
Enterprise Relay Server

Version 3.1


Copyright

Copyright © 2001-2005, Groove Networks, Inc. All rights reserved.

You may not reproduce or distribute any part of this document in any form or by any means, without the written permission of Groove Networks, Inc., nor may you use it to create derivative works.

Groove Networks, Groove, and groove.net are registered trademarks of Groove Networks, Inc. Groove Workspace and the interlocking circles design are trademarks of Groove Networks, Inc. Other product or company names may be the trademarks of their respective owners.

Use of Groove Networks, Inc. software is subject to the terms of a license agreement and applicable export and import restrictions. Restricted rights for U.S. government users. Groove Relay Copyright © 2001 - 2004 Groove Networks, Inc. All rights reserved. Use of this software is subject to the terms of a license agreement and applicable export restrictions. Restricted Rights for U.S. government users.

This product includes software used under license from third parties, including those parties identified by the following notices. Crypto++ Copyright © 1995-2000 by Wei Dai. All rights reserved. Copyright © 1995 Eric Young. All rights reserved. Copyright © 1992 Peter Gutmann. All rights reserved. Sleepycat Berkley DB Copyright © 1990-2001 Sleepycat Software. All rights reserved. Copyright © 1990, 1993, 1994, 1995 The Regents of the University of California. All rights reserved. Copyright © 1995, 1996 The President and Fellows of Harvard University. All rights reserved. Truerand Version 2.1 © 1995, 1996 by AT&T. International Components for Unicode Copyright © 1999, 2000, 2001 Compaq Computer Corporation, Copyright © 1999, 2000, 2001, Hewlett-Packard Company, Copyright © 1999, 2000, 2001 IBM Corporation, Copyright © 1999, 2000, 2001 Hummingbird Communications Ltd., Copyright © 1999, 2000, 2001 Silicon Graphics, Inc., Copyright © 1999, 2000, 2001 Sun Microsystems, Inc., Copyright © 1999, 2000, 2001 The Open Group. All rights reserved. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer <[email protected]>. All rights reserved. This software is based in part on the work of the Independent JPEG Group. Copyright © 1995 - 1998 Eric Young ([email protected]). All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright © 1998 - 2004 The OpenSSL Project. All rights reserved.


Table of Contents

Copyright ii
Table of Contents iii
Overview 1
Relay Server Functionality 1
Message Flow 2
Firewall Transparency 3
Disconnected Operation 4
Device Presence Detection 4
Fanout 4
Relay Client Provisioning via the Management Server 6
Groove Client Support 7
Multi-Relay Installation 7
Relay Server Architecture 7
Protocol Support 8
Message queue databases 9
Database management utilities 10
Relay Server Configuration Control Panel Applet 10
Relay Server Administrative Pages 11
The Relay Server Administrator’s Guide 11
Site Planning 12
Capacity Planning 12
Security 13
Network Requirements 13
Relay Server Best Practices 14
Server Failover 18
Installing and Configuring a Relay Server 19
Requirements 20
Hardware 20
Software 21
Groove Client Requirements 21
Expertise 21
Getting Help 21
Preparing the Network for a Relay Server 22
Installing the Operating System on the Relay Server Machine 22
Configuring the Platform for the Relay Server 24
Installing the Relay Server Software 30
Configuring the Relay Server 30
Relay Server Key Files 31
Identifying the Relay Server and Generating Relay Server Key Files 32
Generating SOAP Key Files 36
Setting Up SSL 37
Customizing Relay Server Security and Tuning Settings 39
Backing Up Initial Relay Server Key Files 41
Binding the Administrative Listener Ports to Specific NICs 41
Configuring Relay Service Startup, Recovery, and Error Detection 42
Configuring Startup and Recovery Options 42
Setting Up Error Detection 43
Starting the Relay Server 43
Setting Up the Enterprise Management Server 44
Managing a Relay Server 45
Starting and Stopping a Relay Server 45
Changing the Private Key Password 46
Tuning the Relay Server 46
Reviewing Registered Management Servers 47
Changing Relay Server Settings 47
Testing Relay Hardware Throughput with DBWritetest 47
Using the Relay Command Line 48
Managing Relay Server Databases 49
About Relay Server Databases 49
Purging Queues of Old Messages 50
Migrating Relay Server Data 51
Moving Queue Store Directories to Another Location 53
Backing Up Critical Relay Server Files 54
Backing Up Relay Server Key Files 54
Backing Up Relay Service Registry Settings 55
Backing Up Relay Server Database Directories 55
Recovering Data 57
Moving Relay Server Program Files to New Location 57
Blocking Remote Access to Administrative Web Pages 59
Configuring Bandwidth Usage Statistics 59
Using the Windows UserDump Service for Debugging 61
Uninstalling a Relay Server 62
Upgrading/Re-installing a Relay Server 62
Upgrading from ERS 2.5x to ERS 3.0 62
Upgrading a Relay Server (General Instructions) 67
Manually Re-installing a Relay Server 67
Monitoring a Relay Server 69
Viewing Relay Server Availability and State 69
Viewing Relay Server Administrative Web Pages 70
Accessing the Administrative Pages 70
Viewing Relay Statistics 71
Viewing User Accounts 73
Viewing Bandwidth Usage Statistics 74
Viewing Devices 77
Viewing Device Index 79
Viewing User Identities 81
Viewing Relay Queues 81
Viewing Queue Stores 82
Viewing Managed Users 82
Viewing Memory Logs 83
Viewing Event Logs 83
Monitoring Database Purges 83
Generating and Viewing Database Queue Reports 84
Customer Support Notification 85
Troubleshooting 86
Avoiding Problems 86
General Problems and Solutions 86
Event Log Errors 89
Glossary 92
Appendix A. XMPP Messaging 96
Overview of Groove XMPP Proxy Servers 96
Proxy Server Architecture 97
Proxy Server Functionality 98
Proxy Server Hardware/Software Requirements 100
XMPP Connection Security 100
Installing and Configuring the Proxy Server 101
Identifying the Proxy Server and Generating Proxy Server Key Files 102
Generating SOAP Key Files 105
Setting Up SSL 106
Enabling XMPP 108
Managing Proxy Servers 109
End User License Agreement 111

Overview

The Groove® Enterprise Relay Server (ERS) is a software application that lets you run and manage your own relay server (or servers) at your site, instead of depending on relay services hosted by Groove Networks®. Relay servers facilitate communications among Groove Virtual Office (formerly Groove Workspace) users in many ways, enabling communications across firewalls, offering temporary storage when users are offline, fanning out high-volume data transmissions, and providing alternative communications paths for clients operating over slow links.

Note: This guide also contains information about the optional Groove XMPP Proxy Server, which relies on the ERS model. See “Appendix A. XMPP Messaging” in this guide for a description of and configuration instructions for the XMPP Proxy Server.

The relay server application runs as a Windows service on a Windows server machine. Relay administration occurs through the relay server user interface and the Groove Enterprise Management Server with which it cooperates.

This overview provides background information about the following topics:

• Relay Server Functionality

• Relay Server Architecture

• The Relay Server Administrator’s Guide

For information about the Enterprise Management Server (EMS), see the Groove Enterprise Management Server Administrator’s Guide.

Relay Server Functionality

Groove relay servers provide services that support Groove platform communications. Groove Networks hosts these services from its headquarters, for users around the world. Companies can purchase dedicated Groove Enterprise Relay Servers to manage at their own sites.

Whenever possible, Groove transmits data directly from peer to peer, sending out individual packets of data from one Groove Virtual Office user to another. However, when firewalls and proxy devices block this direct communication, relay servers provide a way for peer transmissions to navigate these obstacles and reach their destinations. When data is addressed to a peer that cannot be reached directly (because the user is offline, for example), the relay’s store and forward service enables otherwise inaccessible peers to receive timely data. And, when conditions call for a relatively large amount of data to be sent to a number of users, Groove uses relay servers to fan out data transmission, reducing the amount of data an individual user sends across the network.

Any of the data types transmitted by the Groove client can be transported or stored by the relay server, including:

• Workspace and contact information, addressed to a specific device, identity, and workspace (device-targeted messages).

• Instant messages and workspace invitations, addressed to a specific identity (identity-targeted messages).

The relay server accepts Groove client and management server transmissions only; it does not initiate them. Client machines and the management server connect to the relay server to deposit and receive messages and data.

The following sections discuss the following aspects of relay functionality:

• Message Flow

• Firewall Transparency

• Disconnected Operation

• Device Presence Detection

• Fanout

• Relay Client Provisioning via the Management Server

• Groove Client Support

• Multi-Relay Installation

Message Flow

Relay servers operate between Groove clients, enabling peer communications even when security devices, network conditions, and system down time impede successful information exchange. Relay servers enable message transmission under these conditions in three stages, accepting messages from Groove clients, storing messages temporarily, then dispatching messages when their target clients contact the relay server for updates. Messages are dispatched to recipients over the same client port used for the initial relay contact and the relay enlists whatever protocols are necessary to allow messages through the ports that are open on the recipient’s network.

Each Groove user has an assigned relay server (or sequence of relay servers), which is noted in the user’s identity (contact or vCard) information. This relay server assignment occurs when users log in to the Groove Virtual Office (formerly Groove Workspace) application for the first time, or, in the case of managed users, when they become members of a domain defined on the management server to point to specific relay servers. When a Groove user sends a message across the Internet to a Groove contact that cannot be accessed directly, the Groove client software seeks the relay server specified in the intended recipient’s contact information. It then contacts the target relay and deposits the message in a queue associated with the recipient. When the intended recipient next contacts the assigned relay server for updates, it retrieves the message from the queue.

The following process occurs every time a Groove user (UserA) sends a message or workspace update to a peer (UserB) via the relay server:

1. Groove UserA sends an instant message or a workspace update to a relay server associated with UserB.

2. The relay server queues the message for UserB.

3. UserB contacts the relay server to collect any messages.

4. The relay server authenticates UserB and returns User A’s instant message or workspace update to UserB.

If the message is an instant message or workspace invitation, it is deposited on the first device found that UserB is logged into. If the message is a workspace update, it is deposited on the device specified in the relay queue entry.
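The four-step flow above, together with the dispatch rule for identity-targeted versus device-targeted messages, as an added example that is not Groove code. It models a relay that accepts and queues messages, authenticates the collecting device before releasing anything, routes on header fields only (the body stays opaque to the relay, as the Security section notes), and hands identity-targeted messages to the first logged-in device of the recipient. The challenge-response used for step 4 (an HMAC over a relay-supplied nonce with the shared key from registration), the class and function names, and all sample keys and messages are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict


class RelayServer:
    """Store-and-forward relay: accepts, queues and releases messages; never initiates."""

    def __init__(self):
        self.device_keys = {}                       # device_id -> shared secret from registration
        self.identity_devices = defaultdict(list)   # identity -> its devices, registration order
        self.online = set()                         # devices currently logged in
        self.device_queues = defaultdict(list)      # device-targeted: workspace updates
        self.identity_queues = defaultdict(list)    # identity-targeted: IMs and invitations

    def register(self, identity, device_id, shared_key):
        # Stands in for the first-contact key exchange; the key is kept relay-side.
        self.device_keys[device_id] = shared_key
        self.identity_devices[identity].append(device_id)

    def login(self, device_id):
        self.online.add(device_id)

    def enqueue(self, header, body):
        # Step 2: the relay routes on the header only; the body is opaque ciphertext to it.
        if header["kind"] == "device":
            self.device_queues[header["device"]].append((header, body))
        elif header["kind"] == "identity":
            self.identity_queues[header["identity"]].append((header, body))
        else:
            raise ValueError("unknown message kind")

    def _authenticate(self, device_id, challenge, proof):
        # Assumed mechanism: HMAC over a relay challenge with the registered shared key.
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def dequeue(self, identity, device_id, challenge, proof):
        # Steps 3 and 4: the recipient contacts the relay; nothing leaves a queue
        # until the device proves possession of its shared key.
        if not self._authenticate(device_id, challenge, proof):
            raise PermissionError("device authentication failed")
        delivered = self.device_queues.pop(device_id, [])
        # Identity-targeted messages go to the first device the identity is logged in on.
        first_online = next(
            (d for d in self.identity_devices[identity] if d in self.online), None)
        if first_online == device_id:
            delivered = delivered + self.identity_queues.pop(identity, [])
        return delivered


def client_proof(shared_key, challenge):
    """Client side of the assumed challenge-response."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def demo():
    """UserA deposits two messages for UserB, who has two devices; returns what each got."""
    relay = RelayServer()
    key_laptop, key_desktop = b"constructed-key-1", b"constructed-key-2"  # constructed sample keys
    relay.register("userB", "B-laptop", key_laptop)
    relay.register("userB", "B-desktop", key_desktop)
    # Step 1: UserA addresses an IM to the identity and a workspace update to one device.
    relay.enqueue({"kind": "identity", "identity": "userB"}, b"<encrypted IM>")
    relay.enqueue({"kind": "device", "device": "B-desktop"}, b"<encrypted workspace delta>")
    relay.login("B-desktop")
    relay.login("B-laptop")
    challenge = b"constructed-nonce"
    desktop = relay.dequeue("userB", "B-desktop", challenge, client_proof(key_desktop, challenge))
    laptop = relay.dequeue("userB", "B-laptop", challenge, client_proof(key_laptop, challenge))
    try:
        relay.dequeue("userB", "B-laptop", challenge, b"wrong proof")
        rejected = False
    except PermissionError:
        rejected = True
    return [body for _, body in desktop], [body for _, body in laptop], rejected


if __name__ == "__main__":
    print(demo())
```

The desktop collects only the workspace update addressed to it; the laptop, being the first registered device that is logged in, collects the instant message; a collection attempt with a bad proof releases nothing.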

Figure 1 presents a basic relay server setup for an enterprise with Groove users located at two sites.

Figure 1. Basic Relay Server Configuration

Firewall Transparency

Ideally, Groove communicates via its preferred and most efficient protocol - Simple Symmetric Transfer Protocol (SSTP) over port 2492. To support the transmission of Groove messages across firewalls that block port 2492 but allow HTTP traffic over port 80, relay servers encapsulate SSTP commands and messages within an HTTP data stream. Encapsulating SSTP involves wrapping each SSTP transmission, along with additional header information, in the body of an HTTP message. The additional header information allows compliance with SSTP delivery semantics. In this way, SSTP messages reach the target client over port 80. Similarly, if firewalls block these ports but allow SSL traffic over port 443, relay servers can transmit SSTP messages using the HTTP Connect method to enable communications over port 443.

Figure 2 shows how the relay server enables LAN endpoints behind firewalls to communicate over the Internet. Normally, the LAN IP addresses and protected locations of these endpoints would prevent them from recognizing each other. The relay server overcomes this condition by acting as an intermediary.

Figure 2. Relay Server Device Discovery

Disconnected Operation

The relay server provides store-and-forward services to collect and forward messages for Groove clients regardless of their connection state. Messages are held in queues until the relay is contacted by the Groove clients to whom the messages are targeted. This asynchronous communication enables continued operations among Groove collaborators even when some peers are offline.

Device Presence Detection

Relay servers use WAN Device Presence Protocol (DPP) to determine a device’s online status and the list of active Internet Protocol (IP) addresses for that device. This device presence (or ‘awareness’) service uses a publish and subscribe approach to making Groove users aware of the online/offline presence of their contacts.

Fanout

Groove expedites communications when transmitting large amounts of data, or when transmitting over a slow network link, by employing the relay’s fanout capability. Fanout is a process for conveying a stream of data from a Groove client to a relay server for replication and distribution, applicable when a Groove user sends a single workspace message (such as an invitation) or update to multiple recipients.

process by grouping messages according to the target relay of the various recipients. It then determines if fanout should be applied, based on a complex algorithm that considers the fanout capability of the sender’s device, the number of recipients, the amount of data being sent, and the sender’s line speed, among other factors. If fanout is merited, the client sends a single copy to each of the identified relay servers. The relay servers function like multicast routers, distributing copies of the message to each of the recipients. This process helps maximize the efficiency of communications links and minimizes bandwidth usage. This basic functionality, known as multi-drop fanout, is shown in Figure 3 below.

Single-hop fanout extends the multi-drop functionality to encompass multiple relay servers. When Groove 2.5 (or higher) is running with ERS 2.5 (or higher) and Groove resolves the fanout algorithm in favor of fanout, Groove sends a single copy of a message to the local home relay server which then groups copies of the message by recipient relay and distributes message copies to target users’ relay servers. This process, known as single-hop fanout, is shown in Figure 4 below. Note that single-hop fanout messages are not queued on the sender’s home relay server; they are sent to and stored on the target relay, or if the target relay is down, fanout messages are stored on the sending client device.

When fanout is not in effect, Groove sends a single message addressed to multiple recipients just as it would send multiple messages to multiple recipients, issuing separate transmissions for each copy of the message (whether a relay server is called for or not), as shown in Figure 5 below.

Figure 4. Single-Hop Fanout

Figure 5. Relay Transmission without Fanout

Relay Client Provisioning via the Management Server


site, provides an administrative interface for provisioning Groove users to specific relay servers and for managing relay servers in an enterprise. From the management server, the following administrative actions can be performed on relay servers:

• Registering a relay server, or series of relay servers, with the management server.

• Assigning the relay server(s) to domains.

• Assigning Groove clients to a relay server, or series of relay servers via their domain membership.

• Setting relay message retention time.

• Purging individual user message queues.

The management server communicates with the relay server via the Simple Object Access Protocol (SOAP). The management server always initiates communication with the relay server (the relay server does not initiate communication with the management server). For information about managing your onsite (managed) relay server via the management server, see the Groove Management Server Administrator’s Guide.

Groove Client Support

Groove clients must have access to a relay server in order to fully utilize Groove. By default, unmanaged users are automatically assigned to a Groove Networks relay server when they install Groove and create an identity. Managed users, defined by an onsite management server, gain their relay server assignments from their management domain. When a client device contacts the assigned relay server for the first time, a key exchange occurs between the client device and the relay, providing initial user authentication. The client has then registered with that relay server. Client keys are stored in a database located on the relay server. Groove clients are always assigned to specific relays; they are never directed to relay servers at random. A key exchange is always involved. In an enterprise environment, administrators assign Groove users to Enterprise Relay Servers using the Groove Enterprise Management Server (located on a separate server machine from the relays).

Multi-Relay Installation

Multi-relay installations enable more scalable relay support for a large client base and provide redundancy in case of equipment failure. Using the management server Web interface, administrators can assign multiple relay servers to a domain and prioritize them for use by domain members. When a Groove client sends to a domain member that has access to multiple relay servers, the client attempts delivery to the first relay in the series and if the server is down, it attempts delivery to the next relay in the series, and so on.
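The fanout modes from the Fanout section (no fanout, multi-drop, single-hop) and the relay failover order just described, as one added example that is not Groove code. It groups recipients by the first reachable relay in each recipient’s priority list, counts how many bytes the sender puts on its own link under each mode, and keeps entries on the sending client when no relay for a recipient is up. Groove’s actual fanout decision is not published on this page, so `should_fanout` is an assumed stand-in heuristic (fan out when the device can, there is more than one recipient, and sending every copy directly would occupy the sender’s link for more than a second); the class names, the sample relays and the 100 kB payload are constructed for the example.

```python
from collections import defaultdict


class Relay:
    def __init__(self, name, up=True):
        self.name = name
        self.up = up
        self.queued = []   # (recipient, payload size) entries this relay holds


def first_available(relays):
    """Multi-relay failover: walk the recipient's relays in priority order."""
    return next((r for r in relays if r.up), None)


def should_fanout(recipient_count, payload_bytes, line_speed_bps, device_supports_fanout):
    """Assumed heuristic; Groove's real algorithm weighs more factors than these."""
    if not device_supports_fanout or recipient_count < 2:
        return False
    return recipient_count * payload_bytes * 8 / line_speed_bps > 1.0


def choose_mode(recipient_count, payload_bytes, line_speed_bps,
                device_supports_fanout, single_hop_capable):
    """single_hop_capable: client and home relay are both 2.5 or higher."""
    if not should_fanout(recipient_count, payload_bytes, line_speed_bps, device_supports_fanout):
        return "none"
    return "single-hop" if single_hop_capable else "multi-drop"


def send(payload, recipients, mode, home_relay=None):
    """recipients: {identity: [Relay, ...]} in priority order.
    Returns (bytes the sender transmitted, recipients whose copy stayed on the client)."""
    size = len(payload)
    sent = 0
    held_locally = []
    groups = defaultdict(list)           # reachable relay -> recipients served by it
    for who, relays in recipients.items():
        relay = first_available(relays)
        if relay is None:
            held_locally.append(who)     # no relay up: copy stays on the sending device
        else:
            groups[relay].append(who)
    if mode == "none":
        for relay, members in groups.items():
            for who in members:          # one transmission per recipient
                relay.queued.append((who, size))
                sent += size
    elif mode == "multi-drop":
        for relay, members in groups.items():
            relay.queued.extend((who, size) for who in members)
            sent += size                 # one copy per distinct target relay
    elif mode == "single-hop":
        if home_relay is None or not home_relay.up:
            raise RuntimeError("single-hop fanout needs a reachable home relay")
        sent += size                     # one copy to the home relay only
        for relay, members in groups.items():
            relay.queued.extend((who, size) for who in members)  # forwarded, not queued at home
    else:
        raise ValueError(mode)
    return sent, held_locally


def demo():
    east, west, home = Relay("relay-east"), Relay("relay-west"), Relay("relay-home")
    down = Relay("relay-backup", up=False)
    payload = b"x" * 100_000             # constructed 100 kB workspace update
    recipients = {
        "u1": [east], "u2": [east],
        "u3": [down, west],              # first relay is down, fails over to west
        "u4": [down],                    # no relay reachable at all
    }
    results = {}
    for mode in ("none", "multi-drop", "single-hop"):
        for relay in (east, west, home, down):
            relay.queued.clear()
        sent, held = send(payload, recipients, mode, home_relay=home)
        results[mode] = (sent, len(east.queued), len(west.queued), held)
    mode = choose_mode(len(recipients), len(payload), 56_000, True, True)
    return mode, results


if __name__ == "__main__":
    print(demo())
```

In every mode the same entries end up queued on the target relays; what changes is the sender’s own transmission volume (300 kB, then 200 kB, then 100 kB here), which is exactly the saving fanout is meant to buy on a slow link.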

Relay Server Architecture

The relay server architecture includes the following basic elements:

• Protocol Support

• Message queue databases

• Database management utilities

• Relay Server Configuration Control Panel Applet

• Relay Server Administrative Pages

Protocol Support

The Groove relay server is implemented as a multi-protocol server platform. Among the supported protocols, Groove’s native Simple Symmetric Transmission Protocol (SSTP) across a TCP (port 2492) connection is the preferred protocol for Groove client-to-relay connections. If port 2492 is blocked by a firewall, Groove clients can also establish SSTP connections to a relay server over Secure Socket Layer (SSL) port 443. If port 443 is also blocked, Groove clients can encapsulate SSTP within HTTP, and connect to relay servers over port 80. However, these port 80 connections are less efficient, as the encapsulation and connection management of the HTTP connections results in significant overhead. Groove clients can also communicate to relay servers across proxies using SSL port 443 or HTTP port 80. To detect client online and offline status, relays also support Groove’s WAN Device Presence Protocol (DPP).

Like the Groove client, relay servers depend on SSTP for processing Groove messages, including Groove instant messages, workspace invitations, and workspace updates. SSTP is designed to augment standard transport protocols (such as TCP and UDP) with features such as multiplexed messaging to multiple devices over a single connection, efficient streaming of large messages, and application detection of connection outages. SSTP operates over TCP on the Internet Assigned Numbers Authority (IANA)-assigned port 2492. It supports bi-directional application-level connections between two machines. All Groove application-level protocols, such as workspace updates, instant messages, and presence notifications are generally based on SSTP messages.

The following table lists the relay server protocols and summarizes their functions:

Relay Protocols and Functions

Simple Symmetric Transport Protocol (SSTP) via TCP over port 2492; WAN Device Presence Protocol (DPP) over SSTP
Used to transport Groove messages. Inbound port 2492 supports:
• Groove message queues for identity and device targeted messages
• Fanout of SSTP message streams to multiple identities on the same relay server
• Device and user authentication for dequeuing SSTP messages
• WAN device presence detection (WAN DPP)
Outbound port supports:
• Single-hop fanout

SSTP over Secure Socket Layer (SSL) on port 443
Used to transport messages when SSTP transmissions over port 2492 are blocked by firewalls or for transmissions from Groove clients via proxies that support the HTTP Connect method. Inbound port 443 supports:
• HTTP Connect encapsulation of SSTP messages from Groove clients
• Firewall transparency (via SSL)

SSTP over Hypertext Transfer Protocol (HTTP) on port 80
Used to transport messages when direct SSTP transmissions are blocked by firewalls. Inbound port 80 supports:
• HTTP encapsulation of SSTP messages from Groove clients
• Firewall transparency (via HTTP)
Outbound port supports:
• Customer Support Notification (CSN)

HTTP over Secure Socket Layer (SSL) on administrative port 8010
Used to transport HTTP administrative requests to the relay server, secured by SSL technology. Inbound port 8010 supports:
• Relay server administrative Web interface.

Simple Object Access Protocol (SOAP) over administrative port 8009
Used to transmit relay server administrative settings from the management server to the relay server. Inbound port 8009 supports:
• Relay server administration from the Web-based Enterprise Management Server.

Message queue databases

The Groove Relay Server contains a transactional database system that stores basic user information (including authentication keys and identity information), queues of Groove device-targeted messages (updates to Groove workspaces), and queues of identity-targeted messages (instant messages and invitations). The size of these queues changes continuously as Groove clients deposit (enqueue) and retrieve (dequeue) messages.

The relay server stores all Groove message queues in a series of database files. These files reside by default in the FFQ database subdirectories of the relay server installation directory. User identity information, authentication keys, and other ‘metadata’ reside in another set of database files in the RQS subdirectories of the relay server installation directory.

The relay server creates these databases at startup, if they are not already present. It also pre-allocates a number of FFQ database files (Extents). The database system also creates transaction log files that are used to maintain the integrity of the relay server databases in the event of system failure. The relay server depends on these log files to recover message queues and other related databases when restarting after an outage.

Database management utilities

The relay server clears transaction logs and purges old message queues automatically. In addition, it provides utilities that enable relay server administrators to manually perform other relay queue management tasks. These utilities include the following:

• RQExport/RQImport - Allows server administrators to save and rebuild databases when necessary

• FFQBackup - Allows server administrators to ‘mirror’ all or selected queued data to another disk volume or another system.

• FFQRebuild - Allows server administrators to recover queued data after a catastrophic failure (such as disk failure).

Contributing to database management is the relay server’s administrative interface which enables administrators to start queue purge and compress cycles, as well as to generate detailed queue report files.

Relay Server Configuration Control Panel Applet

The relay server, which is installed as a Windows service, provides a control panel applet for configuring the relay server. The applet is accessible only when the relay server is NOT running.

From the applet’s configuration windows, administrators can configure various relay parameters, including the following:

• Defining relay server public and private keys for enabling communications with Groove clients.

• Defining SOAP keys for enabling communications with the Enterprise Management Server.

• Defining SSL keys for accessing the relay server administrative Web pages.

• Limiting SSTP message sizes.

Relay Server Administrative Pages

The relay server provides a set of administrative Web pages that are accessible whenever the relay server is running. From the site, administrators can do the following:

• View statistics that help monitor relay server health.

• Examine device, identity, and queue information.

• Generate reports.

• Manually purge and compress data queues, as necessary. (The relay server clears transaction logs and purges old message queues automatically.)

The Relay Server Administrator’s Guide

This Groove Relay Server Administrator’s Guide provides instructions for setting up and managing a relay server at your site. Information is categorized as follows:

• Overview - Provides a general description of the Groove relay server and its role in your network.

• Site Planning - Presents important site planning considerations and a discussion of “best practices.”

• Installing and Configuring a Relay Server - Outlines the procedure for installing and configuring a relay server and setting up relay server clients.

• Managing a Relay Server - Provides instructions for ongoing relay server management tasks, including disk management, tuning, and data backup.

• Monitoring a Relay Server - Describes how to monitor the relay server by checking relay server statistics, viewing relay server usage and availability reports, and purging databases of old data.

• Troubleshooting - Lists common problems related to the relay server and suggests ways to address them.

• Glossary - Defines terms used in this Guide.

• Appendix A XMPP Messaging - Describes optional XMPP Proxy Server functionality and configuration.

(17)

Site Planning

Many factors affect where and how you should position relay servers at your site. How many Groove users you intend to support, where your users are located geographically, your company’s security policies, how a relay server will interact with other nodes on your system, and existing network topology are some of the issues you should address before bringing a relay server and its supporting management server online in your organization. While Groove Networks recommends that you follow certain guidelines and best practices for optimizing the effectiveness of your installation, the specific conditions at your site will drive most of the decisions about relay server placement on your network. The site planning discussion covers the following topics:

• Capacity Planning

• Security

• Network Requirements

• Relay Server Best Practices

• Server Failover

You must install an Enterprise Management Server at your site to manage your onsite relay server(s). See the Groove Management Server Administrator’s Guide for specific information about Enterprise Management Server site planning.

Capacity Planning

Approximately 15 megabytes (~8 MB in, ~7 MB out) of data may pass through the relay server per user per day, based on Groove Networks’ average usage tests. Therefore, an environment of 3,000 concurrent Groove users would generate about 45,000 megabytes (45 GB) of data per day. The amount of data directed to the relay server depends on the amount of data being sent in each transmission, communications speed, whether clients are behind firewalls, and the state of client connections.

Plan on supporting a community of no more than 10,000 Groove users on a single relay server. However, actual limitations on relay capacity may be lower and you should monitor Groove client and relay performance to determine when additional hardware or software may be necessary. Work with your Groove Support representative to determine how to implement a relay configuration that accommodates Groove client traffic at your site. For more comprehensive coverage of Groove server capacity planning and related information, see the Groove Enterprise Planning and Deployment Administrator’s Guide.

Security

The relay server uses public key cryptography for initial authentication of devices and users via its primary protocol (SSTP), and for authentication of transactions received from the management server via SOAP. The relay server Web-based statistics interface is protected by the Secure Socket Layer (SSL) standard. In addition, the SSL port (8010) and the port used for SOAP transactions with the management server (8009) can both be secured by restricting access to these ports to a specific network interface card. Note that SSTP provides no protection against connection take-over, eavesdropping, or message modification, insertion, or deletion, as the Groove client software provides this protection.

Several features are built in to Groove relay servers that address specific security concerns. These include:

• Device authentication when dequeueing device-targeted data (including workspace and contact information) from the relay server.

• User account authentication when dequeueing identity-targeted data (including Groove instant messages and invitations) from the relay server.

• Server authentication when dequeueing both device-targeted and identity-targeted data.

The Groove client contains a list of Groove relay servers and the public key certificate of each relay server. Upon installation, the Groove software randomly selects a relay server from the list (or, in a managed environment, selects the assigned Enterprise Relay Server or Groove Networks-hosted relay server) and uses that relay server's public key to register the new account data. Henceforth, the software uses that relay server. User contact information includes the selected relay server's URL to establish a complete communication path for other Groove users.

When the Groove user account registers with a relay server, the account establishes a shared secret key with the relay server that provides a mutually authenticated link for all relay-to-client communication. The secret key shared solely with that user account over the life of the account prevents a false user or relay server from mounting a denial-of-service attack on the system.

The relay server can access only the message header information that is needed to locate devices (or a target device's relay server). Groove's end-to-end data encryption prevents the relay server from reading data inside messages (either update messages or instant messages).

In a managed environment, users are assigned to specific relay servers (installed onsite at an enterprise or hosted by Groove Networks). These relay servers are then subject to

Network Requirements

The relay server requires specific inbound ports to be open for client and management server transmissions. It requires only one outbound port to be open, for server status reporting. Other open inbound ports are highly recommended (and therefore listed here) but are not required.


Required inbound and outbound ports on the relay server are:

• Inbound port 2492 must be open for SSTP transmissions from Groove clients.

• Inbound port 80 must be open for SSTP over HTTP transmissions from Groove clients.

• Inbound port 443 must be open for SSTP transmissions from clients via proxies that support the HTTP Connect method and for clients that can directly access the server via port 443 (SSTP over SSL) but not 2492.

• Inbound port 8009 must be open on interfaces that the management server accesses to send transactions to the relay server. The management server sends these transactions using the Simple Object Access Protocol (SOAP).

• If the relay server is behind a firewall, the firewall’s outbound port 80 must be open for HTTP traffic, so that the relay server can communicate status information to www.groove.net.

The corresponding ports on firewalls and related devices must allow communications across these ports for transmissions to (and from) relay servers.

Recommended inbound port availability is as follows:

• Port 8010 should be open on administrative interfaces if you want to allow administrative access via a browser to view the relay server’s Web-based statistics pages. Communications on this port are protected via the Secure Socket Layer (SSL) standard.

In addition, DNS access must be enabled for Domain Name Service (DNS) lookup traffic. The server uses DNS to locate other relay servers and to communicate with servers hosted by Groove Networks.

Relay Server Best Practices

The location of specific relay servers at your site is largely governed by your security constraints. Based on its experience with deploying onsite servers that support Groove clients, Groove Networks can suggest ways to address some of these requirements, but they ultimately depend on your network setup and objectives.

As a general guideline, the objective is to logically locate the relay server on your network to allow the minimum number of Internet protocols through while meeting user demand. Figure 6 shows a network configuration that is suitable in typical corporate environments.


Figure 6. Typical Relay Server Setup in a DMZ

The following basic measures can help assure a reliable and secure installation:

• Locate the relay server in a DMZ or on an internal/external network boundary to provide basic relay security.

• When configuring a proxy server in a relay server environment, place TCP/443 and TCP/80 near the top of the protocol list, if the order affects the efficiency of the proxy server. The Groove client tries these protocols in the order shown here.

• Configure your external network interface cards to filter all but inbound TCP/IP traffic on ports 2492, 80, and 443.

• Port 8009 should be open for relay server management but assigned to a network interface card connected to a private internal network. You may want to block inbound port 8009 on the relay server external interface unless your management server is configured to access the relay server over an external interface (on the relay).

• Port 8010 should be open for access to relay server administrative Web pages. You may want to block inbound port 8010 on the relay server external interface unless you are using relay statistics interfaces to monitor the relay server over an external interface.


Note: If the relay server is behind a firewall, configure the firewall to allow traffic on port 8010 if you want to view statistics for a relay server outside of the firewall.

• Disable Windows Active Directory and other Windows services as these impact relay performance. The relay server utilizes the services of the Enterprise Management Server instead of Active Directory services.

• As a general guideline, install the platform and relay software on a clean machine. Do not try to install a relay server on a domain controller, Web server (such as IIS), or a machine with any client server application. Do not install the relay server on a machine where Groove is running.

• To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the relay server on a machine with redundant hard drive capability, typically a hardware RAID configuration. Also, provide backup power via an uninterruptable power supply (UPS).

• Installing anti-virus software on the relay server machine can significantly impede relay performance. When installing and configuring anti-virus software, disable Real-Time protection, at least on the FFQ and RQS directories.

• Configure your firewall and proxy ports to support your Groove client and relay server installations.
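A way to check that a deployed relay's port exposure matches the best practices above, as an added example that is not part of the Groove product or this guide. It assumes the interface addresses are passed on the command line and, by default, that the administrative ports 8009 and 8010 are blocked on the external interface; set ALLOW_EXTERNAL_ADMIN when EMS or statistics access does go over the external interface.

```python
"""Audit a relay server's TCP port exposure against the DMZ best practices
in this guide (example code added here, not part of the Groove product).

Default policy (assumed from the best-practices list):
  external interface: TCP 2492, 80 and 443 must accept connections;
                      8009 (EMS SOAP) and 8010 (statistics, SSL) must be blocked.
  internal interface: all five ports must accept connections.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports named in this guide, with the role each one plays.
CLIENT_PORTS = {
    2492: "SSTP",
    80: "SSTP over HTTP",
    443: "SSTP over SSL / HTTP CONNECT",
}
ADMIN_PORTS = {
    8009: "EMS SOAP transactions",
    8010: "Web statistics (SSL)",
}
ALLOW_EXTERNAL_ADMIN = False  # assumption: admin ports stay on the private NIC


def policy(role: str, allow_external_admin: bool = ALLOW_EXTERNAL_ADMIN) -> Dict[int, bool]:
    """Expected reachability per port for one interface role.
    True means the port must accept connections, False means it must refuse."""
    if role not in ("external", "internal"):
        raise ValueError(f"unknown interface role: {role}")
    expected = {p: True for p in CLIENT_PORTS}
    admin_ok = role == "internal" or allow_external_admin
    expected.update({p: admin_ok for p in ADMIN_PORTS})
    return expected


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. the port is exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int]) -> Dict[int, bool]:
    """Probe each port once and record whether it accepted the connection."""
    return {p: probe(host, p) for p in ports}


def evaluate(role: str, observed: Dict[int, bool],
             allow_external_admin: bool = ALLOW_EXTERNAL_ADMIN) -> List[str]:
    """Compare observed reachability against the policy for this interface.
    Returns one finding per deviation; an empty list means compliant."""
    names = {**CLIENT_PORTS, **ADMIN_PORTS}
    findings = []
    for port, must_accept in policy(role, allow_external_admin).items():
        if port not in observed:
            findings.append(f"{role}: port {port} ({names[port]}) was not probed")
        elif observed[port] and not must_accept:
            findings.append(f"{role}: port {port} ({names[port]}) is exposed but should be blocked")
        elif must_accept and not observed[port]:
            findings.append(f"{role}: port {port} ({names[port]}) is unreachable but required")
    return findings


def audit(external_host: str, internal_host: str) -> Dict[str, List[str]]:
    """Scan both interfaces and return findings keyed by interface role."""
    results = {}
    for role, host in (("external", external_host), ("internal", internal_host)):
        results[role] = evaluate(role, scan(host, policy(role)))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: relay_port_audit.py <external-address> <internal-address>")
    for role, findings in audit(sys.argv[1], sys.argv[2]).items():
        print(f"{role}: {'compliant' if not findings else ''}")
        for line in findings:
            print("  " + line)
```

Run it from a host that can reach both interfaces; a finding for 8009 or 8010 on the external interface means the administrative listener is reachable from outside the DMZ boundary.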

Groove operates with the security infrastructure of many WAN configurations, and within the constraints of firewalls, while assuring secure peer communications via the relay server. Where firewalls prevent direct peer-to-peer network connections between devices, the relay server creates a virtual peer-to-peer communications path between the devices. The following are some sample scenarios.

Figure 7 shows a scenario where devices A and B are on different networks, each protected by a firewall. Both firewalls are configured to allow outbound connections over ports 2492, 80, and 443, while blocking all inbound connections. In this scenario, devices A and B cannot establish peer-to-peer connections to each other because of the firewall policies. They can, however, establish port 2492 connections to a Groove relay server. The result is that Groove communication occurs via a relay server; clients will connect to the relay server over SSTP on port 2492.


Figure 7. Relay with Firewalls and Ports 2492, 80, and 443 Open

Another firewall configuration demonstrates the relay server’s protocol encapsulation scheme. Company networks often include firewalls that allow outbound connectivity to port 80 only. When SSTP outbound connections fail over ports 2492 or 443, the Groove client encapsulates SSTP within HTTP and reattempts the connection over port 80.

HTTP-encapsulated SSTP connections are initiated by Groove clients and established with a relay server. Like native SSTP connections, these connections enable virtual peer-to-peer communications via the relay server. However, because HTTP is stateless and cannot establish a true session, an HTTP-encapsulated SSTP connection uses an adaptive algorithm to maintain a virtual connection.

Figure 8 shows a scenario where devices A and B are on different networks, each protected by a firewall. Both firewalls are configured to block inbound and outbound connections over port 2492, and to allow outbound connections over ports 80 and 443, but block inbound connections over those ports. In this scenario, each company routes HTTP connections through an HTTP proxy and SSTP traffic is encapsulated in HTTP, then sent on to the relay server.


Figure 8. Relay with Firewalls and Ports 80/443 Open

Server Failover

In the unlikely event of relay server failure, a multi-relay installation can reduce the risk of interrupted or slowed communications within your Groove network. Using the Enterprise Management Server, administrators can prioritize relay servers assigned to a management domain. Managed Groove identities in the domain are then directed to a series of relay servers. If one relay is inaccessible for handling a message from a managed identity in the domain, the Groove client will contact the next relay in the list and attempt to queue the message on that relay.

In the event of disk failure, you can use the relay server’s FFQBackup and FFQRebuild utilities to reconstruct databases (as described later in this guide).

In addition, to protect your data and the server operating system from the effects of component failure, the relay and management server machines should be equipped with reliable redundant hard-drive capability, or other fault-tolerant technology.


Installing and Configuring a Relay Server

The Groove Enterprise Relay Server (ERS) is an application that lets you manage a relay server installed at your site. Relay servers facilitate communications by acting as a proxy for navigating firewalls, providing alternative communications paths for clients operating over dial-up modems or other slow links, offering temporary storage when users are offline, and fanning out data transmissions. The Enterprise Relay Server runs as a Windows service.

This document describes how to install and configure the Enterprise Relay Server software on a Windows server machine. The following sections explain how to configure the Windows operating system, install and configure the relay software, start up the relay server, and set up communications with the Enterprise Management Server.

For information about upgrading from a previous version of the Groove Enterprise Relay Server, see “Upgrading/Re-installing a Relay Server” in the Managing a Relay Server chapter of this guide.

Setting up a relay server at your site involves the following basic steps, each of which is described in detail in subsequent sections:

1. Checking Hardware and Software Requirements

2. Getting Help

3. Preparing the Network for a Relay Server

4. Installing the Operating System on the Relay Server Machine

5. Configuring the Platform for the Relay Server

6. Installing the Relay Server Software

7. Configuring the Relay Server (Generate relay server keys, Generate SOAP identity files, Configuring SSL, Customize security settings)

8. Backing Up Initial Relay Server Key Files

9. Binding the Administrative Listener Ports to Specific NICs (optional)

10. Configuring Relay Service Startup, Recovery, and Error Detection

11. Starting the Relay Server

12. Setting Up the Enterprise Management Server

The following sections describe these steps in detail.


Requirements

The following topics list the Enterprise Relay Server’s hardware, software, and client requirements:

• Hardware

• Software

• Groove Client Requirements

• Expertise

Note: Because the Enterprise Management Server requires IIS, which cannot coexist with the relay server, EMS should not be installed on the relay machine.

Hardware

The Enterprise Relay Server requires the minimum hardware listed in the table below. Recommended specifications appear where appropriate. Listed specifications apply generally to a community of 5,000 to 10,000 provisioned Groove users (approximately 3,000 concurrent Groove users).

Machine: Groove Enterprise Relay Server machine

Specifications (~3,000 concurrent Groove users):

• Dual-processor Intel® Xeon™ 2.4 GHz (or higher)

• 2 GB RAM (or higher)

• 250 GB RAID disk array, minimum; 350 GB RAID disk, recommended

• At least 2 network interface cards, 1 for internal connections and 1 for external connections (recommended for typical relay server setup in a DMZ)

• Caching Hardware RAID Controller, minimum; Write-Caching Hardware RAID Controller with battery backup, recommended. Either controller must support a throughput rate of 200,000 bytes/second, as verified by DBWritetest (see “Testing Relay Hardware Throughput with DBWritetest” in the Managing Relay Servers section of this guide).

• All Volumes, Database/Log, and Queue Store directories must be uncompressed, with a cluster size of 4,096 bytes (typical default). Volumes must be formatted as NTFS (network volumes are not supported). Verify volume setup with the relay server’s DBWritetest utility.

See “Testing Relay Hardware Throughput with DBWritetest” for information about running DBWritetest to qualify your hardware.

Note: IIS must not be installed on the relay server machine.

Note: The Groove client must not be installed on the relay server machine.

Machine: Management server

Specifications: Enterprise Management Server (EMS) machine, as specified in the Groove Management Server Administrator’s Guide


Software

You need the software listed in the following table to support the current set of ERS features:

For this Machine: Relay server

You Need this Software:

• One of the following:

> Microsoft® Windows® 2000 Server or Advanced Server, with Service Pack 4 (or later)

> Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Web Edition, recommended

• The following, as needed:

> Critical updates

> Security updates

• Internet Explorer 6.0 (or later)

• Groove® Enterprise Relay Server 3.0 (or later)

For this Machine: Enterprise Management Server

You Need this Software: Groove Enterprise Management Server 3.0 (or later), installed on a separate server machine as described in the Groove Management Server Administrator’s Guide.

For this Machine: Groove clients

You Need this Software: One of the following:

• Groove Workspace version 2.5 (or later)

Note: Installation and configuration of the Enterprise Management Server is best performed after configuring the relay server.

Groove Client Requirements

Clients must be running Groove version 2.0 or later and must be members of a management domain, as defined on the Groove Enterprise Management Server.

Expertise

To install and administer an Enterprise Relay Server, you need expertise in the following areas:

• Network topology

• Network security

• Windows server administration

• Configuring and running internet services

• Setting up Domain Name System (DNS) names

• Groove use

Getting Help

The relay server provides online Help with using the Relay Server Configuration Control Panel Applet.

To get help with configuring the relay server, do the following:

• Click the Help button on the lower right corner of any relay server configuration tab.

Preparing the Network for a Relay Server

To prepare your network to support a relay server, follow these steps:

1. Choose a Domain Name Service (DNS) host name for your relay server and report it to your DNS administrator, so that it can be registered with DNS.

2. Get a static Internet Protocol (IP) address for the server machine from the DNS administrator.

Note: Using a Dynamic Host Configuration Protocol (DHCP) address for this server machine is not recommended.

3. Set up any routes necessary to allow your relay server to be accessible to internal and external users (or just internal users if you will not be supporting external users).

Once you have prepared your network to support the relay server, install and configure the operating system platform on the server machine.

Installing the Operating System on the Relay Server Machine

Once you have prepared the network to support a relay server, you install and configure the Windows server platform on the relay server machine, as follows:

• Install the Windows Server software on a stand-alone machine (one that is not a domain controller).

• Allocate disk partitions for system information and data storage to optimize server efficiency.

• Include the components that will support and not conflict with the relay server software.

To install and configure the Windows platform to take maximum advantage of relay capabilities, use the following procedure:

1. On a server-level PC that meets the hardware requirements listed in the Requirements section of this guide, install the Windows Server on a 16-GB (or higher) C: drive partition.

Note: If you encounter difficulties setting up a system volume of 16 GB, consult your hardware vendor. You may need to expand the system volume after the operating system is installed. To support this expansion, you may also need to convert your system volume to the NT File System (NTFS) after the operating system is installed, or use a third-party partitioning application, such as PowerQuest VolumeManager.


Note: Install as a Windows stand-alone server. Do not join the server to a Windows Network domain.

2. Configure disk partitions as follows:

a. Set the system (boot) partition size to be three times the physical memory size, or 16 GB, whichever is greater.

b. Set the data partition to at least 36 GB.

The relay installer allows you to select the directories where the program, database, and log files will reside. Disk allocations vary, depending on the type and number of drives you have available for relay server operation. The goal is to achieve a high performance operational disk configuration. The following table provides an example of an optimal disk setup:

Drive | NTFS Partition | Size | Disk Channel | Contents

C: | Boot | 40 GB NTFS | Ch1, Disk1, RAID 0+1 | OS, Relay program

D: | CD-ROM | | IDE-internal (typically) | CD-ROM

E: | | 8 GB NTFS | Ch1, Disk1, RAID 0 | OS Swap

F: | | 300+ GB NTFS | Ch2, Disk2, RAID |


3. Install or omit Windows operating system components as follows:

Do NOT Install These Components:

Internet Information Service (IIS). The Groove Relay service listens on ports 80 and 443. IIS’s use of these same ports will conflict with the relay’s use of these ports.

Active Directory. The relay server utilizes the services of the Enterprise Management Server instead of Active Directory services. The presence of Active Directory services and other Windows services impedes relay server performance.

The following components should not be installed because they degrade relay server performance:

• Internet Mail Service/SMTP virtual server

• Content Indexing

• Transaction Service

• Message Queue Service

• Domain Name Service

• Dynamic Host Configuration Protocol (DHCP) Service

• WINS Service

Install These Optional Components as Needed:

• Terminal Services (for remote administration).

• Management and Monitoring Tools/Network Monitor Tools (for analysis of network packets).

• Remote Registry Service (for remote access to performance counters).

Configuring the Platform for the Relay Server

Now that you have installed the Windows server software with the necessary components, you can configure the Windows platform to support the relay server software. Platform configuration involves the following tasks, each of which is described in detail in the subsequent procedure.

• Set system startup and recovery options.

• Set virtual memory to maximize performance.

• Configure internal network connections to support TCP/IP.

• Configure external network connections to support TCP/IP with filtering, port restrictions, and any other security measures in place.

• Specify NT EventLog size and overwrite properties.

• Install system base symbols.

• Install system service pack symbol updates.

• Install User Dump service.

• Install latest Windows service pack.

• Install Windows critical and security updates.

• Configure registry settings to prevent memory fragmentation.

The following procedure describes each of the above tasks in detail.

1. Open the System control panel applet and click the Advanced tab.

2. Configure system startup and recovery options as follows:

a. Click the Startup and Recovery button, and enter the recommended values shown in the following table.

System Startup and Recovery Options: Value

Send an administrative alert: On

Automatically reboot: On

Crash Dump type: Complete Memory Dump

Dump File: %SystemRoot%\MEMORY.DMP

Overwrite any existing files: On

b. Click OK when you are finished.

3. Configure the system performance options as follows:

a. Click the Performance Options button.

b. In the ‘Optimize performance for’ field, select Background services.

c. Click the Change button to display the Virtual Memory options.

d. Set your virtual memory to be at least the size of the real memory available on your machine, but no more than half the available free space on your system partition. Typically, the setting should be between 1 and 8 gigabytes (GB).

e. Click OK when you are finished.

4. Configure each of the relay server’s internal network connections (network interface cards) as recommended below.

Note: The settings listed here are general guidelines only. Customize these settings based on your local network configuration. Microsoft leaves all ports open and unprotected (no lockdowns are in place), so consider your connection settings carefully. On an internal network, the settings described here are typically satisfactory, but if you need to further protect certain ports, you can provision and apply filters to them. However, blocking all ports on internal connections is not recommended, as it can disrupt communications between the relay and management servers.

a. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window. Then right-click on the internal connection that you want to edit and select Properties.

b. If the Client for Microsoft Networks component is not already present and enabled, add and enable it.

c. If the File and Printer Sharing for Microsoft Networks component is not already present and enabled, and you installed the Remote Registry Service listed in the operating system components table above, and if your company’s security policies allow this component, add and enable it. Otherwise, remove or disable it.

d. If the Internet Protocol (TCP/IP) component is not already present and enabled, add and enable it.

e. If you installed the Network Monitor Tools above, add and enable the Network Monitor Driver component.

f. If you enabled File and Printer Sharing, enable NetBIOS over TCP/IP by clicking Internet Protocol (TCP/IP), clicking the Properties button, clicking the Advanced button to open the Advanced TCP/IP Settings window, clicking the WINS tab, and then selecting the Enable NetBIOS over TCP/IP radio button.

g. Click the DNS tab and make any changes necessary to your network configuration.

h. Click the IP Settings tab and make any necessary changes.

i. Click OK until you return to the Network and Dial-Up Connections window.

5. Configure each external network connection on the relay server as follows:

Note: Customize these settings based on your local network configuration. Microsoft leaves all ports open and unprotected (no lockdowns are in place), so consider your connection settings carefully. The settings cited below are general guidelines.

a. Right-click on My Network Places, select Properties to open the Network and Dial-Up Connections window, and right-click on the external connection that you want to edit.

b. Remove or disable the Client for Microsoft Networks component.

c. Remove or disable the File and Printer Sharing for Microsoft Networks component.

d. If you installed the Network Monitor Tools above and if your company security policy allows, add and enable the Network Monitor Driver component.

e. If the Internet Protocol (TCP/IP) component is not already present and enabled, add and enable it.

f. Disable NetBIOS over TCP/IP by clicking Internet Protocol (TCP/IP), pressing the Properties button, clicking the Advanced button to open the Advanced TCP/IP Settings window, clicking the WINS tab, and then selecting the Disable NetBIOS over TCP/IP radio button.

g. Configure TCP/IP Filtering controls by clicking the Options tab, selecting TCP/IP Security, pressing the Properties button, and entering the following settings:

Security Properties: Value

Enable TCP/IP Filtering (All adapters): Click-check this box to configure all network interface cards on your network.

TCP Ports: Click Permit Only and specify the following ports:

• 80 - Inbound port 80 is used to transport HTTP-encapsulated SSTP messages from Groove clients when direct SSTP transmissions are blocked by firewalls. A corresponding outbound port is used to support Customer Support Notification (CSN). For information about CSN, see “Customer Support Notification” in the Monitoring a Relay Server section of this guide.

• 2492 - Inbound port 2492 must be open to receive SSTP messages from Groove clients. A corresponding outbound port must be open to support single-hop fanout, where relay-to-relay communication takes place. For more information about single-hop fanout, see “Fanout” in the Overview section of this guide.

• 443 - Inbound port 443 is used by Groove clients and relay servers to transport messages when SSTP transmissions over port 2492 are blocked by firewalls.

• 8009 (only if external access from the Enterprise Management Server is necessary) - Inbound port 8009 is used to support administration of the relay server by the Enterprise Management Server. You may want to secure this port by restricting it to a specific network interface card, as described later in these procedures (in the section “Binding the Administrative Listener Ports to Specific NICs”). If the relay server and EMS will not be communicating via the external interface, do not include this port in the list.

• 8010 (only if external access to the relay server administrative Web pages is necessary) - Inbound port 8010 is used to allow administrators to view Web pages that report relay server statistics and to allow other administrative tasks such as database purging. You may want to secure this port as described for port 8009.

UDP Ports: Click Permit All.

IP Protocols: Click Permit Only and specify the following protocols:

6 - Supports Transmission Control Protocol (TCP).

17 - Supports User Datagram Protocol (UDP), allowing user name-service access. This setting is required for the relay’s single-hop fanout and Customer Support Notification (CSN) features. In single-hop fanout, the relay responds to a UDP query from the sending client and fans out a message to its destination relays over the same random port chosen by the Groove client when initiating the send.

Note: If you need to block Internet Control Message Protocol (ICMP) traffic (to prevent external users from pinging your servers) along with TCP/IP filtering, you must configure IP packet filters through Routing and Remote Access. For more information about IP packet filters, refer to Microsoft documentation, available at http://

h. Click OK to return to the Advanced TCP/IP Settings window.

i. Click the DNS tab and make any changes necessary to your network configuration.

j. Click the IP Settings tab and make any necessary changes.

k. Click OK until you return to the Network and Dial-Up Connections window.

6. Set the properties for each Windows Event Log (application, security, and system logs) by clicking Start --> Program Files --> Administrative Tools, launching the Event Viewer applet, and then selecting each log. To avoid loss of important event data, set properties for each log as shown:

Windows Event Logs: Properties

Application log: Maximum log size: 32000 KB; Overwrite events as needed

Security log: Maximum log size: 32000 KB; Overwrite events as needed

System log: Maximum log size: 32000 KB

Note: For maximum supportability of your server installation, be sure to complete the following steps for installing diagnostics symbols, debug tools, and user dump service.

7. If you are using a Windows 2000 server, install the Windows 2000 base symbols as follows:

a. Open a Web browser and go to http://www.microsoft.com/windows2000/downloads/tools/symbols/default.asp and download the Win2k Base Symbols contained in the Customer Support Diagnostics package.

b. Follow the online instructions for downloading and installing the Customer Support Diagnostics package. Do not download the debug symbols, which are only for the Windows 2000 checked build. The retail symbols are included in the default download of the Customer Support Diagnostics package.

c. Install the retail symbols into the default directory (usually \WINNT\symbols).

Note: Make sure that you install the retail symbols. Do not install the debug symbols, which are specifically for Windows 2000 checked builds.

Note: Running a checked build of Windows 2000 is not recommended as it may greatly reduce your server's performance.

Note: Do not install the Debugging Tools. You will install the debugging tools from the Customer Support Diagnostics Service Pack Update for Service Pack 1 instead.

8. If you are using a Windows 2000 server, install the Windows 2000 symbols updates as follows:

a. From your Web browser, go to http://www.microsoft.com/windows2000/downloads/servicepacks/default.asp and select the link corresponding to the service pack level that you intend to install. Service Pack 4 (or later) is recommended.


b. Scroll to the bottom of the Service Pack page and click on the Customer Support Diagnostics Update link.

c. Follow the instructions for downloading and installing the updated service pack symbols.

d. Install the symbols into the default directory (usually WINNT\symbols). You can safely install these symbols before installing the Win2k Service Pack itself.

e. Leave the browser window open to the Customer Support Diagnostics Update page (which you should have opened from your local hard drive if you followed the download instructions from the Microsoft web site). From this page you will download the updated Debugging Tools in the next step.

9. If you are using a Windows 2003 server, install Windows 2003 symbols, using the instructions provided at http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx.

10. Install the most recent version of the User Dump utility, available from Microsoft as part of the Windows Support Tools package (also known as the OEM Support Tools package). The relay server invokes UserDump in the event of serious server malfunction. In addition, the relay server’s exception handler invokes this service when it detects an exception or access violation before the process exits. The resulting snapshot provides vital debugging information for Groove Support. Install UserDump as follows:

a. Go to the Microsoft Web site and download the following .zip file:

http://download.microsoft.com/download/win2000srv/Utility/3.0/NT45/EN-US/Oem3sr2.zip

b. Open StartHere.htm in your browser and scroll down to Section 8: Specifications.

c. Click the User Mode Process Dump link and follow the instructions in Section 6: Installation in the UserDump specification.

11. Install the latest Windows service/service pack as follows:

a. Go to http://www.microsoft.com/windows2000/downloads/servicepacks/default.asp or http://www.microsoft.com/windowsserver2003/downloads/servicepacks/default.mspx and select the link corresponding to the service pack level you intend to install.

b. Follow the online instructions for downloading and installing the service pack.

12. Install the latest Windows critical and security updates as follows:

a. Go to http://www.microsoft.com/windows2000/downloads/critical/default.asp or http://www.microsoft.com/windowsserver2003/downloads/updates/default.mspx and select the updates that you intend to install.

b. Follow the online instructions for downloading and installing the updates.

13. Update the Windows registry to prevent operating system memory fragmentation during relay operation, by setting the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager


The value is in hex. After setting this value, restart the operating system for the changes to take effect. For more about this setting, see the Microsoft Knowledge Base Article 315407.

The machine is now ready for the relay server software installation.

Installing the Relay Server Software

Use the following procedure to install and configure the relay server software on the machine where you configured the platform as described previously. The installation process sets up the relay server as an NT service. Note that the Groove client must not be installed on this machine.

Note: Pre-test your intended relay server using the supplied DBWritetest utility prior to installing the relay server software.

To install the relay server software, follow these steps:

1. To pre-qualify your server hardware for relay installation and operation, copy the DBWritetest.exe utility from the ERS installation CD to the intended relay server drive and directory, enter dbwritetest from a Windows command prompt in that directory, and make sure that the resulting throughput assessment is above 200 kilobytes per second. Run this test three times to confirm the result.

See “Testing Relay Hardware Throughput with DBWritetest” in the Managing a Relay Server section of this guide for information about this utility.

2. From Windows, run the Groove relay setup.exe file to launch the installer wizard, and follow the instructions.

3. If you want to change the default install paths (for example, you may want to install the Database files on larger drives), edit them as follows:

a. Choose Custom installation.

b. Select the Programs component then click the Change... button to override the default installation directory.

c. Click Next, then click the corresponding Change... buttons to edit the paths for the Database files and Log files.

Note: If you select a specific path for the program files, the database file and log file paths retain their original default locations. You must set them explicitly in order to override the default locations.

4. Click Next and follow any remaining instructions.

5. Click Install, then click Finish to install the relay server. The installer now launches the relay configuration control panel applet.

Now that you have installed the relay server software on the server machine, configure it using the relay server configuration control panel applet, as described next.

Configuring the Relay Server

applet to configure it. Initial relay configuration focuses on setting up a secure environment for relay server operation. A major part of this task involves authenticating the relay server to EMS and Groove clients. This authentication is accomplished through the use of various key files. See the table in “Relay Server Key Files” for a summary of relay server key and certificate files.

Caution: Do not generate new relay server private key and certificate files, SOAP key and ID files, or SSL key and certificate files after you have generated them for the first time. Doing so will permanently prevent existing Groove clients from accessing the relay server.

Relay Server Key Files

The following table lists and describes the key files associated with relay servers.

Key Files: privkey.dat, ServerCertificate.xml (not displayed in UI)
Description and Contents: Private key files that contain the relay server private keys. The relay server creates these keys during initial configuration and then encrypts them using a hash of the user’s password. The relay server uses these keys to authenticate itself to users whenever they contact the relay server to collect messages and workspace updates.
Location: Relay server install directory (by default)

Key File: ServerCertificate.cer
Description and Contents: Certificate file that contains the relay server’s public key. The Enterprise Management Server distributes this key to managed Groove users, who use it to send secure Groove messages and data to the relay server.
Location: Relay server install directory (by default)

Key File: client_relay_params.reg
Description and Contents: Registry file that contains client parameters for users of pre-2.0 Groove. Parameters include the relay public key and the relay name. You manually copy this file and install it on client devices. Clients use these parameters when registering with a relay server.
Location: Relay server install directory. (The EMS or relay server administrator retrieves this file for distribution to client PCs.)

Key File: ServerSOAPKeyStore.xml
Description and Contents: Private key file that contains the relay server’s Simple Object Access Protocol (SOAP) private key. The relay server creates this key during initial configuration and then encrypts it using a hash of the user’s password. The relay server then uses this key to authenticate itself to EMS when EMS contacts the relay server.
Location: Relay server install directory (by default)

Key File: ServerSOAPCertificate.cer
Description and Contents: Certificate file that contains the relay server’s SOAP public key. The Enterprise Management Server uses this key to send secure Groove data to the relay server.
Location: Relay server install directory (by default)
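Because the caution above says that regenerating any of these key files permanently locks out existing clients, an administrator will want a way to confirm that the files in the install directory are still the ones originally generated. The following script is an added example, not part of this guide or of the Groove relay software: it records a SHA-256 baseline of the six files named in the table and later reports which of them are unchanged, changed (for example, accidentally regenerated) or missing. The install directory path is supplied by the caller; the demo uses a constructed temporary directory with made-up file contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File names taken from the "Relay Server Key Files" table above.
RELAY_KEY_FILES = [
    "privkey.dat",
    "ServerCertificate.xml",
    "ServerCertificate.cer",
    "client_relay_params.reg",
    "ServerSOAPKeyStore.xml",
    "ServerSOAPCertificate.cer",
]


def fingerprint_key_files(install_dir):
    """Return {file name: SHA-256 hex digest, or None when the file is absent}."""
    digests = {}
    for name in RELAY_KEY_FILES:
        path = Path(install_dir) / name
        digests[name] = hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None
    return digests


def save_baseline(install_dir, baseline_path):
    """Write the current fingerprints to a JSON file (keep it off the relay host)."""
    baseline = fingerprint_key_files(install_dir)
    Path(baseline_path).write_text(json.dumps(baseline, indent=2))
    return baseline


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def check_key_files(install_dir, baseline):
    """Compare current key files with the baseline.

    Status per file: "ok" (unchanged), "changed" (contents differ, e.g. regenerated),
    "missing" (file gone) or "unbaselined" (present now, absent when baselined).
    """
    current = fingerprint_key_files(install_dir)
    report = {}
    for name in RELAY_KEY_FILES:
        now, then = current[name], baseline.get(name)
        if now is None:
            report[name] = "missing"
        elif then is None:
            report[name] = "unbaselined"
        elif now == then:
            report[name] = "ok"
        else:
            report[name] = "changed"
    return report


def demo():
    """Constructed walk-through: baseline a fake install directory, then simulate an
    accidental regeneration of the SOAP key store and a lost client_relay_params.reg."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in RELAY_KEY_FILES:
            (Path(tmp) / name).write_bytes(b"constructed contents of " + name.encode())
        baseline = save_baseline(tmp, Path(tmp) / "baseline.json")
        (Path(tmp) / "ServerSOAPKeyStore.xml").write_bytes(b"regenerated key material")
        (Path(tmp) / "client_relay_params.reg").unlink()
        return check_key_files(tmp, load_baseline(Path(tmp) / "baseline.json"))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:28s} {status}")
```

Run save_baseline once immediately after initial configuration, store the JSON with the encrypted key backups, and run check_key_files from a scheduled task or before any maintenance that touches the configuration applet; a "changed" result for privkey.dat or ServerSOAPKeyStore.xml is the condition the caution warns about.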
