# Getting Started with Google Cloud

##### last updated July 13, 2023

## Why Google Cloud?

[[https://console.cloud.google.com/marketplace/product/nasuni-public/nasuni-access-anywhere-server|{{ :googlecloud-gettingstarted:launchnow.png?nolink|nobox}}]]

Google Cloud customers are using Nasuni Access Anywhere to take advantage of the high durability, scalability and low cost of Nasuni file storage. Customers are able to securely extend access to end users and existing file-based applications, significantly reducing migration costs to the cloud.

## Deployment Architecture

{{ :googlecloud-gettingstarted:eff-google-mktplace.png?200| }}

For evaluation and smaller production environments, the Access Anywhere Server is typically deployed as a single virtual machine. The virtual machine includes an embedded database and search index. A single virtual machine can be launched directly from the Google Cloud Platform Marketplace.

### High Availability

{{ :googlecloud-gettingstarted:eff-google-arch.png?200| }}

The platform may also be deployed across multiple nodes with an external database for scalability and High Availability. Please contact us for more information on setting up HA deployments on the Google Cloud Platform.

### Sizing

For production deployments see [[sizingguide]].

## Requirements

You will need the following information before you can complete setup on the Google Cloud Platform:

  * Access to request / update DNS names for the appliance (recommended)
  * Serial Number and Authentication Code
  * Outbound mail relay information (recommended)
  * Default storage system connectivity details - Google Cloud Storage recommended (required)
  * An Active Directory service account if you are connecting to AD (optional)

## Launch

{{ :googlecloud-gettingstarted:launch-server.png?400 |}}

1. From the Google Cloud Platform Marketplace click [[https://console.cloud.google.com/marketplace/product/nasuni-public/nasuni-access-anywhere-server|Nasuni Access Anywhere Server]].
2. Then click **Launch**.

## Deploy

1. Choose a name for your instance.
2. Choose a Zone.
3. Verify the Machine type - the minimum is large enough for evaluation.
4. Optionally set IP Ranges for TCP port 8080 - this port is used only for initial network configuration.
5. Select **Deploy**.

{{ :googlecloud-gettingstarted:new-gcp-deployment.png?nolink&1000 |}}

## Deployed

After a few minutes an instance is deployed.

{{ :googlecloud-gettingstarted:solution-deployed.png?nolink&1000 |}}

## Verify Web Access

{{ :googlecloud-gettingstarted:appl_login.png?300 | }}

From the deployment panel, click the button **Visit the site** to bring up the appliance login page. You can also use the Site Address URL directly. Use the username **appladmin** and password **Admin password** to log into the appliance.

Until it is changed, the appliance uses an untrusted SSL certificate. Most browsers will flag this as a potential security issue and require your acknowledgement to bring up the page.

If you don't have the deployment panel, first open the [[https://console.cloud.google.com|Google Cloud Console]]. From the top left hamburger menu (aka Navigation menu) go to the page **Compute Engine > [[https://console.cloud.google.com/compute/instances|VM instances]]**. If you don't see the Access Anywhere server instance, check the project you are viewing.

Open the VM instance details and locate the **External IP** under Network interfaces. Open the appliance website at %%https:///%%. The username is appladmin and the password can be found towards the bottom of the page under Custom metadata as the `eff_user_password`.

{{ :googlecloud-gettingstarted:custom-metadata.png?500 |}}

## Verify SSH Access

From the deployment panel, or from the VM instance details, click the **SSH** button for remote access to the instance (using a browser or another SSH client).

Check that you can become the smeconfiguser.

```
sudo su - smeconfiguser
```

Check that you can become root.

```
sudo su -
```

This will be required to complete the configuration.

# Configure Network Services

## SSL Configuration (Recommended)

The appliance is configured, by default, with DHCP and a self-generated untrusted SSL certificate. In order to use the client tools (desktop and mobile applications) over SSL you will need a trusted SSL certificate and a fully qualified domain name (FQDN).

## Disabling SSL (Not Recommended)

If you do NOT wish to use SSL for the trial you can disable it:

  * Log into the appliance as the Appliance Administrator (appladmin)
  * Navigate to Settings > Site Functionality
  * Set Always use HTTPS to false.

## Create a Static IP Address

Unless you are using a dynamic DNS service you'll need a static IP address in order to create a DNS entry.

From the top menu of the Google Cloud Platform dashboard, navigate to NETWORKING / VPC network > External IP addresses.

The external address of the appliance you just launched is listed as Type Ephemeral. Change it to Static, enter a Name in the dialog box and select RESERVE.

{{ :googlecloud-gettingstarted:externalip.png?nolink&650 |}}

## Create DNS entries

Choose three fully qualified domain names (FQDNs). For example:

  * **files**.example.com - Principal name, to be used as hostname
  * **files-webdav**.example.com - used for WebDAV service
  * **files-s3**.example.com - used for S3 service

Add DNS type A records that point these domain names to the appliance IP address. For example,

^ Type ^ Name ^ Value ^
| A | files | 35.188.82.62 |
| A | files-webdav | 35.188.82.62 |
| A | files-s3 | 35.188.82.62 |

Verify that the public DNS records are set up correctly by pinging each FQDN.

```
ping files.example.com
ping files-webdav.example.com
ping files-s3.example.com
```

## Change Hostname

To update the appliance with the FQDN, change to the root user by issuing `sudo su -` over SSH.

As the root user, edit /etc/hostname with nano or vi. Change the Google instance name to your FQDN.

{{ :server:applinstallv1901:image002.png?nolink&600 |}}

## Start NAAConfig Server

If you are logged in as root, leave root privilege and, as the smeconfiguser, start the configuration server by typing **smeconfigserver**.

You should see a confirmation that the config server is running:

{{ :server:applinstallv1901:image004.png?nolink&600 |}}

Now open your favorite browser and go to http://:8080

## Configure Hostname Settings

Here you only need to configure the three domain names. Click "Configuration" and then "NAAServer Hostname Settings".

{{ :googlecloud-gettingstarted:server-hostname-settings.png?nolink&600 |}}

After saving, go to the "Overview" page and scroll down to the bottom to "Apply". No other changes are required for the appliance on the Google Cloud Platform.

Follow the prompts on the page to reboot the appliance. If you are not doing this immediately, stop the Config Server by typing Control-C in the terminal window.

## Create SSL Certificates

This section creates and configures SSL certificates from Let's Encrypt. If you are using your own certificates (or a different service) you can use the smeconfigserver above to add certificates.

Elevate to the root user by typing the following command and entering the root password when prompted.

```
sudo su -
```

Note: The appliance will be inaccessible during the request, which may take up to a minute.

Run the following command:

```
certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
```

This command will prompt for an email address.
It's important to give this information so that an admin can be notified in the future if there are issues automatically renewing the certificate. Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.

Certbot will automatically detect which FQDNs are set up for the Access Anywhere server and prompt for which should be included in the certificate.

```
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: files.example.com
2: files-s3.example.com
3: files-webdav.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3
```

Lastly, Certbot will prompt to disable all HTTP access. Please select option 1, as the server already has HTTP to HTTPS redirection options configured.

```
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
```

After successful completion, the server will automatically start using the new certificates. These certificates will last for 90 days, so the final step is to set up automated renewal.

### Automatically renewing the certificate

A Let's Encrypt certificate is valid for 90 days, and can be automatically renewed within 30 days of expiration. A simple cron job will run daily and handle renewals.
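
The following Python check is an added example, not part of the Nasuni documentation. It confirms that the certificate served for an FQDN validates against the system trust store, covers all three names, and has not lingered inside the 30-day renewal window, which would mean the daily renewal is failing; the 7-day grace period, the function names and the sample certificate are assumptions.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # from the page: renewable within 30 days of expiry
GRACE_DAYS = 7          # assumption: tolerate a week of failed daily runs

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Sep  1 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "files.example.com"),
                       ("DNS", "files-s3.example.com")),
}
NAMES = ["files.example.com", "files-webdav.example.com", "files-s3.example.com"]


def fetch_cert(host, port=443, timeout=5.0):
    """Return the peer certificate, failing if it is not trusted for host.

    The default context verifies chain and hostname, so the appliance's
    initial self-generated certificate raises SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_cert(cert, required_names, now=None):
    """Report names missing from the SAN list and the remaining lifetime."""
    now = time.time() if now is None else now
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    # Exact match only: the HTTP-based standalone challenge cannot issue wildcards.
    missing = sorted(n for n in required_names if n.lower() not in sans)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    return {
        "missing_names": missing,
        "days_left": days_left,
        # Still this close to expiry means the renewal job is not succeeding.
        "renewal_stalled": days_left < RENEW_WINDOW_DAYS - GRACE_DAYS,
    }


if __name__ == "__main__":
    as_of = ssl.cert_time_to_seconds("Aug 12 00:00:00 2023 GMT")
    print(audit_cert(SAMPLE_CERT, NAMES, now=as_of))
```

Against a live appliance, call `audit_cert(fetch_cert(name), NAMES)` for each FQDN from a separate monitoring host, so a stalled renewal is noticed well before the certificate expires.
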

Please Note: The server will be inaccessible during the renewal. Please ensure that the renewal time is during off hours. Downtime will only occur every 60 days when a renewal is required and may last up to one minute.

While still logged in as root, run the following command to add a cron job.

```
crontab -e
```

In the example below the renewal attempt will run at 2:30 AM. The server ships with the timezone set to UTC. You can set the cron jobs to run at the time of your choosing, but do not change the server's timezone.

```
30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log
```

This will create a crontab entry for a cron job that will handle the renewals and write its output to a log file.

Use https://www.ssllabs.com/ to test the installation after updating the certificate.

## Outbound Email (Recommended)

An SMTP server is used by the appliance to send registration and notification emails to users. A daily report and error notices are also emailed to the "Notification Email". It can be configured under **Settings > Email & Filebox**. See [[server/smtp_configuration]].

If you do not initially configure an email server, remember not to use email notifications when adding users.

### Change Appliance Admin Email

With an SMTP server configured you can change the email of the Appliance Admin. Go to the main menu (Hamburger icon) to Password/Login.

You can also set up Two Factor Authentication (2FA) for the Appliance Admin from this screen.

### Server Notification Email

Server errors and a daily report are sent to a notification email that must be configured by the Appliance Administrator. The default is not to email reports.
The "Notification Email" setting is on the "SMTP and Filebox Configuration" page that can be found via the menu "Email and Filebox".

# Create an Organization

An //organization// is a tenant within the appliance and is created by the Appliance Administrator.

Log in as the Appliance Admin at %%https:///%% with a browser. Use the "appladmin" username.

## License Key

Configure your license key under **Settings > License Key**. A trial key can be requested from https://www.storagemadeeasy.com/appform/.

## Review User Package (Optional)

The platform uses templates for organizations. In order to create our organization we need to pick a template; before we do, let's review.

Click "User Packages" and then click the pencil to modify "Organisation Cloud 20 Users". This is a good template to start from.

Scroll down to the "Extra options" section and add "Content Search Enabled" and Dropfolders. Use "Ctrl-Click" to add to the selection.

## Create Organization

In the hamburger menu, select "Users" and then "Add a User".

On the Add a User screen create your Organization admin user. (This will also be your organization.)

1. User Login: The Organization short name and superuser's username. We recommend the domain name of your company such as "smestorage.com".
2. E-mail: Email address of the organizational admin. It must be unique to the system; do not use your own.
3. Password:
4. Name (Company Name): Full organization name.
5. Package: The user package template from earlier.
6. We do not need to split the license between organizations; leave the last field empty.

Click Save.

{{ :server:applinstallv1901:image014.png?nolink&400 |}}

# Setting Up an Organization

Log out from the Appliance Admin (appladmin) user, and log back in as the user you just created.

You will first see the "Add Storage Provider" screen. You have to add storage before you can continue.

{{ :googlecloud-gettingstarted:choose-provider.png?nolink&500 |}}

Select your provider and follow the instructions on the next couple of screens. See the next section for information on setting up Google Cloud Storage.

## Google Cloud Storage Key

To generate a key for Google Cloud Storage:

  - Open the [[https://console.cloud.google.com/projectselector/storage/settings|Cloud Storage Settings]] page in the [[https://console.cloud.google.com/|Google Cloud Platform Console]].
  - Select "Interoperability".
  - If you have not set up interoperability before, click "Enable interoperability access".
  - Click "Create a new key".

Do not use a storage location with existing production data for the initial trial.

# Use Cases

Once this is complete you can:

  * [[admin/usermanagement|Add users]]
  * [[cloudproviders/googledocs|Link your account to Google Drive]]

For more information see [[index|]]

# Accessing Open Source Licenses

The server includes open source components. Open source licenses can be found on the appliance in the root folder:

  * Third Party Licenses including Open Source Software.pdf