EMC-Isilon Connector Overview

Capabilities

File Access Manager can connect to EMC Isilon for:

Storage structure analysis.
Checking user permissions.
Data classification.
Performing access fulfillment.

Important

This connector does not support Isilon NFS.

File Access Manager provides full support for multiple-access zones, and full tenant isolation, across all its Isilon connector components.

Configuring Clusters with Multiple Access Zones

There are several methods of configuring File Access Manager to support Isilon clusters containing multiple access zones:

Separate application per access zone - This is the recommended configuration. Set up each access zone as a new application in File Access Manager, adding the access zone in the Connection Details page.
Single application for the entire cluster - Configure one application for the Isilon cluster, regardless of access zones.
- Leave the Access Zone field in the application configuration empty.

The File Access Manager configuration should mimic the way your organization uses the Isilon cluster and access zones. If you treat the access zones as different file servers - they should be configured as different applications in File Access Manager as well.

Connector Overview

For more information and a deep technical understanding of the EMC architecture and CEE, refer to EMC CEE version 7.0 using the Common Event Enabler for Windows.

CEE

The CEE service is the EMC gateway for auditing. The Isilon OneFS communicates with the CEE service to receive event notifications.

CEE & Activity Monitor

Every Activity Monitor can communicate with one or more CEE servers.
Every CEE service can be configured to work with a multiple Activity Monitor services.

Activity Monitor

File Access Manager Connector for EMC Isilon uses EMC CEPA over the Common Event Enabler Framework (CEE, formerly known as CAVA) infrastructure to retrieve audit events from Isilon to access both CIFS files.
Similarly, The connector uses the same CEE/CEPA architecture as the File Access Manager Connector for EMC Celera/VNX.
The Activity Monitor for EMC Isilon can be installed on the same server as other EMC Celera/VNX CIFS/NFS Activity Monitors, and communicate with the same CEE service.
The first Activity Monitor which is installed on a physical server creates the Activity Monitor service.
Unlike other File Access Manager Activity Monitors, all subsequent Activity Monitors will not create additional Activity Monitor services.
Every Activity Monitor that is installed adds a bamconfig.xml file under the Activity Monitor to add itself to the same service.

Important

The first Activity Monitor installed must be the LAST Activity Monitor uninstalled. If you uninstall the first Activity Monitor before uninstalling the other Activity Monitors, those Activity Monitors will not work, and it will not be possible to uninstall them.

Important

This connector does not support Isilon NFS.

Important

All activity monitors for access zones of the same cluster must be installed on the same File Access Manager server. Refer to Installing Activity Monitors for Access Zones of the Same Cluster for more details.

Permissions Collection Operation Principle

File Access Manager connects to the EMC Isilon OneFS shares and analyzes folders permissions.
File Access Manager utilizes the Isilon OneFS Platform API to gather local users, groups and share permissions.

Monitored Activities

The following activities are monitored by the EMC-Isilon connector:

Create File - A new file was created.
Create Folder - A new folder was created.
Create from Move - A Create Folder event generates this event on the newly created folder.
Create from Rename - A Rename Folder event generates this event on the newly created folder.
Delete File - A file was deleted.
Delete Folder - A folder was deleted.
Move File - A file was moved.
Move Folder - A folder was moved.
Permission Change File - A file’s permissions were changed.
Permission Change Folder - A folder’s permissions were changed.
Read File - A file was read.
Rename File - A file was renamed.
Rename Folder - A folder was renamed.
Write File - A file was modified.

Sample Architecture

In the schema below, the first physical Data Mover is configured to send events to CEE 1 & 2. CEE 1 & 2 are configured to send event notifications to the Activity Monitor.

The second physical Data Mover is configured to send events to CEE 2 & 3. CEE 2 & 3 are configured to send event notifications to the Activity Monitor.

CIFS Server 1
CIFS Server 2
NFS Export 1

The Activity Monitor monitors using CEE 2 & 3:

CIFS Server 4
CIFS Server 5
NFS Export 2

Multiple Access-Zone and Tenant Isolation Support

File Access Manager offers tenant isolation and full capabilities for multiple access-zones on Isilon Clusters. With the addition of the activity monitoring and permissions collection capabilities for multiple access-zones within an Isilon cluster and removing the dependency on the administrative (system)-zone-based OneFS API, each access zone within the cluster functions as an independent Isilon application within File Access Manager, with the complete set of File Access Manager capabilities.

This mode of access requires knowledge, connectivity and access rights of and to the managed access zone. This allows for a complete delegation of the configuration, administration and monitoring of an Isilon access zone to the tenant owner, and does not require centralized management. Tenant Isolation and management is critically valuable in multi-tenant hosted environments, where such isolation enhances data privacy and autonomous management.

The access zone and management API (optional) settings can be configured through the application configuration wizards.

With full tenant isolation, and full capability support for multiple access zones on the Isilon cluster, each access zone is treated as a separate entity.

Installing Activity Monitors for Access Zones of the Same Cluster

Due to limitations of the CEPA architecture, all activity monitor services, monitoring access zones of the same cluster, must be installed on the same File Access Manager Server.

The File Access Manager Isilon Activity Monitor is a multi-instance service, i.e. a single service serves multiple instances of the activity monitor, e.g., for the different access zones. As a result, only a single service will be created (and appear in the Windows Services list), however, this single service will create activity monitors instances for all the Isilon access zones it is configured to monitor.

There is no limitation to the number of clusters that can be monitor by a single File Access Manager service. Although all monitors for access zones of the same cluster must reside on the same File Access Manager server, activity monitors for other clusters and their access zones can also be installed on the same File Access Manager server, provided that sufficient resources are allocated for that machine.

We recommend that instances be added gradually, and resources be allocated appropriately to accommodate for the increase in activity volume, as the scope of the monitored environment grows, and more activity monitors are added to the server.

EMC-Isilon Installation Flow Overview

To install the EMC-Isilon connector:

Configure all the prerequisites.
dd a new EMC-Isilon application in the Business Website.
Install the relevant services:
- Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
- Permissions Collector
  
  If you are using EC2 login, the collector should be installed on the EC2 instance.
- Data Classification Collector

Important

Installing the permissions collector and data classification services is optional and should only be installed by someone with a full understanding of File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.