V11 SP8
Loading...

Configuration - Web Console - OnePass for Hitachi HNAS (BlueArc) and Isilon

The following sections describe the configurations required to provide end-users with the ability to access and manage their data from the Web Console or from the mobile application.

Adding a Domain

Note: If you have already configured a domain in the CommCell with single sign-on (SSO), the Tomcat service on the computer where the Web Console is installed must be restarted for SSO to work properly.

To allow Active Directory domain users access to the Web Console, provide the details to communicate with the Active Directory service provider so that they are maintained in the Web Server database for authentication purposes. Adding a new domain controller registers the domain with the Web Server.

Note: By default, the Kerberos protocol is used for single sign-on (SSO). If you use the NT LAN Manager (NTLM) authentication protocol, add the SecurityProtocol additional setting. For instructions on adding the additional setting, see Single Sign-On with the NTLM Authentication Protocol.

  1. Obtain the domain name and fully qualified domain name of the Active Directory server.
  2. Ensure that LDAP is configured on the Active Directory (AD) server:
    1. From the AD Server, select Start > Run.
    2. In the Run dialog box, type ldp and click OK.
    3. From the Connections menu, click Connect.
    4. In the Connect dialog box, enter information about the server:
      • In the Server box, type the name of the external domain server, for example, computer.domain.com.
      • In the Port box, type 636 as the port number for the external domain server.
      • Select the SSL check box to check for the proper certificate.
      • Click OK.

      When the LDAP is properly configured, the external domain server details are displayed in the LDP window. Otherwise, an error message appears indicating that a connection cannot be made using this feature.

  3. From the CommCell Browser, go to Security.
  4. Right-click Domains > Add new domain > Active Directory.
  5. In the Add New Domain Controller dialog box, enter the information about the domain controller:
    1. In the NetBIOS Name box, enter the domain name, for example, mydomain.
    2. In the Domain Name box, enter the Fully Qualified Domain Name (FQDN), for example, mydomain.mycompany.com.
    3. To allow users to automatically log on to the CommCell Console and Web Console, select the Enable SSO check box.
    4. Next to the User Account box, click Edit.
    5. In the Enter User Account Information dialog box, enter the user account information.

      The user account must have at least read access to the domain.

  6. Click OK.
  7. Restart the Tomcat service on the computer where the Web Console is installed.

    For instructions on restarting the Tomcat service, see Restarting a Service.

Single Sign-On with the NTLM Authentication Protocol

You can use single sign-on (SSO) with the NT LAN Manager (NTLM) authentication protocol.

  1. On the Web Console computer, add the SecurityProtocol additional setting:
    Property Value
    Name SecurityProtocol
    Category WebConsole
    Type STRING
    Value 2

    For instructions on adding the additional setting from the CommCell Console, see Add or Modify an Additional Setting.

  2. Restart the Tomcat services on the Web Console computer.

    For instructions on restarting the Tomcat service, see Restarting a Service.

Assigning Owner for Client Computers

By default, the following users are designated as owners of a client in the CommCell and will also be able to manage the client data using the Web Console:

  • Active Directory users who are member of the Local Administrators group of the client.
  • The user account used while registering a new client with the Register Me tool.
  • The user account used for installing the Laptop Backup package.

You can add other users as owners to a client computer to enable future backup and restore operations through the Web Console.

Use the following steps to include users who are not members of the Administrators group. These steps will add new owners to a client in the Laptop Backup group as example.

  1. From the CommCell Browser, expand the Client Computer Groups | Laptop Clients.
  2. Right-click the <Client> and then click Properties.
  3. Select the Security tab.
  4. Specify owner in the Client Owner box.

    You can specify the Active Directory user accounts or CommCell user accounts.

  5. Click OK.

Setting Up Permissions for End-Users

Before You Begin

On the Active Directory Domain, the external user group to which the user belongs must have Group Scope defined as Global:

  1. Go to Start > Administrative Tools > Active Directory Users and Computers.
  2. Right-click the external group and select Properties.
  3. From the Group Scope section, select Global and click OK.

Procedure

  1. From the CommCell Browser, go to Security > Domains > domain_name.
  2. Right-click External Groups and select Add New Group.

    The Add new External Group dialog box appears.

  3. In the General tab, click Browse and select the external user group to which the user belongs.
  4. To set the security for the external user group, do the following:
    1. Click the Associated Entities tab.
    2. Click Add.

      The Add Association dialog box appears.

    3. In the Entities section, select the client computers to be browsed.

      Note: Select entities at either the client or backup set levels. Subclient level browsing restrictions are not supported for Web Console.

    4. In the Roles section, in the Please select Role box, click Create Role.

      The New Role dialog box appears.

    5. Create a new role selecting the following permissions based on the type of users in the external user group:
      User Type Permissions
      end users
      • End User Access
      compliance search users
      • Browse
      • Compliance Search
      • In Place Recovery (to restore data)

      For information on creating a role, see Creating a Role.

    6. In the Please select Role box, select the new role.
    7. Click OK to save the security settings.
  5. Click OK to add the external group.

Ensure that all of the relevant domains (of which emails will be content indexed) are registered in the CommCell before running a content indexing job to avoid the duplicate entries of the users in the refinements and also to avoid the Globally Unique Identifier (GUID) instead of email address in the Custodian refinement.