
File Director. Deployment Best Practices


Academic year: 2021


www.ivanti.com | 801.208.1500

File Director

Deployment Best Practices


Contents

Appliance Configurations
Certificates
Exporting Certificates from Windows
Certificates with Windows 7
Map Point Configurations
HOME Map Point
Active Directory Settings
Appliance Backups
Cluster Configurations
Non-SSL Configurations
Windows Agent Configurations
Agent Settings
Auto Login Setting
Single Sign On (SSO)
Configuring SSO:
Non-SSL Configurations
Configuring HTTP connection:
In Location Sync (ILS)
Mapped Drives
Agent Configuration Template


Appliance Configurations

Certificates

A common challenge when configuring certificates is that the File Director appliance does not contain all the root and intermediate certificates by default. This can complicate the process of importing a certificate.

To simplify the process, first create the required web certificate in Windows and then export it to a PFX file.

Both the Ivanti Management Center and Personalization Server require IIS and are therefore a great place to create the certificate required in the deployment of File Director.

With the exported certificate, including all the required root and intermediate certificates, only a simple import will be required to install the certificate on the File Director Appliances.

NOTE: If you are clustering appliances, you only need to install the certificate on a single appliance, as the cluster services will replicate the certificate.

NOTE: The certificate will be stored in appliance backups.

Exporting Certificates from Windows

1. Open the certificate from either IIS or the local certificate store.

2. Go to the Details tab and select Copy to File…


3. As you click through the screens the following settings will need to be selected.

a. Ensure the Private Key is exported with the certificate.


b. Ensure the following settings are selected.


Certificates with Windows 7

Support for TLS 1.0 has become optional in File Director. This will cause issues if Windows 7 still exists in the environment. When File Director agents on Windows 7 connect to the appliance, they will receive an error. Windows 10 and web connections will work fine. The resolution is to install the following Microsoft KB fix and enable TLS 1.2 support on the endpoint:

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Map Point Configurations

When configuring Map Points, take note that variables such as %UserName% are case sensitive. If the case is incorrect, such as %username%, the Map Point will not map correctly and nothing will be displayed to the user.


When configuring Map Points, there are two specific sync options available - Automatic and Manual. It is recommended to use Automatic for all user home-based Map Points or Map Points that will host ILS (In-Location Sync) settings. This will ensure that the files are locally stored and ready for users at logon.


HOME Map Point

HOME is a reserved Map Point name. It can only be used by the Active Directory or OneDrive connector as configured in the Directory Services section, as seen below. When creating a Map Point manually, you will need to use a different name such as UserHome.

Active Directory Settings

When configuring the Active Directory connection, the HOME Map Point is configured by default to use the Active Directory setting for a mapped drive. If home drives are not controlled by Active Directory, then this setting will need to be set to NONE under the Home Map Point Source section.

NOTE: HOME is a reserved name and cannot be used for Map Points that are not either AD based or OneDrive based.

Appliance Backups

Appliance backups should be taken after initial setup and prior to any upgrades. If an appliance unexpectedly fails for any particular reason, the quickest recovery method is to upload a new VM, configure the networking, and restore the configuration settings from backup. Backups contain all required settings, excluding those related to clustering.


Cluster Configurations

When configuring clustering, it is recommended to configure clustering on a single File Director appliance first, including the connection to SQL, prior to adding additional appliances.

Appliance Configuration

o Cluster Name: a name that is required to match on all File Director appliances that will be a member of the cluster.

o Any Port between 49152-65535

When configuring clustering on the File Director appliance, a question may be displayed regarding resetting the counter. However, this should not apply when adding a new base image to a cluster; it should only occur if the node you are adding already has some configuration.

Normally, if changing from a standalone to clustered setup you would respond ‘No’ on the first node you use to create the cluster and then ‘Yes’ on subsequent nodes in the cluster so that they pick up the settings from the cluster.


SQL Requirements:

o Clustering requires a Microsoft SQL database.

o An empty database will need to be configured prior to setting up clustering.

o A local SQL service account will be required to connect to the database from the File Director Appliances.

o The SQL Service Account requires db_owner permissions to the database during initial configuration and during subsequent upgrades. After install and upgrades, db_datareader and db_datawriter are sufficient permissions.

Non-SSL Configurations

While not recommended for production deployments, a non-SSL configuration is possible. This removes the requirement for a valid certificate, but traffic between agents and the appliance is then sent unencrypted. It is done by enabling the HTTP Access feature in the Administrative Settings: check the box to Enable access over HTTP and then select Update to save the settings.

NOTE: See Non-SSL configuration in Windows Agent for correctly configuring the Windows Agent to support this functionality.


Windows Agent Configurations

Agent Settings

During the initial launch of the File Director agent on a Windows system, users will need to provide information for configuring the connection to the File Director Appliance as seen in the following screenshots.


All local agent settings are managed in the system registry. The information shown above can be pre-populated by setting the following registry values prior to first launch.

HKEY_CURRENT_USER\Software\AppSense\DataNow
REG_SZ "DataNowServer"="https://dn.acme.com"
REG_SZ "Username"[email protected]

NOTE: The base folder is the location where the user’s data will be stored locally. It is recommended to leave the user’s File Director folder in the default location.

Auto Login Setting

File Director can be configured to auto login after the initial login by configuring the following registry value.

HKEY_CURRENT_USER\Software\AppSense\DataNow REG_DWORD "DataNowAutoLogon"=00000001

NOTE: If Single Sign On (SSO) has not been configured the user will be prompted for the password during the first login. After the initial Login to File Director the user’s credentials will be stored in the local Microsoft Credential Manager and will be valid until the user’s password is changed.


Single Sign On (SSO)

Ivanti File Director supports Single Sign On (SSO). With SSO enabled, File Director will leverage the local credentials to authenticate. This prevents the user from ever getting a prompt for login credentials. If the user is not using domain credentials, the File Director login will fail and the user will be prompted for credentials to login.

When a user changes their password, the client will still have access to the files until the domain login token expires. At that point the client will check the local system for the updated credentials.

Configuring SSO:

Configure SSO by adding the following registry setting to the local machine.

HKEY_LOCAL_MACHINE\Software\AppSense\DataNow REG_DWORD "SSO"=00000001

It is also possible to set up Kerberos SSO (ticket forwarding) by setting the SSO registry value to 2.

NOTE: This requires that the appliance be configured with a valid Kerberos configuration.

Non-SSL Configurations

By default, the Windows File Director agent communicates via HTTPS over port 443. To leverage a Non-SSL connection with the Windows Agent, manual configuration is required. The easiest way to manage this is to set the correct registry values for the server and port to force the connection to HTTP over port 80.

Configuring HTTP connection:

The following registry settings are required for a Non-SSL agent configuration.

HKEY_CURRENT_USER\Software\AppSense\DataNow
REG_DWORD "DataNowPort"=00000050
REG_SZ "DataNowServer"=http://dn.landesk.com

Windows 7

Support for TLS 1.0 has become optional in File Director. This will cause issues if Windows 7 still exists in the environment. When agents from Windows 7 connect they will get an error. Windows 10 and web connections will work fine. The resolution is to install the following Microsoft KB fix and enable TLS 1.2 support on the endpoint:

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

See Certificates with Windows 7 for more information.
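
A pre-deployment check for the agent transport settings described under Non-SSL Configurations above. This is an added example, not part of the Ivanti document: the function names and finding codes are hypothetical, the first sample reuses values from this guide's template, and the other two are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches "Name"=dword:XXXXXXXX and "Name"="string" lines of a .reg export.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')

def parse_reg_values(text):
    """Return {name: int | str} for the dword and string values in .reg text."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m["name"]] = int(m["dword"], 16) if m["dword"] else m["str"]
    return values

def audit_transport(values):
    """Flag agent settings that force HTTP or pair a scheme with the wrong port."""
    server = values.get("DataNowServer")
    if server is None:
        return ["server-not-set"]
    scheme = urlsplit(server).scheme.lower()
    port = values.get("DataNowPort", 443)  # agent default: HTTPS over port 443
    findings = []
    if scheme != "https":
        findings.append("server-not-https")
    if port == 80:
        findings.append("port-80")
    if (scheme == "https") != (port != 80):
        findings.append("scheme-port-mismatch")
    return findings

# Values taken from the Agent Configuration Template in this guide.
TEMPLATE = '"DataNowPort"=dword:000001bb\n"DataNowServer"="https://ServerFQDN"\n'
# Constructed samples: a non-SSL configuration and an inconsistent one.
NON_SSL = '"DataNowPort"=dword:00000050\n"DataNowServer"="http://dn.example.test"\n'
MIXED = '"DataNowPort"=dword:00000050\n"DataNowServer"="https://dn.example.test"\n'

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE), ("non-ssl", NON_SSL), ("mixed", MIXED)):
        print(label, audit_transport(parse_reg_values(text)))
```

Running the check against every .reg file before it is imported into policy catches a lab HTTP setting that would otherwise reach production endpoints.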

In Location Sync (ILS)

In Location Sync, or ILS, is a mechanism to provide a user experience similar to folder redirection, but without the offline challenges. The main difference is that the data used in ILS is stored in the native locations such as My Documents and Desktop. This makes it easy to give the user the native experience intended by Microsoft. No longer do you need to tell users to save to mapped drives or worry about the problems that come from folder redirection with offline files. ILS is configured by setting the following registry value.

HKEY_CURRENT_USER\Software\AppSense\DataNow
REG_MULTI_SZ InLocationSyncFolders
/My Documents,%USERPROFILE%\Documents
/Desktop,%USERPROFILE%\Desktop

The value needs to be properly formatted to link the folder in the user’s profile to their File Director Map Point. The example above is in the format /<folder to sync>,<Folder location>

The default Map Point used for ILS is the HOME Map Point. See HOME Map Point in the Appliance configuration section above for more information on HOME. If you are going to be using a Map Point other than Home, then the PrivateMapPoint registry value must be configured in order to enable ILS.

HKEY_CURRENT_USER\Software\AppSense\DataNow REG_SZ "PrivateMapPoint"=/Map Point Name

NOTE: When ILS is configured, the Map Point will be hidden from the user and will not be visible in the File Director Folder.


Mapped Drives

In addition to ILS, Map Points can also be configured as Mapped Drives. For example, a user in the HR group might have a team share that is mapped as a U: drive. File Director can mimic this same functionality to present a Map Point to a user as a mapped drive, yet make it searchable when offline. Any previously synced files will also be accessible for opening. A Map Point can be configured to be presented as a mapped drive by setting the following registry value.

HKEY_CURRENT_USER\Software\AppSense\DataNow
REG_MULTI_SZ MappedDrives
H,HR
T,IT

The value needs to be properly formatted to set a Map Point as a mapped drive. The example above is in the format <Drive Letter>,<Map Point Name>

NOTE: When a drive mapping is configured for a Map Point, the Map Point will be hidden and not visible in the File Director Folder. It will only be visible as the mapped drive.


Agent Configuration Template

All required registry settings can be deployed using Ivanti Environment Manager (EM). The following starting data can be easily imported into Environment Manager Policy by performing the following tasks.

1. To create a template, save the below information to a .REG file.

2. Create a NODE in EM policy under the Pre-Desktop trigger.

3. In the action pane, right click and create a new registry action, and select Import a Registry File.

4. Once the settings are imported, update the settings as required to match the File Director environment.

NOTE: The below settings are a template and should be updated to the correct information prior to use.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppSense\DataNow]
"DataNowPort"=dword:000001bb
"DataNowServer"="https://ServerFQDN"
"DataNowAutoLogon"=dword:00000001
"MappedDrives"=hex(7):48,00,2c,00,48,00,52,00,00,00,44,00,72,00,69,00,76,00,65,\
  00,4c,00,65,00,74,00,74,00,65,00,72,00,2c,00,4d,00,61,00,70,00,50,00,6f,00,\
  69,00,6e,00,74,00,4e,00,61,00,6d,00,65,00,00,00,00,00
"Username"="%userdomain%\\%username%"
"PrivateMapPoint"="/MapPointName"
"DataNowRememberDetails"=dword:00000001
"InLocationSyncFolders"=hex(7):2f,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,\
  6d,00,65,00,6e,00,74,00,73,00,2c,00,43,00,3a,00,5c,00,55,00,73,00,65,00,72,\
  00,73,00,5c,00,25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,25,00,\
  5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,2f,00,44,\
  00,65,00,73,00,6b,00,74,00,6f,00,70,00,2c,00,43,00,3a,00,5c,00,55,00,73,00,\
  65,00,72,00,73,00,5c,00,25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,\
  00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00,00,00
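
The MappedDrives and InLocationSyncFolders values in the template are hex(7) data (UTF-16LE multi-strings), which is hard to review by eye. The following added example, which is not part of the Ivanti document, decodes and encodes such values and flags entries that do not match the formats given in the In Location Sync and Mapped Drives sections; the function names are hypothetical, and treating <Drive Letter> as a single letter is an assumption.

```python
import re

# MappedDrives value copied from the template above (line continuations kept).
TEMPLATE_MAPPED_DRIVES = r"""hex(7):48,00,2c,00,48,00,52,00,00,00,44,00,72,00,69,00,76,00,65,\
  00,4c,00,65,00,74,00,74,00,65,00,72,00,2c,00,4d,00,61,00,70,00,50,00,6f,00,\
  69,00,6e,00,74,00,4e,00,61,00,6d,00,65,00,00,00,00,00"""

# Entry formats from this guide; the one-letter drive rule is an assumption.
FORMATS = {
    "MappedDrives": re.compile(r"^[A-Za-z],[^,]+$"),       # <Drive Letter>,<Map Point Name>
    "InLocationSyncFolders": re.compile(r"^/[^,]+,.+$"),   # /<folder to sync>,<Folder location>
}

def encode_multi_sz(entries):
    """Encode strings as a .reg hex(7) value: UTF-16LE, each string
    NUL-terminated, with one extra NUL closing the list."""
    raw = b"".join(e.encode("utf-16-le") + b"\x00\x00" for e in entries) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def decode_multi_sz(value):
    """Decode a hex(7) value, ignoring .reg line continuations and whitespace."""
    body = value.split(":", 1)[1]
    tokens = re.sub(r"[\\\s]", "", body).split(",")
    raw = bytes(int(t, 16) for t in tokens if t)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def invalid_entries(name, entries):
    """Return the entries that do not match the documented format for `name`."""
    return [e for e in entries if not FORMATS[name].match(e)]

if __name__ == "__main__":
    drives = decode_multi_sz(TEMPLATE_MAPPED_DRIVES)
    print("decoded:", drives)
    print("needs fixing:", invalid_entries("MappedDrives", drives))
    print(encode_multi_sz(["H,HR", "T,IT"]))
```

Decoding the template as shipped shows that its MappedDrives value still carries a placeholder entry, which is the kind of leftover the NOTE above asks to be updated before use.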
