesn't really work that way. Policies are not magic... for every feature you want to lock down in, say, Windows 2000, Microsoft has to program a UI to set that policy, has to put code on the client to accept that policy, has to put code in the client settings UI to prevent users from overriding that policy, and has to put code in the software that uses the settings to restrict to that policy. Microsoft has done that with a lot of settings, but not all... and in fact, there are some things that have no settings at all, so neither user nor administrator can control them.

The same is true for Notes and Domino. In R6, there are a huge number of settings you can lock down... but there are also many that you can't. Nobody pushed IBM hard enough to make a policy for "limitating" connection frequency/traffic level.
 
sync957p (Author) Commented:
Just wondering why we can restrict almost everything in Client Access (or the latest "iSeries Access"), which is an IBM product, and with Notes... nothing at all.
 
qwaletee Commented:
Nothing to wonder at... Notes is actually more complex, and has more features that could potentially be controlled.  Dev team has to allocate resources for each feature they add that someone wants to control, and this didn't make the cut.

On top of that, the Notes communication strategy leads this to be a complex area to regulate.
 
CRAK Commented:
A new TA has been added to EE: Lotus Domino Admin (http://www.experts-exchange.com/Web/Lotus_Domino_Admin/).

Since it's still rather empty, we're looking for content for this TA. This should offer visitors a better chance of finding answers to their questions.

This question, though not posted in a wrong TA, was a typical Lotus Domino Admin question. Therefore I'm moving it from Lotus Notes/Domino TA to Lotus Domino Admin TA.

CRAK
Page Editor
 
CRAK Commented:
Moved from Notes/Domino to Domino Admin TA.

CRAK
Page Editor