Nterprise Branch Office

Nterprise Branch Office, originally released as a standalone product, is now included as part of NetWare 6.5. Nterprise Branch Office lets you simplify the management and integration of remote locations by creating a multifunction appliance that efficiently links your branch offices to your HQ, using the Internet as your link. This way, existing security and management policies can be transparently extended to your branch offices without requiring a bunch of additional infrastructure to make it happen.

Nterprise Branch Office software combines with your hardware to create a branch office server appliance that is designed to provide those network services that are best provided locally (such as authentication, file access, and printing), while letting the central office manage more strategic services (such as security, directory management, and file replication). The basic architecture of an Nterprise Branch Office solution is shown in Figure 12.1.

Figure 12.1. How Nterprise Branch Office works.


Users access file and print services from Nterprise Branch Office using the same tools that can be used with a standard NetWare 6.5 file server. They can authenticate through multiple protocols, including HTTP, CIFS, NCP (Novell Client), FTP, AFP, and NFS, and access their files in the method with which they are familiar.

Installing Nterprise Branch Office

There are just two tasks related to installing Nterprise Branch Office:

  • Creating the branch office appliance

  • Installing the central office software

Depending on how you plan to use the Nterprise Branch Office appliance, there may be some other supporting tasks that you need to perform. The Nterprise Branch Office appliance can be installed either standalone, or as an integral part of your central office infrastructure, as shown in Figure 12.1. The process of creating the appliance is similar, but central office integration requires a few additional tasks in order to prepare the central office to communicate with and support the branch office appliance.

Extending Authentication to the Branch Office

In order to leverage the same user authentication provided by the eDirectory environment at your central office, the User Access Provisioner on the branch office appliance will automatically create accounts for users the first time they log into the appliance. These branch office accounts will have the same username and passwords that are used at the central office so that users don't have to manage multiple accounts. In order to support the proper creation of these new branch office accounts, do the following:

  • Configure an LDAP server: The branch office appliance will authenticate users using the LDAP protocol to communicate with your central office eDirectory tree. Therefore, your central office must have at least one LDAP server with which the branch office appliance can communicate. For more information on creating an LDAP server on NetWare 6.5, see Chapter 5, "Novell eDirectory Management."

  • Universal passwords: Several potential authentication protocols, such as CIFS and HTTP, require the use of the simple password capabilities of NetWare 6.5. Simple password is introduced in Chapter 2, "Novell Clients." To effectively manage the needs of these protocols, enable universal passwords on the central office servers. This will allow you to synchronize and manage passwords regardless of the method that users might use to authenticate at the branch office. For more information on Universal Passwords, see Chapter 6, "Users and Network Security."

    NOTE

    If your branch office users will use the Novell client for their first login attempt to the branch office appliance, make sure that NMAS is disabled at the client in order for the user account provisioning to work properly. You can disable NMAS from the Novell client property pages at the workstation. For more information on the Novell client, see Chapter 2.

  • Install an SSL certificate: In order to communicate authentication information with your central office server, the branch office appliance requires an appropriate SSL certificate. Your NetWare 6.5 server will create an SSL certificate automatically during its installation. Use ConsoleOne or iManager to export this certificate to a binary .DER file. Subsequently, you will install this certificate as part of the branch office appliance initialization. To export an SSL certificate with iManager, complete the following steps:

    1. Launch iManager and click the View Objects button in the header frame.

    2. In the left navigation frame, browse to the container in which your LDAP server is located. The SSL certificate for the LDAP server will be in the same context. The SSL certificate object will have a name of the form (where <servername> is the name of your LDAP server):

       SSL CertificateIP-<servername>

    3. Click the SSL Certificate object and select Modify Object.

    4. Select the Certificates tab in the right frame and click Export.

    5. Select No to export the private key with the certificate, and click Next.

    6. Select File in binary DER format and click Next.

    7. Click Save the exported certificate to a file. Save the certificate file to your local drive or to a floppy disk. When the file has been created, click Close to exit the Certificate Export Wizard.

With these preparatory tasks out of the way, your branch office appliance will be ready to perform authentication based on user credentials initially created at your central office. Existing usernames, passwords, and rights can all be leveraged to jumpstart your branch office environment.
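A check worth running on the exported file before it leaves the central office, as an added example that is not from the handbook or from Novell: it confirms the file is a bare binary DER certificate rather than a PEM text file or a container that starts like PKCS#12/PKCS#8 (which would mean the private key went with it), and prints a SHA-256 fingerprint to compare on both sides. The function names and the two skeleton byte strings are constructed for illustration; that a private-key export produces a PKCS#12 file is an assumption.

```python
import hashlib

# Constructed DER skeletons (not real certificates), used only to show the shapes:
# Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }
SAMPLE_CERT_SKELETON = bytes.fromhex("300730003000030100")
# PFX / PrivateKeyInfo ::= SEQUENCE { version INTEGER, ... }
SAMPLE_PFX_SKELETON = bytes.fromhex("30050201033000")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length


def classify_export(data):
    """Classify an exported file by its outer ASN.1 structure."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                      # Base64 text, not the binary DER asked for
    try:
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"              # not a single top-level SEQUENCE
        inner_tag, _, _ = _read_tlv(data, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:
        return "certificate"              # first member is tbsCertificate
    if inner_tag == 0x02:
        return "private-key-container"    # first member is a version INTEGER
    return "unknown"


def fingerprint(data):
    """SHA-256 fingerprint in colon-separated hex, for out-of-band comparison."""
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for label, blob in (("cert skeleton", SAMPLE_CERT_SKELETON),
                        ("pfx skeleton", SAMPLE_PFX_SKELETON)):
        print(label, classify_export(blob), fingerprint(blob))
```

Only a file classified as "certificate" should be copied to the appliance; the fingerprint printed at the central office can be read back and compared before the certificate is installed.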

Replicating Branch Office Data to the Central Office

One critical requirement of a branch office server is that branch office data be protected just as carefully as data at the central office. Prior to Nterprise Branch Office, this required a separate data backup/restore solution for remote servers. However, Nterprise Branch Office solves this problem by making it possible to synchronize branch office data to a central office server where it can be backed up and archived at the same time as the rest of the central office data. The result is that you no longer require someone at the branch office to manage the storing and changing of backup tapes or other media in order for the backup routine to run smoothly.

Nterprise Branch Office leverages a technology known as rsync to accomplish the transparent synchronization of data from the branch office appliance to a designated central office server. rsync is an open source technology that performs incremental data replication from one file system to another. The incremental nature of rsync means that, once the initial replication is complete, subsequent updates can occur very quickly, because only changes are replicated instead of entire files or directories.

To use rsync, the chosen central office server must be configured as an rsync server. To configure an existing server as an rsync server, complete the following steps. You can also configure a new server as an rsync server by installing the rsync server option during the NetWare 6.5 installation. For more information on NetWare 6.5 installation, see Chapter 1.

  1. Insert the NetWare 6.5 Operating System CD-ROM into your workstation.

  2. Launch iManager and open the Install and Upgrade link in the left navigation frame.

  3. Select Install NetWare 6.5 Products, and then click Remote Product Install in the right frame.

  4. At the Target Server screen, select the server to which you want to install Nterprise Branch Office and click Next. Authenticate as an Admin user for your eDirectory tree and click OK.

  5. At the Components screen, click Clear All and select only Nterprise Branch Office rsync Server. Click Next.

  6. At the Summary screen, click Copy Files. You will be prompted to insert the NetWare 6.5 Products CD-ROM.

  7. At the Rsync License Agreement screen, click I Accept.

  8. At the Installation Complete screen, click Close to complete the installation of rsync server.

Once installed, make sure that rsync is loaded, and that the configuration pages are available from NoRM by loading the following rsync modules at the server console:

 
 SYS:RSYNC\RSYNCST.NLM
 RSYNCNRM.NLM

For best results, insert these commands into your central office server's AUTOEXEC.NCF so that they load automatically each time the server starts.

With rsync loaded, you can now finish the configuration from NoRM. To do so, complete the following steps:

  1. Launch NoRM and select RSync Configuration in the left navigation frame. The rsync options are grouped under the Manage Applications heading.

  2. Select Global Configuration in the right frame (see Figure 12.2). The Global settings will be applied to all branch office appliances linked to this rsync server. Provide the required information and click Apply to save your settings:

    • RSync IP Address: Provide the IP address of the rsync server that you are installing at the central office.

    • Port: Provide the port number that will be used by rsync activities. By default, rsync will use port 873.

    • Enable SSL: Check this box to use an SSL connection when replicating data via rsync. This option is enabled by default.

    • Enable Progress Logging: Check this box to create a detailed log of data transfer activities. This log can get very large and require significant server resources. Because of this, it is typically only used while troubleshooting an rsync-related issue.

    • Log File: Specify the location of the log file that will be used for progress logging. The log is stored as a text file and can be viewed with any text editor.

    Figure 12.2. RSync global configuration settings in NoRM.


  3. Select Branch Office Configuration in the right frame and click Add Branch Office. At the Branch Office Name and Volume screen, provide the required information and click Apply to save your settings:

    • Branch Office Name: Type the branch office appliance name that you want to replicate to this rsync server. The appliance name is case-sensitive, so make sure you enter the same value as that entered when initializing the actual branch office appliance. For more information on initializing the branch office appliance, see "Creating the Branch Office Appliance," later in this chapter.

    • Volume for File Transfer: Specify the volume on the central office server where you want replicated files to be stored. rsync does not use encryption, so this volume must be large enough to hold all data from the branch office appliance.

    WARNING

    The volume used for rsync replication should be restricted so that only administrators have access. Otherwise, potentially sensitive data from the branch office could be exposed to unauthorized users in the central office.

  4. At the RSync Branch Office Configuration screen (see Figure 12.3), provide the required information and click Apply to save your settings:

    • Branch Office Name: This is the name of the branch office appliance (provided previously).

    • File Transfer Path: Specify the path to which rsync will replicate the branch office appliance data. By default, rsync appends the following path to the volume you chose previously:

       \rsync\<Branch Office name>

    • (Optional) Comment: Provide any type of descriptive comment about the branch office appliance.

    • Transfer Logging: Check this box to create a detailed log of data transfer activities. This log can get very large and require significant server resources. As such, it is typically only used while troubleshooting some rsync-related issue.

    • Branch Office IP Address: Specify the IP address of the branch office appliance. This must be a public IP address through which the appliance will be accessible. If your branch office uses Network Address Translation (NAT), specify the public IP address and not the private server address.

    • Timeout: Specify the amount of time, in seconds, that the rsync server will wait while attempting to contact a branch office appliance. If your Internet connection is slow, this value should be set fairly high. The default setting of 3600 seconds is the maximum timeout value.

    Figure 12.3. Branch office appliance configuration settings in NoRM.


  5. Export the SSL IP certificate from your rsync server. This certificate will be needed during the branch office appliance configuration, and before the first data replication can occur. The process for exporting a server certificate was described previously.

At this point, your central office is configured to support branch office appliances. The following sections look at the installation and configuration of the branch office appliances themselves.
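The settings above have to agree with what is later typed into the appliance's own configuration wizard, and the mismatches the chapter warns about (a name that differs only in case, a private address behind NAT, a timeout above 3600) are easy to miss in two separate Web forms. The following pre-flight check is an added example, not part of the handbook or of any Novell tool; the dictionary keys, the finding codes and all sample values are constructed for illustration.

```python
import ipaddress

MAX_TIMEOUT = 3600  # seconds; the maximum the chapter gives for the Timeout field
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values, written down from the two configuration screens.
SERVER = {"ip": "203.0.113.10", "port": 873, "ssl": True}
BRANCHES = [
    {"name": "Waltham", "ip": "192.168.10.5", "timeout": 3600},
    {"name": "Provo", "ip": "203.0.113.20", "timeout": 600},
]
APPLIANCE = {"name": "waltham", "rsync_ip": "203.0.113.10", "rsync_port": 873}


def check_replication(server, branch_entries, appliance):
    """Return (code, message) findings; an empty list means both sides agree."""
    findings = []
    if not server["ssl"]:
        findings.append(("SSL_OFF", "Enable SSL is unchecked on the rsync server"))
    if (appliance["rsync_ip"], appliance["rsync_port"]) != (server["ip"], server["port"]):
        findings.append(("ENDPOINT", "appliance targets %s:%s, server is %s:%s" % (
            appliance["rsync_ip"], appliance["rsync_port"], server["ip"], server["port"])))

    by_name = {entry["name"]: entry for entry in branch_entries}
    entry = by_name.get(appliance["name"])        # exact, case-sensitive lookup
    if entry is None:
        near = [n for n in by_name if n.lower() == appliance["name"].lower()]
        if near:
            findings.append(("NAME_CASE", "appliance name %r differs only in case "
                             "from server entry %r" % (appliance["name"], near[0])))
        else:
            findings.append(("NAME_MISSING",
                             "no branch office entry named %r" % appliance["name"]))
        return findings                           # nothing further to compare

    addr = ipaddress.ip_address(entry["ip"])
    if any(addr in net for net in RFC1918):
        findings.append(("PRIVATE_IP", "%s is a private address; enter the public "
                         "address in front of NAT" % addr))
    if not 1 <= entry["timeout"] <= MAX_TIMEOUT:
        findings.append(("TIMEOUT", "timeout %r is outside 1..%d seconds"
                         % (entry["timeout"], MAX_TIMEOUT)))
    return findings


if __name__ == "__main__":
    for code, message in check_replication(SERVER, BRANCHES, APPLIANCE):
        print(code, message)
```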

Creating the Branch Office Appliance

The Nterprise branch office appliance is created by installing a preconfigured image onto existing computer hardware so that it will function as a branch office appliance. NetWare 6.5 includes the Nterprise Branch Office CD-ROM, which is a bootable CD that launches the imaging process automatically. Because, under the covers, the branch office appliance is a limited functionality NetWare server, Novell recommends the following minimum hardware requirements:

  • Server class PC with a Pentium II or AMD K7 processor (up to 32 processors).

  • Minimum 512MB RAM (1GB recommended).

  • Minimum 9GB local storage. The operating system will occupy 4GB of this space, with the rest available for user data. You should assume 12GB per user for data storage.

  • Bootable CD-ROM drive and floppy drive. Make sure the BIOS settings for the appliance hardware list the CD-ROM as the first boot device, and then the hard drive, and then the floppy disk.

  • Up to four Novell PCI Ethernet network boards. The branch office appliance can recognize up to four network adapters and provide automatic failover should one board fail.

  • SVGA display adapter and monitor, keyboard, and mouse.

To create a new branch office appliance, complete the following steps:

WARNING

The branch office appliance is a dedicated server device, and any existing operating systems or data will be deleted as part of the imaging process. Make sure that you back up any existing data that you might want to keep prior to starting the installation routine.


  1. Insert the Nterprise Branch Office CD-ROM into the system that will become your new branch office appliance and reboot the system.

  2. At the prompt, type Y to re-image the machine as an Nterprise Branch Office server.

    At this point, the branch office appliance image will create new disk partitions to support Nterprise Branch Office, and overwrite all data on the destination hard drive with the appropriate appliance files. This process might take some time. Once the imaging process is complete, the appliance will automatically reboot and move on to an automated configuration routine. Following this you will continue with the installation process.

  3. When they are displayed, review both the Nterprise Branch Office and the rsync license agreements. You can also elect to press C to bypass the actual reading part and get on with the installation.

  4. Press Y to accept the Novell License Agreement. Press Y to accept the rsync license agreement.

  5. Enter the IP address of the branch office appliance.

  6. Enter the subnet mask of the branch office appliance.

  7. Enter the IP address of the default gateway.

    At this point, the appliance is installed and you are ready to move onto the Web-based appliance configuration. You can access the configuration utility from your Web browser by entering the following URL:

    https://<server IP address>:2222

  8. Authenticate as user Supervisor with no password to enter the appliance configuration utility, as shown in Figure 12.4. You will be able to set the password as part of the configuration process.

    Figure 12.4. The initial Web-based branch office appliance configuration screen.


  9. Click Start to begin the appliance configuration wizard.

  10. At the Set General Settings screen (see Figure 12.5), provide the required information and click Next.

    • Supervisor Password: Specify a password that will be used to access the appliance configuration wizard.

    • Appliance Name: Specify a unique name of the branch office appliance. If you are going to use rsync with this server, make certain that the name specified matches the one provided in the rsync server configuration, described previously. Names are case sensitive!

    • (Optional) DNS Name, Domain, and DNS Server Address: Provide the requested DNS information if users will use DNS to access printers within the branch office firewall. The Nterprise branch office appliance provides iPrint functionality for network printing.

    Figure 12.5. Configuring general settings on the branch office appliance.


  11. (Optional) At the Setup User Access Provisioner screen, provide the required information and click Next (see Figure 12.6). The User Access Provisioner is necessary if you want to allow the branch office appliance to recognize LDAP users from an existing eDirectory tree at the central office.

    • Central office LDAP Server Information: Provide the IP address, SSL port (default 636), and SSL certificate for the LDAP server at the central office.

    • (Conditional) LDAP Context for User Access Provisioner: If all the LDAP users who will authenticate to the branch office appliance are in a single container, provide the appropriate context here. Be sure to use the LDAP syntax (comma delimiters) instead of the familiar eDirectory syntax (period delimiters).

    • (Conditional) LDAP ID for Use by User Access Provisioner: If you want the branch office appliance to search multiple containers during LDAP user authentication, provide a valid user ID and password that the appliance will use to connect to the LDAP tree and query for users. This LDAP user must have sufficient rights to read and scan all common names in the central office LDAP-enabled tree.

    Figure 12.6. Configuring user access provisioner settings on the branch office appliance.


    NOTE

    The LDAP user ID and password will not be stored in the branch office appliance configuration file, for security reasons. If an appliance is ever restored from the central office, this information will have to be provided manually before the User Access Provisioner will work again.

  12. (Optional) At the Setup Replication screen, provide the required information and click Finish. Configure these settings if you are using rsync to replicate branch office appliance data to a central office server.

    • Central Office rsync Server Information: Provide the IP address, SSL port (default 873), and SSL certificate for the rsync server at the central office.

Once the configuration is complete, the branch office appliance will save all the specified settings and reboot one more time to start up with the specified settings. You will be prompted to authenticate to the appliance again. Remember to use the user ID Supervisor, and the password that you specified during the appliance configuration. Once you've been authenticated, you will see the Nterprise Branch Office Web Administrator, as shown in Figure 12.7.

Figure 12.7. Nterprise Branch Office Web Administrator interface.
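The User Access Provisioner step above asks for the context in LDAP syntax (comma delimiters) rather than eDirectory syntax (period delimiters). The converter below is an added example, not code from the handbook or from Novell; it goes a little beyond the simple delimiter swap by also handling a leading period, backslash-escaped periods inside a container name, and characters that must be escaped in an LDAP DN. The function names and sample contexts are constructed, and typeful names (ou=..., o=...) are assumed.

```python
LDAP_SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires escaping in a DN value


def _split_unescaped(text, sep):
    """Split text on sep, ignoring any separator preceded by a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]          # keep the escape pair intact for now
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    parts.append(cur)
    return parts


def _unescape(raw):
    """Drop eDirectory backslash escapes, leaving the literal characters."""
    out, i = "", 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out += raw[i + 1]
            i += 2
        else:
            out += raw[i]
            i += 1
    return out


def _ldap_escape(value):
    """Escape a literal value for use inside an LDAP DN."""
    out = "".join("\\" + c if c in LDAP_SPECIAL else c for c in value)
    if value[:1] in ("#", " "):           # leading '#' or space must be escaped
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "            # so must a trailing space
    return out


def edir_to_ldap(context):
    """Convert 'ou=users.ou=waltham.o=quills' to 'ou=users,ou=waltham,o=quills'."""
    ctx = context.strip()
    if ctx.startswith("."):
        ctx = ctx[1:]                     # leading period marks a fully distinguished name
    converted = []
    for rdn in _split_unescaped(ctx, "."):
        if len(_split_unescaped(rdn, "+")) > 1:
            raise ValueError("multi-valued RDN not handled here: %r" % rdn)
        pieces = _split_unescaped(rdn, "=")
        if len(pieces) != 2 or not pieces[0].strip() or not pieces[1]:
            raise ValueError("typeful name required (for example ou=users): %r" % rdn)
        converted.append(pieces[0].strip() + "=" + _ldap_escape(_unescape(pieces[1])))
    return ",".join(converted)


if __name__ == "__main__":
    print(edir_to_ldap("ou=users.ou=waltham.o=quills"))
```

A typeless context such as users.waltham.quills is rejected rather than guessed at, because the attribute types cannot be recovered from the name alone.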


Configuring Nterprise Branch Office

Nterprise Branch Office is relatively easy to configure from a Web interface. As you navigate and configure the appliance, changes are tracked and stored in a local buffer. With the exception of printing and date/time settings, changes are not actually applied until you click the Apply All Settings button at the bottom of the content frame (right side). Because some settings require the appliance to restart, accumulating changes can make the configuration process a lot more efficient. Similarly, clicking Cancel All Settings will ignore accumulated changes.

At the bottom of the navigation frame, you will see links that will let you shut down or restart the appliance. As you can see, these options make it possible for the appliance to function in a "headless" environment such as a rack-mounted server room. Broad control over the appliance is provided through the Branch Office Web Administrator. The following sections look at the various pages and options available through the Web Administrator.

Configuration

This is the default view when Web Administrator is launched. Configuration page options are available as links in the left navigation frame:

  • IP Address: This page, the default page shown in Figure 12.7, lets you configure the basic IP environment for your appliance, including IP addresses, subnet masks, gateway servers, DNS information, and Ethernet adapter settings.

  • IP Access Protocols: This page lets you select and configure the protocols that can be used for file access and administrative access on the branch office appliance. You can also add IP addresses to your appliance and configure protocols per IP address. Supported file access protocols include AFP, NFS, HTTP, FTP, HTTPS, NCP, and CIFS. Administrative protocols include HTTPS, FTP, and Telnet.

  • Authentication Sources: Selects and configures the authentication protocols that will be supported by the branch office appliance. Options include LDAP, NIS, and NT DOMAIN.

  • Date & Time: Configures the time synchronization environment for the branch office appliance. The appliance can locate NetWare or NTP time sources automatically, or you can specify a particular server. For more information on time synchronization, see Chapter 4.

  • Time Zone: Configures the time zone and daylight saving time options for the branch office appliance. These settings will be used in the appliance's time calculations to determine whether it is in proper time synchronization.

  • Replication: Configures data replication from the branch office appliance to a central office rsync server. For more information on data replication, see "Replicating Branch Office Data to the Central Office," earlier in this chapter.

  • Local Backup: If you choose not to replicate data to the central office, you should configure a local backup/restore device and attach it to the branch office appliance so that data will be properly protected.

  • Import/Export Settings: Creates (exports) or imports a settings file that contains a branch office appliance configuration. These settings files can be used to store a specific configuration. They can also be used, after some modification, to configure another appliance with similar settings to those configured on the source appliance.

  • End User Web Access: Provides some basic portal configuration for the branch office appliance. You can customize the company logo that will appear on the branch office portal Web page, and define a set of shared Web links that will be accessible by all branch office users.

  • Portal Administration: This link will take you to more advanced portal configuration options from which you can customize most any aspect of the branch office appliance portal. As you will see, Branch Office leverages Novell Portal Services to provide its portal environment.

  • Printers: Lets you add, delete, modify, and manage branch office printers. Nterprise Branch Office leverages iPrint to deliver its print services. For more information on iPrint, see Chapter 7.

  • Printer Drivers: Lets you manage printer drivers available from the iPrint system.

  • Upgrade: Allows you to apply Novell appliance upgrade files to your branch office appliance.

As you can see, most of the configuration necessary to get your branch office appliance up and running is available from this page.

File Access

This page, shown in Figure 12.8, provides the branch office appliance administrator with access to the appliance's file system. As you can see from the left navigation frame, the same file management options are available for the branch office appliance as are used with a regular NetWare 6.5 server.

Figure 12.8. Nterprise Branch Office file access options from Branch Office Web Administrator.


From these pages you can manipulate folders and files, configure folder and file properties, configure user access rights, and recover deleted files. For more information on file access and security, see Chapter 6.

User Access

This page, shown in Figure 12.9, lets the branch office appliance administrator manage users and groups within the appliance environment, including creation, deletion, and modification of users and groups.

Figure 12.9. Nterprise Branch Office user access options from Branch Office Web Administrator.


From here, you can also reset user passwords if necessary. Users and groups on the branch office appliance function in exactly the same way as they do in a regular Novell network. For more information on users and groups, see Chapter 6.

Monitoring and Statistics

This page, shown in Figure 12.10, lets the branch office appliance administrator monitor appliance activity and performance, gather statistics on disk usage, and perform basic troubleshooting tasks should the need arise.

Figure 12.10. Nterprise Branch Office monitoring and statistics options from Branch Office Web Administrator.


Monitoring and statistics options are organized into five categories in the left navigation frame:

  • Status: The default page (see Figure 12.10) gives you a quick view of the status of the primary systems in the appliance so that you can be aware of any potential problems. Selecting any of the health indicators will show the characteristics included in the indicator.

  • Performance: Provides graphical views of CPU, memory, connection, and network performance over time. Click the appropriate link to view the performance of that appliance subsystem.

  • Storage: Provides graphical views of the various storage resources available to the branch office appliance, including data volumes and floppy drives.

  • Hardware: Provides basic configuration information concerning storage adapters, network adapters, CPU, and memory.

  • Tools: Provides three basic tools for testing your network environment, and provides information for troubleshooting problems in the branch office. The Ping utility lets you see if IP communications are occurring normally. Trace Route records the path of an IP packet from source to destination computer and displays the time necessary to make the trip. DNS Lookup lets you test the DNS environment to see whether addresses can be properly converted into IP addresses and vice versa.

NOTE

The branch office appliance also supports a command-line interface for use with Telnet sessions, and by those who are particularly masochistic. For more information on the command-line interface, and to see a list of valid commands, see the Nterprise Branch Office online documentation.


Nterprise Branch Office Portal

One of the easiest ways for users to access their data and resources on the branch office appliance is through the branch office portal (see Figure 12.11). Based on Novell Portal Services, the branch office portal is completely customizable, and provides Web-based, authenticated access to folders and files stored on the branch office appliance. As mentioned previously, you can customize the branch office portal to display company logos and deliver other common content such as shared files and shared Web links. You can make the branch office portal into a powerful desktop that provides users with everything they need to do their jobs.

Figure 12.11. Nterprise Branch Office portal interface.


To access the branch office portal, users simply point their Web browsers to the IP address or DNS name of the branch office appliance. You can configure the portal to accept either secure (HTTPS) or insecure (HTTP) connections. For example:

https://137.65.192.110

or

http://www.waltham.quills.com

For more information, see "Configuring Nterprise Branch Office," earlier in this chapter.



Novell NetWare 6.5 Administrator's Handbook
ISBN: 0789729849
EAN: 2147483647
Year: 2002
Pages: 172
