MetaFrame Secure Access Manager in a Box.
Version 2.0 Volume 1 DRAFT
Prepared by: Roddy Rodstein, MCSE, CCEA Enterprise Systems Engineer, Western Region Citrix Systems, Inc.
NOTICE
The information in this publication is subject to change without notice.
This is not an official Citrix document.
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF
THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Rnetworkx, Inc.
The exclusive warranty for any Citrix products discussed in this publication, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
© 2002 Rnetworkx, Inc.
http://rnetworkx.com
All rights reserved.
WARNING: The information found in this document was gathered from many different sources in the computing world. It is provided for informational purposes only. The authors assume no responsibility for its usage. Use common sense in applying these concepts and tips. Screen shots may vary from environment to environment. Please verify correctness and applicability in a test environment first and then deploy to your production environment(s).
Use the information found in this document at your own risk.
Special Thanks
MSAM in a Box is a by-product of my experiences working for Citrix Systems Inc. as an Enterprise Systems Engineer. I really hope you like MSAM in a Box and find some knowledge in it.
I must also say thanks to the following awesome minds that sacrificed their time and gave of their knowledge to help create what you see before you. Without them, this project would not exist.
Doug Brown, Phil Duffield, Jon Barrett, Jason Maynard, Brian Murray
Special thanks to Citrix Systems Inc. and all my Citrix SE colleagues! Citrix ROCKS!
Special thanks to Doug Brown of dabcc.com. Doug has been a pivotal part of the creation of MSAM in a Box. Doug is the originator of the in the Box series and continues to build upon his success with his latest e-Book Methodology in a Box.
Without his contributions, support, exposure, and the use of his Methodology in the Box templates and text this document would not be the same. Thanks again Doug, you ROCK!
Special thanks to Phil Duffield of SIA Network in Van Nuys, California, who introduced me to Citrix solutions. Phil is a huge Citrix evangelist and remains my main resource and mentor in the information technology industry. Phil also contributed his time to spell and grammar check several chapters. For those of you who have read my rough drafts, you know that Phil spent a lot of time and effort cleaning up my work. Therefore, it goes without saying that Phil has been crucial in the creation of this project. Thanks again Phil!
Document Revision History
Being the first version of MSAM in a Box, I must admit it is still rough and will remain so for a couple more releases. With this in mind, please stay tuned to my home page http://www.rnetworkx.com for the latest version of this project and to the following document revision history section for the latest additions to this document.
Please send any and all suggestions and or comments to: [email protected]
Date Version Updated By Description of Changes
June 16, 2003 2.0 Roddy Rodstein First Release
Future Additions:
• Secure Gateway and Logon Agent defined
• MetaFrame Index Server
• Access Center Design
How to Use MSAM in a Box 1.0
This document was developed to provide network administrators, Webmasters, project managers, evaluators, and reviewers with a general reference to assist in the design and development of a successful access solution with MetaFrame MSAM. With all of MSAM’s wizards to show you the way and a detailed project plan in hand, you can install MSAM, configure access to corporate resources, brand the interface, test it, and deploy MSAM in days, not weeks, months, or years!
Important: Procedures and settings in this guide may not be appropriate for enterprise deployment and scalability. For complete deployment information, including capacity sizing, hardware and software requirements, and configuration issues, see the Guide to MSAM on the MSAM distribution CD.
Prerequisites
A working knowledge of:
• Microsoft Windows 2000 Server
• .NET Framework v1.0
• Microsoft Internet Information Services (IIS)
• Citrix MetaFrame XP
• HTML
Finding Online Help
For additional assistance, turn to the online help files in the Access Manager Console or CDAPad. Online help is available in most MSAM wizards. For example, on the wizard page where you select a custom header, an online help topic gives an overview of the header topic. Click Help at the bottom of the wizard window for help with options and settings. The online help available in the Access Manager Console provides overview topics that explain concepts and procedures. Use the Contents tab on the left of the help window to display a list of topics.
TABLE of CONTENTS
SECURE ACCESS MANAGER OVERVIEW... 9
APPLICATION INTEGRATION USING CDAS AND WEB PARTS... 12
ROLE-BASED ACCESS... 15
CITRIX METAFRAME INTEGRATION... 17
ACCESS CENTERS “LOOK AND FEEL”... 17
ARCHITECTURE... 19
Access Manager Console (AMC)... 20
Secure Gateway (SG)... 21
Communication Ports ... 23
ACCESS CENTER HOME PAGE... 24
WEB INTERFACE (WI) OVERVIEW... 26
MSAM & MICROSOFT SHARE POINT PORTAL SERVER V 1.0... 29
DOCUMENT MANAGEMENT... 31
WEB PARTS... 32
DEPLOYMENT METHODOLOGY... 38
DEPLOYMENT PHASES OVERVIEW... 39
Analysis... 40
Analysis phase (Business and Technical) ... 40
Infrastructure Assessment (4 parts) ... 41
Proof of Concept (POC) ... 41
Rollout phase ... 41
WHAT MAKES AN EFFECTIVE MEETING? ... 42
VISION AND STRATEGY PLANNING... 43
VISION AND STRATEGY PLANNING CONSIDERATIONS... 44
ANALYSIS PHASE... 47
ANALYSIS OVERVIEW... 47
Project Scope, and Statement of Work... 48
USER COMMUNITIES... 49
INTERVIEWING COMMUNITY MEMBERS... 50
Interview Process... 51
AVAILABLE CDAS... 53
INTEGRATION POINTS & CORE SERVICES... 54
METAFRAME XP & UNIX PRESENTATION SERVER... 55
BUSINESS INTELLIGENCE... 55
BI Applications ... 56
COLLABORATION... 56
Collaboration Conclusion: ... 58
CONTENT MANAGEMENT (CM)... 58
DOCUMENT MANAGEMENT ... 60
DOCUMENT MANAGEMENT COMPONENTS AND FEATURES... 61
Repository ... 61
Workflow... 61
Search ... 61
DMS CONSIDERATIONS: ... 62
INDEXING AND SEARCHING... 62
THIRD-PARTY INDEXING AND SEARCH SOLUTIONS... 63
SUPPORT, FAQS AND HELP DESK APPLICATIONS... 63
FAQS SITES... 63
SINGLE SIGN-ON... 65
Password synchronization ... 66
Single sign-on ... 66
Access management software... 66
SSO OVERVIEW... 66
Meeting Your Requirements... 67
URL-BASED APPLICATION INTEGRATION ... 68
MACROMEDIA FLASH COMMUNICATION SERVER MX... 68
HTML WEB FORMS... 72
ACCESSING LOCAL APPLICATIONS FROM A WEB PAGE... 72
INTEGRATION POINTS & CORE SERVICES CONCLUSION... 73
PROJECT PLAN ... 77
INFRASTRUCTURE ASSESSMENT... 81
PROOF OF CONCEPT ... 82
WORKSPACE DESIGN... 83
DESIGN GOALS... 85
DESIGN CONSIDERATIONS... 86
PERFORMANCE AND NAVIGATION GOALS... 86
INTRANET INTEGRATION... 87
MULTI-PORTAL ENVIRONMENT... 88
IN ANALYSIS - CHECKPOINT... 89
DESIGN OVERVIEW ... 89
IMPLEMENTATION OVERVIEW ... 90
IDENTIFYING MSAM COMPONENTS... 91
CONTENT DELIVERY SERVICES... 91
CONTENT DELIVERY AGENTS (CDAS)... 92
Global CDAs... 92
Pages... 92
Themes ... 92
Users ... 93
Roles ... 93
EXTENSIBLE MARKUP LANGUAGE (XML)... 93
MSAM SERVICE COMPONENTS... 94
State Server ... 94
Agent Server... 95
Server Farm Database... 95
Web Server... 95
Secure Access Manager Console ... 96
MSAM SERVICES... 96
CDA DIRECTORY... 97
INSTALLATION PREREQUISITES ... 97
INSTALLING THE OPERATING SYSTEM (MICROSOFT WINDOWS 2000 SERVER)... 98
INSTALL MICROSOFT WINDOWS INSTALLER VERSION 2.0. ... 99
INSTALLING THE .NET FRAMEWORK WITH SP2 ... 100
MSDE OVERVIEW... 103
UPGRADING FROM MSDE TO SQL 2000 SERVER... 104
SQL SERVER LICENSING ... 105
INSTALLING AND CONFIGURING MICROSOFT SQL SERVER 2000 ENTERPRISE EDITION ... 105
HOW TO CHANGE THE DEFAULT SQL LOGIN AUTHENTICATION MODE... 111
INSTALLING MICROSOFT DATA ACCESS COMPONENTS (MDAC) ... 112
NFE & MSAM UPGRADE ISSUES... 114
Media_Devices.xml... 115
Config.xml Code ... 115
MSAM INSTALLATION... 117
INSTALLING MSAM (SINGLE SERVER INSTALL) ... 119
INSTALLING THE SECURE ACCESS MANAGER CONSOLE ON A WORKSTATION... 123
CONFIGURE THE AMC CONSOLE... 126
BUILDING YOUR FIRST ACCESS CENTER... 128
ACCESS CENTER BRANDING & CUSTOMIZATION ... 131
LOGIN PAGE ELEMENTS... 132
Header... 132
Themes... 133
Login CDA... 133
Page Template ... 133
BRANDING THE HEADER... 134
IMPORT A CUSTOM IMAGE... 138
CONFIGURING A DEFAULT THEME... 141
ADDING AN IMAGE TO THE HEADER... 142
ADDING A BACKGROUND IMAGE IN THE HEADER ... 146
MODIFYING PAGE TEMPLATES ... 152
ACCESS CENTER CUSTOMIZATION WITH WYSIWYG EDITORS ... 155
CDAPAD & WYSIWYG EDITORS... 156
USING DREAMWEAVER AND FRONTPAGE WITH CDAPAD... 159
THEMES OVERVIEW ... 159
CASCADING STYLE SHEETS OVERVIEW... 161
EDITING STYLE SHEETS WITH CSS EDITORS & NOTEPAD... 162
MODIFYING PAGE ELEMENTS WITH CSS... 162
CREATING CUSTOM THEMES... 164
HEXADECIMAL COLOR CODES... 165
DETERMINING HEX VALUES WITH PAINT SHOP PRO... 168
BRANDING AN ACCESS CENTER WITH A HEADER IMAGE AND CUSTOM THEME... 170
USING CUSTOM IMAGES WITH THEMES... 178
CUSTOMIZING THE LOGIN CDA... 179
REFERENCING IMAGES FROM THE LOGIN CDA... 185
TURNING OFF THE LOGIN HEADER... 186
REMOVE THE HEADER BORDER... 187
ADD A PERSONALIZED WELCOME MESSAGE AND DATE TO THE HEADER ... 189
CUSTOMIZING ACCESS CENTER PAGES... 190
ACCESS CENTER PAGE ELEMENTS BREAKDOWN... 190
Header... 191
Themes... 191
Page Template ... 192
Navigation Menu... 192
CDAs and Web Parts ... 192
Footer ... 192
NAVIGATION MENU & CDA HEADER IMAGES MODIFICATIONS... 193
CDA HEADER NAVIGATION IMAGES... 194
ELIMINATE WHITE SPACE AROUND CDAS... 195
MODIFYING MSAM’S DEFAULT NAVIGATION MENU TEXT OVERVIEW... 195
XSL FILE OVERVIEW (CONVERSION.XSL)... 196
Menu CDA Components... 197
MODIFYING THE CONVERSION.XSL FILE... 197
ADD ... 198
LAUNCH ... 198
MY PAGES ... 199
CUSTOMIZING THE SESSION INITIATION PAGE (SESSIONINIT CDA)... 200
ADDITIONAL RESOURCES... 202
Preface
Welcome to the latest book in the “In the Box” series. My goal was to provide you with the tools you’ll need to plan and successfully deploy MSAM. I understand that access solutions may be new to many network administrators, so I’ll try my best to explain how to analyze, plan, deploy, and close out a successful MSAM deployment with a project-oriented approach.
This document is a work in progress; please excuse any grammatical errors, formatting problems, and incomplete sentences and sections.
way I am. I truly believe MSAM in a Box can help take you and your MSAM project to the next level.
Please, take the examples provided here at face value, and do not expect to apply them ‘as is’ to your environment. Each IT environment is unique, and as we all know, extremely complex. But, by applying some of the techniques presented here, as well as seeking professional services assistance at key points, you can minimize the risk factors and maximize the probability of success.
MSAM is access infrastructure which offers corporations a way to provide role-based access to information and services in a Business to Employee (B2E), Business to Business (B2B), Business to Consumer (B2C), and even an Enterprise Information Portal (EIP) format. MSAM offers a single, uniform point from which all of an enterprise’s information and services can be securely deployed and accessed from a Web browser. The biggest risk any Web deployment faces is lack of adoption. An intra/extranet solution is successful only if employees use it.
Roddy Rodstein, MCSE, CCEA, CCNA
Enterprise Systems Engineer, Northern California Citrix Systems, Inc.
Secure Access Manager Overview
The next several chapters will provide an overview of the business needs that MSAM addresses as well as look at all the various pieces that make up an MSAM infrastructure. We’ll begin with a quick overview and then examine MSAM features and architecture. Each topic in the overview section will be covered in greater detail in subsequent chapters.
MSAM is access infrastructure which offers corporations a way to provide secure role-based access to corporate information and services in a Business to Employee (B2E), Business to Business (B2B), Business to Consumer (B2C), and even an Enterprise Information Portal (EIP) solution without the need for developers or a VPN. A single MSAM infrastructure can support multiple environments, enabling organizations to deliver corporate content to their users as a B2E as well as securely delivering services to partners and customers. MSAM offers users a single point from which all of their job-specific applications, data, corporate information and services can be securely accessed from any Web browser. All of this is accomplished without writing a single line of code! MSAM consists of two infrastructure components, the Access Center and Secure
an integrated index server which allows internal data like Office documents on file servers and existing intranet content, as well as external Web sites, to be indexed and searched. The SG component is an end-to-end SSL/TLS solution providing VPN-like security without the need for a VPN. This allows users to securely access their corporate services from any Web browser over a LAN, WAN, dial-up or wireless connection, without a preconfigured VPN client.
Most corporations deliver services in a distributed computing environment where users control local and network applications and data from their workstation. Workstations typically are equipped with an office suite from Microsoft or Sun as well as general-purpose applications like Adobe Acrobat Reader and WinZip. Users create and maintain data with local, network and Web applications, and save that data locally as well as on network drives. As the amount of corporate information and services grows, this type of environment puts users in a position to spend a fair amount of time looking for their stuff on their local workstation and on the corporate network. We all know that finding the specific information we need on a corporate network can be a challenge.
The following image shows a typical LAN environment supporting standard IT services and how a user’s environment is spread throughout the LAN.
content and securely deliver services based on job roles. Using the above example, when our user accesses an MSAM Access Center (Web site) from the office or remotely, she gains secure access to the same work environment. The main difference between the two models is that one supports a stationary distributed work environment and the latter supports a centrally managed portable work environment that can be securely accessed from anywhere. The SG is the component that provides the ability to securely access a preconfigured work environment from any workstation with a LAN, WAN, dial-up or wireless connection.
MSAM offers corporations a way to migrate from a distributed environment to a centrally managed environment where access to corporate services is available to users anywhere. MSAM can securely deliver productivity applications, Web services, data on file servers, databases, as well as intranet and external Web content directly to users’ desktops. With MSAM users can securely access a consistent environment from any workstation in the office, at home or on the road.
The following image shows how MSAM aggregates corporate services and delivers them to users in a Web browser. Access to a corporation’s entire infrastructure can be managed with MSAM.
The following image shows an Access Center page delivering role based access to productivity applications, Web services, file server, data bases as well as existing
pages. Access can be configured at the folder and page level allowing very granular control to resources.
The following example breaks down the components of an Access Center page.
Application Integration using CDAs and Web Parts
MSAM provides numerous adapters which offer administrators the ability to integrate existing IT infrastructure components without writing a single line of code. Application and content integration is done within the Access Management Center (AMC) with Citrix Content Delivery Agents (CDAs) as well as Microsoft Web Parts. CDAs allow rapid integration of applications and content from various sources like Citrix MetaFrame XP and MetaFrame for UNIX, Web applications, Web Services, Web Forms, shared directories on file servers, databases, and Document Management solutions, as well as various email clients. Microsoft Web Parts enable rapid integration of applications and services like Microsoft Outlook Smart Inbox, Microsoft Great Plains Business and Microsoft Office Spreadsheet Solutions, and syndicated external MSN & MSNBC content such as news, stock reports and weather. Once again, all this is accomplished without writing a single line of code!
CDAs and Web Parts are modules of code that acquire content from an application or a Web site and display the content within an Access Center. Access Center pages can contain one or more CDAs and Web Parts.
CDAEXCHANGE that develop, test and freely distribute CDAs. Visit http://cdaexchange.com to see what CDAs are being developed and freely distributed.
Tip: Visit Particle Software’s homepage @ http://www.particlesoftware.com/ to have a look at one of their products called IntraLaunch. It’s packaged as a CDA and is licensed on a per-user basis. It allows users to access local resources from an Access Center.
The following table lists the in-the-box Citrix CDAs, the CDAs from CDAEXCHANGE (http://www.cdaexchange.com), and the Microsoft Web Parts which are available on the Internet from the Microsoft Web Part Gallery.
Note: Citrix does not endorse CDAEXCHANGE CDAs.
in-the-box Citrix CDAs CDAEXCHANGE Web Parts
• Account Summary for Documentum
• Adapter for Lotus Notes Web access
• Adapter for Microsoft Share Point
• Adapter for Stellent
• Advanced search for Documentum
• Adapter for Netmeeting
• Alert Broadcaster
• Alert Broadcast Manager
• Database Viewer
• Program Neighborhood
• Embedded Application
• Event CDA for eRoom
• Interactive Poll
• Internal Search
• Message Center
• My Account for Documentum
• Personnel CDA for eRoom
• Personnel Locator
• Shared Documents
• Website Viewer
• Web Favorites
• Search
• Search CDA for eRoom
• Web Search
• World Clock
• Local Application Access
• SAP Adaptor
• Change Password CDA
• Citrix Support
• Calendar
• AskJeeves Search
• Embedded Media Player
• Lycos Search
• Google Search
• Database Driven News Scroller
• Local File Explorer
• UK Weather Map
• Basic Calculator
• Clock Dashboard
• Personalized Weather Content
• MS Outlook Smart Mailbox
• MS Outlook Smart Contacts
• MS Outlook Smart Calendar
• MSN Encarta Reference
• MSN MoneyCentral Search
• MSN MoneyCentral Stock Quotes
• MSN MoneyCentral Stock Ticker
• MSN MoneyCentral Search
• MSNBC Business News
• MSNBC Stock News
• MSNBC Stock Quote List
• MSNBC Weather
• .NetWire News
• Hoovers Business Buzz
• Hoovers Capsule Search
• Hoovers City Guides
• Hoovers Headline News
• Hoovers Industry Updates
• Hoovers IPO Alerts
• Hoovers IPO Hot List
• Hoovers IPO Week Rating
• Hoovers IPOs on Deck
• Hoovers Simple Search
• Hoovers Weather
• Industry News — Aerospace & Defense
• Industry News — Automotive & Transport
• Industry News — Banking
• Industry News — Chemicals
• Industry News — Computer Hardware
• Industry News — Computer Software & Services
• Industry News — Conglomerates
• Industry News — Consumer Products (Durables)
• Industry News — Consumer Products (Non-Durables)
• Industry News — Diversified Services
• Industry News — Drugs
• Industry News — Electronics
• Industry News — Energy
• Industry News — Financial Services
• Industry News — Food, Beverage & Tobacco
• Industry News — Health Products & Services
• Industry News — Insurance
• Industry News — Leisure
• Industry News — Manufacturing
• Industry News — Materials & Construction
• Industry News — Media
• Industry News — Metals & Mining
• Industry News — Real Estate
• Industry News — Retail
• Industry News — Specialty Retail
• Industry News — Telecommunications
• Industry News — Transportation
• Industry News — Utilities
• Factiva Search Form Module
• Factiva Search Box Module
• Factiva Track Summary View Module
• Factiva Track Folder View
To address specific integration needs, CDAs can be easily created with the MSAM SDK (CDAPad), Visual Studio .NET and WYSIWYG editors like FrontPage and Dreamweaver MX. CDAPad is included in the Secure Access Manager SDK and is available at no cost from http://citrix.com/cdn.
Note: Citrix considers Microsoft's Visual Studio .NET as the preferred CDA development tool.
Role-based Access
Each time I have the opportunity to give an MSAM presentation, I’ll ask the audience if they currently have an intranet. Normally most of the attendees will raise their hands. The next question is if they actually use the intranet. Roughly 80% answer no!
Over the years I’ve had the opportunity to build as well as see a lot of very interesting intranet sites. I’ve talked with numerous intranet developers as well as their end users. There seem to be several common problems with intranet deployments. Users are simply overwhelmed with information and are unable to find anything they need. This problem appears to be a combination of information overload and poor design. Typically intranet initiatives start as a small departmental project with strong management sponsorship and wind up growing over time to become huge, out-of-control Franken-Portals. I’ve had the opportunity to navigate a bunch of these monsters and they often boast hundreds and in some cases even thousands of links, pages and applications. They completely overwhelm their users with information, which turns users away.
portal to find what they are looking for. The registered users on the other hand receive role-based access to their desired content.
I’m finding that a lot of customers turn to MSAM to salvage the content from their Franken-Portals. MSAM allows the quick and simple importation of the useful information and services from the Franken-Portal(s) to an MSAM infrastructure. This allows you to manage and deliver only the required information and services (role-based access) to your user communities, unlike a Franken-Portal which delivers 100% of its information and services to each user that visits the site. MSAM supports the configuration of role-based access from the menu structure, which consists of folders and pages.
The following image shows MSAM’s menu structure displaying seven folders. The Departments folder has been selected, which reveals the pages it contains.
Note: Administrators can configure access to resources at the folder as well as the page level. As an example, a small business may require 25 pages within six folders to provide access to all their IT resources. Access can be granted at the folder as well as the page level, which provides administrators the ability to configure granular access to an organization’s information and services. Role-based access allows a corporation to provide their user communities with only the information they need, which avoids the information overload common to most intranets and portals.
The following images show how role-based access is used to build out MSAM’s dynamic menu. Each of the roles, IT Administrators, Sales, Assembly Line Worker and Intern, is configured to allow users to receive access to one or all of the six folders and 25 pages. Note how each of the four access roles allows the users to see different folders and pages.
(Images: menu as seen by IT Administrators; Assembly Line Worker; Intern)
Citrix MetaFrame Integration
MSAM provides seamless integration to single and multiple Citrix MetaFrame XP and MetaFrame for UNIX server farms via the Program Neighborhood CDA and the Embedded Application CDA. MSAM supports a full-featured Program Neighborhood client, as well as the ability to embed multiple applications in a page, allowing administrators to configure a page with Program Neighborhood as well as embedded applications, as shown in the following example.
MSAM does not necessarily require Citrix MetaFrame XP or MetaFrame for UNIX to run. MSAM supports the ability to deploy applications via Citrix CDAs (other than the Program Neighborhood and the Embedded Application CDAs), Microsoft Web Parts, .NET and URL-based applications like Microsoft’s Share Point Portal Server, Macromedia’s Flash Communication Server, SAP and PeopleSoft applications right out of the box.
Access Centers “Look and Feel”
Access Centers have a default look and feel which can be branded and customized to suit any organization’s needs. A branded Access Center strengthens corporate identity and creates an online experience that is consistent with how a user views an organization. Every company has a unique look and feel or corporate "brand." This includes things such as corporate colors and palette, company logo, standard fonts, and Web page headers and footers. As you develop an Access Center it can be modified to follow corporate look and feel standards. The look and feel can be easily modified with the AMC, a WYSIWYG editor like Dreamweaver MX, a text editor like Notepad, as well as CDAPad. The following example shows a default Access Center login page.
The default login page can be branded to look like any corporate homepage. The username, password, Log in automatically and Log in button elements can be customized and placed anywhere within the page. Your existing home page look and feel can be easily copied.
Architecture
MSAM consists of two infrastructure components, the Access Center and Secure Gateway (SG). As discussed above, the Access Center infrastructure allows the creation, customization, and maintenance of Access Centers as well as the importation and configuration of role-based access to corporate content. The SG extends the reach of corporate services to users accessing internal applications and content over the Internet. The entire infrastructure can be installed on two machines.
Access Center
The Access Center infrastructure is composed of basic service components, which can be installed on one or more physical machines, depending on client requirements. The following are the Access Center server components:
• State Server
• Agent Server
• Database for Auditing and Repository
• Web Server
• Index Server
• Secure Gateway
• Access Manager Console
Access Manager Console (AMC)
MSAM simplifies administration and integration of corporate information and services into individual Access Centers via the Access Manager Console (AMC), which runs within the Microsoft Management Console (MMC). The Access Manager Console is a wizard-driven, centralized management console which allows administrators to manage the entire MSAM infrastructure from one single location. Within the AMC, Access Centers, folders and pages can be created and configured with access roles to designated corporate services. You can install the Access Manager Console on any Windows 2000 or XP domain machine. The Access Manager Console can be used remotely as well. The Secure Access Manager Console supports:
• Multi-Access Center administration
• Multi-farm administration
• Multi-server administration
• Role configuration
• Page creation and layout
• CDA, Web Part and content importation and configuration
• Import/Export Access Centers
Secure Gateway (SG)
SG is the bundled security infrastructure software which allows the aggregation and secure deployment of a wide range of internal and external content. SG tunnels HTTP, HTTPS and ICA traffic and integrates with NT, Active Directory and LDAP directories. This allows authenticated clients to securely access their internal content over the Internet. A new feature allows the configuration of Access Control Lists for internal content, which provides an even greater level of assurance that only the intended internal resources will be available through the gateway. In order to access other internal Web servers through the gateway, users run a small ActiveX control in their browser called the Gateway Client. This control acts as a localhost proxy, intercepting traffic and sending it through the encrypted tunnel to the gateway. A collection of ASP scripts called the Logon Agent delivers a login form to users before they are allowed to access an Access Center or any other internal Web servers. The Logon Agent communicates with an Authorization Service (AS) housed by MSAM to authorize HTTP traffic. Other components from version 1.x of the Secure Gateway are still included as well. The Gateway Service listens for incoming SSL traffic, decrypts it and relays it to servers on the trusted network.
Another important new item is the Secure Gateway Proxy. This component is a Secure Gateway service that can proxy traffic from another Secure Gateway service to a trusted network. Using a Secure Gateway Proxy it becomes possible to deploy SG at
The following image shows an SG MMC Snap-in.
SG uses the SSL V3.0 and TLS V1.0 protocols to secure connections between the ICA client and web browser and the Secure Gateway, and between the Secure Gateway and the CSG Proxy, Authentication Service (AS), Secure Ticketing Authority (STA) and Login Agent.
In all cases, any SSL connection must adhere to the following guidelines:
• A root certificate is needed on the component that initiates the connection (the SSL client)
• A server certificate is needed on the component being secured (the SSL server)
• The SSL client must address the SSL server using its fully-qualified domain name
• The subject of the SSL server’s certificate must match the FQDN used by the SSL client
• The SSL client must be able to resolve the SSL server’s FQDN to an appropriate IP address
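The five guidelines above can be turned into a pre-deployment check. The following is an added example (not Citrix code): it takes the name the SSL client is configured to use, the SSL server's certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and the client's root store, modelled simply as the set of root CA names it trusts (an assumption; real chain validation also checks signatures and validity dates). The certificate, root store and resolver are constructed so the check runs offline, and name matching also accepts subjectAltName entries and a single-label wildcard, which goes beyond the guide's "subject must match" wording.

```python
"""Offline checker for the Secure Gateway SSL connection guidelines.

Added example, not Citrix code. The certificate, root store and DNS data
below are constructed sample values.
"""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

Problem = Tuple[int, str]  # (guideline number 1..5 from the list above, detail)


def _rdn_value(rdn_seq, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of a getpeercert() RDN sequence."""
    for rdn in rdn_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _cert_dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: subject CN plus DNS subjectAltNames."""
    names = []
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.append(cn)
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def _name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive exact match; a leading '*.' matches exactly one label
    (assumption: the usual browser rule; the guide only says 'must match')."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        p, h = pattern.split("."), fqdn.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return pattern == fqdn


def _is_fqdn(target: str) -> bool:
    """True for a dotted host name; False for an IP literal or a bare short name."""
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        return "." in target.strip(".")


def check_sg_ssl_link(client_target: str, server_cert: Dict, client_root_cas,
                      resolver=socket.gethostbyname) -> List[Problem]:
    """Return the guidelines the configured link violates (empty list = all pass)."""
    problems: List[Problem] = []
    if not server_cert:
        problems.append((2, "no server certificate installed on the SSL server"))
        return problems  # nothing further can be checked without a certificate
    issuer = _rdn_value(server_cert.get("issuer", ()), "commonName")
    if issuer not in set(client_root_cas):
        problems.append((1, "root certificate %r is not in the SSL client's store" % issuer))
    if not _is_fqdn(client_target):
        problems.append((3, "SSL client addresses the server as %r, not by FQDN" % client_target))
    names = _cert_dns_names(server_cert)
    if not any(_name_matches(n, client_target) for n in names):
        problems.append((4, "certificate names %r do not match %r" % (names, client_target)))
    try:
        resolver(client_target)
    except OSError:  # socket.gaierror is an OSError subclass
        problems.append((5, "SSL client cannot resolve %r" % client_target))
    return problems


# Constructed sample data: a gateway certificate as getpeercert() would return it.
GATEWAY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "gateway.example.com"),)),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "gateway.example.com"),),
}
CLIENT_ROOT_CAS = {"Example Root CA"}
_FAKE_DNS = {"gateway.example.com": "192.0.2.10"}


def fake_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname so the example runs offline."""
    try:
        return _FAKE_DNS[name.lower().rstrip(".")]
    except KeyError:
        raise socket.gaierror("Name or service not known")


def failing_guidelines(client_target: str, server_cert: Dict = GATEWAY_CERT,
                       roots=CLIENT_ROOT_CAS, resolver=fake_resolver) -> List[int]:
    """Convenience wrapper returning just the sorted guideline numbers that fail."""
    return sorted(n for n, _ in check_sg_ssl_link(client_target, server_cert, roots, resolver))


if __name__ == "__main__":
    for target in ("gateway.example.com", "192.0.2.10", "gateway"):
        print(target, failing_guidelines(target))
```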
The SSL/TLS key generation phase of the SSL/TLS handshake is a computationally intensive operation. MSAM makes use of SSL/TLS session ID reuse, which avoids repeating the key generation phase for every connection.
MSAM supports a range of commercial and government cipher suites, which allows customers to remove weak cryptography and meet government requirements for the use of FIPS 140-certified ciphers.
The following is a list of supported cipher suites:
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_RC4_128_SHA
The following diagram highlights SG infrastructure in a single DMZ design.
The following highlights SG infrastructure in a double DMZ design.
Communication Ports
Communication Partners                        TCP Port
CMC -> MetaFrame XP                           2512
MetaFrame XP -> MetaFrame XP                  2513
MSAM -> MetaFrame XP                          80 or 443
MSAM -> Secure Ticket Authority               80 or 443
Secure Gateway -> Secure Ticket Authority     80
Secure Gateway -> MetaFrame XP                1494
MetaFrame XP -> Data Store                    1433 (SQL)
Client -> MetaFrame XP (Internal)             1494
Client -> Secure Gateway (External)           443
Access Center Home Page
Administrators can select any configured page as a user’s home page. A home page is the first page a user sees after she has successfully authenticated. As an example, a small company has configured 25 pages to deliver access to all their internal and external resources. Generally a home page would be one of the 25 pages, configured to offer full desktop functionality including productivity applications, user-specific data (My Documents), a shared departmental document store, corporate address book, company news, corporate instant messaging, instructional videos, voice and video support, and sticky content like local weather and industry-specific news.
The above example illustrates how an Access Center is presented to a user, enabling her to work in an environment where productivity applications, personal and corporate data are securely delivered to her anywhere via a Web browser. This environment is completely maintained centrally and is securely delivered to a Web browser located on a LAN, WAN, dial-up or wireless network connection.
MetaFrame Web Interface (WI) and MSAM Feature Comparison
I wanted to spend some time talking about the differences between the Web Interface for MetaFrame and MSAM. There is a lot of confusion between the two products and I hope to provide you with sufficient information to allow you to decide which product is appropriate for your environment.
The following table highlights a feature comparison:
High Level Features                                                             Web Interface  MSAM
Provide access to MetaFrame Presentation Server Applications via a Web browser  Yes            Yes
Provide role based access to corporate content                                  No             Yes
Provide secure connections with SSL encryption                                  Yes            Yes
Tight integration with Active Directory, NDS, LDAP and NIS+ directories         Yes            Yes
Access applications and content via CDAs and Web Parts                          No             Yes
User personalization                                                            No             Yes
Central administration to corporate services                                    No             Yes
Integrated security infrastructure (Secure Gateway 2.0)                         No             Yes
Integrated Index Server                                                         No             Yes
Web Interface (WI) Overview
In a nutshell the WI is nothing more than a Web-based version of Citrix Program Neighborhood with the ability to deploy Citrix ICA clients. For you non-MetaFrame folks, Program Neighborhood is a Citrix ICA client which allows virtually any client device to connect to a MetaFrame server and run applications that execute completely on the Citrix MetaFrame servers, à la the mainframe computing model. Program Neighborhood provides users with a login, and once successfully authenticated users receive their approved applications.
There are a total of two static web pages that users interact with when accessing applications via the WI. Each page can be branded and customized by a developer or webmaster.
Let’s start by having a look at Program Neighborhood to illustrate what features the WI offers. Program Neighborhood is a full featured ICA client which allows users to connect to Citrix servers and applications as well as configure specific connection parameters. Program Neighborhood is accessed by double clicking a Program Neighborhood icon from the desktop, start menu or program menu.
The following image is the Program Neighborhood icon commonly found on the desktop.
In the above example an Application Set which allows access to approved Citrix MetaFrame powered applications has been pre-configured for the user. Once the SF-CTXS icon is clicked a user would receive a login screen where they would need to enter user name, password and domain name in the text fields to authenticate and receive a list of approved applications.
The following image is the Program Neighborhood login window.
Both Program Neighborhood and the WI present users with the same two windows: a login window and, once successfully authenticated, a window that contains icons for approved applications. The primary difference is that the WI is browser based. With the WI, users interact with two static HTML / ASP pages. The first page allows users to enter their login credentials and, if successfully authenticated, the second page provides role-based access to MetaFrame powered applications.
The following example shows a default Web Interface login page.
user’s workstation even though it is actually installed and executing 100% on a Citrix MetaFrame XP or UNIX Presentation Server.
WI solutions are generally used exclusively to access MetaFrame applications.
Occasionally customers will brand and build out a WI site as a corporation’s intranet or extranet solution. When corporations utilize the WI as an intra/extranet solution we see that over time, as additional functionality like Web links and Web applications as well as departmental and geographical regional pages and links are added to the logon and application pages, information overload occurs. As discussed in the previous section, information overload is very common in large intranet solutions, as the continual addition of information and services over time simply overwhelms users. Typically when an intra/extranet site grows over time it transforms into a dreaded Franken-Portal with hundreds and in some cases even thousands of links, pages and applications. These solutions generally become too big to manage and users generally are unable to find anything. This is information overload!
When confronted with a Franken-Portal situation, a great way out of the information overload environment is to integrate the useful content from the Franken-Portal(s) to an Access Center via the AMC. This allows you to deliver only the required information and services (role based access) to your user communities unlike a Franken-Portal which delivers 100% of its information and service to each user that visits the site.
MSAM & Microsoft Share Point Portal Server v 1.0
search functionality as well as limited Microsoft back-office integration via Microsoft’s Web Parts. To fully leverage Share Point Portal Server’s advanced document management features, users accessing Share Point require a fully equipped Windows workstation with Office XP as well as the Share Point Portal Server extensions (an excellent example of the distributed computing model). Users can access the document management features from a Web browser as well as from Network Neighborhood. Share Point Portal Server could be considered a workstation-centric solution as it relies heavily on workstation components like local user profiles (for authentication and user personalization settings), Microsoft Office XP, Share Point Portal Server extensions, Network Neighborhood and persistent cookies.
Customers that have compared MSAM and Share Point Portal Server have noted that while they may appear similar at first glance, there are quite a number of differences. The major differences are that while Share Point is an excellent departmental single server Document Management and Search solution, MSAM is the perfect complement because it provides a scalable infrastructure which eases the configuration of secure access to existing network resources, stores user personalization settings as well as the ability to integrate existing network services other than Document Management.
MSAM makes it easier to incorporate existing network services into Access Centers via the AMC, and it stores user personalization settings within the MSAM infrastructure, not in cookies and Windows profiles located on a user’s workstation. This allows MSAM users to move between workstations and receive the same Access Center at any workstation, in contrast to a pure Share Point environment where a user would have to reconfigure each Web Part at each different workstation they visit (see the Web Parts section). With the AMC, administrators can manage a portal menu system, brand an Access Center, modify placement of applications, create and manage role based access and add content from Citrix CDAs, Microsoft Web Parts, .NET applications and Web apps. MSAM provides an infrastructure which offers secure access to virtually all your existing network services like file servers, email servers, databases and Share Point Portal Server, in contrast to Share Point Portal Server, which is a single server Document Management solution.
Another important difference between Share Point Portal Server and MSAM is that Share Point Portal Server does not require users to authenticate to access a Share Point portal; there is no login page. Share Point utilizes pass-through authentication from a user’s primary domain authentication. In contrast to Share Point Portal Server, MSAM requires users to successfully authenticate before they receive role based access to information and services. In a MSAM infrastructure, user configuration information is stored in an MSDE or SQL database, which allows personalized configurations to roam with mobile users, unlike Share Point Portal Server’s Windows profile and cookie model.
workstation and our new user would need to log on to her colleague’s workstation, access the Share Point portal, and configure the Outlook Web Part to be able to read the mail. MSAM Access Centers require authentication from the first logon page to access services, which means that users can move between workstations and gain access to their corporate content without having to make any configuration changes or directly log on to any workstation.
Let’s have a closer look at Share Point Portal Server’s document management features, and then we will have a look at Web Parts as well as how Share Point Portal Server can complement a MSAM infrastructure.
Document Management
Document management systems are becoming more important as the amount of data that organizations manage increases. Share Point Portal Server’s document management feature provides an interface to access and search documents that are grouped into categories. Share Point Portal Server’s advanced document management features include document check in/out, versioning, and publishing. Users visit pages within the Share Point Portal and, providing they have permissions and meet all the workstation requirements, can upload, download, modify and view documents.
The following image shows a Share Point Portal Server home page. Note the Categories section.
The above examples show some of Share Point’s document management features. The next sections will overview Share Point’s Web Parts, which in some cases offer user personalization and the ability to integrate various back-end components.
Web Parts
Web Parts are applications that can be added to pages in Share Point Portal Server as well as MSAM Access Centers. There are numerous Web Parts: some are free and leverage Microsoft services like Exchange server and MSNBC News feeds, while others are front ends to a 3rd party back-end service like Moreover Technology’s competitive news service (pay service). The following is a partial list of available Web Parts.
• Microsoft Outlook Smart Inbox
• Microsoft Outlook Smart Contacts
• Microsoft Outlook Smart Calendar
• BusinessObjects Microsoft SPS Portal Integration Kit
• Microsoft Great Plains Business Solutions
• Microsoft Office Spreadsheet
• .netWire Headlines
• MSNBC Weather
• MSNBC Business News
• MSN Search
• Date Header
• Encarta Search
Web Parts. Web Parts which allow user personalization do not support roaming users because the personalized configuration is stored locally at the workstation.
The following examples will show pages with and without Web Parts. The next image shows a page with no Web Parts.
The following example shows a page with the addition of two Web Parts, The Date Header and MSN search.
Note: These Web Parts do not support user personalization.
When a user clicks “Click here” in the MSNBC Weather Web Part shown above, the user is able to select a ZIP code. Once a US ZIP code is entered and “GO” is selected, the settings are saved in a persistent cookie in the user’s Windows local user profile.
The next image is the MSNBC Web Page Dialog window.
The following table shows a feature comparison between MSAM, Microsoft Share Point Portal Server 1.0 and Share Point Team Services 1.0.
MSAM, Microsoft Share Point & Team Services Portal Server Matrix
Columns: Microsoft Share Point Team Services (Team Services), Microsoft Share Point Portal Server (Portal Server), MSAM.

Core Function
  Team Services: Ad hoc information sharing
  Portal Server: Ad hoc information sharing & Enterprise search
  MSAM: Access Infrastructure

Web Site
  Team Services: Team Web sites (5–75 users)
  Portal Server: Portal Web sites (75+ users)
  MSAM: Supports multiple unique sites (1 - Unlimited)

Search Capabilities
  Team Services: Documents within team Web site and sub Webs
  Portal Server: Across multiple servers and data types
  MSAM: Enterprise wide, across multiple servers and data storage types, both internal and external

Discussion & Notifications
  Team Services: Discussions, Notifications, Surveys
  Portal Server: Discussions, Notifications
  MSAM: Discussions, Notifications, Surveys

Interface Customization
  Team Services: Browser-based, Microsoft FrontPage® version 2002, and SDK
  Portal Server: Web Parts and SDK, Microsoft FrontPage® version 2002
  MSAM: CDAPad (SDK) and any WYSIWYG editor

Document Management
  Portal Server: Versioning, Routing, Publishing
  MSAM: CDAs for Citrix MetaFrame XP, eRoom, Stellent, Documentum, Share Point, SiteScape, Twiki

Client Applications
  Team Services: Browser, FrontPage 2002 (per workstation); Office XP is required to run on each client workstation. MICROSOFT OPEN BUSINESS LIC OFFICE XP PRO LIC $414.25 plus Microsoft FrontPage 2002 (Full Version) 392-01099 $155.00 (per workstation): $569.25 per workstation
  Portal Server: Browser, Microsoft Windows® Explorer; Office XP or 2000 is required to run on each client workstation. MICROSOFT OPEN BUSINESS LIC OFFICE XP PRO LIC $414.25 per workstation
  MSAM: Browser (IE); Office XP may run on the local workstation or on MetaFrame XP servers ($6,995/20 users). No need to install Office XP on the client device. With MSAM and MetaFrame, Share Point becomes client independent.

Requires specialized administration skills
  Team Services: Yes
  Portal Server: Yes
  MSAM: No

Roles-based Security
  Team Services: Customizable roles: Administrator, Advanced Author, Author, Contributor, and Browser
  Portal Server: Administrator, Coordinator, Author, and Reader

Data Storage
  Team Services: Microsoft SQL Server™
  Portal Server: Web Storage System
  MSAM: Any

Application integration/support
  Team Services: No
  Portal Server: No
  MSAM: Yes (complete Citrix MetaFrame XP and MFU support)

Web Part Support
  Team Services: Yes
  Portal Server: Yes
  MSAM: Yes

CDA Support
  Team Services: No
  Portal Server: No
  MSAM: Yes

3rd Party application support
  Team Services: No
  Portal Server: Yes, limited support via Web Parts
  MSAM: Yes

Customizable themes
  Team Services: No
  Portal Server: No
  MSAM: Yes

User personalization
  Team Services: No
  Portal Server: Yes
  MSAM: Yes

Scalable
  Team Services: No
  Portal Server: No
  MSAM: Yes

Licensing
  Team Services: One license of FrontPage for the server; no client access licenses (CALs). FrontPage 2002 (Full Version) 392-01099 $155.00
  Portal Server: Microsoft H04-00001 MS Share Point Portal Server 2001 - License and media - 5 clients - CD - Win2000 Server, Win2000 Advanced Server, Win2000 SP1 - STD $4,900.49. MICROSOFT SHARE POINT PORTAL SERVER 2001 5-CLIENT CAL User H04-00001 bump pack $598.00
  MSAM: Concurrent user licensing @ $140.00 per user (user bumps available in packs of 25, 50, 100, and 250 for $140/user) with Citrix Subscription Advantage™
The following image shows how Share Point Portal Server fits in to a corporate infrastructure with other back-end services.
Citrix provides a CDA for Share Point which allows corporations to seamlessly integrate Share Point Portal Server content with an Access Center. With careful planning and design a Share Point Server document management solution can be seamlessly integrated and securely delivered to corporate users over the WAN, LAN, dial-up and Wireless network connection via MSAM.
The following image shows the Citrix Share Point Portal Server CDA.
Note: I’m currently working on a complete volume of MSAM in a Box dedicated to Document Management solutions and MSAM integration. Stay tuned to http://rnetworkx.com to download MSAM in a Box Document Management Solutions. Highlights will include detailed design, deployment, branding, integration as well as the pros and cons of each document management solution, like Share Point 2.0, and the latest version of Twiki as well as the Shared Document CDA with a Macromedia content management solution.
Like any IT initiative, an access infrastructure cannot succeed without a detailed plan, strong backing from management, and dedicated resources to manage and monitor the environment. The following chapters will focus on underlying deployment methodologies such as Business Requirements Analysis, Project Management, and System Design. Access solutions and content integration implementations are especially dependent on best practices and practical experience. Like other IT projects, access implementations have common fundamentals that can be taken into account to reduce engagement risk and ensure a successful deployment. My main goal is to help you meet your objectives with minimal time and investment. I hope to help you avoid unnecessary steps to shorten the decision-making and deployment timeframe by focusing on the following:
• Avoid time consuming non-value added steps
• Shorten decision making timeframe
• Identify and confirm business case
• Identify and define critical steps
• Identify and deliver business value
• Improve quality
• Reduce risks
We will break down the steps of creating an access solution plan by Business, Technical and Creative tracks. Once the initial Business Requirements Analysis (referred to in this document as a “Vision and Strategy plan”) is completed and signed off by your customer, the Technical and Creative tracks can be followed in parallel. In order to meet objectives and your timeframe there must be strong project management and communication between the Technical and Creative teams. Expect 80% of your timeframe to fall to the business track. You know the old saying: the technology is easy, it’s the people that take up all your time. That means for your project to succeed it cannot be completely IT driven.
Organizations use technology to reach strategic objectives, unite business units, corporate departments, geographical regions, and partners. MSAM plays a critical role in proactively responding to competitive market conditions and high-level corporate strategy.
The Project Management methodology that follows throughout MSAM in a Box is made up of four phases:
• Analysis
• Design
• Proof of Concept (POC)
• Rollout
Note: Each topic will be addressed in detail in following chapters.
Analysis
The Analysis phase is also known as the “setting expectations” phase. During the process of completing each segment, you spend the bulk of your time in meetings with your customer asking questions and setting the rules for the project.
The analysis phase consists of a Business track and a Technical track. The first part is the Business track and the creation of a Vision and Strategy Plan. Once this is completed and accepted by your customer we proceed to the Technical track.
Before we even consider the design phase, we must first undertake a thorough business and technology assessment. A detailed vision and strategic plan will eliminate a great deal of uncertainty and engagement risk.
Analysis phase (Business and Technical)
Business
Creating a vision and strategy plan which encompasses business needs is critical for a successful implementation. A vision and strategy plan is absolutely the first step. The following list shows the focus of the vision and strategy plan.
• Identify Business needs
• Identify Functional requirements
• Identify User needs
• Identify Architectural challenges
• Identify integration points
• Identify user roll-out and migration strategy
Technical
Once we have identified the business requirements we can focus on the technology assessment. We need to define the customer’s technical requirements based upon their access and user community needs. Identifying your customer’s user communities is especially important in an MSAM deployment as users, business units, corporate departments, geographical regions and partners will interact within Access Centers. The following list shows the areas of our focus.
• Access criteria (intra/extranet access)
• Identify user communities (business units, departments and partners)
• User and application authentication
o Directory Service (NT, Active Directory, NDS, NIS+ or LDAP)
o 3rd Party Authentication (RSA, Secure Computing)
• Single server or distributed environment
• Identify information and services (aggregation and presentation)
o Client server (CDA/Web Part, .NET, Web) applications
o MetaFrame based applications
o Corporate & Syndicated content
• Define access roles
• Branding (look and feel)
• Sketch out the entire site (all folders and pages)
Infrastructure Assessment (4 parts)
Infrastructure assessments are one of the most overlooked sections of a successful project, but one of the most important for mitigating risk. A MSAM deployment will augment the environment you deploy it to. If you place a MSAM infrastructure in a poorly designed network, you will most likely experience problems. However, if you prepare your environment and deploy to a network that meets the necessary requirements, your customer will love the outcome, and you will make more money with less hassle. The following list shows the areas of focus for an infrastructure assessment.
• Network architecture
• Hardware environment
• Client environment (desktop, browser, plug-ins, IEAK)
• Change control environment
Proof of Concept (POC)
In a Proof of Concept (POC), you create a small MSAM test environment to prove to your customer and yourself that an MSAM rollout is able to meet the vision set forth. A common attitude towards a POC is one of, “Why? I already have those applications working.” Unfortunately, this attitude misses the intention of a POC. Simply focusing on applications is only part of what a POC can accomplish.
The following list shows the POC framework.
• Build a POC
• Offer a limited pilot
• Query users about performance, content, look and feel
• Monitor server and network resources during the pilot to determine utilization needs
• Implement change management and modify the infrastructure to suit needs
Rollout phase
Note: During the first months of an implementation there are ongoing discussions between management, the portal manager and the user communities, who are encouraged to assist in the development of the Access Center.
I have broken this section down into the above four phases. Following these phases will assist you in successfully managing a project deployment.
At the end of each phase, you can present your customer with a deliverable that signifies the completion of the phase. The checkpoints at the end of each phase also act as an opportunity for you to compare your plan against what you have completed and to verify that you are still on track with the original project plan. At this point, you might need to add or subtract items. It is important to measure your progress and not just blow through each of the checkpoints. If you make a change to the plan, you should present the change and the revised plan to the customer for sign off.
Note: The project examples found throughout this document represent a specific deployment in a specific organization; in other words, they cannot be applied directly to other IT environments. It is important to remember that your projects will differ from deployment to deployment and you will need to take what you learn in this document and adapt it to your future projects.
What Makes an Effective Meeting?
Throughout a project-oriented deployment, you will be required to conduct numerous meetings with your customer. If you plan them properly, you can steer the project in the right direction. With meetings, you can gather the key players in one room, put them on the same page, work through issues that might have arisen, and make decisions.
When I first started running my own projects, I was given some great tips on what makes an effective meeting, and it might be helpful if I pass them on.
Set Objectives – The art of setting objectives is something you will get better at with experience. You want to give the attendees as much information as possible about why you have called the meeting and what you expect to accomplish. You also want to set a clear timeline.
Establish an agenda and distribute it in advance – Send your attendees an agenda and a copy of the documentation you will be presenting to them. This gives them an
participate. Asking for participation shows you are interested in what they have to say, that you like to be prepared in advance, and you don’t want to waste their time.
Start and end the meeting on time – Don’t allow interruptions or sidetracking from the agenda. Use your time as efficiently as possible. It is a good idea to set tentative times for each item and then stick to them. You can do this by the art of “on table / off table”. If you find the meeting getting off subject, you will want to take the subject “off table.” Then, when you are documenting and assigning the next steps, you can schedule time for important questions or comments.
Work through each agenda item – Assign and document action items. The agenda should document a list of action items you want to discuss. You will want to address each item and, if additional follow-up is needed, assign someone to be responsible for the task and a timeline for completion.
Document and assign next steps – If you can’t complete the action items, document the steps required for completion and the individual responsible. You can also make assignments for the items that you tabled “off table,” and schedule follow-up.
Summarize – To close the meeting, leave yourself a few minutes to summarize what has been completed and what needs following up. You should schedule follow-up meetings for sign-off on any action items that you have scheduled.
Minutes – Make sure that comprehensive minutes are taken and distributed. You can do this yourself or assign it to another person.
Vision and Strategy Planning
Creating a vision and strategy plan that encompasses the business needs of business units, corporate departments, geographical regions, partners and user needs is critical for a successful MSAM implementation. A vision and strategy plan is the first step on the road to a successful MSAM deployment.
Here is a high-level list of the “big picture” items which need to be identified, examined and planned for in a vision and strategy plan:
• Identify Business needs
• Identify Functional requirements
• Identify User needs
• Identify Architectural challenges
• Identify integration points
• Identify user roll-out and migration to portal strategy
• Problems to be solved
o Corporate-wide information sharing and collaboration should be easy
o Reduced time spent obtaining information and services from departments
o User requests should get immediate response from corporate departments
• Expected tangible and intangible benefits
o Enhancements to service delivery and user satisfaction
o Reduced error rate
• Estimated Integration
The following questions and issues related to the high-level work plan for the project should be considered:
• Has a vision and strategy plan been developed?
• Does the vision and strategy plan include all major phases, such as integration and implementation?
• How realistic is the plan?
Intra/extranet projects that do not start with a detailed vision and strategy plan usually fade away. Like any systems deployment, an access solution project cannot succeed without a detailed plan, strong backing from management, and a dedicated manager who maintains the Access Centers and manages its content. The following sections address these points and explain how to mold them into your project plan.
Vision and Strategy Planning Considerations
The first step is to address any considerations and concerns regarding the lifespan of the project. Business units, corporate departments, managers of geographical regions and in some cases partners will participate in Access Center maintenance by providing and updating content. You can delegate content maintenance to the departmental level, ensuring that content is continually updated. Content managers or your delegates can maintain corporate content from the AMC, a third-party content management solution like Macromedia’s Contribute or Microsoft Content Manager, an FTP utility, or an ASP such as Atoms. Stale, outdated content, whether within the Access Center or on a linked external site, has a negative impact on the usefulness and general impression of an Access Center. This issue falls under general content maintenance, and should be addressed by the content manager.
Implementing a unified intra/extranet solution allows an organization to consolidate file servers and databases, and to implement policy-driven file stores. With a unified intra/extranet solution, server consolidation has little impact on users. No matter where you move information and services within the back end, the user’s Access Center does not change.
staff, management, and the entire user community. Provide users with a detailed Access Center map, including detailed descriptions of the available information and services from each page. Offer hands-on training, on-line support, and instructional videos available from within the workspace. When all these pieces are in place, you can begin digitizing a business.
Note: I encourage you to jump on the internet, visit your favorite search engine and do a search for “Portal Vision and Strategy Plan”. Numerous Universities and Businesses have published fantastic documents on the internet that we can access, read and learn a great deal from.
The following is an example MSAM portal deployment vision plan.
Company ABC: Portal Vision and Strategy Example
The strategy set forth by the CIO is for portal development at Company ABC to be guided by the principle of having one “gateway” or starting point for its constituents. CompanyABC.com (www.CompanyABC.com) will be the general Web gateway for external and internal communications, content, and services.
This document summarizes a vision and strategy for utilizing CompanyABC.com as the primary portal for external and internal constituents. The list of constituents promotes a “cradle to grave” philosophy, representing prospective business units, corporate departments, individual users, and partners.
Vision
A portal is a place where information and services come together in a focused and personalized way to serve defined constituencies and create and build upon a sense of community.
The vision for Company ABC's portal is to:
• Create a seamless, centered experience by providing a single access point to disparate information and services for our constituents.
• Provide each constituent with a unique, personal, and preferred view of Company ABC.
• Create an environment where all enterprise Web initiatives complement one another.
• Leverage, to the greatest extent possible, the investments that Company ABC makes in underlying infrastructure, tools and other components that make our Web-based services work.
Strategy
years by rolling out to additional constituents, upgrading its content management system, improving and extending integration capabilities, and improving CompanyABC.com. We need to move toward a one-gateway portal by consolidating or merging unnecessary access points into CompanyABC.com and discouraging the creation of unnecessary access points. In some cases existence in CompanyABC.com will not preclude independent availability of the information or services outside the CompanyABC.com network. In other cases, such as the existing intranet, the strategy recommends phasing out alternative access points, making intranet services available only through CompanyABC.com.
The strategy encourages integrating information and services into the company Website where it makes sense, and in ways that are most cost-effective. The level and sophistication of the integration must be determined on a case-by-case basis. Integration may range from a simple link between applications, to a more complex data exchange between applications, to an even more complex program-to-program inter-communication between applications.
In the long term, the purchase of an enterprise portal framework and an enterprise content management product will likely be the most effective way to achieve Company ABC’s vision.
The complete strategy document details the need for one portal focused on internal and external constituents, describes a vision of what that portal could be, and outlines short and medium-term action items for moving toward the vision. This strategy should continue to evolve through periodic review and re-evaluation to meet the demands of the ever-changing landscape of information technology.
It is important to note that this vision and strategy does not imply the creation of an approved charter. Rather, it recommends a shift in philosophy about how we do Web development at Company ABC, how we deliver information and services, and how we prioritize Web initiatives that impact our constituents.
Benefits
The primary benefits of this strategy include the following:
• Having one portal provides a single, consistent “front door” for our internal constituents that is in line with the “one-stop service portal” concept put forth by the IBM Best Practices consortium.
• A single portal promotes cross-integration of information and services. Disparate applications and content can draw on one another, creating an information ecosystem built by the interchange and sharing of data.
• Centralized IT resources are more effective and efficient. Redundancy in Web development and infrastructure is reduced. Web technology transforms key business processes.
Challenges
While there are many benefits in pursuing a one-portal strategy, it is customary in large enterprises for individual units to have considerable autonomy and to go their "own way" when delivering content and services. There needs to be a significant and ongoing communication effort to achieve "buy-in" from all parties. You cannot decree a shift in philosophy; you need to have an ongoing conversation with all constituents. Since conversation is a hallmark of Company ABC's culture, it should be expected and welcomed as you develop a "virtual Company ABC." However, it is not practical to expect to reach consensus before moving forward. Publicize the vision and strategy widely, and then proceed on a Business Unit by Business Unit basis to start a dialogue and address each constituent's issues. This document represents the beginning of that process.
Analysis Phase
The Analysis phase is also known as the “setting expectations” phase. During the process of completing each segment, you spend the bulk of your time in meetings with your customer, asking questions and setting the rules for the project.
With a little experience and the right know-how, you can set the rules to your advantage and guide your projects toward successful completion.
The analysis phase (technical) is usually broken down into the following four segments:
• Statement of Work
• Project plan
• Infrastructure assessment
• Proof of concept
Deliverables are created for completion of each segment.
Analysis Overview
This Analysis Phase document is the first technical deliverable of the MSAM project. It explains in detail the project’s high-level business and technical vision and scope, covering:
• Statement of Work
• Project Scope
• Estimated Project Plan
• Infrastructure Assessment Findings
• Proof of Concept Findings
Project Scope and Statement of Work
Prior to any obl