Tenant Administration

Note

A tenant is usually mapped to an organization; some service providers call tenants clients. Basically, a tenant is a management scope that represents an organization.

The Tenant Manager scope is defined for the tenant administrator. In a multi-tenant CentreStack system, each tenant has its own administrator. In a single-tenant CentreStack system, the default cluster administrator is also the tenant administrator.

Tenant Manager is completely web-based.

You access the tenant manager by clicking on the “Management Console”.

_images/image020.png

Note

If you are the default cluster administrator, you may not see the “Management Console” icon. Instead, access the management console from the Cluster Manager page -> Tenant Manager and then click through to manage the “Default Tenant”.

The following guide assumes you are a tenant administrator who is not the default cluster administrator.

Dashboard

Tenant Management Console > Dashboard

Upon entering the Management Console, you will see the dashboard.

_images/image021.png

To navigate among the sections of the tenant administration portal, open the left-side panel using the “Hamburger” menu.

_images/image213.png

Storage Manager

_images/image215.png

Note

You can mount different storage services into a single namespace (folder structure). For example, if you have multiple Amazon S3 buckets, you can mount them all. If you have multiple OpenStack Swift accounts, you can mount them all as well. If you have multiple file server network shares, you can add them to the storage manager.

Note

The cluster manager can define whether or not the Storage Manager is exposed to the tenant administrator.

_images/image024.png

Home Storage

_images/image139.png

Home storage is the most important property in the tenant manager. It is used in many ways; for example, the users’ home directories can be set up under the home storage (if the user’s Active Directory home directory property is not used).

Note

In the field, one of the common mistakes is mapping a tenant’s root network share directly to the home directory of the tenant. The home directory cannot be shared from the root, so if your end goal is to turn the network share directly into a team folder, you are better off mapping the home directory to another location, then attaching the network share as a secondary folder and turning that secondary folder into a team folder.

Attach Storage

Storage is an important component in the CentreStack system. You can connect the tenant to a specific storage service. For example, you can connect it to local file server storage, or to a cloud storage service such as Amazon S3, Windows Azure or OpenStack Swift.

_images/image140.png

After you click the “Attach Storage” button, the CentreStack system takes some time to discover file servers in the local area network and also provides a section to add cloud storage.

_images/image141.png

File Servers in Local Area Network

_images/image142.png

In the File Servers in Local Area Network section, the CentreStack system contacts Active Directory or the network browser in the local area network to find file servers. Most of the time, if firewalls and network connections are properly configured, the file server can easily be added to the system.

However, there are situations, such as when the DNS or NetBIOS system is not ready, in which a file server may be discovered but cannot be connected. In that case, use Manual Configuration to connect to the file server manually.

_images/image143.png

Root Folder Name

The root folder name is the top-level folder name that will show up in the tenant administrator’s folder structure. We recommend that the folder name be descriptive and follow the normal Windows path rules (for example, certain characters are not allowed).

Note

Remember that this folder is only shown to the tenant administrator; it is not yet published to team users. When it is time to publish the folder to the tenant users, the name that the tenant users will see can also be defined. If the folder is later published as a team folder, it is recommended, but not required, that the team folder name be the same as the root folder name here.

Local Storage Location

This is the file server UNC path or local Windows folder path that you connect into the tenant administrator’s root folder structure. The idea is that you take this folder and mount it into the tenant administrator’s root folder structure under the name given in “Root Folder Name”.

User Name

The user name is a Windows username, either a local Windows user or a global Active Directory user; it is a Windows account that is capable of accessing the “Local Storage Location”.

Password

This is the password for the Windows user above.

Note

We recommend that this Windows user and credential be a service account, meaning the password is not subject to the maximum password age local security policy. Otherwise, when it is time to rotate or change the user password, the connection here may be broken until the password is updated to match.

“Always access the storage using logon user identity”

When you have Active Directory integration and mount an existing file server network share, you can select “Always access the storage using logon user identity” so that the ACL (NTFS permissions) on the file server share is used natively. Access permission is checked natively against the user’s Active Directory identity, as defined by the NTFS permissions.

This option only applies to “Local Storage” such as network shares, DFS shares, local folders, etc.

“The share is from a Linux/Unix/ZFS server”

Most of the time, you don’t want to check this flag, because your file server share should behave like a normal Windows Server share even if it doesn’t come from a Windows Server. Some small SOHO network storage devices only allow one connection per IP address; in that case, you want to check this flag. You don’t need to check it when the network share is capable of taking multiple connections/sessions from a single machine.

“This share is a DFS share”

If the share is a DFS share, check this checkbox, because a DFS share has an extra layer of translation back down to normal file server shares. This flag tells the CentreStack server to do an extra DFS translation back to the SMB share before connecting to the share.

“Enable Inplace Versioning”

The underlying file server network share may not have explicit version control (it may have volume shadow copy for other purposes); this setting adds CentreStack version control to the file server network share. It is independent from and not related to volume shadow copy.

Note

In-place versioning puts the old version of a file into a __ver__ sub folder in the same folder structure, hence the name In-Place Versioning: the folder structure is maintained as-is, while extra old copies of the file are stored in a specific sub folder.

_images/image025.png

Here is a demo video showing the end result of “Enable Inplace Versioning” when the root folder (‘forward slash’) is mounted with “Inplace versioning” enabled.

Storage Manager – Cloud Storage Property

Besides local storage, you can also mount cloud storage into the system. If you have Amazon S3 or an Amazon S3-compatible storage service, or OpenStack Swift or OpenStack Swift-compatible storage, you can connect it into the system. You can see the full list of supported storage services, including SoftLayer Object Storage, Google Cloud Storage, Microsoft Azure storage and more.

_images/image026.png

Team Folders (Team Shares)

Tenant Management Console > Team Folder

The team folder concept is like a network share: you define a folder and then add users and groups to the folder, turning it into a team shared folder. The team folder shows up in a user’s folder list when the user is added to the team folder.

When the server agent is in use, the team folder can be mapped directly to a network share from the server where the server agent is installed.

When a directly connected network share is used, a team folder can be mapped directly to an SMB/CIFS network share.

You can also turn any existing folder into a team folder.

A team folder has tenant administrator scope, so team-folder-related sharing is limited to users inside the tenant.

Note

By default, the files and folders that the administrator can see are hidden from regular team users until those folders are published to the team users.

_images/image022.png

Create Team Folder

Tenant Management Console > Team Folder > Add New Team Folder

You can click on the “+” sign to create a new team folder.

_images/image188.png

Once it is clicked, it shows three main sources of team folder, among other options:

  • default location
  • from a file server, either remote or local
  • from cloud storage

_images/image188_1.png

Default Tenant Storage

When you pick this option, the team folder is created from the default storage from scratch as an empty team folder. Pick this option when you want a team folder that is brand new and empty.

Publish Tenant Home Storage As a Team Folder

By default, the tenant’s root storage folder is not published to any team user. By analogy, it is like the C: drive on a Windows file server, which by default is not published as a network share to users. However, if you want to make it available to users, you can pick this option.
File Servers in Local Area Network

When you have files and folders on the local area network (LAN), you can convert a network share directly into a team folder in CentreStack. It is a one-to-one relationship between a team folder and a network share. When you pick this option, most of the time the Active Directory server for this tenant is also in the same local area network.

_images/image249.png

Remote File Server

When you have server agents installed on remote file servers, those file servers are visible and the network shares from the remote file servers are imported into CentreStack.

_images/image250.png

Cloud Storage

You can also pick Cloud Storage as this team folder’s underlying storage. As shown in the following picture, you can pick Amazon S3, Windows Azure Blob, OpenStack Swift and other cloud storage services.

_images/image248.png

Team Folder Properties

Team Folder Information

Team Folder > {Pick a Team Folder} > info button

_images/image251.png

Here is a look at the information dialog:

_images/image252.png

Team Folder Permission Setting

Team Folder > {Pick a Team Folder} > edit button

_images/image253.png

Here is a look at the settings:

_images/image254.png

Collaborators

Team Folder > {Pick a Team Folder} > edit button > Collaborators Tab

In the Collaborators section, you can define:

Display Name: the name of the team folder.

User List: the users and groups that are assigned to the team folder. Users with the owner flag are able to manage the users.

Folder Permissions

Team Folder > {Pick a Team Folder} > edit button > Folder Permissions Tab

You can browse to different sub-folders and define the folder permissions. The folder permissions defined here are the CentreStack side of the permission.

If you are leveraging native Active Directory/NTFS permissions from a file server, you don’t need to define any permissions here.

Note

You can think of the permissions as two different gates controlling access to files and folders. The first gate is defined here as the CentreStack Folder Permission. After this permission check, there is still a check at the file server level (the NTFS permission).

In practice, it is usually done one way or the other. If you have decided to use NTFS natively, you can leave the permission settings here empty and undefined.

_images/image255.png

Settings

Team Folder > {Pick a Team Folder} > edit button > Settings Tab

_images/image256.png

Here is a look at the details of the Team Folder Settings:

_images/image257.png

Disable further sharing

Don’t allow users to share out team folder contents.

Create CIFS Share

If there are server agents connected to the tenant, create a CIFS share on the file server agent server as a standard Windows network share.

Disable Offline Access

Don’t allow Windows or Mac clients to mark folders inside the team folder as offline.

Synchronize folder permission automatically

If the folder comes from a file server agent, sync the NTFS permissions over to the cloud side. This emulates NTFS permissions when the CentreStack server is away from the file server across the Internet.

Don’t show folders users don’t have permissions to access

Hide the folder instead of showing users folders for which they would receive “Access Denied”.

Secure Data Room

Don’t allow downloading content, but allow viewing directly in the web browser.

IP White List

A security feature to lock team folder access down to a range of IP addresses.

Quota and Retention Policy

A team folder can have a per-team-folder retention policy.

_images/image274.png

Regular User Manager

Tenant Management Console > User Manager > User Manager

In the documentation, the regular user is often referred to as “Team User”.

The first tab is the Regular User Manager. These are the users that have full privileges: home directory, sharing and other features.

_images/image189.png

User Manager also has a list view:

_images/image190.png

If you have Active Directory, normally these are the users in the Active Directory.

  • Native User

    These are users that are created manually with an email address.

  • AD User

    These are users imported from Active Directory via LDAP.

  • Proxied AD User

    These are users imported from a Server Agent, where the file server agent is remote, away from the CentreStack server, at the customer’s site. The customer’s Active Directory domain is also remote, and the file server itself (where the server agent is installed) is in that remote Active Directory.

A create user demo video:

A delete user demo video:

Guest User Manager

Tenant Management Console > User Manager > Guest User Manager

Guest users are users that don’t have a home directory. The only folder they have is “Files Shared with Me”, so they rely on a “Regular User” sharing files and folders with them before they can do anything. If nobody shares anything with a guest user, the guest user doesn’t have read/write permission to any folder.

The primary reason for guest users to exist is to provide a secure way for external users to collaborate on and edit documents.

Group Manager

Tenant Management Console > User Manager > Group Manager

When you have Active Directory integration, you will leverage Active Directory groups instead of using the Group Manager here. This group manager creates groups of users in a simple way. It is not as sophisticated as Active Directory (for example, it does not support nested groups), but it makes things easy for non-Active Directory users. This is the native CentreStack group. In the product, you may also see AD groups in the user selection user interface and Proxied AD groups in user-related interfaces. The AD group and the proxied AD group are not the same as the group described here.

Role Manager

Tenant Management Console > User Manager > Role Manager

Role Manager provides role-based administration. For example, you may want to give read-only permissions to some users. You can also assign group policies to some groups of users. More and more policy items are being added to the role manager, so in addition to using it for administration, it can also be used to define policy items for users.

When creating a role, there are 4 different sections:

  • Permissions
  • Sharing
  • Policies
  • Assigned Users/Groups

Role Manager - Permissions

You can define areas of the tenant administrator’s management console and assign them to a role.

_images/image196.png

Role Manager - Sharing

Additional sharing policies for the role.

_images/image197.png

Role Manager - Policies

Additional policies that can be assigned to a role.

_images/image198.png

Group Policy

Tenant Management Console > Group Policy

_images/image146.png

Group Policy – Common Settings

Tenant Management Console > Group Policy > Common Settings

_images/image266.png

Security

Tenant Management Console > Group Policy > Common Settings > Security

_images/image263.png

“Allow Cluster Admin to manage my tenant”

When enabled, the cluster admin can use the “Manage Tenant” link to manage the tenant in the tenant manager. This is very convenient for the cluster administrator (typically a system administrator from the service provider) to perform management work for the tenant.

“Enable Authenticating User with Google Apps Credentials”

When enabled, users can log in using Google Apps credentials.

“When delegate admin login via server agent, impersonate as tenant admin”

The server agent typically needs to sync as the default tenant administrator. When a delegate administrator sets up a server agent, it is recommended that the agent impersonate the default tenant administrator.

“Access management related pages from Intranet Only”

(This setting may only be available from the cluster administrator side.) Intranet is defined as 10.x.x.x or 192.168.x.x kinds of IP addresses. Usually you can achieve the same result by disabling the management functionality on external-facing worker nodes while enabling it on an internal-facing worker node. But if your intranet meets the IP address criteria, you can use this setting to achieve that goal too. It is a security feature that limits the management scope to the intranet only. As mentioned, the alternative is to go to the cluster manager, then the cluster server farm, and disable the “management functionality on this node”.

_images/image029.png

“File upload and download must go through worker node”

(This setting may only be available from cluster administrator side)

For Amazon S3 types of cloud/object storage, it is recommended NOT to force file uploads and downloads through worker nodes, because Amazon S3 is good at offloading the upload/download to the path between the access clients and the backend Amazon S3 storage. However, for OpenStack Swift storage, depending on how it is set up, you may want to turn this on to force file upload/download through the worker node for security reasons.

This setting may be checked by default. However, based on your configuration, it may not need to be checked. For example, if you are using a file server network share as the storage location, uploads and downloads have to go through the worker node anyway, so there is no need to check this checkbox.

There may be situations in which this setting must be checked. For example, you may be using native object storage such as Amazon S3, but your company policy disables direct access to Amazon S3. In this case, you have to route traffic through the worker node.

Sharing Settings

Tenant Management Console > Group Policy > Common Settings > Sharing

_images/image264.png

“User must login to access shared files/folders”

When sharing files and folders with users, you can force the sharing to create guest accounts for users that are not already in the system. It is more secure to ask the receiver of the share to sign in to receive shared items; this disables anonymous sharing. If this setting is not enabled, users can share files and folders to outside email addresses without requiring the outside user to create a guest user account.

“Disable team-user share home directory content externally”

This feature disables the ability of regular users to share home directory contents externally, for security reasons.

“Enable Internal Public Share URL”

If you have an internal public share URL, you can use this setting to enable it. When enabled, the Internal URL property is used to generate the link.

Disable Public Link

This disables the public link feature in the sharing dialog.

“Enable distribution group detection in file/folder sharing user interface”

With Active Directory integration, sometimes you want to share files and folders with a distribution group. This feature allows detection of distribution groups and expands the group so that sharing is done with the users in the group instead of treating the group as a single user.

“Show user list in sharing dialog”

When enabled, the user list is displayed in the recipient dropdown list.

“Show guest user list in sharing dialog”

When this option is enabled, the guest user list will be shown in the recipient dropdown list.

“Show group list in sharing dialog”

When this option is enabled, the group list will be shown in the recipient dropdown list.

“Allow user enter share name”

By default the file name or folder name is used for the share name. However, if a user has many folders or files with the same name, recipients may not know which is which. This setting allows the user to change the share name. For example, when sharing out a “Documents” folder, it can be named “Documents in top level folder”.

“Expiration Time for Shared Folder/File (Days):”

When set, the expiration time dropdown is not shown in the file/folder sharing wizard; the expiration is pre-set to the value set here.

“Expiration Time for public links (Days):”

If left at zero, public links never expire; otherwise, a public link is purged after it expires.

“Don’t create a guest user account if the recipient is from the following domain”

If a guest account is not created, the share is sent to the email address only.

“Only allow sending shares to the specified domain”

You can further limit sharing to specific domains instead of arbitrary email addresses. For example, if your primary collaboration target is ACME corporation, you can limit sharing to your own domain and the ACME domain.

File Locking Settings

Tenant Management Console > Group Policy > Common Settings > File Locking

Settings under file locking apply to all clients, including desktop clients as well as server agent clients.

“Enable Distributed locking when accessing files”

In CentreStack, there are two ways to lock files. One is manual: right-click a file and choose “Check out”. The other is automatic, based on certain binary executables; for example, Microsoft Office executables such as winword.exe.

“Lock file exclusively”

When set, other users won’t be able to open the file for edit or read.

“Delay sync until file is unlocked”

It is recommended to check this setting. Most users habitually save files in the middle of editing. You don’t want each of these intermediate saves to go to the cloud; you want to do one save to the cloud at the end, like a grand finale. So you can delay sync until the file is unlocked.

“Unlock file after file is uploaded”

After the file is uploaded, unlock the file.

“Enable scheduled sync for files with following extensions (i.e.[.mdb][.qbw]) when file is locked”

Typically this applies to database files that are constantly in use and constantly writing (committing) to the database file.

“Apply lock only to the following processes (Lower case)”

You can specify the processes here for which locking should be applied. By default, locking is enabled for Microsoft Word, Excel, and PowerPoint.

“Apply lock only to the following MAC processes (Lower case)”

You can specify the processes here for which locking should be applied. By default, locking is enabled for Microsoft Word, Excel, PowerPoint and the Mac text editor.

“Client Setting Manager”

Tenant Management Console > Group Policy > Common Settings > Client Setting Manager

_images/image153.png

Sync Throttle

Sync Throttled Upload Bandwidth (KB/s, 0-Unlimited): this setting controls the upload bandwidth from the client machine.

Sync Throttled Download Bandwidth (KB/s, 0-Unlimited): this setting controls the download bandwidth of the client machine.

Full Speed Sync Stop Hour (default 7:00): 7 - full speed sync means multi-threaded concurrent upload or download, which is typically good for after-hours activity. We recommend the default stop time of 7am so that when people return to work, full speed sync stops and bandwidth is given back to users who may be using the Internet for other purposes.

Full Speed Sync Start Hour (default 20:00): 20 - similar to the above setting; we recommend starting full speed sync after working hours.

Mapped Drive Control

Hide Large File Download Tracker (Right-bottom popup progress window when downloading large file)

This is usually good for usability, but people may find it annoying if a download progress dialog pops up at the lower right corner.

Always Allow Picture Preview

Windows Explorer may download pictures in the background to generate thumbnails. This consumes bandwidth and may slow the system down until all preview thumbnails are generated. By default the client program disables the preview. However, you can re-enable it.

Allow shortcuts

Allow shortcuts (.lnk) files.

When start windows client, open mounted drive automatically

Do not show file change notifications

This is another feature that shows file change notifications at the lower right corner of the Windows desktop. People may find it annoying if change notifications come in often.

Enable Inplace Open Zip File

Windows Explorer has a built-in zip extension that opens a zip file when it is double-clicked. That may be fine for a local drive, but for a cloud drive it means the zip file is unzipped and re-uploaded back into the cloud. By default the client application disables opening zip files directly in the cloud drive.

Max Size of Zip File Allowed to Open Inplace (MB)

Works with the above setting when it is enabled.

Cloud Drive Label

What you want to call your Windows client drive.

Drive Letter

The drive letter to give to the client application’s drive.

Cache Size Limit (MB)

The Windows client maintains a client-side cache.

Large File Upload

Enable chunk upload when file size larger than (MB): uploading a single large file can be disrupted by an Internet glitch; uploading smaller chunks increases the success rate.

Chunk file in the unit of (MB): works together with the above setting.

Use Volume Shadow Copy to Upload Files being Opened: there are pros and cons to this flag. When a file is open in another application, it is usually locked and can’t be uploaded until the file is closed. Using volume shadow copy can still upload the file. The downside is that at the moment the volume shadow copy is taken, the file is not known to be in a consistent state.

Bandwidth Control

Download Bandwidth Limit (KB/s, 0-Unlimited): download bandwidth control.

Upload Bandwidth Limit (KB/s, 0-Unlimited): upload bandwidth control.

Number of File Transfer Threads: the number of concurrent uploads/downloads allowed.

Outlook Plugin

Prompt for conversion only when the file is larger than n KB (0 - unlimited): for smaller files, it may be just as well to use the native Outlook attachment.

Client Startup Script

A command line script to run after the Windows client has completely started and finished loading. For example, a script to map an additional drive letter to a specific folder inside the cloud drive.

Client Shutdown Script

A command line script to run right before the Windows client shuts down. For example, a script to clean up any references to folders and files inside the cloud drive.

Retention Policy

Tenant Management Console > Group Policy > Common Settings > Retention Policy

_images/image032.png

The cloud monitoring service on the CentreStack system is responsible for the retention policy. The execution of the retention policy will be

“Keep Last n version of each file in the versioned folder”

You can decide how many versions of files to keep in the version folder.

“Only purge version file that is more than n days old”

A security feature. For example, if a virus modifies the same file many times, it creates many versions, causing good old versions to be scheduled for deletion. With this set, the good old versions are kept for at least this many days, giving enough time to recover.

“Keep deleted files in versioned folder/trash can for n days”

When a file is deleted in the version folder, it is not actually deleted. It is kept for the number of days defined here. The same policy also applies to

“Keep file change log for n days”

The file change log is the biggest database table and could grow without trimming. You can decide how often to trim the table.

Note

There is also a cluster setting about the file change log length. The cluster setting overrides the per-tenant setting.
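The interaction between “Keep Last n version of each file” and “Only purge version file that is more than n days old” is easiest to see in code. The following is an added example, not CentreStack’s own code: it models old copies living in a __ver__ sub folder beside the live file (the in-place versioning layout described earlier) and assumes a version’s age is counted from the moment it was superseded, which is what lets the age guard protect the last pre-infection copy when a burst of bad writes pushes it out of the “last n” window. File names, timestamps and the __ver__ naming scheme are constructed.

```python
"""Retention-policy evaluator for in-place versioning (added example, not
CentreStack code). Assumptions: old copies sit in a __ver__ sub folder next to
the live file, and a version's age is measured from when it was superseded."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Version:
    live_path: str            # path of the live file, e.g. "Projects/plan.docx"
    version_path: str         # old copy inside the __ver__ sub folder
    superseded_at: datetime   # when this copy was pushed into __ver__


def version_path_for(live_path: str, superseded_at: datetime) -> str:
    """Build the __ver__ location for an old copy (constructed naming scheme)."""
    folder, _, name = live_path.rpartition("/")
    stamp = superseded_at.strftime("%Y%m%dT%H%M%S")
    return f"{folder}/__ver__/{name}.{stamp}" if folder else f"__ver__/{name}.{stamp}"


def select_versions_to_purge(versions: Iterable[Version], keep_last: int,
                             min_age_days: int, now: datetime) -> List[str]:
    """Versions beyond the newest keep_last that are ALSO older than min_age_days.

    Both conditions must hold: the 'last n versions' rule on its own would let a
    burst of rewrites push every good copy out of the window within minutes."""
    by_file: Dict[str, List[Version]] = {}
    for v in versions:
        by_file.setdefault(v.live_path, []).append(v)
    cutoff = now - timedelta(days=min_age_days)
    purge: List[str] = []
    for file_versions in by_file.values():
        file_versions.sort(key=lambda v: v.superseded_at, reverse=True)  # newest first
        for v in file_versions[keep_last:]:
            if v.superseded_at <= cutoff:
                purge.append(v.version_path)
    return sorted(purge)


def select_trash_to_purge(deleted_at: Dict[str, datetime], keep_days: int, now: datetime) -> List[str]:
    """Deleted files (path -> deletion time) whose trash-can holding period has elapsed."""
    cutoff = now - timedelta(days=keep_days)
    return sorted(p for p, t in deleted_at.items() if t <= cutoff)


# Constructed sample: two legitimate edits weeks ago, the last good copy superseded
# an hour ago, then five rewrites of the same file within the last hour.
NOW = datetime(2024, 3, 1, 12, 0, 0)
LIVE = "Projects/plan.docx"
GOOD_VERSIONS = [
    Version(LIVE, version_path_for(LIVE, NOW - age), NOW - age)
    for age in (timedelta(days=30), timedelta(days=20), timedelta(hours=1))
]
BURST_VERSIONS = [
    Version(LIVE, version_path_for(LIVE, NOW - timedelta(minutes=m)), NOW - timedelta(minutes=m))
    for m in (50, 40, 30, 20, 10)
]
LAST_GOOD = GOOD_VERSIONS[2].version_path
TRASH = {"old-notes.txt": NOW - timedelta(days=10), "draft.docx": NOW - timedelta(days=2)}


def purge_without_age_guard() -> List[str]:
    """Keep last 3, no age guard: the last good copy is scheduled for deletion."""
    return select_versions_to_purge(GOOD_VERSIONS + BURST_VERSIONS, keep_last=3, min_age_days=0, now=NOW)


def purge_with_age_guard() -> List[str]:
    """Keep last 3, but only purge copies older than 7 days: the last good copy survives."""
    return select_versions_to_purge(GOOD_VERSIONS + BURST_VERSIONS, keep_last=3, min_age_days=7, now=NOW)


def trash_to_purge() -> List[str]:
    return select_trash_to_purge(TRASH, keep_days=7, now=NOW)


if __name__ == "__main__":
    print("last good copy purged without age guard:", LAST_GOOD in purge_without_age_guard())
    print("last good copy purged with 7-day age guard:", LAST_GOOD in purge_with_age_guard())
    print("trash entries past holding period:", trash_to_purge())
```

Run stand-alone it prints True, False and the single expired trash entry: with the guard set, only the two copies older than seven days are purged, and the copy superseded an hour ago remains available for recovery.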

“Hide purge option from web file browser (not applicable to tenant administrator)”

Do not show the purge window to users when deleting content.

“Do not send email notifications when purge deletes contents”

There are times when an admin does not want to send or see delete email notifications for purged contents.

_images/image033.png

Anti Virus

Tenant Management Console > Group Policy > Common Settings > Anti Virus

Only allow the following process to update files. - This is a white list of applications that are allowed to update files. Applications not in the list will not be able to upload files.

Following executables will not be allowed to open files directly - This is the opposite of the above policy. The applications in this list are denied.

Disable a device if the device changes more than n files in 10 minutes - When users use the cloud drive in a normal way, human-speed activity cannot generate a large number of file changes, so a device that exceeds the threshold is disabled.

Disable uploading files whose name contains the text pattern

When files are named in certain way, the files will not be uploaded.

Disable uploading files whose names start with the following strings

When files are named in certain way, the files will not be uploaded.

Disable uploading files whose names end with following strings

When files are named in certain way, the files will not be uploaded.
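The Anti Virus items above combine three mechanisms: a process allow/deny list, name-based upload filters, and a per-device change-rate trip wire. The following is an added example, not CentreStack’s own code, that evaluates a constructed stream of file-change events against all three. The process names, filter strings, device names and the 25-file burst are constructed; the 10-minute window is the one the setting names; case-insensitive matching and per-device time ordering of events are assumptions.

```python
"""Evaluator for the Anti Virus policy items (added example, not CentreStack code).
Sample events, process names and filter strings are constructed; events are
assumed to arrive in time order per device."""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

WINDOW = timedelta(minutes=10)  # the "in 10 minutes" window from the setting


class ProcessPolicy:
    """'Only allow the following processes' and 'following executables will not be allowed'."""

    def __init__(self, allow_only=(), deny=()):
        self.allow_only = {p.lower() for p in allow_only}
        self.deny = {p.lower() for p in deny}

    def reject_reason(self, process: str) -> Optional[str]:
        p = process.lower()
        if p in self.deny:
            return f"process {p} is on the deny list"
        if self.allow_only and p not in self.allow_only:
            return f"process {p} is not on the allow list"
        return None


class NamePolicy:
    """The three file-name filters (contains / starts with / ends with)."""

    def __init__(self, contains=(), starts_with=(), ends_with=()):
        self.contains = tuple(s.lower() for s in contains)
        self.starts_with = tuple(s.lower() for s in starts_with)
        self.ends_with = tuple(s.lower() for s in ends_with)

    def reject_reason(self, file_name: str) -> Optional[str]:
        n = file_name.lower()
        for s in self.contains:
            if s in n:
                return f"name contains {s!r}"
        if n.startswith(self.starts_with):      # empty tuple never matches
            return "name starts with a blocked prefix"
        if n.endswith(self.ends_with):
            return "name ends with a blocked suffix"
        return None


class ChangeRateMonitor:
    """Disable a device once it changes more than max_changes files within WINDOW."""

    def __init__(self, max_changes: int):
        self.max_changes = max_changes
        self._events: Dict[str, Deque[datetime]] = {}
        self.disabled: Set[str] = set()

    def record(self, device: str, at: datetime) -> bool:
        """Register one change; return True if the device is disabled afterwards."""
        if device in self.disabled:
            return True
        q = self._events.setdefault(device, deque())
        q.append(at)
        while q and at - q[0] > WINDOW:     # drop changes that fell out of the window
            q.popleft()
        if len(q) > self.max_changes:
            self.disabled.add(device)
            return True
        return False


def evaluate(events, process_policy: ProcessPolicy, name_policy: NamePolicy,
             monitor: ChangeRateMonitor) -> List[Tuple[str, str]]:
    """Return (file_name, verdict) per event; verdict is 'allowed' or the rejection reason."""
    results: List[Tuple[str, str]] = []
    for at, device, process, file_name in sorted(events, key=lambda e: e[0]):
        if monitor.record(device, at):   # rate check first: a tripped device is blocked outright
            results.append((file_name, f"device {device} disabled: change rate exceeded"))
            continue
        reason = process_policy.reject_reason(process) or name_policy.reject_reason(file_name)
        results.append((file_name, reason or "allowed"))
    return results


# Constructed sample: LAPTOP-A behaves normally (with one temp file and one odd process);
# LAPTOP-B writes 25 files in two minutes, far beyond human speed.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "LAPTOP-A", "winword.exe", "Q1 report.docx"),
    (T0 + timedelta(minutes=1), "LAPTOP-A", "excel.exe", "budget.xlsx"),
    (T0 + timedelta(minutes=2), "LAPTOP-A", "winword.exe", "~$Q1 report.docx"),
    (T0 + timedelta(minutes=3), "LAPTOP-A", "unknownapp.exe", "notes.txt"),
] + [
    (T0 + timedelta(seconds=5 * i), "LAPTOP-B", "winword.exe", f"data{i:02d}.docx")
    for i in range(25)
]


def run_sample() -> dict:
    monitor = ChangeRateMonitor(max_changes=20)
    results = evaluate(
        SAMPLE_EVENTS,
        ProcessPolicy(allow_only=("winword.exe", "excel.exe", "powerpnt.exe")),
        NamePolicy(contains=("(conflict",), starts_with=("~$",), ends_with=(".tmp",)),
        monitor,
    )
    allowed = sum(1 for _, v in results if v == "allowed")
    return {"allowed": allowed, "rejected": len(results) - allowed, "disabled": monitor.disabled}


if __name__ == "__main__":
    print(run_sample())
```

With a threshold of 20, LAPTOP-B’s 21st change trips the monitor and its remaining four writes are refused, while LAPTOP-A loses only the Office lock file (“~$” prefix) and the write from a process outside the allow list.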

Group Policy – Account & Login

Tenant Management Console > Group Policy > Account & Login

_images/image267.png

User Account Settings

Tenant Management Console > Group Policy > Account & Login > User Account

_images/image147.png

“Guest User”

When enabled, guest users can be created when a team user shares files or folders with external users. When disabled, file/folder sharing is limited to regular users only or anonymous users only.

“Account Info”

This setting allows users to edit their account information and is enabled by default.

Enforce 2-Step Verification on users

(Only available after 2-Step Verification is turned on)

When 2-Step verification is enabled, enforce it for all tenant users.

Disable 2-Step Verification

(Only available after 2-Step Verification is turned on)

When 2-Step verification is enabled, disable it.

Do NOT enforce 2-Step Verification on guest users

(Only available after 2-Step Verification is turned on)

Do not enforce 2-Step verification for guest users.

“Login Control”

Account Lockout Threshold (0 - never lockout):

You can specify the account lockout threshold here. The limit specified is the number of invalid logon attempts allowed before an account is locked out.

Enforce progressively longer waiting times after invalid logon attempts

Under login control, you can also enforce progressively longer waiting times after invalid logon attempts.

Send email notification when login from new location/device

Another setting under login control is ‘Send email notification when login from new location/device’. This setting sends an email to the user whenever a different device or location is used to log in.
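As an added example (not CentreStack’s own implementation), the following Python model shows how the three Login Control settings interact: a lockout threshold where 0 means never lock out, a progressive wait that doubles after each invalid attempt, and a notification when a user logs in successfully from a device/location pair not seen before. The user names, device names, the fingerprint scheme and the backoff cap are assumptions made for the example.

```python
import hashlib


def device_fingerprint(device, location):
    """Stable identifier for a device/location pair (an assumption made for the example)."""
    return hashlib.sha256(f"{device}|{location}".encode()).hexdigest()


class LoginControl:
    """Model of the Login Control settings: lockout threshold, progressive
    waiting time and new device/location notification."""

    def __init__(self, lockout_threshold=5, progressive_delay=True,
                 notify_new_device=True, max_wait_seconds=300):
        self.lockout_threshold = lockout_threshold  # 0 means never lock out
        self.progressive_delay = progressive_delay
        self.notify_new_device = notify_new_device
        self.max_wait_seconds = max_wait_seconds     # cap chosen for the example
        self.failures = {}        # user -> consecutive invalid attempts
        self.locked = set()
        self.known_devices = {}   # user -> fingerprints seen on successful logins
        self.notifications = []   # (user, message) emails the system would send

    def wait_seconds(self, user):
        """Progressively longer wait: 0 after no failures, then 1, 2, 4, 8 ... seconds."""
        n = self.failures.get(user, 0)
        if not self.progressive_delay or n == 0:
            return 0
        return min(2 ** (n - 1), self.max_wait_seconds)

    def attempt(self, user, credentials_ok, device, location):
        """Process one logon attempt; returns 'ok', 'failed' or 'locked'."""
        if user in self.locked:
            return "locked"
        if not credentials_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.lockout_threshold and self.failures[user] >= self.lockout_threshold:
                self.locked.add(user)
                return "locked"
            return "failed"
        # a successful logon resets the counter and checks for a new device/location
        self.failures[user] = 0
        seen = self.known_devices.setdefault(user, set())
        fp = device_fingerprint(device, location)
        if self.notify_new_device and fp not in seen:
            self.notifications.append((user, f"New login from {device} in {location}"))
        seen.add(fp)
        return "ok"

    def unlock(self, user):
        """Administrative unlock; the Notification settings can alert the admin to lockouts."""
        self.locked.discard(user)
        self.failures[user] = 0
```

Note that once an account is locked, even a correct password is rejected until an administrator unlocks it, and that a threshold of 0 keeps the progressive wait but never locks.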

Password Policy Settings

Tenant Management Console > Group Policy > Account & Login > Password Policy

_images/image148.png

The admin can enable a password policy for non-AD users.

_images/image070.png

Single Sign-On Settings

Tenant Management Console > Group Policy > Account & Login > Single Sign-On

Single Sign-On is available using SAML authentication.

When it comes to Single Sign-On support via SAML, there are always two parties.

  • One is the IdP (the identity provider)
  • and the other is SP (service provider)

A user is registered with the identity provider and uses the service from the service provider. The setup here allows the service provider (CentreStack) to use an identity provider.

Here, the IdP will be a public IdP such as SSOCircle and the SP will be CentreStack. SSOCircle is used as an example to set up the IdP; it can work with other IdPs as well.

In a multi-tenant CentreStack deployment each tenant may want to have its own SSO service. Therefore, the Single Sign On is a per-tenant setting.

You can find the Single Sign-On setting under Management Console -> Group Policy -> Security.

_images/image072.png

Step 1: Register CentreStack at IdP

The IdP will need to register CentreStack as a service provider (SP) by importing the SP’s metadata. You will find CentreStack’s metadata at the following location (per-tenant setting).

_images/image073.png

We can use the following XML to register CentreStack as an SP at SSOCircle:

_images/image074.png

Now at SSOCircle, add a new service provider:

_images/image075.png

In the next screen we can paste in the XML from the CentreStack side, set the FQDN to the URL contained within the XML, and check the 3 parameters: FirstName, LastName and Email.

_images/image076.png

Now the SSOCircle side of the registration is done.

Step 2: Register SSOCircle at CentreStack side

The IdP registration and SP registration is a two-way manual setup of the "I trust you and now you trust me" kind.

_images/image077.png

The metadata from SSOCircle looks like this and it can be imported into CentreStack.

_images/image078.png

Inside the metadata from SSOCircle, you will see there is an HTTP-Redirect URL; that will be the URL we use to register the IdP. Also register the 3 parameters (FirstName, LastName, EmailAddress) from the IdP.

_images/image079.png

Step 3: Login at the IdP, but use service at SP

As a summary, the IdP and SP register each other’s metadata, URL and parameters. After that, it is single sign-on at the IdP side: the login happens at the IdP, and after login it redirects back to the SP side.

_images/image080.png

Azure AD

Tenant Management Console > Group Policy > Account & Login > Azure AD

Azure AD integration allows users to use their Azure AD credentials to login to CentreStack, including web portal and native clients.

You will still need to create Azure AD users as if they were local CentreStack users first. After that, you can enable Azure AD integration.

To enable Azure AD integration, you will need to create an Azure AD native client application.

_images/image191.png

You will need the client ID from the Azure Native Client Application.

_images/image192.png

You will give the Azure Native Client Application full read permission to the following two items:

  • Azure Active Directory
  • Microsoft Graph API

_images/image193.png

You will also need the domain name.

_images/image194.png

Group Policy – Folder & Storage

Tenant Management Console > Group Policy > Folder & Storage

_images/image268.png

Home Directory

Tenant Management Console > Group Policy > Folder & Storage > Home Directory

_images/image154.png

“Default Storage quota”

This policy does not affect existing users and their quota. It only affects the default storage quota of newly created users.

“Create default folders”

When a new user account is provisioned, the default root folder is empty. “Create default documents and pictures folder” will make the root folder look less empty and more user friendly. It is a hint for how to organize files and folders in the cloud.

“Use user email to generate home directory name”

The home directory name will be created using the user’s email address. By default, the user’s GUID is used to create the user’s home directory.

“Folder and Storage Settings”

Tenant Management Console > Group Policy > Folder and Storage

“Allow users to attach external cloud storage”

When checked, users can see the storage manager and attach external storage such as their own Amazon S3 bucket into the system.

“Disable Versioned folder”

Normally you will NOT disable versioned folders, because the versioned folder is the supporting feature for “Two-way sync locally attached folder”. If you disable versioned folders, you will lose the two-way synchronization folder feature as well.

Disable Trash Can

For folders that are not under version control, a deleted file will be moved into Trash Can. If this feature is not useful, you can disable it.

“Don’t show folder that user doesn’t have read permission”

With native Active Directory integration and with a network share as backend storage, the user’s permission to the folders is checked natively. When this option is set, folders for which the user doesn’t have read permission will be hidden.

Don’t show Trash Can for non-admin user

Trash Can is a virtual folder that shows up in the web browser portal only. This setting controls whether or not to show it for regular team users.

“Don’t append (Team Folder) to published folders”

By default, when a team folder shows up in a team user’s folder list, it has “(Team Folder)” appended to the end of the folder name to signify it is a team folder. This feature allows a team folder to show up as it is, without the (Team Folder) suffix. The use case is a network share that is mounted and then turned into a team folder: since the users are already familiar with the network share under its original name, it is not necessary to append (Team Folder) to the folder name. You shouldn’t change this setting in the middle of operation, because if users have pending uploads/downloads, changing the name could cause those tasks to fail.

“Attached Folder Settings”

Tenant Management Console > Group Policy > Folder & Storage > Attached Folder

_images/image150.png

“Disable backup/attach local folder from client device”

Attached local folders are two-way synchronization folders. In order to do version backup and two-way synchronization, multiple folder structures are created in the backend storage. Some organizations don’t need this feature and want users to work exclusively with the cloud drive.

“Enable Snapshot backup for server agent”

This feature is related to the server agent on Windows 2003-2012 servers.

“Allow syncing empty files”

By default, empty (0-byte) files are skipped when syncing an attached folder. When enabled, those files will be synchronized.

Enable scheduled sync for files with following extensions

This helps sync/upload frequently changed files such as Microsoft Access databases or QuickBooks files. These types of files are typically constantly open (which prevents other applications from getting hold of them) and also change frequently. So you can define the time period at which to check back on these types of files and use Volume Shadow Copy to upload them.

“Filters Settings”

Tenant Management Console > Group Policy > Folder & Storage > Filters

_images/image152.png

“Files with the following extensions will be excluded from attached local folder”

You can stop certain file types from being uploaded, for example .pst files. These are local Outlook email files, which are not necessary to upload into the cloud storage because usually they are backed up by an Exchange server.

“Files with following extensions will be excluded from directory listing (i.e.[.qbw]):”

You can specify the file extensions that should not be listed under a user’s directory.

“In-place editing/Preview is disabled for files with following extension”

Windows Explorer has a habit of peeking into large files to generate thumbnails and present other information. This may not be a good fit for cloud drive files, because each peek will generate a download from the cloud.

Allow file without file name extension

Allow files without extension suffix to synchronize.
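The filters in this section and the upload filters under Group Policy (name contains, starts with, ends with) are all simple tests on the file name. The added Python example below (not CentreStack code; the pattern lists and file paths are constructed) shows one evaluator that applies all of them: case-insensitively, because the clients run on Windows, and with the extension and no-extension rules handled the way this page describes them.

```python
import os


def normalize_ext(ext):
    """'.PST', 'pst' -> '.pst' so admin input compares correctly."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


class UploadFilter:
    """One evaluator for the name-based upload and sync filters on this page."""

    def __init__(self, contains=(), starts_with=(), ends_with=(),
                 excluded_extensions=(), allow_no_extension=False):
        self.contains = tuple(p.lower() for p in contains)
        self.starts_with = tuple(p.lower() for p in starts_with)
        self.ends_with = tuple(p.lower() for p in ends_with)
        self.excluded_extensions = {normalize_ext(e) for e in excluded_extensions}
        self.allow_no_extension = allow_no_extension

    def decide(self, path):
        """Return (allowed, reason) for a client path; only the file name is
        tested, case-insensitively."""
        name = os.path.basename(path.replace("\\", "/"))
        lname = name.lower()
        _stem, ext = os.path.splitext(lname)   # note: '.gitignore' has no extension here
        if not ext and not self.allow_no_extension:
            return False, "no extension"
        if ext in self.excluded_extensions:
            return False, f"excluded extension {ext}"
        for p in self.starts_with:
            if lname.startswith(p):
                return False, f"name starts with {p}"
        for p in self.ends_with:
            if lname.endswith(p):
                return False, f"name ends with {p}"
        for p in self.contains:
            if p in lname:
                return False, f"name contains {p}"
        return True, "ok"

    def partition(self, paths):
        """Split a batch into (uploaded paths, [(skipped path, reason)]) for a sync report."""
        uploaded, skipped = [], []
        for path in paths:
            ok, reason = self.decide(path)
            if ok:
                uploaded.append(path)
            else:
                skipped.append((path, reason))
        return uploaded, skipped


# Constructed configuration for the example (not a recommended default)
EXAMPLE_FILTER = UploadFilter(
    contains=("~$",),            # Office owner/lock files
    starts_with=("thumbs",),     # Thumbs.db
    ends_with=(".locked",),      # a suffix some ransomware families append
    excluded_extensions=("pst", ".qbw"),
)

if __name__ == "__main__":
    sample = ["C:\\Users\\a\\Documents\\report.docx", "Outlook.PST",
              "Thumbs.db", "~$report.docx", "data.docx.locked", "README"]
    print(EXAMPLE_FILTER.partition(sample))
```

Dotfiles such as .gitignore count as having no extension under this rule, so enable “Allow file without file name extension” if users need them synchronized.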

Group Policy - Client Control

“Web Portal Settings”

Tenant Management Console > Group Policy > Client Control > Web Portal

“Disable folder download from web client”

Folder download from the web client zips up the folder and downloads it. It is CPU intensive, so if you don’t want it consuming too much CPU, you can disable it.

“Disable Search”

If you don’t need the search by file name feature, you can disable it.

“Web Browser - Disable Java Uploader”

Some organizations have standardized on a web browser, for example, all web browsers are HTML5 compliant. In this case, the Java Uploader is not necessary and could be confusing to support when different users have different Java versions installed.

“Web Browser - Disable Flash Uploader”

Some organizations have standardized on a web browser, for example, all web browsers are HTML5 compliant. In this case, the Flash Uploader is not necessary and could be confusing to support when different users have different Flash versions installed. Different kinds of web browser may also have different levels of Flash support, causing different behavior.

“Web Browser - Disable Local Uploader”

The admin can also disable the local uploader, in which case the upload will happen using the browser directly.

“Enable Tabbed-Browsing in User Manager”

When enabled, the user manager will order users by their last name, so if you have many users you have an easy way to find them.

“Only show search interface in User Manager”

When you have even more users and Tabbed-Browsing can’t handle it any more, you can enable the search-only interface.

“Show tutorial page for non admin user”

Display tutorial page for regular users when they login to the web portal.

“Show team folder level permission in team folder publishing dialog”

The advanced setting refers to the “Create CIFS Share”, “Disable further sharing”, and “Disable Offline Access” settings.

_images/image031.png

Confirm before drag and drop moving

In the web portal there can sometimes be an accidental drag and drop; a confirmation dialog helps prevent it.

Max count of file/folder items can be shown

Some customers may have a very flat folder with more than one thousand files. It is not recommended for a cloud system to have a flat folder structure like this, but if a customer has many files in a flat folder, this setting can be used to show all files.

Native Client Settings

Tenant Management Console > Group Policy > Client Control > Native Client

_images/image151.png

“Create a shortcut in the documents library”

This is a convenience feature that adds a link to the cloud drive in the documents library.

“Create shortcut on desktop”

Same as above but the shortcut is on the desktop.

“Hide Settings in Windows Client Management Console”

The Settings in the Windows client may be viewed as “too much information for a normal user”. If that is the case, you can hide them.

“Don’t Allow Setting Changes in Windows Client Management Console”

Use this when you want the client settings to be centrally controlled.

“Disable Windows client in-place upload”

Normally you don’t want to disable it. If it is disabled, the files that are being uploaded will be copied into cache first before upload, thus creating two copies of the same file in the file system, one at the original place, one in the cache.

“Disable Auto-Login next time”

When you want the user to type in username/password every time they login to the Windows client, you can disable auto-login.

“Disable drag & drop handler”

Normally you will not disable it. If it is disabled, the Windows file drag-and-drop takes over; this typically means the files will be copied into the cache before upload, resulting in two copies of the files being uploaded.

Requiring approval for device access

The first login attempt will place the device in a staging area waiting for approval. The approval can be done from the “Client Device Manager”.

“Enable auto-install of Outlook Plugin”

The CentreStack Windows Desktop client comes with an Outlook plug-in. If enabled, the Outlook plugin will be enabled when the client runs.

“Disable native client for guest users”

Guest users are not allowed to use the native client, so they can only use the web browser file and folder view.

Group Policy - Export/Import

_images/image265.png

You can also export the group policy settings to other clusters in the environment or import existing settings from another cluster.

Tenant Branding

Tenant Management Console > Tenant Branding

If per-tenant branding is enabled, the tenant branding section will be available.

_images/image195.png

Customized URL for your business

Typically the customized URL is a subdomain of the CentreStack server. For example, if the CentreStack server is at https://cloud.mycompany.com, the subdomain can be https://acme1.mycompany.com.

Windows 2012 and above (the server that runs CentreStack) also allows SNI (Server Name Indication) in the SSL certificate binding, so it is possible to bind multiple SSL certificates to the same IIS server. In this case, the Customized URL can be a fully qualified domain name.

Tenant Administrators

Tenant Management Console > Tenant Administrators

You can define a group of administrators here.

_images/image036.png

Here is a demo video for adding delegated administrators.

Reports

Tenant Management Console > Reports

You can see upload report, storage statistics, team folders, shared objects, audit trace, and file change logging.

Upload Report

_images/image045.png

Storage Statistics

_images/image046.png

Team Folders

_images/image047.png

Shared Objects

_images/image156.png

Folder Permissions

_images/image156.png

Audit Trace

Audit trace contains the management events, such as login success, login failure, sharing a folder, etc.

_images/image040.png

File Change Log

The file change log can search a user’s file change history. It is most useful when helping a user troubleshoot issues. For example, you can point to the file change log and say, you deleted this file on this day.

_images/image041.png

Distributed Locks

_images/image157.png

Pending Purged Folder

_images/image158.png

Advanced Information

Tenant Management Console > Advanced

_images/image159.png

Active Directory Settings

_images/image037.png

“Enable Active Directory Integration”

Check this when you want to integrate with Active Directory.

Note

There are two different ways to integrate with Active Directory. One way is here, using an LDAP connection. The other way is to leverage the server agent software, which is capable of connecting to a remote Active Directory.

“Domain Controller Address”

The domain controller’s address, typically in the form of a DNS name.

“User Name”

This is recommended to be a service account (password never expires, account never disabled) so the user will be able to query LDAP for users and authenticate users on the login user’s behalf.

“Password”

This is the password for the service account for the “User Name” field.

“Friendly Domain Name”

This is typically the domain name you see in the Microsoft Domain and User tool. It needs to be an exact match of the domain name. Otherwise, you will see an error message about “referral is required”, which means the domain controller didn’t match the domain name and needs to refer you somewhere else for another domain name.

_images/image038.jpg

“Only Include users in Organization Unit”

When you type in the organization unit, you don’t need to type the domain part any more; it only needs the Organization Unit part of the string. Only a single Organization Unit is allowed, specified in its distinguishedName format without the domain suffix.

“Allow Switching to Global Catalog” – For organizations that have multiple domains, there is sometimes a Global Catalog that stores everything. This may be required if you have such a situation.

“Disable Nested Group” – Normally you will disable this if you have many groups. Nested groups may slow down the lookup and login speed.

“This is the root of the AD forest and contains multiple sub-domains” – CentreStack supports multiple domains in the same AD forest. You will need to point to the root of the AD and it is capable of finding all the sub-domains.

“Don’t allow user auto-creation” – By default, the Enterprise package is capable of creating users upon first login into the web portal. However, a big enterprise may want to control the pace of adding users to the system, so it will disable this feature.

“Publish user’s home drive” – In the user’s Active Directory profile, there is a setting for the home directory. The same home directory setting can be used to map the user’s Active Directory home directory into the cloud drive’s home directory.

_images/image039.jpg
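As an added example, not from this page or from CentreStack, the Python below builds the LDAP search base from the “Only Include users in Organization Unit” value and the friendly domain name, checks that the OU string follows the rule above (OU= components only, no DC= domain suffix), and escapes a login name before it is placed into an LDAP search filter, so that the query the service account runs cannot be altered by the text a user types at login. How CentreStack itself composes its queries is not documented here; the composition, domain names and user names are assumptions for the example.

```python
def domain_to_dn(friendly_domain):
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com'."""
    labels = [part for part in friendly_domain.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def split_rdns(dn):
    """Split a DN on unescaped commas (an escaped '\\,' inside a value is kept)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def validate_ou_fragment(ou):
    """Check the OU value against the page's rule: distinguishedName form,
    OU= components only, no DC= domain suffix. Returns a list of problems."""
    problems = []
    seen_dc = False
    for rdn in split_rdns(ou):
        if "=" not in rdn:
            problems.append(f"'{rdn}' is not in attribute=value form")
            continue
        attr = rdn.split("=", 1)[0].strip().upper()
        if attr == "DC":
            if not seen_dc:
                problems.append("contains domain components; omit the DC= suffix")
                seen_dc = True
        elif attr != "OU":
            problems.append(f"unexpected RDN type {attr}")
    return problems


def build_search_base(ou, friendly_domain):
    """Compose the search base for user lookups: OU fragment plus domain DN
    (assumed composition, not CentreStack's documented behaviour)."""
    problems = validate_ou_fragment(ou)
    if problems:
        raise ValueError("; ".join(problems))
    domain_dn = domain_to_dn(friendly_domain)
    ou = ou.strip().rstrip(",")
    return f"{ou},{domain_dn}" if ou else domain_dn


# RFC 4515 escapes for values embedded in an LDAP search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(login_name):
    """Filter the service account would use to find the user who is logging in;
    the name is escaped so text like '*)(objectClass=*' cannot widen the query."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login_name)}))"


if __name__ == "__main__":
    print(build_search_base("OU=Sales,OU=Staff", "corp.example.com"))
    print(validate_ou_fragment("OU=Sales,DC=corp,DC=example,DC=com"))
    print(user_lookup_filter("jdoe"))
```

The OU check mirrors the “referral is required” symptom described above: if the DC= suffix is typed into the OU field, or the friendly domain name doesn’t match the domain the controller serves, the composed base DN points at the wrong naming context.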

Client Device Manager

This feature is used to control BYOD (Bring Your Own Device). Some organizations want to control who can bring what device into the system. This is the tool to control that and allow/disallow on a device-by-device basis.

_images/image043.png

Application Manager

_images/image160.png

This section configures several web applications for the web portal on a per-tenant basis.

Tenant Administrators

_images/image161.png

This section defines the delegated administrators for the tenant.

Notification

_images/image162.png

Shared File/Folder

Notification regarding the changed files and folders.

Team Folder - notification regarding changed files and folders.

Settings - Send Daily Notification Email; Notify tenant admin when member’s sync task failed; Notify tenant admin when member shares a folder; Notify me when user account is locked out.

Team Folder

_images/image163.png

This is for the administrator to subscribe to team folder change notifications.

Settings

_images/image164.png

Send Daily Notification Email - When set, the system will send an email notification daily about the events you are interested in (select below).

  • File Changes
  • Audit Trace
  • Users approaching the storage quota limit

Notify tenant admin when member’s sync task failed.

Notify tenant admin when member shared a folder

Notify me when user account is locked out

Send notification to these emails in addition to tenant admin’s email (email;email2) - This is used for additional administrators to receive email notification.

Helping and Supporting Users’ File and Folder Lists

_images/image044.png

An admin can view a user’s file and folder list using the eye icon for the user in Management Console -> User Manager.

Storage Location Migration

There are two types of storage migrations.

1. Migrate data to a different location in the same type of storage using the steps below:
  1. Identify the location of the current storage
  2. Copy the content to the new location (for example, you can use xcopy from the old location to the new location)
  3. Login to the web portal as master admin.
  4. Launch Management Console -> Collaboration -> Storage Manager and click on edit to point to the new location
2. Migrate data to a different type of storage using the steps below:
  1. Go to the registry using regedit
  2. Go to HKLM\SOFTWARE\Gladinet\Enterprise\ and add a new string value called ‘CanChangeDefaultStorage’, set the value to ‘True’ and reboot
  3. Edit the storage type using the new icon to edit storage under Cluster Manager -> Tenant Manager

Note

It is not recommended to modify registry settings. Take a backup of the registry before modifying any registry settings.