Enterprise Vault™ Installing and Configuring
Configuring Single Sign-On
Starting with release 14.1, Enterprise Vault supports enterprise Single Sign-On (SSO) authentication for the Enterprise Vault Search site using Security Assertion Markup Language (SAML) 2.0 compliant Identity Providers (IdPs).
Perform the following steps to set up the SAML-based authentication:
Step 1: Register a new application in Identity Provider with the details about Enterprise Vault Server.
Enterprise Vault works with several Identity Providers, such as Okta, Microsoft Azure, AWS, and so on. These steps use the Okta IdP; the steps to register a new application in the Identity Provider vary based on the IdP you use.
Step 2: Configure the required properties in Enterprise Vault Administration Console.
Step 3: Update Enterprise Vault Search site settings in IIS and Web.config file.
- Update Enterprise Vault Search site authentication settings in IIS
- Update Enterprise Vault Search site configuration settings in Web.config
Step 1: Register a new application in Identity Provider with the details about Enterprise Vault Server
- Sign in to the Identity Provider administrator portal.
- Register New Application. During the application registration, if asked, provide the following details:
Name of the App: Enterprise Vault Search
Platform: Web based
Sign On Method: SAML 2.0
Single sign on URL OR ACS URL: https://<your-EV-server-name-here>/EnterpriseVault/Search/SamlAcs.aspx
Note:
The URL specifies the location where the SAML assertion is sent by the IdP with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL of the application.
Audience URI (SP Entity ID) or Issuer: https://<your-EV-server-name-here>/
Note:
It specifies the application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of the application.
Ensure that the Attribute Statement of assertion is configured to return the User Principal Name (UPN) value of the user (for example, user@WindowsADdomain.com), with attribute name UPN. Enterprise Vault uses this value to map with the Windows Active Directory user for authorization.
Note:
Ensure that the Response is configured so that both the SAML Response and the Assertion in the response are signed using the RSA-SHA256 signature algorithm.
Enterprise Vault currently does not support automatic configuration for SAML using MetaData URL. All the configuration details need to be configured manually.
- Once the application is registered, go to the Sign On tab of the registered application, and then click View Setup Instructions. Note down the following values of the registered application:
Identity Provider Single Sign-On URL value: The location where the SAML request will be sent to the IdP with an HTTP POST. You need this value to set the SSO Service Location setting in Enterprise Vault Administration Console.
Identity Provider Issuer value: The unique identifier of the registered application in the IdP, that is, the intended source that sends the SAML assertion. This is most often the IdP Entity ID of the application. You need this value to set the Issuer URL in Enterprise Vault Administration Console.
Download the certificate of your registered application, and save the certificate (.cert or .cer) file somewhere on your Enterprise Vault server. If multiple formats of the certificate are presented for download by the IdP, then choose the Base64 Certificate format for download. You need this certificate file while configuring SSO on Enterprise Vault Administration Console.
- Assign permissions to all the required users who should be allowed to access Enterprise Vault Search.
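To confirm that the IdP application behaves as Step 1 requires, an administrator can decode the SAML Response from a test sign-in and check it against those settings. The PowerShell below is an added example, not code from Enterprise Vault or its vendor; the function name, the host name ev01.example.test and the sample XML are constructed for illustration, and the check looks only at which signature algorithm is declared, not at the signature itself.

```powershell
# Added example: structural check of a decoded SAML Response against the Step 1
# settings. It does not verify the signature value cryptographically.
$RsaSha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

function Test-EvSamlResponse {
    param([xml]$Response, [string]$AcsUrl, [string]$Audience)
    $ns = New-Object System.Xml.XmlNamespaceManager($Response.NameTable)
    $ns.AddNamespace('p',  'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('a',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # Text of the first node matching an XPath, or $null when nothing matches
    $get = { param($xpath) $n = $Response.SelectSingleNode($xpath, $ns); if ($null -ne $n) { $n.InnerText.Trim() } }
    $alg = 'ds:Signature/ds:SignedInfo/ds:SignatureMethod/@Algorithm'
    $asr = '/p:Response/a:Assertion'
    [ordered]@{
        ResponseSignedRsaSha256  = (& $get "/p:Response/$alg") -ceq $RsaSha256
        AssertionSignedRsaSha256 = (& $get "$asr/$alg") -ceq $RsaSha256
        DestinationIsAcsUrl      = (& $get '/p:Response/@Destination') -ceq $AcsUrl
        AudienceMatches          = (& $get "$asr/a:Conditions/a:AudienceRestriction/a:Audience") -ceq $Audience
        UpnAttributePresent      = [bool](& $get "$asr/a:AttributeStatement/a:Attribute[@Name='UPN']/a:AttributeValue")
    }
}

# Constructed, trimmed sample: the assertion declares RSA-SHA1 instead of RSA-SHA256
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://ev01.example.test/EnterpriseVault/Search/SamlAcs.aspx">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://ev01.example.test/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="UPN">
      <saml:AttributeValue>user@example.test</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
Test-EvSamlResponse -Response ([xml]$sample) -Audience 'https://ev01.example.test/' `
    -AcsUrl 'https://ev01.example.test/EnterpriseVault/Search/SamlAcs.aspx'
```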
Step 2: Configure the required properties in Enterprise Vault Administration Console
- In the Administration Console, go to Site > Properties > Single Sign-On page.
- Configure Single Sign-On for Enterprise Vault Search.
For more information on how to configure Single Sign-On, see Site Properties: Single Sign-On in the Administration Console help.
Step 3: Update Enterprise Vault Search site settings in IIS and Web.config file
- Update Enterprise Vault Search site authentication settings in IIS
On the Enterprise Vault server, open Internet Information Services (IIS) Manager.
If you are using Windows Server 2012 or later, on the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and go to the following level in the hierarchy pane: Default Web Site > EnterpriseVault > Search, and then click on that Search Web site or Web application.
Scroll to the IIS section in the Feature View pane, and then double-click Authentication.
In the Authentication pane, enable the following items, and disable the remaining items, using the Enable/Disable option in the Action pane:
| Name | Status |
|---|---|
| Anonymous Authentication | Enabled |
| Forms Authentication | Enabled |
| ASP.NET Impersonation | Enabled |
| Basic Authentication | Disabled |
| Windows Authentication | Disabled |
| Digest Authentication | Disabled |
- Update Enterprise Vault Search site configuration settings in Web.config
On the Enterprise Vault server, locate the folder that the Enterprise Vault Search site is mapped to:
<Enterprise Vault Install Directory>\EVSearch\EVSearchClient
For example: C:\Program Files (x86)\Enterprise Vault\EVSearch\EVSearchClient
Take a backup of the Web.config file.
Open the Web.config file in any text or XML editor.
Change 1 of 4:
Locate the following section:

    <authentication mode="Windows"/>
    <!--Uncomment following for SAML config, AND comment out above-->
    <!--<authentication mode="Forms">
      <forms loginUrl="SamlStartSSOAuth.aspx" defaultUrl="Shell.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>-->

Modify the above section to the following:

    <!--<authentication mode="Windows"/>-->
    <!--Uncomment following for SAML config, AND comment out above-->
    <authentication mode="Forms">
      <forms loginUrl="SamlStartSSOAuth.aspx" defaultUrl="Shell.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>

Change 2 of 4:
Locate the following section:

    <!--Uncomment following for SAML/IDP configuration-->
    <!--<location path="SamlStartSSOAuth.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="SamlAcs.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="ErrorPage.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>-->

Modify the above section to the following:

    <!--Uncomment following for SAML/IDP configuration-->
    <location path="SamlStartSSOAuth.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="SamlAcs.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="ErrorPage.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

Change 3 of 4:
Locate the following section:

    <!--Set UseRestrictedSecurity to "0", with SAML/IDP configuration. This is required for IE 11 support-->
    <add key="UseRestrictedSecurity" value="1"/>

Modify the above section to the following:

    <!--Set UseRestrictedSecurity to "0", with SAML/IDP configuration. This is required for IE 11 support-->
    <add key="UseRestrictedSecurity" value="0"/>

Change 4 of 4:
Locate the following section:

    <!--Uncomment following for SAML/IDP configuration-->
    <!--<add key="SAML.SP.ACSURL" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search/SamlAcs.aspx" />
    <add key="SAML.SP.Issuer" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search" />-->

Modify the above section to the following:

    <!--Uncomment following for SAML/IDP configuration-->
    <add key="SAML.SP.ACSURL" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search/SamlAcs.aspx" />
    <add key="SAML.SP.Issuer" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search" />

In both values, replace EV-SERVER.Domain.com with your Enterprise Vault server name.
Save the changes to the Web.config file.
Restart IIS for the changes to take effect.
Run this command as Administrator: iisreset
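After the four changes, the edited file can be checked before users sign in; a section left inside an XML comment is invisible to XPath, so an incomplete edit shows up as a failed check. This PowerShell is an added example, not part of Enterprise Vault: the function name and the sample file are constructed, the sample places the `<add>` keys under `appSettings` as an assumption, and it deliberately keeps the sample host name from Change 4 so that `SampleHostReplaced` reports False.

```powershell
# Added example: verifies that the four Web.config changes took effect.
# Assumes the file declares no default XML namespace.
function Test-EvSearchWebConfig {
    param([xml]$Config)
    $attr = { param($xpath) $n = $Config.SelectSingleNode($xpath); if ($null -ne $n) { $n.Value } }
    # Pages that anonymous users may reach (Change 2 opens exactly three)
    $open = @($Config.SelectNodes("//location[system.web/authorization/allow/@users='*']") |
              ForEach-Object { $_.GetAttribute('path') })
    $need = 'SamlStartSSOAuth.aspx', 'SamlAcs.aspx', 'ErrorPage.aspx'
    $acs  = & $attr "//add[@key='SAML.SP.ACSURL']/@value"
    $iss  = & $attr "//add[@key='SAML.SP.Issuer']/@value"
    [ordered]@{
        FormsAuthentication   = (& $attr '//authentication/@mode') -ceq 'Forms'
        LoginUrlIsSamlStart   = (& $attr '//authentication/forms/@loginUrl') -ceq 'SamlStartSSOAuth.aspx'
        AnonymousDenied       = $null -ne $Config.SelectSingleNode("//authorization[not(ancestor::location)]/deny[@users='?']")
        SamlPagesOpen         = -not ($need | Where-Object { $_ -notin $open })
        OtherOpenPages        = @($open | Where-Object { $_ -notin $need })   # review any entry listed here
        RestrictedSecurityOff = (& $attr "//add[@key='UseRestrictedSecurity']/@value") -ceq '0'
        SpUrlsUseHttps        = ($acs -like 'https://*') -and ($iss -like 'https://*')
        SampleHostReplaced    = [bool]$acs -and ("$acs$iss" -notlike '*EV-SERVER.Domain.com*')
    }
}

# Constructed sample: changes 1 to 3 applied, change 4 uncommented but not edited
$sample = @'
<configuration>
  <appSettings>
    <add key="UseRestrictedSecurity" value="0"/>
    <add key="SAML.SP.ACSURL" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search/SamlAcs.aspx"/>
    <add key="SAML.SP.Issuer" value="https://EV-SERVER.Domain.com/EnterpriseVault/Search"/>
  </appSettings>
  <system.web>
    <!--<authentication mode="Windows"/>-->
    <authentication mode="Forms">
      <forms loginUrl="SamlStartSSOAuth.aspx" defaultUrl="Shell.aspx"/>
    </authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="SamlStartSSOAuth.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
  <location path="SamlAcs.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
  <location path="ErrorPage.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
</configuration>
'@
Test-EvSearchWebConfig -Config ([xml]$sample)
```

To check a real server, pass the file itself: `-Config ([xml](Get-Content -Raw '<Enterprise Vault Install Directory>\EVSearch\EVSearchClient\Web.config'))`.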