Prerequisites
Make sure your system fits the descriptions below before starting the installation.
Software Requirements
File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.
Configuring the CEE Service
Make sure that CEE is installed on a Windows machine in the domain, and that the logon user for the CEE services is an administrative user in the domain.
Supported Versions
Use the latest version of CEE.
Remote CEE
For enterprises with an existing central CEE infrastructure, where the Activity Monitor will be installed on a different server than the CEE service:
- On every CEE server, make the following changes in the registry:
  [HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
  Endpoint=whitebox@<File Access Manager Activity Monitor server ip address>
  Enabled=1
  If multiple monitor servers exist, the list should look like: whitebox@ip, whitebox@ip, ...
- Restart the EMC CEE service.
Local CEE (no central infrastructure)
When installing the CEE service and the Activity Monitor service on the same server:
- Install CEE Pack on the monitor server.
  The CEE service must be installed on a server in the same domain as the NAS server CEE server, otherwise the communication between the NAS server and the CEE service will fail.
- Make the following changes in the registry:
  [HKLM\Software\EMC\CEE\CEPP\Audit\Configuration]
  Endpoint=whitebox
  Enabled=1
- Set the logon user for the services to a user according to the “Permissions” section.
- Restart the EMC CEE service.
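A read-only check of the registry settings from the Remote CEE and Local CEE procedures, added here as an example and not part of the vendor documentation. It reports expected endpoints that are missing and any endpoint that is not on the expected list; the `-ExpectedMonitors` parameter name and the sample IP addresses are assumptions.

```powershell
# Added example (not vendor code): read-only audit of the CEE registry settings above.
# Assumption: -ExpectedMonitors lists the Activity Monitor IPs for a remote CEE
# setup; omit it for a local CEE setup, where the page expects Endpoint=whitebox.
param(
    [string[]]$ExpectedMonitors = @()   # e.g. '192.0.2.10','192.0.2.11' (constructed)
)

$key = 'HKLM:\Software\EMC\CEE\CEPP\Audit\Configuration'

if (-not (Test-Path -Path $key)) {
    Write-Error "Registry key not found: $key"
    exit 2
}
$cfg = Get-ItemProperty -Path $key

# Build the endpoint list the page prescribes for this deployment type.
$expected = @(
    if ($ExpectedMonitors.Count -gt 0) {
        $ExpectedMonitors | ForEach-Object { "whitebox@$_" }
    } else {
        'whitebox'
    }
)

# The page shows multiple monitor servers as a comma-separated list.
$actual = @(([string]$cfg.Endpoint) -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ })

$result = [pscustomobject]@{
    Key        = $key
    Enabled    = $cfg.Enabled
    Endpoint   = $cfg.Endpoint
    Missing    = @($expected | Where-Object { $_ -notin $actual })
    Unexpected = @($actual   | Where-Object { $_ -notin $expected })   # not in the expected list
}
$result | Format-List

# Non-zero exit lets a scheduled task or configuration scanner flag drift.
$ok = ($cfg.Enabled -eq 1) -and
      ($result.Missing.Count -eq 0) -and
      ($result.Unexpected.Count -eq 0)
if (-not $ok) { exit 1 }
```

Run it on each CEE server after the registry change and again on a schedule, so that an endpoint added outside the documented procedure shows up as `Unexpected`.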
Configuring Event Publishing in Unity
To enable event publishing on a share, event publishing must be enabled on both its NAS server and its file system, as described in the following sections.
Enabling Event Publishing in the NAS Server
- Open Unisphere and navigate to the File tab in the left pane under Storage.
- Select the NAS Servers tab.
For each NAS Server on which you wish to enable activities, do the following:
- Double-click the NAS Server.
  The Server’s properties appear.
- Open the Protection & Events tab, and choose Events Publishing in the left pane.
  The Events Publishing details appear.
- Check Enable Common Event Publishing.
  The New Event Pool window appears to create the first Event Pool.
- Select Add.
  The Add new server window appears.
- Fill in the Server name of the CEE service and select Add.
  The New Event Pool window reappears, with the servers listed.
- Select Add to add additional servers with CEE service.
- To configure the post events, select Configure next to Post Events.
  This opens the Configure PostEvents… window.
- Check the following Event Types:
  - OpenFileRead
  - CreateFile
  - CreateDir
  - DeleteFile
  - DeleteDir
  - CloseModified
  - RenameFile
  - RenameDir
  - SetAclFile
  - SetAclDir
- Select OK to return to the CEPA Properties window.
- Optionally, rename the Event Pool in the Name field.
- Select Configure to return to the NAS Properties window.
- Select Close.
Enabling Event Publishing in the File System
- Open Unisphere and navigate to the File tab in the left pane under Storage.
- Select the File Systems tab.
To enable activities for a file system:
- Double-click the File System to open the File System Properties window.
- Select the Advanced tab to open the Advanced Configuration tab.
- Check Enable SMB Events publishing and select Apply.
Permissions
File Access Manager requires different permissions, based on the tasks that require those permissions. The user configured in the Application configuration wizard must have the following permissions on the file server:
- Share Read permissions to all shares on the file server
- Full Control permission for each normalized folder
- Member of the local Backup Operators group on the file server
- Member of the local Administrators group on the file server
Why do we need this access?
The following detailed explanation describes the permissions required by each File Access Manager task:
- Activity Monitoring - No special permission is required, since the Activity Monitor service runs locally on the monitored service with Local System privileges.
- Crawling - The user must have Share Read permissions to all the shares on the file server.
  The user must be a member of the local Backup Operators group on the file server.
- Permission Collection - The user must have Share Read permissions to all the shares on the server.
  The user must be a member of the local Backup Operators group on the server.
  The user must be a member of the local Administrators group to read the Share Permissions, and the local Users and Groups of the server.
- Access Fulfillment - The user must have Full Control permission on the normalized folders to be able to set the permissions.
- Data Classification - The user must have Share Read permissions for all the shares on the server.
  The user must be a member of the local Backup Operators group on the server.
Communications Requirements
Requirement | Source | Destination | Port |
---|---|---|---|
File Access Manager Message Broker | Permissions Collector/Data Classification Collector | RabbitMQ | 5671 |
File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |
EMC CEE | EMC NAS server | CEE Server | RPC (135 + Dynamic) |
CEPA Events Push | CEE Server | File Access Manager Application | RPC (135 + Dynamic) |
Permissions Collector & Data Classification Analysis | Permissions Collector/Data Classification Server | Monitored server | CIFS/SMB (139, 445) |