Table of Contents

Document Overview ..... 3
  Introduction ..... 3
  Scope of Document ..... 3
  Target Audience ..... 3
  Acknowledgements ..... 3
Network Isolation Overview ..... 4
  Industry Trends ..... 4
  Enterprise Vault Network Requirement Overview ..... 5
Enterprise Vault Network Requirement Detail ..... 6
  EV Client Connectivity using RPC ..... 6
  EV Client Connectivity using Outlook RPC over HTTP ..... 7
  EV Client Connectivity using Outlook Web Access ..... 8
  EV Server Connectivity ..... 9
Secure Network Scenario ..... 10
Microsoft References ..... 11
  Server & Domain Isolation Articles ..... 11
  Netbios over TCP/IP ..... 11
  SQL References ..... 12
Page 2 of 17
Document Overview
Introduction
This best-practice document discusses the configuration requirements and considerations for operating Enterprise Vault servers in networks that use firewalls to control network access. With the rise of viruses, worms, malware and other security issues, some organisations have decided to segment their corporate network and isolate the segments to which servers are attached. Firewalls are then used to control which TCP/IP ports clients may use to reach the applications hosted on those servers. This paper considers the impact this has on Enterprise Vault and the actions required to ensure its smooth operation in such a network.
Scope of Document
This document is concerned with the network configuration needed for EV to operate correctly in a secure network, specifically the TCP/IP ports EV requires in order to communicate with clients and with other infrastructure components such as Exchange, SQL Server and Active Directory domain controllers. The use of IPsec policies to secure and manage access to an Enterprise Vault server is outside the scope of this document.
Target Audience
This document is aimed at customers, consultants and support staff. It is assumed that the reader has a good understanding of the architecture and operational aspects of an Enterprise Vault server and of Microsoft Exchange, as well as of Active Directory terminology. The document also discusses certain networking principles, so it is assumed that the reader is familiar with TCP/IP fundamentals.
Acknowledgements
I would like to acknowledge the contribution that other individuals made towards making this a successful and informative document. Contributions and feedback came from the following teams: technical product management, technical field enablement, engineering, development and the performance team. Thanks to them all.
This is a high-level network diagram; the connection specifics for each component are broken down in more detail in the next section of this document.
EV Server Connectivity
This diagram shows the components found in most EV environments. Not every environment will have all of the components shown, but they are represented here for completeness. A label next to each component gives the TCP/IP ports used for communication to and from the EV server.
Microsoft References
Server & Domain Isolation Articles
Server and Domain Isolation TechNet Web site
http://www.microsoft.com/sdisolation
Server and Domain Isolation Using IPsec and Group Policy Guide
http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
Microsoft IT Showcase: Improving Security with Domain Isolation: Microsoft IT Implements IP Security (IPsec)
http://www.microsoft.com/downloads/details.aspx?FamilyId=A97DDC48-A364-4756-BB3C-91DA274118FE&displaylang=en
SQL References
EV has a major dependency on SQL Server, and a clear communication channel is required at all times from the EV server to the SQL server. It is not the intention of this document to specify best practices for configuring SQL Server specifically for EV, because the SQL server used for EV is quite likely to host other databases as well. This page has therefore been included to point the reader to the relevant references when considering the network placement of the SQL server within an EV infrastructure. The following paragraphs are extracted from Microsoft's SQL Server content on MSDN.
Prior to Microsoft SQL Server 2000, only one instance of SQL Server could be installed on a computer. SQL Server listened for incoming requests on port 1433, assigned to SQL Server by the Internet Assigned Numbers Authority (IANA). Only one instance of SQL Server can use a port, so when SQL Server 2000 introduced support for multiple instances, the SQL Server Resolution Protocol (SSRP) was developed to listen on UDP port 1434. This listener service responded to client requests with the names of the installed instances and the ports or named pipes used by each instance. To resolve limitations of SSRP, SQL Server 2005 introduces the SQL Server Browser service as a replacement; more information is available at the following Microsoft link.
http://msdn2.microsoft.com/en-us/library/ms181087.aspx
sending a request to the server using the port or named pipe of the desired instance.
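The Browser lookup described above is why a named instance on a dynamic port is awkward behind a firewall: the client first asks UDP 1434 for the instance's port and only then opens the TCP connection, so both must be permitted unless the client is told the port directly. The following Python script is an added example, not code from the original document or from Microsoft. It builds the two SSRP client requests, parses the Browser's reply, and derives the firewall rules a client subnet needs, distinguishing a client that connects by instance name (UDP 1434 plus the instance's TCP port) from one that connects as SERVER,PORT (TCP port only). The server name EVSQL01, instance name EV, port 49172 and the response bytes are constructed for this example; the message layout follows Microsoft's published MC-SQLR specification.

```python
"""SSRP (SQL Server Browser, UDP 1434) request/response helpers.

Added example; wire format per Microsoft's MC-SQLR specification.
Sample data below is constructed, not captured from a real server.
"""
import socket
import struct
from typing import Dict, List, Optional

SSRP_PORT = 1434           # UDP port the SQL Server Browser service listens on
DEFAULT_TCP_PORT = 1433    # IANA-assigned port used by the default instance

CLNT_UCAST_EX = b"\x03"    # "list every instance on this host"
CLNT_UCAST_INST = b"\x04"  # "describe one named instance" (+ name + NUL)
SVR_RESP = 0x05            # first byte of the server's reply


def build_request(instance: Optional[str] = None) -> bytes:
    """Build a CLNT_UCAST_EX (no instance) or CLNT_UCAST_INST datagram."""
    if instance is None:
        return CLNT_UCAST_EX
    name = instance.encode("ascii")
    if len(name) > 32:                       # MC-SQLR limit on INSTANCENAME
        raise ValueError("instance name longer than 32 characters")
    return CLNT_UCAST_INST + name + b"\x00"


def parse_response(datagram: bytes) -> List[Dict[str, str]]:
    """Parse an SVR_RESP datagram into one dict per advertised instance.

    Layout: 0x05, RESP_SIZE (uint16 little-endian), then RESP_DATA: runs of
    'key;value;' pairs, one run per instance, each run terminated by ';;'.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    data = datagram[3:3 + size].decode("latin-1")
    instances = []
    for record in data.split(";;"):
        fields = record.split(";")
        if fields and fields[-1] == "":       # drop trailing empty field
            fields.pop()
        if len(fields) < 2:                   # empty run after final ';;'
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def uses_browser(server_spec: str) -> bool:
    """True when a connection-string Server= value needs the Browser.

    'HOST\\INSTANCE' is resolved via UDP 1434; 'HOST,PORT' and a bare 'HOST'
    (default instance on 1433) go straight to TCP.
    """
    return "\\" in server_spec and "," not in server_spec


def firewall_rules(instances: List[Dict[str, str]], client_cidr: str,
                   connect_by_name: bool) -> List[str]:
    """Inbound allow rules a firewall in front of the SQL host needs."""
    rules = [
        f"allow tcp {client_cidr} -> {i['tcp']}  # {i['ServerName']}\\{i['InstanceName']}"
        for i in instances if "tcp" in i
    ]
    if connect_by_name:
        rules.append(f"allow udp {client_cidr} -> {SSRP_PORT}  # SQL Server Browser")
    return rules


def query_browser(host: str, instance: Optional[str] = None,
                  timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send the request over UDP 1434 and parse the reply (live network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(instance), (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


# Constructed sample reply: a default instance on 1433 and a named instance
# 'EV' that was assigned dynamic port 49172. Not captured from a real server.
_SAMPLE_DATA = (
    "ServerName;EVSQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;9.00.1399.06;tcp;1433;;"
    "ServerName;EVSQL01;InstanceName;EV;IsClustered;No;"
    "Version;9.00.1399.06;tcp;49172;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_SAMPLE_DATA)) \
    + _SAMPLE_DATA.encode("latin-1")


if __name__ == "__main__":
    found = parse_response(SAMPLE_RESPONSE)
    for inst in found:
        print(inst["ServerName"], inst["InstanceName"], "tcp", inst["tcp"])
    for spec in ("EVSQL01\\EV", "EVSQL01,49172"):
        print(spec, "->", firewall_rules(found, "10.0.1.0/24", uses_browser(spec)))
```

Run against a real host with query_browser("sqlhost") to see which instances and ports the Browser will hand to anyone who can reach UDP 1434. The practical takeaway for the EV/SQL firewall: give the EV instance a static TCP port, reference it as SERVER,PORT (or HOST\INSTANCE with the port pinned in the client alias), and then the UDP 1434 rule can be dropped altogether.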
Veritas Support document 284292: http://support.veritas.com/docs/284292
When Enterprise Vault (EV) is installed into an Active Directory infrastructure with at least one resource domain and at least one logon domain, you are unable to access archived items through Outlook Web Access (OWA).

Exact Error Message:
201 - Basket restoring
The user 'DOMAIN\OWAAnonymous' attempted to restore a message into Exchange mailbox 'user05' and they were not the mailbox owner or an Administrator
User 'DOMAIN\OWAAnonymous' failed to restore an item into mailbox 'user05'

Details: When users in the logon domain attempt to open an archived item in OWA, the item cannot be retrieved. Clicking the yellow banner reading "Item is currently unavailable..." opens a pop-up window: "201 - Basket restoring". In the EV event log, the following warnings appear:
Event Type: Warning
Event Source: Enterprise Vault
Event Category: Retrieval Task
Event ID: 2177
Date: 12/07/2006
Time: 15:08:57
User: N/A
Computer: CRASH
Description: The user 'DOMAIN\OWAAnonymous' attempted to restore a message into Exchange mailbox 'user05' and they were not the mailbox owner or an Administrator

Event Type: Warning
Event Source: Enterprise Vault
Event Category: Retrieval Task
Event ID: 2227
Date: 12/07/2006
Time: 15:08:57
User: N/A
Computer: CRASH
Description: User 'DOMAIN\OWAAnonymous' failed to restore an item into mailbox 'user05'. SavesetID: 732000000000000~200607121125520000~0~CF813066FE034AF28DD65357F3F0A64
Information on the authentication process:
1. The OWA user requests an archived item from Exchange.
2. The IIS process, running as the anonymous OWA user account, invokes a directory lookup that includes the domain\username credentials of the Exchange user making the request.
3. AuthServer.exe performs the Active Directory lookup, calling the Windows APIs to look up the account SID by name, running under the context of the Vault Admin account. If the Vault Admin account has no rights in the domain in which the user resides, the lookup fails.

There are two solutions:
1. Give the Vault Admin account rights to perform lookups in the user's domain (i.e. a trust).
2. Allow pass-through authentication. "Pass-through" authentication works by duplicating the Vault Admin account in the lookup domain with exactly the same username and password. When the lookup requests credentials, AuthServer supplies the Vault Admin account's details; if these match an account in the lookup domain, the lookup succeeds. Because the match is on username and password, the two accounts must be kept in step: a password change on either side that is not mirrored on the other breaks the lookup.

Workaround 1: Create an account in the logon domain with the same name and password as the Vault Service Account that exists in the resource domain.
Workaround 2: Create the Vault Service Account and the OWA Anonymous account in the logon domain, and configure the Enterprise Vault services to use this account.

Both workarounds are also suitable for environments where the resource domain and the logon domain are children of a common parent domain. Besides the default parent-child trusts between each child and the root domain, only a one-way (non-transitive) trust in which the resource forest trusts the logon domain is required.
Veritas Support document 288088: http://support.veritas.com/docs/288088
Event ID 2227 is reported in the Enterprise Vault event log when a user attempts to view an Enterprise Vault archived mail item using Microsoft Exchange OWA (Outlook Web Access).

Exact Error Message:
Click on the "The archived item is currently unavailable." message and the error shown in Figure (2) is returned.
Figure (2): 201 Basket Restoring
The following error is captured in the DTRACE of the shopping service.

DTRACE BEGIN:
594 16:33:46.066 [7044] (RetrievalTask) <22332> EV~W Event ID: 2227 User '<unavailable>' failed to restore an item into mailbox 'Phil Earhart'. |SavesetID: 165500000000000~200703301852270000~0~78B298C3007F431EB6533B0A902C209 |
595 16:33:46.082 [7044] (RetrievalTask) <22332> EV~W Event ID: 2270 A queued operation exceeded the retry count and has been discarded|(Retrieval)|m_pIExchangeRestorationAgentUpdate>SavesetAvailable(OriginatingClient = "189F3EE2634E34A44AA9A09B506DD5BEC1c10000EVClusServer",| pISaveset, | AgentParamsSize = 663,| pAgentParams,| NULL,| nRetryCount = 3,| NULL,| PSTFile = "", RestoreAndDelete = "FALSE",| PSTFormat = "UNICODE",| RestoreShortcuts ="FALSE");|HRESULT: 0x80040B36 |
DTRACE END:
Resolution:
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to the Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor. It is recommended that a complete backup of the registry and of the workstation be made before making any registry changes.

1. Open Regedit on the Enterprise Vault server under the security context of the Vault Service Account (VSA). The value below lives under HKEY_CURRENT_USER, so it is only seen by the EV services if it is created in the VSA's hive; creating it while logged on as a different account has no effect.
2. Create a string value named "AnonymousUser" under the key HKEY_CURRENT_USER\Software\KVS\Enterprise Vault.
3. Set the value to the user account that was created for Enterprise Vault OWA anonymous access. Make sure the domain name is included with the account name, as displayed in Figure (3).
Figure (3)
Related Documents:
276120: http://support.veritas.com/docs/276120
284292: When Enterprise Vault (EV) is installed into an Active Directory infrastructure with at least one resource domain and at least one logon domain you are unable to access archived items through Outlook Web Access (OWA). http://support.veritas.com/docs/284292