######################### 4 Cluster Administration ######################### To access your Cluster Administration features, log into the Web Portal on the server. **The description in this guide presumes that you are signed in as the Master Administrator** (aka., Cluster Administrator, Server Administrator). Some of the options listed may not be available if you are logged in with different permissions (e.g. Delegated Administrator). In this document the |prodname| will also be referred to as simply, Cluster Server. .. tip:: The Web Portal URL is the server’s DNS name, the IP Address or local host if you are on the server console. .. figure:: _static/image_ms_03.png :align: center **LOGIN SCREEN** .. note:: At the bottom of the Login screen, there is version information, which will be useful to see which version you have installed. **CLUSTER ADMINISTRATOR DASHBOARD** The following graphic shows the the Administrator Dashboard and its sub sections. Please refer to it as you read this guide to determine how to access and configure various features. After logging in, you will see the Cluster Administrator Dashboard. .. figure:: _static/image_ms_05.png :align: center **ALL SERVERS VIEW** After you are logged in, you will see all the servers in your environment, including the Triofox server and any other servers joined to the same domain as the configured Active Directory environment. .. figure:: _static/image_ms_06.png :align: center You can click on the file server(s) that you need to mobilize and enable secure remote access to. ******************* 4.1 File Servers ******************* **CHOOSE FILE SERVER(S)** Click the file server(s) that your users need to access from home or remote locations. It will list all the shares on that file server as show below: .. figure:: _static/image_ms_07.png :align: center Choose share(s) from the list of displayed shares: .. figure:: _static/image_ms_08.png :align: center **FILE SERVER SHARE OPTIONS** You have many options available to configure different settings for the file server shares you have chosen for remote access. **ACCESS CONTROL** In order to give access to users from home and remote locations, add groups (for example, Active Direcotory Security Groups) or individual users who need access. .. figure:: _static/image_ms_09.png :align: center *Allowed Users* Click the **+** icon to select users or groups. .. figure:: _static/image_ms_10.png :align: center You can select users or groups either by clicking on **Existing User/Group** option or by browsing to your Active Directory domain if you have already integrated your active directory environment. .. figure:: _static/image_ms_11.png :align: center *External Sharing* Under external sharing tab for the share, you can invite guest users to this share. Guest users have read and write permissions to the share. For every licensed user, you can create three free guest user accounts. .. figure:: _static/image_ms_12.png :align: center *Public Link(s)* You can also generate a public link which you can paste it in an email for distribution if desired. .. figure:: _static/image_ms_13.png :align: center For public links, you can click on the options gear icon to specify expiration and also make it 'View Only' in which case users will not be able to download the content. They can only view it inside the browser. .. figure:: _static/image_ms_14.png :align: center *Request a File* If there is a need to to just request files into a folder from external users who are not company employees, you can choose the 'Request a File' icon. This feature is great if the users just need to receive files into a folder from external non-company employees. Request a file from external users is free and unlimited. .. figure:: _static/image_ms_15.png :align: center When requesting files, you can also password protect the secure public link and also specify an expiration time. It is a good practice to password protect all public links and also let them automatically expire upon completion of tasks. You can also add some notes in the notes section to let the user know the intended purpose. The other two options are 'Only show upload box' which will only allow users to upload files into the link shared with them and 'Collect Uploader Information' which will force the recepients to also provide their names and company information before they are allowed to upload anything into the request folder link. .. figure:: _static/image_ms_16.png :align: center *Share (Invite)* You can also just share (invite) users to any share/folder also using the 'Invite' option. .. figure:: _static/image_ms_17.png :align: center You can share the folder with a single or multiple users and also add some notes in the 'Notes' section. .. figure:: _static/image_ms_18.png :align: center Some other options when sharing folders are shown in the screenshot below. For example, you can select an expiration time, make the share view/read only, view only, download only, or give the user full read and write permissions. You can also choose to password protect the share and subsribe to different notifications. .. figure:: _static/image_ms_19.png :align: center *Folder Permissions* Under folder permission you can define more granular permissions. Mostly you don't need to specify anything here for a file server share which already has security (NTFS) permissions assigned for the share. Triofox will read the security permissions directly from the share. You can specify granular permissions for normal folders if desired which are not joined to any Active Directory domain. .. figure:: _static/image_ms_20.png :align: center *Settings* You can change the display name for the share under the 'Settings' tab. .. figure:: _static/image_ms_21.png :align: center **ADDING SERVERS OR NAS DEVICES MANUALLY** If for any reason, your file servers are not discovered automatically after Active Directory integrations, then you can add them manually. You can also add your folders on NAS devices using the 'Add New Server' option on the dashboard. .. figure:: _static/image_ms_22.png :align: center Once you click on the 'Add New Server' selection, you will be taken to a page as show below where you can either add server manually or scan again to discover your file servers. .. figure:: _static/image_ms_23.png :align: center Clicking the 'Add New Server' option will take you to a screen where you can add your server name and user account which has access to that server. For NAS folders, you can just put in the IP address of the NAS device and user credentials. Once connected it will list all the available shares on the file server or the NAS device. .. figure:: _static/image_ms_24.png :align: center ******************* 4.2 User Manager ******************* In the right panel on your cluster admin dashboard, you will see 'Users' plugin to manage all your users. .. figure:: _static/image_ms_25.png :align: center Click the 'User' plugin to get into the 'User Manager' panel. .. figure:: _static/image_ms_26.png :align: center In the 'User Manager' panel, you can toggle the view to detail list or icon view by clicking on the view icon as show below: .. figure:: _static/image_ms_27.png :align: center You can also create a new user or migrate an existing user from your Active Directory domain by choosing the 'Create or Migrate User' icon. .. figure:: _static/image_ms_28.png :align: center You can also click the 'Refresh' icon to get an updated users list. .. figure:: _static/image_ms_29.png :align: center You have another icon which will allow you to 'Export Users' from 'User Manager', see all the disabled users, show users who have 2-FA enabled etc. .. figure:: _static/image_ms_30.png :align: center You can also use the search field to search for any user account. .. figure:: _static/image_ms_31.png :align: center You also have more selections for each user on the right for example, delete a user, storage usage details for a user, edit and other options. .. figure:: _static/image_ms_32.png :align: center ******************* 4.3 Device Manager ******************* As a cluster admin, you can also monitor all the devices which have been connected to your environment to access the data under 'Device Manager'. The 'Devices' plugin is in the right panel as shown in the screenshot below: .. figure:: _static/image_ms_33.png :align: center Click the 'Devices' plugin in the right panel to get into the 'Device Manager'. .. figure:: _static/image_ms_34.png :align: center Under 'Device Manager', you will see all the devices connected and found as shown in the screenshot below: .. figure:: _static/image_ms_35.png :align: center You can remotely wipe the data from a device or you can delete the device. These two features play a critical role to ensure that the admin has full control and visibility on all the devices that are in use. You can also disable a device using the on and off toggle button in the upper right on each device. .. figure:: _static/image_ms_36.png :align: center **Settings** There are more options available under settings for advanced device access controls. Click the 'Settings' icon to get into the page. .. figure:: _static/image_ms_37.png :align: center The options under 'Device Settings' are listed below: **Require approval for device access** - When a user attempts to log in from a new device via native client applications, the connection will be rejected until the cluster admin approves the new device. **Require Approval for device access from external networks** - When a user attempts to log in from a new device via native client applications from external networks, the connection will be rejected until the cluster admin approves the new device. **Enable auto-installation of the Outlook Plugin** - To enable auto-install of Microsoft Outlook plugin for users. **Create shortcut in documents library** - When enabled, the windows client will create a shortcut to the mapped drive in the documents library. **Create shortcut on Desktop** - When enabled, the windows client will create a shortcut to the mapped drive on the desktop. You can also download the clients from the 'Device Manager' page if desired. .. figure:: _static/image_ms_38.png :align: center The client downloads page lists all the clients available for downloads. .. figure:: _static/image_ms_39.png :align: center ******************* 4.4 Group Manager ******************* As a cluster admin, you can also manage groups native as well as Active Directory groups under 'Group Manager'. .. figure:: _static/image_ms_40.png :align: center Click 'Groups' in the right panel to get into the 'Group Manager' page. .. figure:: _static/image_ms_41.png :align: center Once inside 'Group Manager', you will see a list of groups already created or added. In order to see the users in a group, click the pencil icon on the right for the group. .. figure:: _static/image_ms_42.png :align: center It will give you a list of all the users in that group. .. figure:: _static/image_ms_43.png :align: center You can delete any user(s) inside a group by click on the delete bucket icon on the right next to the user(s). .. figure:: _static/image_ms_44.png :align: center You can also add more user to the group by clicking on the 'Add users to the group' icon on the right. .. figure:: _static/image_ms_45.png :align: center If there is a need to add any guest users to a specific group, you can do so by clicking 'Add Guest Users to the group' icon on the right. .. figure:: _static/image_ms_46.png :align: center In order to create a new group, click the 'Create New Group' icon in the upper left. .. figure:: _static/image_ms_47.png :align: center You can download all the groups as a *.csv.* file using the 'Download as a CSV file' icon. .. figure:: _static/image_ms_48.png :align: center Use the search icon to search for any groups. Searching is important if an organization has many groups and would just like to query a specific group quickly. .. figure:: _static/image_ms_49.png :align: center ******************* 4.5 Role Manager ******************* *Role Manager* is used to delegate administration controls to other members in the team and locking down the environment. For example, if you need to disable external sharing for a specific user or a group, you can create a role for that purpose. There are many lock down settings which can be enabled under roles. In order to get into the 'Role Manager', click on the 'Roles' icon in the right panel in cluster admin dashboard. .. figure:: _static/image_ms_50.png :align: center Once inside 'Role Manager', you can see a list of existing roles if already created or create a new role. .. figure:: _static/image_ms_51.png :align: center You can also export roles by using the 'Export Roles' icon. .. figure:: _static/image_ms_52.png :align: center You can also import roles using the 'Import Roles' icon. .. figure:: _static/image_ms_53.png :align: center In order to edit a role, use the pencil icon on the right for a specific role. .. figure:: _static/image_ms_54.png :align: center **Sharing Tab** Under the sharing tab for a role, you have some settings that can be enabled to control sharing options on the company data. .. figure:: _static/image_ms_55.png :align: center **Policies Tab** Polcies tab has a number of settings to lock down the environment. Some of the settings can be used to enforce a feature for specific users or groups, for example, 'Enforce 2-Step Verification on Users' which will force all the users to configure their 2-factor authentication. .. figure:: _static/image_ms_56.png :align: center **Assigned Users/Groups** You will see the users or groups assigned to the role under the 'Assigned Users/Groups' tab. .. figure:: _static/image_ms_57.png :align: center ************************ 4.6 Guest User Manager ************************ Guest user accounts can be created, deleted, and managed under the 'Guest User Manager'. Guest users are external users who have read and write permissions on the shares even though they are not company employees. Guest users accounts can be created by the admin or can be automatically created when initiating a share and choosing full read and write permissions for the share. .. figure:: _static/image_ms_58.png :align: center Click on the 'Guest Users' plugin in the right panel to get into the 'Guest User Manager' administration page. .. figure:: _static/image_ms_59.png :align: center ************************ 4.7 Reports ************************ **Triofox** has built-in auditing and reporting built-in. A cluster admin can look at different reports under 'Reports'. The cluster administrator can look at the environment specific reports for the entire cluster. .. figure:: _static/image_ms_60.png :align: center The Reports section has the following sub categories - Upload Report - Storage Statistics - Bandwidth Usage - Cloud Backup - Shared Objects - Audit Trace - File Change Logging - Folder Permissions - Distributed Locks - Pending Purged Folders .. figure:: _static/image_ms_61.png :align: center 4.7.1 Upload Report ^^^^^^^^^^^^^^^^^^^^^ Upload report tab shows you graphs for all the uploads that have taken place in the last sixty minutes, 24 hours, 30 days and a whole week. .. figure:: _static/image_ms_87.png :align: center UPLOAD REPORT 4.7.2 Storage Statistics ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Under storage statistics, you can see a quick overview of the overall storage statistics, size distribution file type distribution pie charts, and users who have used the most storage so far. .. figure:: _static/image_ms_88.png :align: center STORAGE STATISTICS REPORT 4.7.3 Bandwidth Usage ^^^^^^^^^^^^^^^^^^^^^^^^ This shows the overall bandwidth usage statistics as well as more granular tenant and user level statistics. .. figure:: _static/image_ms_89.png :align: center BANDWIDTH USAGE REPORT 4.7.4 Cloud Backup ^^^^^^^^^^^^^^^^^^^^^^^^ This shows the overall backup storage currently used. .. figure:: _static/image_ms_90.png :align: center CLOUD BACKUP REPORT 4.7.5 Shared Objects ^^^^^^^^^^^^^^^^^^^^^^^^ This shows all the files and folders that have been shared so far. .. figure:: _static/image_ms_91.png :align: center SHARED OBJECTS REPORT 4.7.6 Audit Trace ^^^^^^^^^^^^^^^^^^^^^^^^ This is a sample audit trace. Audit trace reports can be generated for an individual user, by the trace content, or by the action. For example, under action an admin can choose actions like 'Start Sharing', 'Delete User', and many other similar actions. .. figure:: _static/image_ms_92.png :align: center AUDIT TRACE REPORT 4.7.7 File Change Logging ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is a sample file change log report. File change log reports can be generated for an individual user, by the file name, or by the action. For example, under action an admin can choose actions like 'Add Comments', 'Create Folder', and many other similar actions. .. figure:: _static/image_ms_92.png :align: center FILE CHANGE LOGGING REPORT 4.7.8 Folder Permissions ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This shows all the permissions for all the folders. .. figure:: _static/image_ms_93.png :align: center FOLDER PERMISSIONS REPORT 4.7.8 Distributed Locks ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This shows all the locks on the files that are being currently edited by the users. .. figure:: _static/image_ms_94.png :align: center DISTRIBUTED LOCK REPORT 4.7.9 Pending Purged Folders ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This shows all the deleted content which will be purged. Deleted items are added here only after the retention policy period has been reached. .. figure:: _static/image_ms_95.png :align: center PENDING PURGED FOLDERS REPORT ********************************* 4.8 Active Direcotry Integration ********************************* You can integrate your existing Active Directory infrastructure by using the 'Active Directory' plugin in the right panel. Active Directory integration saves time by allowing users to automatically login with their existing Active Directory credentials. **Triofox** also maintains the existing NTFS security permissions on the shares. .. figure:: _static/image_ms_62.png :align: center In order to configure or make changes to Active Directory configuration, click the 'Active Directory' name to get into the Active Directory configuration page. .. figure:: _static/image_ms_63.png :align: center You can see the details of your Active Directory environment on the AD configuration page and to make changes click on the settings gear icon. .. figure:: _static/image_ms_64.png :align: center Once inside the settings page, you can change your domain controller server and specify the domain credentials which has access to the AD environment. You also have other settings that you can enable or disable if desired for example, publishing a Active directed user's home drive. .. figure:: _static/image_ms_65.png :align: center ********************************* 4.9 Single Sign-On ********************************* If there is a need to enable single sign-on, you can use the Single Sign On plugin in the right panel. .. figure:: _static/image_ms_66.png :align: center **Triofox** supports SAML integration with Azure AD, AD FS or other identity providers like Okta, OneLogin, Ping Federate etc. .. figure:: _static/image_ms_67.png :align: center You can also enable 'Personal Home Drive' for users so they can create folders and add content in their **Triofox** personal drive. This is different than the Active Directory Home Drive. .. figure:: _static/image_ms_68.png :align: center ********************************* 4.10 Ransomware Protection ********************************* Triofox adds ransomware protection and alerts to your file server. It will monitor the Triofox clients and automatically shuts them down if it sees a possible attack. It also sends an alert to the administrator when it detects the threat from the server-side and adds versioning and offsite or cloud backup of your file server, allowing you to recover from any attacks or accidental deletions. You can enable ransomware protection by enabling it in the right panel. .. figure:: _static/image_ms_69.png :align: center Once ransomware protection is enabled, click the settings icon to see more options. .. figure:: _static/image_ms_70.png :align: center Below is a list of all the additional ransomware settings that you can enable. .. figure:: _static/image_ms_71.png :align: center **“Only allow the following processes to access files (empty: allow all, separate using semicolon (;), i.e. winword.exe;excel.exe)”** If you want to only allow specific processes that users can access, you can specify them here. If left empty, all file types will be allowed. **“The following executables will not be allowed to open files directly from the cloud drive (i.e. qbw32.exe;excel.exe)”** If there are certain .exes that should not be allowed to open from the **Triofox** drive, you can add them here. **“Disable a device if the device changes more than n files in 10 minutes”** Specify the limit for the number of file changes from any device in this field. The default is 50. If any device tries to change more than 50 files in a period of 10 minutes, **Triofox** server will “Automatically take action and disable that device. **“Notify if more than n files changed in 1 minute”** You can specify how many files can be changed in one minute before an alert will automatically be sent to the cluster admin. The default is 100. **“Notify if more than n files are downloaded in 1 minute”** Specify a number in this for the amount of downloads before an alert should be sent to the administrator. The default is 1000. **"Ignore the following processes when applying the above policy (i.e. qbw32.exe; excel.exe)"** Input the processes where the above ransomware settings configured above should not apply. **"Disable uploading of files whose names contain the following text patterns i.e. badfile1;badfile2"** Add the files which contains certain file patterns which should be allowed to upload in this field. **"Disable uploading of files whose names start with the following strings i.e. bad1;bad2"** Specify the names of files which start with certain strings which should be disabled automatically from uploads. **"Disable uploading of files whose names end with the following strings i.e. bad1;bad2"** Input the filenames with certain ending strings which should be allowed to upload here. **"Disable client when upload is disabled"** When this setting is enabled, it will automatically disable the client. ********************************* 4.11 Cloud File Server ********************************* Cloud file server enables organizations to connect to data that is already in the cloud and present that data to users in a mapped drive on their desktops or on their mobile platforms. You can connect to many cloud storage services like AWS S3, Azure blob, Azure file shares, Wasabi, and many others. .. figure:: _static/image_ms_96.png :align: center In the screenshot below, you can see this environment has already attached data in AWS S3 and Azure blob. .. figure:: _static/image_ms_97.png :align: center In order to add a new cloud storage account, click the '+' icon in the upper right. .. figure:: _static/image_ms_98.png :align: center In the next panel, choose the cloud storage service that you would like to connect. .. figure:: _static/image_ms_99.png :align: center Then provide the Access keys and other details required to connect to the storage service. After that users who are given the access, will see the cloud data folders when they login. .. figure:: _static/image_ms_100.png :align: center In order to assign users to the cloud folders, click on the cloud folders. .. figure:: _static/image_ms_101.png :align: center Then you can go to the 'Access Control' tab and hit the '+' icon to add users. You can also define further restrictive granular permissions under 'Folder Permissions'. .. figure:: _static/image_ms_102.png :align: center