• Given the deployment schedule, for users in each fulfillment group:
• Distribute and install Groove software using engineered packages and delivery methods to the user fulfillment group.
• Create Groove identities from the list of qualified and approved Groove user candidates.
• Deliver basic end user training to users in the fulfillment group.
• Distribute ID activations to users in the fulfillment group.
Result
Performing the above tasks results in all users in each fulfillment group receiving Groove software and being able to log on to Groove and become active Groove users.
Deployment Process for Groove Onsite Servers
Groove Enterprise Planning and Deployment General Server Deployment Guidelines 73
If you decide to install Groove Enterprise Management and Relay Servers, and/or Groove component servers onsite at the enterprise, additional onsite server deployment steps are necessary, beyond the basic Groove deployment processes described above for hosted services. Bear in mind the following important aspects of any onsite relay-management server deployment:
• Servers must be deployed in a DMZ and allow external client access over port 80.
• Communications can be optimized by opening port 2492 to native Groove protocols.
• Servers can be secured by limiting administrative access to servers and by controlling port access.
Install (or upgrade) Groove servers and clients in this recommended order:
1. Enterprise Relay Servers
2. Enterprise Management Servers
3. Groove Client Audit Servers
4. Enterprise Data Bridge Servers
5. Groove Virtual Office clients
The flow chart below presents an overview of deployment activities in an environment of onsite Groove servers. Each activity in the chart is discussed in more detail in the sections that follow:
• Designing an Onsite Groove System
• Design the DMZ Network Infrastructure
• Plan the Enterprise Management Server Implementation
• Plan the Enterprise Relay Server Implementation
• Plan the Component Server Implementation
• Installing and Configuring the Servers
• Anti-Intrusion Hardening
• Acceptance-Testing the Production System
For details about installing and configuring an Enterprise Management Server (EMS) at your site, see the Groove Management Server Administrator's Guide. For detailed information about installing and configuring an Enterprise Relay Server (ERS) at your site, see the Groove Enterprise Relay Server Administrator's Guide.
Designing an Onsite Groove System
This activity involves assessing the expected Groove user community, existing network infrastructure, and operational requirements in order to design a suitable onsite system that may include DMZ infrastructure(s), Enterprise Management Server(s), Enterprise Relay Server(s), and Component server(s).
Tasks
• Create an architecture that may include:
• Data center - Server location(s) and user location(s)
• Intranet WAN, DMZ and Internet topology considerations
• Server types: EMS, ERS, and Component servers
• Capacity plan for each type of server vs. expected users
• Failover / Load Balancing
• Integration - SMTP, LDAP, DNS
Result
Performing the above task results in a basic Groove deployment architecture and plan that specifies the number and types of servers needed, their locations in the enterprise topology and their various integrations with existing systems.
Design the DMZ Network Infrastructure
This activity involves assembling the implementation details for locating the onsite servers in the enterprise DMZ. The design should address the requirements set forth by the enterprise architecture and incorporate current enterprise practices and security policies.
Tasks
• Review and incorporate enterprise practices and security policies for building DMZ systems into the design.
• Define Network / Firewall configurations and rules.
• Define a public-facing network.
• Define a private administrative network.
• Define the administrative VPN to private administrative network.
• Consider and design for secure back channel inter-server communications.
• Consider and design for intrusion detection system.
Result
Performing the above tasks results in a detailed design for securely implementing Groove onsite servers into the DMZ. Specific network topology, routing and firewall configurations, etc. are described in the design.
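The port guidance given earlier (external client access over port 80, optional port 2492 for native Groove protocols, administrative access limited) and the firewall-rule task above can be checked mechanically against a proposed rule set. The Python sketch below is an added example, not part of the Groove guide or any Groove tool; the administrative network range, the rule names and the sample rules are constructed assumptions, and back channel inter-server rules are left out of scope.

```python
import ipaddress

# Ports taken from the guide: 80 must be reachable by external clients,
# 2492 may be opened for native Groove protocols.
REQUIRED_PUBLIC = {80}
OPTIONAL_PUBLIC = {2492}

# Assumption: a hypothetical private administrative network (not from the guide).
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed inbound allow rules for one DMZ server: (name, source CIDR, port).
SAMPLE_RULES = [
    ("groove-http", "0.0.0.0/0", 80),
    ("groove-native", "0.0.0.0/0", 2492),
    ("rdp-admin-vpn", "10.20.0.0/24", 3389),
    ("rdp-anywhere", "0.0.0.0/0", 3389),
    ("rdp-office-lan", "192.168.0.0/16", 3389),
]


def audit(rules):
    """Return (rule_name, reason) for each deviation from the DMZ design."""
    findings = []
    open_to_all = set()
    for name, source, port in rules:
        src = ipaddress.ip_network(source)
        if port in REQUIRED_PUBLIC | OPTIONAL_PUBLIC:
            # Client-facing Groove ports may be reachable from anywhere.
            if src == ANY:
                open_to_all.add(port)
            continue
        # Every other port counts as administrative and must be sourced
        # from inside the private administrative network.
        if not src.subnet_of(ADMIN_NET):
            findings.append((name, f"port {port} allowed from {src}, outside {ADMIN_NET}"))
    # The design also fails if external clients cannot reach a required port.
    for port in sorted(REQUIRED_PUBLIC - open_to_all):
        findings.append(("(missing)", f"port {port} is not open to external clients"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule}: {reason}")
```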
Plan the Enterprise Management Server Implementation
This activity involves assembling the implementation details for the management server. It assumes the basic requirements defined in your Groove design plans (discussed above) and incorporates current enterprise practices for production servers operated in the DMZ.
Tasks
• Specify the Enterprise Management Server hardware.
• Specify the hard disk channel I/O and partitioning configurations.
• Specify the operating system version, service pack level, updates and patch requirements.
• For the Internet Information Server (IIS) and SQL 2000 servers - specify the software versions, service pack levels, updates and patch requirements.
• Specify the Audit Server hardware (if utilizing this application).
• Specify the operating system options to be installed.
• Specify the server software options to be installed.
• Specify the network interface card (NIC) configurations.
Result
Performing the above tasks results in a detailed design for implementing and configuring the Enterprise Management Server (and optional Audit Server) on the specified host hardware. The design includes explicit server specifications and configuration recommendations for the server hardware, operating system, Web server, SQL server and EMS.
Plan the Enterprise Relay Server Implementation
This activity involves assembling the implementation details for the relay server. It assumes the basic requirements as set forth by the enterprise architecture activity and incorporates current enterprise practices for production servers operated in the DMZ.
Tasks
• Specify the Enterprise Relay Server hardware.
• Specify the Hard Disk channel I/O and partitioning configurations.
• Specify the Operating System version, service pack level, updates and patch requirements.
• Specify the Operating system options to be installed.
• Specify the server software options to be installed.
• Specify the NIC configurations.
Result
Performing this activity results in a detailed design for implementing and configuring the Enterprise Relay Server on the specified host hardware.
Plan the Component Server Implementation
This activity involves assembling the implementation details for the component server. It assumes the basic requirements as set forth by the enterprise architecture activity and incorporates current enterprise practices for production servers operated in the DMZ.
Tasks
• Specify the Component Server hardware.
• Specify the Hard Disk channel I/O and partitioning configurations.
• Specify the Operating System version, service pack level, updates and patch requirements.
• For the IIS servers - specify the software versions, service pack levels, updates and patch requirements.
• Specify the Operating system options to be installed.
• Specify the NIC configurations.
Result
The result of the activity is a detailed design for implementing and configuring the component server on the specified host hardware. Explicit server specifications and configuration recommendations for the server hardware, operating system and component server are made. Using the information provided by this design, the server may be built.
Installing and Configuring the Servers
This activity implements the architecture and design for the onsite servers and their related DMZ network infrastructure. All specified onsite server and DMZ hardware and software must be available to complete this activity.
Tasks
• Build, install and configure the designed DMZ network infrastructures.
• Install and configure the Enterprise Management server(s) and associated SQL server in the respective DMZ infrastructures. (This process includes options for incorporating a company directory server and Groove Client Auditing Service into the system.) See the Groove Enterprise Management Server Administrator’s Guide for installation instructions.
• Install and configure the Groove Enterprise Relay server(s), and an XMPP Proxy Server if desired, in the respective DMZ infrastructures. See the Groove Enterprise Relay Server Administrator’s Guide for installation instructions.
• To support onsite Groove component services, install and configure any Groove Component Server(s) into the respective DMZ infrastructures. See the Groove Software Deployment Administrator’s Guide for installation instructions.
• To support Groove integration with other applications, install and configure the Groove Enterprise Data Bridge Server. See the Groove Enterprise Data Bridge Server Administrator’s Guide for installation instructions.
Result
Performing the above tasks results in a completely built and configured onsite server system that follows the planned architecture and design. This will become the operational production system for the enterprise upon successful system acceptance.
Anti-Intrusion Hardening
This activity involves analyzing the entire onsite server system with the goal of preventing and mitigating system intrusions. The activity investigates each server, the DMZ network infrastructure and the overall onsite system for intrusion susceptibility and proposes steps to identify and correct problems.
Tasks
• Check Service Packs, critical updates, patches, and related items.
• Uninstall unnecessary components.
• Disable unnecessary OS services.
• Harden logon accounts.
• Apply NIC protocol filters.
• Implement DMZ infrastructure restrictions and lock-downs.
• Check and tune intrusion detection system.
Result
Performing the above tasks results in a methodical anti-intrusion hardening of the onsite server system so that it may operate securely as a production service to the enterprise.
Once anti-intrusion hardening is completed, the system is ready for production acceptance testing.
Acceptance-Testing the Production System
This activity involves evaluating the overall functionality and production readiness of the onsite server system as it relates to the system's architecture and design.
Tasks
• Test EMS functionality.
• Test ERS functionality.
• Test component server functionality.
• Test system penetration (for all servers and DMZs).
• Test intrusion detection system (for all DMZs).
• Test full system (Groove virtual office software, EMS, ERS, component server, network infrastructure).
Result
Performing the above task results in a production-ready and fully operational onsite server system suitable for hosting the expected user community.
Groove Enterprise Planning and Deployment FAQs 79
FAQs
This section presents answers to questions commonly asked with regard to Groove client-server deployments in a business setting.
What impacts does a Groove deployment have on network performance?
A Groove system of clients and servers does not measurably disrupt network performance.
See “Network Topology and Groove” in the Site Planning section of this guide for a discussion of Groove interaction with other network devices and tools.
How is performance affected compared to browser-based systems?
A Groove system of clients and servers compares with most currently available browser or platform-based communications products in terms of bandwidth consumption and performance. See “Groove Bandwidth Usage” in the Site Planning section of this guide for a discussion of Groove performance and bandwidth usage.
Do all servers need to communicate with the Internet?
If you intend to support Groove users outside your local network or if you employ Groove Networks-hosted servers (or any other external Groove-related servers), at least some of your Groove servers must have Internet access. However, in closed network environments, when all Groove clients and servers are on a private network, Internet connectivity is not a requirement.
The following table summarizes when Internet access is required for the various servers (and client devices):
This Device Needs Internet Access:   If any of the following are external:
Management Server                    • Groove clients
                                     • Relay services (such as Groove-hosted)
                                     • Corporate directory (LDAP)
                                     • Component services (such as Groove-hosted)
                                     • Backup services
Relay Server                         • Groove clients
                                     • Component services (such as Groove-hosted)
                                     • Backup services
Should all machines be in a DMZ?
Yes, unless you are running Groove on a closed network, locating Groove servers - including management, relay, and data bridge servers - in a DMZ is highly recommended to protect the integrity of corporate data. Note that, if you employ Groove Hosted Management, Relay, or Component services, you need not be concerned with setting up a DMZ to support Groove.
How do I control network bandwidth utilization?
Groove management servers allow you to control overall Groove network bandwidth utilization within your organization via a device policy setting. However, bear in mind that Groove does not limit its use of communications bandwidth except when addressing the requirements of “sociable communications,” when bandwidth usage is determined by an internal optimization protocol. Typically, this policy should remain disabled or the value field left blank. Enabling the policy and specifying a value to limit Groove network bandwidth usage substantially impedes Groove performance. See the section on setting a Groove bandwidth limit for devices, in the Groove Enterprise Management Server Administrator’s Guide for more information on this topic.
How do I prevent virus propagation in a Groove client/server environment?
Groove virtual office software, as of version 3.0, automatically performs virus scanning on all files that pass through Groove. If Groove finds the file to be infected, it prohibits the file transfer.
In a business environment, installing anti-virus software on the management server (and client) machines is recommended. When installing anti-virus software, make sure to disable Script Blocking, as script blocking can impede proper management server operation.
Note that installing anti-virus software on a relay server machine can significantly impede relay performance and therefore is not recommended.