Date post: 27-May-2020
Groove Enterprise Management Server Version 3.1 Administrator’s Guide
Groove Enterprise Management Server

Version 3.1

Administrator’s Guide

Enterprise Management Server Administrator’s Guide Copyright ii

Copyright

Copyright © 2001-2005, Groove Networks, Inc. All rights reserved.

You may not reproduce or distribute any part of this document in any form or by any means, without the written permission of Groove Networks, Inc., nor may you use it to create derivative works.

Groove Networks, Groove, the interlocking circles design, Groove Virtual Office, and groove.net are registered trademarks of Groove Networks, Inc. Other product or company names may be the trademarks of their respective owners.

Use of Groove Networks, Inc. software is subject to the terms of a license agreement and applicable export and import restrictions. Restricted rights for U.S. government users.

This product includes software used under license from third parties, including those parties identified by the following notices. Copyright © 1995 - 2001 International Business Machines Corporation and others. All rights reserved. VcardParser.cpp © Copyright Apple Computer, Inc., AT&T Corp., International Business Machines Corporation and Siemens Rolm Communications Inc. Outside In® ActiveX Control © 2002 IntraNet Solutions Chicago, Inc. All rights reserved. This software is based in part on the work of the Independent JPEG Group. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer <[email protected]>. All rights reserved.

Table of Contents

Copyright
Table of Contents
Overview of Server Administration
Management Server Architecture
Communications Protocols
Website Component
Management Domains
Database Component
Management Server Functionality
Management Server Administration
Management Domain Administration
The Management Server Administrator’s Guide
Site Planning
Capacity Planning
Security
Network Requirements
Recommended Best Practices
Failure Contingencies
Installing and Configuring EMS
Requirements
Hardware
Software
Expertise
Setting Up the SQL Server
Setting Up the Internet Information Services (IIS) Server
Configuring IIS
EMS Web Site Setup
Creating a Custom EMS Web Site (optional)
Installing the EMS Software
Information You’ll Need During the Installation
Installing EMS
Securing the EMS Administrative Web Site
Accessing the EMS Administrative Web Site
Accessing the Management Server Administrative UI
Getting Help
Setting Administrative Preferences
Setting Up the Management Server
Before You Begin
Configuring Management Domains
Defining Administrator Roles
Configuring Directory Servers
Monitoring the Management Server
Configuring SMTP on the Management Server
Deploying Groove on Client Devices
Setting Up Groove Client Auditing
Overview of Groove Client Auditing
Audit Server Requirements
Installing and Configuring Groove Client Auditing
Upgrading the Management Server
Uninstalling the Management Server
Adding and Configuring Domains
Viewing Domains on the Server
Adding a Groove Management Domain to a Server
Enterprise vs. Groove PKI
Password/Smart Card Reset Private Key
Defining a Management Domain
Editing a Groove Management Domain
Deleting a Groove Management Domain from a Server
Managing Administrative Roles
Setting Administrator Roles
Administrative Access Control
Adding Administrators
Enabling Role Based Access Control
Editing Administrator Roles
Deleting Administrators
Defining a Directory Server
Overview of Directory Integration
Adding a Directory Server
Before You Begin
Defining a Directory on the Management Server
Editing a Directory Server
Customizing Management and Directory Server Mapping
Configuring Directory Synchronization
Scheduling Directory Synchronization
Manually Triggering Data Synchronization
Viewing Directory Synchronization Status
Automating Directory Integration
Deleting an Integration Point
Deleting a Directory Server
Monitoring the Management Server
Viewing the Audit Log
Exporting Reports
Using the Windows Event Viewer for Server Diagnostics
Responding to Alerts
Customer Support Notification Feature
Troubleshooting
Management Server Problems
Auto-Activation Problems
Appendix A. Recommended Model for EMS Installation
SQL Server Preparation
Optimal Processor and Network Interface Requirements
Installing the Windows Server Operating System
Partitioning the Disk
Installing Windows Server Components
Configuring Internal Network Interfaces
Setting Performance Options
Setting Startup and Recovery Options
Setting Event Viewer Options
Installing Windows Server Updates
Installing the SQL Server Software
Installing SQL Server Updates
Configuring the SQL Server Network Utility
IIS Server Preparation
Processor and Network Interface Requirements
Installing the Windows Server Operating System
Installing .NET Framework
Partitioning the Disk
Installing Windows Server Components
Configuring the Internet Information Service (IIS) for EMS
Installing the Management Server Software
Configuring Internal Network Interfaces
Configuring External Network Interfaces
Setting Performance Options
Setting Startup and Recovery Options
Setting Event Viewer Options
Installing Windows Server Updates
Preparing the Virtual SMTP Server
Post SQL Installation
Configuring Internal Network Interfaces on SQL Server
Setting Windows Services to Manual Start on SQL Server
Post EMS Installation
Restricting Access to EMS Administrative Directory
Supporting EMS Administrative Login Authentication
Setting Up SSL for the EMS Administrative Web Pages
Configuring EMS Internal Network Interfaces
Configuring EMS External Network Interfaces
Setting Windows Services to Manual Start on Management Server
Appendix B. EMS SQL Views
Appendix C. Setting up Groove Auto-Activation
Appendix D. Management Server Keys and Certificates
Appendix E. Interpreting Client Audit Data
Glossary
End User License Agreement
Index

Overview of Server Administration

The Enterprise Management Server (EMS) and Groove® Hosted Management Services are Web-based applications that provide comprehensive services for managing Groove Virtual Office (formerly Groove Workspace) in an enterprise. EMS runs on servers operated by an enterprise while the Groove Hosted Management Services application runs on servers operated by Groove Networks®. The option employed at an organization depends on its IT objectives, requirements, and resources.

Regardless of the management server hosting option, Groove administrators and clients communicate with the management server via its Web site, which provides both an administrative and a client interface. The site’s administrative Web interface allows two levels of interaction: server management and user management. The Enterprise Management Server presents the full interface, for both levels of administration. Groove Networks Hosted Management Services presents only the user management portion of this interface, as Groove Networks runs the server.

The management server’s SOAP-based client interface allows Groove users to access the management server for Groove product licenses, Groove usage and security policies, and relay server assignments, and to report Groove-related activities.

This guide supports the Enterprise Management Server and focusses on the server management portion of the administrative Web interface. The Groove Management Server Domain Administrator’s Guide provides detailed information about managing Groove users.

Summary information in this overview covers the following topics:

• Management Server Architecture

• Management Server Functionality

• The Management Server Administrator’s Guide

Management Server Architecture

The main physical components of a Groove Enterprise Management Server are an IIS server and a SQL server. A set of communication protocols, the application’s Web interfaces, and underlying software reside on the IIS server; the system’s databases reside on the SQL server. Other integral components of the Groove management system are Groove clients and supporting relay servers. Hosted by Groove Networks or installed at an enterprise site, relay servers provide virtual peer-to-peer services when direct client connections are unavailable or infeasible. Optional components include a Groove client auditing server, Groove component server, and corporate LDAP directory servers. Figure 4, below, shows the relationships between management (IIS and SQL) servers, supporting relay servers, and Groove clients.

Management domains, defined by the server administrator, are the fundamental management unit of a Groove management server. All managed Groove users must be members of a management server domain in order to access the required Groove licenses, relay server assignments, and Groove usage policies. Similarly, managed Groove devices must be registered with a management domain in order to respond to device policies.

The following sections describe the main components of a Groove management server:

• Communications Protocols

• Website Component

• Management Domains

• Database Component

For information about the Enterprise Relay Server (ERS), see the Groove Enterprise Relay Server Administrator’s Guide.

Figure 4. Interaction of Groove Servers and Clients

Communications Protocols

The management server is a Web application and utilizes various Web-compatible protocols, primarily HyperText Transfer Protocol (HTTP). The management server processes Groove administrative input and client requests through its Web site. Administrators communicate with the server from a browser. Groove clients communicate with the management server by sending Simple Object Access Protocol (SOAP) requests over HTTP to which the management server responds. The management server never initiates connections with Groove clients.

The management server also uses SOAP to communicate with any relay servers that it is managing. SOAP exchanges with the relay server are always initiated by the management server.

To communicate with the SQL server which stores all EMS data, the management server uses Microsoft’s OLE DB data access specification. To communicate with any LDAP-based directory servers that the management server is configured to support, the management server uses Lightweight Directory Access Protocol (LDAP).
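An added example, not part of the Groove guide: a Python audit of connection records against the connection directions stated in this section and the ports listed in the guide's protocol table. The addressing plan, the record format, and the use of port 80 for management-to-relay SOAP are assumptions made for the example.

```python
"""Audit connection records against the EMS flow matrix (added example)."""
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing plan (assumption): which networks hold which role.
ROLE_NETS = {
    "client": ["10.20.0.0/16"],
    "admin": ["10.10.5.0/24"],
    "mgmt": ["10.1.1.10/32"],
    "relay": ["10.1.1.20/32"],
    "sql": ["10.1.2.10/32"],
    "ldap": ["10.1.2.20/32"],
    "smtp": ["10.1.2.30/32"],
}

# (initiator role, responder role, TCP port) taken from the guide's text/table.
ALLOWED = {
    ("client", "mgmt", 80),   # client SOAP requests over HTTP
    ("admin", "mgmt", 80),    # administrators reach the Web site from a browser
    ("mgmt", "relay", 80),    # SOAP, always initiated by mgmt (port is assumed)
    ("mgmt", "sql", 1433),    # database access, port 1433 "typically"
    ("mgmt", "ldap", 389),    # directory integration, port 389 "typically"
    ("mgmt", "smtp", 25),     # activation-key mail forwarded to a mail host
}

# Only flows touching the EMS tier are judged; relay/client traffic is skipped.
IN_SCOPE = {"mgmt", "sql"}

# Constructed sample records: time, initiator IP, responder IP, responder port.
SAMPLE_LOG = """\
2005-03-15T10:00:01 10.20.3.7 10.1.1.10 80
2005-03-15T10:00:02 10.1.1.10 10.1.2.10 1433
2005-03-15T10:00:03 10.1.1.10 10.20.3.7 445
2005-03-15T10:00:04 10.20.3.7 10.1.2.10 1433
2005-03-15T10:00:05 10.1.1.20 10.1.1.10 80
2005-03-15T10:00:06 10.1.1.10 10.1.1.20 80
2005-03-15T10:00:07 10.20.3.7 10.1.1.20 80
2005-03-15T10:00:08 192.0.2.44 10.1.2.10 1433
not a flow record
"""


class Finding(NamedTuple):
    line_no: int
    initiator: str
    responder: str
    port: int
    reason: str


def role_of(ip: str) -> str:
    """Map an IP address to its role, or 'unknown' if it is not in the plan."""
    addr = ipaddress.ip_address(ip)
    for role, nets in ROLE_NETS.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return role
    return "unknown"


def parse_record(line: str):
    """Return (initiator, responder, port) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, src, dst, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port_no = int(port)
    except ValueError:
        return None
    return (src, dst, port_no) if 0 < port_no < 65536 else None


def classify(src_role: str, dst_role: str, port: int) -> Optional[str]:
    """Return None for a documented flow, otherwise the reason it is flagged."""
    if (src_role, dst_role, port) in ALLOWED:
        return None
    if src_role == "mgmt" and dst_role == "client":
        return "management server initiated a connection to a client"
    if src_role == "relay" and dst_role == "mgmt":
        return "relay initiated an exchange the management server should start"
    return "flow is not in the documented matrix"


def audit(log_text: str) -> list:
    """Check every record and return the findings in log order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            findings.append(Finding(line_no, "?", "?", 0, "unparseable record"))
            continue
        src_role, dst_role = role_of(record[0]), role_of(record[1])
        if not {src_role, dst_role} & IN_SCOPE:
            continue  # e.g. client-to-relay traffic, outside the EMS tier
        reason = classify(src_role, dst_role, record[2])
        if reason:
            findings.append(Finding(line_no, src_role, dst_role, record[2], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```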

The Groove management server uses protocols as summarized in the following table:

Groove Server and Client Protocols | Listening Ports Used | Functions
SSTP over Hypertext Transfer Protocol (HTTP) | Port 80 | Used by Web-based management server, Groove clients, and relay servers. Supports HTTP encapsulation of SSTP.
Simple Object Access Protocol (SOAP) | Listening Port 80 | Used by management server to listen to client SOAP requests.
Open Database Connectivity (ODBC) | Port 1433 (typically). Inbound on SQL database server. Outbound from management server to SQL database server port 1433 (typically). | Used by management server to contact the SQL database server.
LDAP | Port 389 (typically) | Used by management server to integrate with optional LDAP-based directory server.
Simple Mail Transfer Protocol (SMTP) | Port 25 | Used by a Microsoft API, called by the management server, to forward email containing activation keys to a mail host for sending to Groove clients.

Website Component

The interactive portion of the management server is its Web site, built on a Windows IIS server. The IIS login procedures in place at an enterprise secure the site. The Web site consists of two interfaces: an administrative interface and an Internet-accessible client interface.

The following sections describe the main features of the management server Web interfaces:

• Administrative Interface

• Client Interface

Administrative Interface

The management server administrative Web interface, created during EMS installation on the IIS server, enables server administrators to manage server operation and Groove usage in their organization. While this interface relies on underlying security configured in IIS by the site administrator, a built-in role-based access control system allows administrators to apply another level of security.

The server administration interface consists of the following major elements:

• Domains - Collections of Groove users, policy templates, license sets, and relay sets.

• Administrative roles - Administrative roles and permissions, defined by management server administrators as part of the EMS Role Based Access Control (RBAC) system. When RBAC is enabled, administrators determine who can access which parts of the management server administrative Web interface.

• Reports - Server-wide audit log reports.

• Corporate directory support - Corporate directory server definitions for integrating user information with EMS, if an LDAP server directory is installed onsite at an enterprise.

Once management domains are configured on the management server, administrators can access domain-level Web pages. Domain pages allow administrators to manage Groove users and devices, provisioning them with Groove licenses and relay servers, and subjecting them to usage and security policies.

Domain administration does not require server-level permissions and is usually assigned to domain administrators. Hosted management services present only this domain portion of the management server interface; Groove Networks manages the server. For detailed information about the domain management portion of the administrative interface, see the Groove Management Server Domain Administrator’s Guide.

Client Interface

Groove clients access the management server via an Internet-accessible SOAP interface on the management server. The management server does not initiate communications with Groove clients, but responds to requests from client devices.

At periodic intervals (generally every 5 hours), clients contact the management server for the latest user and device policies, product activation keys, and relay server assignments. Clients also report Groove user events to the management server via this SOAP interface. This periodic contact is the primary mechanism by which all information is exchanged between the management server and the Groove client software.

Relay servers facilitate Groove peer communications at various levels, including storing and forwarding messages, enabling firewall navigation, and overcoming network discontinuities. As part of a managed Groove environment, specific relay servers - either onsite or Groove-hosted - must be registered with the management server. Management servers contact managed relay servers to exchange user identity information. For more information about the role of Groove relay servers in a managed Groove installation, see the Groove Enterprise Relay Server Administrator’s Guide.

Management Domains

A management domain is an organizational unit, such as XYZ Corporation. One or more domains form the top-level management units on a management server. Each domain contains one or more groups of Groove users, along with a collection of identity and device policy templates, license sets, and relay server sets.

The management server provides an initial domain but server administrators can add others. Each management domain is independent of other management domains; users and devices in one domain cannot access another domain’s product licenses or be governed by its policies. The management server’s cross-domain certification feature allows administrators to establish a trust relationship among domains.

Users gain domain membership via a managed Groove identity defined for them on the management server. Once a user activates this identity on a client device, the Groove client software begins polling the management server periodically for updates to products and policies, and to report statistics.

Domains encompass the following types of objects:

• Groups

• Managed Identities

• Managed Devices

• Device and Identity Policy Templates

• Product License Sets

• Server Sets

Groups

Managed Groove users reside in groups within a management domain. Each group (such as a Sales Division group) consists of a collection of Groove identities (members), associated with specific identity and device policy templates, a Groove license set, and a relay server set. The management server provides an initial top-level domain group which may contain administrator-defined subgroups and/or individual Groove users.

Managed Identities

A managed user is a member of a management domain. Administrators add Groove users to a domain by entering user identity information into a domain group or importing it into the group from a corporate directory server. The management server associates each defined user with an activation key which the administrator distributes to the users. Once these keys are applied to the client, Groove uses the associated identity information to create a managed identity for each user. Activated identities then become domain members, gain access to domain products, are directed to any relay server(s) defined for the domain, and are subject to domain rules (policies).

In order to invite each other to Groove workspaces and collaborate, Groove users must first find each other’s identities on the network. The primary means by which Groove users publish their identity information is by exchanging Groove contacts, which contain all the information that two independent Groove users need to identify, authenticate, and communicate with one another. The management server provides a central directory which lists contacts so that fellow employees can find each other.

Managed Devices

A managed device is a client PC that an administrator has registered with a management server. Once an administrator downloads a management domain registry key to a client device, the device becomes subject to domain rules (policies). Administrators can configure a domain property to remove devices from the domain after 90 days of inactivity.

Device and Identity Policy Templates

Policies are rules that control Groove activities within a management domain group. Certain policies apply to managed identities; others to managed (registered) devices. Collections of policy settings reside in identity or device policy templates, which are then assigned to groups or individual users. The management server supplies an initial, modifiable, identity and device policy template for each domain, to which administrators can add others.

All policy changes to identities and devices are propagated to Groove clients automatically during periodic contact with the management server. Once a policy setting arrives at the Groove client (or in some cases at Groove startup or login), Groove prevents policy violations.

Identity policy templates include settings that control the following:

• Availability of Groove contact information.

• Whether managed identities must be used on managed devices.

Device policy templates include settings that control the following:

• Password creation, such as minimum length and expiration period, that apply to managed devices in a domain or group.

• Restrictions on which Groove components can be downloaded to managed devices.

• User password reset.

• Groove client event auditing.

Product License Sets

A Groove product license is a collection of technical data that enables access to Groove client tools or components. A license set is a container of one or more product licenses, which can then be assigned to groups or individual users. Administrators can also supply individual Groove users with product license activation keys - giving these users product access without making them managed domain members.

Server Sets

Administrators can use the management server to assign specific servers to managed Groove users - Groove Relay or XMPP Proxy servers (as of Groove Virtual Office version 3.1), for example. The servers must first be registered with the management server in order for provisioning to take place. A server set is a container of one or more servers, which can then be assigned to groups or individual users. Managed relay servers may be installed onsite at an enterprise or hosted by Groove Networks.

Managed Groove relay and XMPP proxy server assignments override default assignments to public Groove relay or XMPP proxy servers. If multiple servers are installed at a site, administrators can assign managed users to a sequence of servers, to provide redundancy and fallback. Administrators can also use the management server to configure certain parameters for onsite servers, such as message retention time before purging on relay servers.

Database Component

Groove management servers store all data, including user account and device information, on a Microsoft SQL Server accessible to the management server. The local IIS/EMS server is not used for data storage. If a Groove client auditing server is part of the installation, the same SQL server can support data from both the auditing and management servers.

Management Server Functionality

The management server provides central control of Groove usage within an enterprise. Groove clients periodically connect to the management server in order to receive provisioning, policy, and managed contact updates and to report Groove usage events. Via an administrative Web interface, administrators can configure and monitor the server, and accomplish tasks essential to managing Groove use on a corporate scale.

Management servers provide two levels of administration: server administration and the administration of management domains defined on the server. The Enterprise Management Server involves both levels of administration, while Groove Hosted Management Services involves only domain-level administration.

The following sections describe the functionality associated with the two levels of administration:

• Management Server Administration

• Management Domain Administration

Management Server Administration

With an Enterprise Management Server installed onsite, administrators can manage the server itself, in addition to managing Groove users and devices. With Groove Hosted Management Services, enterprise administrators manage Groove users and devices only; Groove Networks administrators manage the server.

Server configuration and management involves the following tasks, carried out from the management server administrative Web interface:

• Defining administrator roles to control access to management server features.

• Defining management domains. The server supplies an initial domain, but administrators can create additional domains or remove them.

• Monitoring server activity, via the server audit log.

• Defining LDAP directories for use with the management server (optional). This interface allows server administrators to import user identity information from directory server organizational units (OUs) into the management server, automating the process of adding Groove identities to a management domain.

Once the management server is configured with management domains, domain administrators can add users to the domain and provision them.

Management Domain Administration

The interface for administering management domains appears in full on both onsite EMS and Groove Networks-hosted management servers, providing that administrators have the necessary privileges. This section highlights the most important aspects of domain administration. For detailed information about management domain administration, see the Groove Management Server Domain Administrator’s Guide.

Management domain administration involves the following tasks, carried out from the management server administrative Web interface:

• Defining domain member groups - Each domain member group is a container for Groove user and device information. The server supplies an initial member group, but administrators can create additional groups, or remove them (with the exception of the initial top-level group).

• Managing Groove users - Provisioning Groove users with the necessary Groove licenses, security policies, and relay servers is a major part of managing them. Groove users must each have a managed identity in a domain member group in order to be provisioned. Once user information has been entered, administrators send activation keys, associated with each entry, to Groove users who apply the keys to their accounts, guided by the Groove activation process. This results in the creation of a managed, provisioned identity for each user.

• Managing Groove devices - Registering Groove client devices with the management server allows administrators to manage them through centralized device usage and security policies.

• Setting Groove user policies - Setting Groove identity policies controls publishing of Groove identity information, user account backup, peer authentication, and other user activities.

• Setting Groove device policies - Setting device policies controls Groove password creation, Groove component download, cross-domain certification, and other Groove-related activities on managed devices.

• Distributing Groove licenses - This task involves importing Groove product licenses to the management server and assigning license sets to users or groups.

• Assigning Groove users to Groove relay servers - This task involves registering any onsite relay servers with the management server and assigning server sets to users or groups.

• Setting up password reset - A management server device policy allows administrative access to Groove data on managed devices in the management domain, and/or to enable users to reset an unknown or forgotten user password.

• Backing up Groove user accounts - A management server identity policy allows administrators to schedule automatic account backup for users in a management domain. Backed up information includes user contacts, the user’s Groove space list, identities and contact information, licenses and identity policies.

• Viewing Groove usage reports - When a managed identity or device exists on a Groove client, the Groove software periodically reports various usage statistics and audit log events to the management server, including information about managed user activities, Groove spaces, and Groove tool usage.

• Hosting Groove components - If Groove’s Component Server is installed onsite, administrators can set a device policy that directs Groove clients to that server for Groove component downloads.

• Enabling Groove client auditing - If Groove’s client auditing application is installed onsite, administrators can set a management server device policy that enables auditing of managed Groove clients.

• Assigning Groove users to XMPP proxy servers - As of Groove Virtual Office version 3.1, XMPP proxy servers allow Groove client communication with Jabber and other XMPP clients. If Groove XMPP Proxy Servers are installed onsite at an enterprise, administrators can provision users to dedicated servers that support their Jabber and other XMPP-based communications.

The Management Server Administrator’s Guide

This Groove Enterprise Management Server Administrator’s Guide provides instructions for using the Enterprise Management Server (EMS). This Guide has the following sections:

• Overview - Describes the management server’s role in the Groove ecosystem, its functionality, and its architecture.

• Installing and Configuring the Server - Provides instructions for installing, configuring, and monitoring an onsite management server and supporting SQL server, and guidelines for setting up Groove clients.

• Managing Administrative Roles - Provides guidelines for defining management server administrator roles and permissions.

• Managing Groove Domains - Provides instructions for adding, modifying, and deleting management domains.

• Monitoring the Management Server - Provides instructions for accessing Groove server audit and Event Viewer logs.

• Integrating EMS with a Corporate Directory Server - Provides guidelines for integrating an existing corporate directory server (if installed at your site) with the Enterprise Management Server.

• Troubleshooting - Lists common problems related to the management server and suggests ways to address them.

• Glossary - Defines terms used in this Guide.

• Appendices - Provide information about preparing for EMS installation, customizing SQL reports and other supplementary material.

20050315


Site Planning

The Groove Enterprise Management Server (EMS) is a Web-based application for managing Groove clients. With an Enterprise Management Server at your site, you can manage the server itself, as well as Groove users and devices. As an alternative, Groove Hosted Management Services allows you to manage Groove users and devices without the overhead of monitoring server operation. Similarly, supporting relay services can be onsite Enterprise Relay Servers or Groove Hosted Relay Services.

The Groove Management Server Domain Administrator’s Guide provides comprehensive information about using management servers to administer Groove users and devices. The following sections summarize basic site planning issues and best practices to consider when deploying an Enterprise Management Server at your site:

• Capacity Planning

• Security

• Network Requirements

• Recommended Best Practices

• Failure Contingencies

For comprehensive coverage of Groove server deployment options and methodologies, see the Groove Enterprise Planning and Deployment Administrator’s Guide.

For specific information about Enterprise Relay Servers, see the Enterprise Relay Server Administrator’s Guide.

Capacity Planning

Groove Networks generally recommends using one server to support up to 10,000 users, with the hardware configuration recommended for a standard installation. A second management server device is typically recommended to support a larger user base. Larger-scale implementations can leverage the scalability of the underlying IIS and SQL platforms. When Groove is being used heavily in a workspace with fifty members, each member of the workspace sends, on average, approximately 350 bytes/second over the network during a typical workday.

The number of users that your system can support largely depends on the hardware configuration of the Internet Information Services (IIS) and SQL servers that comprise the management server installation. The stated minimum requirements should support a user community of up to 3,000 users. Larger deployments will require additional RAM and disk storage capacity. Monitor Groove and management server performance to determine if and when additional hardware or software may be necessary.

For the SQL server, plan on 20 KB storage per managed Groove user and approximately 5 transactions per hour.

Security

Groove client and server software both provide built-in security systems designed to prevent unauthorized access and protect data resources. In addition to the built-in security mechanisms provided by the Groove Virtual Office application, Groove management servers provide the following additional layers of security:

• User identity policy settings allow administrators to control identity publication and to schedule periodic account backups.

• Device login policies allow administrators to determine Groove password and smart card login requirements.

• Device component download policies allow administrators to control what Groove components can be downloaded.

• Peer authentication policies allow administrators to determine whether Groove users in different management domains can communicate with each other.

• Cross-domain certification policies allow administrators to certify managed Groove identities across specific management domains.

• Certificates (signed contact information) provided by the management server’s stand-alone Public Key Infrastructure (PKI) functionality provide for automatic user authentication. As of EMS 3.0, the management server also supports user authentication via third-party, enterprise PKI-issued certificates. See the Groove Management Server Domain Administrator’s Guide for more information about the management server’s implementation of PKI.

• Administrator role-based access control enables administrators with varying levels of responsibility to contribute to Groove user and device management.

Security is an important consideration when distributing Groove activation keys that enable the deployment of managed identities among your PC users. Groove's preferred activation key distribution method is secure email; this document assumes that you are using an email system that satisfies your company’s security policy.

See “Recommended Best Practices” below for important security measures that management server administrators can take to secure the EMS administrative Web site.

For more information about network and Groove client security, see the Groove Enterprise Planning and Deployment Guide.

Network Requirements

Inbound port 2492 must be open on all Groove client devices in order to enable peer-to-peer communications.

The Enterprise Management server has the following network interface requirements:


• Inbound port 80 must be open in order to receive Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP.

• Outbound TCP ports must be open in order to send messages to the relay server and to the Customer Support Notification service at groove.net.

• Outbound SMTP port must be open in order to send email and activation keys to Groove users.

Recommended Best Practices

The location of specific management and relay servers at your site is largely governed by the performance and security objectives at your organization, as well as by the location and distribution of users with respect to your network topology. Groove Networks can suggest ways to address some of these requirements, based on experience with deploying onsite servers, but much ultimately depends on your network setup. Work with your Groove Networks representative to determine how to implement a management server configuration that accommodates the Groove user base at your site(s).

In administering a management server, follow the best practices generally recommended for hosting an Internet server. Some useful URLs are:

http://www.sans.org/top20.htm - for information about Internet vulnerabilities

http://www.sans.org/infosecFAQ/index.htm - for general information about security

http://www.sans.org/dosstep/roadmap.php - for information about Denial of Service issues

http://www.cert.org/nav/index_green.html - for up-to-date reports about a wide range of server issues

The following basic measures can help assure a reliable and secure installation:

• Install the management software on a clean stand-alone Windows 2000 or 2003 machine. Do not try to install a management server on a domain controller or a machine where Groove is running. Doing so will cause the install process to fail.

• To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the management server on a machine with redundant hard drive capability, typically a hardware RAID (software RAIDs provide protection for data only, not the operating system).

• Consider installing the latest Critical Update Package and Security Rollup on the directory (SQL) server.

• The management and relay servers run exclusively on Windows Server 2000 and 2003, and are susceptible to system- and network-level vulnerabilities that are related to Microsoft’s Windows Server 2000 and 2003. For more information about Windows security, see the Microsoft Web site, http://www.microsoft.com. For discussions of server vulnerability mitigations, see the System Administration, Networking, and Security (SANS) Institute Web site, http://sans.org/.

• Proxy devices may be used to force transmissions through a single port, in order to prevent access to other ports, limiting transmissions to those using HTTP, for example.

• If your company uses proxy servers to control traffic out to the Internet, Groove users should log in to the network before installing Groove to facilitate the process.

• Locate the management server and any relay server(s) in a DMZ. Figure 5 shows an example of a generally acceptable management server setup.

• If your site plan includes multiple management servers, install the administrative portion of the Web site on a secure server, separate from the server supporting the client-accessible portion of the site. The SQL server is typically shared by the management servers. Consult your Groove Networks support representative for information about this configuration.

• Secure your administrative Web interface by enabling Secure Socket Layer (SSL) encryption and setting the server SSL port to 443. See Microsoft Windows 2000 and IIS 5.0 Administrators Pocket Consultant for information about SSL.

• Secure the EMS administrative Web pages with Windows or other login authentication. Avoid using Basic Authentication, as this authentication option results in passwords being transmitted over the network without encryption.

• To ensure secure distribution of Groove activation keys to your users, use one of the following methods:

  • If possible, use an existing secure communication channel. For example, you could use security-enhanced email, such as Lotus Notes®, or email on a trusted local area network.

  • Manually distribute activation keys.

• Make sure to keep labeled copies of any certificates or private keys you use in a known secure location (such as on disk in a locked cabinet or in a directory on a secure private network). You may need access to these old certificates or private keys in the future (for example, if you need to recover client data but the client has an older version of the data recovery certificate).

• Establish administrative roles which govern physical access to management server machines, access to server-level controls, and access to management domain controls.

• Install anti-virus software on the management server (and client) machines. When installing anti-virus software, make sure to disable Script Blocking, as script blocking can impede proper management server operation.


Figure 5. Example of Management Server Setup

Failure Contingencies

To protect your data and the server operating system from the effects of component failure, the management server and SQL server machines should be equipped with reliable redundant hard-drive capability, or other fault-tolerant technology, such as clustering. As with any server installation, you are probably also concerned about total server failure. To address this risk, consider an additional management server to provide backup in the event that your initial installation fails.

Installing and Configuring EMS

The following sections provide a list of requirements and instructions for installing the Groove Enterprise Management Server (EMS) software on a server machine at your site. The process involves setting up a SQL server machine, setting up the Microsoft Internet Information Services (IIS) on a Windows server machine, installing the EMS software on the IIS server machine, configuring the Enterprise Management Server, and configuring SMTP.

Installing the management server software requires that you prepare the operating system to support the management server functionality within the context of your existing systems. Therefore, these preparatory steps vary depending on your network environment. This document presents a general setup designed to meet the needs of many enterprises and to guide you in the pre-install (and post-install) processes involved in bringing a management server online at your organization. For a recommended approach to a secure EMS installation, see “Appendix A. Recommended Model for EMS Installation”.

Note: Configuration of any onsite Groove Enterprise Relay Servers is best performed BEFORE configuring the Enterprise Management Server.

For information about upgrading from a previous version of the Enterprise Management Server or for information about uninstalling the management server, refer to “Upgrading the Management Server” and “Uninstalling the Management Server” at the end of this chapter.

Upon successful completion of the procedures described in this chapter, the management server will be ready for domain administration, described in the Groove Management Server Domain Administrator’s Guide.

The initial EMS installation and configuration process involves the following basic steps, each of which is described in detail in subsequent sections:

• Checking Hardware and Software Requirements

• Setting Up the SQL Server

• Setting Up the Internet Information Services (IIS) Server

• Installing the EMS Software

• Securing the EMS Administrative Web Site

• Accessing the EMS Administrative Web Site

• Setting Up the Management Server

• Configuring SMTP on the Management Server


• Deploying Groove on Client Devices

• Setting Up Groove Client Auditing

Requirements

The following sections list hardware and software requirements for installing and running the Groove Enterprise Management Server software at your site. If you are supporting your management server with an onsite Enterprise Relay Server, see the Groove Enterprise Relay Server Administrator’s Guide for information about relay setup and configuration.

Hardware

To run the Enterprise Management Server, you need the hardware listed in the following table.

Note: Because a relay server cannot run with IIS and the Enterprise Management Server (EMS) requires IIS, the Enterprise Relay Server should not be installed on the EMS machine.

Machine / Specifications

Groove Enterprise Management server:

• Dual-processor Intel® Pentium® III

• 1 GHz or higher

• 2 GB RAM

• 10 GB data volume (for Internet Information Services, IIS, server)

SQL database server:

• Dual processor Intel Xeon™

• 2.0 GHz or higher

• 2 GB RAM

• 40 GB data volume

LDAP directory server machine (optional):

Standard directory setup at your enterprise.

Groove Audit Server (optional):

Same as for Enterprise Management Server (above).

Groove Components server (optional):

Same as for Enterprise Management Server (above) except that data volume for IIS is optional.

See the Groove Software Deployment Administrator’s Guide for information about installing and using the Groove Components application.

Groove Enterprise Relay Server machine (optional if you use Groove Hosted Relay Services):

As described in the Enterprise Relay Server Administrator’s Guide.

Groove client machines:

• Intel® Pentium® II processor, 400 MHz or higher.

• 128 MB RAM for Groove Virtual Office (formerly Groove Workspace) software

  256 MB RAM for synchronizing a Groove® Mobile Workspace with a Microsoft® SharePoint™ site.

• 100 MB free disk space, with additional space required for your data.

• Display resolution 1,024 x 768 pixels, 15-bit (32,768) color minimum.

• Sound card, speakers, and microphone required to use voice features.

• Internet Connection:

  > 56 kbps dialup connection minimum.

  > LAN (Local Area Network) with Internet access, DSL, or cable modem preferred.

See http://docs.groove.net/htmldocs/readme/sysreq.html for the latest client specifications.

Software

You need the software listed in the following table to support the current set of EMS features.

For this Machine / You Need this Software

Groove Enterprise Management Server:

• Microsoft Windows® 2000 Server or Advanced Server, with Service Pack 2 (or later)

  Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, or Windows Server 2003 Web Edition recommended

• Microsoft® Internet Information Services (IIS) server, with Service Pack 2 (or later)

  IIS version 6.0 for Windows Server 2003 platform

• Simple Mail Transfer Protocol (SMTP) virtual server

• Microsoft Internet Explorer (IE) 5.5 (or later), with JavaScript, Cookies, and Forms enabled

• Microsoft .NET Framework 1.1, including ASP.NET

• Groove Enterprise Management Server version 3.0 or later

Database (SQL) server:

• Windows 2000 Server or Advanced Server, with Service Pack 2 or later

  Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, or Windows Server 2003 Web Edition recommended

• Microsoft Structured Query Language (SQL) Server 2000 (or later)

Directory server (optional):

• LDAP 3.0-based software.

• Microsoft Active Directory, IPlanet, and Lotus Domino R5 (or later) are supported and recommended.

Groove Audit Server (optional):

Same as for Enterprise Management Server (above), plus the following:

• Groove Audit Server for Groove version 3.0 (or later)

Groove Components server (optional):

Same as for Enterprise Management Server (above), plus the following:

• Microsoft Windows® 2000 Server, with Service Pack 2 (or later)

• Optional, Microsoft® Internet Information Services (IIS) server, with Service Pack 2 (or later)

• Groove Components for Groove version 2.5 (or later)

See the Groove Software Deployment Administrator’s Guide for information about installing and using the Groove Components application.

Groove Enterprise Relay Server (optional if you use Groove Hosted Relay Services):

Groove Enterprise Relay Server 2.5 (or later), configured as described in the Enterprise Relay Server Administrator’s Guide.

Groove Enterprise Relay Server 3.0 (or later), recommended.

Groove client (with client licenses):

Operating Systems supported:

• Microsoft Windows 98

• Microsoft Windows ME

• Microsoft Windows NT® 4.0 (with Service Pack 5 or later)

• Microsoft Windows 2000

• Microsoft Windows XP

Browsers supported:

• Microsoft Internet Explorer (IE) 6.0 or later

Internet Connection:

• 56 kbps dialup connection minimum

• LAN (Local Area Network) with Internet access, Digital Subscriber Line (DSL), or cable modem preferred

Groove platform, one of the following:

• Groove Virtual Office version 3.0 (or later) recommended, to utilize the full set of EMS 3.0 (or later) features

• Groove Workspace 2.5 (or later) supported

See http://docs.groove.net/htmldocs/readme/sysreq.html for the latest client specifications.

Expertise

As a server administrator, you need expertise with the following:

• Windows Server 2000 and/or 2003

• Internet Information Services (IIS)

• SQL database administration

• SMTP server administration

• Internet Domain Name System (DNS) naming

• Network security and topology

• Groove operation

Domain administrators must be familiar with the following:

• Software deployment and administration

• License distribution and maintenance

• Password policy

• Software usage and security policy

• Software usage reports

• Groove operation

Setting Up the SQL Server

The management server stores most of its data, including user information and certificates, on a Microsoft SQL server machine. The management server communicates with the SQL server via Microsoft’s OLE DB data access specification.

Set up an SQL server to support the management server installation as follows:

1. Install Windows 2000 or 2003 Server on a Pentium III (or higher) machine.

2. Install SQL Server on the Windows server machine using your company’s standard practices for SQL server configuration.

3. Configure disk storage to allow for 100 KB of storage per managed Groove user and approximately 5 transactions per hour.

4. Make sure that the MS-SQL port (usually 1433) is open for incoming transmissions from the management server.

5. Define a unique SQL server host name, recognizable to your management server. Preferably, use a fully qualified Domain Name System (DNS) or Internet Corporation for Assigned Names and Numbers (ICANN) name, such as emssql.xyzcorp.com.

6. Select an authentication system for the SQL server, native SQL or NT-based. When setting up the authentication system, select the Mixed mode option.

7. Specify an SQL login name and password with sufficient permissions to create a database on the SQL server.

Note: Once EMS is running with your SQL server, be sure to back up the EMS databases and log files on the SQL server each day, to ensure that sufficient space is maintained on the SQL server for the EMS database and transaction log. If the SQL server cannot accommodate the EMS database and transaction log, EMS operations can cease.

When you are finished configuring the SQL storage, communications, and authentication settings, proceed to setting up another Windows 2000 machine with IIS.

Setting Up the Internet Information Services (IIS) Server

The management server is a Web-based application accessible by administrators from a Web browser. As such, it relies on Microsoft Internet Information Services (IIS). Therefore, you must configure IIS to support the management server Web site. You configure IIS on the same Windows server machine where you will install the management server software.

The following sections provide guidelines for properly configuring IIS for a management server:

• Configuring IIS

• EMS Web Site Setup

• Creating a Custom EMS Web Site (optional)

Configuring IIS

The following sections describe how to set up IIS to support your EMS installation. The EMS installation process creates an EMS Web site for you or you can create one yourself prior to installation.

To set up IIS for the management server, follow these steps:

1. Install Windows 2000 Server or Advanced Server (with Service Pack 2 or later), or Windows 2003 Web Server Edition on a Pentium III machine that will be used for installing the management server.

Note: Install the management software on a clean stand-alone Windows 2000 (or 2003) Server machine. Do not try to install a management server on a domain controller or a machine where Groove is running. Doing so will cause the install process to fail. Installing EMS on an existing production Web server falls outside of the scope of the guide; if you choose to do so, consult with Groove Support for guidance.

2. Implement a reliable administrator login authentication scheme, to secure your EMS administrative Web interface, as described below in “Installing the EMS Software”.

3. From IIS, enable SMTP, and configure it as described below in “Configuring SMTP on the Management Server”, so that administrators can send email containing activation keys to Groove users.

4. If you are familiar with using IIS to create Web sites and have specific site setup requirements, you can create a management server Web site manually as described below in “Creating a Custom EMS Web Site (optional)”. Otherwise, skip this step and use a default Web site created during EMS installation.

5. To enhance security, once you have created the EMS Web site as described below, bind the client access (gms.dll) and administrative UI (GMS directory) portions of the site to separate network interface cards (NICs). Secure the administrative card as needed to meet your organization’s IT standards.

Note: Because the management server Web site depends on active server pages (ASPs), Scripts and Executables must be enabled in IIS. This parameter is set automatically during creation of the default EMS Web site.

The following sections describe the directory structure for the management server Web site files that will be set up in IIS during the Install process, and provide guidelines for securing the administrative Web pages.

EMS Web Site Setup

During installation, the EMS software creates a default Web site, installing the necessary files in IIS, or it uses an existing custom Web site that you created in IIS (described below in “Creating a Custom EMS Web Site (optional)”). In either case, the management server Web site consists of two main parts: a client URL interface, and an administrative user interface. Both the client-accessible entry point (a .dll file) and the directory containing the administrative Web pages reside in the management server Web site’s root directory.

The following list describes the main components of the management server Web site, including the optional Auto-Activation feature:

• gms.dll - This dynamic link library (DLL) is the main entry point for transactions from Groove clients. The management server URL (that you define during installation) must point to this DLL.

Groove clients must be able to connect to the gms.dll in the home directory as anonymous users, so the top-level gms.dll file must be accessible from the Internet and must not be secured.

Note: Do not set up login authentication for this directory.

• GMS directory - If you install the full EMS application (with both client and administrative interfaces), this directory is created to hold the administrative interface Web pages (.aspx files) and the index.htm file which contains the main entry point to the administrative interface.

Note: Due to the sensitive information available through the administrative interface, you should secure this administrative directory and all of its files with a reliable IIS authentication scheme.

• AutoActivation directory - If you install the full EMS application (with both client and administrative interfaces), this directory is created to support the Groove Auto-Activation feature, described in “Appendix C. Setting up Groove Auto-Activation”.
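The access rules above (anonymous gms.dll, authenticated GMS directory), combined with the earlier best practices (SSL on port 443, no Basic Authentication), can be checked from the network side by looking at how the site answers requests sent without credentials. The following Python sketch is an added example, not part of the Groove documentation or software; the host name ems.example.com, the finding codes, and the assumption that the Web site's root directory maps to the URL root are illustrative.

```python
import http.client
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Observation:
    """Result of one request sent WITHOUT credentials."""
    url: str
    status: int
    www_authenticate: list = field(default_factory=list)  # one entry per header


def probe(url, timeout=5):
    """Fetch url anonymously, without following redirects (for live use)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return Observation(url, resp.status,
                           resp.headers.get_all("WWW-Authenticate") or [])
    finally:
        conn.close()


def auth_schemes(obs):
    """Lower-cased scheme names, assuming one challenge per header value."""
    return {v.split(None, 1)[0].lower() for v in obs.www_authenticate if v.strip()}


def audit(observations):
    """Return (url, finding) pairs for each rule of the guide that is violated."""
    findings = []
    for obs in observations:
        parts = urlsplit(obs.url)
        path = parts.path.lower()  # IIS treats URL paths case-insensitively
        if path == "/gms.dll":
            # Groove clients connect anonymously; a 401 here locks them out.
            if obs.status == 401:
                findings.append((obs.url, "client-entry-requires-auth"))
            continue
        if not (path == "/gms" or path.startswith("/gms/")):
            continue  # not part of the administrative UI
        served = 200 <= obs.status < 300
        challenged = obs.status == 401
        if served:
            # Administrative page returned to an anonymous caller.
            findings.append((obs.url, "admin-served-without-auth"))
        if parts.scheme != "https" and (served or challenged):
            # Content or a login exchange would travel unencrypted.
            findings.append((obs.url, "admin-over-cleartext-http"))
        if parts.scheme == "https" and (parts.port or 443) != 443:
            findings.append((obs.url, "ssl-port-not-443"))
        if challenged and "basic" in auth_schemes(obs):
            findings.append((obs.url, "basic-auth-offered"))
    return findings


# Constructed sample observations (not captured from a real server).
SAMPLE = [
    Observation("http://ems.example.com/gms.dll", 200),
    Observation("http://ems.example.com/GMS/index.htm", 401,
                ['Basic realm="ems"', "NTLM"]),
    Observation("https://ems.example.com:8443/GMS/index.htm", 401,
                ["Negotiate", "NTLM"]),
    Observation("https://ems.example.com/GMS/index.htm", 200),
    Observation("https://ems.example.com/gms.dll", 401, ["NTLM"]),
    Observation("https://ems.example.com/GMS/Default.aspx", 401,
                ["Negotiate", "NTLM"]),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{finding:28} {url}")
```

For a live check of your own server, build the list with `probe()` for each URL of interest and pass it to `audit()`; redirects and 403 responses are left unjudged because they need a manual look.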

Creating a Custom EMS Web Site (optional)

The management server install process creates a management server Web site for you. You need not create one. However, if you are experienced with creating Web sites in IIS and have specific requirements, follow the guidelines below to create an EMS Web site that will be used in the EMS installation process:

• When defining your Web site in IIS, follow the directory and file hierarchy described above in “EMS Web Site Setup”.

• Because the management server Web site depends on active server pages (ASPs), be sure to enable Scripts and Executables in IIS.

• During the EMS installation process, specify the Web site that you created (instead of accepting the default option).


Installing the EMS Software

This section describes the steps involved in installing the Groove Enterprise Management Server. The installation will guide you through the process of defining the management server, establishing its relationship to the SQL server that will store all administrative data, and creating a Web site by which you will access the EMS administrative interface. During this installation, EMS uses your inputs to create a database on your SQL server.

Before you begin, review the “Information You’ll Need During the Installation” section below, then proceed to the section “Installing EMS”.

Information You’ll Need During the Installation

Before you begin, have the following information on hand:

• SQL server host name

• SQL authentication credentials, native SQL or Windows NT-based

• Certification authority name for the management server and initial management domain

This must be an official, fully qualified, unique name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN).

• Home directory and network location of the EMS Web site

• Name and network location of the EMS administrative Web interface

Installing EMS

To install the Enterprise Management Server on the IIS machine, follow these steps:

1. From the Windows server machine where you set up IIS for the management server Web site, insert the Groove Management Server CD.

2. Run setup.exe and follow the Install Wizard instructions for entering EMS server information, defining the installation directory, identifying the SQL database server where EMS will store all user identity and device data, and specifying the EMS Web site URL, as described in the next steps.

If the .NET Framework is not installed, an informational message appears, asking you to install .NET before proceeding. You will also be given the option to install ASP.NET if that is not installed. The .NET Framework is part of the Windows Server 2003 installation.

If the Microsoft Installer must be updated, the update will occur at this point and your server must be rebooted. After reboot, manually start the setup again to continue.

3. When prompted, choose whether or not to include the management server administrative UI in the installation, as follows:

• To install the complete management server application, including the Groove client interface and the administrative interface, accept the default condition and click Next.

• If your site plan includes multiple management servers and you want to install a version of the management server with only the Groove client interface (excluding the administrative interface), click the ManagementServer UI drop-down menu and select ‘This feature will not be available.’ Then click Next. This option allows you to locate a full EMS with its administrative Web site securely behind a firewall, while the EMS client interface can be installed on another server located in a DMZ with controlled Internet access. The management servers can share the SQL databases. Contact your Groove Networks support representative for more information about this option.

4. When prompted, enter the EMS Server information listed in the following table:

5. Click Next.

EMS Server Information Fields | Explanations

Organization

Type the name of your organization, which will form the basis of the management server name and the initial domain name used in the EMS administrative interface.

Administrator Email Address

Type the email address of the administrator who is responsible for this server. This email address may be used by Groove Networks to send you emails concerning your server, as part of the Customer Support Notification (CSN) feature.

If you need to change this address in the future, you can do so on the Server Properties page by selecting Server Properties in the tool bar, available on all main server-level tabs. See “Customer Support Notification Feature” in the Monitoring the Management Server section, later in this guide for more information.

Certification Authority Name

Type the unique official name of your management server (such as ems.xyzcorp.com).

The name you enter must meet the following requirements:

• Must be a fully qualified DNS name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN). This name need not map to an Internet Protocol (IP) address of an active machine. Similarly, it may be but is not required to be the management server machine’s DNS name.

• Must be a third-level domain or higher within your organization. Therefore, it must have at least three text blocks (components) and two dots - one dot (.) separating each section, such as ems.xyzcorp.com where:

com = Customary DNS generic top-level domain (gTLD) identifier of com for company, net for network, or org for organization.

xyzcorp = DNS second-level domain, such as your company name.

ems = DNS third-level domain, such as company branch or department.

If you are registered in a country-code top-level domain (ccTLD), you may need to use at least four components, separated by three dots.

This domain CA name canNOT be a second-level domain name (such as xyzcorp.com).

• Must be unambiguous and unique. No two domain CA names should ever be the same.

6. In the Destination folder field, accept the default destination for the EMS installation files, C:\ProgramFiles\GrooveNetworks\Management Server. Or, change the entry by clicking the Change button and entering another destination folder.

7. When prompted, enter your SQL Server information, as described in the table below.

Have on hand the SQL server host name, and, if SQL authentication is chosen, your SQL login name and password. EMS uses this information to establish a connection to the database server on which the management server depends for data storage. Make sure that the login name and password have sufficient permissions to allow you to create a database on this server:

8. Click Next. A few (5-10) seconds may pass while the system creates the database.

9. When prompted, enter the SQL Login Information - a SQL (or Windows NT) login ID and password that will permit administrative access to the newly created EMS database on your SQL server. (Previous EMS versions created these login credentials automatically, preventing custom control over the login name.)

10. Click Next.

SQL Server Information Fields | Explanations

Server

Type the host name or Internet Protocol (IP) address of your SQL server, or click the Browse button to select it from a list.

Database

Accept the default SQL database name, gmsdb, or change it if necessary. The management server will create this database when you complete this portion of the install.

Connect using

Click the appropriate radio button to specify your company’s chosen authentication credentials for the SQL server, as described below:

• Windows authentication - To specify Windows authentication.

• SQL server authentication - To specify native SQL server authentication (the preferred authentication method).

Login

Appears only if the SQL server authentication is selected.

Type the SQL server login.

Note: Make sure that the login gives you database creation rights.

Password

Appears only if SQL server authentication is selected.

Type the SQL server password.

New Database

If you are upgrading EMS to version 3.0 or higher, enter the name of the database to be used for 2.5 data converted for use in EMS 3.0 (or higher).

11. When prompted, enter your EMS Web site information in the fields as described in the table below.

12. Click Next.

13. When prompted, enter the Universal Resource Locator (URL) for the management server, using the format

http://<hostname>/gms.dll

where <hostname> is the registered fully qualified DNS or ICANN name of the management server. For example, ems.xyzcorp.com.

The management server appends gms.dll to this URL, if it is not already present, to generate the URL that the Groove client software will use to communicate with the management server. This URL must be accessible from the Internet and the host name must be resolvable into an IP address.

Note: If this value is incorrect Groove clients will not be able to communicate with the management server.

Note: The EMS URL is propagated to all clients in your domain. You should not change this value once the server is established; doing so requires that you uninstall and re-install the server, then re-activate all Groove clients.

14. Follow the Install Wizard to the final window and click Finish.

15. To properly secure the EMS administrative Web pages, enable Secure Socket Layer (SSL) encryption as described in “Appendix A. Recommended Model for EMS Installation”. SSL protection is optional but strongly recommended.

EMS Web Site Fields | Explanations

Web Site Name

Do one of the following:

• Accept the default EMS Web site (the first listed in IIS) provided by the management server.

• Select an existing EMS Web site that you already created in IIS.

• Type a new name for a new site. EMS then generates a Web site with the name, home directory, and TCP port that you specify.

Note: Creating separate Web sites for the client and administrative interfaces is highly recommended. See “EMS Web Site Setup” above for more information about this topic.

Home Directory

If you selected a pre-existing Web site, accept the default value in this field.

Otherwise, type the path of the Home directory for the management server Web site.

TCP port

If you selected a pre-existing Web site, accept the default value in this field (typically port 80).

Otherwise, type the Transmission Control Protocol (TCP) port number that this Web site should use. If you selected a pre-existing Web site, this field will default to the appropriate value.

A management server Web site is now created for you. Clients access this site via the URL that you defined, http://<hostname>/gms.dll. If you installed the complete EMS application, the site includes an administrative Web interface that you can access through the URL, http://<hostname>.

An initial management domain is also created for you. Associated with the domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a set of default policies that the domain administrator can edit. The certification authority name that you defined applies to this domain.

Note: If at some point you need to migrate large numbers of Groove users from one machine to another (for a hardware upgrade, for example), a Groove migration utility can expedite the process of relocating user workspace data. For information about obtaining this utility, contact Groove Support.
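The naming rules for the Certification Authority name and the client URL format given under “Installing EMS” can be checked before running the installer. The Python sketch below is an added example, not part of the Groove documentation or installer; the function names are assumptions, and only syntax is checked, since registration and uniqueness of a name cannot be verified offline.

```python
import re
import socket
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_ca_name(name):
    """Check a proposed CA name; return (errors, warnings) as lists of strings.

    Registration with DNS/ICANN and uniqueness across domains must still be
    confirmed by hand; this function cannot see either.
    """
    errors, warnings = [], []
    labels = name.strip().lower().rstrip(".").split(".")
    if len(".".join(labels)) > 253:
        errors.append("name is longer than 253 characters")
    bad = [lab for lab in labels if not _LABEL.match(lab)]
    if bad:
        errors.append("invalid DNS label(s): %r" % bad)
    if labels[-1].isdigit():
        errors.append("looks like an IP address, not a DNS name")
    if len(labels) < 3:
        # The guide rejects second-level names such as xyzcorp.com.
        errors.append("at least three components are required (third-level domain or higher)")
    elif len(labels) == 3 and len(labels[-1]) == 2:
        # Two-letter TLDs are country codes; the guide says four components may be needed.
        warnings.append("country-code TLD: four components may be needed")
    return errors, warnings


def normalize_ems_url(value):
    """Return the client URL, appending gms.dll when it is missing.

    Mirrors the behaviour the guide describes for the management server.
    Accepting a bare host name and keeping the given scheme are assumptions.
    """
    text = value.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an HTTP URL with a host name: %r" % value)
    path = parts.path.rstrip("/")
    if not path.lower().endswith("/gms.dll"):
        path += "/gms.dll"
    return "%s://%s%s" % (parts.scheme, parts.netloc, path)


def resolves(hostname):
    """True if the host name resolves to an IP address from this machine (needs DNS)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed sample names based on the guide's ems.xyzcorp.com example.
    for candidate in ("ems.xyzcorp.com", "xyzcorp.com", "ems.xyzcorp.uk"):
        print(candidate, check_ca_name(candidate))
    print(normalize_ems_url("http://ems.xyzcorp.com"))
```

Run `resolves()` from a machine outside your network as well, because the guide requires the URL to be reachable from the Internet and the value cannot be changed later without re-installing the server.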

Securing the EMS Administrative Web Site

Like other Web applications, the management server administrative Web interface requires proper authentication. The management server’s administrative Web interface (in the GMS directory of the management server root directory in IIS) should be secured by a reliable authentication system (via passwords, smart cards, or SecurID tokens). Designed to be independent of any authentication system, the management server allows you to choose the authentication system that will properly secure your EMS administrative Web pages. For instance, you may choose a scheme already in place for your other Web sites.

Windows Internet Information Services (IIS) supports several authentication schemes that can help secure the administrative Web interface, including Basic Authentication, Active Directory Authentication, LDAP authentication, and Kerberos authentication. Or, you can implement your own custom login authentication mechanism for the management server.

You can further secure your administrative Web interface by enabling Secure Socket Layer (SSL) encryption and setting the server SSL port to 443. This measure is highly recommended. See “Appendix A. Recommended Model for EMS Installation” for information about setting up SSL for the management server. For more information about SSL, see Microsoft Windows 2000 and IIS 5.0 Administrators Pocket Consultant.

As stated above, you can bind the administrative UI portion of the EMS Web site to a NIC separate from the one that serves the Internet-accessible client portion of the site. You can then configure the NIC that supports the administrative pages to meet the necessary security requirements, leaving an Internet-accessible NIC available for client access.

Once an administrator logs into the administrative Web interface as required by the chosen authentication system, access within the site may be controlled by the administrator's role. If enabled, the optional Role Based Access Control (RBAC) feature provides an added layer of security to the administrative Web pages.

Accessing the EMS Administrative Web Site

The sections below provide instructions for accessing and using the management server administrative Web site:

• Accessing the Management Server Administrative UI

• Getting Help

• Setting Administrative Preferences

Accessing the Management Server Administrative UI

When you are finished installing the EMS software, go to the administration Web site to configure EMS settings. You can access the EMS administrative Web site from any PC.

As mentioned above, EMS does not have a built-in login authentication mechanism but allows you to secure the EMS Web site using your organization’s preferred authentication mechanism. Once an administrator accesses the server, EMS controls the features available to that administrator through an optional role-based access control (RBAC) system, configurable through the administrative Web pages.

To access the EMS administrative Web interface, follow these steps:

1. Open an Internet Explorer (IE) browser.

2. Enter the URL for your new Enterprise Management Server site (typically, HTTP://<hostname>). Depending on your authentication system, a login window may appear.

3. If asked to log in, enter the Web site login information required by your authentication system.

Note: When you access the site after restarting IIS, the Web page may take up to 10 seconds to appear, as IIS initializes the management server ASP.NET application object.

The EMS administrative Web interface appears, with a navigation pane on the left, which displays the server name along with an initial management domain automatically created for you. The domain name is based on the Organization that you entered during EMS installation. A set of tabs lets you access server administration tasks, as summarized in the following table:

Domain Tabs | Descriptions

Reports

Allows you to view Groove audit log reports, as described in “Monitoring the Management Server” in this guide.

Directory Integration

Allows you to integrate an LDAP-based directory server of user identity data with the management server, providing that a directory server is installed at your site, as described in “Defining a Directory Server” in this guide.

Domains

Allows you to add and delete management domains, as described in “Adding and Configuring Domains” in this guide.

Roles

Allows you to add, edit, and delete administrator roles as described in “Managing Administrative Roles” in this guide.

Getting Help

To get help using the Enterprise Management Server, follow these guidelines:

• Click the Help link in the upper left of a management server administrative Web page to access management server Help.

• Go to http://groove.net/go/ms (or the Groove EMS product CD) for a printable .pdf version of the Groove Enterprise Management Server Administrator’s Guide.

• For management domain-level information, see the Groove Management Server Domain Administrator’s Guide.

• For specific information about installing the Groove client in an enterprise, see the Groove Software Deployment Administrator’s Guide.

Setting Administrative Preferences

You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

To edit administrative preferences, follow these steps:

1. Go to the EMS administrative Web interface and click the Preferences link in the top left side of the current page. The Start Page window appears with an image of your navigation tree.

2. To change the default number of list items that appear on any list page, select a number from the Display drop-down box. The initial default setting is to display 25 items per page.

3. To select a start (or home) page, select an item from the Start Page tree.

4. Click OK.

Your changes should take effect immediately.

Setting Up the Management Server

Configuring the management server to facilitate management of Groove users and devices involves a few recommended (though not required) configuration steps. These recommended steps include enabling administrative role-based access control, configuring management domains, and, optionally if you have an LDAP-based directory server installed onsite, setting up directory integration.

To prepare the management server for domain administration, review the “Before You Begin” section below. Then you can log in to the EMS Web site from your PC and use the management server’s administrative Web interface for the following tasks, described in the sections below:

• Configuring Management Domains

• Defining Administrator Roles

• Configuring Directory Servers

• Monitoring the Management Server

Before You Begin

Before you begin to configure the management server, have the following information on hand:

• Your administrator login name, based on the Internet authentication scheme that you set up for the management server. See the “Setting Up the Internet Information Services (IIS) Server” section of this chapter for more information about the administrative Web interface.

• The login names of any other administrators that you want to access the EMS administration pages.

• The name of any LDAP-based directory that you want to integrate with the management server.

Familiarize yourself with the role-based access system that helps secure the management server’s administrative Web site.

Configuring Management Domains

In the context of a management server, the fundamental unit of Groove management within an enterprise is the management domain. A management domain contains groups of Groove users and devices that the domain administrator places under domain management. Associated with each new domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a private key for password/smart card login reset and data recovery. Customizable usage and security policy templates, and Groove license and relay server sets apply to groups in the domain.

Management domains are independent and secure from each other. However, if Groove PKI authentication is in effect at an organization, domain administrators can use the EMS interface to export the domain certificate to other domains, either within the organization or on a management server at another organization, to establish a trust relationship with those domains (cross-domain certification). See the Groove Management Server Domain Administrator’s Guide for information about setting up cross-domain certification.

The EMS installation process supplies an initial management domain. However, as part of the domain configuration process, the management server requires administrative input in two areas:

• User authentication practices

• Password/smart card login reset preferences

Clicking the initial domain allows you (or any administrator with full domain-level privileges) to specify the required information. Once you have completed domain configuration, it is ready for any administrator with domain-level permissions to populate it with users and devices, and associated licenses, policies, and relay server assignments. Domain-level administrators can also edit configurable domain properties.

Note: You can define administrator roles via Role Based Access Control (RBAC), described below in “Defining Administrator Roles”.

To configure the initial Groove management domain, follow these steps:

1. From the EMS administrative interface, click the domain that appears under the server name in the navigation pane on the left. The initial domain setup window appears.

2. Edit the value in the Domain Name and optional Description fields if you wish. The name for this initial management domain is supplied automatically during the EMS installation process and can be edited by any administrator with server or domain-level privileges.

3. Accept or change the Identity Authentication option as appropriate for your corporate security practices. The default setting is to use Groove PKI to certify member identities but you can choose to use your enterprise PKI.

Note: The Identity Authentication setting is not reversible once you have clicked the OK button to exit this dialog box.

For more information about PKI and Groove identity authentication options, see “Adding a Groove Management Domain to a Server” in the Adding and Configuring Domains section, later in this guide.

4. If ‘Use Groove PKI’ is the chosen identity authentication option, enter a value in the ‘Certificate Authority name’ field. Make sure to enter a unique, fully qualified, registered DNS name, as described above for the server CA name in “Installing EMS”.

5. Accept or edit the Password or Smart Card Reset Setup options as necessary.

For more information about Groove password reset and data recovery options, see “Adding a Groove Management Domain to a Server” in the Adding and Configuring Domains section of this guide.

Note: If you do not finish configuring this domain, you cannot proceed to other administrative pages. Once you provide the required information, administrative options will be available to you.

6. Click the OK button.

Note: You can create additional domains from the management server’s Domains tab, as described in “Adding a Groove Management Domain to a Server” in the Adding and Configuring Domains section, later in this guide.

Once you set up the SMTP environment as described below in “Configuring SMTP on the Management Server”, the initial management domain is ready for administrators with domain-level permissions to populate with users and devices, and associated licenses, usage and security policies, and relay server assignments. Domain-level administrators can also edit configurable domain properties. For more information about domain-level management, see the Groove Management Server Administrator’s Guide.

Defining Administrator Roles

To control access to the management server administrative Web site, you must enable the management server’s Role Based Access Control (RBAC), which requires that you establish yourself as the server manager, as described below. RBAC lets you specify who can access the management server administrative interface and which tasks they can perform. You determine the degree of access that an administrator has by assigning that administrator a scope of authority, over a management server or a selected management domain on the server, and setting their permissions to manager or reader within that scope.

Note: If you have not set up an authentication system for the GMS directory in IIS, RBAC cannot effectively safeguard the management server’s administrative interface.

For more information about roles-based access control, see “Managing Administrative Roles” in the Managing Administrative Roles section in this guide.

To define administrator roles and enable role-based access control, follow these steps:

1. Open a browser and go to the EMS Web site, as described above.

The EMS home page appears, with a navigation pane on the left and a main window that displays pages that reflect the navigation selection. The navigation pane lists the server and its constituents as follows:

• Management server name

• Management domain(s) - An initial default management domain appears in the list.

• Member group(s)

• Groove Identity and device policy templates

• Groove Licenses sets

• Relay sets

2. Select the management server from the navigation pane. The management server page appears.

3. Click the Roles tab.

4. From the server Roles tab, select Add Administrator in the tool bar. The Add Administrator page appears. For reference, this page displays the name that you used to login to the management server administrative Web site.

5. In the Name field, enter the exact login name (in this initial case, your login name) that the administrator will use to log in to the management server Web site (as defined by your authentication system).

Note: Make sure that the administrator name that you specify exactly matches the login name used by your Web site authentication scheme, or you will not have any privileges on the server after RBAC is enabled.

6. From the Scope drop-down menu of the server and domains defined on this machine, select a server in which the administrator will have a role.

7. Click the Add button. The selected server name appears in the Assigned Scopes scrolling list and the role of Server Administrator appears under Assigned Roles Within Select Scope.

Later, if you enter a domain as the scope for an administrator name, selecting that domain in the Assigned Scopes displays a list of Assigned Roles options that you can select. Note that at least one administrator must be assigned the Scope of servername and the Role of Server Administrator.

8. Click OK to accept the server name and Server Administrator role.

This enters your name as the first administrator in the name list on the front page of the Roles tab and gives you, as Server Administrator, management access to all management server fields. You cannot remove this role. However, if you assign another administrator to the Server Administrator role, that administrator can edit your role.

Note: You must set your own role to Server Administrator before setting Enable role-based access control.

9. From the server Roles page, select the option to Enable role-based access control. This allows only those administrators listed in the Name list to access the management server.

Note: If you do not turn on Enable role-based access control, anyone who accesses the management server’s administrative site will have full access to all administrative fields and pages on the site.

10. Click OK.

Note: You can add only one administrator at a time in the Add Administrator dialog box. To add another, select Add Administrator in the tool bar again.

For information about adding more administrators or deleting administrators, see “Managing Administrative Roles” later in this guide.
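The lock-out conditions described in steps 5 through 9 can be checked before selecting Enable role-based access control. The Python model below is an added example, not EMS code: the Assignment record, the function names and the case-sensitive reading of "exactly matches" are assumptions made to illustrate the rules stated above.

```python
from dataclasses import dataclass

SERVER_ADMIN = "Server Administrator"


@dataclass(frozen=True)
class Assignment:
    name: str   # login name exactly as typed into the Name field
    scope: str  # the server name, or a management domain on that server
    role: str   # role assigned within that scope


def _loose(login):
    """Reduce a login to a comparable core; used only to spot near-misses."""
    core = login.strip()
    if "\\" in core:                # DOMAIN\user form
        core = core.split("\\", 1)[1]
    if "@" in core:                 # user@realm form
        core = core.split("@", 1)[0]
    return core.casefold()


def precheck_enable_rbac(assignments, my_login, server_name):
    """Return the reasons enabling RBAC now would lock my_login out (empty = safe)."""
    problems = []
    server_admins = [a.name for a in assignments
                     if a.scope == server_name and a.role == SERVER_ADMIN]
    if not server_admins:
        # The guide requires at least one Server Administrator on the server scope.
        problems.append("no administrator holds %s on %s" % (SERVER_ADMIN, server_name))
    if my_login not in server_admins:
        near = [n for n in server_admins if _loose(n) == _loose(my_login)]
        if near:
            # Typical cause: case or DOMAIN\ prefix differs from what IIS reports.
            problems.append("login %r does not exactly match listed name %r"
                            % (my_login, near[0]))
        else:
            problems.append("login %r is not a %s" % (my_login, SERVER_ADMIN))
    return problems


def may_access(assignments, rbac_enabled, login):
    """Model of the access rule in step 9 and the note that follows it."""
    if not rbac_enabled:
        return True   # RBAC off: anyone reaching the site has full access
    return any(a.name == login for a in assignments)


if __name__ == "__main__":
    # Constructed sample data; the names are placeholders, not real accounts.
    roles = [Assignment("XYZCORP\\jsmith", "ems.xyzcorp.com", SERVER_ADMIN)]
    for login in ("XYZCORP\\jsmith", "xyzcorp\\jsmith", "XYZCORP\\guest"):
        print(login, precheck_enable_rbac(roles, login, "ems.xyzcorp.com"))
```

Pass the login name shown on the Add Administrator page as `my_login`, since that is the name the authentication system reports for your session.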

Configuring Directory Servers

If you have a corporate directory server of user information at your organization and you want to integrate this directory with the management server, you can do so from the management server’s administrative Web interface, using the Directory Integration tab. Directory integration is invaluable in enterprises that need to support large numbers of users who need to be defined on the management server. See “Defining a Directory Server” later in this guide for information about setting up a directory integration to facilitate this process.

Monitoring the Management Server

Once the Management Server is functional on your system, you can monitor it through the audit log, accessible from the management server Reports tab. See “Monitoring the Management Server” later in this guide for information about monitoring the management server.

Configuring SMTP on the Management Server

In order to enable the management server to send email and activation keys to Groove users, you must configure the IIS Simple Mail Transfer Protocol (SMTP) virtual server. The management server uses Microsoft’s Collaboration Data Object Application Programming Interface (CDO API), which forwards email to a mail host (SmartHost) via SMTP.

To configure the IIS SMTP virtual server to deliver mail via your enterprise’s SmartHost, follow these steps:

1. Open Internet Information Services on the management server machine.

2. Right-click on Default SMTP Virtual Server and select Properties. The Default SMTP Virtual Server Properties page appears.

3. Click the Delivery tab.

4. Click the Advanced button.

5. In the Host name field, enter the fully qualified domain name (in the form <EMShostname>.domain.com).

6. In the SmartHost field, enter the name of the SMTP server that will be used for mail routing (in the form <smarthostname>.domain.com), then click OK.

You have now set up the management server to support sending emails. While the management server does not require any special settings, as it is sending only small textual emails without attachments, you may need to configure other properties for the SMTP server.

Best security practices for configuring the SMTP virtual and actual servers include the following:

• Configure the SMTP virtual server not to accept external connections (allowing only connections from itself, LocalHost).

• Set Access\Relay Control on the virtual SMTP server as follows:

• Set to Only the list below: <null list>

• Set Delivery\Advanced Delivery on the virtual SMTP server as follows:

• Set to only the list below: <null list>

• Disallow all computers...

• Enable logging and define a Logfiles drive.

Deploying Groove on Client Devices

The Groove Virtual Office (formerly Groove Workspace) application can be installed and activated on individual client devices but the most efficient way to deploy Groove in an enterprise is to use Groove’s MSI-based Enterprise Installer application in conjunction with compatible centralized distribution software. Groove activation can also be automated, by enabling the Enterprise Management Server’s Auto-Activation feature. For information about using the Enterprise Installer and centralized distribution software, see the Groove Software Deployment Guide. For information about the management server’s auto-activation feature, see “Appendix C. Setting up Groove Auto-Activation” of this guide.

Note: In order to install activation keys and access domain licenses, users must have Groove version 2.0 (or later) installed on their machines.

Note: If your company uses proxy servers to control traffic out to the internet, users should login to the network before installing Groove to facilitate the process.

Setting Up Groove Client Auditing

Groove client auditing is an optional feature that allows administrators to audit Groove activities on client devices. This new 3.0 feature requires an Enterprise Management Server (EMS) installed onsite. The following sections describe the Groove auditing feature and provide instructions for setting up Groove client auditing at your site:


• Overview of Groove Client Auditing

• Installing and Configuring Groove Client Auditing

Note: The EMS 3.0 Audit Server is a separate feature from EMS 2.5 client auditing; no direct upgrade path exists. See the information in “Audit Server Requirements” below for guidance in moving from the earlier feature to the new.

Overview of Groove Client Auditing

Groove Auditing consists of four parts: the client audit log, which logs Groove user activity to an encrypted file; the Audit Service, which secures the audit log for upload to the Audit Server; the Audit Server, which collects the logs and stores them in a SQL server database; and the management server device policy that controls what data should be audited.

Correspondingly, Groove client auditing depends on the following conditions:

• The Groove Audit Service, provided with Groove Virtual Office, must be enabled on client devices.

• The Groove Audit Server must be installed at your site, along with a properly configured Enterprise Management Server.

• The appropriate device policies must be defined on the management server in order to allow client devices to log Groove user activity. (Client devices must be managed to use the audit server.)

Groove audit logs are immediately encrypted on clients upon event creation, and are decrypted only after arrival at the audit server, affording a highly secure auditing environment. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs, and the Audit Service is used to manage them. The Audit Service purges client logs once they have been uploaded to the Audit Server and applies security credentials that prevent spoofing of the Audit Server (and of other operating system users on the client).

Each audit server is associated with and depends upon a single management server. If you have multiple management servers installed at your site and want to enable auditing for all of them, you must install separate audit servers for each.

Note that auditing can have substantial impact on system resources, including:

• Disk space to store the logs on client devices and the Audit Server.

• Bandwidth to upload the logs.

• Processing time to encrypt and decrypt logs.

With this fact in mind, administrators should set device policies to enable auditing judiciously.

Audit Server Requirements

Before you begin setting up Groove client auditing, do the following:

• Install the Enterprise Management Server BEFORE installing the Audit Server.

• Upgrade audit-targeted Groove clients to Groove version 3.0.


Note: To audit activities in managed 2.5 workspaces (with older tool versions), create new Groove 3.0 workspaces and copy the contents from the old spaces to the new.

• Make sure that Groove clients are members of a management domain and that their devices are registered with the management server, as described in the Groove Management Server Domain Administrator’s Guide.

• Ensure that the Groove Audit Server meets the overall EMS requirements described in the “Requirements” section above.

• Install the Audit Server on a separate machine from the management server. The Audit Server SQL database can reside on a dedicated SQL server or on an EMS SQL server.

Installing and Configuring Groove Client Auditing

Installing the Groove Audit Server requires your SQL server information, so have on hand the SQL server host name, and your SQL login name and password.

Note: An Audit Server is dedicated to a single specific Enterprise Management Server; one Audit Server cannot support multiple management servers (although multiple Audit Servers may be associated with a single management server).

To install and enable Groove client auditing at your site, follow these steps:

1. Insert the Groove Audit Server CD into a Windows server machine that meets the requirements listed in “Audit Server Requirements”.

2. Run setup.exe and follow the Install Wizard instructions.

If the Microsoft Installer must be updated, it will be done at this point and your server must be rebooted. After reboot, manually start the setup again to continue.

3. When prompted, enter your Groove Management Server Information, as described in the table below. The Audit Server refers to EMS SQL databases for domain information:

SQL Server Information Fields | Explanations

Management Server SQL Server | Type the previously specified name of the EMS SQL server.

Management Server Database Name | Type the previously specified name of the EMS SQL server database.

Management Server SQL User Name | Type the previously specified EMS SQL server administrator name.

Management Server SQL User Password | Type the previously specified EMS SQL server administrator password.

4. Click Next.

5. In the Destination folder field, accept the default destination for the EMS install files, C:\ProgramFiles\GrooveNetworks\Audit Server. Or, change the entry by clicking the Change button and entering another destination folder.


6. When prompted, enter your audit server SQL Server Information, as described in the table below. Note that this server may be the same as the EMS server, or a separate server.

The audit server uses this information to establish a connection to the database server on which it depends for data storage. Make sure that the login name and password have sufficient permissions to allow you to create a database on this server:

SQL Server Information Fields | Explanations

Server | Type the host name or Internet Protocol (IP) address of your SQL server, or click the Browse button to select it from a list.

Database | Accept the default SQL database name gasdb, or change it if necessary. The Audit Server will create this database when you complete this portion of the install. The Audit Server will store collected Groove client audit logs in this database.

Connect using | Click the appropriate radio button to specify your company’s chosen authentication credentials for the SQL server, as described below:

    • Windows authentication - To specify Windows authentication.

    • SQL server authentication - To specify native SQL server authentication (the preferred authentication method).

Login | Appears only if the SQL server authentication is selected.

    Type the SQL server login.

    Note: Make sure that the login gives you database creation rights.

Password | Appears only if SQL server authentication is selected.

    Type the SQL server password.

7. Click Next. A few (5-10) seconds may pass while the system creates the database.

8. When prompted, enter the SQL Login Information - a SQL Login ID and Password that will permit Groove client access to the newly created database on your SQL server.

9. Click Next.

10. When prompted, enter your Audit Server Web site information, in the fields as described in the table below.

EMS Web Site Fields | Explanations

Web site name | If you already created an Audit Server Web site in IIS, select the name of the site from the browse list. The default is the first Web site name listed in IIS.

    Otherwise, type a new name. The Audit Server installation will then generate a Web site with the name, home directory, and TCP port that you specify.

Home Directory | If you selected a pre-existing Web site, accept the default value in this field.

    Otherwise, type the path of the Home directory for the Audit Server Web site.

TCP port | If you selected a pre-existing Web site, accept the default value in this field (typically port 80).

    Otherwise, type the Transmission Control Protocol (TCP) port number that this Web site should use. If you selected a pre-existing Web site, this field will default to the appropriate value.

11. Follow the Install Wizard to the final window and click Finish.

12. To allow uploading of client logs to the Audit Server, enable the Groove Audit Service on client devices using one of the following methods:

• To enable the Audit Server as part of an enterprise-wide Groove installation, use the Groove Enterprise Installer (EI) with a central deployment service, such as Microsoft SMS, and include the Audit Service option (NewServiceInstall2) in an MSI-based Enterprise Installer transform. See the Groove Software Deployment Administrator’s Guide for information about setting the Audit Service switch and using EI and MSI transforms for Groove installations.

• To manually enable the Audit Service on individual client devices, set the Windows service manager startup option to Automatic Startup.

13. Enable Groove client auditing on the management server as follows:

a. Go to the management server administrative Web site and in the navigation pane, click a domain device policy template that you want to edit. The Account Policies tab appears.

b. Click the Audit Policies tab.

c. In the Audit Server Policies section of the page, enter the URL for your Groove Audit Server (for example, http://grooveaudit.xyzcorp.com) in the Audit Server URL field.

d. Enter the number of days, hours, or minutes in the ‘Upload audit logs’ field to set the audit log upload interval.

e. Address any remaining options as appropriate for your IT practices.

f. Click Save Changes in the tool bar.

See the Groove Management Server Domain Administrator’s Guide for more information about setting management server device policies.

14. For information about viewing and understanding client audit reports, see “Appendix E. Interpreting Client Audit Data” of this guide.

Upgrading the Management Server

The procedure for upgrading an existing version of the Enterprise Management Server to the current version is similar to that described above for installing a new management server application, once you take the necessary measures to back up your data.


To upgrade the Enterprise Management Server, follow these steps:

1. Back up the EMS database that resides on the SQL server.

2. Back up your existing version of the management server (if you do not have access to the original installation CD).

3. Shut down the EMS Web site.

4. Run the installation for the new version of EMS. This will upgrade the existing version. See “Installing EMS” above for details about the installation.

Migrating the EMS database is part of the EMS upgrade process (accomplished during installation of the latest version).

Note: Upgrading to EMS version 3.0 or higher involves data conversion, so be sure to specify a New Database for converted data when prompted during the upgrade installation.

5. When the installation is complete, reboot the management server.

You should now be able to run the upgraded management server as usual, with your settings and data intact.

Upon successful completion of the procedures described in this chapter, the management server should be ready for domain administration, described in the Groove Management Server Domain Administrator’s Guide. The Domain Administrator’s Guide provides instructions for defining groups in a domain, setting domain policies, assigning domain relay servers, adding users and devices to a domain, and supporting Groove clients in applying activation keys.

Uninstalling the Management Server

To uninstall the Enterprise Management Server, use Add/Remove Programs from the Windows Control Panel. If you encounter problems during uninstall or re-install, contact your Groove Networks support representative.


Adding and Configuring Domains

This section provides information about adding, editing, and deleting Groove management domains on the Enterprise Management Server (EMS). Management domains are organizational units defined by the management server administrator. They contain groups of users, and sets of licenses, usage and security policies, and relay server assignments. Any administrator with at least domain-level permissions can configure domain contents, as described in the Groove Management Server Domain Administrator’s Guide.

Once an initial management domain has been generated by the management server and configured by the server administrator during the EMS setup process (as described in “Configuring Management Domains” in the Installing and Configuring EMS section of this guide), you can create additional domains, edit them, or delete them, as described under the sections below.

• Viewing Domains on the Server

• Adding a Groove Management Domain to a Server

• Editing a Groove Management Domain

• Deleting a Groove Management Domain from a Server

Viewing Domains on the Server

You can view domains defined for a server from the Domains tab. The management server provides an initial domain, along with a default group, identity template, device template, license set, and relay server set. You can define new domains on the server, as described in this chapter. You or any domain administrator can edit the domain, as described in the Groove Management Server Domain Administrator’s Guide.

To view domains already defined for a server, follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select the server name from the navigation pane on the left. The Server tabs appear: Reports, Directory Integration, Domains, and Roles, as described in “Accessing the EMS Administrative Web Site” in the Installing and Configuring Domains section of this guide.


2. Click the Domains tab. A list of domains on this server appears, as described in the following table. Only the default domain appears until you add other domains.

Server Domain Information | Description

Domain Name | The supplied domain name.

Certificate Authority | The domain’s Certificate Authority name if Groove PKI is the chosen identity authentication method. If a corporate PKI system is used, ‘Integrating with Enterprise PKI’ appears in place of the CA name.

Adding a Groove Management Domain to a Server

Server administrators can create management domains to supplement the domain that the management server provides initially. You define a management domain by supplying the following information:

• Domain display name.

• A user identity authentication system - either an existing Public Key Infrastructure (PKI) system in place at your enterprise or Groove’s PKI implementation.

• Domain Certificate Authority (CA) name (if you choose to use Groove PKI identity authentication when creating the domain).

• Name and password for the certificate and private key that will enable administrators to reset (not recover) user passwords and to recover user data when necessary, providing that management server device policies support these capabilities.

The following sections provide background information and instructions for creating management domains:

• Enterprise vs. Groove PKI

• Password/Smart Card Reset Private Key

• Defining a Management Domain

Note: If you have registered Groove Hosted Relay servers with the management server, the hosted relays are assigned to any existing domain groups. They will also be assigned to any additional domains or groups upon domain/group creation.

Enterprise vs. Groove PKI

Groove supports integration with corporate PKI systems, and also supplies a PKI implementation of its own. If a PKI system is already in place at your organization, you can specify it as the identity mechanism for managed users in EMS.

Typically, corporate PKIs are general and apply to various applications in use at your site. If you select the Enterprise PKI option when configuring a management domain, Groove integrates your corporate PKI system, along with a set of identity policies (configurable on the management server by domain administrators) to provide the following functionality:

• Ability to set Groove identity policies on the management server that control which enterprise-PKI certificates managed Groove users can use for Groove identity authentication - By default, users can choose any certificate in the personal certificate store on their device.

• Automatic validation of enterprise PKI-certified certificates in Groove contact lists - The certificate validation process applies to the entire enterprise PKI certificate chain and checks Certificate Revocation Lists (CRLs, often generated by Certificate Authorities) using Microsoft’s CryptoAPI.

• Identity authentication level indicators, as shown in the following table:

Enterprise PKI Identity Authentication Indicators | Groove PKI Identity Authentication Indicators

Manually authenticated | Manually authenticated

Enterprise PKI-certified | Inside the organization and certified; Outside the Organization and certified

Conflicting identity names | Conflicting identity names

Not authenticated | Not authenticated

Groove’s PKI implementation is application-specific; it applies only to the Groove Virtual Workspace application. This authentication scheme allows domain administrators to set up cross-domain certification to facilitate collaboration between users in different management domains. The table above summarizes identity authentication indications under the Groove PKI schema. Groove PKI is a viable option if you do not have an existing PKI system or if your corporate security policies favor the use of application-specific authentication systems.

For more information about Groove’s application of PKI and about establishing cross-domain trust, see the device policies and domain properties sections of the Groove Management Server Domain Administrator’s Guide.

Password/Smart Card Reset Private Key

When creating a management domain, in addition to generating the certificate and private key used by the Groove Certification Authority (if Groove PKI is enabled), you also create a certificate and private key for resetting Groove passwords and smart card logins. This second certificate/key pair can also be used for recovering Groove data. The password/smart card login reset private key resides in a password-protected private key (.xml) file, generated during initial domain configuration. The public key (.cer) file is captured in the device policy that enables resets and data recovery.

See the Groove Management Server Domain Administrator’s Guide for detailed information about Groove user password reset and data recovery.

Defining a Management Domain

This section provides instructions for creating new domains on a management server installed at your site. Once a server administrator creates a domain, any administrator with at least domain-level privileges can edit its properties, and populate it with groups of users, and sets of licenses, policies, and relay assignments, as described in the Groove Management Server Domain Administrator’s Guide.
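
Because the Identity Authentication Settings choice in the steps below cannot be undone, it helps to confirm first that users’ personal-store certificates pass the whole-chain, CRL-checked validation described under “Enterprise vs. Groove PKI”. The PowerShell below is an added example, not part of this guide or of Groove’s software; it uses .NET’s X509Chain class (which calls CryptoAPI on Windows), and the function name, the timeout, and the Online/EntireChain policy values are assumptions chosen to mirror that description.

```powershell
# Added example (not Groove code): test every certificate in the current
# user's personal store against its full chain, with CRL checking.
# Assumptions: the function name, timeout and policy values are illustrative.

function Test-PersonalCertChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # Seconds allowed for retrieving CRLs (assumed value; tune per network).
        [int] $CrlTimeoutSeconds = 15
    )

    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        try {
            $policy = $chain.ChainPolicy
            # Retrieve CRLs over the network and check every element of the chain.
            $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($CrlTimeoutSeconds)
            # Relax nothing: an unknown revocation status or untrusted root fails the build.
            $policy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

            $isValid = $chain.Build($Certificate)

            # Copy results out before the chain object is reset.
            $problems = @($chain.ChainStatus | ForEach-Object {
                '{0}: {1}' -f $_.Status, ([string]$_.StatusInformation).Trim()
            })
            $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

            [pscustomobject]@{
                Subject    = $Certificate.Subject
                Thumbprint = $Certificate.Thumbprint
                NotAfter   = $Certificate.NotAfter
                ChainValid = $isValid
                ChainPath  = $path -join ' <- '     # leaf first, root last
                Problems   = $problems -join '; '   # empty when the chain is valid
            }
        }
        finally {
            $chain.Reset()
        }
    }
}

# Report on the personal ("My") store of the logged-in user, failures first.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Test-PersonalCertChain |
    Sort-Object ChainValid |
    Format-List Subject, Thumbprint, NotAfter, ChainValid, ChainPath, Problems
```

A Problems value of RevocationStatusUnknown or OfflineRevocation means the revocation status could not be determined from that device (for example, the CRL could not be retrieved), not that the certificate has been revoked.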

To add a new Groove management domain to the management server (or to complete initial or .net domain creation), follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select the server name from the navigation pane on the left, then click the Domains tab.

If you have not completed initial domain configuration, click the domain in the management server navigation pane and complete the configuration, as described in “Configuring Management Domains” in the Installing and Configuring EMS section of this guide. Or, you can use the following steps as guidelines.

2. Click the Add Domain button. The Add Domain page appears.

If this is the initial domain on the server, clicking the domain displays a domain setup popup window, similar to the Add Domain fields shown below.

3. Fill in the Add Domain fields described in the following table:

Add/Edit Domain Fields | Explanations

Domain Name | Type the display name of the domain. This name is used in the management server user interface to refer to the domain.

    If this is an initial or .net domain, the management server supplies a domain name, which you can edit.

Description | Optional. Type a description of the domain.

Identity Authentication Settings (cannot be undone) | Click one of the following radio buttons, depending on the security practices and policies in place at your organization:

    • Use Enterprise PKI to authenticate member’s identities - Select this option if your organization has an existing Public Key Infrastructure (PKI) system that you want to use for managed user identity authentication, instead of Groove’s PKI.

    • Use Groove PKI to authenticate member’s Identities - Select this option if you do not have a corporate PKI system in place at your organization.

    Note: This decision cannot be undone after you click the OK button.

    See “Enterprise vs. Groove PKI” above for more information about these options.

    Default: Use Groove PKI

Certificate Authority (CA) name | If you selected the Groove PKI option above, type the unique registered Domain Name Service (DNS) name of your EMS domain (such as sales.xyzcorp.com).

    If you selected the Enterprise PKI option, you cannot enter a CA name.

    Domain names must be unambiguous (no two domains on the management server can share the same DNS name). Entering an EMS name that is not a registered DNS name may result in ambiguous names. Version 2.5 (or later) of the management server normally detects this condition when domains are created and displays an informational message alerting you when a name already exists on the server.

    For more information about DNS names, see the description of Certification Authority name in “Installing EMS” in the Configuring and Installing EMS section of this guide.

Private Key Name | Accept the default private key name or type another one. This private key (and its associated certificate (public key)) allows for Groove user password or smart card login reset, and data recovery on managed Groove devices.

    Note that password or smart card login reset, and data recovery require setting device security policies accordingly, as described in the Groove Management Server Domain Administrator’s Guide.

    See “Password/Smart Card Reset Private Key” above for more information about the password or smart card login reset private key.

Create Private Key Password | Type a password to protect access to the password/smart card reset private key.

Verify Private Key Password | Verify the private key password that you entered.

Remember Private Key Password | This option is available if Store private key on the management server is selected.

    Select this option if you want the management server to remember your password for the password/smart card login private key.

    Default: checked (enabled)

Private key storage options | Select a storage option for the password/smart card login reset private key:

    • Store private key on the management server. - Select this option to store the password/smart card login reset private key (an .xml file) on the management server, when you press OK to submit your entries.

    • Save private key to a file. - Select this option to browse to a directory on your network where the password/smart card login reset private key (an .xml file) should be stored when you press OK to submit your entries.

    Default: Store private key on the management server.

4. Click OK to submit your entries. The domain name and associated Certificate Authority information appear in the domain list for the server.

This process may take up to 10 seconds to complete, while the management server creates the encryption and authentication keys used for domain authentication, and stores them in a SQL database. The new management domain now appears in the domain list, ready for domain administrators to populate with users, devices, licenses and relay server assignments.

Editing a Groove Management Domain

Any administrator with server or domain-level permissions on the Groove management server can edit the configurable properties of a Groove management domain. Note that domain-wide changes (including changes to management domain names, domain affiliation, and domain group names) apply to groups in the domain, to all users in those groups, and to those users’ Groove space contacts. To manage network traffic, the management server distributes these changes to Groove clients over time, so changes may not take effect immediately. Depending on the number of Groove clients affected, a domain-wide change can take up to 4 days (for 5,000 or more users).

To edit domain properties, follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select a domain from the navigation pane.

2. Select Domain Properties in the tool bar. The domain Properties page appears.

3. Edit the fields as needed.

For detailed information about editing management domain properties and other aspects of domain management, see the Groove Management Server Domain Administrator’s Guide.

Deleting a Groove Management Domain from a Server

You can delete a management domain from the Domains tab. Removing a domain deletes the managed identities and devices that belong to that domain and has the following effects:

• Users from the removed domain cannot use the managed identities that belonged to the removed domain.

• Users cannot access Groove spaces to which their managed identities belonged.

• Users cannot access domain licenses.

• Users can no longer access any of the relay servers associated with the domain.

• Users are no longer subject to domain policies governing their managed identity.

• Devices are no longer subject to domain device policies.

Caution: Deleting a management domain deletes all user data for all Groove users who are members of that domain or any of its groups.

To delete a domain (including all members, and associated groups and group members), follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select the server in the navigation pane. A set of server tabs appears.

2. Click the Domains tab.


3. Select the domain(s) that you want to delete.

4. Click the Delete Domains button, then click OK to confirm the removal.

You have now removed the selected domain(s), along with the associated identities and devices.


Managing Administrative Roles

The sections below discuss how to use the management server’s optional role-based access control (RBAC) system to strengthen the security provided by the Web site’s user authentication mechanism. Administering RBAC involves the following tasks:

• Setting Administrator Roles

• Editing Administrator Roles

• Deleting Administrators

Setting Administrator Roles

Defining server administrators takes place on the server Roles pages. The sections below provide background and procedures for setting up Groove administrator roles:

• Administrative Access Control

• Adding Administrators

• Enabling Role Based Access Control

Administrative Access Control

The management server employs an optional role-based access control (RBAC) system to strengthen the security provided by the Web site’s user authentication mechanism. Once a server administrator chooses to enable this system, whenever an administrator logs in to the Enterprise Management Server administrative Web site (using the organization’s established IIS authentication system), the role that has been assigned to that administrator determines what fields that user can access on the server. Enabling RBAC requires that at least one administrator be defined as Server Administrator.

This access mechanism lets you specify who can access the management server administrative interface and which tasks they can perform. Entering any user as an administrator gives that user some degree of access to management server administration. You determine the degree of access that the user has by setting the scope of authority as a management server or a selected management domain, and specifying the user’s role.

Unlike an authentication system which specifies who someone is, role-based access is an authorization system which specifies what someone is allowed (authorized) to access. The initial management server administrator, defined during server installation, has the role of server manager, allowing full access to all management server features, including the ability to add other administrators and define roles for them. Note that assigning a role to an Administrator in RBAC affects only the management server; it does not affect any users, roles, or groups in the NT Domain.

Note: If you have not set up an authentication system for the Admin directory in IIS, RBAC cannot effectively safeguard the management server’s administrative interface.

To control access to this site, you must enable role-based access control as instructed in the procedures below.

Adding Administrators

If you choose to employ the recommended role-based access control system (described in “Administrative Access Control” above), you must first establish yourself as server administrator. Once you have assigned this role to yourself, you can add other administrator roles and enable the management server’s Role Based Access Control (RBAC).

To define administrator roles and enable role-based access control, follow these steps:

1. Set up an authentication mechanism for the administrative portion of the EMS Web site, as described in “Setting Up the Internet Information Services (IIS) Server” earlier in the Installing and Configuring EMS section of this guide.

2. Open a browser and go to the EMS Web site, as described above.

The EMS home page appears, with a navigation pane that lists the management server name and its domain(s) and group(s).

3. Select the management server from the navigation pane on the left, then click the Roles tab. The Roles page appears, listing any administrators that have been defined, along with associated server names or domain scopes.

4. From the server Roles tab, click the Add Administrator button. The Add Administrator page appears. For reference, this page displays the name that you used to log in to the management server administrative Web site.

5. In the Name field, enter the exact login name that the administrator will use to log in to the management server Web site (as defined by your authentication system).

Note: The administrator name that you specify must exactly match the login name used by your Web site authentication scheme. If it does not, the new administrator will not have any privileges on the server after RBAC is enabled. This is especially important to remember when adding an administrator whose login name is in LDAP Common Name (CN) format, which may not suggest a typical login name.

6. From the Scope scrolling list, select a server or domain from the drop-down menu, to indicate the scope of the administrator’s role.

7. Click the Add button. The selected server or domain name appears in the Assigned Scopes scrolling list and the default role appears under Assigned Roles Within Select Scope.

Note: At least one administrator must be assigned the Scope of servername and the Role of Server Administrator. This allows at least one administrator to access all levels of management server administration and to enable or disable role-based access control.

8. If you need to delete an assigned scope, select it and click the Remove From Scopes button.

9. If you entered a domain as the scope for an administrator name and you want to assign a role now, select that domain in the Assigned Scopes list, then select the appropriate options in the Assigned Roles list. These roles control which aspects of the management server’s administrative UI the administrator can access. The following table describes how each role determines UI access and tasks:

Assigned Roles, Descriptions, and Tasks

Server Administrator

Description: Allows full UI access to all server and domain administration fields. At least one administrator must be assigned the Server Administrator role.

Note: You must set your own role to Server Manager before setting Enable role-based access control.

Tasks:

• Adding and deleting management domains

• Adding and deleting administrators

• Monitoring server events

• Configuring corporate directory server if present

• All domain-level tasks

Domain Administrator

Description: Allows full UI access to domain-level administration within a selected management domain (scope).

Tasks: All domain-level tasks, including:

• Configuring management domains (editing the domain name and setting up identity authentication, password reset, and data recovery systems)

• Adding, deleting, and modifying domain member groups

• Adding, deleting, and editing identity policy templates

• Adding, deleting, and editing device policy templates

• Adding, deleting, and editing license sets

• Adding, deleting, and editing relay server sets

• Reassigning roles to other administrators of the domain (not to Server Administrators)

Member Administrator

Description: Limits UI access to fields that affect domain member administration, within a selected management domain.

Tasks:

• Adding Groove users to management domain groups (creating managed user identities, including assigning licenses, identity and device policies, and relay servers to groups and identities)

• Editing managed user identities

• Removing domain group members

License Administrator

Description: Limits UI access to fields that affect Groove license administration within a selected management domain.

Tasks:

• Assigning Groove licenses to management domain groups and users

• Removing license assignments and removing licenses from license sets

Support Administrator

Description: Limits UI access to fields that control Groove user passwords and data recovery within a selected domain.

Tasks:

• Reset managed Groove user passwords or SmartCard login credentials upon request.

• Restore backed up Groove user accounts upon request.

Report Administrator

Description: Limits UI access to Groove usage reports for a selected management domain.

Tasks:

• Review Groove usage reports of managed user activities, Groove use, and Groove tool use.

no roles selected

Description: Blocks access to management domain tasks. The domain (scope) appears in the navigation pane of the management server administrative Web site, along with a message instructing the administrator to see the server or domain administrator to gain domain access.

Tasks: None. Administrators without a role can access domain tasks only after a server or domain administrator assigns them a role.

10. When you are ready, click OK.

The added administrator appears in the list of administrator names and scopes on the Roles tab. To add another administrator, return to the beginning of this procedure and click the Add Administrator tool again (you can add only one administrator at a time in the Add Administrator dialog box).

11. To enable role-based access control (RBAC), enable the feature from the main Roles page as described below, in “Enabling Role Based Access Control”.

The administrator(s) you added now have management server administration access according to your specifications.

Enabling Role Based Access Control

You must be a Server Administrator in order to enable role-based access control, described above in “Administrative Access Control”.

To enable role-based access control on the management server, follow these steps:

1. Go to the server Roles page of the management server administrative Web site.

2. From the server Roles page, select Enable role-based access control. This allows only defined administrators (described above in “Adding Administrators”) to access the management server.

Note: If you do not turn on Enable role-based access control, anyone who accesses the management server’s administrative site will have full access to all administrative fields and pages on the site.

Editing Administrator Roles

Any administrator with at least domain-level permissions on the Groove management server can edit administrator scopes and roles, by going to the Roles page for a selected server or management domain.

To edit administrator roles, follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select a server from the navigation pane.

2. Click the Roles tab. The Roles page appears with a list of administrator names and their associated server name or domain scope.

3. From the Roles tab, click the administrator name that you want to edit. The Edit Administrator page appears.

4. Edit the fields shown in the following table as needed:

Edit Administrator Fields and Descriptions

Name: The exact login name that the administrator will use to log in to the management server Web site (as defined by your authentication system).

Scope: Drop-down menu of defined management server and domains. Clicking the Add button displays the server name in the Assigned Scopes scrolling list and the administrator’s role in the Assigned Roles Within Selected Scope check-list for that scope.

Assigned Scopes: Scrolling list of management servers and domains that have been assigned to an administrator. Selecting a server or domain in this list displays the possible roles available for the selected scope.

Assigned Roles Within Selected Scope: Displays possible roles for a selected scope, as follows:

• Server Administrator - Allows full access to all server and domain-level administration for the selected server.

• Domain Administrator - Allows full access to all domain-level administration for the selected domain.

• Member Administrator - Allows access to management domain member administration only, within the selected domain.

• License Administrator - Allows access to Groove license administration only, within the selected domain.

• Support Administrator - Allows access to Groove identity authentication and data recovery/password reset administration only, within the selected domain.

• Report Administrator - Allows access to Groove usage reports for the selected domain.

Select any roles that you want to apply to a selected scope for the administrator that you are editing.

For more information about assigned roles, see “Adding Administrators” above.

5. To delete a scope assignment for the administrator being edited, select the scope and click the Remove From Scopes button.

6. Click OK.

Deleting Administrators

Any administrator with the Server Manager role can delete administrators, with the exception of the initial Manager for Server, which cannot be deleted.

To remove an administrator from the management server, do the following:

1. Go to the Enterprise Management Server administrative Web site and select a server from the navigation pane.

2. From the Roles tab, select the administrator(s) that you want to delete.

Note: You cannot delete yourself.

3. Click the Delete Selected Administrator button.

4. When a confirmation pop-up appears, click OK.
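The access rules from “Administrative Access Control” and the Assigned Roles table can be modeled as follows. This is an added Python example, not EMS code: the assignment layout, scope strings, task labels, and function names are assumptions made for illustration. It covers the cases the notes in this section warn about: RBAC left disabled, a login name that does not exactly match, a scope with no roles selected, and a missing Server Administrator.

```python
# Illustrative model of the role rules in this section. Not EMS code:
# the data layout, scope strings and task labels are assumptions.

SERVER_SCOPE = "servername"  # placeholder for the management server scope

SERVER_TASKS = {"domains", "administrators", "server_events", "directory_server"}

# Task areas opened by each limited domain role (abbreviated from the table).
ROLE_TASKS = {
    "Member Administrator": {"members"},
    "License Administrator": {"licenses"},
    "Support Administrator": {"password_reset", "data_recovery"},
    "Report Administrator": {"reports"},
}
ALL_DOMAIN_TASKS = set().union(
    {"domain_config", "groups", "policy_templates", "license_sets",
     "relay_sets", "domain_roles"},
    *ROLE_TASKS.values(),
)
EVERYTHING = SERVER_TASKS | ALL_DOMAIN_TASKS


def allowed_tasks(assignments, rbac_enabled, login_name, scope):
    """Return the task areas login_name may use within scope."""
    if not rbac_enabled:
        # RBAC off: anyone who reaches the admin site has full access.
        return set(EVERYTHING)
    scopes = assignments.get(login_name)  # exact match (assumed case-sensitive)
    if scopes is None:
        return set()  # name mismatch: no privileges once RBAC is enabled
    if "Server Administrator" in scopes.get(SERVER_SCOPE, set()):
        return set(EVERYTHING)
    roles = scopes.get(scope, set())
    if "Domain Administrator" in roles:
        return set(ALL_DOMAIN_TASKS)
    granted = set()
    for role in roles:  # an empty role set ("no roles selected") grants nothing
        granted |= ROLE_TASKS.get(role, set())
    return granted


def preflight(assignments, authenticated_names):
    """Findings to resolve before selecting Enable role-based access control.

    authenticated_names: login names exactly as the Web site's authentication
    system presents them (gathered by the administrator; an assumption here).
    """
    findings = []
    if not any("Server Administrator" in s.get(SERVER_SCOPE, set())
               for s in assignments.values()):
        findings.append(
            "no administrator holds Server Administrator on the server scope")
    known = set(authenticated_names)
    folded = {n.casefold(): n for n in authenticated_names}
    for name, scopes in assignments.items():
        if name not in known:
            near = folded.get(name.casefold())
            hint = f" (did you mean {near!r}?)" if near else ""
            findings.append(f"{name!r} matches no authenticated login name{hint}")
        for scope, roles in scopes.items():
            if not roles:
                findings.append(f"{name!r} has no roles in scope {scope!r}")
    return findings


# Constructed sample data (not taken from any real server).
ASSIGNMENTS = {
    "CORP\\alice": {SERVER_SCOPE: {"Server Administrator"}},
    "CORP\\bob": {"Sales": {"License Administrator", "Report Administrator"}},
    "corp\\carol": {"Sales": {"Domain Administrator"}},  # case differs from login
    "CN=Dave Smith": {"Sales": set()},                   # no roles selected
}
IIS_LOGIN_NAMES = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CN=Dave Smith"]

if __name__ == "__main__":
    for finding in preflight(ASSIGNMENTS, IIS_LOGIN_NAMES):
        print("FIX BEFORE ENABLING RBAC:", finding)
    print(sorted(allowed_tasks(ASSIGNMENTS, True, "CORP\\bob", "Sales")))
```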


Defining a Directory Server

The Enterprise Management Server’s optional directory integration feature lets you incorporate user information from a Lightweight Directory Access Protocol (LDAP) v3.0-based database at your site into management server domain user lists. This expedites the administrative task of provisioning Groove to a large number of users.

The sections below describe the following directory server tasks:

• Overview of Directory Integration

• Adding a Directory Server

• Editing a Directory Server

• Customizing Management and Directory Server Mapping

• Configuring Directory Synchronization

• Viewing Directory Synchronization Status

• Automating Directory Integration

• Deleting an Integration Point

• Deleting a Directory Server

Overview of Directory Integration

If your management network includes a corporate LDAP directory of user information, you can utilize these databases on the management server to populate management domains with users. You begin by defining the directory server on the management server so that the machines can communicate.

Once a directory server is defined on your management server, you can apply directory user information to management domains in one of two ways: by allowing domain administrators to import directory information to specific domain groups, or by enabling automatic directory integration via defined integration points that may or may not involve the full directory structure. Automatic data integration eliminates the need for domain administrator input because the server administrator has already initiated the data exchange and synchronization through specified integration points.

In summary, the management server provides three options for integrating user information from an LDAP server with management server domain user lists:

• Manually importing members from a directory server using the Add Members Wizard.

• Automatically importing members from a directory server through an integration point created with the auto-import users option.

• Automatically importing members from a directory server through an integration point created with the auto-import users and directory structure option.

EMS uses an internal mapping scheme, shown in “Table 1. EMS to LDAP Attribute Mapping” below, to map user directory attributes to EMS user attributes. EMS is designed to support Microsoft Active Directory, iPlanet, and Lotus Domino R5 (or higher) directory applications. Changes in the directory can be synchronized on the management server automatically at scheduled intervals, or manually as needed.

Adding a Directory Server

In order to enable directory integration, you must first identify the directory server to the management server. The following sections provide detailed instructions about defining and configuring a corporate directory server on your Enterprise Management Server:

• Before You Begin

• Defining a Directory on the Management Server

Before You Begin

Before you define a directory server on the management server, note the following requirements and recommendations:

• Each user record that you intend to import to the Groove management server must include a valid email address, particularly when using Domino directories. The Domino format automatically populates blank user email addresses with default entries that are not valid email addresses on the management server.

• The directory server login administrator must have at least read-only access rights to the distinguished name (DN), name, email, and unique identifier attributes on the directory server. See “Table 1. EMS to LDAP Attribute Mapping” below for mapping details. The Unique Identifier (UID) is used to locate users who cannot be located using DN or email. If all attempts fail, the user is treated as deleted.

• A hidden unique identifier (UID) for each user on the management server maps to a unique identifier on the directory server, as shown in the table below. The unique identifier must point to a unique attribute of the user. Users who cannot be located in the directory are treated as deleted users.

• The distinguished name (DN), name, email, and unique identifier attributes on the directory server should not be null.

• You cannot use the management server to modify identity contact properties for users that have been imported from a directory server - that information should be maintained on the directory server itself, followed by management server synchronization as described in “Configuring Directory Synchronization” later in this section.
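The requirements above can be checked against a directory export before any import is attempted. This is an added Python example, not part of EMS: it uses the default attribute names from “Table 1. EMS to LDAP Attribute Mapping”, while the record layout, the sample entries, and the email pattern are constructed for illustration.

```python
import re

# Default attribute names per directory type, from Table 1 of this guide.
DEFAULT_MAP = {
    "Active Directory": {"name": "cn", "email": "mail", "uid": "objectGUID"},
    "iPlanet":          {"name": "cn", "email": "mail", "uid": "nsuniqueid"},
    "Domino":           {"name": "cn", "email": "mail", "uid": "UID"},
}

# Deliberately simple pattern (an assumption, not the EMS rule): local@domain.tld
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _get(rec, attr):
    """LDAP attribute names are case-insensitive; values may be missing or blank."""
    for key, value in rec.items():
        if key.lower() == attr.lower():
            return (value or "").strip()
    return ""


def check_records(records, directory_type, mapping=None):
    """Return {dn: [problems]} for entries that would not import cleanly.

    records: list of dicts holding 'dn' plus attribute -> value (constructed
    layout, e.g. parsed from an export). mapping overrides the defaults, for
    example {"uid": "EmployeeID"} when a custom Unique Identifier is configured.
    """
    attrs = dict(DEFAULT_MAP[directory_type], **(mapping or {}))
    problems = {}
    seen_uid = {}
    for index, rec in enumerate(records):
        dn = (rec.get("dn") or "").strip()
        key = dn or f"<record {index} without DN>"
        found = []
        if not dn:
            found.append("distinguished name is null")
        # DN, name, email and unique identifier should not be null.
        for field, attr in attrs.items():
            if not _get(rec, attr):
                found.append(f"{field} attribute '{attr}' is null")
        # Every imported user needs a valid email address.
        email = _get(rec, attrs["email"])
        if email and not EMAIL_RE.match(email):
            found.append(f"email '{email}' is not a valid address")
        # The unique identifier must point to a unique attribute of the user.
        uid = _get(rec, attrs["uid"])
        if uid:
            if uid in seen_uid:
                found.append(f"unique identifier duplicates {seen_uid[uid]}")
            else:
                seen_uid[uid] = key
        if found:
            problems[key] = found
    return problems


# Constructed sample entries (not from a real directory).
SAMPLE = [
    {"dn": "CN=Ann Lee,O=CompanyA", "cn": "Ann Lee",
     "mail": "ann.lee@companya.example", "UID": "E1001"},
    {"dn": "CN=Bo Chen,O=CompanyA", "cn": "Bo Chen",
     "mail": "Bo Chen/CompanyA", "UID": "E1002"},        # constructed non-address
    {"dn": "CN=Cy Diaz,O=CompanyA", "cn": "Cy Diaz",
     "mail": "cy.diaz@companya.example", "UID": "E1001"},  # duplicate identifier
    {"dn": "CN=Di Roy,O=CompanyA", "cn": "Di Roy", "mail": "", "uid": ""},
]

if __name__ == "__main__":
    for dn, issues in check_records(SAMPLE, "Domino").items():
        print(dn)
        for issue in issues:
            print("  -", issue)
```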

Defining a Directory on the Management Server

To define a directory server to the management server, follow these steps:


1. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab.

2. Select Add Directory Server in the tool bar. The Add Directory Server page appears with tabs as described in the following table:

Add/Edit Directory Server Tabs and Explanations

Server Properties: Allows server administrators to configure and edit directory server properties.

Field Mapping: Allows server administrators to map management server fields to directory server fields.

Synchronization Options: Allows server administrators to synchronize the management server with the latest changes on the directory server.

3. From the Add Directory Server/Server Properties page, select a server from the Directory Type scrolling list and fill in the remaining required and optional fields described in the following table:

Directory Server Properties Fields and Explanations

Directory type: One of the following directory types:

• Microsoft Active Directory

• iPlanet

• Lotus Domino R5 (or greater)

• Generic LDAP Server

This field is required.

Display Name: Optional. Display name of the directory server.

Server Name: Registered, fully qualified DNS name of the directory, such as CompanyA.EmpDirectory.net. This field is required.

Server Port: Port number (usually 389 or 636). This field is required.

Root Naming Context: Lets you specify a default root name to be used for executing a search. This name will indicate where in your directory hierarchy the search should begin.

For example, if you want search entries to begin with your organization name by default, type the name for your organization in this field. An Active Directory entry might be: dc=company,dc=net.

This is a required field for iPlanet and Lotus Domino (which do not expose a default root naming context) but not for Active Directory.

Unique Identifier: The name of a field in your directory server which contains a unique, unchanging identifier for each user. The management server uses this field to map users on your directory server to management domain user lists.

If the default entry specifies a field that may change, enter another directory field (such as EmployeeID or BillingCode) that contains permanent user identifiers. This mechanism allows the management server to locate individual users even if you relocate them in the directory server hierarchy or update other user information.

Default: the name of a commonly used field that uniquely identifies each user within a specific LDAP server environment (Active Directory, Domino, or iPlanet).

Require SSL: Lets you specify that EMS use Secure Socket Layer (SSL) connections to your directory server, provided that your server has the necessary SSL certificates and ports enabled.

Chase directory referrals: Lets you specify that EMS continue directory searches to referral devices if other servers support your main directory server. If you do not set this feature, the management server will return a null set when searching for user data that does not reside on the main directory server but on a referral server.

Note: This feature requires that the directory server and any referral device share the same login name and password.

Login name: Name for logging into the directory server from the management server, preferably an LDAP Distinguished Name (DN), such as CN=Administrator,CN=users,DC=company,DC=com.

The name should correspond to a directory server account that has full read access to user directories. The management server uses this login name to access the directory server for data synchronization and to import names into a domain (when configured to do so by a domain administrator).

Access to user directories depends on how you define permissions for the account associated with this login sequence on the directory server. Successful integration of management and directory servers requires full read access to user directories. Therefore defining a dedicated account (and login sequence) for management server access to the directory server is highly recommended.

CAUTION: Allowing management server logins to multiple directory server accounts can result in irretrievable loss of Groove user accounts during data synchronization. See the Caution in “Scheduling Directory Synchronization” later in this section for more information.

Login password: Password for logging into the directory server from the management server. The management server will use this password to access the directory server for data synchronization and to import names into a domain (when configured to do so by a domain administrator).

Note: Do not leave the login password blank. The LDAP server treats logins with blank passwords as anonymous logins which can result in data loss, as described in the above Note. Due to this LDAP authentication issue, the management server requires that you supply a password for any LDAP accounts used in conjunction with the management server, thus preventing possible data loss.

Use secure binding: Lets you instruct EMS to use your local administrative platform to secure the login information before sending it to the directory server. Enabling this feature is the more secure login method, provided that your directory server is configured to support this method.

4. When you are ready, click OK. This creates a directory connection with EMS and displays the directory name in the list of integration servers on the Directory Integration tab. You have now defined the directory server so that domain administrators can import a corporate directory of user identities to a management server domain or you can define directory integration points that automate this process. Once the user directory information is applied to the management server, domain administrators can oversee Groove user and device activities via management domain groups. For information about Groove domain management, see the Groove Management Server Domain Administrator’s Guide.

At the server level, you can further specify directory server settings as follows:

• Modify the default management server-directory server field mapping, as described in “Customizing Management and Directory Server Mapping” later in this section.

• Configure data synchronization (user attributes and integration points), as described in “Configuring Directory Synchronization” later in this section.

• Automate directory integration through integration points, as described in “Automating Directory Integration” later in this section.

Editing a Directory Server

To edit directory configuration information, follow these steps:

1. Select the server from the list in the management server navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

2. From the list of directory servers, click the server that you want to edit. The Edit Directory Server Properties page appears, with three tabs: Directory Server Properties, Field Mapping, and Synchronization Options, as described above in the “Add/Edit Directory Server Tabs” table.

3. From the Server Properties page, edit the values you want to change, as described above in the “Directory Server Properties Fields” table.

4. To edit the default management server-directory server field mapping, click the Field Mapping tab and edit the values you want to change, as described below in the “Field Mapping Text Boxes” table.

5. To edit synchronization parameters or integration points, click the Directory Synchronization tab and edit the values you want to change, as described below in the “Configure Directory Synchronization Fields” and “Select Integration Point Options” tables.

6. When you are ready, click OK.


Customizing Management and Directory Server Mapping

The management server follows a default schema for mapping the user information fields on each of the three directory server types (Active Directory, IPlanet, and Domino) to Groove contact properties. See “Table 1. EMS to LDAP Attribute Mapping” below for mapping details. You can edit the way in which these fields are mapped by using the directory server field mapping pages. Usually, you customize attribute mapping before importing directory server user information to the management server. However, you can also perform this task after users have been imported, provided that you synchronize the servers after making the mapping changes.

Table 1. EMS to LDAP Attribute Mapping

| EMS/Groove Contact Properties | Active Directory | IPlanet | Domino |
|---|---|---|---|
| Full Name | cn | cn | cn |
| First Name | givenName | givenName | givenName |
| Last Name | sn | sn | sn |
| title | title | title | title |
| EMail | mail | mail | mail |
| orgPhone | telephonenumber | telephonenumber | telephonenumber |
| orgCell | mobile | mobile | mobile |
| orgFax | facsimileTelephoneNumber | Fax | facsimileTelephoneNumber |
| Company | company | o | CompanyName |
| orgStreet | streetAddress | street | officestreetaddress |
| orgState | st | st | st |
| orgCity | l | l | l |
| orgCountry | c | c | c |
| orgPostalCode | postalcode | postalcode | postalcode |
| Unique Identifier (not in Groove contact properties) | objectGUID | nsuniqueid | UID |

To customize the mapping of management server user information fields to corresponding fields on the directory server, follow these steps:

1. Define a directory server, as described in “Adding a Directory Server” above.

2. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

3. From the list of directory servers, click the server for which you want to customize field values. The directory Server Properties page appears.

4. Click the Field Mapping tab. The Field Mapping form for the selected directory appears. The form displays the Groove contact properties used on the management server along with text boxes where you can enter the corresponding field names used on your directory server.

Note: All text box entries, including blank entries, overwrite the default field mapping values. Make sure to enter a value in each field that you do not want to lose. You must enter at least a full name and email address in order to process this form.

5. Fill out the form as advised in the following table:.

Field Mapping Text Boxes

Explanations

Full Name This is a required field. Enter the name of the attribute that holds user identity names on the selected directory server. This is the Full Name field in Groove contact properties.

For example, to map a user’s full name in Groove to a name on an Active Directory server, you would enter one of the following in the Full Name text box.

• Full/Common Name (cn) - To use the directory’s common name.

• Unique Identifier (UID) - To use the directory’s unique identifier.

• Common Name + Unique identifier - To use both the directory’s common name and unique identifier.

This field is especially useful with Windows Active Directory which does not ensure unique common names. In this case you would choose one of the unique identifier options.

Note: If you are using Enterprise PKI integration in any domain with users from the current directory server, map the full name field to either the Subject Distinguished Name or the Subject Alternative Name email address in the user's certificate to avoid member authentication failure.

Default: Common Name

Email This is a required field. Enter the name of the attribute that holds user email address on the selected directory server.

Default: Email

Other fields Enter attribute name equivalents for all other attributes on the directory server that you want to map to Groove contact properties. These fields reflect the directory type you are specifying. Remember that all text box entries, including blank entries, overwrite the default field mapping values. Make sure to enter a value in each field that you do not want to loose.

To reset fields to their default values, click the Restore Defaults button.

Enterprise Management Server Administrator’s Guide Defining a Directory Server 59

Page 66: Groove Enterprise Management ServerEnterprise Management Server Administrator’s Guide Overview of Server Administration 3 Figure 4. Interaction of Groove Servers and Clients Communications

6. If at any you time you need to restore the original defaults, click the Restore Defaults button.

7. When you are ready, click OK.

8. If users have already been imported into a domain on the management server, make sure to synchronize the management and directory servers either manually, or on schedule. as described in “Configuring Directory Synchronization” below.

The management server will now use your customized field mappings to match user infor-mation on the directory server with user identity contact information. Custom fields appear on the Member details page at the bottom of the field list (after the Fax field), as described in Viewing and Editing Member information section in the Managing Users sec-tion of this guide.

Configuring Directory Synchronization

The management server allows you to synchronize the management server with changes (updates or deletions) made to user contact information on your directory server. You can configure either scheduled or on-demand synchronization. Only those user records that have already been imported will be synchronized on the management server. To add new users from the directory server to a management server, a server or domain administrator must import them to a domain group, as described in the Groove Management Server Domain Administrator’s Guide. Or, you can automate this process by defining integration points, as described in “Automating Directory Integration” below.

You can enable and schedule management server synchronization with the latest corporate directory updates from the Directory Synchronization tab. Once you have enabled directory synchronization, you can also trigger on-demand synchronization.

This section covers the following topics:

• Scheduling Directory Synchronization

• Manually Triggering Data Synchronization

Scheduling Directory Synchronization

The Synchronization Options tab allows you to enable data synchronization on the management server, schedule periodic data synchronization, and define integration points that allow automatic transfer of directory user information to the management server. Before setting up directory synchronization, note the cautions below.

Field Mapping Text Boxes

Explanations

Custom Fields Labels #1-10 - Enter any custom field values (such as EmployeeID or BillingCode) that you want to define in your mapping scheme but which are not among Groove contact properties. Specified values will appear in the management server member contact details for all users originating from the directory server.

Restore Defaults - Click this button whenever you want to restore the original system defaults in this Field Mapping form.


To schedule directory synchronization, follow these steps:

1. Define a directory server, as described in “Adding a Directory Server” above.

2. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

3. From the list of directory servers, click the server for which you want to schedule synchronization. The directory Server Properties page appears.

4. Click the Synchronization Options tab. A page of data synchronization parameters appears.

5. Select the Enable directory synchronization box.

6. Fill in the remaining Configure Directory Synchronization fields as described in the following table:

7. When you are finished, click OK to update the management server with your data synchronization specifications.

Configure Directory Synchronization Fields

Descriptions

Enable directory synchronization - Enables or disables scheduled synchronization of the management server with the latest updates on a defined corporate management server.

Synchronize every __ __ - Specifies the number of hours, days, or weeks between synchronizations. This field is required when ‘Enable directory synchronization’ is selected.

Enter the information as follows:

• Text box - Enter a number from 1 to 24 for hours, from 1 to 31 for days, or from 1 to 52 for weeks.

• Drop-down menu - Select Hours, Days, or Weeks.

Default: 1 Day (daily synchronization)

Begin Synchronization at - Specifies the date and time when scheduled synchronization should begin. This field is required when ‘Enable directory synchronization’ is selected.

Enter date and time information, as follows:

• Date - In the date text box, enter a date in the mm/dd/yyyy format (such as 10/31/2002) or click the calendar pop-up and select a date, using the arrow tools at the top of the calendar to navigate to different dates. Clicking a specific date closes the calendar and enters the date.

• Time - In the time text box, enter a time in the hh:mm format (such as 12:30).

• AM/PM - From the time drop-down menu, select AM or PM.

Add Integration Point - The Integration Point portion of this page allows you to customize management server-directory server integration points. The Integration Point option appears on the Directory Synchronization page only if you are editing existing directory server properties, not if you are defining a new directory server.

For information about defining integration points, see “Automating Directory Integration” below.


Note: Users deleted from the directory (since the last synchronization) will remain on the management server until an administrator manually removes them from a domain group (as described in the Groove Management Server Domain Administrator’s Guide).

Manually Triggering Data Synchronization

To manually synchronize management server user data with your directory server, follow these steps:

1. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab.

2. From the management server Directory Integration tab, check the Scheduled column and confirm that synchronization is Enabled. If the status is Disabled, you can enable it from the Synchronization Options page, as described above in “Configuring Directory Synchronization”.

3. Synchronize the management server with the associated directory server by clicking the Synchronize button.

Viewing Directory Synchronization Status

Once you have defined a directory server on the management server, as described above in “Adding a Directory Server”, you can check the directory synchronization status of the management server from the main Directory Synchronization page.

The following table describes the columns of information provided in the directory server list:

To view directory server synchronization status, do the following:

1. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab.

Directory Server List Column Entries

Descriptions

Server - The name of the corporate user directory server, as defined on the management server, as described above in “Defining a Directory on the Management Server”. This field shows the Display Name for the server if one exists or the Server Name if no display name exists.

Last Synchronized - The date of the most recent management server synchronization with directory server updates.

Scheduled - Enabled or Disabled, indicating whether scheduled synchronization has been enabled on the management server (via the fields on the Directory Synchronization tab), as described above in “Configuring Directory Synchronization”.

Mapped To - Specified integration points on the directory server, as defined on the Directory Synchronization page, described below in “Automating Directory Integration”.

Synchronize - A button that lets you initiate data synchronization (of user attributes and/or data integration points) now.


2. From the management server Directory Integration tab, check the Last Synchronized and Scheduled columns to see when synchronization is scheduled and if synchronization is Enabled or Disabled, respectively.

3. If synchronization is enabled and you want to synchronize the management server with the associated directory server now, click the Synchronize button. For information about enabling and scheduling data synchronization, see “Configuring Directory Synchronization” above.

4. If a data synchronization alert appears at the top of the navigation pane, click it to display details on what machine (directory server) is out of sync with the management server. The management server presents the following two types of synchronization alerts:

• An alert that appears when a directory mapping is changed and you have imported users from the directory.

• A user deletion alert generated by the synchronization process when a user is manually removed from a domain group on the management server.

Automating Directory Integration

Once you define a corporate directory server on the management server, as described above in “Adding a Directory Server”, you can automate data integration by defining one or more integration points. An integration point is a location in the management server hierarchy where managed domain users or groups originating from the directory server will automatically be created on the management server, based on a defined synchronization schedule. If no integration points are selected, automatic data integration cannot occur and server or domain administrators must import directory server user information into specified domain groups. If you define multiple integration points, the most recent takes precedence over previous points. The procedure below explains how to automate directory integration.

Note: You cannot edit an integration point once you create it. However, you can delete an integration point, as described below in “Deleting an Integration Point”.

Note: In scenarios where you have already imported users from a directory (from a previous EMS version, for example), EMS does not re-import existing users; only new users are added to the directory at the integration point for the automated data integration.

To specify an integration point for automated directory integration, follow these steps:

1. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

2. From the list of directory servers, click the server for which you want to define integration points. The directory Server Properties page appears.

3. Click the Synchronization Options tab. A page of data synchronization parameters appears.

4. Set up data synchronization as described above in “Configuring Directory Synchronization”.


5. Click the Add Integration Point button to launch a wizard that allows you to create a directory integration point. The Select Integration Point Options page appears.

6. From the Select Integration Point Options page, fill in the fields as described in the following table:

7. Click the Next button. The Select Member Group page appears.

8. Select a target group on the management server, as follows:

• If you selected the option to import users only, you can select any group that is not already an integration point under the alternative condition (of importing users and directory structure).

• If you selected the option to import users and directory structure, you can select only groups which have no subgroups or existing members and which are not already integration points.

Select Integration Point Options

Explanations

Name - Enter a name for the integration point, such as CompanyA.

From - Enter the location in the directory server hierarchy of the user data to be transferred. The string value that you enter depends on your directory structure, but generally you use the following format:

<fieldname>=<value>,<fieldname>=<value> etc.

For example:

ou=Boston Office,dc=XYZCorp,dc=com

where ou = Organizational Unit

dc = Domain Context

Search Filter - If you want to add users who reside in the From location and match particular search criteria, enter a search string in this field. For information about creating LDAP search strings, see the Groove Management Server Domain Administrator’s Guide.

Import users options - Select one of the following options:

• Automatically import users - Automatically imports users from the specified location in the directory hierarchy into the member group selected on the next page of the Add Integration Point wizard.

‘Include users from all sub-OU’s’ - Select this option to include users from all sub-OU’s of the specified location. The users will be imported without regard to their existing directory structure.

• Automatically import users and directory structure - Recreates the directory structure specified in the directory server From location in the member group selected on the next page of the Add Integration Point wizard. The directory server controls the creation and deletion of member groups beneath the selected member group and the location of members within those groups.

Note: Any previously imported users will be ported to the proper location in the structure, as determined by the integration point, at the time of synchronization.

Default: Automatically import users.


Groups unavailable for selection in either case appear in gray.

9. Click the Finish button. The integration point that you defined appears in the Integration Points list on the Synchronization Options page and in the Integration Server Settings list on the group Properties page of the associated group, as shown in the Integration Point Information table below.
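The From location and the ‘Include users from all sub-OU’s’ option described in the Select Integration Point Options table decide which directory entries an integration point covers. The following added example (not part of the original guide and not EMS code) previews that coverage for a list of entry names. The function names and sample entries are hypothetical, and it assumes case-insensitive matching and that leaving the sub-OU option cleared limits the import to entries directly under the From location.

```python
# Added illustration: preview which directory entries fall under an
# integration point's From location. Not EMS code; all names are hypothetical.

def split_dn(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_rdn(rdn):
    """Return (fieldname, value), lower-cased and trimmed, or raise ValueError."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"not in <fieldname>=<value> form: {rdn!r}")
    # Assumption: both sides compare case-insensitively.
    return (attr.strip().casefold(), value.strip().casefold())


def parse_dn(dn):
    return [normalize_rdn(rdn) for rdn in split_dn(dn)]


def in_scope(entry_dn, from_dn, include_sub_ous):
    """True if entry_dn lies below from_dn (directly, or at any depth)."""
    entry, base = parse_dn(entry_dn), parse_dn(from_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False                      # outside From, or the From node itself
    depth = len(entry) - len(base)
    return include_sub_ous or depth == 1


def preview_import(entries, from_dn, include_sub_ous):
    """List the entries an integration point at from_dn would cover."""
    return [dn for dn in entries if in_scope(dn, from_dn, include_sub_ous)]


FROM_LOCATION = "ou=Boston Office,dc=XYZCorp,dc=com"   # example from the guide

# Constructed sample entries.
SAMPLE_ENTRIES = [
    "cn=Smith\\, Jane,ou=Boston Office,dc=XYZCorp,dc=com",             # escaped comma
    "cn=Raj Patel,ou=Engineering,ou=Boston Office,dc=XYZCorp,dc=com",  # in a sub-OU
    "CN=Lee Wong, OU=Boston Office, DC=xyzcorp, DC=com",               # case and spacing
    "cn=Ana Diaz,ou=Austin Office,dc=XYZCorp,dc=com",                  # different OU
    "ou=Boston Office,dc=XYZCorp,dc=com",                              # the From node
]

if __name__ == "__main__":
    for flag in (False, True):
        print("include sub-OUs:", flag)
        for dn in preview_import(SAMPLE_ENTRIES, FROM_LOCATION, flag):
            print("   ", dn)
```

Splitting on every comma would place the first sample entry one level too deep, which is why the escaped comma is handled explicitly.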

Deleting an Integration Point

You can delete an integration point from the Synchronization Options page. Deleting an integration point means that automatic data transfer and ongoing synchronization will not occur for that point.

To delete an integration point from the management server, follow these steps:

1. Select the management server from the list in the management server navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

2. From the list of directory servers, click the server from which you want to delete an integration point. The directory Server Properties page appears.

3. Click the Synchronization Options tab. A page of data synchronization parameters appears.

4. Click the Delete button in the row of the integration point that you want to delete. A Delete Integration Point pop-up window appears.

5. From the Delete Integration Point pop-up window, select one of the following options:

• Do not delete members from this integration point - Retains member identities imported from the chosen integration point.

• Delete members imported from this integration point - Deletes member identities imported from the chosen integration point from the management server domain. Members will continue to be synchronized and will be treated in the same way as members who are manually imported from the directory server.

6. Click OK.

Integration Point Information

Field Descriptions

Name - The name of the integration point defined via the Synchronization Options page.

From - Point of integration from the directory server hierarchy (defined on the first page of the integration wizard).

To (on the Synchronization Options page only) - Point of integration on the target management server (the member group defined on the second page of the integration wizard).

Search Filter (on the group Properties page only) - Search filter, if specified.


Deleting a Directory Server

You can delete selected directory servers from the management server from the Directory Integration tab.

To delete a directory server from the management server, follow these steps:

1. Select the server from the list in the management server navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

2. From the list of directory servers, select the server(s) that you want to delete.

3. Select Delete Directory Server in the tool bar.


Monitoring the Management Server

The management server reports server events to an audit log, which you can access from the EMS Web site. It also reports operational problems to the Windows Event Viewer. In addition, the management server contacts the Groove Networks Web site, confirming its Internet connectivity via the Customer Support Notification (CSN) feature.

Refer to the following server monitoring procedures as needed:

• Viewing the Audit Log

• Exporting Reports

• Using the Windows Event Viewer for Server Diagnostics

• Responding to Alerts

• Customer Support Notification Feature

For information about producing customized reports of Groove usage statistics stored in the SQL database, see “Appendix B. EMS SQL Views”.

Viewing the Audit Log

The EMS audit log displays server events that allow you to monitor server and domain events, such as when a domain or user is added to the server. The server audit log also reports an event when a disconnect causes the management and onsite relay or directory servers to become unsynchronized or when the management server cannot connect to an onsite relay or directory server.

To view the audit log, follow these steps:

1. Go to the management server administrative Web site and select the server from the navigation pane. The Reports tab displays the Audit Log report.

2. To customize the current report, click the Filter expansion arrow and use the Filter controls.

3. To specify the number of list items to display per page, select a value in the Display drop-down menu (25 events per page is the default).

4. Click the Display Report button to display the report. You can use the First, Previous, Next, and Last page controls to navigate within the report.

5. To sort on a specific field, click an underlined title in the column that you want to sort on. To reverse the sort order, click the title again.


6. A list of audit log entries appears.

For more information about audit log report entries and about using the EMS report and filtering controls, see the Groove Management Server Domain Administrator’s Guide.

Exporting Reports

You can export a displayed report to an .xml or a .csv file from the Server Reports tab.

To export a server report, follow these steps:

1. Go to the management server administrative Web site and select the management server from the navigation pane. The Reports page appears with a list of recently audited server events.

2. To filter the events included in the report, from the Reports tab, use the Period and Display fields to filter the events shown, then click the Display Reports button. An updated list of audited events appears, based on your filter specification.

3. Click Export Report in the tool bar. An Export pop-up window appears.

4. Select CSV or XML as a target file type, then click OK. A File Save pop-up window appears.

5. Browse to a file location for the exported report, then click OK.

Using the Windows Event Viewer for Server Diagnostics

The management server reports errors to the Application Log section of the Windows 2000 Event Viewer. The source of these entries is GrooveManagementServer. Error codes displayed in the Event Viewer correspond to Win32 error codes (under 10,000), or Winsock error codes (above 10,000). Proficiency with kernel debugging is required to understand these error codes. Event Viewer error entries can help diagnose server problems, so, if you encounter problems that require assistance from Groove Support, you may be asked to supply Event Viewer information.

To access the Windows 2000 event log, do the following:

1. Go to Start --> Programs --> Administrative Tools --> Event Viewer.

2. If you want to filter the log for certain types of events, click the Event Viewer Filter tab and select one of the following filters:

• Information - Displays informational messages that do not require administrative action.

• Error - Displays onsite management server error events that require administrative action.

• Warning - Displays onsite relay server events that may require administrative action in order to prevent an error condition.

Responding to Alerts

Under certain conditions when corrective action is required by the administrator, an EMS Alert appears on the screen. A typical alert might appear to notify you that a directory server must be synchronized with the management server. Clicking the Alert displays details.

To respond to a server alert, follow these steps:

1. Click the Alert icon. A pop-up window appears that displays the date and time that the condition occurred, the type of alert, and the name of the device (management or onsite relay server) that generated the alert. Management server time reflects the time zone of the management server. This pop-up window lists all management server Alerts that have not yet been resolved.

2. In the Alert Type column, click the link for the alert that you want to resolve. This displays context-sensitive Help for fixing the Alert condition. Once you clear the Alert condition, the Alert disappears.

3. Click OK to close the window.

Customer Support Notification Feature

EMS offers the Customer Support Notification (CSN) feature to further supplement your server monitoring practices. Periodically, the Enterprise Management Server contacts Groove Networks (www.groove.net) to deliver customer support data, indicating that the server is functioning normally. If server contact ceases, Groove Customer Support has the information necessary to notify you of this condition, using the email address you specified during server installation.

The reported information is packaged in a SOAP/BASE64 encoded envelope and contains the following items:

• Version number of the management server

• Globally unique ID (GUID) of the management server

• SOAP URL of the management server (http://your.companyname.com)

• Your administrator email address ([email protected])

If relay servers are installed at your site, the following relay information is also reported:

• Version number of the relay server

• Device URL of the relay server (used by Groove clients)

• Communication status between the relay and EMS - Pending, OK, Error

• Relay synchronization needed - Yes, No

• Time of last relay-EMS server status check

If you need to change your contact email address (originally set during management server installation), you can do so on the Server Properties page by clicking Server Properties in the tool bar on all the main server-level tabs.

To change your contact email address, follow these steps:

1. Select a server from the management server navigation pane. The management server page appears.

2. Click Server Properties in the tool bar.

3. In the Email field, update the email address.


4. Click the OK button.


Troubleshooting

This section describes how to resolve problems you may encounter while managing your server. For help with management domain-related problems, see the Troubleshooting section of the Groove Management Server Domain Administrator’s Guide.

For further help, contact Groove Support. To help diagnose server problems, you may be asked to supply information from the Windows 2000 Event Viewer, which reports server application errors, or from the management server Audit Log for problems involving contact with managed relay servers. See “Using the Windows Event Viewer for Server Diagnostics” for information about using the Windows 2000 Event Viewer, and “Viewing the Audit Log” for information about using the management server Audit Log.

For the latest information about addressing specific management server conditions, go to:

• http://www.groove.net/default.cfm?pagename=SupportFAQIndex for answers to frequently asked questions

• http://www.groove.net/support/technotes/index.gtml?id=6 for Support notes

The following sections suggest solutions to server problems that may arise in a managed Groove environment:

• Management Server Problems

• Auto-Activation Problems

Management Server Problems

This section suggests ways to address typical problems that you may encounter during management server use.

Problem

You receive an email from Groove Networks indicating that the Customer Support Notification (CSN) feature is not operating.

Solution

Check that the management server is running properly and communicating over the Internet. If both conditions are true, contact Groove Support and inform them of the email. The CSN feature enables your management server to report its Internet-accessible name to Groove Networks to assure its Internet connectivity. CSN is included with your management server installation. See “Customer Support Notification Feature” in the Monitoring the Management Server section for information about CSN.

Problem

User installation of a domain activation key fails, displaying the message ‘Activation server cannot be reached.’

Solution

The client (user’s device) cannot communicate with the server to download the license(s) associated with the activation key. Check the Activation Server name sent to the user (the management server name) to make sure that it is correct.

Problem

Groove clients are not updated with management server settings and policies.

Solution

Groove clients may not be able to access gms.dll, the main point of contact between Groove clients and the management server. Check your IIS settings and make sure that Scripts and Executables is enabled.

Problem

The color of the EMS screens does not display properly.

Solution

Set the color parameter of your Windows Display Properties to at least 16 bits.

Problem

Groove clients cannot connect to the management server.

Solution

You may have set up authentication for the entire management server Web site, preventing client contact. If this is the case, reconfigure authentication to protect the management server administrative interface in the Admin directory of IIS, leaving the home directory accessible to the Internet.

Problem

A managed Groove identity tries to connect to a relay server but the connection is unsuccessful and the relay server logs Event Log messages similar to the following:

RQS-Manager: User open failed - user object initialization failed, user name (86etwfwjijhpibxschk6wxwbewrg6zmra99kcci), hr(0x80210009)

PreauthRequired and no User ID found in users database, user 86etvfwjijhpibxschk6wxwbewrg6zmra99kcci,account grooveAccount://3tuf966hej5zaw3w8upkk2x48wezs984iag7rws@

192.168.1.24:1133 user layer message verification failed for user grooveAccount://3tuf966hej5zaw3w8upkk2x48wezs984iag7rws@ on device dpp://r030.groove.net/eurovpsx53khzrffdm3uxaphqh64bzzktggwxk2

Solution

The Enterprise Management Server has not successfully downloaded the managed identity information to the relay server. This unsynchronized condition can occur if an administrator registers a relay server with a management server domain or group and adds users to the domain or group, but does not immediately start up the relay server.

To fix this problem, synchronize the relay servers by going to the management server administrative Web site, selecting a domain from the navigation panel, and synchronizing any relay servers that are indicated as out-of-sync. See the Groove Management Server Domain Administrator’s Guide for detailed instructions.

If the problem persists, contact Groove Support for assistance.

Problem

The time stamp reflects a different time than the local administrative machine.

Solution

Your management server may be located in a different time zone from your login time zone. The Enterprise Management Server records and displays times based on the server time zone. For example, if you are using Groove-Hosted Management Services, which is based in Massachusetts, and you log in from a location in another time zone, the reported times on the server will differ from your local time.

Problem

Previously imported domain members have disappeared.

Solution

Possibly, a management server administrator has used a legitimate account to import users from a directory server, then synchronized using an anonymous account.

Data synchronization problems can arise when an anonymous login is successful but the anonymous account has no access to any member lists. Using a legitimate account to access a list of members (for synchronization, for example) that differs in any way from the account that was used to import members into the management server domain can disrupt your directory entries on the management server when data synchronization has occurred. If user accounts are lost as a result, the only solution is to re-add the users to the domain and send them all new activation keys.

Remember that allowing management server logins to multiple directory server accounts, including an anonymous login account, can result in irretrievable loss of Groove user accounts if data synchronization is scheduled or triggered on demand. The management server does not distinguish between deleted directory entries and directory entries that an administrator cannot access due to limited login permissions.

These conditions are likely to arise only if the Automatically remove users option is selected at the time of synchronization. (If the Manually remove users option is selected, the administrator can preview any users who were manually deleted before any deletion takes place.)
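The failure mode described above, modeled as an added example (it is not Groove or EMS code): a synchronization that treats every imported member the bind account cannot read as deleted, followed by a pre-flight guard an administrator could apply before running a sync with automatic removal. The account names, member names, and the 10% removal threshold are assumptions made for illustration.

```python
"""Model of the account-loss scenario: directory sync with automatic removal.

Added illustration only. This is not Groove/EMS code; it models the behavior
the guide describes with plain Python sets.
"""
from dataclasses import dataclass


class SyncRefused(Exception):
    """Raised when a pre-flight check says the sync should not run."""


@dataclass(frozen=True)
class SyncPlan:
    keep: frozenset
    remove: frozenset
    add: frozenset


def visible_entries(directory, bind_account):
    """Members the bind account may read.

    `directory` maps member name -> set of accounts allowed to read the entry.
    An account with no read access simply sees an empty list, not an error.
    """
    return frozenset(name for name, readers in directory.items()
                     if bind_account in readers)


def plan_sync(imported, visible):
    """Sync plan when 'not visible' is treated the same as 'deleted'."""
    imported = frozenset(imported)
    return SyncPlan(keep=imported & visible,
                    remove=imported - visible,
                    add=visible - imported)


def guarded_sync(imported, directory, import_account, sync_account,
                 max_removal_ratio=0.10):
    """Build a sync plan only if two pre-flight checks pass.

    1. The sync binds with the same account that performed the import.
    2. The plan does not remove more than `max_removal_ratio` of the
       imported members (assumed threshold; tune per site).
    """
    if sync_account != import_account:
        raise SyncRefused(
            f"sync account {sync_account!r} differs from import account "
            f"{import_account!r}")
    plan = plan_sync(imported, visible_entries(directory, sync_account))
    if imported and len(plan.remove) / len(imported) > max_removal_ratio:
        raise SyncRefused(
            f"plan removes {len(plan.remove)} of {len(imported)} members; "
            "review with manual removal first")
    return plan


# Constructed sample data: ten members, readable only by the import account.
IMPORT_ACCOUNT = "svc-ems-import"   # hypothetical service account name
ANONYMOUS = "anonymous"             # anonymous bind: login works, reads nothing
DIRECTORY = {f"user{i:02d}": {IMPORT_ACCOUNT} for i in range(1, 11)}
IMPORTED = frozenset(DIRECTORY)


if __name__ == "__main__":
    # Unguarded: the anonymous bind sees no members, so all ten look deleted.
    bad = plan_sync(IMPORTED, visible_entries(DIRECTORY, ANONYMOUS))
    print("unguarded anonymous sync removes:", len(bad.remove))

    try:
        guarded_sync(IMPORTED, DIRECTORY, IMPORT_ACCOUNT, ANONYMOUS)
    except SyncRefused as exc:
        print("guarded sync refused:", exc)

    # A real deletion of one entry, synced with the import account, passes.
    after_delete = {k: v for k, v in DIRECTORY.items() if k != "user10"}
    ok = guarded_sync(IMPORTED, after_delete, IMPORT_ACCOUNT, IMPORT_ACCOUNT)
    print("legitimate sync removes:", sorted(ok.remove))
```

The second check also catches the case where the import account itself loses read permission on the member list, which produces the same all-members-removed plan as an anonymous bind.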

Problem

Clicking a button on a management server administrative interface page has no effect.

Solution

This may be the result of utility software settings that suppress the display of advertisement pop-up windows, thereby affecting EMS pop-up windows also. Disable software for suppressing the display of pop-up advertisements or, if the software allows, exempt the EMS server URL from pop-up prevention settings.

Problem

JavaScript errors or missing dialog boxes appear on the management server.

Solution

Advertisement-blocking software that interferes with the management server user interface may be present. To correct this issue, configure any advertisement-blocking software to exclude filtering on the management server Web site.

Problem

The management server is installed on a Windows 2003 machine and the EMS administrative active server pages do not appear when you log in.

Solution

Make sure that the following IIS Web service extension is set to Allow:

• ASP.NET v1.1.4322

On a Windows 2003 Server machine, EMS installation sets the status for this extension to Allow (if not already allowed). This setting must not be changed.


Problem

The management server Audit log reports that the SQL server has reached capacity so that no more space is available for the EMS database and transaction log. The management server may cease operation.

Solution

Back up the existing EMS database and transaction log to make more space on the SQL server, then restart the management server if necessary. To avoid this problem in the future, back up the EMS database and transaction log on the SQL server on a daily basis.

Problem

Sending email from the management server results in an error.

Solution

In order to successfully send email from the management server, be sure to grant permission to your local computer to relay email through your SMTP server (via the Relay restrictions setting on the SMTP Virtual Server Properties/Access tab).

Auto-Activation Problems

This section suggests ways to address auto-activation problems, most of which have associated error messages.

Problem

Groove could not find a user’s account information on the management server.

Solution

Try the following approaches to resolve the problem:

• The Windows Active Directory User that the user logged in as on the Windows client may not have been imported into the management server. Or, an old account with the same name may exist on the management server. Use the management server’s directory synchronization capability (as described in “Configuring Directory Synchronization” in the Defining a Directory Server section of this guide) to verify that the directory account is current.

• The Groove client may be a managed device for a different management domain than the user’s account was imported into. Check the client registry to verify the correct management server domain name.

• Authentication may be misconfigured for the AutoActivate directory in IIS on the management server. Configure the directory as described in “Appendix C. Setting up Groove Auto-Activation” of this guide.


Problem

A managed Groove account already exists for a user on another device.

Solution

The user has a valid directory login that has already been activated on another client (or previously activated from the same client). Check the user’s status (Active or Pending) on the management server administrative Web site. Verify that no one is using this Groove account on another device. Delete the existing account from the management server, then re-import it from a directory (or manually reinstate it) and re-activate it.

Problem

Groove cannot reach the Activation Server (management server).

Solution

Your management server is unable to connect to the directory server. Check the connection by using the management server’s directory synchronization capability (as described in “Configuring Directory Synchronization” in the Defining a Directory Server section of this guide) to verify that the directory account is current.

Problem

The user receives a Windows login prompt during an auto-activation attempt.

Solution

If the user is correctly logged into the Windows domain on their device, activation uses this information to continue activation. However, if either of the following conditions occurs, corrective action is necessary:

• If the user is logged into the Windows LOCAL machine instead of the Windows domain, the correct credentials for the Windows domain login should be entered.

• The user is logged into a non-trusted Windows domain client. If the Windows client is in a different domain than the management server, correct this condition and retry auto-activation.


Appendix A. Recommended Model for EMS Installation

This appendix supplements the “Installing and Configuring EMS” section of this guide. It presents a recommended approach to Groove Enterprise Management Server (EMS) installation. It also provides an example of post-installation measures that can help assure secure and reliable management server operation. Recommendations are based on network and system requirements commonly found in enterprises hosting more than 500 Groove users. Modify these generally recommended parameters as necessary to meet your IT conditions.

Hosting an Enterprise Management Server at your site involves two Windows Server machines:

• IIS machine where you enable IIS and SMTP virtual servers and install the EMS software.

• SQL database machine which supports EMS.

This chapter covers the following topics:

• SQL Server Preparation

• IIS Server Preparation

• Post SQL Installation

• Post EMS Installation

Note: Refer to the first two sections of this appendix to set up your server machines before installing and configuring the Enterprise Management Server as described in the Installing and Configuring a Management Server chapter. Refer to the last two sections after you have completed the server installation and configuration.

SQL Server Preparation

The following sections provide a procedure for configuring the Windows 2000 server and the Standard Query Language (SQL) machine to support the Groove Enterprise Management Server.

1. Checking the Optimal Processor and Network Interface Requirements

2. Installing the Windows Server Operating System

3. Partitioning the Disk

4. Installing Windows Server Components


5. Configuring Internal Network Interfaces

6. Setting Performance Options

7. Setting Startup and Recovery Options

8. Setting Event Viewer Options

9. Installing Windows Server Updates

10. Installing the SQL Server Software

11. Installing SQL Server Updates

12. Configuring the SQL Server Network Utility

Optimal Processor and Network Interface Requirements

• 2 Pentium III processors, of 1000 MHz each

• 512 MB RAM or higher (512 MB supports approximately 2,000 to 3,000 users)

• 2 Network Interface Cards (NICs) - 100 Mbps Ethernet or higher

For fault tolerance, 4 NICs grouped as two virtual cards is recommended.

Installing the Windows Server Operating System

Install the Windows 2000 or 2003 Server software on a stand-alone machine. This machine should not be a domain controller.

Partitioning the Disk

The following table provides an example of an optimal disk setup:

| Drive | Label | NTFS Partition Size | Disk Channel | Contents |
|---|---|---|---|---|
| C: | Boot | 9 GB NTFS | Ch1, Disk1, RAID 1 | OS, Memory Dump, MSSQL Program |
| D: | Compact Disk | | IDE-internal (typically) | CD-ROM |
| E: | Page | 9 GB NTFS | Ch1, Disk2, RAID 1 | OS Page File |
| F: | IIS Log | 9 GB NTFS | Ch2, Disk1, RAID 1 | EMS SQL Logs |
| G: | EMS | 18 GB NTFS (for 2,000 - 3,000 users) | Ch3, Disk1, RAID 5 | EMS SQL Data |

Installing Windows Server Components

The Windows server operating system provides dozens of components and services that you can install if you choose to. The following tables list the recommended components and services to install and to avoid when setting up an SQL server to support a management server installation.

Install ONLY the Windows server operating system components listed in the following table. Omit all other Windows components.

Install These Components:

Management and Monitoring Tools:

• Network Monitoring Tools

• Simple Network Management Protocol

Configuring Internal Network Interfaces

Configure each of the management server’s internal network connections (network interface cards) as described in the procedure below. The internal network settings listed here are general guidelines only. Customize these settings based on your local network configuration.

1. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit and select Properties.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.

6. Click Use the following IP address and fill in the following IP address information:

• IP address (internal IP address of the network interface)

• Subnet Mask (internal subnet mask for the network interface)

• Default Gateway (internal default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (internal DNS#1)

• Alternate DNS (internal DNS#2)

8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok until you return to the Network and Dial-Up Connections screen.

Setting Performance Options

Adjust system performance options as follows:

1. Open the System control panel applet and click the Advanced tab.


2. Click the Performance Options button to configure the system performance options.

3. In the Optimize performance for field, select Background services.

4. Click the Change button to display the Virtual Memory options and enter values as shown in the following table:

| Virtual Memory Options | Value |
|---|---|
| Paging volume | Select drive E. |
| Initial size | 3 x real RAM |
| Maximum size | 3 x real RAM |

5. Click OK to save your changes and again to exit the System control panel.

Setting Startup and Recovery Options

Configure system startup and recovery options as follows:

1. Click the Startup and Recovery button, and enter recommended values as shown in the following table.

| System Startup and Recovery Options | Value |
|---|---|
| Send an administrative alert | On |
| Automatically reboot | On |
| Write Debugging Information | None |
| Overwrite any existing files | On |

2. Click OK when you are finished.

Setting Event Viewer Options

Set the properties for each Windows Event Log (application, security, and system logs), by clicking Start --> Program Files --> Administrative Tools, and launching the Event Viewer applet, then selecting each log. To avoid loss of important event data, set properties for each log as shown:

| Windows Event Logs | Properties |
|---|---|
| Application log | Maximum log size: 32000 KB; Overwrite events as needed |
| Security log | Maximum log size: 32000 KB; Overwrite events as needed |
| System log | Maximum log size: 32000 KB; Overwrite events as needed |

Installing Windows Server Updates

Make sure to install the following Windows server updates:

• Windows 2000 Server Service Pack (SP) 2 if using Windows 2000

• Windows 2000 Server Security Rollup Service Pack 2SRP1 if using Windows 2000

• Critical Updates Package

Installing the SQL Server Software

Install the Microsoft Standard Query Language (SQL) Server 2000 (or higher) software on the Windows server machine. The following installation settings are suggested:

1. Install the SQL Database Server.

2. Install a new instance, named Default, on the Local Computer.

3. Create a new instance of SQL Server, or install Client Tools, named Install server.

4. For Setup type, specify Typical.

5. Install program files in the C:\Program Files\Microsoft SQL Server directory.

6. Install data files in F:\SQL Server Data directory.

7. Use a single system account for each SQL service, and Autostart the SQL Server Service using the local system account.

8. Set up the Authentication Mode as follows:

• Specify Mixed Mode (Windows Basic Authentication and SQL Server Authentication).

• For login Name, enter sa.

• For login password, enter <password>.

• For Licensing Mode, enter Processor License: 2.

Installing SQL Server Updates

Install the SQL Server 2000 Service Pack 2.

Configuring the SQL Server Network Utility

Enable only TCP/IP port 1433.

IIS Server Preparation

The following sections provide a procedure for setting up a Windows server, Internet Information System (IIS), and the Enterprise Management Server (EMS) software. The process involves the following basic steps, each of which is described below:

1. Checking the Processor and Network Interface Requirements

2. Installing the Windows Server Operating System


3. Installing .NET Framework

4. Partitioning the Disk

5. Installing Windows Server Components

6. Configuring the Internet Information Service (IIS) for EMS

7. Installing the Management Server Software

8. Configuring Internal Network Interfaces

9. Configuring External Network Interfaces

10. Setting Performance Options

11. Setting Startup and Recovery Options

12. Setting Event Viewer Options

13. Installing Windows Server Updates

14. Preparing the Virtual SMTP Server

Processor and Network Interface Requirements

The following hardware is necessary for optimal management server installation supporting up to approximately 3,000 users. Note that at least two network interface cards are recommended: one for public Groove client access to the management server, and a second for private administrative access to the management server.

• 2 Pentium III processors, of 1000 MHz each

• 512 MB RAM or higher (512 MB supports approximately 2,000 users) - 1024 MB is recommended

• 2 Network Interface Cards (NICs) - 100 Mbps Ethernet or higher

For fault tolerance, four network interface cards grouped as two virtual cards are recommended.

Installing the Windows Server Operating System

Install the Windows 2000 or 2003 Server software on a stand-alone machine. This machine should not be a domain controller.

Installing .NET Framework

Install Microsoft .NET Framework 1.1 on the IIS/EMS machine. Also install ASP.NET provided as part of the .NET package.

Partitioning the Disk

The following table provides an example of an optimal disk setup:

| Drive | Label | NTFS Partition Size | Disk Channel | Contents |
|---|---|---|---|---|
| C: | Boot | 9 GB NTFS | Ch1, Disk1, RAID 1 | OS, Memory Dump, EMS Program |
| D: | Compact Disk | | IDE-internal (typically) | CD-ROM |
| E: | Page | 9 GB NTFS | Ch1, Disk2, RAID 1 | OS Page File |
| F: | IIS Log | 9 GB NTFS | Ch2, Disk1, RAID 1 | IIS Log |
| G: | EMS | 9 GB NTFS | Ch2, Disk2, RAID 1 | EMS Web site |

Installing Windows Server Components

The Windows server operating system provides dozens of components and services that you can choose whether to install. The following tables list the recommended components and services to install and those you should avoid when setting up an IIS server for the management server.

Install the Windows operating system components listed in the following table.

Install These Components:

Internet Information Service (IIS):

• Common Files

• Internet Information Services Snap-In

• SMTP Service

• World Wide Web Server

Management and Monitoring Tools:

• Network Monitoring Tools

• Simple Network Management Protocol


Omit the Windows operating system components listed in this table:

Do NOT Install These Components:

Accessories & Utilities

Accessories:

• Calculator

• Character Map

• Clipboard Viewer

• Desktop Wallpaper

• Document Templates

• Mouse Pointers

• Object Packager

• Paint

• Wordpad

Communications

Games

Multimedia

Certificate Services:

• Certificate Services CA

• Certificate Service Web Enrollment Support

Indexing Services

Internet Information Service (IIS):

• Documentation

• File Transfer Protocol (FTP) Server

• Front Page 2000 Server Extensions

• Internet Services Manager (HTML)

• Network News Transfer Protocol (NNTP) Service

• Visual InterDev Rapid Application Development (RAD) Remote Deployment Support

Management and Monitoring Tools:

• Connection Manager

Messaging Queuing Services

Networking Services

• COM Internet Services Proxy

• Domain Name Server (DNS)

• Dynamic Host Configuration Protocol (DHCP)

• Internet Authentication Protocol

• QoS Admission Control Service

• Simple TCP/IP Services

• Site Server ILS Services

• Windows Internet Name Services (WINS)

Other Network File and Print Services:

• File Services for Macintosh

• Print Services for Macintosh

• Print Services for UNIX

Remote Installation Services

Remote Storage

Script Debugger

Terminal Services:

• Client Creator Files

• Enable Terminal Services

Terminal Service Licensing

Windows Media Services

• Windows Media Services

• Windows Media Services Admin

Configuring the Internet Information Service (IIS) for EMS

Setting up the Enterprise Management Server is easier if you prepare the Windows Internet Information Server properly beforehand as recommended below:

• Delete (or at least disable) the IIS Default Web Site.

• Create \Inetpub\gemsroot subdirectories in EMS drive (G:).

• Create the EMS Web site: Groove Management Server.

• Set the home directory path to: G:\Inetpub\gmsroot.

• For the Enable Logging option, select Web site logging and set the log path to: F:\Logfiles.

• Create the \Logfiles subdirectory in F:\IISLog.

• Create a new Server certificate and certify it by a Certificate Authority (CA). You will eventually add the CA-processed server certificate to the Groove Management Server Web site.

• Enable an administrator login authentication scheme to secure the EMS administrative Web interface (recommended).

• To further secure the EMS administrative Web interface, make sure you can support Secure Socket Layer (SSL) encryption (optional but strongly recommended). For more information about setting up SSL, see Microsoft Windows 2000 and IIS 5.0 Administrators Pocket Consultant.

Installing the Management Server Software

Install the Enterprise Management Server (EMS) software and create the required EMS Web site(s) on the IIS machine, as described in “Installing the EMS Software” in the Installing and Configuring EMS section of this guide. The EMS installation process lets you install the complete EMS application (including both Groove client and administrative interfaces) or install the Groove client interface without the administrative interface. If your site plan includes multiple management servers, you can locate one server hosting the administrative portion of EMS securely behind a firewall on your network and locate a client-only version of EMS in a DMZ for controlled public access.

Configuring Internal Network Interfaces

Configure each of the management server’s internal network connections as described in the procedure below. The internal network settings cited here are general guidance. Customize these settings based on your local network configuration.

Microsoft leaves all ports open and unprotected (no lock-downs are in place), so consider your connection settings carefully. On an internal network, the suggested settings are typically satisfactory, though you may need to provision and apply filters to them in order to further protect certain ports. However, blocking all ports on internal connections is not recommended as doing so can disrupt communications between the relay and management servers.

To configure internal network interface cards on the management server, use the following procedure as a guide:

1. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit, and select Properties.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.


6. Click Use the following IP address and fill in the following IP address information:

• IP address (internal IP address of the network interface).

• Subnet Mask (internal subnet mask for the network interface)

• Default Gateway (internal default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (internal DNS#1)

• Alternate DNS (internal DNS#2)

8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok until you return to the Network and Dial-Up Connections screen.

Configuring External Network Interfaces

Configure each external network connection on the management server as described in the procedure below.

Customize these settings based on your local network configuration. Microsoft leaves all ports open and unprotected (no lock-downs are in place), so consider your connection settings carefully. The settings cited below are general guidelines.

1. Right-click on My Network Places, select Properties to open the Network and Dial-Up Connections window, and right-click on the external connection that you want to edit.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.

6. Click Use the following IP address and fill in the following IP address information:

• IP address (external IP address of the network interface)

• Subnet Mask (external subnet mask for the network interface)

• Default Gateway (external default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (external DNS#1)

• Alternate DNS (external DNS#2)


8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok to exit.

Setting Performance Options

Adjust system performance options as follows:

1. Open the System control panel applet and click the Advanced tab.

2. Click the Performance Options button to configure the system performance options.

3. In the Optimize performance for field, select Background services.

4. Click the Change button to display the Virtual Memory options and enter values as shown in the following table:

| Virtual Memory Options | Value |
|---|---|
| Paging volume | Select drive E. |
| Initial size | 3 x real RAM |
| Maximum size | 3 x real RAM |

5. Click OK to save your changes and again to exit the System control panel.

Setting Startup and Recovery Options

Configure system startup and recovery options as follows:

1. Click the Startup and Recovery button, and enter recommended values as shown in the following table.

| System Startup and Recovery Options | Value |
|---|---|
| Send an administrative alert | On |
| Automatically reboot | On |
| Write Debugging Information | None |
| Overwrite any existing files | On |

2. Click OK when you are finished.


Setting Event Viewer Options

Set the properties for each Windows Event Log (application, security, and system logs), by clicking Start --> Program Files --> Administrative Tools, and launching the Event Viewer applet, then selecting each log. To avoid loss of important event data, set properties for each log as shown:

| Windows Event Logs | Properties |
|---|---|
| Application log | Maximum log size: 32000 KB; Overwrite events as needed |
| Security log | Maximum log size: 32000 KB; Overwrite events as needed |
| System log | Maximum log size: 32000 KB; Overwrite events as needed |

Installing Windows Server Updates

Make sure to install the following Windows Server updates:

• Windows 2000 Server Service Pack (SP) 3 if using Windows 2000 Server

• Windows 2000 Server Security Rollup Service Pack 2SRP1

• Critical Updates Package

Preparing the Virtual SMTP Server

The management server email functionality relies on the virtual Simple Message Transfer Protocol (SMTP) server enabled on the IIS machine. The following list shows sample settings for configuring the SMTP server:

• Customized server name: Groove SMTP Virtual Server

• Enable Logging: enabled

• Log path: F:\Logfiles

• Access\Connection Control, Set to only the list below: enter <null list>

• Access\Relay Restrictions: Set to only the list below: enter <null list>

• Disallow: all computers

• Delivery option: Advanced Delivery

• Fully qualified domain name: <EMShostname>.domain.com

• Smarthost: <SmartHostname>.domain.com

Post SQL Installation

Once you have installed the SQL server and configured it as described above, additional system configurations can help assure secure and reliable EMS-SQL interaction.

Configuring the SQL server after installation involves the following recommended steps, each of which is described in the sections that follow:

• Configuring Internal Network Interfaces on SQL Server

• Setting Windows Services to Manual Start on SQL Server

Configuring Internal Network Interfaces on SQL Server

The following are suggested settings for your SQL server internal (private) network interface cards (those that support communication with the Enterprise Management Server):

1. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit and select Properties.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.

6. Click Use the following IP address and fill in the following IP address information:

• IP address (internal IP address of the network interface).

• Subnet Mask (internal subnet mask for the network interface)

• Default Gateway (internal default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (internal DNS#1)

• Alternate DNS (internal DNS#2)

8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok until you return to the Network and Dial-Up Connections screen.

i. Configure TCP/IP security controls by clicking the Options tab, selecting TCP/IP Security, pressing the Properties button, and entering the following settings:

Security Properties and Values:

• Enable TCP/IP Filtering (All adapters): Click-check this box to configure all network interface cards on your network.

• TCP Ports: Click Permit All.

• UDP Ports: Click Permit All.

• IP Protocols: Click Permit All.

j. Click OK to exit.

Setting Windows Services to Manual Start on SQL Server

Stop the following Windows services (if they are running) and set them to manual start:

• Alerter

• Clipbook

• Computer Browser

• DHCP Client

• DHCP Server

• Distributed Link Tracking Server

• Fax Service

• File Replication

• Indexing Service

• Infrared Monitor

• Internet Connection Sharing

• Intersite Messaging

• IPSEC Policy Agent

• Kerberos Key Distribution Center

• Messenger

• NetMeeting Remote Desktop Sharing

• Network DDE

• Network DDE DSDM

• NWLink NetBIOS

• NWLink IPX/SPX

• Print Spooler

• Remote Access Auto Connection Manager

• Remote Access Connection Manager

• Remote Registry Service

• Routing and Remote Access

• RunAs Service

• Simple TCP/IP Services

• TCP/IP NetBIOS Helper Service

• Telnet

• Telephony

• Uninterruptible Power Supply

• Utility Services

• Windows Installer

Post EMS Installation

Once you have installed and configured the management server, as described above, these additional system configurations can help assure the security and smooth operation of your server:

• Restricting Access to EMS Administrative Directory

• Supporting EMS Administrative Login Authentication

• Setting Up SSL for the EMS Administrative Web Pages

• Configuring EMS Internal Network Interfaces

• Configuring EMS External Network Interfaces

• Setting Windows Services to Manual Start on Management Server

Restricting Access to EMS Administrative Directory

To further secure management server access, use the Windows Server administrative tools to set the following:

• Disable Anonymous access.

• Set Directory Security for the management server Admin subdirectory.

Supporting EMS Administrative Login Authentication

Create local Windows accounts for each EMS administrator to support Basic Authentication (or other authentication) login to EMS. These accounts should include the following:

• Enterprise Management Server manager (for example, emsadmin)

• Other administrators assigned to the EMS roles of manager or reader

Setting Up SSL for the EMS Administrative Web Pages

Securing the administrative portion of the Enterprise Management Server Web site with the Secure Socket Layer (SSL) encryption protocol is strongly recommended. To enable SSL for the Administrative Web pages, configure the following Windows system communications settings:

• Require SSL; 128-bit.

• Bind SSL port 443 to the internal (private) administrative network interface card (NIC) as follows:

Using the IIS user interface, go to the Properties for the Enterprise Management Server Web site, then go to the Advanced configuration settings to assign SSL port 443 to the private administrative NIC.

Configuring EMS Internal Network Interfaces

The following are suggested settings for your management server internal (private) network interface cards (those that support your private management server administrative interface):

1. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit and select Properties.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.

6. Click Use the following IP address and fill in the following IP address information:

• IP address (internal IP address of the network interface).

• Subnet Mask (internal subnet mask for the network interface)

• Default Gateway (internal default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (internal DNS#1)

• Alternate DNS (internal DNS#2)

8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok until you return to the Network and Dial-Up Connections screen.

k. Configure TCP/IP security controls by clicking the Options tab, selecting TCP/IP Security, pressing the Properties button, and entering the following settings:

Security Properties and Values:

• Enable TCP/IP Filtering (All adapters): Click-check this box to configure all network interface cards on your network.

• TCP Ports: Click Permit All.

• UDP Ports: Click Permit All.

• IP Protocols: Click Permit All.

l. Click OK to exit.

Configuring EMS External Network Interfaces

The following are suggested settings for your management server external network interface cards (those that support client-management server communication):

1. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit and select Properties.

2. Disable the Client for Microsoft Networks component.

3. Disable the File and Printer Sharing for Microsoft Networks component.

4. Enable the Internet Protocol (TCP/IP) component.

5. Select the IP connection and click the Properties button.

6. Click Use the following IP address and fill in the following IP address information:

• IP address (internal IP address of the network interface).

• Subnet Mask (internal subnet mask for the network interface)

• Default Gateway (internal default gateway)

7. Click Use the following DNS address and enter the following DNS address information:

• Preferred DNS (internal DNS#1)

• Alternate DNS (internal DNS#2)

8. Click the Advanced button to display the Advanced TCP/IP Settings page.

9. Click the DNS tab and do the following:

• Enable Append Primary and Connection-specific DNS Suffixes.

• Uncheck Append parent suffixes of the Primary DNS suffixes.

• Uncheck Register this connection’s addresses in DNS.

10. Click the WINS tab and do the following:

• Uncheck Enable LMHOSTS lookup to disable it.

• Check Enable Netbios over TCP/IP to enable it.

11. Press Ok until you return to the Network and Dial-Up Connections screen.

m. Configure TCP/IP security controls by clicking the Options tab, selecting TCP/IP Security, pressing the Properties button, and entering the following settings:

Security Properties and Values:

• Enable TCP/IP Filtering (All adapters): Click-check this box to configure all network interface cards on your network.

• TCP Ports: Click Permit Only and specify port 80

• UDP Ports: Click Permit All.

• IP Protocols: Click Permit Only and specify the following protocols, both required for functioning of the Customer Support Notification (CSN) feature:

6 - Supports User Datagram Protocol (UDP), allowing name-service access.

17 - Supports Transmission Control Protocol (TCP).

Note: If you need to block Internet Core Messaging Protocol (ICMP) traffic (to prevent external users from pinging your servers) along with TCP/IP filtering, you must configure IP packet filters through Routing and Remote Access. For more information, see “Unicast IP Routing” in the MS Windows 2000 Server Internetworking Guide at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/intnetwk/wsrvingd.asp.

n. Click OK to exit.

Setting Windows Services to Manual Start on Management Server

Stop the following Windows services (if they are running) and set them to manual start:

• Alerter

• Clipbook

• Computer Browser

• DHCP Client

• DHCP Server

• Distributed Link Tracking Server

• Fax Service

• File Replication

• Indexing Service

• Infrared Monitor

• Internet Connection Sharing

• Intersite Messaging

• IPSEC Policy Agent

• Kerberos Key Distribution Center

• Messenger

• NetMeeting Remote Desktop Sharing

• Network DDE

• Network DDE DSDM

• NWLink NetBIOS

• NWLink IPX/SPX

• Print Spooler

• Remote Access Auto Connection Manager

• Remote Access Connection Manager

• Remote Registry Service

• Routing and Remote Access

• RunAs Service

• Simple TCP/IP Services

• TCP/IP NetBIOS Helper Service

• Telnet

• Telephony

• Uninterruptible Power Supply

• Utility Services

• Windows Installer

Appendix B. EMS SQL Views

All management server data is stored in an SQL database installed in conjunction with the Enterprise Management Server. The management server queries this SQL database to produce Groove usage reports, accessible from the management server administrative Web pages. This appendix provides information about the SQL views which underlie Groove usage reports. You can use this information to create customized Groove usage reports using Crystal or other SQL-compatible reporting tools.

Note: Do not add to or alter the database schema as this can cause the management server to malfunction.

The EMS SQL database contains three main Groove usage data views: workspace, tool, and user views, as shown in Figure 7 below. These views, each containing the ‘Public_’ prefix in their names, are fixed (and unlikely to change with Groove versions).

Figure 7. EMS SQL Views

Appendix C. Setting up Groove Auto-Activation

The Enterprise Management Server (EMS) Groove Identity Auto-Activation feature automatically activates managed user accounts without requiring users to enter an activation key. Instead, the management server relies on managed users’ Microsoft Windows domain logins to authenticate users defined in its database.

The Auto-Activation feature relies on a correctly configured Windows intranet environment using IIS Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication). Note that Auto-Activation operates only in a Windows intranet environment. For information about extending this capability beyond your intranet environment, consult Groove Networks Support.

Before you begin, make sure you meet the following requirements:

• Groove Workspace 3.0 or later must be installed on user devices

• Groove Enterprise Management Server 3.0 or later should be installed and configured on your network, as described in the “Installing and Configuring EMS” section of this guide.

• A management server domain must be populated with Groove user contact information. See the Groove Management Server Domain Administrator’s Guide for information about adding users to a domain.

• Windows authentication (NTLM) must be configured on the IIS machine that supports your management server. Refer to Microsoft documentation for information on configuring IIS Integrated Windows authentication environments.

To enable Groove Auto-Activation, follow these steps:

1. If you are integrating your management server with a directory server installed at your site, import (or integrate) the user information onto the management server, as described in “Defining a Directory Server” in this guide. When setting up directory integration, note the following guidelines:

• Define a fully qualified Windows domain login name with read access to the import directory (such as cn=Administrator,cn=users,dc=company,dc=com for Active Directory). Note that this login name does not appear in Groove contact properties (vCards); it resides only in the management server’s user database.

• Verify that each user entry includes a valid email address.

2. On the IIS machine that hosts both the EMS client and administrative Web sites, secure the AutoActivate/gms.dll file by enabling Integrated Windows Authentication as the only authenticated access. The AutoActivate directory is provided by the Enterprise Management Server during full EMS installation (including the client and administrative interfaces). Anonymous access to the AutoActivate directory is not permissible.

3. Configure Groove client devices, as follows:

• Install Groove 3.0 or higher.

• Register client devices with a management server domain that contains the EMS accounts that were imported from the Windows Active Directory server. See the Groove Management Server Domain Administrator’s Guide for information about registering devices in a domain.

• Update the Windows registry by setting the AutoActivate registry setting:

HKLM\Software\Groove Networks, Inc.\Groove\ManagementDomain\"AutoActivate"=dword:00000001

• Make sure that clients are logged into a Windows domain (not the LOCAL machine).

4. Start the Groove clients. This sends an activation request from the client to the AutoActivate/gms.dll URL on the management server. If the Windows authentication check passes, the management server checks the EMS account name, comparing the Windows client logon name with the imported Active Directory Server account name in EMS. If both of these authentication checks succeed, the Groove Workspace will be auto-activated.

For information about troubleshooting any problems that may arise, see “Auto-Activation Problems” in the Troubleshooting section of this guide.

Appendix D. Management Server Keys and Certificates

The management server stores encryption and authentication key information in its associated SQL database. The management server accesses this information to generate key and certificate files whenever an administrator requests one - for example, to register a relay server with a management server or to establish cross-domain certification - during the administration of a management server or domain.

The following table lists and describes the key and certificate files used at various points as part of administering Groove from a management server.

Key File: ManagementServer.reg
Description and Contents: Management server public key file that includes the management server’s certificate (containing its public key and identifying information). This file is generated on demand by the server administrator. This file is used to register relay servers with the management server.
Location: Directory defined by server administrator

Key File: domainname.cer
Description and Contents: Domain certificate file, generated upon domain creation by a server administrator. Domain administrators exchange these files in order to set up cross-domain certification in Groove PKI domains.
Location: Directory on administrative machine

Key File: RelayID.xml
Description and Contents: Relay server ID file that contains two certificates: a SOAP certificate which is used by the management server to authenticate the relay server, and an SSTP certificate which is used by Groove clients provisioned to this relay server. This file is generated during relay server installation.
Location: SQL management server database

Key File: Device registry key file (.reg)
Description and Contents: Device registry file that contains management server registry settings that are added to the Windows registry of each client device in a domain or group. This file is generated upon demand by a domain administrator via a button accessible from any device policy page.
Location: Windows registry of each managed device

Key File: DataRecoveryPublicKey.cer
Description and Contents: The data recovery public key file (certificate) that contains the generated public key that Groove uses to encrypt a Groove user’s data. This file is generated during domain creation, using the Change Key in the Domain Properties window, or via the Data Recovery Tool. Data that is encrypted by a public key can be unlocked only by the corresponding private key.
Location: Directory location on management server. Sent down to managed devices in device policy.

Key File: DataRecoveryPrivateKey.xml
Description and Contents: The data recovery private key file that contains the generated private key. A domain administrator uses this key to decrypt a Groove user’s data that is protected by a corresponding data recovery public key. This file is generated during domain creation, using the Change Key in the Domain Properties window, or via the Data Recovery Tool.
Location: Directory location on management server or defined by domain administrator

Appendix E. Interpreting Client Audit Data

Groove Auditing data, generated via the optional Groove Client Auditing feature, is encrypted and stored on the client so that only the Groove Audit Server can decrypt and read the data. Once the client sends the data, the Audit Server decrypts and parses the data into relational database tables in a SQL directory. The following information provides background for understanding the data and the relationships among data tables. You can use this information to create customized Groove audit reports using Crystal or other SQL-compatible reporting tools. In addition, the Groove Audit Server provides two Views that you may want to use as a starting-point for generating your own SQL Views from the audit server tables:

• Auditv_EventAttributes

• Auditv_EventProperties

A typical Groove client audit log entry looks as follows, once decrypted:

<E _ag="s3shybqzefebxvp9h8zgg68hs3un89ggr6qqr4i" _c="7" _dt="06/30/2004 13:03:39:28" _in="2137 Bill 3" _iu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" _q="886" _t="903">
<INV _bd="" _rc="0" _rn="2139 Bill 2" _ro="Manager" _ru="grooveIdentity://wcdfuqfaf8h5jet43cx9s9pxm4zxqqws@" _sip="" _sn="http://wss1/sites/Site1/WeB%203/default.aspx" _su="grooveTelespace://pk4vegikcyf7sqaeg3t4habyq9fasgnpmr582hs" _vm="0" _zn="2137 Bill 3" _zu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" />
</E>

The table below lists and summarizes the SQL tables associated with this client information.

Client Auditing SQL Tables, with Description and Contents

Main Event-specific Data

audit_LogEntryProperties: Seven attributes, common to all audit log entries:

• Account GUID (_ag)

• Event Category (_c)

• Event Time (_dt)

• Identity Name (_in)

• Identity URL (_iu)

• Sequence Number (_q)

• Event Type (_t)

One table entry is associated with each device GUID/Sequence Number pair (sequence numbers are unique to each Groove device).

audit_EventCatagoryReadableNames: Mapping of Event Categories to their readable names.

audit_EventTypeReadableNames: Mapping of Event Types to their readable names.

Other Event-specific Data

audit_LogEntryAttributes: This data (which only exists in an enclosed XML element) is stored in a series of name/value pairs that correspond to the XML attribute name/value pairs found in the enclosed XML element. One table entry is associated with a DeviceGUID/Sequence Number/Attribute name tuple (triplet). Typically, this table holds many entries - one for each Groove client event. Each ‘known’ attribute name is preceded with an underscore and is usually relatively short to minimize network traffic.

audit_AttributeReadableNames: Maps the attribute names to their readable names.

Session Data

audit_LogSessionProperties: Logs four pieces of data that are unique to a device:

• Device GUID

• Time that the session started

• Hostname of the devices

• Logged in (OS) user

Current Device-specific Data

audit_Devices: Current device-specific data, including the last time log data was received and the last sequence number received for a device.

Files

audit_FileStorage: Files, indexed by their digests, so that no file names appear in the table. The Groove Audit log file-specific entries reference files by these digest values.
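How one decrypted entry maps onto the tables listed above, as an added example that is not part of the guide or of Groove's software: a Python parser that splits each entry into an audit_LogEntryProperties-style row and audit_LogEntryAttributes-style name/value rows, and rejects malformed or duplicate entries. The column names, the device_guid parameter (the entry itself carries no device GUID), the reading of the last _dt field as a sub-second value, and the sample entries are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Short names of the seven attributes carried on every <E> element, as listed
# for audit_LogEntryProperties. The column names on the right are hypothetical.
COMMON_ATTRS = {
    "_ag": "account_guid",
    "_c": "event_category",
    "_dt": "event_time",
    "_in": "identity_name",
    "_iu": "identity_url",
    "_q": "sequence_number",
    "_t": "event_type",
}

# Constructed sample entries (made-up values, shaped like the guide's entry).
SAMPLE_ENTRIES = [
    # 0: well-formed entry with one enclosed element
    '<E _ag="acct-guid-0001" _c="7" _dt="06/30/2004 13:03:39:28" '
    '_in="Example User" _iu="grooveIdentity://exampleidentity0001@" '
    '_q="886" _t="903">'
    '<INV _bd="" _rc="0" _rn="Example Invitee" _ro="Manager" '
    '_ru="grooveIdentity://exampleidentity0002@" _vm="0" /></E>',
    # 1: the same sequence number again for the same device
    '<E _ag="acct-guid-0001" _c="7" _dt="06/30/2004 13:05:00:00" '
    '_in="Example User" _iu="grooveIdentity://exampleidentity0001@" '
    '_q="886" _t="903"></E>',
    # 2: unquoted _iu value, so the entry is not well-formed XML
    '<E _ag="acct-guid-0001" _c="7" _dt="06/30/2004 13:06:00:00" '
    '_in="Example User" _iu=grooveIdentity://exampleidentity0001@" '
    '_q="887" _t="903"></E>',
]


def parse_event_time(raw):
    """Split _dt into a datetime and its trailing field.

    Assumption: the value is MM/DD/YYYY HH:MM:SS followed by ':' and a
    sub-second field whose unit the guide does not state, so it stays raw.
    """
    stamp, _, fraction = raw.rpartition(":")
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"), fraction


def parse_entry(xml_text, device_guid):
    """Return (properties_row, attribute_rows) for one decrypted entry."""
    # Audit entries come from client devices; refuse any document type
    # declaration so entity definitions never reach the XML parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not accepted in audit entries")
    root = ET.fromstring(xml_text)
    if root.tag != "E":
        raise ValueError("unexpected root element %r" % root.tag)
    missing = [name for name in COMMON_ATTRS if name not in root.attrib]
    if missing:
        raise ValueError("missing common attributes: %s" % ", ".join(missing))

    props = {col: root.attrib[short] for short, col in COMMON_ATTRS.items()}
    props["device_guid"] = device_guid
    props["sequence_number"] = int(props["sequence_number"])
    props["event_time"], props["event_time_fraction"] = parse_event_time(
        props["event_time"]
    )

    # One row per attribute of each enclosed element, keyed the way the
    # guide describes: device GUID / sequence number / attribute name.
    attrs = [
        (device_guid, props["sequence_number"], child.tag, name, value)
        for child in root
        for name, value in child.attrib.items()
    ]
    return props, attrs


def load_entries(entries, device_guid):
    """Parse a batch; return (properties by key, attribute rows, rejected)."""
    properties, attributes, rejected = {}, [], []
    for index, text in enumerate(entries):
        try:
            props, attrs = parse_entry(text, device_guid)
        except (ET.ParseError, ValueError) as exc:
            rejected.append((index, str(exc)))
            continue
        key = (device_guid, props["sequence_number"])
        if key in properties:
            rejected.append((index, "duplicate device GUID/sequence number"))
            continue
        properties[key] = props
        attributes.extend(attrs)
    return properties, attributes, rejected


if __name__ == "__main__":
    rows, attr_rows, bad = load_entries(SAMPLE_ENTRIES, "device-guid-0001")
    print(len(rows), "entries,", len(attr_rows), "attributes,", len(bad), "rejected")
```

Rejected entries are returned with their position in the batch so that a report built on these tables can account for every entry received, not only those that parsed.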

Glossary

This document defines the main administrative terms used in describing Groove Management Services.

Account: See User Account.

Activation key: A key that allows users to activate Groove with a managed identity.

Authentication: Term used in security contexts, such as PKI, to mean proof of a person’s (or data’s) identity. Authentication usually involves an objective party, such as an administrator, confirming the identity of a computer user (or data), by comparing user-submitted information with filed information, for example. Authentication generally takes place between people. Groove supports the following types of identity authentication: digital fingerprint for unmanaged users, and Groove PKI or Enterprise PKI for managed users.

Certificate: Term used in security contexts, such as PKI, to mean a data structure that contains a public key and identifying information for a domain, device or identity. The public key is digitally signed with the private key of the CA which issued it.

Certification Authority (CA): Term used in security contexts, such as PKI, to mean an entity which creates and assigns certificates. In a managed Groove environment, the management server can be the certification authority.

Certification: Term used in security contexts, such as PKI, to mean the deployment and assignment of public keys by a certification authority (CA) to a domain, device, or identity. In a managed Groove environment, the management server can be the certification authority.

Component: A feature or tool created by Groove Networks or a third party for use in the Groove virtual office software.

Default identity: The user identity assumed for all subsequent Groove spaces (those created after the default is set). When a user installs the product activation key (sent to them by their domain administrator) into Groove, that identity becomes the default identity for workspaces that the user creates from then on. Users can change their default identity at any time by setting another identity as the default.

Device: A device is a client (user) computer that is running Groove. Devices are automatically associated with users during the initial Groove installation. Administrators can manage these devices by applying a registry setting (a pointer to a management domain) to the devices. This makes the devices part of a management domain. Once devices are registered with a management domain, administrators can apply device policies, for example, to control password creation or regulate Groove component downloads on these devices.

Digital fingerprint: Also called digital thumbprint. An identifier (usually a certificate’s hash) associated with a certificate. Typically, fingerprints are used for out-of-band authentication. In Groove, fingerprints are used to authenticate Groove users, Groove relay servers, and Groove component publishers.

Digital Thumbprint: Another term (used in the Windows Certificate Viewer) for Digital fingerprint.

DMZ: In the context of computer networks, a DMZ (demilitarized zone) is an area on a corporate network that houses corporate servers that require limited access to external communications. A combination of firewalls, proxy devices, and other related equipment determine the extent of external network access.

Domain: See Management Domain.

Domain member: A managed Groove user - one who has installed the identity activation key sent by the Groove administrator. Domain members are subject to the domain administrator’s management, gaining access to Groove licenses, usage and security policies, and specified relay servers.

Enterprise Management Server (EMS): A Groove Networks Web application that provides comprehensive services for deploying and managing Groove use in an enterprise. The application resides on an IIS server installed on a corporate network and is supported by a SQL server. With an onsite management server, server administrators can install, configure, and monitor the server, as well as manage Groove users and devices, distribute product licenses, set device and user policies, deploy managed relay servers, and monitor Groove usage.

Enterprise PKI: An organization’s enterprise-wide implementation of the Public Key Infrastructure (PKI) that typically allows users to employ their enterprise-issued certificates in multiple PKI-enabled applications. Groove users can employ these enterprise-issued certificates for smart card login or, in a managed environment, with Enterprise PKI identity authentication. Groove management servers support Enterprise PKI as an alternative to Groove PKI identity authentication.

Enterprise Relay Server (ERS): A Groove Networks server-based application that facilitates data transmission among Groove users. This server, installed at a company site, provides various services that support Groove software, including message handling for offline devices, device presence detection, firewall transparency, and bandwidth optimization.

Fingerprint: See Digital fingerprint.

Groove Hosted Management Services: Groove management services hosted by servers at Groove Networks. These services allow administrators to manage Groove users and devices, distribute Groove product licenses, set policies to ensure the security of its resources, deploy any onsite relay servers, and monitor Groove usage.

Groove Hosted Relay Services: Groove relay services hosted by servers at Groove Networks. These services allow administrators to manage the distribution of relay services to Groove users.

Groove PKI Groove’s implementation of the Public Key Infrastructure (PKI) used solely for authenticating Groove identities. With this implementation, an EMS domain functions as a Certificate Authority (CA) to all its users.

Groove space See Workspace below.

Group In a management server context, a sub-category of a domain.

GUID A Globally Unique Identifier that identifies an object.

Identity See User Identity.

IIS - Microsoft Internet Information Services, installed on a Windows Server machine.

Identity authentication See Authentication.

Integration point The location in a directory server hierarchy from which user data will be integrated on the management server. Integration points support automated directory integration, eliminating the need for domain administrators to import users from a desig-nated directory.

Key (security) A cryptographic sequence of symbols that control the operations of encrypting and decrypting.

License In the context of this guide, the formal permission to access a specific Groove tool set, tool, or tool component. Licenses are purchased by a company for a management domain as part of Groove product packages.

Managed device An end-user PC, registered with a Groove management server domain and subject to device policies (governing password creation and Groove component downloads, for example) defined for that domain. A device becomes managed when its Windows registry has been updated with a management server key and Groove starts up on that device.

Managed identity A Groove user identity defined for a Groove management server domain and distributed to end-users in an activation key.

Management domain A management domain (in the context of this guide) is a management unit defined on a Groove management server. Each management domain contains a collection of domain member groups, identity policy templates, device policy templates, license sets and relay server sets.

Management server A Groove Enterprise Management Server or Groove Hosted Management Services.

Member See Domain Member.

Policy A rule applied to all managed identities in a domain or group, or to all managed devices associated with a managed user. Preventing publication of managed identity contact information is an example of an identity policy. Restricting downloads of Groove components on managed devices is an example of a device policy.

Private key One half of a key pair, kept private by the owner and used in conjunction with a matched public key. This strictly private key is used to decrypt messages that have been encrypted by a public key. A private key may be stored in an .xml file.

Public key One half of a key pair, used to verify signatures created with a matched private key and to encrypt messages which can only be decrypted using the matched private key. This publicly-listed key is associated with a user, device, or server and is available to other users, devices, or servers for sending encrypted messages to the public key owner. The public key owner then uses a private key to decrypt the message. A public key is usually stored in a certificate (.cer) file along with other identifying information.

Public Key Infrastructure (PKI) The set of hardware, software, people, policies and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography.

Public relay server Groove Networks-hosted relay server employed when managed onsite Enterprise Relay Servers or Groove Hosted Relay Services are not in use.

Role Based Access Control (RBAC) - A method of controlling access to the administrative Web site through the assigning of administrator roles.

Relay server See Enterprise Relay Server, Groove Hosted Relay Services, or Public relay server.

Registry file A .reg file that contains information to be applied to the Windows Registry. In the context of Groove Enterprise Management Services, the registry file contains settings to allow devices to join a domain, placing them under domain management. Once an administrator applies the registry settings in this file to a device, that device becomes subject to the component installation and other policies that the domain administrator sets for devices in the domain.

Seat A purchased place-holder for a user of a specific product license. Each product license package in a domain has a maximum number of seats associated with it. The seats are purchased by an enterprise and specified in the purchase agreement. Domain administrators populate these seats by adding users to their domain and by sending individual products to specific Groove users.

Smart card Hardware token containing user credentials. Groove and Groove management servers accept smart cards in lieu of Groove passwords for login to user accounts. Smart cards can also be used with the management server’s Enterprise PKI identity authentication option, which allows users to authenticate one another using smart card credentials added to their Groove contact properties.

SQL server The Microsoft Standard Query Language (SQL) database application, installed on a Windows Server machine.

Tool A Groove program or application that workspace members use to interact. Each member of a workspace has access to the same tools (such as chat, calendar, and sketchpad tools) and can use them to affect workspace data.

Trust A term used in Public Key Infrastructure (PKI) contexts to mean an understanding between two entities that allows them to perform certain predetermined tasks. For example, a Groove user in one domain may trust another user in the same domain to access and review reports in a Groove space. This differs from authentication which specifically involves identifying who someone is, not what they are allowed to do. Trust, therefore, may depend on (but is not equivalent to) authentication. Trust also differs from certification which is official and objective, involving a third-party (the CA, and usually an administrator), while trust is personal and subjective, normally involving two people and not requiring a third-party.

User A Groove user. From the perspective of a Groove administrator, a user is a domain member - one who has installed the product activation key and associated identity information sent by the Groove administrator, giving them membership in their company’s domain and access to associated licenses, or a non-member - one who has installed a product package (with licenses) directly via the product’s activation key.

User account A file, stored on a user’s computer, that maintains usage data, including information about the user’s identities, secret encryption keys, devices (computers) on which the user runs Groove, workspaces, and contacts.

User identity A persona in Groove. Groove users create an initial default identity when they install Groove. A user can have one or more identities in a single account and selects one to be the default.

Contact properties Contact (vCard) information for each domain member identity. Contact properties are created from the information assembled to define the identity.

Workspace A user-created space, accessible via the Groove transceiver, that enables collaboration among small groups of users.


End User License Agreement

END USER LICENSE AGREEMENT (for Groove Server Software)

Thank you for licensing Groove software. Please read this End User License Agreement ("EULA") carefully and be sure you understand it. This EULA is a legal agreement between you (either an individual or a single entity) and Groove Networks, Inc., a Delaware corporation ("Groove Networks"). You must review and either accept or reject the terms of this EULA before installing or using the Software. Clicking the "I ACCEPT" button below is just like signing a contract written on paper. By clicking the "I ACCEPT" button or installing or using the software, you acknowledge that you have read all of the terms and conditions of this EULA, understand them, and agree to be legally bound by them.

If you or your employer has entered into a separate agreement with Groove Networks permitting you to use the Software, that agreement, rather than this EULA, will govern your use of the Software. If the Software you are installing is beta or other pre-release Software, however, the terms of this EULA will apply. Third party software of which Groove Networks is an authorized reseller may be accompanied by a separate license agreement, in which case that agreement, rather than this EULA, governs your use of the third party software.

If you are installing evaluation use or beta Software, please note that special terms and conditions apply, as described below in Sections 4 and 5.

1. DEFINITIONS. The following capitalized terms used in this EULA have the meanings indicated:

(a) "Client Access License" or "CAL" means the licensed right to permit one End User to use third party software or services to access or use the Software's functionality on the terms and conditions specified in this EULA.

(b) "Delivery Date" means (i) in the case of Software that utilizes an activation key, the date on which Groove Networks sends or otherwise makes available to you the activation key(s) for the Software or a method for creating them; and (ii) in the case of Software that does not utilize an activation key, the date on which Groove Networks sends you a CD, diskette, or a digital file containing the Software.

(c) "Documentation" means any online help text and/or manuals provided with the Software.

(d) "End User" means a human being using a computer or other digital device.

(e) "Server" means a computer server owned, leased or otherwise controlled by you, or operated on your behalf, on which a licensed copy of the Software is installed. If you utilize virtual server technology or any similar technology that enables a single hardware unit to function as multiple computer servers, each virtual server operating on a single hardware unit will be deemed a single "computer server" for purposes of this definition.

(f) "Service Access License" or "SAL" means the licensed right to permit one Account to access the services or functionality of one or more specified Server(s) on the terms and conditions specified in this Agreement.

(g) "Services" means software maintenance, support services (including deployment support services), and any other services Groove Networks may provide you in connection with your use of the Software.

(h) "Software" means the Groove Networks server-based software product licensed by you pursuant to this EULA, and (A) any other software applications or components that subsequently may be provided by Groove Networks for use with it, and (B) any Updates to or Upgrades of any of the foregoing.

(i) "Updates" means bug fixes, patches, or other revisions to or modifications of Software that Groove Networks provides to you, including those it makes generally available to customers that subscribe to its software maintenance services. An Update typically is identified by a change in a number and/or letter to the right of the first decimal point in a product's version number. Updates do not include Upgrades.

(j) "Upgrade" means a major release of Software, as determined by Groove Networks in its sole discretion. An Upgrade typically is identified by a new product name or a new number to the left of the first decimal point in the version number of an existing product name.

(k) "Web Site" means Groove Networks' web site located at http://www.groove.net.

2. OWNERSHIP. The Software is licensed, not sold. All Software (including any changes you may request or suggest) is the property of Groove Networks and/or its licensors. Title to each copy of the Software and all related intellectual property rights embodied in or represented by the Software will remain with Groove Networks and/or its licensors at all times, as will all other rights not explicitly granted to you under this EULA.

3. LICENSE GRANT. Groove Networks grants you the following perpetual, nonexclusive, worldwide, limited license rights to use the Software solely in object code form, provided you comply with all the terms and conditions of this EULA:

(a) You may install and use the Software on one (1) Server that contains no more than two (2) central processing units. If you utilize virtual server technology or any similar technology that enables a single hardware unit to function as multiple servers, you must license one (1) copy of the Software for each virtual server that utilizes the Software. If you have licensed the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege and have not paid a separate license fee permitting you to use the Groove Enterprise Data Bridge Server Software independent of the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege, you may use the Groove Enterprise Data Bridge Server Software solely to support your use of the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege. If the Software you are installing is evaluation use Software or beta Software, your rights are limited as described below in Section 4 or 5. You may make one (1) copy of the Software solely for backup or archival purposes, one (1) copy solely for disaster recovery purposes, and one (1) copy solely for use for internal development purposes.

(b) Each Account to which all required SALs have been allocated may access the services or functionality of the Server(s) covered by the SAL(s). Each End User who has been allocated all required CAL(s) corresponding to the type and major version number of the Server Software covered by the CAL(s) may access and use the functionality of such Server software via a third party software program or service. Each End User who accesses the services or functionality of Groove Networks' Enterprise Data Bridge Server Software via another server or service that directly or indirectly identifies or differentiates End Users, or that tracks or maintains session context for distinct End Users, must be allocated a CAL. Each time you acquire an Upgrade of any Server Software, you must upgrade all CALs and SALs associated with the Server Software, so that each CAL and SAL version matches the major version number of the Server Software product(s) to which the CALs and SALs relate.

(c) U.S. Government End Users. The Software is a "commercial item" as defined at 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation." Notwithstanding anything to the contrary in this EULA, the U.S. Government sometimes makes certain minimum rights of use, reproduction, and disclosure a condition of its purchase or acquisition of commercial software. Accordingly:

(i) GSA Supply Schedule Acquisitions. For government purchases or acquisitions through a GSA Supply Schedule contract, use, reproduction, and disclosure of the Software are subject to restrictions set forth (in March 2002) in 8 of GSA's "Terms and Conditions Applicable to . . . [SINs] 132-32 . . ., 132-33 . . . and 132-34 . . .." Note, however, that any modification or combination of the Software under those rights will entirely void the warranty per Section 8(a) of this EULA.

(ii) FAR Acquisitions. For government purchases or acquisitions under the authority of Federal Acquisition Regulation ("FAR") Part 12, the rights of use, reproduction, and disclosure are only as stated in Section 3 and 7 of this EULA.

(iii) DOD Acquisitions. For government purchases or acquisitions by the Department of Defense, the rights of use, reproduction, and disclosure are only as stated in Section 3 and 7 of this EULA, per DFARS 227.7202-3(a).

(iv) RESTRICTED RIGHTS NOTICE (JUN 1987). For all other government purchases or acquisitions (that is, under authority other than a GSA Supply Schedule contract, FAR Part 12, or the DFARS), the Software is submitted with restricted rights under FAR 52.227-14 Alt. III. It may not be used, reproduced, or disclosed by the government except as provided in paragraph (b) of FAR 52.227-14 Alt. III or as otherwise expressly stated in Section 3 and 7 of this EULA. Note, however, that any modification, adaptation, or combination of the Software under those rights will entirely void the warranty per Section 8(a) of this EULA.

4. EVALUATION SOFTWARE. Notwithstanding anything to the contrary in this EULA, if Groove Networks has provided the Software to you for evaluation use, then (a) you may use the Software (and any Services Groove Networks chooses to provide you in connection with it) in a manner consistent with the terms of this EULA solely for evaluation purposes for 90 days from the Delivery Date (or such other period as may be indicated in writing by Groove Networks at the time of delivery); (b) your use of the Software (and any Services provided in connection with it) may be terminated by Groove Networks without notice at any time; and (c) in light of the fact that evaluation Software is provided to you free of charge, Groove Networks disclaims the limited warranty set forth below in Section 8, and neither Groove Networks nor any Released Party will be liable for direct damages related to evaluation Software, as explained more fully in Section 9(b). Evaluation copies of Software may contain a "time-out" mechanism that will automatically reduce the functionality or disable use of the Software at the end of the evaluation period.

5. BETA SOFTWARE.

(a) Use. If the Software is designated as pre-release or beta software, then you may use it (and any Services Groove Networks chooses to provide you in connection with it) in a manner consistent with the terms of this EULA solely to test the product internally, test the compatibility of your application or other product(s) that operate in conjunction with the Software, and to evaluate the Software for the purpose of providing feedback regarding it to Groove Networks. You may use the Software until the earlier of (i) 120 days from the Delivery Date, (ii) the date of the commercial release of the non-beta version of the Software, or (iii) 10 days after the date on which you or we send written notice to the other terminating your right to use the beta Software, which either of us may do at any time. You may not use the Software in a live operating environment where it may be relied upon to perform in the same manner as a commercially released product or with data that has not been sufficiently backed up. You may not use the Software for benchmark or performance testing.

(b) Acknowledgement and Additional Liability Limitation and Warranty Disclaimer. You acknowledge that all Software designated as pre-release or beta Software may contain bugs, may not operate properly or perform all intended functions, may interfere with the functioning of other software applications, and may cause errors, data loss or other problems. WE STRONGLY ADVISE YOU NOT TO INSTALL BETA SOFTWARE ON A COMPUTER ON WHICH YOU HAVE INSTALLED AN EARLIER VERSION OF THE SOFTWARE. YOU SHOULD NOT INSTALL BETA SOFTWARE ON THE SAME COMPUTER ON WHICH YOU HAVE INSTALLED AN EARLIER VERSION OF THE SOFTWARE, UNLESS YOU ARE CERTAIN YOU HAVE CONFIGURED YOUR COMPUTER SO THAT THE BETA SOFTWARE WILL NOT REPLACE THE EARLIER VERSION. In light of the fact that pre-release or beta Software is provided to you free of charge, Groove Networks disclaims the limited warranty set forth below in Section 8 with respect to pre-release or beta Software, and neither Groove Networks nor any Released Party will be liable for direct damages related to pre-release or beta Software, as explained more fully in Section 9(b).

(c) Feedback. You agree to provide to Groove Networks reasonable suggestions, comments and feedback regarding beta Software, including but not limited to usability, bug reports and test results, with respect to Software testing (collectively, "Feedback"). You grant Groove Networks, under all of your intellectual property and proprietary rights, the following worldwide, non-exclusive, perpetual, irrevocable, royalty free, fully paid up rights: (i) to make, use, copy, modify, and create derivative works of, the Feedback as part of any Groove Networks product, technology, service, specification or other documentation (collectively, "Groove Offerings"), (ii) to publicly perform or display, import, broadcast, transmit, distribute, license, offer to sell, and sell, rent, lease or lend copies of the Feedback (and derivative works thereof) as part of any Groove Offering, (iii) solely with respect to your copyright and trade secret rights, to sublicense to third parties the foregoing rights, including the right to sublicense to further third parties, and (iv) to sublicense to third parties any claims of any patents owned or licensable by you that are necessarily infringed by a third party product, technology or service that uses, interfaces, interoperates or communicates with the Feedback or portion thereof incorporated into a Groove Networks product, technology or service. Further, you warrant that your Feedback is not subject to license terms that will require, or claim to require, that any Groove Offering that incorporates any Feedback (or any intellectual property therein) be licensed to any third party on specified terms. Due to the nature of the development work, Groove Networks provides no assurance that any specific errors or discrepancies in the Product will be corrected.

(d) Confidentiality. All beta Software, including its existence and features and related information, are proprietary and confidential information to Groove Networks. You agree not to disclose or provide beta Software, its Documentation, or any related information (including the Software features or the results of use or testing) to any third party, for a period of one year following the Delivery Date of the Software or until its commercial release, whichever occurs first; provided that, thereafter, you agree not to disclose or provide to any third party any information regarding the Software that has not been made public by Groove Networks as of its commercial release. These restrictions will not apply to any information that (a) is publicly known at the time of its disclosure; (b) is lawfully received from a third party not obligated to maintain it in confidence; (c) is published or otherwise made known to the public by Groove Networks; (d) you generated independently before you received it, as evidenced by your records; or (e) is required to be disclosed under any law, governmental rule or regulation or a valid court order, provided you give Groove Networks reasonable written notice prior to disclosure and comply with any applicable protective order or equivalent.

(e) Support and Maintenance. Groove Networks is not obligated to provide maintenance, technical support, or updates to you for beta Software, but any Updates or other supplemental Software provided to you in connection with beta Software will be subject to the terms and conditions of this EULA. In no event will Groove Networks be obligated to provide you, free of charge, a copy of the commercial release version of the Software in connection with your participation in any testing program. Groove Networks is not obligated to make beta Software commercially available.

6. RESTRICTIONS. You agree not to violate any of the following restrictions, or permit others to violate them:


(a) Copying, Distribution and Use. You may not copy the Software, except as provided above in Section 3(a). You may not sell, rent, lease, sublicense or redistribute Software, or use or permit others to access, install or use the Software, except as provided in this EULA.

(b) Proprietary Notices. You may not alter or remove any copyright, trademark, patent, or other protective notices contained in or on Software.

(c) Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software or otherwise attempt to derive its source code, except and only to the extent that any of these activities is permitted by applicable law despite this restriction. To the extent that the right to decompile, disassemble, or reverse engineer the Software is permitted by applicable law, you agree not to do so if Groove Networks makes available to you a separate software module that allows you to achieve interoperability of an independently created computer program for use with the Software. You agree that, prior to attempting to achieve such interoperability, you will obtain written notification from Groove Networks that it is unwilling to make such a software module available within a reasonable period of time.

(d) Modifications and Derivative Works. You may not modify or create derivative works of the Software, but computer code written to current application programming interfaces for the Software that are published by Groove Networks or otherwise disclosed by Groove Networks to you or a third party and which are not marked "preview" or "beta" (or some similar designation) will not be considered modifications or derivative works for purposes of this restriction.

(e) Interference with Certain Features. You may not modify, disable, circumvent, deactivate or otherwise interfere with features of the Software that enforce license restrictions or limits or report technical or statistical information regarding the Software or its use to Groove Networks.

(f) Use of Prior Versions. You may not continue to use prior versions of any Software after installing an Upgrade of the Software or any Update that wholly replaces the Software.

(g) Client Access Licenses. You agree not to permit any End User to use or obtain functionality from Software directly or indirectly (including by "pooling," "multiplexing," or other uses of hardware or software that reduce the number of users or computers directly accessing or using Software) without first obtaining a current CAL for that End User.


(h) Commercial Hosting Services. You may not use the Software to provide commercial hosting services.

(i) Acceptable Use. You may not use the Software for a purpose or in a manner not permitted by the terms of Groove Networks' Acceptable Use Policy (as it may be amended from time to time), including, without limitation, infringement of intellectual property rights. Groove Networks' Acceptable Use Policy is accessible on the Web Site.

(j) Enterprise Data Bridge Server Software. You may not use Groove Networks' Enterprise Data Bridge Server Software with software applications whose primary function is to integrate distinct software systems through the exchange of data and interconnection of processes, as contrasted with software applications whose primary function is to directly offer services to End Users, without first obtaining a separate license from Groove Networks.

7. MAINTENANCE AND SUPPORT. Technical support for the Software may be found in the Help menu within the Software and on the Web Site. Unless you subscribe to an enhanced maintenance and/or support offering, you are not entitled to receive additional maintenance or support for the Software (though any Updates or Upgrades Groove Networks may provide you will be covered by this EULA, unless Groove Networks requires you to accept a new agreement at the time they are provided). If you subscribe to a Groove Networks maintenance and/or support offering, Groove Networks will provide you with maintenance and/or support services corresponding to the service level(s) to which you have subscribed, as set forth in the Maintenance and Support Terms and Conditions accessible on the Web Site (at http://www.groove.net/support/maintenance.html) or the terms of any separate agreement you may enter into with Groove Networks related to such services. Any technical information you provide Groove Networks in connection with support services it provides you may be used by Groove Networks for its business purposes, including product and service development, subject to the terms of Groove Networks' Privacy Policy, which is accessible on the Web Site.

8. LIMITED WARRANTY AND WARRANTY DISCLAIMER.

(a) Groove Networks warrants that, for a period of 90 days after the Delivery Date, the Software (including any Upgrades for which Groove Networks does not require you to accept the terms of a replacement agreement, but excluding Updates) will function substantially in accordance with its Documentation. As your exclusive remedy for breach of this warranty, Groove Networks will, at its option, either replace or repair the defective Software or refund the license fee paid for it, as well as any associated fees pre-paid for maintenance and support for the twelve (12) month period following the Delivery Date of the defective Software; provided, however, that, with respect to a defective Upgrade that you received as part of a maintenance and support plan subscription, the total fees to be refunded to you will be the maintenance and support fee for the twelve (12) month period during which the Upgrade was delivered to you. Notwithstanding the foregoing, Groove Networks will not be responsible for any breach of warranty not reported during the warranty period; any malfunctioning of Software that you or a third party has modified, misused, or damaged; or any malfunctioning of Software caused by hardware or network configuration or malfunctioning or by third party software or services. THIS WARRANTY DOES NOT APPLY TO SOFTWARE COVERED BY SECTION 4 OR 5 OF THIS EULA.

This warranty gives you specific legal rights. You may also have other rights that vary from state to state and country to country.

(b) EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), GROOVE NETWORKS AND ITS LICENSORS AND LICENSORS' DISTRIBUTORS DISCLAIM ALL WARRANTIES WITH RESPECT TO ALL SOFTWARE AND SERVICES AND ALL THIRD PARTY PRODUCTS OR SERVICES YOU MAY UTILIZE IN CONNECTION WITH SOFTWARE OR SERVICES, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NONINFRINGEMENT. IN PARTICULAR, GROOVE NETWORKS DOES NOT REPRESENT THAT THE SOFTWARE OR SERVICES ARE ERROR FREE, WILL OPERATE IN AN UNINTERRUPTED MANNER, ARE COMPLETELY SECURE, OR WILL INTEROPERATE WITH THIRD PARTY SOFTWARE OR SERVICES. THE SOFTWARE AND SERVICES ARE NOT DESIGNED OR MANUFACTURED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT SYSTEMS, OR WEAPON OR COMBAT SYSTEMS, IN WHICH THEIR FAILURE COULD LEAD DIRECTLY TO PERSONAL INJURY, DEATH, OR PROPERTY OR ENVIRONMENTAL DAMAGE. GROOVE NETWORKS DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR SUCH USES.

(c) U.S. Government Customers and End Users. The Software is a "commercial item," as that term is defined in 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation." For government purchases or acquisitions through a GSA Supply Schedule contract, the government customer and end user accept the standard, commercial Groove Networks warranty terms per 2.a of GSA's "Terms and Conditions Applicable to . . . [SINs] 132-32 . . ., 132-33 . . . and 132-34 . . .." For government purchases or acquisitions under the authority of Federal Acquisition Regulation ("FAR") Part 12, the government customer and end user accept the standard, commercial Groove Networks warranty terms and 48 C.F.R. 52.212-4(p). For all government purchases or acquisitions that are not through a GSA Supply Schedule contract or FAR Part 12, the government customer and end user accept the standard, commercial Groove Networks warranty per 48 C.F.R. 46.709 (prime contracts) or 52.244-6 (subcontracts).

9. EXCLUSION OF DAMAGES AND LIMITATION OF LIABILITY.

(a) TO THE MAXIMUM EXTENT PERMITTED BY LAW (INCLUDING ANY APPLICABLE CONSUMER PROTECTION LAW OF A FOREIGN JURISDICTION), NEITHER GROOVE NETWORKS NOR ANY OF ITS DIRECTORS, OFFICERS, EMPLOYEES, CONTROLLED OR CONTROLLING ENTITIES, LICENSORS OR LICENSORS' DISTRIBUTORS (EACH, A "RELEASED PARTY"), WILL HAVE ANY LIABILITY TO YOU OR ANY END USERS FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, ANY LOSS OF USE, LOST PROFITS, BUSINESS OR REVENUE, LOSS OF GOODWILL OR OTHER ECONOMIC ADVANTAGE, OR LOSS OF PRIVACY) ARISING OUT OF OR RELATED TO THIS EULA, EVEN IF GROOVE NETWORKS OR A RELEASED PARTY HAS BEEN ADVISED OF, OR KNEW OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

(b) NOTWITHSTANDING PARAGRAPH 9(a) ABOVE OR ANYTHING ELSE TO THE CONTRARY SET FORTH IN THIS EULA, IF YOUR CLAIMED DAMAGES ARISE FROM OR RELATE TO SOFTWARE OR SERVICES COVERED BY SECTION 4 OR 5 OF THIS EULA, THEN, TO THE MAXIMUM EXTENT PERMITTED BY LAW (INCLUDING ANY APPLICABLE CONSUMER PROTECTION LAW OF A FOREIGN JURISDICTION), NEITHER GROOVE NETWORKS NOR ANY RELEASED PARTY WILL HAVE ANY LIABILITY TO YOU OR ANY END USERS FOR DAMAGES OF ANY KIND ARISING OUT OF OR RELATED TO THIS EULA, THE SOFTWARE OR THE SERVICES, INCLUDING BUT NOT LIMITED TO DIRECT DAMAGES, EVEN IF GROOVE NETWORKS OR A RELEASED PARTY HAS BEEN ADVISED OF, OR KNEW OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

(c) WITHOUT LIMITING THE SCOPE OR EFFECT OF SECTIONS 9(a) OR (b) ABOVE, IN NO EVENT WILL GROOVE NETWORKS' AND THE RELEASED PARTIES' TOTAL LIABILITY WITH RESPECT TO ALL CLAIMS ARISING OUT OF OR RELATED TO THIS EULA, THE SOFTWARE OR THE SERVICES (INCLUDING CLAIMS OF NEGLIGENCE AND STRICT LIABILITY) EXCEED THE LOWER OF (i) THE AGGREGATE DIRECT DAMAGES ACTUALLY INCURRED BY YOU AND YOUR END USERS, OR (ii) US$500.

(d) SOME JURISDICTIONS LIMIT THE EXCLUSION OF DAMAGES OR LIMITATION OF LIABILITY, SO THE ABOVE EXCLUSIONS AND LIMITATIONS MAY NOT APPLY TO YOU. IF ANY PART OF THE EXCLUSIONS OF DAMAGES OR LIMITATIONS OF LIABILITY SET FORTH IN THIS EULA IS UNENFORCEABLE UNDER APPLICABLE LAW, GROOVE NETWORKS' AND THE RELEASED PARTIES' AGGREGATE LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

10. TERM AND TERMINATION. The term of this EULA will commence upon installation or use of the Software and continue perpetually, unless you and Groove Networks enter into a new agreement that entirely replaces this EULA or Groove Networks terminates this EULA as provided herein. Without prejudice to any other rights, Groove Networks may terminate this EULA if you fail to comply with its terms and conditions. If Groove Networks terminates this EULA, (i) you must immediately stop using the Software and destroy all copies of the Software and all of its component parts, and (ii) Groove Networks will have no further obligation to provide any Services being provided to you as of the termination date. The parties' respective rights and obligations under Sections 2 (Ownership), 6 (Restrictions), 8 (Limited Warranty and Warranty Disclaimer), 9 (Exclusion of Damages and Limitation of Liability), and Section 11 (General Provisions) will survive the termination of this EULA. The term of any Services offering to which you subscribe will be extended automatically for successive periods of twelve (12) months (or, if greater than twelve (12) months, the duration of the initial subscription period), and on Groove Networks' standard terms and prices then in effect, unless either party gives notice of cancellation to the other at least sixty (60) days before the subscription expires.

11. GENERAL PROVISIONS.

(a) Export Restrictions. You agree to comply with all applicable laws and regulations of governmental bodies and agencies related to use of the Software and Services and your performance under this EULA. In particular, you acknowledge that the Software is of United States origin and is subject to United States export laws and regulations. Some Groove Networks server software (including, without limitation, its Relay Server software and Enterprise Data Bridge Server Software) is encryption software and may not be exported or re-exported to certain countries (currently Cuba, Iran, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including Denied Parties, Specially Designated Nationals, and entities on the Bureau of Export Administration Entity List or involved with missile technology or nuclear, chemical or biological weapons). The Software also may be subject to the export, import or other laws of other countries. You represent that you are eligible to receive favorable treatment under current United States export control laws and regulations, and that you will not use or transfer the Software in violation of any U.S. or foreign laws or regulations, or permit others to do so.

(b) Data Protection. Each party undertakes to comply with its obligations under the relevant EU data protection and privacy legislation including (where applicable) the EC Data Protection Directive (95/46) and equivalent national legislation.

(c) Waiver. No delay or omission by either party to exercise any right or power arising upon the other party's nonperformance or breach will impair that right or power or be construed as a waiver of it. Any waiver must be in writing and signed by the waiving party. A waiver on one occasion will not be construed as a waiver of any subsequent event of nonperformance or breach.

(d) Severability. If any provision of this EULA is declared to be unenforceable for any reason, the remainder of this EULA will continue in full force and effect, and the unenforceable provision will be deemed modified to the extent necessary to comply with the applicable requirements of law, while retaining to the maximum extent permitted by law its intended effect, scope and economic effect.

(e) Governing Law. The interpretation and performance of this EULA will be governed by the laws of the Commonwealth of Massachusetts, USA, applicable to contracts executed in and performed entirely within Massachusetts, but excluding any choice of law principles that would result in the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this EULA.

(f) Dispute Resolution. Any litigation arising under or related to this EULA will be brought only in the United States District Court for the District of Massachusetts, or, if federal subject matter jurisdiction is lacking, then in the Massachusetts state trial court for the division and county in which Groove Networks' or its successor's or assign's principal office in Massachusetts is then located. You hereby submit to the personal jurisdiction of these courts and waive all objections to placing venue exclusively before them. The prevailing party in any litigation arising under or related to this EULA, in addition to any other relief granted to it, will be entitled to recover from the losing party its reasonable attorneys' fees and costs incurred in connection with the litigation. Notwithstanding the foregoing, Groove Networks acknowledges that the Contract Disputes Act, its implementing regulations, and its judicial interpretations may take precedence when the U.S. Government is the party accepting this EULA, if required by law; whenever commercial item protections or other exceptions permit the commercially offered disputes resolution clause to apply, however, it applies in full force.

(g) Payment and Taxes. You agree to pay all applicable fees and other charges for Software and Services you acquire. Unless prepaid, all fees and charges are payable in U.S. dollars and are due net thirty (30) days from the date of invoice. Groove Networks may charge a late fee of 1.5% per month or the maximum rate allowable by law, whichever is greater, on any balance remaining unpaid for more than thirty (30) days, except that interest on payments by U.S. government customers will be calculated according to the Prompt Payment Act and its implementing regulations. Prices are exclusive of all applicable taxes. You agree to pay all taxes (including but not limited to sales, use, excise, and value-added taxes), tariffs, duties, customs fees or similar charges imposed or levied on all Software and Services you acquire, with the exception of taxes on Groove Networks' net income.

(h) Software and EULA Transfer. Except with respect to Software covered by Section 4 or 5, the initial licensee of the Software may make a one-time, permanent transfer of this EULA and the Software directly to an individual or a single entity. The transfer must include all of the Software (including all component parts and Documentation) and this EULA, and it may not occur by way of consignment or any other indirect transfer. The transferee of the one-time transfer must agree to comply with the terms of this EULA, including the obligation not to further transfer the Software. You may not otherwise transfer the Software or assign any of your rights or obligations under this EULA.

(i) Entire Agreement. This EULA and Groove Networks' Acceptable Use Policy and Privacy Policy for Groove users, and product and service descriptions for Software and Services, all of which are accessible on the Web Site and incorporated by reference into this EULA as they may be amended from time to time, set forth the entire agreement between you and Groove Networks with respect to their subject matter, and they supersede all prior communications, understandings and agreements, as well as the terms and conditions set forth in or on any purchase order, acknowledgement form, check, or any other document or instrument you may issue to Groove Networks or transmit in connection with any payment for Software or Services.

Copyright Groove Networks, Inc. 2000-2005. All Rights Reserved. Groove, Groove Networks and the Groove interlocking circles logo are trademarks of Groove Networks, Inc. U.S. and foreign patents pending.

Groove Server Software v. 3.1 (and later) EULA
