Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle, which consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Enabling the Audit Policy

File Access Manager relies on the standard Active Directory advanced audit. The advanced audit overrides the simple audit, making the latter obsolete. Be sure to migrate existing simple auditing to Advanced Auditing before proceeding.

Note

This guide does not cover complex GPO scenarios. Be sure that changes do not affect GPO precedence or corrupt other GPOs.

Apply the following in a Domain Controller GPO:

  1. Open the Default Domain Controller Policy.
  2. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  3. Set auditing to Success for the following settings:

    • Account Management > Audit User Account Management
    • DS Access > Audit Directory Services Changes
    • Logon/Logoff > Audit Account Lockout
    • Policy Change > Audit Policy Change
    • Policy Change > Audit Authentication Policy Change
    • Policy Change > Audit Authorization Policy Change

To enable login audits, set Audit Kerberos Authentication Service to Success under Account Logon.
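
To confirm that the GPO settings above actually took effect on a Domain Controller, the effective audit policy can be read back with auditpol. The script below is an added example, not part of the File Access Manager documentation or tooling. It assumes an elevated PowerShell session on the Domain Controller and an English-language Windows installation, because auditpol localizes subcategory names and setting values.

```powershell
# Added example: check that the effective advanced audit policy on this
# Domain Controller has Success auditing for the subcategories listed above.
# Assumptions: elevated session, English-language Windows (auditpol output
# is localized). The names below are auditpol's subcategory names, which
# omit the "Audit" prefix shown in the GPO editor.
$required = @(
    'User Account Management',
    'Directory Service Changes',
    'Account Lockout',
    'Audit Policy Change',
    'Authentication Policy Change',
    'Authorization Policy Change',
    'Kerberos Authentication Service'   # only required for login audits
)

# /r prints the effective policy as CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting
$raw = auditpol.exe /get /category:* /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed (exit code $LASTEXITCODE). Run from an elevated session."
}
$policy = $raw | Where-Object { $_ } | ConvertFrom-Csv   # drop blank lines first

$report = foreach ($name in $required) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        # "Success" and "Success and Failure" both satisfy the requirement
        SuccessOn   = $setting -like 'Success*'
    }
}

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.SuccessOn })
if ($missing.Count -gt 0) {
    Write-Warning ("Success auditing is not enabled for: " +
                   ($missing.Subcategory -join ', '))
}
```

auditpol reports the policy currently in effect, so run the check after the GPO has been applied to the Domain Controller (for example after gpupdate /force), and repeat it on each Domain Controller.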

Active Directory User Permissions

The Active Directory user configured in the Application configuration must be granted permissions to manage the audit settings of the domain objects, as well as to access the Domain Controller event logs.

To grant permission to manage auditing and security log:

  1. Open the Default Domain Controller Policy.
  2. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  3. Select Manage auditing and security log. Add the domain user to the Users/Groups list.

    Note

    The syntax of the user added to the list must be Domain\User.

  4. Add the user to the Event Log Readers security group.

Communications Requirements

| Requirement | Source | Destination | Port |
|---|---|---|---|
| File Access Manager Message Broker | Permissions Collector | RabbitMQ | 5671 |
| File Access Manager server access | Activity Monitor/Permissions Collector | File Access Manager Servers | 8000-8008 |
| Event log remote | Activity Monitor | All Domain Controllers | MS RPC (135) |
| SYSVOL access | Activity Monitor | All Domain Controllers | CIFS/SMB (139, 445) |
| Additional queries | Activity Monitor/Permissions Collector | All Domain Controllers | LDAP (389) |

The Remote Event Log Management (RPC) inbound allow firewall rule must be enabled on the Active Directory Domain Controller servers.