Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
cloudappliance/applinstallation [2019_10_17 00:03] – steven | cloudappliance/applinstallation [2021_03_06 00:51] – [Preparation] steven | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Storage Made Easy Cloud Appliance | + | # Enterprise File Fabric |
- | For the latest installation guide see [[: | + | ##### last updated March 5, 2021 |
- | ===== 1 Requirements ===== | + | See Also: [[: |
- | You will need VMWare softwafre to run the virtual machine, | + | # Introduction |
- | * VMWare player | + | The Enterprise File Fabric platform is shipped as a virtual appliance. Once you have deployed it into your environment you have to follow a few steps to get the product set up and ready for use. This document will walk you through the initial install steps needed to get started. |
- | * VMWare Workstation 8.x | + | |
- | * VMWare Fusion 4.x | + | |
- | * VMWare ESX/i 4.x/5.x | + | |
- | Please note we provide | + | This document does not cover how to deploy |
- | **Hardware** | + | Images are provided for VMWare, KVM and Hyper V. For VMWare, vSphere 5.5 or above is required. |
- | For evaluation Purposes: | + | The File Fabric virtual appliances can run on public and private clouds as well as in your data center. |
- | * 2 GB RAM for the VM | + | |
- | * 2 cores dedicated | + | |
- | * 20 GB Hard Disk Space | + | |
- | For Production purposes: | + | * **Amazon Web Services (AWS)** platform see [[:aws-gettingstarted]] |
- | | + | |
- | | + | |
- | * 20 GB Hard Disk space | + | |
- | Please note we recommend tuning the appliance components in production and can provide help for that. You can also increase the size of the Hard Disk by following the instructions provided by VMWare: | + | * **Google Cloud Platform** see [[:googlecloud-gettingstarted]] |
- | http:// | + | * **Microsoft Azure**, see [[azure-gettingstarted]] |
- | **Configuration: | + | ## Architecture |
- | To configure the appliance you will need: | + | #### Single VM Deployment |
- | * A Domain Name that is registered (required for production or internet access. Can be run internally and tested without this) | + | |
- | * A wildcard SSL certificate for your chosen domain name (required if you wish to test SSL but can be self generated) | + | |
- | * You will need to register the following DNS entries(please note you can change the sub-domain names as you wish) | + | |
- | * sme.yourdomain.com | + | |
- | * webdav.yourdomian.com | + | |
- | * s3.yourdomain.com | + | |
- | (Please note webdav DNS entry should be webdav.DomainName e.g if the domain name is sme.yourdomain.com then the webdav url should be webdavsme.yourdomain.com.) | + | For evaluation and smaller production environments, |
- | * An IP address that configured to point to the domains | + | #### Multiple VM Deployment |
- | * An email address with SMTP server details to connect to that account. This will be used to send emails | + | |
- | * A catch all email address if you want to use filebox functionality. You will need IMAP server details for this email address | + | |
- | **Firewall** | + | The platform may also be deployed in High Availability with multiple virtual machines and an external database. Contact us for more information. |
- | You will need to following ingress ports open\\ | + | For production deployments see also [[sizingguide]]. |
- | If you want to use FTP/S then you will need to configure the firewall to allow FTP passive connections | + | # Requirements |
- | **Storage** | + | You need to prepare/ |
- | The appliance | + | - Provided with trial email |
+ | * Linux smeconfiguser password | ||
+ | * Linux root user password | ||
+ | * Appliance appladmin password | ||
+ | * File Fabric license key | ||
+ | - Access to request / update DNS names for appliance | ||
+ | - Outbound mail relay information (recommended) | ||
+ | - Default storage system connectivity details | ||
+ | - Active Directory service account, for connecting | ||
- | To attach your local storage you will need to provide an FTP or WebDav interface on top of your local storage. | + | # Part I - Configure Networking and Antivirus |
- | **Authentication details / License Key** | + | Out of the box, the File Fabric appliance comes configured for DHCP. For most production environments you will assign a static IP address. You can easily do this with tools provided and installed on the appliance. If you have DHCP with dynamic DNS enabled, you should be able to simply connect to “appliance.yourcompany.tld”. If not, and you do not know the IP address of the appliance, connect over a console session from your hypervisor. |
- | You will require | + | Once the File Fabric appliance is booted |
- | ===== 2 Configuring | + | Change |
- | The configuration server allows you to configure | + | Update the file with your real hostname. \\ \\ |
- | * Static IP address | + | {{ : |
- | * Domain name | + | |
- | * SSL certificate | + | Then identify the IP addresses, type ifconfig and look for the IPv4 IP address. \\ \\ |
- | **Login** | + | {{ : |
+ | \\ \\ | ||
+ | If ifconfig is not installed then please use: \\ \\ | ||
+ | < | ||
+ | \\ | ||
+ | to find the IP address. | ||
- | Start the VMWare instance and login to the appliance. The IP address is displayed in the console. | ||
- | {{:/ | + | Note: If you do not have DHCP enabled on your network, you can run the smenetconf script and quickly assign a static address from the commandline. This must be run as the smeconfiguser. |
- | **Setting the IP Address** | ||
- | Note if you don't see an IP address please contact your system admin to enable DHCP or if DHCP is not possible for your environment then login to the Appliance | + | Leave root privilege and as the smeconfiguser start the configuration server by typing **smeconfigserver**. You should see a confirmation that the config server is running: \\ \\ |
- | cd installer | + | {{ : |
- | | + | |
- | + | ||
- | This will invoke a wizard that will enable a static network IP address to be added. | + | |
- | **Change Password** | + | Now open your browser and navigate to: \\ \\ |
- | Please note that on first login it is strongly recommended | + | http://< |
+ | \\ \\ | ||
+ | Here you will be able to configure network details, including domain names, and you can apply a custom certificate for secure HTTPS traffic. \\ \\ | ||
- | passwd | + | {{ : |
- | + | ||
- | **DNS and SSL Certificates** | + | Click “Configuration” to get started. |
- | If you wish to configure the Appliance DNS and SSL certificates then, after login, you can launch the Appliance installer. If you wish to simply check out the features of the web Appliance and use the Appliance only in IP mode (rather than DNS) and test clients over http only you can navigate straight to the Appliance using the IP address and login using the authentication details | + | Give the system a static |
- | To move forward and configure the appliance DNS / SSL then either logged directly in to the Appliance, or from an ssh session, enter | + | Then don’t forget |
- | cd installer ./ | + | Follow |
- | + | ||
- | This will start the configuration server | + | |
- | Once the configuration server has been started, on your local machine, in the browser open the following URL: | + | You can rerun the smeconfigserver at any time to go back and modify, or correct any information in your setup. i.e. you can go back and place a new certificate here at any time. |
- | http://IP Address: | ||
- | You should see the Welcome Screen. To start configuration, | + | ## Let's Encrypt SSL Certificates |
- | {{:/ | + | This section creates and configures SSL certificates from Let's Encrypt. If you are using your own certificates (or a different service) you can use the smeconfigserver above to add certificates. |
- | The Configuration page shows different options that you can configure. | + | Elevate to the root user by typing the following command and entering the root password when prompted. |
- | {{:/ | + | su - |
+ | Note: The appliance will be inaccessible during the request which may be up to a minute. | ||
- | **Hostname Settings** | + | Run the following command: |
- | In the SME Server Hostname Settings options you set the domain names that will be used to access | + | certbot --authenticator standalone --installer apache --pre-hook " |
+ | This command will prompt for an email address. | ||
- | You should have the IP address that you want to use configured in your DNS server. This change requires a reboot | + | Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation. |
- | {{:/ | + | Certbot will automatically detect what FQDNs are setup for the Enterprise File Fabric and prompt for which should be included in the certificate. |
- | **Network Settings** | + | Which names would you like to activate HTTPS for? |
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | 1: files.example.com | ||
+ | 2: files-s3.example.com | ||
+ | 3: files-webdav.example.com | ||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Select the appropriate numbers separated by commas and/or spaces, or leave input | ||
+ | blank to select all options shown (Enter ' | ||
- | In SME Server Network Settings the Admin can set the static IP address, Gateway, IP Mask and DNS server | + | Lastly, Certbot will prompt |
- | {{:/ | + | Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. |
+ | ------------------------------------------------------------------------------- | ||
+ | 1: No redirect - Make no further changes to the webserver configuration. | ||
+ | 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for | ||
+ | new sites, or if you're confident your site works on HTTPS. You can undo this | ||
+ | change by editing your web server' | ||
+ | ------------------------------------------------------------------------------- | ||
+ | Select the appropriate number [1-2] then [enter] (press ' | ||
- | If you enter the wrong settings, you will not be able to ssh into the appliance. In this case, login from the console as smeconfiguser | + | After successful completion, the Enterprise File Fabric |
- | cd installer | + | ### Automatically renewing |
- | + | ||
- | and enter the following command: | + | |
- | | + | A Let’s Encrypt certificate is valid for 90 days, and can be automatically renewed within 30 days of expiration. A simple cron job will run daily and handle renewals. |
- | {{:/ | + | Please Note: The File Fabric will be inaccessible during the renewal. Please ensure that the renewal time is during off hours. Downtime will only occur every 60 days when a renewal is required and may last up to one minute. |
- | This will set the configuration | + | While still logged in as root run the following command |
- | **SSL Certificates (recommended for production)** | + | |
- | The File Server uses https to communicate | + | In the example below the renewal attempt will process at 2:30AM in the timezone of the Enterprise File Fabric. |
- | {{:/cloudappliance: | + | 30 2 * * * /bin/certbot renew >> / |
- | This will require | + | This will create |
- | Please Note that if you donât set SSL certificates then some native clients that are set to use https will not be able to communicate with the appliance. You may be need to configure them to use http. | + | Use https:// |
- | **Generating a Certificate Signing Request** | ||
- | To generate a Certificate Signing Request(CSR) if you are applying for certificates please see: http:// | + | ## Configuring Antivirus |
+ | The File Fabric can use ClamAV antivirus software to scan files on upload. | ||
- | **Setting up self-certified Certificates** | + | # Part II - Configure Appliance and create the first organization |
- | If you wish to use a self-signed certificate to test https then we suggest following | + | You must perform |
- | The guide shows the use of the " | + | After the VM is restarted, log into %%https://< |
- | Once you have these run the SME Config installer open server.crt in a text editor and paste the content into the "SSL public certificate text". Similarly paste the contents of server.key into the "SSL certificate private key" text input. | ||
- | Now follow the wizard to save the settings and at the end choose the reboot option. You should now be set to use private certificate SSL but note you cannot use these outside of an internal network unless | + | ## 1. Enter the license, under Settings -> License Key: |
- | **System Update** | + | {{ : |
- | Here you can update the appliance with the latest release. You can check for a new version here. When the appliance is updated with the new version, the installed version is saved and allows you to rollback to the previous installed version. | + | A trial license key can be requested from https://www.storagemadeeasy.com/ |
- | {{:/ | + | Once you apply the key and save the change, you will see the features available to you. |
- | {{:/ | + | |
- | **Rebooting** | + | ## 2. Outbound Email (Recommended) |
- | Smeconfiguser has permissions | + | An SMTP server is used by the appliance |
- | sudo / | + | If you do not configure an email server remember not to use email notification when adding users. |
- | sudo / | + | |
- | Once you have configured and rebooted your appliance, open a browser at http:// | + | ### Using Gmail for Outbound Email |
- | **Customizing | + | Below is a sample what the configuration looks like, for an SMTP setup using a Gmail account. You will have to ask your email administrator for your specific details, or sign up for a free Gmail address: \\ \\ |
- | Using your browser login as **appladmin** . **Change the password after logging in for the first time**. You will see the home screen, on the right hand side you will see different options to customise the website. | + | {{ : |
- | The appladmin account is used to configure | + | The “Notification Email” address will receive emails from the system warning |
- | {{:/ | + | |
- | **Entering the License Key** | + | ### Change Appliance Admin Email |
- | Enter the license key and depending on the key new functionality will become available in the right hand side menu. If the key is expired or you have not entered a valid key then you will only be able to use clouduser account. | + | With an SMTP server configured you can change |
- | {{:/ | + | You can also set up Two Factor Authentication (2FA) for the Appliance Admin from this screen. |
- | **Changing the look and feel** | + | ### Server Notification Email |
- | You can brand and change logos for the of the appliance including | + | Server errors |
- | Also see the [[cloudappliance/ | + | The " |
- | {{:/ | ||
- | {{:/ | ||
- | **Email Templates (Optional)** | + | ## 3. Look & Feel |
- | The default email templates that are used with the Appliance for customer interactions can be changed here. | + | {{ : |
- | {{:/ | + | Under Look & Feel is where you can upload your logos for the login page, and set a site title for the site. |
- | **Site Wide Functionality** | + | ## 4. Site Functionality |
- | This screen allows | + | Here you can enable |
- | {{:/cloudappliance: | + | If you will be providing SFTP access through the File Fabric' |
- | **Email and Filebox Settings** | + | ## 5. |
- | **SMTP Settings:** | + | The File Fabric platform uses templates for organizations, |
- | The File Server uses an external email SMTP server to send registration and notification emails. Here you enter the account details that will be used to send emails. | + | {{ : |
- | FileBox IMAP Settings (Optional): | + | Click “User Packages” and then click the pencil to modify “Organisation Cloud 20 Users” This is a good template to start from. |
+ | Scroll down to the “Extra options” section and add “Content Search Enabled” and Dropfolders. \\ \\ | ||
- | The filebox feature provides each user and shared folder a dedicated email address. This is an optional feature. A user can send email with attachment to the firebox address. For this you will need a catch all email address and IMAP server. | + | {{ : |
- | {{:/ | + | “Crtl-Click to add to the selection” |
- | **Integration Settings (Optional)** | + | ## 6. |
- | SME appliance can use Zoho to view and edit MS Office (Word, Powerpoint and Excel) and RTF documents. You will need to register for Zoho API at http:// | + | In the hamburger menu, click “Users” |
- | {{:/cloudappliance: | + | {{ : |
- | **Meta Data Backup** | ||
- | The only data that is stored is data about the files and any classification information the user adds. This can be backed up for disaster recovery (as this data is stored in a database it can also be made highly available.) | + | ## 7. |
- | {{:/ | + | This can be done by clicking the red “X”. |
- | **Changing the Password**\\ | + | ## 8. Click “Add a User” |
- | You can change | + | On the Add a User screen create your Organization admin user. (This will also be your organization.) |
- | {{:/ | + | |
- | You can see a list of all users and the packages that are assigned | + | 1. User Login: Admin user login and Organization short name |
+ | 1. E-mail: Email address of organizational admin, must be unique to the system, do not use your own. | ||
+ | 1. Password: | ||
+ | 1. Name (Company Name): Full organization name. | ||
+ | 1. Package: The template from step 5. | ||
+ | 1. We do not need to split the license between organizations, | ||
- | You can change a users password, activate or inactivate and delete users and also configure the functionality available to him. | + | Click Save. \\ \\ |
- | {{:/cloudappliance: | + | {{ : |
- | {{:/ | + | |
- | **Creating a new User** | + | # Part III - Configure the organization |
- | To Add a user Click on Add User and enter the details. A new user can also be added using the API. | + | Log out from the Appliance Admin, appladmin |
- | {{:/ | + | You will first see the “Add Storage Provider” screen. You have to add storage before you can continue. Select your provider and follow the instructions on the next couple of screens. There are many providers to choose from, but a CIFS share, google drive or S3 bucket are easy examples to get started with. Do not use a storage location with existing production data for the initial trial. |
- | **User Packages** | + | Once you have added your storage, Select Options from Organization Menu: \\ \\ |
- | You can edit and create User packages that are assigned to users. Sample packages are provided. User Packages allow you configure available functionality and default setting for new users. | ||
- | {{:/cloudappliance: | + | {{ : |
- | {{:/ | + | |
- | **Summary: | + | There are of course a lot of different was to configure your organization based on your specific use case(s). In this example I will set them to what I think are good starting points. |
- | This is the end of the configuration guide for the SME Cloud Appliance. | ||
+ | ## User Governance | ||
+ | |||
+ | Enable personal clouds by toggling “Private User Clouds”. Enabling this will allow for both a per user home folder (Admin managed) and for users to add a personal drop box, or google drive into the SME file manager. | ||
+ | |||
+ | ## File Sharing Policy | ||
+ | |||
+ | Here I like to turn on most of the options in order to get a feel for the SME sharing features. See screenshot below. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ## Security | ||
+ | See screenshot below for how to toggle the options on this page: \\ \\ | ||
+ | {{ : | ||
+ | |||
+ | |||
+ | ## Encryption | ||
+ | |||
+ | You can provide a key here and enable encryption for all data at rest. Note, if you do, you will not be able to access your data from outside of SME. | ||
+ | |||
+ | ## Versioning/ | ||
+ | |||
+ | I enable versioning, it is a nice feature to have in case of conflicts or accidental end user overwrites and deletions. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ## Data Classifications | ||
+ | |||
+ | Leave the defaults here. | ||
+ | |||
+ | ## User Interface | ||
+ | |||
+ | Leave the defaults here. | ||
+ | |||
+ | ## Notifications | ||
+ | |||
+ | Toggle “Send email notification for file comments: | ||
+ | |||
+ | ## Branding | ||
+ | |||
+ | Options for you to create your organizations specific here | ||
+ | |||
+ | At this stage you either create local users or you tie SME into your corporate directory. | ||
+ | |||
+ | |||
+ | ## Configure Active Directory | ||
+ | |||
+ | Under Organization, | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | There are a many options to consider and there is the possibility to make the integration with a highly customized AD schema, but for the sake of evaluation the product, we don’t have to make it that complicated. Below I have listed the fields where you have to add site specific information. I will skip the lines you don’t have to configure, so when you follow this list below, make sure to match the names on the screen, as they are not sequential. | ||
+ | |||
+ | - Auth System: Toggle the dropdown to LDAP | ||
+ | |||
+ | - Auth System Name: Give it a friendly name | ||
+ | |||
+ | - LDAP Server host or IP: IP address or hostname of AD controller | ||
+ | |||
+ | - Base DN: Enter a base OU of your directory to limit searches to certain sub-OUs, or leave it as “DC=domain, | ||
+ | |||
+ | - Administrator User DN: The service account that can connect and validate AD info, should be an unprivileged service account. On the following format: “CN=LDAP Bind, | ||
+ | |||
+ | - Administrator User Password: Password of above user. | ||
+ | |||
+ | - Update user roles/ | ||
+ | |||
+ | - Login Field: What AD attribute is the login name, I suggest using sAMAccountName | ||
+ | |||
+ | - User Name Field: I switch this to displayName, | ||
+ | |||
+ | - Role Name Field: I prefer to switch this to “name” | ||
+ | |||
+ | |||
+ | |||
+ | These are the 10 fields you have to fill in to enable AD authentication, | ||
+ | |||
+ | |||
+ | |||
+ | Roles, in order to simplify management of ACLs for your data, we recommend that you assign permissions on a group – or role – level. Open up the configuration page: \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | If you set up AD authentication in the above step, leave the two default roles, (“Administrator”, | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | On the next page, you can select to put in a partial or full name in the “Role:” field, to act as a filter before clicking “Get roles” \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | I chose to filter on “gs_” and can select all for import. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | This process can be done many times until all desired groups are imported. | ||
+ | |||
+ | |||
+ | If you are doing this without AD, simply click Add new role and add the different roles you need to provide adequate segregation for your users. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | When the roles are populated, proceed to importing / creating the users: \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | This page is set up much the same way, select “Import users from a remote source” | ||
+ | \\ \\ | ||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | The import screen works much like the Roles import screen with one important difference. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | As you can see in the Role section to the right we will show you what AD groups the user is a member of, so you can ensure the relevant groups are imported. | ||
+ | |||
+ | Repeat the user import until you have imported your users. | ||
+ | |||
+ | |||
+ | |||
+ | Once again, if you had skipped the AD setup, you can manually create local users. Simply click one of the Add new user buttons. Without confirmation will still give you the option to send the user a welcome email. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | ## Setting up shared storage and access. | ||
+ | |||
+ | Earlier we connected to our default storage, now let’s configure it. | ||
+ | |||
+ | Click File Manager \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | And navigate into your default storage provider, in my case it is a bucket called “smestoragesme” \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Unless this is the name of the root share you want your end users to see, create a new folder inside the root. I created one called FinanceShare and one called EngineeringShare. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | Right click the first folder and select Convert to Shared Team Folder \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Then repeat for any other folder you have created and want to be a share root. By default, in SME, a shared folder is shared with no one (except the admins) so we have to modify permissions. | ||
+ | |||
+ | Go to the settings page for shared folders: \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | The default tab should be the Permissions tab: \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Go ahead and select the permissions Icon (2) | ||
+ | |||
+ | |||
+ | |||
+ | In the popup windows (below) select the user or group from the dropdown (1), select the permissions (2), and click apply. (3) | ||
+ | |||
+ | When you are done with the permissions, | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | Your initial setup is complete, now when a member of the Engineering group logs in, he or she will only see the EngineeringShare folder: \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | While the members of the finance group will see only FinanceShare. \\ \\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | For any questions or comments on this document, please contact support@storagemadeeasy.com | ||