Presentation held by Mr. Goce Bogatinov and Mr. Jordan Tikvesanski as a part of the "Cooperation between academia and ICT businesses" session at the 8th SEEITA and 7th MASIT Open Days Conference, 14th-15th October, 2010
1. Forefront Identity Manager 2010 implementation in “Goce Delcev” University – Stip
Goce Bogatinov, Chief IT Administrator
University „Goce Delcev“ - Stip
goce.bogatinov@ugd.edu.mk
Jordan Tikvesanski, IT System Administrator
University „Goce Delcev“ - Stip
jordan.tikvesanski@ugd.edu.mk
3. Contents
• Presentation of the University "Goce Delchev" – Stip and its information system
• The role and method of involvement of Microsoft Consulting Services in the implementation of the solution
• The part of Intec Systems and Gemalto in the implementation of the solution
• Experiences and recommendations
4. General information
• Established in 2007
• Elected rector Prof. Dr. Sasa Mitrev
• More than 13.000 students and 500 employees at the moment
• 1.200 PCs and up to 50 servers
• 10 Campuses located in different cities
• 10 Campuses in Stip
7. User profiles
• Students
  • Undergraduate studies
  • Master studies
  • PhD studies
• Employees
  • Administration
  • Teachers (associates, visiting…)
  • Student services
  • Other personnel
• IT staff
  • Administrators
  • Technical staff
  • Help desk
8. Student services
• Mail
  • Microsoft Live@EDU
• Learning gateway
  • Moodle
• Student files
  • Microsoft Dynamics CRM
• Video conferencing
  • Polycom
• Wireless internet access
  • Cisco, Microsoft NAP
9. Employee services
• Mail
  • Microsoft Exchange 2010
• Telephony
  • Cisco UCM, Cisco IP Phones
  • Microsoft Exchange 2010 UM
• IM, A/V conferencing, desktop sharing
  • Microsoft Office Communicator
• Document management
  • Xerox Docushare
• Wireless internet access
  • Cisco, Microsoft NAP
10. Challenges
• Unique user name and password for all
• Time and attendance tracking system
• Two-factor authentication
• Student/employee ID card
11. Implementation stages
ENVISION
• Specifying and clarifying what is necessary for project implementation
• Establishing the foundation of the team and the core of the project cycle
• Collecting as much information as possible
PLAN
• Development of conceptual solutions into a specific design and plan
BUILD
• Building the solution in a test environment and documenting it
• Testing of all aspects of the solution
STABILIZE
• Improving the quality of the solution to meet the criteria for its release into production
• Verification of the functionality and usability of the solution from the business and user perspective
DEPLOY
• Setting up the production environment
• Transition of the system into operational functioning
12. ENVISION phase
Demands
• High level of automation, easy to use, high level of availability
IT infrastructure
• Various vendor based technology
• Windows Server 2008
• AD DS
• MS SQL 2008
• MS Exchange 2010
• MS SCCM 2007
• AD Certificate Services
• Vmware virtualization technology
Administration and maintenance
• Small team and helpdesk, no user defined roles, large number of critical systems, large number of helpdesk demands.
13. PLAN phase
• 40% of the time spent on this stage
• Functional specs (What are we going to build?)
• Conceptual design (How will we build it?)
• Timeline of activities (When will we build it?)
• Are we ready to build?
14. BUILD phase
• Building the system in the test environment
• Implementation of the planned functionalities
• Testing
• Testing
• Testing
15. STABILISE phase
• The process of bringing the solution to an acceptable level of quality and functionality, performed by testing and correcting the system
• Implementation of the solution in the production environment
• Testing of all aspects of the solution by an isolated group of users – pilot users
16. DEPLOY phase
• Large overlap with the activities performed in the stabilization phase
• Preparing the physical infrastructure through GPO, distribution of the necessary client agents, installing enrollment kiosks…
• Operation and maintenance of the system
17. PKI solution contents
PKI based on Windows Server 2008 R2
• 1 offline Root CA
• 2 Enterprise Issuing CAs
• CRL and AIA published via AD DS and IIS 7.0
Certificate templates
• Vraboten Standard (Vraboten = employee)
• Vraboten Encryption
• Student Standard
Use of certificates
• Authentication (domain logon, application logon, Wi-Fi access)
• E-mail signing
• Disk and data encryption
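A deployment like the one above (offline root, enterprise issuing CAs, CRL/AIA on IIS, one certificate per user for logon, Wi-Fi and e-mail signing) is only as good as what a client actually sees. The following PowerShell check is an added example, not code from the presentation or from the university's deployment; it assumes a domain-joined Windows client with the user's certificate in the current user's store, and the function name Test-UgdUserCertificate is made up here. The EKU and extension OIDs are the standard Microsoft/PKIX values.

```powershell
# Added example: validate a user certificate against the two-tier PKI design
# (user -> enterprise issuing CA -> offline root) and confirm that the CDP/AIA
# URLs published on IIS are reachable, so revocation checking works at logon.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon (domain logon)
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication (Wi-Fi, applications)
$EmailEku          = '1.3.6.1.5.5.7.3.4'        # Secure E-mail (signing)
$CdpOid            = '2.5.29.31'                # CRL Distribution Points
$AiaOid            = '1.3.6.1.5.5.7.1.1'        # Authority Information Access

function Test-UgdUserCertificate {   # hypothetical name, not from the page
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 1. Build the chain with online revocation checking of every element, so the
    #    CRL is really fetched from the published CDP rather than a cached copy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($Cert)

    # 2. The EKUs the deck relies on: logon, client authentication, e-mail signing.
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # 3. Extract the HTTP URLs from the CDP and AIA extensions and probe the IIS publish point.
    $urls = foreach ($ext in $Cert.Extensions | Where-Object { ($CdpOid, $AiaOid) -contains $_.Oid.Value }) {
        [regex]::Matches($ext.Format($true), 'http://\S+') | ForEach-Object { $_.Value }
    }
    $reachable = @{}
    foreach ($u in ($urls | Sort-Object -Unique)) {
        try {
            $req = [System.Net.WebRequest]::Create($u); $req.Timeout = 10000
            $resp = $req.GetResponse(); $reachable[$u] = ($resp.StatusCode -eq 'OK'); $resp.Close()
        } catch { $reachable[$u] = $false }
    }

    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        ChainValid      = $chainOk
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        TwoTierChain    = ($chain.ChainElements.Count -eq 3)   # user, issuing CA, root CA
        SmartCardLogon  = ($ekus -contains $SmartCardLogonEku)
        ClientAuth      = ($ekus -contains $ClientAuthEku)
        EmailSigning    = ($ekus -contains $EmailEku)
        CdpAiaReachable = $reachable
    }
}

# Check every certificate with a private key in the user's store (the smart card's
# certificate is propagated there once the card is inserted).
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object { Test-UgdUserCertificate -Cert $_ }
```

A ChainValid of false with a RevocationStatusUnknown or OfflineRevocation status, combined with an unreachable CDP URL, points at the IIS/AD DS publishing side rather than at the certificate itself.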
18. FIM 2010 CLM solution contents
• FIM CLM application: NLB cluster of FIM 2010 CLM servers
• Backend DB: MS SQL 2008 failover cluster
• FIM 2010 client component
• Self-service user portal
• Administration and configuration portal
• FIM CM SQL API for interaction with other systems
• Profile templates for students and employees
• Smart card middleware and enrolment
• Smart card printing
19. Smart cards
• Gemalto hybrid smart card: .NET + EM4100 contactless chip
• .NET framework on the smart card
• Easy integration in a Microsoft environment
• Microsoft Base Smart Card CSP support
• Card management system: Microsoft CMS / FIM 2010 preferred
• .NET SDK integration with Microsoft Visual Studio
20. Gemalto .NET implementation on WSCF
Microsoft Crypto Next Generation architecture (layers, top to bottom):
• Microsoft Smart Card Enabled Applications
• Microsoft Base Smart Card CSP
• Smart Card Vendor Mini Driver
• MS Smart Card Resource Manager
• PC/SC
Gemalto .NET crypto architecture (layers, top to bottom):
• Microsoft Smart Card Enabled Applications
• Microsoft Base Smart Card CSP
• .NET Minidriver DLL – add-on to the MS Base CSP which redirects requests to the Gemalto .NET card module
• MS Smart Card Resource Manager
• PC/SC
21. Experiences
• Complex system of permissions and role separation
• Profile templates and certificate templates – crucial in the later operating period
• Investments in compatible components
• Condition of the existing infrastructure
• Mixed use of x86 and 64-bit clients
• The client works through IE 6.0 and later
22. Recommendations
• The complexity of the system requires thorough planning
• Use a virtual environment
• Document every step in the development and implementation of the system
• Test the entire system after each change
• Use separate user accounts for each user role, even if the same person is in question
• In a system with more than 10,000 users there are no "minor" changes