1. Soutien
  2. Base de connaissances
  3. 100050142

Steps to Prepare for Veritas Alta SaaS Protection Deployment Hosted in Customer’s Azure Account

Article: 100050142
Dernière publication: 2024-05-10
Evaluations: 6 0
Produit(s): Veritas Alta SaaS Protection

Description


While Veritas Alta SaaS Protection is a fully managed SaaS offering, deploying Veritas Alta SaaS Protection into your own Azure subscription requires the customer to complete a set of steps within Azure.  Steps 1-9 below is an overview of the process.  If at any time there are questions or if you would like assistance, please contact your Veritas technical contact.  

  1. Create a dedicated Azure subscription for Veritas Alta SaaS Protection.
  2. Create an 'Veritas Alta SaaS Protection' user in your default Azure Active Directory.
  3. Assign the created 'Veritas Alta SaaS Protection user to have the required access to the new Azure subscription. This user does not require an O365 license or be mail-enabled. 
  4. Create the Azure Active Directory 'Veritas Alta SaaS Protection COPS' application, to permit the Veritas Alta SaaS Protection provisioning system access to the new Azure subscription.
  5. Create the Azure Active Directory 'Veritas Alta SaaS Protection Directory Provider' application to allow Veritas Alta SaaS Protection to sync your organization's Azure Active Directory.
  6. Disable MFA for the user account.
  7. Remove restrictions on user login to Azure.
  8. Whitelist COPS IP addresses.
  9. Disable any conditional policy.

Required Information Checklist

At the end of this process, there will be a section to enter the information below that you will send to your Veritas technical contact.  

  1. The 'Veritas Alta SaaS Protection' user's 'SMTP address' and temporary 'password'.
  2. The 'Application ID' for the 'Veritas Alta SaaS Protection COPS' Azure Active Directory application.
  3. Optionally, the 'Application ID' and generated 'key' for the created 'Veritas Alta SaaS Protection Directory Provider' Azure Active Directory application.

Creating a dedicated Azure subscription for Veritas Alta SaaS Protection

Create a new dedicated Azure subscription for the exclusive use of Veritas Alta SaaS Protection. Care should be taken to ensure that only required users have access to this subscription, to prevent accidental deletion or modification of Veritas Alta SaaS Protection's underlying Azure resources.

 

Log in to the Azure portal, select the 'All Services' blade, then 'Subscriptions', then click the 'Add' action, and follow the normal steps to create a subscription.

 

 

Create an 'Veritas Alta SaaS Protection' user in your default Azure Active Directory

Log in to the Azure portal using a Global admin account to create an 'Veritas Alta SaaS Protection' user in your organization's default Azure Active directory. Veritas will use this account to manage your deployment.

  1. Select the proper directory by referencing the top-right user widget.  If the default directory is not selected, click top-right user widget, select 'Switch directory', and select the default directory. 
 
  1. Select the Azure Active Directory blade, then click 'Users', 'All Users', and the 'New user' action.

 

 
 
 
Configure the user as follows:
  1. User name: Veritas Alta SaaS Protection@<your_azure_ad_domain> 
  2. Name: Veritas Alta SaaS Protection 
  3. Create a password
  4. Click the 'Create' button 
Notes:
  1. Veritas will change the password during the provisioning process, and this user will be enrolled in Veritas Alta SaaS Protection's password management system, and have the password updated every 60 days.
  2. Take note of the 'User name' and temporary 'Password' as this will be sent to your Veritas technical contact.  
 

Assign the 'Veritas Alta SaaS Protection' user to have the required access to the new Azure subscription

Grant the newly created 'Veritas Alta SaaS Protection' user to have Owner permissions to the new Azure subscription.  The Veritas Alta SaaS Protection provisioning system will connect and manage the Azure subscription through that user. 

  1. Select the 'All Services' blade, then 'Subscriptions', and then click the newly created Veritas Alta SaaS Protection subscription, followed by the 'Access Control (IAM)' blade.
  2. Click the 'Add' button. 
  3. Select the 'Add role assignment'.
 
  1. Select the 'Role' to be 'Owner'
  2. Type 'Veritas Alta SaaS Protection@' in the 'Select' text field. The Veritas Alta SaaS Protection user should be returned.  
  3. Click the user, and it is added to the bottom list of 'Selected members'.  
  4. Click the 'Save' button.

 

Create the Azure Active Directory 'Veritas Alta SaaS Protection COPS' application

Access to the Windows Azure Service Management API must be granted for the Veritas Alta SaaS Protection Customer Operations System (COPS) to manage the subscription in an automated manner. Create an Azure Active Directory native application as follows:

  1. Select the 'Azure Active Directory blade', then click 'App registrations', followed by 'New registration'.
 

Configure the application as follows:

  1. Name: Veritas Alta SaaS Protection COPS
  2. Support Account Types: Accounts in this organizational directory only 
  3. Redirect URI (Optional): 
    1. Select Public client (mobile & desktop)
    2. Enter URL as: https://localhost
  4. Click the 'Register' button.
 
 

The application blade will be automatically opened once the application is created.  

  1. Take note of the 'Application (client) ID' for 'Veritas Alta SaaS Protection COPS' as this will also be provided to your Veritas technical contact. 
  2. Click 'API Permissions'

 

 

  1.         On the 'API Permissions' blade, select 'Add a permission.'

 

 

  1.          Select the 'APIs my organization uses' tab, then type 'Windows' in the search field. Click the 'Windows Azure Service Management API' entry.

 

 

 

  1. Check the 'user_impersonation Access Azure Service Management as organization users (preview)' option.
  2. Click 'Add Permission.'

 

 
  1. Click the 'Grant Permissions' button
  2. Click 'Yes' when prompted.

 

 
Lastly, choose the Authentication branch and toggle the Allow public client flows option to Yes.  
 
NOTE

The COPS account does not collect plain text passwords from the M365 tenant. The account credentials are securely held in the COPs system and the obfuscated password provided is rolled periodically by the system.

This setting is not about the Identity Provider (Azure AD)’s security feature. It is about the client application’s design flow and the environment the application is used in. Changing the type does not cause Azure AD to provide any more or less security protection for the application than the other setting. It only changes what Azure AD expects from the client application during authentication. A confidential client is expected to provide a secret (or assertion) when authenticating to Azure AD while a public client does not have to provide this parameter. Access the Learn more link to see more.

Configure Veritas Alta SaaS Protection to sync your organization's Azure Active Directory

While Veritas Alta SaaS Protection is a fully managed SaaS offering, you may optionally configure Veritas Alta SaaS Protection to have read access to your Azure Active Directory.  Doing this allows Veritas Alta SaaS Protection to synchronize all users, groups, and group memberships.  Directory synchronization is a requirement for the following Veritas Alta SaaS Protection features:
  1. Link-based stubbing.  (Used for stubbing files on non-Windows file shares such as CIFS).
  2. End-user Portal. (Allows end user Browse and Search functionality based on user permissions)
  3. Custodian based searching in the Veritas Alta SaaS Protection Discovery application.

If none of the above apply to your deployment, it is possible to skip directory synchronization, in which case Veritas can provision your tenant without any action on your part. If your requirements change, Veritas can enable the directory synchronization functionality at that time. 

To enable directory synchronization, please follow these steps on How to Enable Directory Synchronization. 

 
That completes the process.  Work with your Veritas Alta SaaS Protection technical contact to securely transfer the following information to them. Do not send it via email.  
 
User Name
SMTP Address
Temporary Password
Veritas Alta SaaS Protection
 
 
 
Name
Application ID
Veritas Alta SaaS Protection COPS
 
 
Name
Application ID
Veritas Alta SaaS Protection Directory Provider
 
 
In addition to the above, the customer's subscription needs to be able to support the following types of Azure resources in the region where ASP is deployed.
 

App Service and App Service plan - 1 Per StorSite
The sizes we currently use are:

S1,S2,S3

P1v2,P2v2,P3v2

P0v3,P1v3,P2v3,P3v3

P1mv3,P2mv3,P3mv3,P4mv3.P5mv3

 

 SQL Server - 1 Per StorSite

SQL databases - 1 for the Hub and 1 per Stor
The sizes we use are:

S0,S1,S2,S3,S4,S5,S7,S9,S12,vCore

 

 Storage Account - 2 per Stor

 Per ASP Connector VM’s (sizing dependent- minimum 1)

Public IP address - 1

Virtual machine - 1
The sizes we currently use are:

DS1_V2,DS2_V2,DS3_V2,DS4_V2,DS5_V2,D4S_V3

E2S_V3,E4S_V3,E8S_V3,E16S_V3,E32S_V3,E48S_V3,E64S_V3

F2S_V2,F4S_V2,F8S_V2,F16S_V2,F32S_V2,F48S_V2,F64S_V2

E4_2AS_V4,E8DS_V4,E8AS_V4

Network Interface -1

Network security group - 1

Storage account -1

Disk - (sizing dependent- minimum 3)

Virtual network

 

For Search we require some additional resources

Virtual network - 1 Per StorSite

 

Per search cluster node (sizing dependent- minimum 1)

Public IP address - 1

Virtual machine - 1
The sizes we currently use are:

DS1_V2,DS2_V2,DS3_V2,DS4_V2,DS5_V2,D4S_V3

E2S_V3,E4S_V3,E8S_V3,E16S_V3,E32S_V3,E48S_V3,E64S_V3

F2S_V2,F4S_V2,F8S_V2,F16S_V2,F32S_V2,F48S_V2,F64S_V2

E4-2AS_V4,E8DS_V4,E8AS_V4

Network Interface -1

Network security group - 1

Storage account -1

Disk - (sizing dependent- minimum 3)

Recovery Services vault - 1

 

App Service and App Service plan - 1 Per StorSite
The sizes we currently use are:

S1,S2,S3

P1v2,P2v2,P3v2

P0v3,P1v3,P2v3,P3v3

P1mv3,P2mv3,P3mv3,P4mv3.P5mv3

 

 SQL Server - 1 Per StorSite

SQL databases - 1 for the Hub and 1 per Stor
The sizes we use are:

S0,S1,S2,S3,S4,S5,S7,S9,S12,vCore

 

Storage Account - 2 per Stor

 

 Per ASP Connector VM’s (sizing dependent- minimum 1)

Public IP address - 1

Virtual machine - 1
The sizes we currently use are:

DS1_V2,DS2_V2,DS3_V2,DS4_V2,DS5_V2,D4S_V3

E2S_V3,E4S_V3,E8S_V3,E16S_V3,E32S_V3,E48S_V3,E64S_V3

F2S_V2,F4S_V2,F8S_V2,F16S_V2,F32S_V2,F48S_V2,F64S_V2

E4_2AS_V4,E8DS_V4,E8AS_V4

Network Interface -1

Network security group - 1

Storage account -1

Disk - (sizing dependent- minimum 3)

Virtual network

 

For Search we require some additional resources

Virtual network - 1 Per StorSite

 

Per search cluster node (sizing dependent- minimum 1)

Public IP address - 1

Virtual machine - 1
The sizes we currently use are:

DS1_V2,DS2_V2,DS3_V2,DS4_V2,DS5_V2,D4S_V3

E2S_V3,E4S_V3,E8S_V3,E16S_V3,E32S_V3,E48S_V3,E64S_V3

F2S_V2,F4S_V2,F8S_V2,F16S_V2,F32S_V2,F48S_V2,F64S_V2

E4-2AS_V4,E8DS_V4,E8AS_V4

Network Interface -1

Network security group - 1

Storage account -1

Disk - (sizing dependent- minimum 3)

Recovery Services vault - 1

 
 
 

Ce contenu était-il utile ?

Article Languages