Chapter 11: Configuration Page

The Configuration page enables you to configure the following elements:

  • HTTPS proxy.

  • Network Configuration.

  • Time Configuration.

  • Domain Settings.

  • General CIFS Settings.

  • Directory Services.

  • Encryption Keys.

  • Escrow passphrase.

  • Firewall.

  • SSL Certificates.

  • Users and Groups.

  • Global File Lock.

  • Passwords.

Note: The Configuration page, and all other pages of the Nasuni Edge Appliance user interface, might look different to different users. Also, different menus and actions might be available for different users. This is because different users are assigned different permissions, based on their roles in the role-based access control system. See “Users and Groups” for details.

Note: If this Nasuni Edge Appliance is under the control of the Nasuni Management Console, menus and menu choices might look different, because you use the Nasuni Management Console to perform these tasks.

HTTPS Proxy Configuration

You can configure the Nasuni Edge Appliance to use an HTTPS proxy server, if needed. All HTTPS traffic goes through the proxy server that you specify. See Firewall and Port Requirements for details of HTTPS traffic, which includes:

  • Storage traffic.

  • Global File Lock server traffic.

  • Antivirus definition files.

  • Nasuni Management Console Administrative Access.

  • Web Access.

  • NOC traffic.

By using an HTTPS proxy server, you can ensure the privacy of your client machine. The HTTPS proxy server acts as an intermediary between your client machine and external resources such as those mentioned above. This allows you to conceal the IP address of the client machine.

Note: Nasuni only supports HTTPS proxies. SOCKS proxies are not supported.

To configure the HTTPS proxy server for a Nasuni Edge Appliance, you need the hostname or IP address of the proxy server, as well as the port number used by the proxy server. If a username and password are required to authenticate with the proxy server, those are also necessary.

For details about ports and firewalls, see Firewall and Port Requirements.

You can specify hostnames or IP addresses that need not be routed through the proxy server. These would include trusted hosts that do not require the protection of the proxy server. These hosts are still protected by HTTPS access.

Tip: With on-premises object storage, if you are using an HTTPS proxy, consider including the hostnames of the target endpoint for the on-premises object storage in the Do Not Proxy specification. Otherwise, the proxy server might not allow data traffic or might slow down data traffic.

Tip: On Azure-based Edge Appliances only, during a reboot or recovery procedure, it is necessary to connect with IP address 169.254.169.254 in order to obtain information about the Azure VM instance. If you have configured an HTTPS proxy, this attempt to connect can cause a delay of several minutes. To avoid this delay, add the IP address 169.254.169.254 to the “Do Not Proxy” section of the HTTPS Proxy configuration.

Note: If this Nasuni Edge Appliance is under the control of the Nasuni Management Console, when you enable or disable the HTTPS proxy, the Nasuni Management Console cannot update the Nasuni Edge Appliance settings for about 2 minutes.

To configure the HTTPS Proxy:

  1. Click Configuration, then select HTTPS Proxy from the list. The HTTPS Proxy Settings page appears.

    Figure 11-3: HTTPS Proxy Settings page.

  2. To enable HTTPS proxy support, select the Enable Proxy Support check box.

  3. In the Proxy Server text box, enter the hostname or IP address of a host running the HTTPS proxy.

    Tip: If you use a hostname with a round-robin DNS configuration (that is, with multiple A records associated with the HTTPS proxy server's hostname), this might affect the classification of HTTPS traffic.

  4. In the Port text box, enter the port number used by the HTTPS proxy server. For details about ports and firewalls, see Firewall and Port Requirements.

  5. Optionally, enter a valid username (case-sensitive) as configured by the proxy server in the User Name text box and the password (case-sensitive) in the Password text box.

    Caution: The Password cannot include the symbols “/” (slash) and “#” (pound sign).

    Important: If the password of the Proxy Server changes, you must change the HTTPS Proxy Password.

  6. Optionally, in the Do Not Proxy text box, enter the hostnames or IP addresses that should not be routed through the proxy, one per line. Do not use a leading period (“.”).

    Tip: With on-premises object storage, if you are using an HTTPS proxy, consider including the hostnames of the target endpoint for the on-premises object storage in the Do Not Proxy specification. Otherwise, the proxy server might not allow data traffic or might slow down data traffic.

  7. To test your settings and then save your settings, click Test & Save. Alternatively, click Save to accept your selections without testing.
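The following is an added example, not Nasuni code, that pre-checks the values you would enter on the HTTPS Proxy Settings page against the rules stated above (hostname or IP address for the proxy, a port number, a password without “/” or “#”, and a Do Not Proxy list with one hostname or IP address per line and no leading period), and then shows how the Do Not Proxy list decides which hosts bypass the proxy. The sample Do Not Proxy entries (an on-premises object-store endpoint name and the Azure instance-metadata address from the tip above) are constructed; the username argument is accepted only for completeness, since this page states a character rule only for the password.

```python
import ipaddress
import re

# Added example, not Nasuni code: pre-checks for the HTTPS Proxy Settings page.
FORBIDDEN_PASSWORD_CHARS = frozenset("/#")   # the guide: password cannot contain "/" or "#"

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen (RFC 1123 shape).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed sample Do Not Proxy text (assumed names): an on-premises object
# store endpoint, per the guide's tip, plus the Azure instance-metadata address.
SAMPLE_DO_NOT_PROXY = "objectstore.corp.example\n169.254.169.254\n"


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    """True for a syntactically valid DNS hostname (no leading period, no wildcards)."""
    return len(value) <= 253 and _HOSTNAME_RE.match(value) is not None


def validate_proxy_settings(server, port, username=None, password=None, do_not_proxy_text=""):
    """Return a list of problems; an empty list means the values satisfy the guide's rules."""
    problems = []
    if not (is_ip(server) or is_hostname(server)):
        problems.append(f"proxy server {server!r} is neither a hostname nor an IP address")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"port {port!r} is not in the range 1-65535")
    if password:
        bad = sorted(FORBIDDEN_PASSWORD_CHARS.intersection(password))
        if bad:
            problems.append(f"password contains forbidden characters: {''.join(bad)!r}")
    for lineno, raw in enumerate(do_not_proxy_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue                      # blank lines are ignored
        if entry.startswith("."):
            problems.append(f"Do Not Proxy line {lineno}: leading period is not allowed: {entry!r}")
        elif not (is_ip(entry) or is_hostname(entry)):
            problems.append(f"Do Not Proxy line {lineno}: {entry!r} is not a hostname or IP address")
    return problems


def parse_do_not_proxy(text: str) -> frozenset:
    """The set of hosts that bypass the proxy, normalised to lower case."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())


def uses_proxy(host: str, do_not_proxy_text: str) -> bool:
    """True if traffic to `host` goes through the proxy.

    Entries are whole hostnames or IP addresses (the guide allows no leading
    period), so matching is exact, not by domain suffix. Case-insensitive
    comparison of hostnames is an assumption.
    """
    return host.strip().lower() not in parse_do_not_proxy(do_not_proxy_text)


if __name__ == "__main__":
    print(validate_proxy_settings("proxy.corp.example", 3128, "svc-proxy", "pa/ss#1", ".corp.example\n"))
    print(uses_proxy("169.254.169.254", SAMPLE_DO_NOT_PROXY))       # bypasses the proxy
    print(uses_proxy("storage.cloud.example", SAMPLE_DO_NOT_PROXY)) # goes through the proxy
```

Because matching is exact, a Do Not Proxy entry of `objectstore.corp.example` does not exempt `bucket1.objectstore.corp.example`; each endpoint hostname that should bypass the proxy needs its own line.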

Network Configuration

The network address configuration is initially set during installation of the Nasuni Edge Appliance. However, you can change network settings as required. Changing network settings might temporarily disconnect users accessing the Nasuni Edge Appliance.

Note: If you need to reconfigure the network, but the Nasuni Edge Appliance user interface is not available, you can access network settings using the service menu on the console. See the Nasuni Edge Appliance Initial Configuration Guide for details.

Note: IPv6 is not supported.

Important: Edge Appliances and the NMC must be configured with operational DNS servers and a time server (internal or external) within your environment.

See Worksheets for a worksheet for planning configurations.

About Traffic Groups

Three default traffic groups are available, but you can change the purpose and the name of each traffic group:

  • General: All traffic is in the General traffic group, unless explicitly assigned to a different traffic group. Systems with only one network interface card (NIC) always use the General traffic group. This traffic group is not for any specific purpose.

  • Management: The Management traffic group limits access to the assigned interfaces of the Nasuni Edge Appliance to administrative access only.

  • External: The External traffic group designates a set of interfaces that carry only Web Access traffic.

Note: You use the Firewall configuration page to configure what kind of traffic the Nasuni Edge Appliance accepts on each traffic group.

You cannot combine traffic from two or more traffic groups together.

Note: If a proxy is defined such that it is on one of the networks local to the Nasuni Edge Appliance, this local proxy is used for cloud traffic, Remote Support traffic, and Nasuni Data API traffic. Traffic flows on whichever interface can reach the local proxy.

Bonding. If you assign more than one device to the same traffic group, the assigned devices are “bonded” for that traffic group. A bonded interface is a virtual network interface that runs on two or more physical interfaces. The Nasuni Edge Appliance uses bonding mode 5 (balance-tlb) for high-availability (HA) networking with a performance enhancement when sending packets. This mode requires no special configuration on the switches. To change this bonding mode, request Nasuni Support to configure the Bonding Mode setting.

Bonding also provides failover benefits. This bonding mode monitors the state of the network interface cards (NICs) that are in the bond: if the active device fails, it switches to a different active device. In addition, when transmitting a packet, the system determines (using an internal metric) which device in the bond is least busy, and transmits the packet using that device. When the host sends a packet to the Nasuni Edge Appliance, the packet always goes to the active device.

Network switch ports to which bonded Nasuni Edge Appliance ports are attached must be configured as access ports, with trunking disabled. Any switch port where a bonded Nasuni Edge Appliance port is attached should also not be bridged with any other Nasuni Edge Appliance port.

Note: Nasuni supports either Balance-TLB or the Link Aggregation Control Protocol (LACP) to bond several physical ports together to form a single logical channel. While Balance-TLB is the default, LACP allows a network device to negotiate an automatic bundling of links. If your switch supports LACP, Nasuni recommends using LACP as a best practice. To enable LACP, request Nasuni Support to configure the Bonding Mode setting.

The Spanning Tree's blocking, listening, and learning stages should be disabled or bypassed on all switch ports to which a bonded Nasuni Edge Appliance port is attached. (Cisco switches have a feature called PortFast that is used to disable these Spanning Tree stages on a port-by-port basis.)

Bonded Nasuni Edge Appliance port members may also be split across more than one switch in order to achieve switch redundancy. However, all switch ports that are attached to members of the same bond must comprise a single broadcast domain (namely, the same VLAN) configured on the switch port.

Additionally, if problems exist after deploying a Nasuni Edge Appliance bond across more than one switch, reattach all bond members to the same switch. If the problems disappear, then the cause of the problem resides in the configuration of the switches and not in the configuration of the Nasuni Edge Appliance.

Basic Configuration. Put all available NICs into the General traffic group. The Nasuni Edge Appliance uses a single IP address, and all types of traffic use that IP address. Traffic leaving the LAN uses a default gateway available on this LAN.

Separating client and cloud traffic. Divide the NICs into General and External traffic groups.

The Nasuni Edge Appliance uses one IP address for serving CIFS (SMB), NFS, and FTP traffic, along with the user interface and management protocols.

The Nasuni Edge Appliance uses another IP address for Web Access. The default gateway must be specified on the LAN that the External traffic group uses.

Separating data and management traffic. Divide the NICs into General and Management traffic groups. The Nasuni Edge Appliance uses one IP address for serving CIFS (SMB), NFS, and FTP traffic in addition to communicating with cloud APIs, and a different IP address for the user interface and management protocols. This configuration expects that administrators use a separate “back plane” network to manage devices more securely.

Sample network topologies.

This example is for General traffic only.

Figure 11-4: General traffic only.

This example is for General and External traffic.

Figure 11-5: General and External traffic.

This example is for General and Management traffic.

Figure 11-6: General and Management traffic.

This example is for General, External, and Management traffic.

Figure 11-7: General, External, and Management traffic.

Configuring Network Settings

Important: Edge Appliances and the NMC must be configured with operational DNS servers and a time server (internal or external) within your environment.

To configure network settings, follow these steps:

  1. Click Configuration, then select Network Configuration from the list. The Network Configuration page appears.

    Figure 11-8: Network Configuration page.

  2. To change the hostname for this Nasuni Edge Appliance, enter a new hostname in the Hostname text box. Enter the hostname (15 characters or fewer) or Fully Qualified Domain Name (64 characters or fewer) for this Nasuni Edge Appliance. You can use ASCII lower-case letters a through z, digits 0 (zero) through 9, and hyphens. The Nasuni Edge Appliance hostname is automatically registered in the DNS server, so that users can access this host by name.

    The name that you enter is the name that you provide to users so they can access the Nasuni Edge Appliance.

    Note: If joining a Nasuni Edge Appliance to Active Directory, Nasuni recommends using the fully qualified domain name with the hostname, such as filer.domain.com. If the Nasuni Edge Appliance would never join Active Directory, you can use the hostname without the domain name.

    Tip: After you change the Hostname of the Nasuni Edge Appliance, you should delete the Active Directory computer object with that Hostname.

  3. In the Network Interface Settings area, to manage traffic groups, click Manage Traffic Groups. The Traffic Groups dialog box appears.

    Figure 11-9: Traffic Groups dialog box.

    The Traffic Groups dialog box displays a list of the currently available traffic groups. For each traffic group, the traffic group’s name and description appears. For more information about traffic groups, see “About Traffic Groups”.

    1. To add a new traffic group, click Add Traffic Group. The Add Traffic Group dialog box appears.

      Figure 11-10: Add Traffic Group dialog box.

      1. In the Name text box, enter a short name for the new traffic group.

      2. Optionally, in the Description text box, enter a description of the purpose or characteristics of the new traffic group.

      3. Click OK to add the new traffic group. Alternatively, click Cancel to exit without adding a new traffic group.

    2. To edit a traffic group’s name or description, click Edit. The Edit Traffic Group dialog box appears. The Edit Traffic Group dialog box is similar to the Add Traffic Group dialog box described in step 1 above. Enter a new name or description for the traffic group, then click OK.

    3. To delete a traffic group, click Delete. The traffic group is deleted.

    4. To save all changes to the traffic groups, including added traffic groups and edited traffic groups, click Save. Alternatively, to exit without saving any changes, click Cancel.

    Note: You configure the network settings for each traffic group in step 5 below.

  4. In the Network Interface Settings area, for each Device in the list, select the Traffic Group from the drop-down list.

    Figure 11-11: Network Interface Settings area.

    See “About Traffic Groups” for more details.

    Tip: If any network interfaces are not in use, set them to “Disabled”.

  5. In the Network Interface Settings area, to configure each Traffic Group, click Edit beside the Traffic Group. The Network Settings page appears.

    Figure 11-12: Network Settings page.

    From the Network Type drop-down list, select either Static or DHCP.

    If you select DHCP (Dynamic Host Configuration Protocol), the IP Address, Netmask, and MTU Value fields become unavailable.

    Note: DHCP cannot be enabled on more than one traffic group.

    Important: If installing on the Google Compute Platform (GCP), use Static and not DHCP.

    If DHCP is selected, the new Edge Appliance can reach appliances outside the local GCP subnet, but is unable to reach local appliances on the same subnet.

    If you select Static, you must provide Network Interface Settings and System Settings. See your IT administrator for assistance. Enter the following information:

    • Enter the static IP address in the IP Address text box. The address of a static device must not already be present on the network. The Nasuni Edge Appliance verifies this and displays an error if a collision is detected.

      Ensure that the IP address you are using is not in use elsewhere.

      Note: If you define more than one static device, the Nasuni Edge Appliance checks that the subnets specified do not appear more than once.

      Important: If you change the IP address, also do the following:

      • Update Firewalls with the new IP address.

      • Update DNS entries so that they resolve the Edge Appliance with the new IP address.

      • Re-join the Domain after changing the IP address. You might need to remove the old computer object.

    • Enter a netmask address in the Netmask text box.

    • Enter the MTU value in the MTU Value text box.

      Tip: MTU settings should not exceed 1500.

      The maximum transmission unit (MTU) is the size (in bytes) of the largest protocol data unit that a network layer can pass onwards. A larger MTU brings greater efficiency, because each packet carries more user data while protocol overheads, such as headers, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU also means processing fewer packets for the same amount of data. However, large packets can occupy a slow link for some time, causing greater delays to following packets and increasing lag and minimum latency.

    • (Optional) You can specify a gateway for each traffic group. This gateway is used to return traffic for clients outside one of the Nasuni Edge Appliance's local networks that do not use the default gateway. In the Gateway text box, enter the IP address for the gateway.

    • Click OK to use these values. Click Cancel to exit this page without making any changes.

  6. In the System Settings area, from the Settings Source drop-down list, select one of the following:

    • DHCP (Dynamic Host Configuration Protocol): Provides a network IP address for a host on an IP network automatically. The Default Gateway, Search Domain, Primary DNS Server, and Secondary DNS Server fields become unavailable.

      Important: If installing on the Google Compute Platform (GCP), use Static and not DHCP or DHCP with custom DNS.

      If DHCP or DHCP with custom DNS is selected, the new Edge Appliance can reach appliances outside the local GCP subnet, but is unable to reach local appliances on the same subnet.

    • DHCP with custom DNS: Provides a network IP address for a host on an IP network automatically. The Default Gateway field becomes unavailable.

      Important: If installing on the Google Compute Platform (GCP), use Static and not DHCP or DHCP with custom DNS.

      If DHCP or DHCP with custom DNS is selected, the new Edge Appliance can reach appliances outside the local GCP subnet, but is unable to reach local appliances on the same subnet.

      Enter the following information:

      • Enter one or more local search domains in the Search Domain text box, each separated by a space. You must enter valid hostnames.

        You can use search domains to avoid typing the complete address of domains that you use frequently. The search domains that you enter are automatically appended to names that you specify for purposes such as Active Directory configuration, HTTPS proxy, and NTP server. For example, if you specify the search domain “mycompany.com”, then typing “server1” for one of these purposes would connect to “server1.mycompany.com”.

      • Enter the IP address for your primary DNS server in the Primary DNS server text box. You must enter a valid hostname or IP address.

      • Enter the IP address for your secondary DNS server in the Secondary DNS server text box (if applicable). You must enter a valid hostname or IP address.

    • Static: Address information must be entered manually. Enter the following information:

      • Enter a default gateway address in the Default Gateway text box.

        The gateway address must match a subnet of a defined static network.

      • Enter one or more local search domains in the Search Domain text box, each separated by a space. You must enter valid hostnames.

        You can use search domains to avoid typing the complete address of domains that you use frequently. The search domains that you enter are automatically appended to names that you specify for purposes such as Active Directory configuration, HTTPS proxy, and NTP server. For example, if you specify the search domain “mycompany.com”, then typing “server1” for one of these purposes would connect to “server1.mycompany.com”.

      • Enter the IP address for your primary DNS server in the Primary DNS server text box. You must enter a valid hostname or IP address.

      • Enter the IP address for your secondary DNS server in the Secondary DNS server text box (if applicable). You must enter a valid hostname or IP address.

  7. Click Save Network Configuration to accept your entries. The Confirm Network Changes page appears.

    Figure 11-13: Confirm Network Changes page.

  8. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation, then click Submit. Your changes are saved.

A message box appears indicating that you will be disconnected briefly from the user interface while the changes are applied. Close this message box and refresh the page, or re-access the Nasuni Edge Appliance with your new IP address.
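The following is an added example, not Nasuni code, that applies the rules from the procedure above to a planned network configuration before you enter it: the hostname character and length limits from step 2, the one-DHCP-group limit, duplicate-subnet check, MTU ceiling and gateway rules from steps 5 and 6, and the way search domains are appended to short names. The `TrafficGroupNet` class, the `in_use_addresses` argument (a constructed stand-in for the collision check the appliance itself performs when saving) and the sample addresses are assumptions for the example; rejecting a leading or trailing hyphen in a label, requiring a per-group gateway to lie on that group's subnet, and using a dotted name as-is are assumptions from standard DNS and routing behaviour rather than statements on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Nasuni code: worksheet checks for the Network Configuration page.
MAX_HOSTNAME_LEN = 15   # bare hostname, per the guide
MAX_FQDN_LEN = 64       # fully qualified domain name, per the guide
MAX_MTU = 1500          # the guide's tip: MTU settings should not exceed 1500

# Allowed characters per the guide: a-z, 0-9 and hyphens. Disallowing a leading
# or trailing hyphen is an assumption taken from standard DNS label rules.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_hostname(name: str) -> List[str]:
    """Problems with a Hostname field value; empty list means it passes."""
    problems = []
    labels = name.split(".")
    if len(labels) == 1 and len(name) > MAX_HOSTNAME_LEN:
        problems.append(f"hostname {name!r} exceeds {MAX_HOSTNAME_LEN} characters")
    if len(labels) > 1 and len(name) > MAX_FQDN_LEN:
        problems.append(f"FQDN {name!r} exceeds {MAX_FQDN_LEN} characters")
    for label in labels:
        if not _LABEL_RE.match(label):
            problems.append(f"label {label!r} may only use a-z, 0-9 and hyphens")
    return problems


@dataclass
class TrafficGroupNet:
    """Values entered on the Network Settings page for one traffic group (assumed model)."""
    name: str
    network_type: str                # "Static" or "DHCP"
    ip: Optional[str] = None
    netmask: Optional[str] = None
    mtu: Optional[int] = None
    gateway: Optional[str] = None    # optional per-traffic-group gateway


def validate_network(groups, default_gateway, in_use_addresses=frozenset()) -> List[str]:
    """Apply the guide's cross-group rules. `in_use_addresses` is a constructed
    stand-in for the appliance's own on-the-wire address collision check."""
    problems = []
    if sum(g.network_type == "DHCP" for g in groups) > 1:
        problems.append("DHCP cannot be enabled on more than one traffic group")
    subnet_owner = {}                # subnet -> name of the group that first used it
    for g in groups:
        if g.network_type != "Static":
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{g.ip}/{g.netmask}")
        except ValueError as exc:
            problems.append(f"{g.name}: invalid IP address/netmask: {exc}")
            continue
        if str(iface.ip) in in_use_addresses:
            problems.append(f"{g.name}: address {iface.ip} is already present on the network")
        net = iface.network
        if net in subnet_owner:      # the guide: subnets must not appear more than once
            problems.append(f"{g.name}: subnet {net} is already used by {subnet_owner[net]}")
        subnet_owner.setdefault(net, g.name)
        if g.mtu is not None and g.mtu > MAX_MTU:
            problems.append(f"{g.name}: MTU {g.mtu} exceeds {MAX_MTU}")
        if g.gateway is not None and ipaddress.ip_address(g.gateway) not in net:
            problems.append(f"{g.name}: gateway {g.gateway} is not on subnet {net}")  # assumption
    if default_gateway is not None:  # the guide: must match a subnet of a defined static network
        gw = ipaddress.ip_address(default_gateway)
        if not any(gw in net for net in subnet_owner):
            problems.append(f"default gateway {default_gateway} does not match any defined static subnet")
    return problems


def candidate_names(name: str, search_domains: str) -> List[str]:
    """Names tried for a value typed on the appliance (NTP server, proxy, AD).
    Assumption: a name containing a dot, or an IP address, is used as-is; a bare
    name has each space-separated search domain appended, in the order entered."""
    try:
        ipaddress.ip_address(name)
        return [name]
    except ValueError:
        pass
    if "." in name:
        return [name]
    return [f"{name}.{domain}" for domain in search_domains.split()]


if __name__ == "__main__":
    # Constructed sample: data on 10.10.1.0/24, management on DHCP, gateway on the data subnet.
    plan = [TrafficGroupNet("General", "Static", "10.10.1.20", "255.255.255.0", 1500),
            TrafficGroupNet("Management", "DHCP")]
    print(validate_hostname("filer.domain.com"))
    print(validate_network(plan, "10.10.1.1"))
    print(candidate_names("server1", "mycompany.com"))
```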

Nasuni Edge Appliance Time Configuration

Important: Edge Appliances and the NMC must be configured with operational DNS servers and a time server (internal or external) within your environment.

You can set the time zone and time server for the Nasuni Edge Appliance, which are necessary for notifications and file sharing purposes. The time zone setting you select should be for the region where the Nasuni Edge Appliance is physically located. For example, if you are located in the eastern part of the United States, use “US/Eastern”.

See Worksheets for a worksheet for planning configurations.

Caution: Editing the Edge Appliance time configuration (time zone or time servers) disconnects and resets all currently connected SMB clients for the selected Edge Appliance, and can restart the Edge Appliance. This restart helps to ensure proper authentication.

To configure the time zone and source settings, follow these steps:

  1. Click Configuration, then select Time Configuration. The Filer Time Configuration page appears.

    Figure 11-19: Filer Time Configuration page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

  2. From the Time Zone drop-down list, select a time zone. Time zones are listed alphabetically by country (such as “Portugal”), city (such as “Europe/Zagreb”), and abbreviation (such as “GMT”).

  3. In the Time Server text box, enter the hostnames of one or more valid Network Time Protocol (NTP) servers, separated by commas. By default, all Nasuni Edge Appliances are set to use Nasuni's NTP server, time.nasuni.com, to set the time daily. If you cannot open port 123 in your firewall to access time.nasuni.com, you should change to an internal NTP server.

    For details about ports and firewalls, see Firewall and Port Requirements.

  4. Click Save Time Configuration to accept your selection. The message “Timezone set; you may be disconnected while your changes are applied.” appears.

General CIFS Settings

On the General CIFS Settings page you can perform the following actions:

  • Configure CIFS settings. See “Configuring CIFS (SMB) settings”.

  • Join the Nasuni Edge Appliance to an Active Directory domain or an LDAP Directory Services domain. You can specify the domain, and an Auto Detect wizard attempts to discover necessary domain information automatically. See “Directory Services”.

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Tip: LDAP Directory Services must be enabled in the client license before joining an LDAP domain. Active Directory is enabled by default.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

Caution: Edge Appliances joined to LDAP cannot share volumes with Edge Appliances joined to Active Directory. Similarly, Edge Appliances joined to Active Directory cannot share volumes with Edge Appliances joined to LDAP. If you want Edge Appliances to share volumes, ensure that they are joined to the same directory service.

Support for authentication using Active Directory or LDAP has been combined on the Directory Services page. See “Directory Services”.

You can associate an Active Directory or LDAP Directory Services domain group with a permission group. This enables you to log in using Active Directory or LDAP Directory Services credentials. See “Adding Permission Groups”.

See Worksheets for a worksheet for planning configurations.

Configuring CIFS (SMB) settings

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Important: It is necessary to designate Administrative Users, who have full access to all data on CIFS shares, and the rights to change file and folder permissions. See step 2 below.

Note: This procedure allows you to specify a CIFS Administrative User. If you are trying to create an administrator for the Edge Appliance itself (called a “Filer Administrator”), see “Filer Administrators”.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

To configure CIFS settings, follow these steps:

  1. Click Configuration, then select General Settings from the list. The General CIFS Settings page appears.

    Figure 11-21: General CIFS Settings page.

  2. In the Administrative User(s) text box, enter a list of administrative users. Entering a user name provides each specified user with full access to all data on CIFS shares to which the user has access, and rights to change file and folder permissions, regardless of current ACL settings.

    Important: It is necessary to designate Administrative Users, who have full access to all data on CIFS shares, and the rights to change file and folder permissions.

    Note: This procedure is to specify a CIFS Administrative User. If you are trying to create an administrator for the Edge Appliance itself (called a “Filer Administrator”), see “Filer Administrators”.

    In specifying Administrative User(s), follow these guidelines:

    • User names must be in the Primary domain, as described in “Directory Services”.

    • Administrative User names can have up to 128 characters. However, Active Directory requires such names to be 20 characters or fewer. Therefore, you should only use Administrative User names that are 20 characters or fewer.

    • If you are specifying more than one user name, separate the user names with commas or semicolons.

    • Do not specify groups. Only specify individual users.

    • Do not use domain names. Only specify user names in the Primary domain. For example, do not use “mydomain\myname” or “myname@mydomain.com”. Only use “myname”.

    Tip: In order for an Administrative User to connect to a share, the Administrative User must be included in share-level permissions in at least one of the following ways:

    • the Security of the share is set to Public.

    • the Authenticate setting of the share is set to "Authenticate all Users".

    • the Administrative User is a member of a Group that has permissions.

    • the Administrative User is a User that has permissions.

    Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user. This directory is used with features such as “File Alert Service”, “Antivirus Protection”, and “File System Auditing”, and for log files.

    Note: If this Nasuni Edge Appliance is under the control of the Nasuni Management Console, the following button and pane do not appear, because you use the Nasuni Management Console to perform these tasks. Click Filers, then select CIFS Settings.

  3. If the current security mode is LDAP Directory Services or Public, the Workgroup text box is also available.

    Figure 11-22: General CIFS Settings page.

    In the Workgroup text box, enter a local Windows NT-compatible workgroup name (15 characters maximum) in which the Nasuni Edge Appliance can be accessed. To use the default workgroup for the domain, leave this field blank. Some domains need this value if the name cannot be automatically determined.

  4. Optionally, to display advanced options, click Show Advanced Options. The Advanced Options pane appears.

    Figure 11-23: Advanced Options pane.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this pane is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

    Note: For sites with mostly Windows clients, the default settings are best.

    1. From the Protocol Level drop-down list, select the maximum version of the CIFS/SMB protocol that the server negotiates with the client. This is the highest level that the Nasuni Edge Appliance supports. The client can negotiate a lower version, if necessary. The choices include the following:

      • CIFS: Common Internet File System protocol, also called SMB 1.0. SMB 1.0 is disabled by default. To enable SMB 1.0, request Nasuni Support to configure the SMB minimum protocol version setting.

      • CIFS & SMB2: Server Message Block version 2.0. SMB 2.0 offers improved performance over SMB 1.0.

      • CIFS & SMB3: Server Message Block version 3.0. SMB 3.0 offers improved performance and security over SMB 2.0.

      Tip: Best practice is to select “CIFS & SMB3”. Using SMB3 can improve performance.

      Durable handles allow SMB 2.0 and higher clients to open a file and survive a temporary connection loss (60 seconds or less). Durable handles are supported for volumes with NTFS Exclusive Permissions Policy and cannot be used with Global File Lock.

      Note: When Global Locking is enabled, support for SMB durable handles (allowing clients to survive temporary connection loss) is disabled. Enabling Global Locking anywhere on the volume disables durable handles. If durable handles are disabled in this way, they cannot be enabled again.

    2. From the Allocation Roundup Size drop-down list, select the allocation roundup size. The default is to be disabled.

    3. To allow clients to use Portable Operating System Interface (POSIX) semantics, select the Enhanced Support for POSIX Clients check box (selected by default). If you clear this option, POSIX clients can still connect. However, they do not have the full range of file server operations.

      Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

    4. To disallow anonymous connections, select Restrict Anonymous. When selected, users cannot log into CIFS without entering a valid username and password.

      Tip: If “Restrict Anonymous” is not set, anonymous connections are allowed, and users can log into CIFS without entering a valid username and password.

      If “Restrict Anonymous” is set, anonymous connections are not allowed, and users must enter a valid username and password to log into CIFS. In particular, users cannot discover shares, cannot discover or list sessions, and cannot discover or list users and groups.

      To enable additional restriction options, request Nasuni Support to configure the SMB Restrict Anonymous setting.

    5. To close this display, click Hide Advanced Options.

  5. Click Save CIFS Settings to save your settings. The Change General CIFS Settings? dialog box appears.

    Note: Changing these settings only affects new CIFS/SMB clients. You must disconnect or reset an existing client's connection to use the new settings.

  6. Click Continue Saving. Your CIFS settings are saved. Otherwise, click Cancel.
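The following is an added example, not Nasuni code, covering two parts of the procedure above: the guidelines for the Administrative User(s) field in step 2 (comma- or semicolon-separated bare user names, no `domain\name` or `name@domain` forms, 128-character field limit with the 20-character Active Directory limit), and the effect of the Protocol Level setting in step 4, where the appliance advertises a maximum dialect and the client may negotiate a lower one. The negotiation model is a simplified illustration: it treats SMB 1.0 (CIFS) as excluded unless explicitly enabled, standing in for the minimum-protocol-version setting that Nasuni Support configures, and it does not model actual SMB NEGOTIATE messages.

```python
import re
from typing import List, Optional

# Added example, not Nasuni code: checks for the General CIFS Settings page.
MAX_ADMIN_NAME_LEN = 128    # the guide: Administrative User names can have up to 128 characters
AD_NAME_LIMIT = 20          # the guide: Active Directory requires 20 characters or fewer


def parse_admin_users(text: str) -> List[str]:
    """Split the Administrative User(s) field on commas or semicolons, dropping blanks."""
    return [name.strip() for name in re.split(r"[,;]", text) if name.strip()]


def validate_admin_users(text: str) -> List[str]:
    """Problems with the Administrative User(s) field; empty list means it passes."""
    problems = []
    names = parse_admin_users(text)
    if not names:
        problems.append("at least one Administrative User must be designated")
    for name in names:
        if "\\" in name or "@" in name:
            problems.append(f"{name!r}: use the bare user name in the Primary domain, "
                            "not 'domain\\name' or 'name@domain' forms")
        elif len(name) > MAX_ADMIN_NAME_LEN:
            problems.append(f"{name!r}: exceeds {MAX_ADMIN_NAME_LEN} characters")
        elif len(name) > AD_NAME_LIMIT:
            problems.append(f"{name!r}: exceeds {AD_NAME_LIMIT} characters, "
                            "which Active Directory requires")
    return problems


# Dialects in ascending order, and the highest dialect each Protocol Level choice allows.
DIALECT_ORDER = ["CIFS", "SMB2", "SMB3"]
PROTOCOL_LEVEL_MAX = {"CIFS": "CIFS", "CIFS & SMB2": "SMB2", "CIFS & SMB3": "SMB3"}


def negotiated_dialect(protocol_level: str, client_dialects: List[str],
                       smb1_enabled: bool = False) -> Optional[str]:
    """Highest dialect supported by both the appliance and the client, or None.

    Simplified model (assumption): the appliance offers every dialect up to the
    Protocol Level maximum, except that CIFS (SMB 1.0) is left out unless it has
    been enabled, mirroring the guide's "disabled by default" statement.
    """
    server_max = PROTOCOL_LEVEL_MAX[protocol_level]
    offered = DIALECT_ORDER[: DIALECT_ORDER.index(server_max) + 1]
    if not smb1_enabled:
        offered = [d for d in offered if d != "CIFS"]
    common = [d for d in offered if d in client_dialects]
    return common[-1] if common else None


if __name__ == "__main__":
    print(validate_admin_users("storageadmin; CORP\\backupsvc"))   # constructed sample names
    print(negotiated_dialect("CIFS & SMB3", ["SMB2", "SMB3"]))     # SMB3
    print(negotiated_dialect("CIFS & SMB3", ["CIFS"]))             # None: SMB 1.0 is off by default
```

A client that only speaks SMB 1.0 fails to connect at the default settings even with Protocol Level set to “CIFS & SMB3”; the field controls the ceiling, and the separately configured minimum version controls the floor.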

Joining a Nasuni Edge Appliance to a domain

If the Nasuni Edge Appliance has not previously joined any Active Directory domain or LDAP Directory Services domain, you can join the Nasuni Edge Appliance to a domain. Both Active Directory and LDAP are supported. You can specify the domain, and an Auto Detect wizard attempts to discover necessary domain information automatically. For the procedure to join the Nasuni Edge Appliance to a domain, see “Procedure for joining Nasuni Edge Appliance (not previously joined) to domain”.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

Important: To connect an Edge Appliance to a shared volume owned by another Edge Appliance, the following must be true:

  • The Edge Appliance must join the same domain as the owning Edge Appliance.

  • The domain configuration for the Edge Appliance must match the domain configuration for the owning Edge Appliance.

Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

Caution: Edge Appliances joined to LDAP cannot share volumes with Edge Appliances joined to Active Directory. Similarly, Edge Appliances joined to Active Directory cannot share volumes with Edge Appliances joined to LDAP. If you want Edge Appliances to share volumes, ensure that they are joined to the same directory service.

Caution: Avoid using characters that systems, such as Active Directory, specify as disallowed, including period (.), backslash (\), forward slash (/), colon (:), asterisk (*), question mark (?), quotation mark ("), less than sign (<), greater than sign (>), percent (%), and vertical bar (|). Errors can occur for Nasuni Edge Appliances whose names include such characters. For example, it might not be possible to configure the Nasuni Edge Appliance for Active Directory access. You can change the name of the Nasuni Edge Appliance to avoid such characters.

About Active Directory

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Microsoft's Active Directory (AD) service is capable of providing security across multiple domains or forests through domain and forest trust relationships. The trusts established between domains allow or deny users access to resources outside their native domain. After you establish the correct trust relationships among your Active Directory servers, you can enable access and permissions for users and groups within the trusted domains. Configuration of trusts between domains is outside the scope of this document.

Tip: Nasuni also supports the “Identity Management for UNIX” role service for Active Directory. This feature allows UNIX-style user and group identities to be stored in Active Directory, and can synchronize identity management across CIFS (SMB) and NFS. If your organization requires this functionality:

  • During the initial engagement, inform Nasuni Professional Services of your needs.

  • Configure Active Directory in consultation with Nasuni Professional Services or Nasuni Support.

  • Request Nasuni Support to configure the Edge Appliance for Active Directory Unix Extensions (RFC 2307).

The Nasuni Edge Appliance can join one Windows Active Directory domain server and access its users and groups. These users and groups can only be edited through Active Directory tools.

Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.

Important: If joining an Active Directory domain, members of the Active Directory "Protected Users" security group cannot be used to join the domain. This is due to the login restrictions for members of that security group. Nasuni recommends using a Domain Admin account that is not a part of the “Protected Users” group to join Active Directory.

The Nasuni Edge Appliance joins one domain, called the primary domain. If the client’s environment has valid, active trust relationships between the primary domain and other domains, the Nasuni Edge Appliance attempts to discover those domains automatically. You can then select which of the non-primary domains to allow to access the Nasuni Edge Appliance.

Important: You cannot use Active Directory passwords longer than 127 characters to log in to the NMC.

The Nasuni Edge Appliance offers support for trusted domains of multiple Active Directory servers. This can simplify enabling access and permissions for users and groups within trusted domains. To use trusted domains of multiple Active Directory servers, you must establish the correct trust relationships among your Active Directory servers.

There are two aspects to trusted domain support: authentication and sharing. The authentication aspect allows a user to access a Nasuni Edge Appliance’s resources in a different domain. The sharing aspect enables systems in different domains to access the same data.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

About LDAP Directory Services

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

As an alternative to Microsoft Active Directory, some organizations prefer to use their own LDAP and Kerberos services. This is often the case for organizations that rely heavily on UNIX-style clients, such as Linux or macOS. The LDAP protocol is used for identifying users and other resources. The Kerberos protocol is used for authentication. In lieu of joining a domain, the Nasuni Management Console requires a Kerberos keytab file, which contains encryption keys associated with network services (service principal names).
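The keytab mentioned above is worth inspecting before it is uploaded. The following is an added example, not Nasuni's code: it parses the MIT keytab format and checks that the expected service principal is present with a non-weak encryption type. The principal cifs/filer.domain.com@DOMAIN.COM, the sample entries and the list of enctypes treated as weak are assumptions constructed here.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers from the IANA Kerberos registry (RFC 3961 / RFC 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
# Policy choice made for this example: DES and RC4 keys are treated as weak.
WEAK_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str   # e.g. cifs/host.example@REALM
    enctype: int
    kvno: int
    timestamp: int


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, timestamp, key) tuples as an MIT keytab,
    version 0x0502 (all integers big-endian). Only used to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, ts, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)               # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", ts)
        body += struct.pack(">B", kvno & 0xFF)     # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_cstr(data, pos):
    """Counted octet string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Parse a version-2 MIT keytab. Key bytes are skipped; only the principal,
    enctype, kvno and timestamp of each entry are returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        pos += 4                      # name type, not needed here
        ts, vno8, enctype, klen = struct.unpack_from(">IBHH", data, pos)
        pos += 9 + klen               # header fields plus the key material
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present: it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, enctype, kvno, ts))
    return entries


def check_keytab(data, expected_principal):
    """Pre-upload check: expected_principal must have at least one non-weak key,
    and no entry at all should use a weak enctype. Returns (ok, findings)."""
    entries = parse_keytab(data)
    findings = []
    if not any(e.principal == expected_principal and e.enctype not in WEAK_ENCTYPES
               for e in entries):
        findings.append(f"no strong key for {expected_principal}")
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            findings.append(f"{e.principal} kvno {e.kvno} uses weak enctype {name}")
    return not findings, findings


# Constructed sample: an appliance named filer in domain.com (the names used in the
# join procedure) with AES keys for its CIFS service and a leftover RC4 key for NFS.
SAMPLE_KEYTAB = build_keytab([
    ("cifs/filer.domain.com@DOMAIN.COM", 18, 3, 1700000000, bytes(32)),
    ("cifs/filer.domain.com@DOMAIN.COM", 17, 3, 1700000000, bytes(16)),
    ("nfs/filer.domain.com@DOMAIN.COM", 23, 2, 1700000000, bytes(16)),
])
```

Running check_keytab on a real keytab read from disk reports the leftover RC4 entry as a finding, which is the signal to regenerate the keytab with only AES keys before uploading it.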

Tip: LDAP Directory Services must be enabled in the client license before joining an LDAP domain. Active Directory is enabled by default.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Note: The Nasuni Management Console requires the use of Kerberos for secure authentication, and does not support storing passwords in LDAP.

Caution: Edge Appliances joined to LDAP cannot share volumes with Edge Appliances joined to Active Directory. Similarly, Edge Appliances joined to Active Directory cannot share volumes with Edge Appliances joined to LDAP. If you want Edge Appliances to share volumes, ensure that they are joined to the same directory service.

Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

Procedure for joining Nasuni Edge Appliance (not previously joined) to domain

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Tip: LDAP Directory Services must be enabled in the client license before joining an LDAP domain. Active Directory is enabled by default.

Important: To connect an Edge Appliance to a shared volume owned by another Edge Appliance, the following must be true:

  • The Edge Appliance must join the same domain as the owning Edge Appliance.

  • The domain configuration for the Edge Appliance must match the domain configuration for the owning Edge Appliance.

Caution: Edge Appliances joined to LDAP cannot share volumes with Edge Appliances joined to Active Directory. Similarly, Edge Appliances joined to Active Directory cannot share volumes with Edge Appliances joined to LDAP. If you want Edge Appliances to share volumes, ensure that they are joined to the same directory service.

Important: If joining an Active Directory domain, members of the Active Directory "Protected Users" security group cannot be used to join the domain. This is due to the login restrictions for members of that security group. Nasuni recommends using a Domain Admin account that is not a part of the “Protected Users” group to join Active Directory.

Caution: Avoid using characters that systems, such as Active Directory, specify as disallowed, including period (.), backslash (\), forward slash (/), colon (:), asterisk (*), question mark (?), quotation mark ("), less than sign (<), greater than sign (>), percent (%), and vertical bar (|). Errors can occur for Nasuni Edge Appliances whose names include such characters. For example, it might not be possible to configure the Nasuni Edge Appliance for Active Directory access. You can change the name of the Nasuni Edge Appliance to avoid such characters.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

If the Nasuni Edge Appliance has not previously joined any Active Directory domain or LDAP Directory Services domain, follow these steps:

  1. Click Configuration, then select General Settings from the list. On the General CIFS Settings page, the “Connect to a Directory Service” button is available.

    Figure 11-24: “Connect to a Directory Service” button available on General CIFS Settings page.

  2. To join an Active Directory domain, follow the sub-steps below. Otherwise, to join an LDAP Directory Services domain, skip to step 3 below.

    Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

    1. To join an Active Directory domain, follow this procedure.

      Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.

      Important: In order to link an Active Directory domain group to a permission group, the “Group type” of the Active Directory domain group must be “Security”. If the “Group type” of the Active Directory domain group is “Distribution”, users within the Active Directory domain group are not able to log in.

      Important: If joining an Active Directory domain, members of the Active Directory "Protected Users" security group cannot be used to join the domain. This is due to the login restrictions for members of that security group. Nasuni recommends using a Domain Admin account that is not a part of the “Protected Users” group to join Active Directory.

    2. If joining a Read-Only Domain Controller (RODC), see “Considerations for a Read-Only Domain Controller (RODC)” first.

    3. Click “Connect to a Directory Service”. The Directory Services page appears.

      Figure 11-25: Directory Services page.

    4. In the Domain text box, enter the fully qualified Active Directory domain name that you want the Nasuni Edge Appliance to join. The Nasuni Edge Appliance joins this domain to authenticate users from the Active Directory server.

    5. Leave Auto Detect selected. If Auto Detect is selected, the wizard attempts to determine whether the specified domain is an Active Directory domain or an LDAP domain, and then attempts to retrieve pertinent information using DNS.

      Note: For Auto Detect to work, the DNS must be configured to refer to directory service settings.

      If, after you click Continue (sub-step 13 below), the wizard is unsuccessful in automatically detecting configuration information, deselect Auto Detect. The Directory Service Type drop-down list becomes available.

    6. To automatically alter the system’s hostname so that it is part of the domain to be joined, select Alter System Hostname. For example, if joining a Nasuni Edge Appliance (such as filer) to a domain (such as domain.com), Nasuni recommends using the fully qualified domain name with the hostname to form the new hostname (such as filer.domain.com). Alternatively, if you know that the hostname is correct for this domain, deselect Alter System Hostname.

    7. If Auto Detect is deselected, the Directory Service Type drop-down list becomes available. From the drop-down list, select Active Directory.

      Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

    8. (Optional) In the Workgroup text box, enter a local Windows NT-compatible workgroup name (15 characters maximum) in which the Nasuni Edge Appliance can be accessed. To use the default workgroup for the domain, leave this field blank. Some domains need this value if the name cannot be automatically determined.

      Tip: This value cannot be changed after the Nasuni Edge Appliance joins the domain.

    9. (Optional) In the Domain Controller text box, enter the fully qualified domain name of the primary domain controller. For example, DomainControllerName.domain.com.

      Entering a Domain Controller name forces the Nasuni Edge Appliance to use only that domain controller. However, leaving the Domain Controller text box blank causes the Nasuni Edge Appliance to automatically find and use an appropriate Domain Controller, and also allows for Domain Controller failover. Unless you want only one specific domain controller to be used, leave the Domain Controller text box blank.

      In particular, if you want support for trusted domains of multiple Active Directory servers, leave the Domain Controller text box blank.

      Note: The Active Directory Sites and Services feature tries to find nearby Domain Controllers to use.

    10. (Optional) Many local groups are created automatically, such as when installing the Microsoft Windows operating system. These local groups are often referred to as “built-in groups”. Of these local groups, the Administrators and Users groups can be granted filesystem-level permissions to the upper level of source fileserver data drives. By default, these permissions are inherited throughout directory structures.

      To support filesystem best practices, Nasuni recommends converting permissions to domain groups on source file servers. See “Built-In Administrators and Users Local Groups”. When this is done, leave the Users Built-In Group Name text box and the Administrators Built-In Group Name text box blank.

      When the conversion of permissions to domain groups is not possible, Nasuni provides the ability to associate the local Administrators and Users groups to domain groups. For this functionality, a single Active Directory Universal Group can be associated with each local group. This association must be consistent across all Nasuni Edge Appliances sharing volumes.

      Note: This functionality might limit future ability to connect Edge Appliances to volumes, if either group association is not consistent with other Edge Appliances already sharing the same volumes.

      Note: Changes to these groups are not reflected for connected clients. Connected clients must reconnect in order for the settings to be applied to their session.

      Figure 11-26: Built-In Groups on Directory Services page.

      • (Optional) To link to the BUILTIN\Users group, in the Users Built-In Group Name text box, enter the NETBIOS name of an Active Directory Universal Group. The maximum length of a group name is 30 characters.

      • (Optional) To link to the BUILTIN\Administrators group, in the Administrators Built-In Group Name text box, enter the NETBIOS name of an Active Directory Universal Group. The maximum length of a group name is 30 characters.

        Note: Nasuni stores SIDs, not the name of the group. To display the group name, Nasuni looks up the current name of the group in Active Directory using the SID for the group. Therefore, when the page is displayed, if the stored SIDs cannot be resolved (for example, due to network errors), then the unresolved SID is shown instead of the NETBIOS group name.

    11. (Optional) In the Computer OU text box, enter a domain organization unit in which the Nasuni Edge Appliance is placed. You can use standard notation, such as:

      OU=<name>,...,DC=<name>,...

      If you leave this value blank, the Nasuni Edge Appliance is placed in the default location, the domain’s Computers container.

      Tip: This value cannot be changed after the Nasuni Edge Appliance joins the domain.

    12. (Optional) To use Network Time Protocol (NTP) services provided by domain controllers, select NTP from Domain Controllers. If no NTP services are available from domain controllers, the current NTP server is used. See “Nasuni Edge Appliance Time Configuration”.

      Tip: This value cannot be changed after the Nasuni Edge Appliance joins the domain.

    13. Click Continue. The wizard attempts to look up domain information in the DNS. If successful, the wizard returns to this page, enters the information found, and deselects Auto Detect. You can then enter or change any information.

    14. If the message appears that Auto Detect was successful, verify any values that Auto Detect added, deselect Auto Detect if still selected, then click Continue.

    15. The Confirm/Authenticate Directory Service dialog box appears.

      Figure 11-27: Confirm/Authenticate Directory Service dialog box.

      Enter the user name and password of a user who is authorized to join this Nasuni Edge Appliance to the specified domain. Click Submit.

    16. The wizard attempts to use the given credentials for the specified domain. If successful, the Volume Selection tab is selected.

      Figure 11-28: Volume Selection tab.

      For each volume in the list, select whether to use domain-based authentication for that volume, then click Continue.

    17. The wizard attempts to establish the specified authentication for the specified volumes. If successful, the Domain Configuration tab is selected.

      Figure 11-29: Domain Configuration tab.

      If any other Nasuni Edge Appliances on your account are already configured for access to the specified domain, they appear in a list. Select one of those Nasuni Edge Appliances from the Configuration Source drop-down list in order to duplicate its user and group mappings. This helps to ensure consistent and successful authentication.

      Alternatively, if there are no other Nasuni Edge Appliances already configured for access to the specified domain, or if you prefer to configure domains and trusts manually, select Local Settings from the Configuration Source drop-down list.

      Allow Unique Settings: If your account has an existing Domain Configuration that can be copied, you must indicate that you are aware that Local Settings might cause issues with Remote Volumes and permissions by selecting Allow Unique Settings.

      Selecting Allow Unique Settings enables this Edge Appliance to specify unique ID maps for all the domains discovered within your environment. Only select this in situations where discrete mappings are necessary (for example, with segregated domains for Group A that should never work with Group B). Before selecting this option, consult with Nasuni Customer Support.

      Click Continue.

    18. The wizard attempts to configure for the specified domain. If successful, the Enable Domains tab is selected.

      Figure 11-30: Enable Domains tab.

      A list of available domains appears. From this list, select the domains that you want the Nasuni Edge Appliance to access.

      Click Continue.

    19. The wizard attempts to enable the selected domains. If successful, the “Complete the Configuration” tab is selected.

      Figure 11-31: “Complete the Configuration” tab.

      Verify the configuration values, then click Finish.

    20. The wizard attempts to complete the configuration. If successful, the Directory Services page appears.

      Figure 11-32: Directory Services page.

      Tip: Because the new domain users come from the NMC, it might take a few minutes before you can access the Edge Appliance UI as a domain user.

      The newly joined domain appears in the Domain Settings list.

      To configure directory services settings, see “Directory Services”. To configure CIFS settings, see “General CIFS Settings”.

    21. To update the list of trusted domains that the Edge Appliance is aware of, click Update Domains. This adds new trusted domains, as well as changes to existing domains that the Edge Appliance is aware of.

      This button does not remove decommissioned domains that had previously been discovered.

  3. Alternatively, to join an LDAP Directory Services domain, follow the procedure below.

    Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

    Tip: LDAP Directory Services must be enabled in the client license before joining an LDAP domain. Active Directory is enabled by default.

    Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

    Important: If your LDAP server does not use a publicly trusted certificate, you must upload a globally or locally trusted certificate to the Nasuni Edge Appliance, so that the Nasuni Edge Appliance trusts your LDAP server. See “Uploading SSL server certificates”.

    Important: If using FreeIPA for LDAP authentication, see “Using FreeIPA for LDAP authentication” before continuing.

    Important: We recommend the use of indexes for uidNumber and gidNumber attributes. If your LDAP Directory Server can look up records based on uidNumber and gidNumber quickly without an index, this is also sufficient.

    1. Click “Connect to a Directory Service”. The Directory Services page appears.

      Figure 11-33: Directory Services page.

    2. In the Domain text box, enter the fully qualified LDAP Directory Services domain name that you want the Nasuni Edge Appliance to join. The Nasuni Edge Appliance joins this domain to authenticate users from the LDAP Directory Services server.

    3. If not using FreeIPA, leave Auto Detect selected. If Auto Detect is selected, the wizard attempts to determine whether the specified domain is an Active Directory domain or an LDAP domain, and then attempts to retrieve pertinent information using DNS. If the wizard detects an LDAP Directory Services domain, it also tries to detect the type of domain (FreeIPA, Apple Open Directory, or Generic).

      Note: If using FreeIPA, leave Auto Detect off (unselected).

      Note: For Auto Detect to work, the DNS must be configured to refer to directory service settings.

      If, after clicking Continue (sub-step 6 below), the wizard is unsuccessful in automatically detecting configuration information, deselect Auto Detect. The Directory Service Type drop-down list becomes available.

    4. To automatically alter the system’s hostname so that it is part of the domain to be joined, select Alter System Hostname. For example, if joining a Nasuni Edge Appliance (such as filer) to a domain (such as domain.com), Nasuni recommends using the fully qualified domain name with the hostname to form the new hostname (such as filer.domain.com). Alternatively, if you know that the hostname is correct for this domain, deselect Alter System Hostname.

    5. If Auto Detect is deselected, the Directory Service Type drop-down list becomes available. From the drop-down list, select LDAP Directory Services.

      Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

    6. If Auto Detect is selected, click Continue. The wizard attempts to look up domain information in the DNS. If successful, the wizard returns to this page, enters the information found, and deselects Auto Detect. You can then enter or change any information.

      Figure 11-34: Directory Services page.

      If the message appears that Auto Detect was successful, verify any values that Auto Detect added, deselect Auto Detect if still selected, then click Continue.

    7. If the directory services provider has not already been selected, from the Directory Services Provider drop-down list, select the provider that matches your LDAP and Kerberos servers. Options include FreeIPA, Generic LDAP/Kerberos, and Apple OpenDirectory. Selecting the appropriate provider causes the wizard to fill in various connection parameters. The following steps detail the Generic LDAP/Kerberos option, where the wizard does not assume any connection settings.

      Note: Some of the following fields are optional, depending on the choice of Directory Services Provider.

      1. In the LDAP Servers text box, enter a list of the domain names (or IP addresses) of the LDAP servers for the Nasuni Edge Appliance to connect to, separated by commas.

        To use DNS to retrieve information, leave this text box blank.

      2. In the Kerberos KDC Servers text box, enter a list of the IP addresses or hostnames of the Kerberos Key Distribution Center (KDC) servers for the Nasuni Edge Appliance to connect to, separated by commas.

        To use DNS to retrieve information, leave this text box blank.

      3. (Optional.) From the LDAP ID Schema drop-down list, select the LDAP ID schema used by your LDAP infrastructure: RFC2307 or RFC2307bis.

      4. (Optional.) In the LDAP User Search Base text box, enter an LDAP DN (distinguished name) that indicates a subtree that contains users.

      5. (Optional.) In the LDAP Group Search Base text box, enter an LDAP DN (distinguished name) that indicates a subtree that contains groups.

      6. (Optional.) In the LDAP User Name Attribute text box, enter the LDAP user name attribute.

      7. (Optional.) In the LDAP Group Name Attribute text box, enter the LDAP group name attribute.

      8. (Optional.) In the LDAP Netgroup Search Base text box, enter an LDAP DN (distinguished name) that indicates a subtree that contains netgroups.

      9. (Optional.) In the LDAP Bind DN text box, enter an LDAP DN (distinguished name) to use instead of an anonymous bind.

      10. (Optional.) In the LDAP Bind Password text box, enter the password used to bind with the LDAP Bind DN.

      11. In the Minimum Supported ID text box, enter the minimum user or group ID to map to the Nasuni Edge Appliance. This is needed for the case where you want the Nasuni Edge Appliance to ignore some of the IDs that Auto Detect might identify in your LDAP infrastructure, or to use IDs outside of the ranges that are allowed to be automatically chosen by the Nasuni Edge Appliance.

        To have Auto Detect find this, leave blank.

      12. In the Maximum Supported ID text box, enter the maximum user or group ID to map to the Nasuni Edge Appliance. This is needed for the case where you want the Nasuni Edge Appliance to ignore some of the IDs that Auto Detect might identify in your LDAP infrastructure, or to use IDs outside of the ranges that are allowed to be automatically chosen by the Nasuni Edge Appliance.

        To have Auto Detect find this, leave blank.

      13. Click Continue. The wizard attempts to look up domain information in DNS. If successful, the wizard returns to this page, enters the information found, and deselects Auto Detect. You can then enter or change any information.

    8. The Confirm/Authenticate Directory Service dialog box appears.

      Figure 11-35: Confirm/Authenticate Directory Service dialog box.

      If necessary, enter the user name and password of a directory user who is authorized to join this Nasuni Edge Appliance to the specified domain. Click Submit.

    9. The wizard checks the provided information before proceeding to the Keytab step. If the wizard is successful in checking the LDAP domain and other information, the wizard highlights the Keytab step.

    10. From the Keytab Source drop-down list, select the source of the Kerberos keytab for the Nasuni Edge Appliance from the following choices:

      • FreeIPA Server (only available on a FreeIPA system): If you select a FreeIPA server, enter the Username, Password, and Repeat Password, then click Continue.

        Figure 11-36: Directory Services page, Keytab step, selecting server.

      • Keytab file upload: If you select to upload a keytab file, click Browse to navigate to the file, then click Continue.

        Figure 11-37: Directory Services page, Keytab step, uploading keytab file.

      Caution: The maximum length of a file name is 255 bytes.

      In addition, the length of a path, including the file name, must be less than 4,000 bytes.

      Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

      If a particular client has other limits, the smaller of the two limits applies.

    11. The wizard checks the provided keytab information before proceeding to the Volume Selection step. If the wizard is successful in obtaining the Kerberos keytab information, the wizard highlights the Volume Selection step.

      If there are no volumes, the Volume Selection step is skipped.

      If there are volumes, for each volume in the list, select whether to use authentication based on LDAP Directory Services for that volume, then click Continue.

    12. The wizard attempts to establish the specified authentication for the specified volumes. If successful, the Domain Configuration tab is selected.

      If any other Nasuni Edge Appliances on your account are already configured for access to the specified domain, they appear in a list. Select one of those Nasuni Edge Appliances from the Configuration Source drop-down list in order to duplicate its user and group mappings. This helps to ensure consistent user authentication and ID mapping across Nasuni Edge Appliances accessing the same volumes.

      Alternatively, if there are no other Nasuni Edge Appliances already configured for access to the specified domain, or if you prefer to configure domains and trusts manually, select Local Settings from the Configuration Source drop-down list.

      Click Continue.

    13. The wizard attempts to configure for the specified domain. If successful, the “Complete the Configuration” tab is selected.

      Verify the configuration values, then click Continue.

    14. The wizard attempts to complete the configuration. If successful, the Directory Services page appears.

      Figure 11-38: Directory Services page.

The newly joined domain appears in the Domain Settings list.

To configure directory services settings, see “Directory Services”. To configure CIFS settings, see “General CIFS Settings”.
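The LDAP ID Schema and the Minimum and Maximum Supported ID fields in step 7 of the LDAP procedure above can be checked against a directory export before the join. The following is an added example, not Nasuni's code: it reads an LDIF export, tells RFC2307 group membership (memberUid) from RFC2307bis (DN-valued member), reports the ID range actually in use, and lists users or groups whose uidNumber or gidNumber would fall outside a chosen range. The LDIF content, the base dc=domain,dc=com and the schema heuristic are constructed assumptions.

```python
# Constructed sample LDIF for dc=domain,dc=com (the domain name used in the
# procedure): two posixAccount users and two posixGroup entries, one of which also
# carries DN-valued 'member' attributes in the RFC 2307bis style.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=domain,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 5000

dn: uid=svc-backup,ou=People,dc=domain,dc=com
objectClass: posixAccount
uid: svc-backup
uidNumber: 999
gidNumber: 5000

dn: cn=staff,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 5000
memberUid: alice

dn: cn=admins,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: admins
gidNumber: 70000
member: uid=alice,ou=People,dc=domain,dc=com
"""

ID_ATTRS = ("uidNumber", "gidNumber")


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry. Folded
    continuation lines are joined and comments skipped; base64 (::) values are
    not handled because the sample does not use them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def detect_id_schema(entries):
    """RFC 2307bis groups list members as DNs in 'member'; plain RFC 2307 groups
    list login names in 'memberUid'. Heuristic written for this example."""
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    return "RFC2307bis" if any("member" in g for g in groups) else "RFC2307"


def observed_id_range(entries):
    """Lowest and highest uidNumber/gidNumber present, i.e. the span that the
    Minimum and Maximum Supported ID settings would have to cover."""
    ids = [int(v) for e in entries for a in ID_ATTRS for v in e.get(a, [])]
    return (min(ids), max(ids)) if ids else None


def check_id_ranges(entries, min_id, max_id):
    """Entries whose uidNumber/gidNumber fall outside [min_id, max_id]; an appliance
    configured with those limits would not map these users or groups."""
    out = []
    for e in entries:
        for attr in ID_ATTRS:
            for v in e.get(attr, []):
                n = int(v)
                if n < min_id or n > max_id:
                    out.append((e["dn"][0], attr, n))
    return out
```

On a real export, the entries that check_id_ranges reports are the ones to either move into the supported range or deliberately exclude by narrowing the Minimum and Maximum Supported ID values.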

Disconnecting an Edge Appliance from an Active Directory domain

To disconnect an Edge Appliance from an Active Directory domain, you must first perform the procedure “Deleting Active Directory domain configuration”. If you are unable to perform this procedure, or if you cannot disconnect the Edge Appliance from the Active Directory domain after performing the procedure, contact Nasuni Support.

After disconnecting an Edge Appliance from an Active Directory domain, the Edge Appliance can then join another Active Directory domain, or rejoin the original Active Directory domain.

Built-In Administrators and Users Local Groups

Many local groups are created automatically, such as when installing the Microsoft Windows operating system. These local groups are often referred to as “built-in groups”.

Of these local groups, the Administrators and Users groups are granted filesystem-level permissions to the upper level of source fileserver data drives. By default, these permissions are inherited throughout directory structures. To support filesystem best practices, Nasuni recommends converting permissions to domain groups on source file servers.

The commands below can be used for this conversion.

To convert local Administrators (Well Known SID S-1-5-32-544) to a domain group, use a command like this (entered as a single command line):

SetACL.exe -on "<PATH>" -ot file -actn trustee -trst "n1:S-1-5-32-544;n2:<DOMAINNAME>\<GROUPNAME>;ta:repltrst;w:d" -actn trustee -trst "n1:S-1-5-18;ta:remtrst;w:d" -rec cont -log "<LOGFILENAME>.log"

where:

<PATH> is the path or name of the object to process.

<DOMAINNAME>\<GROUPNAME> is the domain group that replaces the local group.

<LOGFILENAME> is the name of a log file.

To convert local Users (Well Known SID S-1-5-32-545) to a domain group, use a command like this (entered as a single command line):

SetACL.exe -on "<PATH>" -ot file -actn trustee -trst "n1:S-1-5-32-545;n2:<DOMAINNAME>\<GROUPNAME>;ta:repltrst;w:d" -actn trustee -trst "n1:S-1-5-18;ta:remtrst;w:d" -rec cont -log "<LOGFILENAME>.log"

where:

<PATH> is the path or name of the object to process.

<DOMAINNAME>\<GROUPNAME> is the domain group that replaces the local group.

<LOGFILENAME> is the name of a log file.

When the conversion of permissions to domain groups is not possible, Nasuni provides the ability to associate the local Administrators and Users groups to domain groups. For this functionality, a single Active Directory Universal Group can be associated with each local group. This association must be consistent across all Nasuni Edge Appliances sharing volumes.

Note: This functionality might limit future ability to connect Edge Appliances to volumes, if either group association is not consistent with other Edge Appliances already sharing the same volumes.
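The following script is an added example and is not part of the Nasuni documentation or Nasuni's tooling. It audits a source file server directory tree for ACEs granted to the built-in Administrators and Users groups (and to SYSTEM, which the SetACL commands above also remove), so that you can see what the conversion will change and confirm afterwards that no built-in group ACEs remain. It walks directories only, matching the -rec cont behavior of the SetACL commands; the share path is a placeholder.

```powershell
# Added example, not Nasuni code: report ACEs held by the built-in groups that
# the SetACL conversion replaces. Run on the source file server, or against a
# UNC path that the running account can read.

$TrusteeSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'   # replaced by ta:repltrst
    'S-1-5-32-545' = 'BUILTIN\Users'            # replaced by ta:repltrst
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'      # removed by ta:remtrst
}

function Get-BuiltInGroupAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeInherited   # by default only explicit ACEs are reported
    )
    # Directories only, mirroring "-rec cont" (recurse into containers).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            # Compare by SID so the check does not depend on display names or
            # on the localisation of the built-in group names.
            $sid = $null
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { }
            if ($sid -and $TrusteeSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Trustee   = $TrusteeSids[$sid]
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Run before the SetACL conversion to see what will be replaced, and again
# afterwards: an empty result means no built-in group ACEs remain explicitly
# on the tree. The path is a placeholder.
Get-BuiltInGroupAces -Path 'D:\Shares\Data' | Format-Table -AutoSize
```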

Using FreeIPA for LDAP authentication

FreeIPA is an identity management system used for LDAP authentication.

Important: You must have an LDAP domain to use FreeIPA.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

To use FreeIPA for LDAP authentication, follow these steps:

  1. In a Web browser, visit the Web site:

    http://<LDAP-fqdn>

    where LDAP-fqdn is the fully-qualified domain name of the LDAP domain controller. The FreeIPA Identity Management site appears.

  2. If the Nasuni Edge Appliance is not yet listed as a host, click Identity, then select Hosts, then click +Add. The Add Host dialog box appears. Enter the following information:

    • Host Name: the host name of the Nasuni Edge Appliance.

    • IP Address: the IP address of the Nasuni Edge Appliance.

    • DNS Zone: from the drop-down list, select the DNS Zone.

  3. Click Add. The Nasuni Edge Appliance is added to the list of Hosts.

  4. If the CIFS service of the Nasuni Edge Appliance is not yet listed as a service, click Identity, then select Services, then click +Add. The Add Service dialog box appears. Enter the following information:

    • Service: from the drop-down list, select cifs.

    • Host Name: from the drop-down list, select the host name of the Nasuni Edge Appliance. You can search for the host name by typing part of the host name in the Search text box and pressing Enter.

  5. Click Add. The CIFS service of the Nasuni Edge Appliance is added to the list of Services.

  6. Download the SSL certificate from the FreeIPA server. Save the certificate file in a location that the Nasuni Edge Appliance can access.

  7. Upload the SSL certificate. See “Uploading SSL server certificates”.

At this point, you can continue joining an LDAP domain, using FreeIPA, as in step 3 of Procedure for joining Nasuni Edge Appliance (not previously joined) to domain above.

Specifying multiple protocol access

For single protocol access, Nasuni supports Kerberos and NTLMv2 over SMB protocol for appliances bound to Microsoft Windows Active Directory. Nasuni also supports Kerberos over NFSv4 for appliances bound to a supported LDAP Directory, including FreeIPA, Oracle Directory Services, and Apple Open Directory.

For multiple protocol access using both NFSv4 and SMB protocol to access the same data, the SMB protocol is authenticated using Kerberos or NTLMv2 by Active Directory. However, Nasuni multiprotocol access with NFSv4 only supports NFS basic authentication (AUTH_SYS). AUTH_SYS does not use tokens or passwords for authentication or access control, relying on the client to provide an ID validated on the server side to limit and control access.

In multiprotocol use cases, Nasuni recommends using network segmentation, and using the Allowed Hosts list to specify NFS client IP addresses, in order to restrict the endpoints that can access NFS exports.

Considerations for a Read-Only Domain Controller (RODC)

If there is a Read-Only Domain Controller (RODC) in your Active Directory environment, certain considerations are necessary before joining a Nasuni Edge to the domain.

To use a Read-Only Domain Controller in your Active Directory environment, follow these steps:

  1. Before joining a Read-Only Domain Controller, first join a Read-Write Domain Controller (RWDC) in your Active Directory environment. See step 2c of Procedure for joining Nasuni Edge Appliance (not previously joined) to domain.

    This procedure includes entering, in the Domain Controller text box, the fully qualified domain name of the Read-Write Domain Controller (RWDC). See step 2i of Procedure for joining Nasuni Edge Appliance (not previously joined) to domain.

  2. Identify the Read-Only Domain Controllers in your Active Directory environment.

  3. Each Read-Only Domain Controller has a unique ID that includes the string ‘krbtgt’ and an ID number. This ID number must be less than 32768. To determine the ID, run this Repadmin command (entered as a single command line):

    Repadmin /showattr <WritableDC> <DNDP> /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink

    where WritableDC is the hostname of a writable domain controller (RWDC) and DNDP is the distinguished name of the domain partition, such as dc=domain,dc=com.

    This command provides a list of Read-Only Domain Controllers with their associated UIDs for the KRBTGT account.

    1. If the number is above 32768, you must redeploy the Read-Only Domain Controller.

    2. If you have access to the Windows Server 2016 Active Directory Administrative Center, you can pre-configure the Read-Only Domain Controller with a number less than 32768. You can then use this Read-Only Domain Controller.

    3. If you are using Windows Server 2012 Active Directory Administrative Center, the number is assigned randomly. The number must be less than 32768.

  4. Add the Nasuni Edge Appliance computer object to the Password Replication Policy by following these steps:

    1. Log in to the Read-Write Domain Controller that was joined in step 1 above.

    2. Open Server Manager → Tools → Active Directory Users and Computers. The “Active Directory Users and Computers” application opens.

    3. In the left-hand pane, select “Domain Controllers”. A list of domain controllers appears, including Read-Only Domain Controllers.

    4. From the list of domain controllers, right-click the Read-Only Domain Controller, then select Properties from the drop-down list.

    5. Click the “Password Replication Policy” tab. A list of current groups, users, and computers appears.

    6. Double-click “Allowed RODC Password Replication Group”. The “Allowed RODC Password Replication Group Properties” dialog box appears.

    7. Click the Members tab. A list of members appears.

    8. Click Add, then add the Nasuni Edge Appliance computer object as a member.

    9. Click OK.

  5. Remove the Read-Write Domain Controller, using these steps:

    1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

      Figure 11-39: Directory Services page for Active Directory.

    2. Ensure that the Domain Controller text box is blank.

    3. Ensure that “Rejoin Active Directory” is set to Off before performing the following step.

    4. Click Submit.

Important: By default, Nasuni changes the computer object password every 7-10 days. After you complete this procedure, contact Nasuni Support to disable the password change policy.

This completes the procedure for handling a Read-Only Domain Controller (RODC) in your Active Directory environment.
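The following script is an added example and is not part of the Nasuni documentation. It performs the check from step 3 with the ActiveDirectory PowerShell module instead of Repadmin, using the same LDAP filter: it lists every Read-Only Domain Controller, reads the krbtgt account linked through msDS-KrbtgtLink (an RODC's krbtgt account is named krbtgt_<ID>), and flags any ID that is not below 32768. It assumes the RSAT ActiveDirectory module and an account that can read the domain partition; the -Server value is optional and is a placeholder if used.

```powershell
# Added example, not Nasuni code: verify that every RODC's krbtgt ID is below 32768.

Import-Module ActiveDirectory

function Get-RodcKrbtgtId {
    param(
        [string] $Server,          # optional: a writable DC (RWDC) to query
        [int]    $MaxId = 32768    # the ID must be strictly below this value
    )
    $query = @{
        # Same filter as the Repadmin command in step 3.
        LDAPFilter = '(&(objectclass=computer)(msDS-KrbtgtLink=*))'
        Properties = 'msDS-KrbtgtLink'
    }
    if ($Server) { $query.Server = $Server }

    foreach ($rodc in Get-ADComputer @query) {
        # msDS-KrbtgtLink holds the DN of the RODC's own krbtgt account,
        # for example CN=krbtgt_12345,CN=Users,DC=example,DC=com
        $link = $rodc.'msDS-KrbtgtLink'
        $id = $null
        if ($link -match '^CN=krbtgt_(\d+),') { $id = [int]$Matches[1] }

        [pscustomobject]@{
            Rodc       = $rodc.DNSHostName
            KrbtgtDn   = $link
            KrbtgtId   = $id
            Acceptable = ($null -ne $id -and $id -lt $MaxId)
        }
    }
}

# Any row with Acceptable = False must be redeployed (or, with the Windows
# Server 2016 Active Directory Administrative Center, pre-configured with an
# ID below 32768) before that RODC is used with the Edge Appliance.
Get-RodcKrbtgtId | Format-Table -AutoSize
```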

Directory Services

The Nasuni Edge Appliance supports Directory Services using either Active Directory or LDAP (Lightweight Directory Access Protocol) with Kerberos for authentication. See “General CIFS Settings” for details about Active Directory and LDAP Directory Services.

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.

Caution: Edge Appliances joined to LDAP cannot share volumes with Edge Appliances joined to Active Directory. Similarly, Edge Appliances joined to Active Directory cannot share volumes with Edge Appliances joined to LDAP. If you want Edge Appliances to share volumes, ensure that they are joined to the same directory service.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

You can associate an Active Directory or LDAP Directory Services domain group with a permission group. This enables you to log in using Active Directory or LDAP Directory Services credentials. See “Adding Permission Groups”.

See Worksheets for a worksheet for planning configurations.

Viewing information about Directory Services already configured

To view information about Directory Services, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-40: Directory Services page for LDAP Directory Services.

    For LDAP Directory Services, information on this page includes the following:

    • Type: Type of authentication, such as Publicly Available, Active Directory, and LDAP Directory Services.

    • Connection Status: The current status of the connection.

      ENABLED indicates that the connection has been configured successfully. DISABLED indicates that the connection has not been configured successfully. HEALTHY indicates that the connection is successful.

      UNHEALTHY indicates that the connection is not successful.

    • Domain Settings: A list of domains appears, displaying the following information:

      • Domain: The IP address or the hostname of the domain.

      • Details: Details about the Directory Services entry, including the following:

        • Provider: The Directory Services provider.

        • Schema: The LDAP schema: either RFC2307 or RFC2307bis.

        • LDAP Servers: The IP address or the hostname of the servers that service the domain.

        • KDCs: The IP address or the hostname of the Kerberos Key Distribution Centers (KDC) that supply session tickets and temporary session keys.

      • Status: The status of the domain: Enabled or Disabled.

    • Keytab Contents: The contents of the keytab file used to authenticate to the KDC, including the following information:

      • Service Type: The service type and the IP address or the hostname of the host that is offering it.

      • Realm: The IP address or the hostname of the server hosting the application.

  2. For Active Directory, the Directory Services page looks like this:

    Figure 11-41: Directory Services page for Active Directory.

    For Active Directory, information on this page includes the following:

    • Type: Type of authentication, such as Publicly Available, Active Directory, and LDAP Directory Services.

    • Connection Status: The current status of the connection.

      ENABLED indicates that the connection has been configured successfully. DISABLED indicates that the connection has not been configured successfully. HEALTHY indicates that the connection is successful.

      UNHEALTHY indicates that the connection is not successful.

    • Domain Settings: A list of domains appears, displaying the following information:

      • Domain: The IP address or the hostname of the domain.

      • Type: The type of Active Directory domain: Primary or Trusted.

      • NT Name: The local Windows NT-compatible workgroup name of the Active Directory domain.

      • Status: The status of the domain: Enabled or Disabled.

    • Update Domains button: To update the list of trusted domains that the Edge Appliance is aware of. This adds new trusted domains, as well as changes to existing domains that the Edge Appliance is aware of. This button does not remove decommissioned domains that had previously been discovered.

Editing LDAP Directory Services domain settings

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

To edit settings for the LDAP Directory Services domain, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-42: Directory Services page.

  2. For the domain whose information you want to edit, click Edit. The Edit Domain dialog box appears.

    Figure 11-43: Edit Domain dialog box.

    Note: The fields available depend on the Directory Services Provider selected.

  3. In the LDAP Servers text box, enter a list of the IP addresses or hostnames of the LDAP servers for the Nasuni Edge Appliance to connect to, separated by commas.

    To use DNS to retrieve information, leave this text box blank.

  4. In the Kerberos KDC Servers text box, enter a list of the IP addresses or hostnames of the Kerberos Key Distribution Center (KDC) servers for the Nasuni Edge Appliance to connect to, separated by commas.

    To use DNS to retrieve information, leave this text box blank.

  5. Click Save. The information is applied to the selected domain.

Updating the Kerberos keytab file

The Kerberos keytab file contains encryption keys associated with services (the service principal names) located on servers hosting Kerberos-enabled protocols.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

To update the keytab file, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-44: Directory Services page.

  2. Click Update Keytab. The Update Keytab dialog box appears.

    Figure 11-45: Update Keytab dialog box.

  3. From the Keytab Source drop-down list, select the source of the Kerberos keytab for the Nasuni Edge Appliance.

    • If you select a server, enter the Username, Password, and Repeat Password, then click Submit.

    • If you select to upload a keytab file, click Choose File to navigate to the file, then click Submit.

Caution: The maximum length of a file name is 255 bytes.

In addition, the length of a path, including the file name, must be less than 4,000 bytes.

Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

If a particular client has other limits, the smaller of the two limits applies.

The keytab file is updated.

Editing Active Directory domain settings

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

To edit settings for an Active Directory domain, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-46: Directory Services page for Active Directory.

  2. To update the list of trusted domains that the Edge Appliance is aware of, click Update Domains. This adds new trusted domains, as well as changes to existing domains that the Edge Appliance is aware of.

    This button does not remove decommissioned domains that had previously been discovered.

  3. For the domain whose information you want to edit, click Edit. The Edit Domain dialog box appears.

    Figure 11-47: Edit Domain dialog box.

  4. To enable or disable resources in the Active Directory domain accessing the Nasuni Edge Appliance, select or deselect Enable Source.

    Tip: The Primary domain cannot be disabled.

  5. Click Save. The information is applied to the selected domain.

Editing Active Directory general settings

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.

Tip: You can configure users and groups so that users have access to data even if domain connectivity fails. For details, see “Ensuring user access to data if domain connection lost”.

To edit settings for Active Directory, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-48: Directory Services page for Active Directory.

  2. To update the list of trusted domains that the Edge Appliance is aware of, click Update Domains. This adds new trusted domains, as well as changes to existing domains that the Edge Appliance is aware of.

    This button does not remove decommissioned domains that had previously been discovered.

  3. (Optional) In the Domain Controller text box, enter the fully qualified domain name of the primary domain controller. For example, DomainControllerName.domain.com.

    Entering a Domain Controller name forces the Nasuni Edge Appliance to use only that domain controller. However, leaving the Domain Controller text box blank causes the Nasuni Edge Appliance to use the primary domain controller on the join, and also allows for domain controller failover. Unless you want only one specific domain controller to be used, leave the Domain Controller text box blank.

    In particular, if you want support for trusted domains of multiple Active Directory servers, leave the Domain Controller text box blank.

  4. (Optional) Many local groups are created automatically when installing the Microsoft Windows operating system. These local groups are often referred to as “built-in groups”.

    Of these local groups, the Administrators and Users groups are granted filesystem-level permissions to the upper level of source fileserver data drives. By default, these permissions are inherited throughout directory structures. Nasuni recommends converting permissions to domain groups. See “Built-In Administrators and Users Local Groups”. Then leave the Users Built-In Group Name text box and the Administrators Built-In Group Name text box blank.

    When the conversion of permissions to domain groups is not possible, Nasuni provides the ability to associate the local Administrators and Users groups to domain groups. For this functionality, a single Active Directory Universal Group can be associated with each local group. This association must be consistent across all Nasuni Edge Appliances sharing volumes.

    1. (Optional) In the Users Built-In Group Name text box, enter the NETBIOS name of an Active Directory Universal Group to link to the BUILTIN\Users group. The maximum length of a group name is 30 characters.

    2. (Optional) In the Administrators Built-In Group Name text box, enter the NETBIOS name of an Active Directory Universal Group to link to the BUILTIN\Administrators group. The maximum length of a group name is 30 characters.

    Note: Changes to these groups are not reflected for connected clients. Connected clients must reconnect for the settings to be applied to their session.

  5. To reconnect a Nasuni Edge Appliance to Active Directory, or refresh its current connection status, select Rejoin Active Directory.

    Figure 11-49: Rejoin Active Directory selected.

  6. Click Submit. The information is applied to the selected domain.

    If specified, the Users Built-In Group Name and Administrators Built-In Group Name entries are validated. If valid, the settings are retained.

Resyncing Active Directory domain

You can resynchronize the current Nasuni Edge Appliance to the Active Directory domain configuration of another Nasuni Edge Appliance. This can be useful if the domain configuration changes on one Nasuni Edge Appliance, perhaps by a new domain being added, so that all the Nasuni Edge Appliances no longer have the same domain configuration. This procedure clones the Active Directory domain configuration of a selected Nasuni Edge Appliance.

To resync an Active Directory domain configuration, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-50: Directory Services page for Active Directory.

  2. Click Resync Domain Configuration. The Resync Domain dialog box appears.

    Figure 11-51: Resync Domain dialog box.

  3. From the Configuration Source drop-down list, select the Nasuni Edge Appliance from which to copy the Active Directory domain configuration. All Nasuni Edge Appliances from which you are allowed to copy the domain configuration are listed.

  4. Click Save. The selected domain configuration is used for this Nasuni Edge Appliance.

Deleting Active Directory domain configuration

You can delete an Active Directory domain configuration. This removes the Nasuni Edge Appliance from the current domain. This can be useful for fully purging all domain settings, such as when re-using an existing Nasuni Edge Appliance hardware appliance in a new domain.

Important: Before deleting an Active Directory domain configuration:

  • If the Nasuni Edge Appliance has any local “owned” volumes that use Active Directory authentication, those volumes must be deleted.

  • If the Nasuni Edge Appliance has any remote volumes that use Active Directory authentication, those volumes must be disconnected.

After deleting the Active Directory domain configuration, the state of the Nasuni Edge Appliance is comparable to that of a Nasuni Edge Appliance that has never joined an Active Directory domain.

To delete an Active Directory domain configuration, follow these steps:

  1. Click Configuration, then select Directory Services from the list. The Directory Services page appears.

    Figure 11-52: Directory Services page for Active Directory.

  2. Click Delete Configuration. The Delete Domain Configuration dialog box appears.

    Figure 11-53: Delete Domain Configuration dialog box.

  3. Enter the Username and Password of a user who has permission to perform this action.

  4. Select “I understand and accept responsibility for this action”.

  5. Click Delete. The domain configuration is deleted for this Nasuni Edge Appliance.

The Nasuni Edge Appliance is removed from the current domain. The state of the Nasuni Edge Appliance is comparable to that of a Nasuni Edge Appliance that has never joined an Active Directory domain.

Encryption Key Management

Note: For details of encryption key management, see Encryption Key Best Practices.

The Nasuni Edge Appliance automatically encrypts your data at your premises using the OpenPGP encryption protocol, with 256-bit Advanced Encryption Standard (AES-256) encryption as the default encryption. Your data is encrypted and compressed in cloud object storage, and is never visible to Nasuni.

You can generate your own encryption keys using any OpenPGP-compatible program, such as Gpg4win, GPGTools, and OpenPGP Studio. For details, see Generating Encryption Keys. You can then upload the encryption keys you generated.

Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.

You can escrow your encryption keys with Nasuni (or a trusted third party), or store your own encryption keys. Before you can escrow your encryption keys with Nasuni, you must create an escrow passphrase, in case you need these escrowed encryption keys when you perform a recovery procedure. See “Escrow Passphrase”.

Encryption keys are stored inside the Nasuni Edge Appliance, which is a locked-down system that has no customer logins, and (by default) no Nasuni logins. It is possible for you to grant limited temporary access to your Nasuni Edge Appliance to Nasuni Support personnel in order to troubleshoot issues.

Safeguards around this Remote Support Service option help ensure security, as detailed in the Remote Support document and in “Remote Support Service”.

Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use these to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance. To upload encryption keys to a Nasuni Edge Appliance, see “Adding (Importing or Uploading) Encryption Keys”.

All data on a volume is encrypted using one or more OpenPGP-compatible encryption keys before being sent to cloud object storage. Volumes may be encrypted with one or more encryption keys, and encryption keys may be used for any number of volumes.

There are several actions you can perform on encryption keys, including adding new encryption keys, enabling or disabling encryption keys, escrowing encryption keys with Nasuni, and, under certain circumstances, deleting encryption keys.

All uploaded encryption keys must be at least 2048 bits long.

Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use these to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance. To upload encryption keys to a Nasuni Edge Appliance, use the Encryption Keys page.

At least one encryption key must be enabled for a volume, but several encryption keys can be enabled at the same time. When multiple encryption keys are enabled, all of the encryption keys enabled at the time are used to encrypt the data. Any of the encryption keys enabled at the time a piece of data is encrypted can be used to later decrypt the data. Only the encryption keys enabled when the data was written can decrypt that data. An encryption key that was enabled after the data was written cannot decrypt any data that was written before that key was enabled.

There are several reasons you might want to disable an encryption key, such as when someone with access to the encryption key leaves the company, or when your enterprise has a policy of rotating encryption keys periodically. When you disable an encryption key, no future data is encrypted with that encryption key. However, all data previously encrypted by that disabled encryption key remains encrypted by that disabled encryption key. For this reason, before you disable an encryption key, you should consider establishing a snapshot retention policy that removes the data that was encrypted with the disabled encryption key. Because volumes must have at least one encryption key associated with them, in practice you add a new encryption key to a volume first, and then disable the existing encryption key.

You can delete encryption keys, but only in the case where they are not being used by any volumes.

You cannot modify encryption keys stored on the system. For security reasons, encryption keys that you upload cannot be downloaded from the system. You can only download encryption keys that the Nasuni Edge Appliance has generated internally.

You can specify that you do not want Nasuni to generate any of your encryption keys. This ensures that your data is encrypted only with encryption keys that you upload. If you specify this, you must upload all the encryption keys used. Specifically, when creating a volume, you cannot select Create New Key as the source of the volume encryption key. For security reasons, encryption keys that you upload cannot be downloaded from the system. If you want to specify that Nasuni not generate encryption keys, request Nasuni Support to disable key generation in your license.

Similarly, you can specify that you do not want Nasuni to escrow encryption keys. If you specify this, you must manage your own encryption keys, because Nasuni does not manage them. If you specify this, you can still have Nasuni generate encryption keys, and those generated encryption keys are still automatically escrowed, because all generated encryption keys are automatically escrowed. If you want to specify that Nasuni not escrow encryption keys, request Nasuni Support to disable key escrow in your license.

To ensure that none of your encryption keys is escrowed with Nasuni, you must specify BOTH that Nasuni not generate encryption keys AND that Nasuni not escrow encryption keys.

Tip: To use an encryption key from one Edge Appliance on other Edge Appliances, first obtain a file containing the desired encryption key. If the key was generated internally by the Edge Appliance, download the encryption key from the original Edge Appliance to a file, using the procedure in “Downloading (Exporting) Generated Encryption Keys”. After obtaining a file containing the encryption key, upload the encryption key to the NMC, using the procedure in “Uploading (importing or adding) encryption keys to the NMC”. Then you can send the uploaded encryption key to other Edge Appliances.

See Worksheets for a worksheet for planning configurations.

Viewing information about encryption keys

To view information about encryption keys:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-57: Encryption Keys page.

    On this page, you can view information about each of the encryption keys currently in use, including the encryption key name, fingerprint, encryption key ID, algorithm, length (in bits), whether the encryption key is escrowed by Nasuni, and which volumes use the encryption key. The fingerprint is a cryptographic hash of the encryption key. The key ID is a shorter version of the fingerprint of the encryption key, generally including just the last 8 digits.

  2. Optionally, you can click a volume hyperlink to go to the Volume properties page.

Adding (Importing or Uploading) Encryption Keys

Note: For details of encryption key management, see Encryption Key Best Practices.

You can generate your own encryption keys using any OpenPGP-compatible program, such as Gpg4win, GPGTools, and OpenPGP Studio. For details, see Generating Encryption Keys. You can then add (import or upload) the encryption key to the Nasuni Edge Appliance. The encryption key is used to encrypt your data before it is sent to cloud object storage and decrypt data when it is read back. The Nasuni Edge Appliance accepts multiple encryption algorithms for encryption keys.

Important: For security reasons, encryption keys that you upload cannot be downloaded from the system.

Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.

Important: Imported encryption keys are not automatically escrowed. You MUST SAVE all imported encryption keys to another location outside the Nasuni Edge Appliance, so that they are available if needed for recovery. All encryption keys associated with a volume must be recovered as part of the recovery process. To escrow encryption keys with Nasuni, see “Escrowing Encryption Keys with Nasuni”.

All uploaded encryption keys must be at least 2048 bits long. To add (import or upload) an encryption key:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-58: Encryption Keys page.

  2. Click Upload Encryption Key(s). The Import OpenPGP Key(s) page appears.

    Figure 11-59: Import OpenPGP Key(s) page.

  3. Click Choose File, then navigate to the encryption key file. This file should be OpenPGP compatible.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  4. If an encryption key passphrase is needed, enter the encryption key passphrase in the Key Passphrase text box.

  5. Click Import Key. The encryption key is imported to the Nasuni Edge Appliance.

Important: For security reasons, encryption keys that you upload cannot be downloaded from the system.

Tip: Imported encryption keys are not automatically escrowed. Save all imported encryption keys to another location outside the Nasuni Edge Appliance, so that they are available if needed for recovery.
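Before uploading a key file, it helps to confirm offline that it is an OpenPGP key of an accepted algorithm and at least 2048 bits, and to note the fingerprint and key ID you will later see on the Encryption Keys page. The checker below is an added example, not Nasuni code: it parses the first key packet of a binary or ASCII-armored OpenPGP file with the Python standard library and, as sample input, builds a constructed RSA public-key packet around a random modulus (labelled as such; it is not a usable key pair).

```python
"""Pre-upload inspection of an OpenPGP key file (added example, not Nasuni code).
Reports algorithm, length in bits, fingerprint and the 8-hex-digit key ID
(the tail of the fingerprint), and checks the 2048-bit minimum for uploads.
Only public fields are parsed; secret-key material is never decoded."""
import base64
import hashlib
import re
import secrets
import struct

KEY_PACKET_TAGS = {5, 6}  # secret-key and public-key packets (RFC 4880 section 5.5)
ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e; ElGamal p,g,y; DSA p,q,g,y
MIN_KEY_BITS = 2048

def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes, stripping ASCII armor if the file has it."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    text = data.decode("ascii", "replace").replace("\r\n", "\n")
    match = re.search(r"-----BEGIN PGP [^\n]*-----\n(.*?)\n-----END PGP", text, re.S)
    if not match:
        raise ValueError("malformed ASCII armor")
    # Armor headers (Version:, Comment:) end at the first blank line; an
    # "=XXXX" line after the base64 body is the armor CRC, not key data.
    headers, sep, body = match.group(1).partition("\n\n")
    body = body if sep else headers
    b64 = "".join(ln for ln in body.split("\n") if ln and not ln.startswith("="))
    return base64.b64decode(b64)

def read_packet(data: bytes, pos: int = 0):
    """Parse one packet header at pos; return (tag, body, position after body)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial-length packets are not supported")
    else:                                             # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packets are not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
    start = pos + hdr
    return tag, data[start:start + length], start + length

def inspect_key(file_bytes: bytes) -> dict:
    """Describe the first key in the file the way the Encryption Keys page does."""
    data, pos = dearmor(file_bytes), 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag in KEY_PACKET_TAGS:
            break
    else:
        raise ValueError("no key packet found")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo = body[5]                                    # version(1) creation-time(4) algorithm(1)
    if algo not in PUBLIC_MPI_COUNT:
        raise ValueError(f"key length not computed for algorithm {algo}")
    off, bits = 6, 0
    for i in range(PUBLIC_MPI_COUNT[algo]):
        mpi_bits = struct.unpack(">H", body[off:off + 2])[0]
        if i == 0:
            bits = mpi_bits                           # n for RSA, p for DSA/ElGamal
        off += 2 + (mpi_bits + 7) // 8
    public = body[:off]                               # public fields only, even for a secret key
    # v4 fingerprint: SHA-1 over 0x99, a two-byte length, and the public key fields.
    fingerprint = hashlib.sha1(b"\x99" + struct.pack(">H", len(public)) + public).hexdigest().upper()
    return {"algorithm": ALGORITHMS[algo], "bits": bits, "fingerprint": fingerprint,
            "key_id": fingerprint[-8:], "meets_minimum": bits >= MIN_KEY_BITS}

def make_test_rsa_public_key(bits: int) -> bytes:
    """Constructed v4 RSA public-key packet with a random modulus (not a usable key pair)."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force exact bit length, odd
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 0) + b"\x01" + mpi(n) + mpi(65537)  # creation time 0 (constructed)
    return b"\x99" + struct.pack(">H", len(body)) + body  # old-format header, tag 6, two-byte length

def armor(packet: bytes) -> bytes:
    """Wrap packet bytes in ASCII armor (CRC line omitted; dearmor() tolerates either)."""
    b64 = base64.b64encode(packet).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed test key\n\n"
            f"{lines}\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()
```

Run `inspect_key(open("key.asc", "rb").read())` on an exported key to compare its fingerprint and key ID with what the appliance displays after import.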

Downloading (Exporting) Generated Encryption Keys

Note: For details of encryption key management, see Encryption Key Best Practices.

If you are using encryption keys generated internally by the Nasuni Edge Appliance, you can export (download) and escrow your encryption keys with Nasuni or a trusted third party.

To export (download) encryption keys:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-60: Encryption Keys page.

  2. Click Download generated keys. Depending on your browser, a message box might appear; if so, navigate to an appropriate folder and save the encryption key file. The encryption key file is saved with a .pgp extension.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

Tip: If you are planning on trying the recovery functionality during trial mode, download your encryption keys to a safe location first.

Escrowing Encryption Keys with Nasuni

Note: For details of encryption key management, see Encryption Key Best Practices.

You can escrow your encryption keys with Nasuni. Escrowing an encryption key with Nasuni means that you can, at any time, request the encryption key during a recovery from Nasuni. Your encryption key is protected on Nasuni servers using the same security practices that we use for all encryption keys escrowed with Nasuni.

Note: You can specify that you do not want Nasuni to escrow encryption keys. If you specify this, you must manage your own encryption keys, because Nasuni does not manage them. If you specify this, you can still have Nasuni generate encryption keys, and those generated encryption keys are still automatically escrowed, because all generated encryption keys are automatically escrowed. If you want to specify to not escrow encryption keys, contact Nasuni Support.

Important: Before you can escrow your encryption keys with Nasuni, you must create an escrow passphrase, in case you need these escrowed encryption keys when you perform a recovery procedure. See “Escrow Passphrase”.

To escrow encryption keys with Nasuni:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-61: Encryption Keys page.

  2. For the encryption key that you want to escrow with Nasuni, click Escrow key with Nasuni. The Escrow your encryption key with Nasuni page appears.

    Figure 11-62: Escrow your encryption key with Nasuni page.

  3. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation.

    Caution: You are about to permanently escrow your encryption key with the Nasuni Corporation. This process is irreversible.

  4. Click Escrow Key. Your encryption key is escrowed with Nasuni.

Deleting Encryption Keys

You can delete encryption keys, as long as the encryption key is not currently assigned to a volume and never has been assigned to a volume. Encryption keys that were once assigned to a volume, but are now disabled, might be needed for recovery procedures and so cannot be deleted.

To delete an encryption key, follow these steps:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-63: Encryption Keys page.

  2. For the encryption key that you want to delete, click Delete This Key. The Delete an OpenPGP Key dialog box appears.

    Figure 11-64: Delete an OpenPGP Key dialog box.

  3. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation.

    Caution: You are about to permanently delete this encryption key. This process is irreversible.

  4. Click Delete. Your encryption key is deleted.

Escrow Passphrase

To perform a recovery procedure on an Edge Appliance, you MUST have all of the encryption keys for ALL volumes owned by that Edge Appliance in order to successfully regain access to your data. This means that, if Nasuni is escrowing any of your encryption keys, one of the following must occur:

  • You must have created an escrow passphrase.

  • You must have all of your encryption keys available, including the encryption keys escrowed with Nasuni.

  • You must contact Nasuni and verify your identity so that Nasuni can issue a special one-time-use recovery key.

The escrow passphrase must contain only ASCII printable characters (no Unicode) and cannot exceed 511 characters.

You can create an escrow passphrase on the Nasuni Edge Appliance, on the NMC, or using the NMC API.

To create an escrow passphrase on the Nasuni Edge Appliance, follow these steps:

  1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

    Figure 11-65: Encryption Keys page.

  2. Click Set Escrow Passphrase. The Set Escrow Passphrase dialog box appears.

    Figure 11-66: Set Escrow Passphrase dialog box.

  3. Enter the Escrow Passphrase. The passphrase must contain only ASCII printable characters (no Unicode) and cannot exceed 511 characters.

    An indication of the strength of the passphrase is displayed.

  4. Confirm the escrow passphrase by entering it again.

  5. Click Set Passphrase.

The escrow passphrase is created.

Important: Keep this escrow passphrase in a secure place. You use the escrow passphrase when performing a recovery procedure for the Nasuni Edge Appliance.

Tip: If the escrow passphrase is lost, contact Nasuni Support and complete a lost passphrase form. Nasuni provides a one-time-use recovery key. The recovery key is not the escrow passphrase: Nasuni does not know your escrow passphrase and cannot provide it.

Backup Keys

A backup key is a type of encryption key that is used to ensure that it is possible to recover a Nasuni Edge Appliance that has no owned volumes. Without a backup key, it is not possible to recover a Nasuni Edge Appliance that has no owned volumes.

If a Nasuni Edge Appliance has no owned volumes and no backup key, after 2 days, the following notification is sent: “Because this Filer has no volumes or backup keys, you cannot currently perform a disaster recovery on this Filer. On the Encryption Keys page, you can generate a backup key to enable disaster recovery.”

Important: If you intend to use a backup key that Nasuni generates, that backup key is automatically escrowed with Nasuni. To recover keys escrowed with Nasuni, you must specify an escrow passphrase. Therefore, you must specify an escrow passphrase. See “Escrow Passphrase”.

Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

There are two ways to get a backup key: generating the backup key or uploading the backup key:

  1. To generate a backup key on the Nasuni Edge Appliance, follow these steps:

    Note: If your Nasuni license does not allow for key generation or key escrow, you cannot generate a backup key on the Nasuni Edge Appliance. Instead, upload an encryption key, as shown in step 2 below.

    1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

      Figure 11-67: Encryption Keys page.

      If the Nasuni Edge Appliance has no owned volumes and no backup key, the “Generate Key” button is available.

    2. Click “Generate Key”. A backup key is generated.

      Important: The time necessary to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.

      A generated backup key is automatically escrowed with Nasuni. You can also download a generated backup key and safeguard it yourself.

  2. Alternatively, you can upload an encryption key for use as a backup key, by following these steps:

    All uploaded encryption keys must be at least 2048 bits long.

    1. Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.

      Figure 11-68: Encryption Keys page.

    2. Click Upload Encryption Key(s). The Import OpenPGP Key(s) page appears.

      Figure 11-69: Import OpenPGP Key(s) page.

    3. Click Choose File, then navigate to the encryption key file. This file should be OpenPGP compatible.

      Caution: The maximum length of a file name is 255 bytes.

      In addition, the length of a path, including the file name, must be less than 4,000 bytes.

      Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

      If a particular client has other limits, the smaller of the two limits applies.

    4. If an encryption key passphrase is needed, enter the encryption key passphrase in the Key Passphrase text box.

      Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.

    5. Click Import Key. The encryption key is imported to the Nasuni Edge Appliance.

      Important: For security reasons, encryption keys that you upload cannot be downloaded from the system.

      Tip: Imported encryption keys are not automatically escrowed. Save all imported encryption keys to another location outside the Nasuni Edge Appliance, so that they are available if needed for recovery.

  3. The generated or the uploaded encryption key appears on the Encryption Keys page.

    Figure 11-70: Encryption key.

    The “Set backup key” button appears.

  4. Click “Set backup key”. The key becomes the backup key for the Edge Appliance.

    Figure 11-71: Backup key.

If the backup key is the only encryption key for the Nasuni Edge Appliance, you cannot delete the backup key.

When recovering the Nasuni Edge Appliance using a backup key, your options include the following:

  • Use your escrow passphrase.

  • Obtain your backup key from your own safekeeping.

  • Obtain your backup key from Nasuni.

Firewall

You can limit traffic to the Nasuni Edge Appliance user interface and the Nasuni Support SSH port, which provides firewall protection.

For details about ports and firewalls, see Firewall and Port Requirements.

In addition to this protection, you can also configure separate access to CIFS shares, NFS exports, and FTP/SFTP directories.

To configure firewall protection, follow these steps:

  1. Click Configuration, then select Firewall from the list. The Firewall page appears.

    Figure 11-72: Firewall page.

  2. In the Traffic Group area, to configure the firewall policy for each Traffic Group, click Edit beside the Traffic Group. The Edit Firewall Policy dialog box appears.

    Figure 11-73: Edit Firewall Policy dialog box.

    1. From the Policy drop-down list, select one of the following choices:

      Note: All policies permit outbound traffic. That traffic is fully controlled by the configuration of the Nasuni Edge Appliance's local networks and gateways.

      • All Protocols Permitted: This policy allows all inbound traffic.

      • Deny All Incoming Connections: This policy allows no inbound traffic.

      • Client Protocols Permitted: This policy allows only CIFS, CIFS Web, NFS, and FTP inbound traffic.

      • Mobile/Web Clients Permitted: This policy allows only CIFS Web inbound traffic, such as Web Access.

      • Custom Protocol Selection: This policy allows selected inbound traffic. You can select one or more of the following inbound protocols:

        • Admin UI: Traffic to the user interface.

        • FTP: FTP inbound traffic.

        • ICMP Echo (Ping): Inbound ICMP Echo Request traffic.

        • Mobile: Mobile Access inbound traffic.

        • NFS: NFS inbound traffic.

        • SFTP (SSH FTP): SSH FTP inbound traffic.

        • CIFS/SMB: CIFS/SMB inbound traffic.

        • SNMP: SNMP inbound traffic.

        • SSH: SSH inbound traffic.

      Warning: If you disable “Mobile” Web inbound traffic and enable Admin UI traffic, you might not be able to open the default URL of the Nasuni Edge Appliance user interface. Normally, the default URL is redirected from port 80 to port 8443, but this cannot happen when “Mobile” Web inbound traffic is disabled. Use this URL to access the Nasuni Edge Appliance user interface:

      https://<your Nasuni Edge Appliance URL>:8443.

      For details about ports and firewalls, see Firewall and Port Requirements.

    2. Click Save to save your changes. Otherwise, click Cancel.

  3. In the Filer GUI Hosts text box, enter a comma-separated list of IP addresses or subnet addresses of hosts that you permit to access your Nasuni Edge Appliance user interface. If the text box is blank, any host can access your Nasuni Edge Appliance user interface.

  4. In the Support SSH Hosts text box, enter a comma-separated list of IP addresses or subnet addresses of hosts that you permit to connect to your Nasuni Edge Appliance’s Support SSH port. If the text box is blank, any host can access your Nasuni Edge Appliance’s Support SSH port.

    Note: Setting this field does not prevent the use of the Nasuni Remote Support Service, as detailed in “Remote Support Service”.

  5. Click Save Firewall Settings to save your entries. The message “Updated firewall configuration” appears.

Tip: If you configure the firewall in such a way that you cannot access the Nasuni Edge Appliance user interface, you can reset the firewall using the console for the Nasuni Edge Appliance. For the Nasuni Edge Appliance hardware appliance, use a keyboard and monitor attached to the hardware appliance. For the Nasuni Edge Appliance virtual machine, use the virtual machine console window. The console prompt appears.

Press Enter to access the Service menu. The login prompt appears. Enter the username and password. The login username is service, and the default password is service. The Service Menu appears.

Enter resetfirewall

The firewall resets.
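Before saving the Filer GUI Hosts or Support SSH Hosts list, it is worth checking that every entry parses and that the list still covers the workstation you administer from: a blank list admits any host, and a list that omits your own address locks you out until the firewall is reset from the console. The checker below is an added example, not Nasuni code; it assumes the list syntax described above (comma-separated IP addresses, with subnets written in CIDR form) and uses constructed sample addresses.

```python
"""Lint a Filer GUI Hosts / Support SSH Hosts list before saving it.
Added example, not Nasuni code. Assumes comma-separated IP addresses or
CIDR subnets, with a blank list meaning "any host" as the page states."""
import ipaddress


def parse_host_list(text: str):
    """Return (networks, errors) for a comma-separated list of addresses/subnets.

    Single addresses become /32 or /128 networks. Entries with host bits set
    (e.g. 10.1.2.3/24) are reported as errors rather than silently widened.
    """
    networks, errors = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors


def lint_host_list(text: str, admin_hosts) -> dict:
    """Report parse errors, risky settings and admin hosts the list would shut out."""
    networks, errors = parse_host_list(text)
    warnings = []
    if not networks and not errors:
        warnings.append("list is blank: any host can reach this port")
    for net in networks:
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address: equivalent to a blank list")
    # Nested or duplicate entries are harmless but usually indicate a typo.
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                warnings.append(f"{a} and {b} overlap")
    locked_out = []
    if networks:  # a blank list restricts nothing, so nobody is locked out
        for host in admin_hosts:
            addr = ipaddress.ip_address(host)
            if not any(addr.version == n.version and addr in n for n in networks):
                locked_out.append(str(addr))
    return {"networks": [str(n) for n in networks], "errors": errors,
            "warnings": warnings, "locked_out": locked_out}


if __name__ == "__main__":
    # Constructed sample: an admin workstation and a management subnet.
    print(lint_host_list("10.20.30.5, 192.168.10.0/24", ["10.20.30.5", "172.16.0.9"]))
```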

SSL Server and Client Certificates

You can view the SSL CA-signed server certificates or self-signed certificates that you can use when accessing the Nasuni Edge Appliance user interface. By default, the Nasuni Edge Appliance is preloaded with a self-signed SSL certificate that is unique to the Nasuni Edge Appliance.

You can also generate a new Certificate Request to submit to a Certificate Authority (CA) for signing. When you receive the signed certificate from the CA, you can associate the CA-signed certificate (and optional certificate chain) with the request. After this is done, you can use that CA-signed certificate to manage the Nasuni Edge Appliance.

Note: If something ever goes wrong with the certificates and you are unable to access the Nasuni Edge Appliance user interface, use the service menu on the console of your hardware appliance or virtual machine to reset the certificate to the default self-signed certificate. See “Resetting an SSL Certificate” for details.

Note: A notification occurs when the active SSL certificate is less than 30 days from expiring.

You can also upload an existing SSL server certificate. This can be in the form of an SSL key file, an SSL key and certificate file, an SSL certificate, or an SSL certificate chain. You can then use that uploaded certificate to manage the Nasuni Edge Appliance.

You can also copy, replace, save, and delete SSL server certificates and SSL certificate chains.

You can also view and upload client certificates. Client certificates are SSL Certificates that enable the Nasuni Edge Appliance to verify the identity of services that it connects to. For example, you can upload a custom CA certificate used by your company that the Nasuni Edge Appliance can use to validate LDAP servers.

Tip: For detailed procedures for LDAP with Apple OpenDirectory, Oracle Enterprise Directory Server (Oracle DS), and FreeIPA, see the LDAP Best Practices Guide.

Viewing SSL CA-signed or self-signed server certificate

To view current SSL CA-signed certificates or self-signed certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-78: SSL Certificates page.

    The current SSL certificates, self-signed certificates, and SSL certificate requests appear in the list.

  2. To view details of a certificate, click the hyperlink of the certificate. The Certificate Details box appears.

    Figure 11-79: Certificate Details box.

    The certificate information displayed includes the following:

    • Name: The name of the certificate.

    • Type: The type of certificate.

    • Subject: The string containing the subject of the certificate.

    • Issuer: The string containing the issuing party.

    • Signature type: The type of cryptographic signature of the certificate.

    Note: The signature type Sha1WithRsaEncryption is being deprecated and should be avoided, if possible.

    • Start Date: The date that the certificate becomes effective.

    • End Date: The date that the certificate is no longer in effect.

    • Common Name: The IP address or fully qualified domain name (FQDN) of the web server that receives the SSL certificate.

    • Country Code: The two-letter ISO abbreviation for the country (for example, US for the United States) where your organization's office is legally registered.

    • State/Province: The full name of the state or province where your organization's office is located.

    • Locality Name: The full name of the city where your organization's office is located.

    • Organization: The name under which your organization is legally registered.

  3. Click Close to close this box.

Generating SSL CA-signed or self-signed server certificate

To generate a new SSL CA-signed server certificate or a self-signed server certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-80: SSL Certificates page.

  2. Click Generate Certificate. The Create SSL Certificate Request page appears.

    Figure 11-81: Create SSL Certificate Request page.

  3. In the Management Name text box, enter the name that you use to refer to this certificate.

  4. In the Common Name text box, enter the fully qualified domain name (FQDN) or IP address that you use to access the Nasuni Edge Appliance user interface. The most common choice is the Nasuni Edge Appliance's fully qualified domain name, which is entered automatically but can be changed.

    Note: This MUST match the way users connect to the Nasuni Edge Appliance.

  5. In the Country Code text box, enter the two-letter country code, such as US.

  6. In the State/Province Name text box, enter the name of your state or province, such as Massachusetts.

  7. In the Locality text box, enter the name of your city or town, such as Boston.

  8. In the Organization Name text box, optionally enter the name of your organization, such as Nasuni.

  9. To create a self-signed certificate instead of a certificate request, select Self-Sign Certificate.

  10. Click Save Certificate. If you selected Self-Sign Certificate, a self-signed certificate is created. Otherwise, a certificate request is created.

  11. If you did not select Self-Sign Certificate, to download the certificate request .csr file, on the SSL Certificates page, click Save Request File next to the name of the certificate request in the list.

  12. Submit this certificate request to a Certificate Authority (CA) for signing.

  13. When you receive the signed certificate file, select Add Signed Certificate from the Actions drop-down list next to the name of the certificate request in the list. The Add Certificate Files dialog box appears.

    Figure 11-82: Add Certificate Files dialog box.

  14. Click Choose File next to Certificate File, then navigate to the PEM- or DER-encoded X.509 certificate file or PKCS#7 certificate file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  15. Optionally, click Choose File next to Certificate Chain File, then navigate to the SSL certificate chain file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  16. Click Save Certificate. The certificate is installed and becomes available in the list of certificates on the SSL Certificates page.

    Figure 11-83: SSL Certificates page.

Copying existing SSL server certificates

You can create a new SSL CA-signed server certificate or self-signed server certificate by copying an existing SSL server certificate. You might need to copy an SSL certificate as part of a manual process for recreating or updating an SSL certificate.

Important: For security reasons, if the SSL server certificate does not contain a .csr file, you cannot copy an existing SSL server certificate.

To copy an SSL certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-84: SSL Certificates page.

  2. For the SSL certificate that you want to copy, select Copy from the Actions drop-down list next to the name of the certificate in the list. The Copy SSL Certificate dialog box appears.

    Figure 11-85: Copy SSL Certificate dialog box.

  3. In the New Management Name text box, enter the new name that you want to use to refer to this SSL certificate. The default name is the name of the original SSL certificate with “(2)” appended. All other SSL certificate parameters are copied from the original SSL certificate.

  4. To create a self-signed certificate instead of a certificate request, select Self-Sign Certificate.

  5. Click Copy Certificate. If you selected Self-Sign Certificate, a self-signed certificate is created. Otherwise, a certificate request is created.

  6. If you did not select Self-Sign Certificate, to download the certificate request .csr file, on the SSL Certificates page, click Save Request File next to the name of the certificate request in the list.

  7. Submit this certificate request to a Certificate Authority (CA) for signing.

  8. When you receive the signed certificate file, select Add Signed Certificate from the Actions drop-down list next to the name of the certificate request in the list. The Add Certificate Files dialog box appears.

    Figure 11-86: Add Certificate Files dialog box.

  9. Click Choose File next to Certificate File, then navigate to the PEM- or DER-encoded X.509 certificate file or PKCS#7 certificate file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  10. Optionally, click Choose File next to Certificate Chain File, then navigate to the SSL certificate chain file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  11. Click Save Certificate. The certificate is installed and becomes available in the list of certificates on the SSL Certificates page.

Uploading SSL server certificates

To upload an existing SSL server certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-87: SSL Certificates page.

  2. Click Upload Certificate. The Add Certificate Files page appears.

    Figure 11-88: Add Certificate Files page.

  3. In the Certificate Name text box, enter the name that you use to refer to this certificate.

  4. To add an SSL key file or SSL key and certificate bundle file, click Choose File next to Key File, then navigate to the SSL key file or SSL key and certificate bundle file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  5. If an SSL certificate was not part of a bundle file in step 4, to add an SSL certificate, click Choose File next to Certificate File, then navigate to the SSL certificate file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  6. If an SSL certificate chain was not part of a bundle file in step 4, to add an SSL certificate chain file, click Choose File next to Certificate Chain File, then navigate to the SSL certificate chain file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  7. Enter the Password, if required.

  8. Click Save Certificate. The certificate is installed and becomes available in the list of certificates on the SSL Certificates page.

    Figure 11-89: SSL Certificates page.

Replacing SSL server certificates or SSL server certificate chains

You can replace an existing SSL server certificate or SSL server certificate chain. This might occur if you need an SSL server certificate chain file, or if you are replacing one SSL server certificate with another one.

To replace an existing SSL certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-90: SSL Certificates page.

  2. For the SSL certificate that you want to replace, select Replace Certificate/Chain from the Actions drop-down list next to the name of the certificate in the list. The Add Certificate Files dialog box appears.

    Figure 11-91: Add Certificate Files dialog box.

  3. Click Choose File next to Certificate File, then navigate to the PEM- and DER-encoded X.509 file or PKCS#7 certificate file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  4. Optionally, click Choose File next to Certificate Chain File, then navigate to the SSL certificate chain file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  5. Click Save Certificate. The existing certificate is replaced and appears in the list of certificates on the SSL Certificates page.

Setting SSL server certificates

You can select which of several SSL server certificates to set as the GUI certificate for the Nasuni Edge Appliance.

To set a new SSL certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-92: SSL Certificates page.

  2. For the SSL certificate that you want to select, click Set as GUI Certificate. The Enable SSL Certificate for Filer GUI dialog box appears.

    Figure 11-93: Enable SSL Certificate for Filer GUI dialog box

  3. Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation, then click Set GUI Certificate.

    Your choice is set as the GUI certificate for the Nasuni Edge Appliance.

Saving SSL server certificates

Important: For security reasons, if the SSL server certificate does not contain a .csr file, you cannot save the SSL server certificate.

To download and save an SSL server certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-94: SSL Certificates page.

  2. From the Actions drop-down list next to the name of the certificate or certificate request that you want to save, select “Save certificate as zip”. The certificate is downloaded and saved as a zip file, in the way your browser handles downloads.

Deleting SSL server certificates or certificate requests

Tip: You cannot delete the active SSL server certificate.

To delete an SSL server certificate or certificate request:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.

    Figure 11-95: SSL Certificates page.

  2. From the Actions drop-down list next to the name of the certificate or certificate request that you want to delete, select Delete. The About to Delete SSL Certificate dialog box appears.

  3. Click Delete Certificate.

The certificate or certificate request is deleted.

Resetting an SSL Certificate

If something ever goes wrong with the SSL certificates, and you are unable to access the Nasuni Edge Appliance user interface, use the service menu on the console on your hardware appliance or virtual machine to reset the certificate to the default self-signed certificate.

To reset the certificate, follow these steps:

  1. On the console, log in to the service menu by pressing Enter and signing in. The default login username is service, and the default password is service.

  2. On the console, at the command-line prompt, type resetguicert and press Enter. The message “Reset GUI SSL certificate to default” appears.

  3. To confirm, at the command-line prompt, type yes. The message “GUI Certificate Reset” appears.

  4. Re-try the Nasuni Edge Appliance user interface with the self-signed certificate.

Viewing SSL client certificates

To view current SSL client certificates:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears. The Client Certificates pane is at the bottom of the page.

    Figure 11-96: Client Certificates pane.

    The current SSL certificates appear in the list.

    The certificate information displayed includes the following:

    • Name: The name of the certificate.

    • Role: The role of the certificate, such as LDAP.

  2. To view details of a certificate, click the hyperlink of the certificate. The Certificate Details box appears.

    Figure 11-97: Certificate Details box.

    The certificate information displayed includes the following:

    • Name: The name of the certificate.

    • Type: The type of certificate.

    • Subject: The string containing the subject of the certificate.

    • Issuer: The string containing the issuing party.

    • Signature type: The type of cryptographic signature of the certificate.

    Note: The signature type Sha1WithRsaEncryption is being deprecated and should be avoided, if possible.

    • Start Date: The date that the certificate becomes effective.

    • End Date: The date that the certificate is no longer in effect.

  3. Click Close to close this box.
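The Signature type, Start Date, and End Date fields listed above are the ones worth checking before a client certificate is uploaded. The following Python script is an added example, not part of the Nasuni documentation or software: it walks the DER structure of a certificate far enough to read the signature-algorithm OID and the validity window, flags sha1WithRSAEncryption (the deprecated signature type the note refers to), and reports whether the certificate is valid at a given time. The two certificates it builds in check_sample_certificates() are constructed skeletons with empty names, an empty key and an all-zero signature, not real certificates; the OID table and the 2024-06-01 reference date are assumptions made for the example.

```python
"""Read the signature algorithm and validity window of an X.509 certificate (DER)."""
import base64
from datetime import datetime, timezone

# Signature-algorithm OIDs mapped to names. Assumption: only these are mapped here;
# any other algorithm is reported by its dotted OID.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
DEPRECATED_SIG_ALGS = {"1.2.840.113549.1.1.5"}  # the type the Certificate Details note warns about


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _decode_oid(value):
    """Dotted-string form of a DER OBJECT IDENTIFIER body."""
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def _decode_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> UTC datetime."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s  # RFC 5280 two-digit-year rule
    return datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def pem_to_der(pem_text):
    """Strip the PEM armor of the first CERTIFICATE block and base64-decode it."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def to_pem(der):
    """Wrap DER bytes in PEM armor (64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def inspect_certificate(der, now=None):
    """Return the signature algorithm, validity dates and a verdict for a DER certificate."""
    now = now or datetime.now(timezone.utc)
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = _children(cert)[:3]       # tbsCertificate, signatureAlgorithm, signatureValue
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                       # optional explicit [0] version comes first
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = (_decode_time(*t) for t in _children(fields[3][1]))
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    return {
        "signature_algorithm": SIG_ALG_NAMES.get(oid, oid),
        "deprecated": oid in DEPRECATED_SIG_ALGS,
        "not_before": not_before,
        "not_after": not_after,
        "valid_now": not_before <= now <= not_after,
        "days_remaining": (not_after - now).days,
    }


# --- Constructed fixtures (assumption: not real certificates). A structurally valid X.509 v3
# skeleton with empty names, an empty key and an all-zero signature, enough to run the parser offline.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:            # base-128 with continuation bits, most significant first
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def make_skeleton_cert(sig_oid, not_before, not_after):
    """Build a minimal DER Certificate whose only meaningful fields are the algorithm and validity."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")          # AlgorithmIdentifier with NULL params
    empty_name = _der(0x30, b"")                                  # Name with no RDNs
    spki = _der(0x30, _der(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + empty_name + _der(0x30, utc(not_before) + utc(not_after)) + empty_name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def check_sample_certificates():
    """Inspect a SHA-1 signed, expired fixture and a SHA-256 signed, current one at a fixed date."""
    u = timezone.utc
    now = datetime(2024, 6, 1, tzinfo=u)  # assumed reference time for the example
    legacy = make_skeleton_cert("1.2.840.113549.1.1.5", datetime(2019, 1, 1, tzinfo=u), datetime(2021, 1, 1, tzinfo=u))
    current = make_skeleton_cert("1.2.840.113549.1.1.11", datetime(2024, 1, 1, tzinfo=u), datetime(2025, 1, 1, tzinfo=u))
    return {
        "legacy": inspect_certificate(legacy, now),
        "current": inspect_certificate(current, now),
        "pem_roundtrip": pem_to_der(to_pem(current)) == current,
    }


if __name__ == "__main__":
    for label, result in check_sample_certificates().items():
        print(label, result)
```

For a real file, pass pem_to_der(open(path).read()) to inspect_certificate(). The parser reads only the fields the Certificate Details box shows; it does not verify the signature or the chain, so it complements rather than replaces a full check with OpenSSL.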

Uploading SSL client certificates

To upload an existing SSL client certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears. The Client Certificates pane is at the bottom of the page.

    Figure 11-98: Client Certificates pane.

  2. Click Upload Client Certificate. The Add Client Certificate File page appears.

    Figure 11-99: Add Client Certificate File page.

  3. In the Certificate Name text box, enter the name that you use to refer to this certificate.

  4. Click Choose File next to Certificate File, then navigate to the SSL certificate file.

    Caution: The maximum length of a file name is 255 bytes.

    In addition, the length of a path, including the file name, must be less than 4,000 bytes.

    Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.

    If a particular client has other limits, the smaller of the two limits applies.

  5. To select this certificate as the default for authenticating with the primary LDAP server, select Default Authentication certificate.

  6. Click Save Certificate. The certificate is installed and becomes available in the list of certificates on the SSL Certificates page.

    Figure 11-100: Client Certificates pane.

Deleting SSL client certificates

Tip: You cannot delete the active SSL certificate.

To delete an SSL certificate:

  1. Click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears. The Client Certificates pane is at the bottom of the page.

    Figure 11-101: Client Certificates pane.

  2. For the certificate that you want to delete, select Delete. The About to Delete SSL Certificate dialog box appears.

  3. Click Delete Certificate. The certificate is deleted.

Users and Groups

The Nasuni Edge Appliance provides role-based access control. You can define specific access permissions for permission groups and users to perform actions within the Nasuni Edge Appliance user interface.

You can define up to 500 groups, each with permissions that you specify, such as Storage Access. You can then define up to 500 users, and assign them to groups, from which users receive permissions. The defined groups and users are for the local Nasuni Edge Appliance only.

Also, you can associate Active Directory domain groups or LDAP Directory Services domain groups with a permission group.

Caution: When a Nasuni Edge Appliance goes under the control of the Nasuni Management Console, the following processing occurs:

  • Any existing local users and groups on the Nasuni Edge Appliance are replaced by the users and groups of the NMC.

  • When a Nasuni Edge Appliance is disconnected from the Nasuni Management Console, the Nasuni Edge Appliance retains those users and groups that pertain to the Nasuni Edge Appliance.

For this reason, you should either use the NMC to define users and groups, or place the Edge Appliance under the management of the NMC before creating users and groups with the Edge Appliance.

Filer Administrators

There are two default groups, called Filer Administrators and File Restore. Users in the Filer Administrators group receive full access to all aspects of the Nasuni Edge Appliance (super user). Users in the File Restore group receive the ability to restore files and access versions. The Filer Administrators group cannot be deleted.

There is one default user, created during installation or during an upgrade. The default user is assigned to the Filer Administrators group. There is always at least one user in the Filer Administrators group.

Note: These permissions are only for performing actions within the Nasuni Edge Appliance user interface. These permissions are completely independent of permissions for access to data.

See Worksheets for a worksheet for planning configurations.

Viewing Permission Groups and Users

To view permission groups and users, follow these steps:

  1. Click Configuration, then select Users/Groups from the drop-down list. The Filer Users and Groups Overview page appears.

    Figure 11-102: Filer Users and Groups Overview page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

    The information displayed includes the following:

    • Total Users: The total number of users, including Native Users and Domain Users. To view a list of users, click Manage Users.

    • Native Users: The number of native users, namely, users explicitly defined and managed using the Nasuni Edge Appliance or Nasuni Management Console. To view a list of users, click Manage Users. To add a user, see “Adding Users”.

    • Domain Users: The number of domain users, namely, users automatically created because they are members of an Active Directory or LDAP Directory Services domain group associated with a permission group. To view a list of users, click Manage Users. To add a permission group with an associated Active Directory or LDAP Directory Services domain group, see “Adding Permission Groups”.

    • Users with Storage Access: The number of native users who are members of permission groups that have Storage Access enabled. To view a list of users, click Manage Users. To add a permission group that has Storage Access enabled, see “Adding Permission Groups”.

      Tip: Users with Storage Access enabled do not require connectivity to the domain. If connectivity to the domain is interrupted, users with Storage Access enabled can still access data.

    • Total Groups: The total number of permission groups, including Group Associations, Groups Granting Access, and permission groups that do not have Group Associations or Storage Access. To view a list of permission groups, click Manage Groups.

    • Group Associations: The number of permission groups that have Active Directory or LDAP Directory Services domain groups associated with them. To view a list of permission groups, click Manage Groups.

    • Groups Granting Access: The number of permission groups that have Storage Access enabled. To view a list of permission groups, click Manage Groups.

      Tip: Users with Storage Access enabled do not require connectivity to the domain. If connectivity to the domain is interrupted, users with Storage Access enabled can still access data.

    • Groups without Members: The number of permission groups that do not have any members. To view a list of permission groups, click Manage Groups.

  2. On the Filer Users and Groups Overview page, clicking Manage Users opens the Filer Users page.

    Figure 11-103: Filer Users page.

    A list of users appears. The information displayed for each user includes the following:

    • Username: The name of the user.

    • Type: The type of user: either Native or Domain. Native users are explicitly defined and managed using the Nasuni Edge Appliance or Nasuni Management Console. Domain users are automatically created because they are members of an Active Directory or LDAP Directory Services domain group associated with a permission group.

    • Email: The email address of the user. Might be blank if no email address is entered. You can change this by clicking Edit User.

    • Groups: The permission groups that the user belongs to. You can change this by clicking Edit User.

    • Storage Access (For Native Users only): An indication of whether Storage Access is enabled for any of the groups that the user belongs to: Yes (if Storage Access is enabled) or No (if Storage Access is not enabled, or if user is a Domain User).

      Tip: Users with Storage Access enabled do not require connectivity to the domain. If connectivity to the domain is interrupted, users with Storage Access enabled can still access data.

    • Actions: Available actions, such as Edit User and Delete User.

    The Add User button is also available. See “Adding Users” for details.

  3. On the Filer Users and Groups Overview page, clicking Manage Groups opens the Filer Groups page.

    Figure 11-104: Filer Groups page.

    A list of permission groups appears. The information displayed for each permission group includes the following:

    • Group: The name of the permission group. You can change this by clicking Edit Group.

    • Users: The number of users who belong to the permission group.

    • Permissions: The permissions defined for this permission group. You can change this by clicking Edit Group.

    • Special: Either Domain Group Association, Storage Access Enabled, or blank. You can change this by clicking Edit Group.

      Tip: Users with Storage Access enabled do not require connectivity to the domain. If connectivity to the domain is interrupted, users with Storage Access enabled can still access data.

      Note: Domain groups and the members of those groups always have storage access.

    • Actions: Available actions, such as Edit Group and Delete Group (if permission group has no users).

The Add Group button is also available. See “Adding Permission Groups”.

Adding Permission Groups

You can add up to 500 permission groups to which you can assign users. For each group, you can specify exactly which actions the users in that group have permission to perform. You can associate Active Directory or LDAP Directory Services domain groups with a permission group. You can also assign which email alerts the group receives.

Important: If you define users and groups on the Edge Appliance, and then put this Edge Appliance under the control of the NMC, the newly defined users and groups are deleted. This is because, for consistency, NMC-defined users and groups replace Edge Appliance-defined users and groups, when the Edge Appliance goes under the control of the NMC. To avoid this, use the NMC to define the users and groups. Alternatively, put the Edge Appliance under the control of the NMC first, then define the users and groups using the Edge Appliance UI.

Note: Before you associate an Active Directory domain group with a permission group, you must join the Nasuni Edge Appliance to the domain. See “Procedure for joining Nasuni Edge Appliance (not previously joined) to domain”.

Important: Email alerts are not sent to the email addresses of Active Directory domain users. To ensure that email alerts are sent, use either of the following:

  • Add email addresses to the Extra Emails list.

  • Create local users and use their email addresses.

To add a permission group, follow these steps:

  1. Click Configuration, then select Users/Groups from the drop-down list. The Filer Users and Groups Overview page appears.

    Figure 11-105: Filer Users and Groups Overview page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

  2. On the Filer Users and Groups Overview page, click Manage Groups. The Filer Groups page appears.

    Figure 11-106: Filer Groups page.

  3. Click Add Group. If there are already 500 groups, you must delete an existing group before you can add a new group. The Add New Group dialog box appears.

    Figure 11-107: Add New Group dialog box.

  4. In the Group Name text box, enter the name for this group. The Group Name can have up to 30 characters, including letters, digits, and symbols.

  5. From the Access Type drop-down list, select the type of access from the following:

    • Storage Access: To grant data access to users in the new permission group.

      Tip: Users with Storage Access enabled do not require connectivity to the domain. If connectivity to the domain is interrupted, users with Storage Access enabled can still access data.

      Note: Storage Access does not grant any access to the Nasuni Edge Appliance user interface.

      Note: If you select Storage Access, you cannot enter a Group Association.

    • User Interface Access: This Access Type allows you to define permissions and, optionally, any associations to Active Directory or LDAP Directory Services domain groups. For a full list of displayed permissions and the operational permissions that they include, see Permissions.

      1. From the Permissions list, select or clear the Nasuni Edge Appliance permissions that you want to grant to the new group.

        Warning: Users with “Perform File Restores/Access Versions” permission have the ability to access all files on the file server.

        Tip: If you want a group to NOT BE ABLE TO add volumes or delete volumes, select “Manage Volume Settings”.

        If you want a group to BE ABLE TO add volumes or delete volumes, select "Manage all aspects of Volumes". This permission also includes all the other permissions of “Manage Volume Settings”.

        For details of the many permissions that these permissions include, see Permissions.

        Tip: Selecting the “Manage all aspects of the Filer (super user)” permission automatically selects all other permissions, even though those other permissions are not selected on the screen. To specify permissions at a more granular level, do not select the “Manage all aspects of the Filer (super user)” permission, and instead select combinations of individual permissions.

        Tip: If you want this group to receive alert emails, you MUST select “Receive Filer alert emails”.

        Important: Email alerts are not sent to the email addresses of Active Directory domain users. To ensure that email alerts are sent, use either of the following:

        • Add email addresses to the Extra Emails list.

        • Create local users and use their email addresses.

        Tip: Users with “Disconnect Users from Access Points” permission have the ability to disconnect CIFS or NFS users individually, which is sometimes necessary when there are locked files.

      2. (Optional.) To link a domain group (Active Directory or LDAP Directory Services) to this permission group, and allow members of that domain group to use their domain credentials to access volumes on Nasuni Edge Appliances, the exact domain name and domain group are necessary.

        In the Group Association text box, enter any text from the domain name or the domain group, and click Search. The Select Group dialog box appears. Click Search. From the list of domain groups that include the search text, select the domain name and domain group, then click Add Selected Group.

        Alternatively, enter the exact domain name and domain group in the Group Association text box.

        Important: In order to link an Active Directory domain group to a permission group, the “Group type” of the Active Directory domain group must be “Security”. If the “Group type” of the Active Directory domain group is “Distribution”, users within the Active Directory domain group are not able to log in.

        Note: The list of available domain groups is from the domains previously joined to the Nasuni Edge Appliance. See “Directory Services”.

        Note: Linking groups that grant User Interface access to domain groups is optional.

        Note: Adding a domain group allows all users in that group to access the user interface. You do not need to explicitly add those users. If the group membership changes after the group is linked, the new members can still log in.

        Note: If you use a Group Association, you cannot select Storage Access.

        Note: Domain groups and the members of those groups always have storage access.

  6. (For User Interface Access only.) In the Email Subscriptions area, to receive all Nasuni Edge Appliance alerts to this group, select the Receive All Alerts check box.

    Tip: If you want this group to receive alert emails, you MUST select “Receive alert emails” in step 5a above.

  7. (For User Interface Access only.) In the Email Subscriptions area, if you do not select the Receive All Alerts check box, select the specific alerts that you want sent to this group.

    Tip: If you want this group to receive alert emails, you MUST select “Receive alert emails” in step 5a above.

    The choices include the following:

    • Appliance Alerts: Alerts that occur on the appliance.

    • Conflict Alerts: Notices that merge conflicts have occurred during a sync. See “Synchronization (Merge) Conflicts”.

    • General Alerts: Alerts not in the other categories.

    • Snapshot Restore Alerts: When you restore data from a snapshot, this alert notifies you when the restore is complete.

    • Violation Alerts: Alerts about antivirus violations (infections) and ransomware detection violations.

    • Account Alerts: Alerts related to Nasuni.com account license issues, such as expiration and capacity limits.

    • Capacity Alerts: Alerts related to capacity, such as volume quotas, new quotas, and account limits.

    Note: If the licensed capacity is exceeded, you can still store more data temporarily. If your total stored data nears or exceeds your licensed capacity, you receive warnings to increase your licensed capacity.

    Tip: For a summary of available data metrics, see “Data Metrics”.

    Tip: To send quota reports, you must select Capacity Alerts.

    • Safe Delete Alerts: Alerts about Safe Delete being enabled or disabled, or changes in the status of a Safe Delete volume pending approval of delete or pending delete.

    • Software Updates: Notices that software updates are available.

  8. (For User Interface Access only.) In the Extra Emails text box, enter one or more destination email addresses to send alerts to, separated by commas.

    Important: Email alerts are not sent to the email addresses of Active Directory domain users.

    To ensure that email alerts are sent, use either of the following:

    • Add email addresses to the Extra Emails list.

    • Create local users and use their email addresses.

  9. (For User Interface Access only.) In the Group Association text box, enter a domain group in order to allow members of that domain group to log in. Enter a partial or complete group name, then click Search. The Select Group dialog box appears, containing the partial or complete group name.

    Figure 11-108: Select Group dialog box.

    A list of groups that match your search appears. Select the group, then click Add Selected Group. The group appears in the Group Association text box.

    Important: In order to link an Active Directory domain group to a permission group, the “Group type” of the Active Directory domain group must be “Security”. If the “Group type” of the Active Directory domain group is “Distribution”, users within the Active Directory domain group are not able to log in.

  10. To accept your selections, click Add Group.

The permission group is added with the selected permissions.

Editing Permission Groups

You can edit the features of existing groups.

To edit a permission group, follow the steps in “Adding Permission Groups”, except click Edit Group instead of Add Group. The dialog box is named Edit Group, and you click Save Group at the end. The group and its permissions are changed.

Deleting Permission Groups

Note: You cannot delete the Filer Administrators group.

To delete a permission group, follow these steps:

  1. Click Configuration, then select Users/Groups from the drop-down list. The Filer Users and Groups Overview page appears.

    Figure 11-109: Filer Users and Groups Overview page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

  2. On the Filer Users and Groups Overview page, click Manage Groups. The Filer Groups page appears.

    Figure 11-110: Filer Groups page.

  3. To delete a group, select the group, then click Delete Group.

  4. The About to Delete Group dialog box appears. Click Delete Group. The group is deleted.

Adding Users

You can add up to 500 users. For each user, you can specify which permission groups that user belongs to. If this Nasuni Edge Appliance is joined to Active Directory or LDAP Directory Services, you can also add domain users.

Important: If you define users and groups on the Edge Appliance, and then put this Edge Appliance under the control of the NMC, the newly defined users and groups are deleted. This is because, for consistency, NMC-defined users and groups replace Edge Appliance-defined users and groups, when the Edge Appliance goes under the control of the NMC. To avoid this, use the NMC to define the users and groups. Alternatively, put the Edge Appliance under the control of the NMC first, then define the users and groups using the Edge Appliance UI.

Note: Adding a domain group allows all Active Directory or LDAP Directory Services users in that group to access the user interface. You do not need to explicitly add those users.

To add a user, follow these steps:

  1. Click Configuration, then select Users/Groups from the drop-down list. The Filer Users and Groups Overview page appears.

    Figure 11-111: Filer Users and Groups Overview page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

  2. On the Filer Users and Groups Overview page, click Manage Users. The Filer Users page appears.

    Figure 11-112: Filer Users page.

  3. To add a native user, click Add Native User. Native users are explicitly defined and managed using the Nasuni Edge Appliance user interface. If there are already 500 users, you must delete an existing user before you can add a new user. The Add Native User dialog box appears.

    Figure 11-113: Add Native User dialog box.

    1. In the Username text box, enter the name for this user. The Username can have up to 30 characters, including letters, digits, and the following symbols:

      @ . + - _ (at symbol, period, plus sign, minus sign, underline)

    2. In the Email text box, enter the email address for this user.

    3. In the Password text box, enter the password for this user. Enter the same password in the Password confirmation text box. An indicator of password strength appears. Although password strength is not enforced, you should use strong passwords.

    4. In the Groups list, for each of the permission groups, select or clear the check box for granting membership to the permission group.

    5. To accept your selections, click Add User.

    The user is added with membership in the selected groups.

  4. If the Nasuni Edge Appliance is joined to Active Directory or LDAP Directory Services, to add a domain user, click Add Domain User. Domain users are members of an Active Directory or LDAP Directory Services domain group. If there are already 500 users, you must delete an existing user before you can add a new user. The Add Domain User dialog box appears.

    Figure 11-114: Add Domain User dialog box.

    Note: Adding a domain group allows all Active Directory or LDAP Directory Services users in that group to access the user interface. You do not need to explicitly add those users. You only need to add Active Directory or LDAP Directory Services users individually if you do not want to grant access to the entire group.

    1. In the Username text box, enter the name of a user in an Active Directory or LDAP domain. For Active Directory domains, the Username must be NT-compatible. The Username can have up to 30 characters, including letters, digits, and the following symbols:

      @ . + - _ (at symbol, period, plus sign, minus sign, underline)

      To search for existing user names, enter a partial or complete user name.

      Tip: To specify a local user name (native to the Nasuni Edge Appliance), include the name of the local Nasuni Edge Appliance in the query string.

      Click Search. The Select User dialog box appears, containing the partial or complete user name.

      Figure 11-115: Select User dialog box.

      Click Search. If the search fails, a message appears. Otherwise, a list of users that match your search appears. Select the user to define access for, then click Add Selected User. The selected user appears in the Username text box.

    2. In the Groups list, for each of the permission groups, select or clear the check box for granting membership to the permission group.

    3. To accept your selections, click Link User.

The user is added with membership in the selected groups.

Editing Users

You can edit the features of existing users.

To edit a user, follow the steps in “Adding Users”, except click Edit User instead of Add User. The dialog box is named Edit User, and you click Save User at the end. The user and his or her groups are changed.

Deleting Users

Note: You cannot delete the last user in the Filer Administrators group.

To delete a user, follow these steps:

  1. Click Configuration, then select Users/Groups from the drop-down list. The Filer Users and Groups Overview page appears.

    Figure 11-116: Filer Users and Groups Overview page.

    Note: If this Nasuni Edge Appliance is under Nasuni Management Console control, this page is not available on the Nasuni Edge Appliance. Instead, use the Nasuni Management Console to view information or perform actions.

  2. On the Filer Users and Groups Overview page, click Manage Users. The Filer Users page appears.

    Figure 11-117: Filer Users page.

  3. To delete a user, select the user, then click Delete User.

  4. The About to Delete User dialog box appears. Click Delete User. The user is deleted.

Note: If a user enables Safe Delete, and the user's account is removed, Safe Delete remains enabled.

Note: If a user clicks Delete Volume or Approve Delete for a volume that has Safe Delete enabled, and the user's account is removed, any pending deletions and any pending deletion approvals that they have made are canceled.

Global Locking

This page enables you to configure certain aspects of Global File Lock. For details about Global File Lock, see “Global File Lock”.

Tip: Use caution when making changes to Global File Lock, and discuss the possible implications of changes beforehand with Nasuni Technical Support.

Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.

If Global File Lock is enabled, and Internet connectivity issues prevent a Nasuni Edge Appliance from releasing locks on certain files, local users can still read any files that are present in the local cache by degrading the type of lock to a read lock.

If a user is trying to access a file that is not present in the local cache, and the Nasuni Edge Appliance does have Internet access, you can also attempt to restore access to the file by degrading the type of lock to a read lock. Enabling this feature causes all lock requests other than read locks to be denied, which effectively makes every directory that has Global File Lock enabled read-only.

To continue working on a file while this setting is enabled, the user should copy the file to their local client. After connectivity is restored, set “Degrade to read locks” back to “disabled”; the user should then copy the file back to the Edge Appliance.

Tip: Only enable this feature if file access is affected for an extended period of time.

Tip: To use Global File Lock, you must enable Global Locking in your customer license.

Note: You can view the Health Status of the Nasuni Orchestration Center (NOC), Global File Acceleration (GFA), and Global File Lock (GFL) at account.nasuni.com.

Tip: A specific lock server can be assigned to a specific volume. Consult Nasuni Support.

Tip: On volumes with Global File Lock enabled, we recommend increasing the snapshot frequency and the synchronization frequency of the volume.

If the snapshot and synchronization frequency of the volume is lower, new files take longer to propagate to other Edge Appliances, because new files depend on snapshot and synchronization to propagate.

Important: If Global File Lock is enabled for an open file, and that file is saved, the file is protected in the cloud outside of the regular snapshot, even while the file is still open. However, if Antivirus Protection is enabled for that file, the open file is not immediately protected in the cloud, because Antivirus Protection must scan the file before it can be moved to cloud object storage. After Antivirus Protection scans the file and finds no infections, the file is protected in the cloud.

If a file does have antivirus infections, and those infections are marked “Ignore”, the file receives the usual Global File Lock processing.

For details of Global File Lock processing, see Global File Lock.

For details of Antivirus Protection processing, see Antivirus Service.

Tip: If Global File Lock is enabled on a volume that is accessed through multiple protocols and that might contain hardlinks, it is highly recommended that the parent directory where Global File Lock is enabled be exported as an “NFS Export” to the applications that use multiple protocols. Note that hardlinks can span multiple hierarchies in which Global File Lock is enabled.

Figure 11-130: Export GFL parent directory as NFS Export.

Caution: Allowing NFS hardlinks to span hierarchies outside the one where Global File Lock is enabled might result in data inconsistencies during file synchronization. This does not apply to soft links such as symlinks.

Figure 11-131: Avoid NFS hardlinks outside GFL.
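One way to check an export for hardlinks that cross the Global File Lock boundary, as an added example that is not part of the Nasuni documentation or product: the script below is run on a Linux client that mounts the NFS export. It walks the export root, groups regular files by (device, inode), and reports any inode that has a name inside the GFL-enabled directory and either another name outside it or a link count higher than the names found (which means a name exists beyond the walked tree). Symlinks are skipped, matching the caution above. The GFL-enabled directory path is an operator-supplied assumption, and the sample tree is constructed in a temporary directory purely to demonstrate the two risky cases.

```python
"""Flag NFS hard links that span outside a Global File Lock (GFL) enabled directory.

Added example, not part of the Nasuni documentation or product. The sample
tree built by build_sample_export() is constructed for illustration only.
"""
import os
import stat
import tempfile
from collections import defaultdict


def _is_under(path, root):
    """True if path is root or lies beneath root (root must already be a real path)."""
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def collect_hardlink_groups(export_root):
    """Map (st_dev, st_ino) to the names found for every regular file with st_nlink > 1."""
    groups = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(export_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: a symlink is seen as a symlink, not followed
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                groups[(st.st_dev, st.st_ino)].append(path)
    return groups


def find_spanning_hardlinks(export_root, gfl_dir):
    """Return (names_inside, names_outside, unseen_links) for every risky inode.

    An inode is risky when at least one of its names is inside gfl_dir and
    either another name is outside it (within the export) or its link count
    exceeds the names found, meaning a name exists outside the walked tree.
    Hard links confined to the GFL hierarchy are not reported.
    """
    gfl_dir = os.path.realpath(gfl_dir)
    findings = []
    for paths in collect_hardlink_groups(export_root).values():
        inside = sorted(p for p in paths if _is_under(p, gfl_dir))
        outside = sorted(p for p in paths if not _is_under(p, gfl_dir))
        if not inside:
            continue
        unseen = os.lstat(paths[0]).st_nlink - len(paths)
        if outside or unseen > 0:
            findings.append((inside, outside, unseen))
    return sorted(findings, key=lambda f: f[0][0])


def build_sample_export(export_root, elsewhere):
    """Create a constructed sample tree and return the (assumed) GFL-enabled directory.

    export_root/gfl   : directory where Global File Lock is assumed enabled
    export_root/other : directory in the same export, outside the GFL hierarchy
    elsewhere         : directory on the same filesystem but outside the export
    """
    gfl = os.path.join(export_root, "gfl")
    other = os.path.join(export_root, "other")
    os.makedirs(os.path.join(gfl, "proj"))
    os.makedirs(other)
    os.makedirs(elsewhere)

    def touch(path):
        with open(path, "w") as fh:
            fh.write(os.path.basename(path))
        return path

    a = touch(os.path.join(gfl, "a.txt"))
    os.link(a, os.path.join(gfl, "proj", "a_link.txt"))  # fine: stays inside the GFL hierarchy
    b = touch(os.path.join(gfl, "b.txt"))
    os.link(b, os.path.join(other, "b_link.txt"))        # risky: second name outside the GFL hierarchy
    c = touch(os.path.join(gfl, "c.txt"))
    os.link(c, os.path.join(elsewhere, "c_link.txt"))    # risky: second name outside the export entirely
    touch(os.path.join(gfl, "d.txt"))                    # fine: a single name
    os.symlink(a, os.path.join(other, "a_sym.txt"))      # fine: soft links are not a concern
    return gfl


def run_demo():
    """Build the sample tree in a temp dir and return findings with paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        export_root = os.path.join(tmp, "export")
        gfl_dir = build_sample_export(export_root, os.path.join(tmp, "elsewhere"))

        def rel(path):
            return os.path.relpath(path, tmp)

        return [([rel(p) for p in ins], [rel(p) for p in outs], unseen)
                for ins, outs, unseen in find_spanning_hardlinks(export_root, gfl_dir)]


if __name__ == "__main__":
    for inside, outside, unseen in run_demo():
        print("hard link crosses GFL boundary:", inside, "->", outside,
              "| names beyond the export: %d" % unseen)
```

For a real export, call find_spanning_hardlinks() with the mount point and the GFL-enabled directory; a non-zero unseen count is the harder case to act on, because the extra name lives on a path the client cannot see from this mount.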

You can perform this procedure using either the Nasuni Edge Appliance user interface or the Nasuni Management Console (NMC).

To degrade Global File Lock to read locks, follow these steps:

  1. Click Configuration, then select Global Locking from the drop-down list. The Global Locking page appears.

    Figure 11-132: Global Locking page.

    Note: This page is available even if this Nasuni Edge Appliance is under Nasuni Management Console control.

  2. To degrade Global File Lock to read locks, select enabled from the Degrade to read locks drop-down list.

  3. To accept your selections, click Save Global Locking Setting. The Global File Lock configuration is changed.

After connectivity is restored, set “Degrade to read locks” back to “disabled”.

Changing User Password

You can change the password of the currently logged-in user account. To change the password:

  1. Click Configuration, then select Change Password from the list. Alternatively, click the user name at the top of the page, then select Change Password from the list. The Change User Password page appears.

    Figure 11-133: Change User Password page.

  2. Enter your current password (case-sensitive) in the Old password text box.

  3. Enter the new password (case-sensitive) that you want associated with your user account in the New password text box. An indicator of password strength appears. Password strength is enforced for this action; use a strong password.

  4. Enter the new password (case-sensitive) again in the Confirm new password text box.

  5. Click Save New Password.

You are taken to the Home page where the message “Password successfully changed” is displayed.