State of Maine Information Technology Environment
July 23, 2009

1. Introduction
This document describes the current I.T. environment of the State of Maine. No reference to this document is complete without citing its date of issue. This document is strictly about the technology environment and not about the rates, which are posted elsewhere.

2. Oracle Database and Application Server
The Oracle environment consists of both the Oracle databases and the Oracle Application Servers. The database servers use hardware clustering for redundancy and the Oracle Application Servers use software clustering. Both Intranet and Internet access are allowed. The goal is to provide high performance, redundancy, high availability, and support for the State's Oracle Applications.
The environment consists of several Sun UNIX servers and several Microsoft Windows Server 2003 servers. The production side consists of Oracle databases running in a hardware cluster, Oracle Application Servers, Windows application servers, Internet webservers, and Intranet webservers. The test side is similar but without Internet connectivity. Minimally, each application has a test and production environment. Most also have a development environment. There exists a strict version control policy within the Oracle environment. The goal is to ensure all applications are running current, fully supported versions of Oracle and third-party tools.

3. MS SQL Server Database
A minimum of a production and a test environment is required for each application. Applications requiring HA need to support SQL 2005 database mirroring and utilize the SQL 2005 native client. Storage is provided by the EMC disk arrays. Disks are configured such that RAID 1+0 is utilized for database log files and data files. The environment is configured to optimize O.L.T.P. performance. Active Directory integrated security is the preferred option. Services such as Reporting Services, Web, and OLAP services will be added as satellite services that may rely on the Enterprise O.L.T.P. Applications should be designed using the principle of least privilege. System Administrator (SA) access will not be granted. Remote access to the operating system is prohibited. Applications that require clustering are not supported.

The CJIS SQL Server has been deployed for applications that have high security requirements. All applications utilizing this server need to meet the CJIS security requirements. This server runs SQL 2008 Standard edition X64 in an effort to keep costs down. This environment also has Analysis Services and Reporting Services available. This environment is very new and the specifications of the environment may change as new applications are loaded. The environment is anticipated to primarily serve the high security needs of certain Public Safety applications.

SQL Server 2005 Reporting Services has been loaded on 1 server to date. This environment has been created to provide for applications requiring business intelligence. SQL Standard Edition X64 was chosen in an effort to keep costs down. Reporting Services provides ad-hoc capabilities as well as pre-written reports and BI applications. Currently an instance of Reporting Services consists of hosting 2 databases on 1 of the enterprise SQL Servers, an installed instance of SQL Server Reporting Services on the reporting server, and a website on the reporting server (SQL Server Reporting Services 2005 utilizes IIS).
Reporting Services requires that Internet Explorer be utilized on the clients.

4. Windows Web Hosting
Intranet: INET is a Windows 2003 Server running Internet Information Services V6. INET provides hosting for agency intranet sites and applications. The server is located on the State's WAN and no external publishing to the Internet is provided. This is a single-server solution with no load balancing or fault tolerance. Secure Socket Layer (SSL) is available. The server supports ASP 3.0 as well as all current versions (1.1, 2.0, 3.0, and 3.5) of ASP.NET. Webpage publishing is done via FTP. In accordance with the Web Standards, both Macromedia Dreamweaver and Contribute are supported for content publishing. An INET test server (identical in configuration to the INET production server) is also available for testing purposes.

Internet: Two environments are currently provided for Internet sites/applications: PortalXW and Gateway.Maine.Gov. PortalXW supports ASP 3.0 as well as all current versions (1.1, 2.0, 3.0, and 3.5) of the ASP.NET framework. This consists of two Windows 2003 Servers running Internet Information Services Version 6. The servers are hardware load-balanced via an Alteon load balancer, and websites can be published to the Internet via the Oracle Application Server Web Cache. Secure Socket Layer (SSL) is available. Webpage publishing is done via FTP. A third, single-server test environment (configured identically to the production servers) is also available for testing purposes. SSL is available on the test server, but no publishing to the Internet (via the Web Cache) is available. Gateway.Maine.Gov supports ASP 3.0 as well as all current versions (1.1, 2.0, 3.0, and 3.5) of the ASP.NET framework. This consists of two Windows 2003 Servers running Internet Information Services Version 6. The servers are hardware load-balanced via an Alteon load balancer and reside in the State's DMZ. Secure Socket Layer (SSL) is available. Webpage publishing is done via FTP.
5. File Services
File service is provided using standard Microsoft drive mapping. Applications must be able to store essential data on servers; no applications will be allowed to run on the file server, and servers will be accessed using fully qualified DNS names. Vendors should not assume that desktops are backed up. File servers are physically distributed in order to manage WAN segment loads and access latency. Each user is allocated space for dedicated storage that is accessible only to that user and those others that have been approved by the user. A common area is allocated where files that are shared by all users in a workgroup can be placed, and all members of the workgroup have full access to that area. Other data paths can be allocated on request.

All centrally-administered storage spaces are maintained either on standard Windows Server 2003 or other applicable environments (UNIX, NAS, SAN), based on best practices for the respective data type, including regularly scheduled backups. The backup protocol is full backups once a week with incremental backups on the remaining days. Weekly tapes are retained for five weeks, with the last weekly tape of each month retained for one year. If a longer retention is required, then it must be negotiated and paid for separately. No local desktop backup is offered; therefore, all data of value should reside on the centrally-administered storage space.

HP is the prime server hardware OEM, the preferred product being the Proliant DL or ML series depending on the project. The disk subsystem is configured using RAID technology. All servers are sized to handle peak load demands. Two fans, two power supplies, and two NICs are utilized for fault tolerance (teaming), and a third NIC is configured for backup (CommVault) purposes. ILO (Integrated Lights Out) is utilized for monitoring and remote reboots, and HP Insight Manager for predicting hardware failures.
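The backup rotation stated above (a weekly full, incrementals on the other days, weekly tapes kept five weeks, the last weekly tape of each month kept one year) can be turned into a retention calculator that tells an operator which tapes must still be on the shelf on a given date. The following Python is an added example and is not part of the State's document or of the CommVault product; it assumes the weekly full runs on Saturday and that "weekly tape" means the tape holding that full backup, neither of which the text specifies. `retained_weekly_tapes` applies the rule over the preceding year, the longest retention period in the policy.

```python
from datetime import date, timedelta

# Assumption: the weekly full runs on Saturday (weekday() == 5). The document
# says only "full backups once a week", not on which day.
FULL_WEEKDAY = 5


def backup_type(day: date) -> str:
    """Full backup once a week, incremental backups on the remaining days."""
    return "full" if day.weekday() == FULL_WEEKDAY else "incremental"


def is_last_weekly_of_month(full_day: date) -> bool:
    """A weekly tape is the month's last one when the next weekly falls in a new month."""
    return (full_day + timedelta(days=7)).month != full_day.month


def weekly_tape_expiry(full_day: date) -> date:
    """Weekly tapes are kept five weeks; the last weekly tape of each month one year."""
    if backup_type(full_day) != "full":
        raise ValueError("only the weekly full backup produces a retained weekly tape")
    if is_last_weekly_of_month(full_day):
        return full_day + timedelta(days=365)
    return full_day + timedelta(weeks=5)


def retained_weekly_tapes(as_of: date) -> list:
    """Weekly tapes that must still be on the shelf on `as_of` under the stated policy.

    Scans the preceding year, which is the longest standard retention period,
    and keeps every weekly full whose expiry date is still in the future.
    """
    tapes = []
    day = as_of - timedelta(days=366)
    while day <= as_of:
        if backup_type(day) == "full" and weekly_tape_expiry(day) > as_of:
            tapes.append(day)
        day += timedelta(days=1)
    return tapes


if __name__ == "__main__":
    today = date(2009, 7, 23)  # the document's issue date, used here as a sample date
    for tape in retained_weekly_tapes(today):
        label = "one year" if is_last_weekly_of_month(tape) else "five weeks"
        print(f"{tape}  expires {weekly_tape_expiry(tape)}  ({label})")
```

Run as a script it lists, for the document's issue date, every weekly tape still under retention and when it expires; comparing that list against the tapes actually in the library is a quick way to catch a tape that was reused before its retention ended.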
All servers are monitored through Plixer WebNM, which is an agent-less, web-based monitoring and alerting tool for servers and network devices. WebNM provides a central overview of uptime and availability, event logs, and performance data. The archived collection and reporting of performance data on components such as CPU, memory, and disk space allow trends to be spotted over time. Alerting options are highly configurable and can notify a pager, email, or cell phone. WebNM supports WMI, syslog, Event Log, and SNMPv1, v2, and v3.

There exists a minimum 30-day lead time for implementing servers and other equipment into any data center. This process defines power, HVAC, rack, and other requirements.

6. Backup and Recovery
The standard backup application, except for the mainframe, is CommVault QiNetix Galaxy V6.1. The data centers at EDOC (Edison Drive Operations Center) and CMCC (Central Maine Commerce Center) each contain a Scalar i2000 tape backup system, with smaller tape libraries at a few remote sites. Disk-to-tape and disk-to-disk-to-tape are the available backup options. Backups are generally handled through the NAS EMC Celerra NS data mover, where NDMP is used to back up to tape. The State will work with vendors to determine data agent requirements, and the State is responsible for acquiring the licenses. All servers within the data centers will require a dedicated NIC for backup purposes.

7. Data Storage
The enterprise data storage environment exists to provide centralized, low-cost storage solutions for all database, file sharing, and backup projects. The environment utilizes SAN and NAS technology in the State's two primary data centers. The SAN environments are built with EMC Clarion CX series storage systems with McData and Brocade 2GB flexport fiber switches connecting over LC-LC fiber cables.
Host connectivity to the SAN has two prerequisites: 1) EMC PowerPath software to provide high availability and dynamic multi-pathing, and 2) QLogic or Emulex host bus adapters that are EMC-certified. The NAS environments are built with EMC Celerra NS series data movers in an active/passive clustered environment. Host connectivity to the NAS is provided by NFS, CIFS, iSCSI, and NDMP protocols over the existing State WAN. Both environments provide cloning and snapping capabilities.

8. Citrix Application Delivery
Citrix allows for the distribution of native desktop applications from a controlled and centralized environment. Citrix also gives poorly performing client-server applications the ability to be offered across the State network. The enterprise environment consists of: Windows 2003 operating system running Citrix Presentation Server 4.5, Citrix XenApp 5.0, XenApp Client 11, Terminal Server 2003 configured to the State's Active Directory, load balancing, high availability, failover, and redundant hardware. Citrix XenApp (formerly Citrix Presentation Server) is an application publishing product that allows users to connect to applications or a full desktop from central servers. The advantage of publishing applications or a full desktop utilizing Presentation Server is that it allows users to connect remotely from their home or any State office that is on the wide area network. The enterprise offers two models: Published Desktop and Published Application. The Published Desktop provides a user with a fully functional desktop suite delivered using either a thin or a fat client. The Published Application is a specific application published and delivered over either Citrix or Terminal Server.

9. Planet Press Printing
There are six Planet Press servers (from ObjectifLune.com) in the State.
The PlanetPress suite enables easy creation, printing, and distribution of transactional documents and business forms integrating variable data, as well as offering advanced automated workflow management capabilities. Documents created with PlanetPress can be printed in high volume, archived, emailed, and/or faxed as part of a sophisticated output management application. Two of the servers are housed at EDOC and four at CMCC. One of the Planet Press servers at CMCC is paired with an Oracle database, and another at EDOC with an MS SQL Server. The print facility has one Planet Press server located at EDOC and the other located at CMCC. Both are mirrored for disaster recovery and are also used to send print from EDOC to CMCC using SSH. Qdirect, in conjunction with both Planet Press servers, directs the print files to their destination printers.

10. Momentum Secure FTP
Momentum is the chosen product (momsys.com) for secure file transfers (both SFTP and FTPS), and its main feature is the Automatic File Director (A.F.D.). While Momentum has its own product to do FTPS transactions, the State mostly uses WSFTP_Pro Server. It is also possible to do HTTPS transactions with Momentum using Secure WebMailboxes. There is limited capability with the Secure WebMailbox feature, but it does allow users to place files into a directory using a web browser, and those files can be distributed using the A.F.D. or picked up by other clients. There are two production servers and two backup servers in the Momentum environment: two of the servers are inside the State's firewall and the other two are outside the State's firewall. Files coming from the outside are automatically transferred securely to the internal server using Secure File Transfer (S.F.T.), which is a Momentum product. Both sets of servers are installed with WSFTP and S.F.T. Momentum's S.F.T. product uses an SSL implicit connection on port 990, and WSFTP accepts SSL explicit connections on port 21.
WSFTP now supports SSH as well, using port 22. WSFTP forces clients to connect using SSL so that they cannot make plain FTP connections. The Momentum A.F.D. is utilized to push files to different servers once they reach the internal server. This is usually done using plain FTP once the files are inside the State's firewall. The State only accepts passive connections, which means files must be transferred securely to the Momentum servers and picked up by the receivers of the files in a secure manner as well. Supported clients include WSFTP_Pro, Filezilla, MoveItBuddy, CuteFTP, and CoreFTP.

11. Exchange Email
Exchange 2003 is running in native mode on six (two-node) active/passive clustered mailbox servers. All mail servers run Microsoft's Antigen virus scanner. There are approximately 13,500 mailboxes, 2000+ users per mailbox server. Each server contains three storage groups with four stores per storage group. Multiple agencies reside on each mailbox server. In addition to the mail servers, there are two Outlook Web Access servers, a server running FaxMaker faxing software, a server running Blackberry software, and one running Live Communications Server.

Two servers located in the D.M.Z. are used for incoming Internet mail. They accept mail for Maine.gov. These servers run a spam filtering product called X-wall. X-wall is configured to tag mail with a Bayes value of 60 or greater and to reject mail from mail servers that are listed on the following two spam lookup services: SPAMCOP and Spamhaus. Microsoft's Antigen SMTP Virus Scanner is installed on these mail servers as well. Relaying is currently allowed on our SMTP boxes to accommodate our application servers and POP3/IMAP clients. Incoming Internet mail is forwarded via smart-host configuration to the internal Exchange 2003 Bridgehead servers, where it is distributed to the appropriate mailbox servers. Antigen's SpamCure is used at these servers for added protection.
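The X-wall policy described above combines two checks: a DNS-based blocklist lookup of the sending server's address against SpamCop and Spamhaus, which results in rejection, and a Bayes score threshold of 60, which results in tagging. The Python below is an added example of how such a gateway decision is typically implemented; it is not X-wall's own logic or configuration. The zone names `bl.spamcop.net` and `zen.spamhaus.org` are the services' public query zones as understood by the editor and are an assumption here, and the DNS answers are constructed (RFC 5737 documentation addresses) so the example runs offline.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Assumed query zones for the two lookup services named in the text.
DNSBL_ZONES = {
    "SPAMCOP": "bl.spamcop.net",
    "Spamhaus": "zen.spamhaus.org",
}
BAYES_TAG_THRESHOLD = 60  # from the text: tag mail with a Bayes value of 60 or greater

# A resolver takes a DNS name and returns its A record as a string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the DNSBL query: the sender's IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(sender_ip: str, zone: str, resolve: Resolver) -> bool:
    """A listing is an A record inside 127.0.0.0/8; NXDOMAIN or any other address is not.

    Restricting to 127/8 keeps a wildcarded or parked zone from being read as a listing.
    """
    answer = resolve(dnsbl_query_name(sender_ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def gateway_decision(sender_ip: str, bayes_score: int, resolve: Resolver) -> Tuple[str, str]:
    """Apply the gateway policy: reject listed senders, tag high-Bayes mail, else accept."""
    for service, zone in DNSBL_ZONES.items():
        if is_listed(sender_ip, zone, resolve):
            return "reject", f"sending server listed on {service} ({zone})"
    if bayes_score >= BAYES_TAG_THRESHOLD:
        return "tag", f"Bayes value {bayes_score} >= {BAYES_TAG_THRESHOLD}"
    return "accept", f"not listed, Bayes value {bayes_score}"


# Constructed DNSBL answers (RFC 5737 documentation addresses) so the example runs offline.
SAMPLE_DNSBL_ANSWERS = {
    "7.113.0.203.bl.spamcop.net": "127.0.0.2",   # 203.0.113.7 listed by SpamCop
    "9.2.0.192.zen.spamhaus.org": "127.0.0.4",   # 192.0.2.9 listed by Spamhaus
    "5.100.51.198.bl.spamcop.net": "10.1.2.3",   # non-127/8 answer: treated as not listed
}


def sample_resolver(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup; returns None (NXDOMAIN) for unknown names."""
    return SAMPLE_DNSBL_ANSWERS.get(name)


if __name__ == "__main__":
    samples = (("203.0.113.7", 10), ("192.0.2.9", 80), ("198.51.100.5", 75), ("198.51.100.5", 20))
    for ip, bayes in samples:
        action, reason = gateway_decision(ip, bayes, sample_resolver)
        print(f"{ip:<14} bayes={bayes:<3} -> {action}: {reason}")
```

The 127.0.0.0/8 check matters in practice: a blocklist that is retired or wildcarded can begin answering every query, and without the check such answers would reject all inbound mail. The list lookup runs before the Bayes threshold because it needs only the connecting address, not the message body.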
There are three ZixVPM gateway servers used for encrypting mail for approximately 150 users. All outgoing mail is directed to these ZixVPM servers before going to the Internet. Incoming Internet mail for zixvpm.Maine.gov is decrypted at the ZixVPM gateway and forwarded to Maine.gov. The Outlook client makes up approximately 90% of the State's mail clients. Outlook Express is used by the State Police (approximately 275 clients). Outlook Web Access is used by the Bureau of Motor Vehicles (about 100 clients). Entourage is used by approximately 400 users of the Judicial Branch. The current mail volume is as follows:
12. Fortis Document Imaging and Management
Fortis is one of the products used by the State for Document Management. This product was developed by Westbrook Technologies (westbrooktech.com). Two separate systems are currently in operation to provide a production and testing environment and provide failover capabilities. Details regarding the Fortis environment are as follows:
There are now two approved ways of interfacing applications with Fortis:
13. DNS
Domain name resolution service consists of internal and external domain name resolution. This includes internal name registration and external zone coordination, as well as root management of the state.me.us and Maine.gov domains. A grid of network appliances supports internal and external domain name service for the State. The grid provides a high degree of performance, reliability, and security through a combination of high availability device pairing, dynamic member synchronization, and secure communications. Domain namespace entries will be provided in accordance with the relevant State policy (Maine.gov/oit/oitpolicies/DNSPolicy_Final.htm).

14. Internal Directory Service
Microsoft Networking Active Directory services provide control and management of all internal computers, network resources, and user authentications. The Active Directory service is an integral component of the State's network infrastructure that is based on Microsoft's server operating systems. The system consists of a root domain, five child domains, and 17 domain controllers. Any State application must be AD-aware, which means that it must be capable of participating in LDAP transactions, domain registration, etc., in accordance with industry-accepted Active Directory standards.

15. Applications Architecture
All State Applications should be clearly decomposed into these four layers:
In terms of long-term enterprise asset management, the two layers that matter the most to the State are Business Logic and Data.
The art and science of building good applications is too rich to be recapitulated here. That said, the State places a premium on the following:
The State is heavily invested in the ESRI geo-spatial suite, but continues to explore other lighter-weight, lower-cost options, including the Spatial Extensions built into SQL99 and its descendants. It remains an explicit goal of the State to foster the embedding and cross-fertilization between spatial and non-spatial applications. Please see the next section for further discussion of GIS Services.

16. GIS Services
The enterprise GIS infrastructure consists of several components: Web Mapping, Application Programming, Database, and Desktop. Each of them is elaborated further below.

Web mapping
There are currently three web mapping environments: ArcIMS, ArcGIS Server, and MapServer. ArcIMS is an obsolete technology to be phased out by the end of FY09. It currently runs on two Windows servers with ServletExec. There is one new ArcIMS application coming online, which is the GeoLibrary Portal, and it requires Apache Tomcat. The Portal will be hosted on dedicated equipment, with the goal of migrating it to either MapServer or ArcGIS Server by the end of FY09. ArcGIS Server is the current ESRI offering for web mapping and web GIS services. This is a strong tool for deploying web services, especially useful for geoprocessing and geocoding services. MapServer is an open-source web mapping platform for lighter-weight web mapping applications, which also doubles as a WMS server. Google Earth can now be embedded in a webpage; therefore, we are open to exploring Google Earth for web mapping.

Application programming
Supported languages (and frameworks) include C#.NET 3.x, VB.NET 3.x, ASP.NET 3.x, Java 5.x, XML 1.1 (including KML and GeoRSS), HTML 4, SVG 1.x, CSS 2.x, and JavaScript 1.7. To the maximum extent possible, applications should rely upon currently supported tools and use open standards (such as the OGC standards). Proprietary or third-party tools can only be used after a thorough testing and vetting cycle.
Database
Spatial data are stored using ArcSDE (now known as ArcGIS Server “Basic Edition”, enterprise license), primarily on Oracle databases. There are three core locations for ArcSDE: the Maine Office of GIS (MEGIS), the Department of Transportation (DOT), and the Department of Environmental Protection (DEP). MEGIS and DEP operate Oracle on Solaris, DOT on Windows. Two efforts are underway to utilize Microsoft SQL Server for SDE: PUC Secure GIS and E911. We remain open to migrating other data to MS SQL Server, depending on costs. There are many client-side databases which are hosted in Microsoft Access, ESRI file-based geodatabases, DBF files, or INFO databases. The enterprise is working on standardizing all its data into ArcSDE 9.2, with the exception of certain DOT applications which still require ArcSDE 8.1.

Desktop
There are three main desktop GIS suites: ArcGIS, MapInfo, and Google Earth. ESRI ArcGIS is the most widely-used desktop GIS suite, and is deployed either through desktop installs or Citrix (200-300 users). Most users are now on version 9.2. DOT still has some requirements for ArcGIS 9.1 to interface with their ArcSDE 9.1. Several custom tools are written for ArcGIS in VB, VBA, Python, Java, and AML. MapInfo is used primarily by Conservation, Agriculture, Maine Housing Authority, and Baxter Park Authority. This suite is available through either desktop installs or Citrix. Most users are on version 9. Google Earth is used primarily by DEP and to some extent by other agencies. Usage of this suite is projected to grow. ArcView 3.x is obsolete technology which still has some applications, but is being phased out, and will become de-supported in the future. The MEGIS site (megis.maine.gov) provides Internet access to ArcIMS Internet applications, packaged GIS data for download, and additional State GIS information.

17. Client Technology Services
All new applications must be able to perform acceptably with the following minimum standards for desktop:
For the desktop operating system, the State will likely skip Windows Vista and upgrade directly to Windows 7. Any customization or extraordinary use of desktop resources must also be identified. Otherwise, it is assumed that any software provided will behave like most quality off-the-shelf software in a typical corporate desktop, namely in reasonable use of system and virtual memory, CPU usage, disk I/O, network bandwidth, etc., and will not require any special or modified system software.

18. Customer Support Helpdesk
The Customer Service Center (CSC) is staffed between 7 A.M. and 5 P.M. on business days. The CSC is the entry point for all State Executive branch agency I.T. issues. Calls are also received from non-Executive agencies that utilize some centralized services, as well as calls directly from the public. The CSC triages calls and either resolves issues or sends them to the appropriate group for resolution using an electronic ticketing system called Footprints. When taking calls for application issues, the CSC is responsible for ensuring that the application is working for the customer. This means eliminating server, network, or installation issues (for fat clients). How-to issues are assigned to the appropriate groups for response. After hours, calls are forwarded to Enterprise Operations Management (EOM). EOM can do some (not all) password resets and high-level troubleshooting. They also expedite and place calls to stand-by personnel when appropriate, again tracking issues in Footprints.

19. Security
The security requirements are governed by the I.T. Security Policy. It establishes requirements for organizational security, asset classification & control, personnel security, physical and environmental security, communications & operations management, access control (including password policy), systems development & maintenance, and disaster recovery & business continuity. The other significant security-related policies are as follows:
Important security issues that all parties engaged in State I.T. projects need to be aware of are:
20. Network
The State's data network consists of a redundant backbone that covers 16 population centers. These 16 centers provide network support to more than 500 State edge sites. The overall topology is a distributed star layout. Internet service is also provided via SONET and ATM. In the capitol area, the three major campuses and two data centers are supported via fiber-based Metropolitan Area Networks (MANs). For management simplicity, the State utilizes a minimum of equipment vendors for the network. The network utilizes OSPF and private 10.0.0.0 addressing.

Backbone - The backbone consists of a mixture of ATM (Verizon) and STS1 service (Oxford Networks) in the WAN, and 100M, 1G, and 10G service in the MAN. ATM includes locations at Augusta, Bangor, Calais, Machias, Houlton, Caribou, Rockland, Bangor, Ellsworth, Presque Isle, Skowhegan, Farmington, and Fairfield. It is a star topology, and all of the virtual circuits are shaped from 20 to 40mbps. STS1 service is provided by Oxford Networks to Lewiston, Portland, Biddeford, Sanford, and four locations in Augusta. The STS1 service is 51 MB. Additional redundancy is provided by 20M ATM PVCs in southern Maine, and T1s in northern Maine. Additional redundancy will be provided by a mesh of 5mbps ATM PVCs or other services among the 16 hub sites. The majority of the ATM switching equipment is provided by Cisco Systems, with some Nortel Networks equipment.

HUB Sites - The hub sites support various leased circuits in a star topology to the edge sites. The core routers are Cisco 7200-class routers. The majority of the edge sites are connected via one or more dedicated, leased T-1 circuits. It is important that all applications function effectively at T-1 speed.

Internet - Internet service is provided via 100 MB SONET (2 Oxford STS1's) and a 40mb ATM PVC to the University of Maine.
CJIN sites - Additional service is provided to non-State public safety entities via frame relay circuits at varying speeds, terminating on a T3 at CMCC.

Augusta area MAN - The Augusta MAN supports the Capital campus, the East Augusta campus, the state agencies at the CMCC (including the data center), and the data center on Edison Drive. It is fiber-based via Adelphia, Oxford Networks, and state-owned fiber plants. There is limited redundancy, but this issue is being addressed. The slowest primary link speeds are 100mb Fast Ethernet, with some of the major links being Gigabit Ethernet. The primary data centers are connected via 10 gig, with backup currently a 40 MB ATM PVC from CMCC to the Cross Office Building (next to the Capitol).

Remote Access - Remote access via Internet VPN is accomplished with the CheckPoint SecuRemote client software connecting to our CheckPoint Firewall and Juniper SSL VPN. Most City Halls and Town Offices use this as their primary connection to the state systems.

http://maine.gov/oit/oitpolicies/ITSecurityPolicy2008.pdf
http://maine.gov/oit/oitpolicies/DeployCertPolicy.htm
http://maine.gov/oit/oitpolicies/SafeguardingPolicy_Final.htm
http://maine.gov/oit/oitpolicies/RemoteHostingPolicy.htm
http://maine.gov/oit/oitpolicies/PKIpolicy.htm
Email any feedback to Enterprise.Architect@Maine.Gov