Solved

Controlling local replicas usage

Posted on 2004-03-25
Last Modified: 2013-11-16
Hi all

New problem :

We have remote users (LANs without a domino server) using local replicas
so we can manage those remote locations with short bandwidth. They have a
replica of their mailfile and a replica of the public address book.

The replicas are scheduled to run every 30 minutes, which provides good velocity to all applications (Lotus Notes, Client Access, our intranet, and our Document Management app).

How do I prevent the users from forcing replications (on demand) ?
Question by: sync957p
19 Comments
 
LVL 15

Expert Comment

by:Bozzie4
ID: 10680164
Short answer: you can't.

Long answer: you may try and restrict the Notes traffic (using a network traffic shaper) per remote connection (well, you'll need to actually restrict it per individual user per remote connection). That's probably not easy ...

cheers,

tom
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 10680967
Lotus Domino's strong point is replication, and it could be on demand. Why do you want to restrict them from replicating what they want?

~Hemanth
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 10681032
Probably because if all the remote users (over the same remote connection) all start to replicate 'on demand' at once, your network connection gets saturated ...

Tom
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 250 total points
ID: 10681543
Just to add on a bit to Bozzie's first post, what you want to do is use a QoS policy-based firewall, which can be set to limit frequency of connection by source IP address.  If you have a strong network engineer, he'll know what to do.

The only other thing I can think of doing is to have an agent that scans the logs, building its own histogram of usage. If it detects that a user is abusing connection privileges, it can put that user in a temporary deny access list for, say, half an hour or an hour, and send the user a message (to be picked up after the deny access expiration) that says "due to abuse of mail access privileges, your account was suspended for xx minutes. Your account is now back on line."
0
 
LVL 1

Author Comment

by:sync957p
ID: 10685435
Thanks for all answers.

Bozzie4 : what is a network traffic shaper? you mean something like a Peribit?

HemanthaKumar : We have all remote locations with connections over IP at 128k, for an average of 6 users per remote location, if the dummies in marketing and the gods (ceo's) decide to send a 4 Mb email message to all users in the same day all network traffic gets jammed (yes, bandwidth is expensive in Portugal). To be honest things got a little better since we upgraded all our lines from Frame Relay to IP, but we're far from having good speed.

qwaletee : We don't have static IPs in those LANs and we can't change that, because CEOs "on the move" like to connect their laptops anywhere without changing IPs. That agent you mentioned seems like a good idea; could you help with that?


0
 
LVL 1

Author Comment

by:sync957p
ID: 10685480
qwaletee : ah, I forgot... and... the internal network traffic doesn't pass through the firewall.
0
 
LVL 15

Accepted Solution

by:
Bozzie4 earned 250 total points
ID: 10688936
What I call a network traffic shaper may have other names in real life, but I mean something that can limit traffic to and from specific IP addresses over specific ports. Some firewalls can do this, some routers can, you can have a Linux box that does that.
If they all get individual IP addresses, this becomes a lot simpler: even a very simple iptables firewall can do this, and there must be applications that you can download and use for free. Basically, you can put a quota on the amount of traffic (over port 1352) every IP address (and hence every user) is allowed within a specific timeframe. An iptables solution would block the IP address for a brief period of time, but there must be solutions available that can severely limit the bandwidth for that IP address.

If you run the Domino server on Linux, you don't even need a separate box to do this.... just whack an iptables firewall on and you're done :-)

Tom
0
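The per-source limit on Notes traffic (TCP port 1352) described in the answer above, as an added example that is not part of the original thread: a small generator that prints iptables rules using the `recent` match to drop new connections from a source once it exceeds a budget inside a time window. The site addresses, thresholds, chain name and the choice of the INPUT hook (rules running on the Domino host itself) are assumptions.

```shell
#!/bin/sh
# Added example: cap new Notes (NRPC, TCP 1352) connections per remote source.
# Assumed values: thresholds, chain name, and the constructed site addresses
# (RFC 5737 documentation ranges) used in the sample call at the bottom.

NRPC_PORT=1352
WINDOW=1800     # seconds; mirrors the 30-minute replication schedule
MAX_NEW=12      # new connections allowed per source per window (assumed;
                # must stay <= xt_recent's ip_pkt_list_tot, default 20)
HOOK=INPUT      # use FORWARD if the firewall is a separate box
CHAIN=NOTES_LIMIT

# Print the commands instead of running them, so the rule set can be
# reviewed first; pipe the output to `sh` as root to apply it.
notes_limit_rules() {
    echo "iptables -N $CHAIN"
    # 1) Budget spent inside the window: drop. --rcheck does not refresh
    #    the entry, so the block lifts once old hits age out.
    echo "iptables -A $CHAIN -m recent --name notes --rcheck --seconds $WINDOW --hitcount $MAX_NEW -j DROP"
    # 2) Otherwise record this connection against the source and allow it.
    echo "iptables -A $CHAIN -m recent --name notes --set -j ACCEPT"
    for src in "$@"; do
        # Shape check only: refuse anything that is not a dotted quad
        # before it is interpolated into a rule.
        if ! printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "skipping invalid address: $src" >&2
            continue
        fi
        # Only new connections from the listed remote sites are counted;
        # established sessions and head-office clients are untouched.
        echo "iptables -A $HOOK -p tcp --dport $NRPC_PORT -s $src -m conntrack --ctstate NEW -j $CHAIN"
    done
}

# Sample call with constructed remote-site router addresses.
notes_limit_rules 192.0.2.10 198.51.100.7
```

Because the limit counts new TCP connections rather than bytes, it throttles how often clients behind a site can start a session, not how much one session transfers.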
 
LVL 31

Expert Comment

by:qwaletee
ID: 10717429
Yeah, I can help with the agent, but it will either have to be...


    * You write it, I'll give hints, which won't take too much of my time

or

    * You've got to get a consultant who is already handy with Notes admin and dev to write it
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 10717740
Or you can contact Lotus support for any tips on controlling the bandwidth usage !
0
 
LVL 1

Author Comment

by:sync957p
ID: 10722018
Perhaps both?

qwaletee : could you give me any tips to start with? For example, how to put a user in a deny list (what command to the server so the user can't replicate).

hemanthakumar : the only time I contacted Lotus tech support was by phone (some urgent issue about DBs getting corrupt). How do I contact them by mail?
0
 
LVL 1

Author Comment

by:sync957p
ID: 10722070
What about hiding menus in the client? I heard kiosk mode doesn't work so well... any thoughts?
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 10723767
This is the best you can get to... http://www.ibm.com/planetwide/us/

There is an email on top for general queries... see if they respond to you by mail.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 10728154
Kiosk mode sucks.

The way to deal with Deny Access Groups is to

1) create a deny access group for this purpose

2) Include that group in your server deny access list (server doc) -- then reboot the server, or

3) Put the new deny access group in an existing group (subgroup) that is already in the server doc deny access (no reboot)

To lock a user out, just add the user to the new group created in step 1... you should add the user's unabbreviated canonical name. If you change the group on the same server as you are trying to prevent access, the lockout should occur within 2 minutes of the change, and removal of lockout should also be less than two minutes.
0
 
LVL 1

Author Comment

by:sync957p
ID: 10758354
Thanks everyone.

At this time our network engineer is testing a solution with an iptables firewall in a Linux box. Domino server will only route mail in this box.

The destinations for quotas regarding Notes traffic will be based on the remote location router's IP (if one of the users screws up, all of the other users in the same LAN will suffer, but hey, who said life's fair?)

I just wonder why we can't have an ADM for Active Directory like most of the mainstream software (it would be useful to find some menus from some users).

Any comments on this?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 10787457
It doesn't really work that way. Policies are not magic... for every feature you want to lock down, in, say, Windows 2000, Microsoft has to program a UI to set that policy, has to put code on the client to accept that policy, has to put code in the client settings UI to prevent users from overriding that policy, and has to put code in the software that uses the settings to restrict to that policy. Microsoft has done that with a lot of settings, but not all... and in fact, there are some things that have no settings at all, so neither user nor administrator can control them.

The same is true for Notes and Domino. In R6, there are a huge number of settings you can lock down... but there are also many that you can't. Nobody pushed IBM hard enough to make a policy for "limitating" connection frequency/traffic level.
0
 
LVL 1

Author Comment

by:sync957p
ID: 10804082
Just wondering why we can restrict almost everything in Client Access (or the latest "Iseries Access"), which is an IBM product, and with Notes... nothing at all.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 10833819
Nothing to wonder at... Notes is actually more complex, and has more features that could potentially be controlled.  Dev team has to allocate resources for each feature they add that someone wants to control, and this didn't make the cut.

On top of that, the Notes communication strategy leads this to be a complex area to regulate.
0
 
LVL 13

Expert Comment

by:CRAK
ID: 10969207
A new TA has been added to EE: Lotus Domino Admin (http://www.experts-exchange.com/Web/Lotus_Domino_Admin/).

Since it's still rather empty we're looking for content for this TA. This should offer visitors a better chance of finding answers to their questions.

This question, though not posted in a wrong TA, was a typical Lotus Domino Admin question. Therefore I'm moving it from Lotus Notes/Domino TA to Lotus Domino Admin TA.

CRAK
Page Editor
0
 
LVL 13

Expert Comment

by:CRAK
ID: 10969213
Moved from Notes/Domino to Domino Admin TA.

CRAK
Page Editor
0
