Prerequisites
Make sure your system fits the descriptions below before starting the installation.
Software Requirements
File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.
EMC Isilon
OneFS 7.1 and above.
EMC Common Event Enabler
CEE 6.5 and above.
Configuring the CEE Service
Connecting to a Remote CEE
For enterprises with an existing central CEE infrastructure, where the Activity Monitor will be installed on a different server than the CEE service:
- On every CEE server, open the registry and make the following changes:
[HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
Endpoint=whitebox@<File Access Manager Activity Monitor server ip address>
Enabled=1
Note
If multiple monitor servers exist, the list should look like: whitebox@ip, whitebox@ip, ...
- Restart the EMC CEE service.
Connecting to a Local CEE (No Central Infrastructure)
When installing the CEE service and the Activity Monitor service on the same server:
- Install the CEE Pack on the monitor server.
The CEE service must be installed on a server in the same domain as the physical data mover CEE server; otherwise the communication between the data mover and the CEE service will fail.
- Open the registry and make the following changes:
[HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
Endpoint=whitebox
Enabled=1
- Set the logon user for the services to a user according to the Required Permissions section.
- Restart the EMC CEE service.
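The registry change in both procedures above (remote CEE with one or more Activity Monitor addresses, or local CEE with the bare whitebox endpoint) is easy to get wrong when several monitor servers are involved. The following PowerShell script is an added example, not part of the File Access Manager documentation or the EMC CEE product: it builds the Endpoint string in the format the text describes, writes both values, reads them back, and restarts the service. It assumes Endpoint is a REG_SZ value and Enabled is a REG_DWORD value, and the service name in $CeeServiceName is a placeholder that you must confirm with Get-Service on your own CEE server.

```powershell
# Added example (not from the File Access Manager documentation): configure the
# EMC CEE audit endpoint on a Windows CEE server and restart the CEE service.
# Assumptions: Endpoint is REG_SZ, Enabled is REG_DWORD, and the Windows service
# name in $CeeServiceName is a placeholder that must be verified with Get-Service.
param(
    # Activity Monitor server IPs. An empty list means CEE runs on the monitor
    # server itself, so the endpoint is the bare 'whitebox' name.
    [string[]]$MonitorServerIp = @(),
    [string]$CeeServiceName = 'EMC CEE Monitor'   # placeholder, verify locally
)

$key = 'HKLM:\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration'

# Build the endpoint string: 'whitebox' for a local CEE, or
# 'whitebox@ip1, whitebox@ip2, ...' for one or more remote monitor servers.
if ($MonitorServerIp.Count -eq 0) {
    $endpoint = 'whitebox'
} else {
    foreach ($ip in $MonitorServerIp) {
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
            throw "Not a valid IP address: $ip"
        }
    }
    $endpoint = ($MonitorServerIp | ForEach-Object { "whitebox@$_" }) -join ', '
}

# Create the key if it does not exist yet, then write both values.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'Endpoint' -Value $endpoint -Type String
Set-ItemProperty -Path $key -Name 'Enabled'  -Value 1         -Type DWord

# Read back what was written so the change can be checked before the restart.
Get-ItemProperty -Path $key | Select-Object Endpoint, Enabled

# Restart CEE so it picks up the new endpoint; warn instead of failing silently
# if the service name placeholder does not match this server.
$svc = Get-Service -Name $CeeServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$CeeServiceName' not found; restart the EMC CEE service manually."
} else {
    Restart-Service -Name $CeeServiceName
}
```

Run it from an elevated PowerShell session on each CEE server, for example `.\Set-CeeEndpoint.ps1 -MonitorServerIp 10.0.0.11,10.0.0.12` for the remote case or with no arguments for the local case. The read-back line is the check: if Endpoint does not show exactly the comma-separated whitebox@ip list, the Activity Monitor will not receive events.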
Enabling CEE Using Isilon OneFS WebUI
- Select Cluster Management, then Auditing.
- Select Enable Protocol Access Auditing.
- Add the Access Zone(s) you want to audit, and fill in the following fields:
Event Forwarding - Enter the uniform resource identifier (URI) where the CEE service is installed. The format of the entry is:
http://fully.qualified.domain.name:port/cee
Port - The default is 12228.
Storage Cluster Name - Enter the same Host Name as in the File Access Manager Application configuration wizard.
Enabling and Configuring Auditing Using CLI
Action | Command |
---|---|
Enable auditing | isi audit settings global modify --protocol-auditing-enabled on |
Disable auditing | isi audit settings global modify --protocol-auditing-enabled off |
Add access zone to audit | isi audit settings modify --audited-zones <ZONE> |
View audit settings | isi audit settings global view |
Auditing Event Configuration Using CLI
Action | Command |
---|---|
Enable specific audit events | isi audit settings modify --audit-success create,rename,delete,read,write,get_security,set_security |
Enable all audit events | isi audit settings modify --audit-success all |
To monitor all the activities listed under the Monitored Activities section, enable all audit events.
Required Permissions
File Access Manager requires different permissions, based on the tasks that require those permissions. The user configured in the Application configuration wizard must have the following permissions on the Access Zone:
- Share Read permissions to all shares
- Full Control permission for each normalized folder
- Member of the local Backup Operators group
- Member of the local Administrators group
- Permissions to access the OneFS Platform API
Adding Permissions
Add required permissions by creating a new role and associating the user with that role in one of the following ways:
Add Permissions via the Cluster Management Web Interface
Log in to the OneFS Cluster Management Web interface and perform the following actions:
- Select Access > Membership and Roles.
- Select the Roles tab.
- Select the Create Role button.
- Enter a name for the Role (for example, FileAccessManager).
- Select the Add a member to this role button, and add the File Access Manager user which will be used in the Application configuration wizard.
- Scroll down, select the Add a privilege to this role button, and add the following Privileges:
- ‘Platform API: Log in to the Platform API and WebUI’ – read_only Access
- Auth: Configure Identities and authentication sources – read_only Access
- Audit: Configure audit capabilities – read_only Access
- SMB: Configure SMB server – read_only Access
Add Permissions via the Cluster Management Shell
Run the following commands from the cluster management shell:
isi auth roles create FileAccessManager
isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_LOGIN_PAPI
isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_SMB
isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUTH
isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUDIT
isi auth roles modify FileAccessManager --add-user='<domain>\<user>'
Add Permissions via built-in roles
Associate the user with the SystemAdmin and SecurityAdmin built-in roles:
isi auth roles modify SystemAdmin --add-user='<domain>\<user>'
isi auth roles modify SecurityAdmin --add-user='<domain>\<user>'
Permissions Required for Each File Access Manager Task
The user must have the permissions listed below in order to perform these tasks:
- Crawling - Share Read permissions to all the shares on the file server.
Be a member of the local Backup Operators group on the Access Zone.
- Permission Collection - Share Read permissions to all the shares on the Access Zone.
Be a member of the local Backup Operators group on the Access Zone.
Be a member of the local Administrators group to read the Share Permissions.
Permissions to the OneFS Platform API to read the local Users and Groups.
- Access Fulfillment - Full Control permission on the normalized folders to be able to set the permissions.
- Data Classification - Share Read permissions for all the shares on the Access Zone.
Be a member of the local Backup Operators group on the Access Zone.
Communications Requirements
Requirement | Source | Destination | Port |
---|---|---|---|
File Access Manager Internal Access | Application | File Access Manager servers | 8000-8008 |
File Access Manager Message Broker | Permissions Collector / Data Classification Collector | RabbitMQ | 5671 |
EMC CEE | EMC Isilon cluster | CEE Service | HTTP on the port defined under the prerequisites section (default 12228) |
OneFS Platform API | Activity Monitor and Permissions Collector | EMC Isilon | HTTP+HTTPS 8080 * |
CEE Events Push | CEE Service | File Access Manager Activity Monitor | RPC (135 + Dynamic) |
Permissions Collection & Data Classification | Permissions Collection service and / or Data Classification service | EMC Isilon | SMB |
Important
* The OneFS Platform API port defaults to 8080. The port is set by the Isilon administrator and can be changed; it will usually be 80, 8080 or 443. If this setting doesn't work, consult your Isilon administrator.
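Before installation it is worth confirming that the firewall paths in the table above are actually open from the File Access Manager application server, rather than discovering a blocked port after the first failed collection. The following PowerShell script is an added example, not part of the File Access Manager documentation: it turns the table into a list of TCP checks and runs Test-NetConnection against each. The host names are placeholders to replace with your own; the OneFS API port defaults to 8080 per the note above; SMB is checked on its standard port 445 (the table names only the protocol). The RPC dynamic range and the Isilon-to-CEE path (port 12228) cannot be verified from this server and are left out.

```powershell
# Added example (not from the File Access Manager documentation): TCP preflight
# for the Communications Requirements table, run from the File Access Manager
# application server. All host names below are placeholders.
$famServers      = @('fam-app-01.example.internal')    # placeholder: other FAM servers
$rabbitMq        = 'fam-rabbitmq.example.internal'      # placeholder: RabbitMQ host
$isilonCluster   = 'isilon.example.internal'            # placeholder: Isilon cluster name
$activityMonitor = 'fam-activity-01.example.internal'   # placeholder: Activity Monitor host
$onefsApiPort    = 8080   # default per the Important note; may be 80 or 443 on your cluster

# Build the list of checks from the table. Only TCP ports that can be tested
# from this server are included; RPC dynamic ports and the Isilon -> CEE path
# (12228) must be verified from the cluster side.
$checks = @()
foreach ($s in $famServers) {
    foreach ($p in 8000..8008) {
        $checks += [pscustomobject]@{ Requirement = 'FAM Internal Access'; Target = $s; Port = $p }
    }
}
$checks += [pscustomobject]@{ Requirement = 'Message Broker (RabbitMQ)'; Target = $rabbitMq;        Port = 5671 }
$checks += [pscustomobject]@{ Requirement = 'OneFS Platform API';        Target = $isilonCluster;   Port = $onefsApiPort }
$checks += [pscustomobject]@{ Requirement = 'CEE Events Push (RPC)';     Target = $activityMonitor; Port = 135 }
$checks += [pscustomobject]@{ Requirement = 'SMB (Permissions / DC)';    Target = $isilonCluster;   Port = 445 }

# Run each check; Test-NetConnection reports TcpTestSucceeded per target/port.
$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Requirement = $c.Requirement
        Target      = $c.Target
        Port        = $c.Port
        Reachable   = $t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; open the listed ports before installing."
}
```

A successful TCP connect only proves the path is open; it does not confirm that the OneFS API accepts the File Access Manager user or that the port is the one your Isilon administrator configured, so a failure on the Platform API row is the cue to try 80 or 443 as the note above describes.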