Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

EMC Isilon

OneFS 7.1 and above.

EMC Common Event Enabler

CEE 6.5 and above.

Configuring the CEE Service

Connecting to a Remote CEE

For enterprises with an existing central CEE infrastructure, where the Activity Monitor will be installed on a different server than the CEE service:

  1. On every CEE server, open the registry and perform the following changes:

    [HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
    Endpoint=whitebox@<File Access Manager Activity Monitor server ip address>
    Enabled=1

    Note

    If multiple monitor servers exist, the list should look like: whitebox@ip, whitebox@ip, ...

  2. Restart the EMC CEE service.

Connecting to a Local CEE (No Central Infrastructure)

When installing the CEE service and the Activity Monitor service on the same server:

  1. Install CEE Pack on the monitor server.

    The CEE service must be installed on a server in the same domain as the physical data mover CEE server, otherwise the communication between the data mover and the CEE service will fail.

  2. Open the registry and perform the following changes:

    [HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
    Endpoint=whitebox
    Enabled=1

  3. Set the logon user for the services to a user according to the Required Permissions section.

  4. Restart the EMC CEE service.

Enabling CEE Using Isilon OneFS WebUI

  1. Select Cluster Management, then Auditing.

  2. Select Enable Protocol Access Auditing.

  3. Add the Access Zone(s) you want to audit.

Event Forwarding - Enter the uniform resource identifier (URI) where the CEE service is installed. The format of the entry is:

http://fully.qualified.domain.name:port/cee

Port - The default is 12228.

Storage Cluster Name - Enter the same Host Name as in the File Access Manager Application configuration wizard.

Enabling and Configuring Auditing Using CLI

Action | Command
Enable auditing | isi audit settings global modify --protocol-auditing-enabled on
Disable auditing | isi audit settings global modify --protocol-auditing-enabled off
Add access zone to audit | isi audit settings modify --audited-zones <ZONE>
View audit settings | isi audit settings global view

Auditing Event Configuration Using CLI

Action | Command
Enable specific audit events | isi audit settings modify --audit-success create,rename,delete,read,write,get_security,set_security
Enable all audit events | isi audit settings modify --audit-success all

To monitor all the activities listed under the Monitored Activities section, enable all audit events.
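The settings above can be verified after the change. This is an added example, not part of the original documentation or vendor code: a POSIX shell check that reads saved output of `isi audit settings global view` and reports where it differs from what this page asks for (auditing enabled, zone audited, forwarding URI in the `http://fqdn:port/cee` format, host name matching the storage cluster name). The field labels in the sample output, the host names and the function names are assumptions; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Field labels in the samples are assumed.

# Constructed output in the shape of `isi audit settings global view`.
SAMPLE_OK='Protocol Auditing Enabled: Yes
            Audited Zones: System, Finance
          CEE Server URIs: http://cee01.corp.example:12228/cee
                 Hostname: isilon-prod'
SAMPLE_BAD='Protocol Auditing Enabled: No
            Audited Zones: System
          CEE Server URIs: http://cee01:12228/cee, http://cee02.corp.example/cee
                 Hostname: isilon-prod'

# Format the page gives for Event Forwarding: http://<fqdn>:<port>/cee
URI_RE='^http://[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+:[0-9]{1,5}/cee$'

# field LABEL TEXT: print the value of the first "LABEL: value" line.
field() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 {
            v = substr(line, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}

# audit_findings TEXT ZONE CLUSTER_NAME: print one line per mismatch.
audit_findings() (
    text=$1 zone=$2 name=$3
    [ "$(field 'Protocol Auditing Enabled' "$text")" = "Yes" ] ||
        echo "protocol auditing is not enabled"
    case ",$(field 'Audited Zones' "$text" | tr -d ' ')," in
        *",$zone,"*) ;;
        *) echo "access zone '$zone' is not audited" ;;
    esac
    # Every forwarding URI must carry an FQDN and an explicit port.
    printf '%s\n' "$(field 'CEE Server URIs' "$text")" | tr ',' '\n' |
        while read -r uri; do
            printf '%s\n' "$uri" | grep -Eq "$URI_RE" ||
                echo "CEE URI '$uri' is not http://<fqdn>:<port>/cee"
        done
    [ "$(field 'Hostname' "$text")" = "$name" ] ||
        echo "hostname does not match storage cluster name '$name'"
)

audit_findings "$SAMPLE_BAD" Finance isilon-prod
```

An empty result means the saved settings match; each printed line names one setting to correct.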

Required Permissions

File Access Manager requires different permissions, based on the tasks that require those permissions. The user configured in the Application configuration wizard must have the following permissions on the Access Zone:

  • Share Read permissions to all shares

  • Full Control permission for each normalized folder

  • Member of the local Backup Operators group

  • Member of the local Administrator group

  • Permissions to access the OneFS Platform API

Adding Permissions

Add required permissions by creating a new role and associating the user with that role in one of the following ways:

Add Permissions via the Cluster Management Web Interface

  1. Log in to the OneFS Cluster Management Web interface and perform the following actions:

  2. Select Access > Membership and Roles.

  3. Select the Roles tab.

  4. Select the Create Role button.

  5. Enter a name for the Role (ex. FileAccessManager).

  6. Select the Add a member to this role button, and add the File Access Manager user which will be used in the Application configuration wizard.

  7. Scroll down and select the Add a privilege to this role button and add the following Privileges:

    • Platform API: Log in to the Platform API and WebUI – read_only Access

    • Auth: Configure Identities and authentication sources – read_only Access

    • Audit: Configure audit capabilities – read_only Access

    • SMB: configure SMB server – read_only Access

Add Permissions via the Cluster Management Shell

Run the following commands from the cluster management shell:

    isi auth roles create FileAccessManager
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_LOGIN_PAPI
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_SMB
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUTH
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUDIT
    isi auth roles modify FileAccessManager --add-user='<domain>\<user>'

Add Permissions via built-in roles

Associate the user with the SystemAdmin and SecurityAdmin built-in roles.

    isi auth roles modify SystemAdmin --add-user='<domain>\<user>'
    isi auth roles modify SecurityAdmin --add-user='<domain>\<user>'
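For the custom FileAccessManager role, the grant can be audited against the four read-only privileges listed on this page. This is an added example, not part of the original documentation or vendor code: a POSIX shell check that reads a saved `isi auth roles view FileAccessManager` listing and reports extra privileges, privileges that are not read-only, and missing ones. The listing layout (`ID:` and `Read Only:` lines), the member name and the function name are assumptions; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. The listing layout below is assumed.

# The four read-only privileges the page grants to the FileAccessManager role.
EXPECTED='ISI_PRIV_LOGIN_PAPI ISI_PRIV_SMB ISI_PRIV_AUTH ISI_PRIV_AUDIT'

# Constructed listing in the shape of `isi auth roles view FileAccessManager`
# for a role that has drifted from the documented grant.
ROLE_DRIFTED='       Name: FileAccessManager
    Members: CORP\svc_fam
 Privileges
             ID: ISI_PRIV_LOGIN_PAPI
      Read Only: True

             ID: ISI_PRIV_SMB
      Read Only: False

             ID: ISI_PRIV_AUTH
      Read Only: True

             ID: ISI_PRIV_IFS_BACKUP
      Read Only: True'

# role_findings TEXT: print one line per deviation from EXPECTED.
role_findings() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED" '
        BEGIN { n = split(want, w, " ")
                for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "ID:" {
            id = $2; seen[id] = 1
            if (!(id in need)) print "unexpected privilege: " id
        }
        $1 == "Read" && $2 == "Only:" && $3 != "True" {
            print "write access granted: " id
        }
        END { for (i = 1; i <= n; i++)
                  if (!(w[i] in seen)) print "missing privilege: " w[i] }'
}

role_findings "$ROLE_DRIFTED"
```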

Permissions Required for Each File Access Manager Task

The user must have the permissions listed below in order to perform these tasks:

  • Crawling - Share Read permissions to all the shares on the file server.

    Be a member of the local Backup Operators group on the Access Zone.

  • Permission Collection - Share Read permissions to all the shares on the Access Zone.

    Be a member of the local Backup Operators group on the Access Zone.

    Be a member of the local Administrators group to read the Share Permissions.

    Permissions to the OneFS Platform API to read the local Users and Groups.

  • Access Fulfillment - Full Control permission on the normalized folders to be able to set the permissions.

  • Data Classification - Share Read permissions for all the shares on the Access Zone.

    Be a member of the local Backup Operators group on the Access Zone.

Communications Requirements

Requirement | Source | Destination | Port
File Access Manager Internal Access | Application | File Access Manager servers | 8000-8008
File Access Manager Message Broker | Permissions Collector / Data Classification Collector | RabbitMQ | 5671
EMC CEE | EMC Isilon cluster | CEE Service | HTTP in the port defined under the prerequisites section
OneFS Platform API | Activity Monitor and Permissions Collector | EMC Isilon | HTTP+HTTPS * 8080
CEE Events Push | CEE Service | File Access Manager Activity Monitor | RPC (135 + Dynamic)
Permissions Collection & Data Classification | Permissions Collection service and / or Data Classification service | EMC Isilon | SMB

Important

For OneFS API state, the default port is 8080. The port is set by the administrator, and can be changed. Usually it will be 80, 8080 or 443. If this setting doesn’t work, consult your Isilon administrator.