Getting Started for Office Groove Server 2007


Microsoft Corporation
Published: June 2007
Author: Office IT and Servers User Assistance
Editor: Office IT and Servers User Assistance

Abstract

This book presents the requirements for running Office Groove Server 2007 and provides steps for installing and configuring Groove servers. It also offers instruction for getting started with Groove domains. The audience for most of this book includes IT professionals and infrastructure specialists responsible for setting up servers in an enterprise. The Management Domain Operations section is specifically for Groove domain administrators.

The content in this book is a copy of selected content in the Office Groove Server Technical Library (http://go.microsoft.com/fwlink/?LinkId=93923) as of the publication date above. For the most current content, see the technical library on the Web.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


1. Introduction to Getting Started for Office Groove Server 2007

Microsoft® Office Groove® Server 2007 is a Windows-based software package that provides comprehensive services for managing Microsoft Office Groove. Office Groove Server 2007 contains three components: the Groove Server Manager, Groove Server Relay, and Groove Server Data Bridge applications, any of which can be installed on Windows servers in a corporate network.

Microsoft® Office Groove® enables office workers to share and synchronize data on their PCs using a variety of productivity tools. Using a Groove workspace on their PCs, they can collaborate in real time. Members of a workspace may work interactively to assemble information, discuss plans, schedule meetings, track results, jointly produce reports, store files, and converse through online chat or instant messages. Additionally, team members may perform tasks offline and then synchronize the results with others when they go back online. When a project is finished, they can archive their work by linking to an Office SharePoint site.

To sustain communications in the dynamic and increasingly diverse conditions of today's networks, Groove Relay servers are employed, which provide data store-and-forwarding, message fanout, device presence detection, and other services that enable timely information exchange regardless of corporate firewalls, weak communications links, internet traffic conditions, or client online/offline status.

In a managed Groove environment, enterprises can obtain dedicated relay support by installing Groove Server 2007 onsite, or they can employ Groove Enterprise Services to avoid the burden of server administration and maintenance. Groove Server 2007 supplies organizations with onsite Groove Server Manager and Groove Server Relay functionality, providing Groove management and relay services, respectively. It also offers the optional Groove Server Data Bridge to integrate Groove workspace backup service into your system.

The Groove Server Manager (Groove Manager henceforth) component of Office Groove Server enables administrative control of Groove clients. Groove administrators and clients communicate with the Groove Manager via its Web site, which provides both an administrative interface and a base for client contact. The site's administrative Web interface allows for server management, and allows domain administrators to govern Groove usage via the distribution of policies and relay server assignments.

This book provides instructions for getting started with Groove Server Manager, Relay, and Data Bridge, as well as Groove Domains (via Groove Enterprise Services or onsite Groove Server Manager).

2. I. Overview of Groove Server 2007

Office Groove Server 2007 consists of the following applications for managing Office Groove in the enterprise:
• Office Groove Server 2007 Manager
• Office Groove Server 2007 Relay

In addition, it provides the following optional applications for a more comprehensive management environment:
• Office Groove Server 2007 Manager with Auditing
• Office Groove Server 2007 Data Bridge

Use the Office Groove Server 2007 product CD or download to install a selected application onto a dedicated server machine.

Note: Be sure to install each application on a separate, dedicated server.

Note: Groove Audit is an option that can be enabled via the Groove Manager application.

In lieu of onsite Groove Servers, Groove Enterprise Services provides access to Microsoft-hosted Groove Relay and Groove Manager services, described in Overview of Groove Enterprise Services below.

For detailed information about getting started with any of these products, select one of these links:
• Getting Started with Groove Server Manager
• Getting Started with Groove Management Domains
• Getting Started with Groove Server Relay
• Getting Started with Groove Server Data Bridge

If you subscribe to Groove Enterprise Services, or for information about getting started with managing a Groove domain, see Getting Started with Groove Management Domains. For information about enabling the Groove Auditing feature, see the 'Auditing Groove Activity' section of the book, Operations for Groove Server - Manager.

3. II. Overview of Office Groove Enterprise Services

Groove Enterprise Services provides access to Groove Relay and Groove Manager through a hosted environment at a Microsoft data center. Organizations who procure these services configure management domains during initial Enterprise Services registration. Once registration is complete, administrators can immediately begin managing their domains, setting Groove policies and entering user information. Groove relay support is included with the Enterprise Management services, so no relay configuration is necessary. For more information about Groove Enterprise Services, see the Groove Enterprise Services site (http://office.microsoft.com/en-us/grooveservices/FX101674141033.aspx).

4. III. Getting Started with Groove Server Manager

Installing the Microsoft Office Groove Server 2007 Manager software and bringing the server online at your organization involves the following main steps: setting up an SQL server, setting up the Microsoft Internet Information Services (IIS) server, installing the Groove Server Manager software on the IIS server, configuring the Groove Server Manager, and configuring SMTP. The context is for a general setup that meets the needs of many enterprises. Upon successful completion of the procedures described in this section, the Groove Manager will be ready for domain administration, described in the Groove Manager Domain Administration portion of the Help. Groove Manager installation and initial configuration involves the set of procedures described here.

In this section:
• Readme for Office Groove Server 2007 Manager
• Requirements for Groove Manager
• Setting Up the Groove Manager SQL Server
• Setting Up the Groove Manager IIS Server
• Installing Groove Manager
• Securing the Groove Manager Administrative Web Site
• Configuring and Securing SMTP for Groove Manager
• Accessing Groove Manager's Administrative Web Site
• Configuring an Initial Groove Manager Domain
• Utilizing Onsite Directories of User Information
• Deploying Groove on Client Devices
• Setting Up Groove Auto-Account Configuration/Restoration
• Viewing and Editing Groove Manager Server Properties

Readme for Office Groove Server 2007 Manager

This document contains late breaking information for the Microsoft® Office Groove® Server 2007 Manager. The Groove Server Manager (subsequently called Groove Manager) application enables you to deploy and manage Groove in your enterprise from a centralized location, either from a server at your company site or from a Microsoft-hosted Groove Manager domain. For information about managing this application, see the Groove Manager Server Administration and Groove Manager Domain Administration topics in the online Help that accompanies this product.

In this section:
• Important Issues and Notes
• Summary of Changes from Prior Versions

Issues and Notes

The following table lists important issues and notes concerning the Groove Manager application.

Issue or Question: What names have changed?
Answer: The following names have changed since previous management server versions:
• Microsoft Office Groove Server 2007 Groove Manager replaces the former name, Enterprise Management Server (EMS).
• Groove Enterprise Services replaces the former Groove Hosted Management Services and Groove Hosted Relay Services.

Issue or Question: What steps are necessary to support Groove Manager e-mail?
Answer: In order to successfully send e-mail from the Groove Manager, be sure to grant permission to your local computer to relay e-mail through your SMTP server (via the Relay restrictions setting on the SMTP Virtual Server Properties/Access tab).

Issue or Question: What stops the Groove Manager from repeated attempts to reconnect with a disconnected Groove Relay?
Answer: The Groove Manager does not recognize when you have stopped and/or disconnected a managed Groove Relay but continues trying to contact the disconnected device. To prevent this condition, remove the Groove Relay entry from the Groove Manager before stopping and/or disconnecting the Groove Relay server device.

Issue or Question: Can audited files be secured with Access Control Lists?
Answer: In non-NTFS environments (FAT or FAT32), you cannot secure audited files with Access Control Lists (ACLs). While Groove encrypts the files, users can nevertheless access and delete them. To monitor such activity, you may want to check the audit server SQL Security table where the audit server reports file deletions and other events. Future versions of the Audit Server will address this issue.

Issue or Question: Does the Groove Auto-Account Configuration feature have specific directory server requirements?
Answer: If you are integrating Groove Manager with an LDAP directory server in support of the Groove Manager's Groove Auto Account Configuration feature, Active Directory integration is strongly recommended as this is the tested and supported configuration.

Issue or Question: In an LDAP environment, Groove users are not receiving Groove Manager e-mails.
Answer: If you are integrating Groove Manager with an LDAP directory server, particularly if you are using Lotus Domino directories, make sure that each user record includes a valid e-mail address. The Domino format automatically populates blank user e-mail addresses with default entries, usually preventing Groove Manager e-mails from reaching users.

Issue or Question: In an LDAP environment, imported members are showing directory status of Deleted.
Answer: If you are integrating Groove Manager with an LDAP directory server, you should access directory server member entries (for data synchronization, for example) using the same LDAP Login Name that was used to import members into the Groove Manager domain. Using a different LDAP Login Name can disrupt your directory entries on the Groove Manager when data synchronization occurs because different LDAP Login Names may have different access to the directory server. Under these conditions, the directory status of user accounts in Groove Manager will appear as Deleted. To update the member's directory status to Imported, change the LDAP Login Name back to the original name used to import members.

Issue or Question: Directory synchronization events (user updates and deletes) do not appear in management domain reports; they appear only in server-level reports.
Answer: If you have the role of Server Administrator, look for synchronization events at the application level.

Issue or Question: Communicator-Groove integration features do not function properly for managed Groove clients.
Answer: In environments where managed user contact information originates from an Active Directory (AD) database, a user's 'mail' and 'RTCSIP' addresses in AD must match (the AD default condition) in order for Groove-Communicator integration to function properly. Because Groove Manager uses AD 'mail' addresses for user e-mail addresses, while Communicator's Live Communications Server (LCS) depends on AD RTCSIP addresses, if the two AD address fields do not match (if an administrator edited the 'mail' address, for example) and you synchronize Groove Manager with AD, the resulting Groove contact e-mail address will conflict with the Communicator contact e-mail address and Groove-Communicator integration cannot occur. To avoid this condition, check with your Active Directory administrator to ensure that the RTCSIP address and mail address fields in Active Directory match.

Issue or Question: In an environment that includes Groove 3.1 (or earlier) users, trying to delete a license set fails.
Answer: Provisioned license sets cannot be deleted. Unprovision all the users from the license set.

Issue or Question: Auditing fails for management domain members on their managed devices after migrating from Groove 3.0 to Office Groove 2007.
Answer: The Groove 3.0 domain member should migrate to Groove 3.1, prior to upgrading to Office Groove 2007.

Summary of Changes from Prior Versions

Office Groove Server 2007 Groove Manager offers the following new server-level features and enhancements over previous management server versions:
• Streamlined process for automatic account configuration (formerly auto-activation).
• New automatic account restoration capability.
• New unified installation of Groove Manager and Groove Client Audit Service.

For details about the above features, see the Groove Manager Server Administration portion of the Help.

Office Groove Server 2007 Groove Manager offers the following new domain-level features and enhancements over previous management server versions:
• Groove licensing is now handled via Office product keys during installation.
• Microsoft Office Groove component updates are now subject to standard Office update policies.
• New automated domain migration capability.
• New identity security policy to control which file types Groove blocks.
• Simplified tool usage policy (now included on the Client Policies tab of the Device Policy template).
• New device policy to control client support for Instant Messenger.
• New member identity policy for setting minimum Groove version.
• Simpler process for managing Groove devices.
• Both server and domain Help are now available in multiple languages, including German, French, Spanish, and Japanese, besides English.

For details about the above features, see the Groove Manager Domain Administration portion of the Help.

Requirements for Groove Manager

The following sections list minimum and/or recommended hardware and software requirements for installing and running Groove Manager at your site. For information about installing the required Groove Relay server software, see the Groove Relay Administrator's Guide included with the Groove Relay component of the Groove Server.

In this article:
• Hardware Requirements
• Software Requirements
• Expertise Requirements

Hardware Requirements

The Groove Manager requires the following hardware:

Machine: Groove Manager - IIS server
Specifications:
• Processor: 64-bit processor supporting AMD64 or Intel® EM64T instruction set
• Processor speed: AMD 1.8GHz or higher, or Intel 2.4 GHz or higher
• RAM: 2 GB minimum
• Disk: 40 GB RAID disk array

Machine: Groove Manager - SQL Server
Specifications:
• Dual-processor Intel Xeon 2 GHz minimum
• 2 GB RAM
• 100 GB RAID disk array

Machine: LDAP directory server machine (optional)
Specifications: Standard directory setup at your enterprise.

Machine: Groove Relay server
Specifications: As specified in the Groove Relay documentation that accompanies the Groove Relay component of the Microsoft Office Groove Server.

Machine: Microsoft Office Groove clients
Specifications: As specified in the documentation that accompanies Microsoft Office Groove.

Software Requirements for Groove Manager

The Groove Manager requires the following software:

For this Machine: Groove Manager - IIS server
You Need this Software:
One of the following:
• Windows Server 2003 Standard or Enterprise x64 Edition Service Pack 1 (or later)
• Windows Server Vista (requires IIS6 Management Compatibility component)
Microsoft® Internet Information Services (IIS) version 6.0 for Windows Server 2003 Standard or Enterprise x64 Edition
Microsoft .Net Framework 2.0 (or later), including ASP.NET
Simple Message Transfer Protocol (SMTP) virtual server
Microsoft® Office Groove® Server 2007 Manager

For this Machine: Groove Manager - SQL server
You Need this Software:
One of the following: Windows Server 2003 Standard Edition or Windows Server 2003 Enterprise Edition, with the latest Service Pack required
Microsoft SQL Server 2000 Service Pack 2 (or later service pack)
Note: SQL 2005 Express Edition is not supported.

For this Machine: Browser on administrative PC
You Need this Software:
Internet Explorer (IE) 6.0 or later is running on the administrative PC, with the following settings in place:
• JavaScript, Cookies, and Forms are enabled
• Minimum Screen Resolution: 1024 by 768 pixels
• Maximum Display DPI Setting: Normal size (96 DPI)

For this Machine: Directory server (optional)
You Need this Software:
LDAP 3.0-based software
Microsoft Active Directory, Lotus Domino R5 or later, and Sun One supported

For this Machine: Groove Relay server
You Need this Software:
Microsoft® Office Groove® Server 2007 Relay
Groove Enterprise Relay Server 3.0 or later supported

For this Machine: Microsoft Office Groove client
You Need this Software:
Microsoft Office Groove 2007 recommended, to utilize the full set of Groove Manager features
Groove Workspace 2.5, Groove Virtual Office 3.0, or later supported

Expertise Required for Groove Manager

As a Groove Manager administrator, you need expertise with the following:
• Windows Server 2003
• Internet Information Services (IIS)
• SQL database administration
• SMTP server administration
• Internet Domain Name System (DNS) naming
• Network security and topology
• Groove operation

Domain administrators must be familiar with the following:
• Software deployment and administration
• Password policies
• Software usage and security policies
• Software event reports
• Groove operation

See Also: Getting Started with Groove Server Manager

Setting Up the Groove Manager SQL Server

The Groove Manager stores most of its data, including user information and certificates, on an SQL server machine.

To set up an SQL server to support the Groove Manager installation:
1. Install an SQL Server on a Windows server machine using your company's standard practices for SQL server configuration.
2. In an environment of approximately 5 transactions per user per hour, configure disk storage to allow 6 MB of storage per managed Groove user, including space for account backup.
3. Make sure that the MS-SQL port (usually 1433) is open for incoming transmissions from the Groove Manager.
4. Define a unique SQL server host name, preferably a fully qualified Domain Name System (DNS) or Internet Corporation for Assigned Names and Numbers (ICANN) name, such as gmssql.contoso.com.
5. Configure the SQL server authentication options to support both SQL Server and Windows Authentication mode (mixed mode). This allows for SQL authentication on the SQL server and Windows authentication on the associated IIS server.
6. Once the Groove Manager is running with your SQL server, as described in the following sections, be sure to back up the Groove Manager databases and log files on the SQL server each day to ensure that sufficient space is maintained on the SQL server for the Groove Manager database and transaction log.
   Note: If the SQL server cannot accommodate the Groove Manager database and transaction log, Groove Manager operations may cease.

When you are finished configuring the SQL storage, communications, and authentication settings, proceed to Setting Up the Groove Manager IIS Server.

See Also: Getting Started with Groove Server Manager

Setting Up the Groove Manager IIS Server

The Groove Manager is a Web-based application accessible by administrators from a Web browser. As such, it relies on Microsoft Internet Information Services (IIS). Therefore, you must configure IIS to support the Groove Manager Web site. You configure IIS on the same Windows server machine where you will install the Groove Manager software. The following section provides guidelines for properly configuring IIS for a Groove Manager.

In this section:
• Configuring IIS for Groove Manager
• Groove Manager Web Site Setup
• Creating a Custom Groove Manager Web Site (optional)

Configuring IIS for Groove Manager

The following sections describe how to set up the Internet Information Services (IIS) to support your Groove Manager installation. The Groove Manager installation process creates a Groove Manager Web site for you, or you can create one yourself prior to installation.

To set up IIS for the Groove Manager:
1. Install a clean version of Windows Server 2003 Standard Edition x64 Edition 1 or later on a clean stand-alone machine. Do not try to install a Groove Manager on a domain controller or a machine where Microsoft Office Groove is installed. Doing so will cause the install process to fail. This IIS machine will house the Groove Manager software, which cannot coexist with the Microsoft Office Groove client. Installing Groove Manager on an existing production Web server falls outside of the scope of the Help; if you choose to do so, consult with a Microsoft Support technician for guidance.
2. To install IIS 6.0 on the Windows Server 2003, open the Windows Control Panel, click Add or Remove Programs, and follow the instructions. Note that the ISAPI extension, gms.dll, that supports the Groove Manager Web site, requires Scripts and Executables to be enabled in IIS. This Windows parameter is set automatically during creation of the default Groove Manager Web site.

The following section describes the directory structure for the Groove Manager Web site files that will be set up in IIS during the Install process.

Groove Manager Web Site Setup

During installation, the Groove Manager software creates a default Web site, installing the necessary files in IIS, or it uses an existing custom Web site that you created in IIS, as described in Creating a Custom Groove Manager Web Site (optional). In either case, the Groove Manager Web site consists of two main parts: a client URL interface, and an administrative user interface. Both the client-accessible entry point (a .dll file) and the directory containing the administrative Web pages reside in the Groove Manager Web site's root directory. The following list describes the main components of the Groove Manager Web site, including the optional Auto-Account Configuration component.

Groove Manager Web Site Component: GMS directory
Description: If you install the full Groove Manager application with both client and administrative interfaces, this directory is created to hold the administrative interface Web pages (.aspx files) and the index.htm file which contains the main entry point to the administrative interface.
Important Notes: Due to the sensitive information available through the administrative interface, you should secure this directory and all of its files with a reliable IIS authentication scheme, as discussed in Securing the Groove Manager Administrative Web Site.

Groove Manager Web Site Component: AutoActivation directory
Description: If you install the full Groove Manager application (with both client and administrative interfaces), this directory is created to support the Groove Auto-Account Configuration/Restoration feature, described in Setting Up Groove Auto-Account Configuration/Restoration.
Important Notes: This directory uses SSL for encryption and is secured using IIS Integrated Windows authentication (formerly called NTLM). The SOAP transactions involved in the Auto-Account Configuration/Restoration process depend on SSL for encryption.

Groove Manager Web Site Component: Aspnet_client directory
Description: This directory is part of the ASP.NET support for Groove Manager.
Important Notes: This directory is installed with ASP.NET.

Groove Manager Web Site Component: gms.dll
Description: This dynamic link library (DLL) is the main entry point for transactions from Groove clients. The Groove Manager URL (that you define during installation) must point to this DLL. This file resides in the Groove Manager root directory of IIS and in the AutoActivation directory.
Important Notes: Groove clients must be able to connect to the gms.dll in the home directory as anonymous users, so the top-level gms.dll file must be accessible from the Internet and must not be secured. Do not set up login authentication for this directory.
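The access rules in the component list above can be checked mechanically once you have recorded how each path answers a request made without credentials. The following is an added example, not part of the Microsoft documentation or product; the URL paths, finding codes, and sample responses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed URL paths for the components listed above; adjust them to the Web
# site the installer (or you) actually created. IIS paths are not case
# sensitive, so comparisons are done in lower case.
ADMIN_DIR = "/gms/"
AUTO_DIR = "/autoactivation/"
CLIENT_DLL = "/gms.dll"

# Schemes IIS advertises when Integrated Windows authentication is enabled.
INTEGRATED = {"negotiate", "ntlm"}

# Hypothetical finding codes used by this example.
MESSAGES = {
    "ADMIN_ANONYMOUS": "administrative pages are served without authentication",
    "AUTO_NO_SSL": "AutoActivation answers or challenges over plain HTTP",
    "AUTO_ANONYMOUS": "AutoActivation is served without authentication",
    "AUTO_NOT_INTEGRATED": "AutoActivation does not offer Integrated Windows auth",
    "CLIENT_BLOCKED": "top-level gms.dll is not reachable anonymously",
}


@dataclass(frozen=True)
class Observation:
    """Response to one request sent WITHOUT credentials."""
    scheme: str                 # "http" or "https"
    path: str                   # request path
    status: int                 # HTTP status code returned
    auth_offered: tuple = ()    # WWW-Authenticate header values, if any


def _offered(obs):
    # ('Negotiate', 'Basic realm="x"') -> {"negotiate", "basic"}
    return {v.split()[0].lower() for v in obs.auth_offered if v.strip()}


def audit(observations):
    """Return (path, finding_code) pairs for responses that break the rules."""
    findings = []
    for obs in observations:
        path = obs.path.lower()
        served = 200 <= obs.status < 300
        if path.startswith(AUTO_DIR):
            if obs.scheme == "http":
                # When SSL is required, plain HTTP is refused; content or a
                # login challenge over HTTP means SSL is not enforced.
                if served or obs.status == 401:
                    findings.append((obs.path, "AUTO_NO_SSL"))
            elif served:
                findings.append((obs.path, "AUTO_ANONYMOUS"))
            elif obs.status == 401 and not _offered(obs) & INTEGRATED:
                findings.append((obs.path, "AUTO_NOT_INTEGRATED"))
        elif path.startswith(ADMIN_DIR):
            if served:
                findings.append((obs.path, "ADMIN_ANONYMOUS"))
        elif path == CLIENT_DLL:
            if obs.status in (401, 403):
                findings.append((obs.path, "CLIENT_BLOCKED"))
    return findings


# Constructed sample: a site where the admin pages and AutoActivation are weak.
SAMPLE_MISCONFIGURED = [
    Observation("http", "/gms.dll", 200),
    Observation("http", "/GMS/index.htm", 200),
    Observation("http", "/AutoActivation/gms.dll", 401, ("Negotiate", "NTLM")),
    Observation("https", "/AutoActivation/gms.dll", 401, ('Basic realm="gm"',)),
]

# Constructed sample: responses that match the component list above.
SAMPLE_EXPECTED = [
    Observation("http", "/gms.dll", 200),
    Observation("https", "/GMS/index.htm", 401, ("Negotiate", "NTLM")),
    Observation("http", "/AutoActivation/gms.dll", 403),
    Observation("https", "/AutoActivation/gms.dll", 401, ("Negotiate", "NTLM")),
]

if __name__ == "__main__":
    for path, code in audit(SAMPLE_MISCONFIGURED):
        print(f"{path}: {MESSAGES[code]}")
```
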

Creating a Custom Groove Manager Web Site (optional)

The Groove Manager install process creates a Groove Manager Web site for you. You need not create one. However, if you are experienced with creating Web Sites in IIS and have specific requirements, follow the guidelines below to create a Groove Manager Web Site that will be used in the Groove Manager installation process:
• When defining your Web site in IIS, follow the directory and file hierarchy described in Groove Manager Web Site Setup.
• Because the Groove Manager Web site depends on active server pages (ASPs), be sure to enable Scripts and Executables in IIS.
• During the Groove Manager installation process, specify the Web site that you created instead of accepting the default option.

Installing Groove Manager

This section describes the process for installing and setting up the Groove Manager. The installation procedure involves defining the Groove Manager, establishing its relationship to the SQL server that will store all administrative data, and creating a Web site for the Groove Manager administrative interface. During this installation, Groove Manager uses your inputs to create a database on your SQL server. The following sections provide installation prerequisites and instructions.
• Before You Begin
• Installing Groove Manager

Before You Begin

To facilitate the installation process, do the following:
• Note the SQL server host name.
• See Setting Up the Groove Manager SQL Server for information about installing the Groove Manager SQL server.
• Note the name of the SQL database to be used for storing Groove Manager data.
• Ensure that you have the necessary SQL login credentials, native SQL or Windows NT-based, with sysadmin permissions.
• Note the certification authority name for the Groove Manager. This must be an official, fully qualified, unique name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN).
• If convenient, configure any onsite Groove Relay servers before configuring the Groove Manager, as described in the administrative Help that accompanies the Groove Relay component of the Office Groove Server.

Installing Groove Manager

This procedure outlines the process for installing and configuring Groove Manager at your site.

To install Groove Manager on the IIS machine:
1. Read Before You Begin in the Installing Groove Manager section.
2. From the Windows server machine where you set up IIS for the Groove Manager Web site, insert the Microsoft Office Groove Server CD into the drive.
3. Select the option to install Microsoft Office Groove Server 2007 Manager. This process will create a Groove Manager installation directory that includes a setup.exe file and a readme.htm file.
4. Follow the Install wizard instructions, entering the product ID key code when prompted. If .NET Framework is not installed, an informational message appears, asking you to install it before proceeding.
5. Click Continue. The Microsoft Software License agreement appears.
6. Read and accept the Microsoft Software License agreement.
7. Click Continue. A window appears displaying the Basic or Advanced install options.
8. Select Basic to install now, or select Advanced to specify more options, as described in the following table, then click Install Now.

Groove Manager Install Option: Basic
Explanation: To install the complete Groove Manager application (including the administrative interface and the Groove client interface of the Groove Manager Web site) in the default installation directory: c:\Program Files\Microsoft Office Servers\12.0\Groove\Groove Management Server

Groove Manager Install Option: Advanced
Explanation: To specify the following options, then install the complete Groove Manager application:
• File location – To specify a Groove Manager installation directory.
• Feedback – To specify whether you want to participate in the Customer Experience Improvement Program. For information about CEIP and its privacy policy, click here.

9. Once the software installation finishes and the Groove Manager Welcome page appears, click Next.
10. Select whether to install Groove Manager alone or Groove Manager with the Auditing capability. For information about Groove Auditing, see Auditing Groove Activity.
11. Click Next. The Groove Manager Database Configuration window appears.
12. Enter your SQL server information, as described in the table below.
13. Have on-hand the SQL server host name, and, if SQL authentication is chosen, your SQL server login name and password. The Groove Manager uses this information to establish a connection to the database server on which the Groove Manager depends for data storage. Make sure that the login name and password have sufficient permissions to allow you to create a database on this server.

Groove Manager Database Configuration Field: Use the Following SQL Server Login
Explanation: Select this check box to specify native SQL server authentication. Clear this option to specify Windows authentication and enter login information.

Groove Manager Database Configuration Field: User Name
Explanation: Appears if 'Use the Following SQL Server Login' is selected. Type the login information for the SQL server. Note: Make sure that the login gives you database creation rights.

Groove Manager Database Configuration Field: Password
Explanation: Appears if 'Use the Following SQL Server Login' is selected. Type a password for the SQL server.

Database Information:

Groove Manager Database Configuration Field: SQL Server Name
Explanation: Type the host name or Internet Protocol (IP) address of your SQL server.

Groove Manager Database Configuration Field: Database Name
Explanation: Type a SQL database name, such as gmsDb. The Installer will create or upgrade this database.

14. Click Next. The Groove Manager Master Password or Groove Audit Server Configuration window appears, depending on your installation selection.
15. If the Groove Audit Server window appears, supply the required information, as described in Auditing Groove Activity, then click Next. The Groove Manager Master Password window appears.
16. Enter and confirm a Master Password for the Groove Manager. If you are upgrading, you enter the existing password and confirmation is not required. This password is used to encrypt critical server data stored on the SQL server, including signature and encryption keys, and passwords.
    Note: Do not lose this password, as it cannot be restored easily. If you lose your password, contact Microsoft Support. You can change the password on the server Properties page after the Groove Manager is installed.
17. Click Next. The Groove Manager Configuration window appears.
18. Enter the required Groove Manager Configuration information, as described in the following table:

Groove Manager Configuration Fields and Explanations

Administrator’s E-mail Address: Type the e-mail address of the administrator who is responsible for Groove Manager operation. This name may be used in the ‘From’ field of default emails to Groove clients.

Organization Name: Type the name of your organization. This name will form the basis of the Groove Manager server name and the initial domain name used in the Groove Manager administrative interface.

URL of Groove Manager Server: Accept the default Universal Resource Locator (URL) for the Groove Manager, or edit the name. The initial default is the IIS machine name. If editing the name, use the format: http:// where is a registered fully qualified DNS or ICANN name of the Groove Manager server. For example: groovemanager.contoso.com. This URL must be accessible from the Internet and the host name must be resolvable into an IP address. If this value is incorrect, Groove clients will not be able to communicate with the Groove Manager. Note: The Groove Manager URL is propagated to all clients in your domain. You should not change this value once the Groove Manager is established; doing so requires that you uninstall and re-install the Groove Manager, then reconfigure all Groove client accounts.

Certification Authority Name: Type the unique official name of your Groove Manager (such as groovemanager.contoso.com). This name will be used as the default Groove PKI Certificate Authority name in your initial domain. The name you enter must meet the following requirements:
• Must be a fully qualified DNS name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN).
• Must be unambiguous and unique. The qualified DNS must describe a third-level domain or higher within your organization. Therefore, it must have at least three text blocks (components) and two dots, one dot (.) separating each section, such as groovemanager.contoso.com where:
  com = Customary DNS generic top-level domain (gTLD) identifier of com for company, net for network, or org for organization.
  contoso = DNS second-level domain, such as your company name.
  groovemanager = DNS third-level domain, such as company branch or department.
If you are registered in a country-code top-level domain (ccTLD), you may need to use at least four components, separated by three dots.

19. Click Next. The Summary window appears.
20. Click Next.
21. Follow the Configuration wizard to the end and click Finish, then Close.
22. The Groove Manager administrative Web site opens. This site is created for you and includes an administrative Web interface that you can access through the URL, http://. Groove clients access this site via the URL that you defined, http:///gms.dll.

23. An initial management domain is also created for you. Associated with the domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a set of default policies that the domain administrator can edit. The certification authority name that you defined applies to this domain. The section, “Configuring an Initial Groove Manager Domain”, describes how to complete initial domain setup.

Once you have installed and set up the Groove Manager, take steps to help secure the Groove Manager Web site, as described in Securing the Groove Manager Administrative Web Site.

See Also: Getting Started with Groove Server Manager

Securing the Groove Manager Administrative Web Site

Like other Web applications, the Groove Manager’s administrative IIS Web interface must be secured against unauthorized access and interference. Controlling network access, instituting a reliable authentication system, configuring SSL, and defining administrative roles for the administrative Web pages are important steps you should take toward securing your administrative environment. The following sections describe measures you can take to secure your Groove Manager’s administrative Web pages.

In this section:
• Controlling Network Access to the Groove Manager Web Site
• Implementing SSL
• Implementing an Authentication System
• Implementing Role-Based Access
• Securing the SQL Server Backend

Controlling Network Access to the Groove Manager Web Site

Once you have installed Groove Manager as described in Installing Groove Manager, take an essential step towards securing it by controlling access to the Groove Manager Web site. The following procedure provides guidelines for configuring network settings.

To configure network parameters to help secure the Groove Manager Web site:
1. Select IIS Manager from the Windows Administrative Tools and navigate to the GMS Website.
2. From the IIS machine, right-click on My Network Places, then select Properties to open the Network Connections window.
3. Right-click on the external connection (network interface card) that you want to edit, then select Properties.
4. Remove or disable the Client for Microsoft Networks component.
5. Remove or disable the File and Printer Sharing for Microsoft Networks component.
6. If the Internet Protocol (TCP/IP) component is not already present and enabled, add and enable it.
7. Select Properties/Advanced, then the Options tab to configure TCP/IP Filtering of Ports to Permit only the following:
• 80 (TCP port for the Groove Manager Web site)
• 443 (SSL port for GMS and Auto-Configuration directories)
• 3389 (optional for Remote Desktop administration)
8. Configure UDP Ports to Permit All.
9. Configure IP Protocols to Permit only the following:
• 6 (TCP)
• 17 (UDP)

Now, set up SSL for the administrative site, as described in Implementing SSL.

See Also: Securing the Groove Manager Administrative Web Site; Getting Started with Groove Server Manager

Implementing SSL

Further secure the administrative side of the Groove Manager Web site with the Secure Socket Layer (SSL) encryption protocol, as described here.

To enable SSL for the Administrative Web pages:
1. Select IIS Manager from the Windows Administrative Tools and navigate to the GMS Website.
2. From the Groove Manager root directory in IIS, right-click and select Properties, select the Directory Security tab, and set up an SSL (X.509) certificate for the Groove Manager Web site using either the Web Server Certificate Wizard and Microsoft Certificate Services, or an outside certification authority (CA). Refer to Microsoft online IIS documentation for Configuring SSL on Servers.
3. If the new Groove 2007 auto-configuration feature is to be used, from the AutoActivate directory, right-click and select Properties, then specify settings to enable SSL and require 128-bit encryption. If the pre-Groove 2007 auto-activation feature is to be used, leave SSL disabled for the AutoActivate directory.

Now, specify an authentication scheme for Groove Manager administrators, as described in Implementing an Authentication System.

See Also: Securing the Groove Manager Administrative Web Site Getting Started with Groove Server Manager

Implementing an Authentication System

Windows Internet Information Services (IIS) supports several authentication schemes for securing IIS Web sites via passwords, smart cards, or SecurID tokens. Authentication options include: Integrated Windows Authentication, Basic Authentication, and Digest Authentication. Of these, Integrated Windows is the strongest and recommended authentication system for the Groove Manager administrative (GMS) Web site. If you prefer, you can implement your own custom login authentication mechanism. Designed to be independent of any specific authentication system, the Groove Manager allows you to choose the one that will properly secure your Groove Manager administrative Web pages.

The following is a sample procedure to guide you in setting up Groove Manager authentication:
1. From the IIS machine, select IIS Manager from Windows Administrative Tools and navigate to the GMS Website.
2. Ensure that authentication for the Groove Manager Web site root is set to Anonymous access, as follows:
a. Right-click the Groove Manager Web site root and select Properties.
b. On the Directory Security tab, set authentication to Anonymous access, and disable all other authentication schemes.
3. Set authentication for the administrative GMS directory of the Groove Manager Web site, as follows:
a. Right-click the GMS directory and select Properties.
b. On the Directory Security tab, set authentication to Integrated Windows authentication, and disable Anonymous access, for strong authentication across your enterprise.
Note: Basic Authentication, which sends unencrypted passwords over the network, and Digest Authentication, which sends hashed passwords over the network, provide weaker protection than Integrated Windows authentication, which utilizes a challenge/response protocol to authenticate users instead of sending credentials over the network.
4. To support Automatic Account Configuration/Restore, set authentication for the GMS Website AutoActivate directory to Integrated Windows authentication and disable all other authentication schemes, including Anonymous access.
5. Configure IIS logon accounts (local or domain logons as needed) for Groove Manager administrators.
6. On the SQL machine, configure the SQL server authentication options to support both SQL Server and Windows Authentication mode (mixed mode). This allows for SQL authentication on the SQL server and Windows authentication on the associated IIS server.

Once an administrator logs into the administrative Web interface as required by the chosen authentication system, access within the site can be controlled by defining administrator roles. To enable Role-based access control, see Implementing Role-Based Access.
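One way to confirm the result of this procedure is to request each directory without credentials and compare the reply with the intended layout. The script below is an added example, not part of the Groove documentation: it audits captured response heads, and the URL paths `/gms/` and `/AutoActivate/` are assumptions, since the page names the directories but not their URLs. It relies on IIS answering 403 to plain HTTP when a directory is set to require a secure channel.

```python
"""Check captured, unauthenticated HTTP responses against the per-directory
authentication layout from the procedure above (added example)."""

INTEGRATED = {"negotiate", "ntlm"}   # challenges sent for Integrated Windows auth
WEAK = {"basic", "digest"}           # schemes the procedure says to disable

# Expected layout. The URL paths are assumptions: the page names the
# directories (site root, GMS, AutoActivate) but not their URLs.
# require_ssl on AutoActivate applies to Groove 2007 auto-configuration.
POLICY = {
    "/":              {"auth": "anonymous",  "require_ssl": False},
    "/gms/":          {"auth": "integrated", "require_ssl": False},
    "/AutoActivate/": {"auth": "integrated", "require_ssl": True},
}


def parse_response(raw):
    """Return (status code, set of lower-cased WWW-Authenticate schemes)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    schemes = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.add(value.split()[0].lower())
    return status, schemes


def audit_probe(path, scheme, raw):
    """Compare one captured response with POLICY; return a list of findings."""
    rule = POLICY[path]
    status, offered = parse_response(raw)
    if rule["require_ssl"] and scheme == "http":
        # A directory that requires a secure channel refuses plain HTTP (403).
        if status != 403:
            return [f"{path}: answered {status} over plain HTTP, SSL is not enforced"]
        return []
    if rule["auth"] == "anonymous":
        if status == 401:
            return [f"{path}: asks for credentials, expected Anonymous access"]
        return []
    if status != 401:
        return [f"{path}: expected a 401 challenge, got {status}; "
                "Anonymous access may still be enabled"]
    findings = []
    for weak in sorted(offered & WEAK):
        findings.append(f"{path}: offers {weak} authentication, which should be disabled")
    if not offered & INTEGRATED:
        findings.append(f"{path}: no Negotiate/NTLM challenge, Integrated Windows is off")
    return findings


def audit(probes):
    """Run audit_probe over (path, scheme, raw response head) tuples."""
    findings = []
    for path, scheme, raw in probes:
        findings.extend(audit_probe(path, scheme, raw))
    return findings


# Constructed captures (not from a real server): response heads as a tool
# such as curl -i would show them for requests sent without credentials.
SAMPLE = [
    ("/", "http", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("/gms/", "https",
     "HTTP/1.1 401 Unauthorized\r\n"
     "WWW-Authenticate: Negotiate\r\n"
     "WWW-Authenticate: NTLM\r\n"
     "WWW-Authenticate: Basic realm=\"gms\"\r\n"),
    ("/AutoActivate/", "http",
     "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"),
    ("/AutoActivate/", "https", "HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The constructed sample yields three findings: Basic still offered on the GMS directory, AutoActivate reachable over plain HTTP, and AutoActivate answering without a challenge over HTTPS.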

See Also: Securing the Groove Manager Administrative Web Site Getting Started with Groove Server Manager

Implementing Role-Based Access

To control access to the Groove Manager administrative Web site, you must enable Role-Based Access Control (RBAC) on the Groove Manager. Enabling RBAC requires that you establish yourself as the Groove Manager server administrator. RBAC lets you specify who can access the Groove Manager administrative interface and which tasks they can perform. Omitting this step leaves the entire Groove Manager administrative interface open for viewing and modification by anyone who learns the login credentials. For more information about RBAC, see About Role-Based Access Control.

To define an initial administrator role and enable role-based access control:
1. Make sure that you set up an authentication system for the Groove Manager directory in IIS, as described in Implementing an Authentication System. Otherwise, RBAC cannot effectively safeguard the Groove Manager’s administrative interface.
2. Start the Groove Manager from Internet Explorer, as described in Accessing Groove Manager's Administrative Web Site.
3. Select the Groove Manager from the left navigation pane. The Groove Manager page appears.
4. Click the Roles tab.
5. From the Groove Manager Roles tab, select Add Administrator in the toolbar. The Add Administrator page appears. For reference, this page displays the name that you used to log in to the Groove Manager administrative Web site.
6. In the Name field, enter the exact login name (in this initial case, your login name) that the administrator will use to log in to the Groove Manager Web site, as defined by your authentication system.
Note: Make sure that the administrator name that you specify exactly matches the login name used by your Web site authentication scheme, or you will not have any privileges on the Groove Manager after RBAC is enabled.
7. From the Scope drop-down menu of the Groove Manager, listing server and domain names defined on this machine, select Groove Server Manager.
8. Click the Add button. The selected Groove Server Manager name appears in the Assigned Scopes scrolling list, and the role of Server Administrator appears under Assigned Roles Within Select Scope. Select this role by selecting the check box. Later, if you enter a domain as the scope for an administrator name, selecting that domain in the Assigned Scopes displays a list of Assigned Roles options that you can select. Note that at least one administrator must be assigned the Scope of and the Role of Server Administrator.
9. Click OK to accept the server name and Server Administrator role. This enters your name as the first administrator in the name list on the front page of the Roles tab and gives you, as Server Administrator, management access to all Groove Manager fields. You cannot remove this role. However, if you assign another administrator to the Server Administrator role, that administrator can edit your role.
Note: You must be logged into the Groove Manager Administrative Web site using the account that you created as Server Administrator before you can select the option to enable role-based access control.
10. From the Groove Manager Roles page, select the option, ‘Enable role-based access control’. This allows only those administrators listed in the Name list to access the Groove Manager.
Note: If you do not turn on Enable role-based access control, anyone who accesses the Groove Manager’s administrative site will have full access to all administrative fields and pages on the site.
11. Click OK.
Note: You can add only one administrator at a time in the Add Administrator dialog box. To add another, select Add Administrator in the toolbar again.

When you have completed the above measures to help secure your Groove administrative Web site, proceed to Configuring and Securing SMTP for Groove Manager.

See Also: Securing the Groove Manager Administrative Web Site; Getting Started with Groove Server Manager

Securing the SQL Server Backend

The Groove Manager stores data in a SQL Server database, which is installed on a separate machine from the IIS front end. To maximize security protections, the SQL Server should be isolated behind a port-restricted and IP address-restricted firewall. It should always have the latest Critical Update Package and Security Rollup installed. As with any enterprise server, your first line of protection is a securely configured network and operating system. Follow the standards in place at your organization for safeguarding corporate data resources and refer to the guidelines for best practices in Security Planning for Groove Manager.

Note: Remember to configure the SQL server authentication options to support both SQL Server and Windows Authentication mode (mixed mode). This allows for SQL authentication on the SQL server and Windows authentication on the associated IIS server.

See Also: Securing the Groove Manager Administrative Web Site; Getting Started with Groove Server Manager

Configuring and Securing SMTP for Groove Manager

To enable the Groove Manager to send account configuration and password reset e-mail to Groove clients, you must configure the IIS Simple Mail Transfer Protocol (SMTP) virtual server. While the Groove Manager does not require many special e-mail settings, you still need to configure security settings, as indicated in the procedure below.

To configure the IIS SMTP virtual server to deliver e-mail via your enterprise’s SmartHost:
1. Open Internet Information Services on the Groove Manager machine.
2. Right-click on Default SMTP Virtual Server and select Properties. The Default SMTP Virtual Server Properties page appears.
3. Click the Delivery tab.
4. Click the Advanced button.
5. In the Host name field, enter the fully qualified domain name in the form .domain.com.
6. In the SmartHost field, enter the name of the SMTP server that will be used for mail routing in the form, domain.com, then click OK.
7. Secure the SMTP environment as follows:
• Configure the SMTP virtual server not to accept external connections (allowing only connections from itself, LocalHost).
• Set Access\Relay restrictions on the virtual SMTP server as follows:
  > Set to Only the list below: Granted 127.0.0.1 (localhost).
  > Clear the ‘Allow all computers...’ check box.
• Set Access\Connection control on the virtual SMTP server as follows:
  > Set to Only the list below: Granted 127.0.0.1 (localhost).
  > Enable logging and define a Logfiles drive.

Upon successful completion of the installation procedures, the Groove Manager should be ready for domain administration, described in the Groove Manager Domain Administration portion of the Help. The Domain Administration portion of the Help provides instructions for defining groups in a management domain, setting domain policies, defining domain relay servers, and adding users and devices to a domain.

When you have configured the SMTP environment as recommended, proceed to Accessing Groove Manager's Administrative Web Site.

See Also: Getting Started with Groove Server Manager

Accessing Groove Manager's Administrative Web Site

You access the Groove Manager administrative Web site via a URL, as described in this section.

In this section:
• Accessing Groove Manager's Administrative UI
• Groove Manager Administrative UI Overview
• Getting Help with Groove Manager
• Setting Administrative Preferences for Groove Manager
• Changing the Language of Groove Manager Administrative Web Pages

See Also: Getting Started with Groove Server Manager

Accessing Groove Manager's Administrative UI

When you finish installing the Groove Manager software, go to the administration Web site to configure Groove Manager settings. You can access the Groove Manager administrative Web site from any PC, using the login authentication system that you established for the site.

To access the Groove Manager administrative user interface (UI):
1. From an administrative PC, open an Internet Explorer (IE) browser that meets the requirements specified in Software Requirements for Groove Manager.
2. Enter the URL for your new Groove Manager site (typically, http://). Depending on your authentication system, a login window may appear.
3. If asked to log in, enter the Web site login information required by your authentication system. The Groove Manager home page appears, as described in Groove Manager Administrative UI Overview.

When you are ready, proceed to Securing the Groove Manager Administrative Web Site, for information about securing the Groove Manager site.

See Also: Getting Help with Groove Manager; Setting Administrative Preferences for Groove Manager; Changing the Language of Groove Manager Administrative Web Pages; Accessing Groove Manager's Administrative Web Site; Getting Started with Groove Server Manager

Groove Manager Administrative UI Overview

The Groove Manager administrative Web interface comprises a navigation pane on the left, and a main window. The navigation pane displays the Groove Manager server name along with an initial management domain automatically created for you. The Web page has the following characteristics:
• Main window - Reflects the current selection in the navigation pane, and includes a set of tabs. When the management server is selected, a set of domain tabs appears, where you access Groove Manager server administration tasks, as summarized in the table below.
• Toolbar - Appears at the top of the main window and displays icons appropriate for the task being performed on the current tab.
• Navigation tree - Appears in the left pane and displays the management domains, groups, policy templates, and relay server sets defined on this server.

Server Tabs and Descriptions

Reports: Allows you to view Groove audit log reports, as described in Monitoring Groove Manager.

Domains: Allows you to add and delete management domains, as described in Adding and Managing Groove Domains.

Roles: Allows you to add, edit, and delete administrator roles as described in Managing Administrative Roles in Groove Manager.

Directory Integration: Allows you to integrate an LDAP-based directory server of user information with the Groove Manager, providing that a directory server is installed at your site, as described in Defining a Directory Server on Groove Manager.

See Also: Accessing Groove Manager's Administrative Web Site Getting Started with Groove Server Manager

Getting Help with Groove Manager

To get help using the Groove Manager, follow these guidelines:
• Click the Help link in the upper left of a Groove Manager administrative Web page to display online Groove Manager Help.
• For Groove Manager server-level information, see the Groove Manager Administration portion of the Help.
• For domain-level information, see the Groove Manager Domain Administration portion of the Help.
• The Readme file included with the Groove Manager product provides late-breaking information.

See Also: Accessing Groove Manager's Administrative Web Site; Getting Started with Groove Server Manager

Setting Administrative Preferences for Groove Manager

You can change administrative Web page preferences (such as setting a start page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

To edit administrative preferences:
1. Go to the Groove Manager administrative Web interface and click the Preferences link in the top left side of the current page. The Start Page window appears with an image of your navigation tree.
2. To change the default number of Display items that appear on any list page, select a number in the Default number of items to display drop-down box. The initial default setting is to display 25 items per page.
3. To select a start page, select an item from the Start Page tree.
4. Click OK. Your changes take effect immediately. This page will open the next time you log into the Groove Manager Web site.

See Also: Accessing Groove Manager's Administrative Web Site Getting Started with Groove Server Manager

Changing the Language of Groove Manager Administrative Web Pages

Administrators can change the language of the Groove Manager administrative interface by using their browser’s language setting, providing that the Groove Manager supports the browser-set language. The Groove Manager’s supported display language depends on the following factors:
• The language of the Groove Manager installation.
• Any language packs added to the Groove Manager system.
• The browser setting on the administrative PC used to access Groove Manager.

If a browser-selected language is not available on the Groove Manager server as an installation language or language pack, a default language is used, generally the language in which Groove Manager was installed.

Once you can access the administrative Web pages, proceed to Configuring an Initial Groove Manager Domain.

See Also: Accessing Groove Manager's Administrative Web Site; Getting Started with Groove Server Manager

Configuring an Initial Groove Manager Domain

A management domain contains groups of Groove users and devices that the domain administrator places under domain management. Associated with each new domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a private key for password/smart card login reset and data recovery. Customizable usage and security policy templates, and Groove Relay server sets apply to groups in the domain.

Management domains are independent and secure from each other. However, if Groove PKI authentication is in effect at an organization, domain administrators can use the Groove Manager interface to export the domain certificate to other domains, either within the organization or on a Groove Manager at another organization, to establish a trust relationship with those domains (cross-domain certification). See the Groove Manager Domain Administration portion of the Help for information about setting up cross-domain certification.

The Groove Manager installation process supplies an initial management domain, with Groove PKI specified as the identity authentication mechanism. The initial domain name is based on the Organization that you entered during Groove Manager installation. The initial domain setup page typically appears on the screen following Groove Manager installation, requiring you to supply some basic information in the blank fields. Once you finish configuring the domain, it is ready for domain-level administrators to populate it with Groove users.

Note: If you have engaged Groove Enterprise Services to provide Groove Manager functionality, initial domain creation and administrator role assignment occurs during product registration.

To configure the initial Groove management domain:
1. Start the Groove Manager from Internet Explorer, as described in Accessing Groove Manager's Administrative Web Site.
2. Click the domain in the left navigation pane to display the domain setup window, then accept or edit the value in the Domain Name field. The name for this initial management domain is supplied automatically during the Groove Manager installation process and configurable by administrators.
3. If necessary, add a domain description in the Description field.
4. Enter a valid e-mail address of a contact administrator. Note that Groove Public Key Infrastructure (PKI) is the selected mechanism for certifying member identities in this initial domain; the Identity Authentication Setting is not configurable for this domain. If you prefer to use a PKI implementation already in place at your enterprise, you can create another domain from the Domains tab, as described in Adding a Groove Management Domain.
5. Select whether to complete password reset setup now, or to allow a domain administrator to supply this information (by clicking Members, under the domain in the left navigation panel). You can define domain administrators from the Domains tab, as described in Managing Administrative Roles in Groove Manager.
6. If you chose to supply the password reset information now, accept or edit the Password or Smart Card Reset Setup options as necessary. Note that you or another administrator must finish configuring the domain in order to add domain members. For more information about Groove password reset and data recovery, see About the Password/Smart Card Reset Private Key.
7. Click OK.

Next, set up the SMTP environment for the Groove Manager, as described in Configuring and Securing SMTP for Groove Manager.

See Also: Getting Started with Groove Server Manager

Utilizing Onsite Directories of User Information

If your organization maintains an LDAP-based directory server of user contact information, you can incorporate in-house user directories with the Groove Manager to facilitate Groove management. Integrating a corporate directory with the Groove Manager is recommended and offers the following benefits:
• Facilitates the process of entering user contact information into management domains.
• Allows for automatic configuration (and restoration) of managed Groove accounts.
• Facilitates the process of migrating members of a Groove Enterprise Services (or other) domain to an onsite domain.
• Facilitates the use of external enterprise PKI for domain member authentication, providing that the directory is properly configured with valid PKI certificates to be used for Groove identity authentication.

For information about sharing LDAP-based directories with the Groove Manager, see Defining a Directory Server on Groove Manager.

See Also: Getting Started with Groove Server Manager

Deploying Groove on Client Devices

In small enterprises, the Microsoft Office Groove application can be installed and configured on individual client devices. But a more efficient way to deploy Groove, especially in larger enterprises, is to use the Office Customization tool, available with the Office Resource kit, and the Microsoft Systems Management Server (SMS) or other compatible centralized deployment software.

Once Groove is installed on client devices, users must enter the account configuration codes sent to them by domain administrators to make them managed members of a domain. Or, you can automate the account configuration process by utilizing the Groove Manager’s Auto-Account Configuration feature (see “Setting up Groove Auto-Account Configuration/Restoration”). With the automated option, which is recommended for large-scale deployment, users can start Groove for the first time without needing to process configuration codes, and can immediately use their managed identities to participate in workspaces.

See Also: Getting Started with Groove Server Manager

Setting Up Groove Auto-Account Configuration/Restoration

Automatic Groove account configuration and restoration is the recommended approach to configuring Groove on client devices in corporate environments. To support this capability the Groove Manager associates the Windows login names of Groove users with their managed member information, imported to a Groove Manager domain from an Active Directory database. Users do not need to enter an account configuration code in order to start Groove for the first time; Groove starts up automatically. If a user starts Groove for the first time without having configured an account previously, the new account creation process begins. If a user starts Groove without an account and a valid backed-up account exists, Groove will restore that account.

Auto-account configuration and restoration depends on a correctly configured Windows intranet environment using IIS Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication). For information about extending this capability beyond your intranet, consult a Microsoft Support technician.

Note: If you are integrating Groove Manager with Active Directory databases, be sure to enable the automatic account configuration feature to ensure smooth integration and Groove 2007 deployment.

The Groove Auto-Account Configuration feature supersedes the device-management-based Auto-Activation feature available with Groove Manager version 3.1, but the older Auto-Activation feature is still supported for environments that include earlier (pre-Groove 2007) client versions. Instructions for each method (both, optional) appear in the following section.

In this section:
• Enabling Auto-Account Configuration/Restoration
• Setting Up Groove Auto-Activation

Enabling Auto-Account Configuration/Restoration

Auto-Account Configuration expedites Groove 2007 deployment in your enterprise. It also facilitates restoration of backed-up Groove accounts, and allows you to use the Automatic Domain Migration facility, described in “Automatically Migrating Users to Another Domain”. If you are integrating an LDAP-compliant directory server with Groove Manager to support a community of Groove 2007 users, the automatic account configuration/restoration feature is highly recommended.

Before you begin, make sure that your Groove management setup meets the following requirements:
• Office Groove 2007 should be installed on Windows XP Pro devices.
• Groove client devices must be joined to a Windows network domain.
• Office Groove Server 2007 Manager must be installed on your network, as described in Installing Groove Manager.
• The Groove Manager server must be joined to the same Windows network domain as Groove clients. This domain must be set up to authenticate users to the same directory that supports Groove Manager directory integration.
• Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication) must be configured on the Groove Manager IIS server. Refer to Microsoft documentation for information on configuring IIS Integrated Windows authentication environments.
• Groove client devices must be able to successfully authenticate with the Groove Manager IIS server that is set up to use Windows Authentication for auto-account configuration.
• The AutoActivate directory on the Groove Manager IIS server must support SSL.
• An onsite Active Directory server of user information must be integrated with the Groove Manager, as described in Defining a Directory Server on Groove Manager.

If your setup does not meet these requirements, the Auto-Account Configuration cannot function. The auto-activation procedure, described in Setting Up Groove Auto-Activation, is an alternative. When requirements are met, follow the instructions in this table.

To enable automatic Groove account configuration or restoration:

1. From the Groove Manager, go to the Identity Policy template assigned to the relevant domain group, and verify that the Member Policy for scheduling Groove account backup is enabled. For more information about account backup and restoration, see “Backing Up and Restoring Groove User Account Data” in the Groove Manager Domain Administration portion of the Help.
2. Update the registries of Groove client devices. The recommended method for accomplishing this is to use an Active Directory Group Policy Object (GPO), as follows:
   a. Locate the administrative template file, Groove.ADM, in the Microsoft Office Resource Kit toolbox (ork.exe). This file contains the required GPO. For download and other information about the toolkit, click here.
   b. Customize the ‘ADM’ to include the auto-account configuration DNS name for your Groove Manager server. Groove device registries will be updated with the following key:
      HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\Groove\Manager\
      where is the fully qualified DNS name of the Groove Manager IIS server to be used for auto-account configuration.
   c. Copy the .ADM file to your Windows network’s Primary Domain Controller (PDC) for distribution to Groove devices.
   d. Use the Windows Group Policy snap-in to distribute the policy to Groove devices.
3. On the IIS machine that hosts both the Groove client and administrator Web sites, use IIS Manager to do the following:
   a. Ensure that NTLM authentication is enabled for the AutoActivate directory.
   b. Configure the Groove Manager AutoActivate directory for ‘Secure communications’ by applying a Web server SSL certificate to the Web site, and for the AutoActivate directory, select the ‘Directory Security Tab/Edit/Require secure channel (SSL)’ option.
4. Import Groove user contact information from your onsite Active Directory server into the Groove Manager, as described in Defining a Directory Server on Groove Manager. Note that each user entry must include a valid e-mail address in order for auto-account configuration/restoration to function.
   Note: Auto-account configuration is available only to users with a ‘pending member’ status on the Groove Manager domain Members page. Auto-account restoration is available only to users with an ‘active member’ status.
5. Test your auto-account configuration setup as follows:
   a. On a client device on which no previous account configuration has been attempted, start Groove for the first time. The Account Configuration Wizard opens and a dialog box appears displaying a new Groove account name and password setup fields.
   b. Enter a new Groove password (or smart card, depending on domain device policy), confirm it, enter a hint, if desired, and optionally select the option to remember the password.
   c. Click Finish to log in to the newly configured account.
6. Test your auto-account restoration setup as follows:
   a. Confirm that the member account was backed up by checking the management domain’s Member Activity report on the Groove Manager.
   b. On a client device on which no previous account configuration has been attempted, start Groove for the first time. If a backed-up account exists, a login window for the user’s restored account appears.
   c. Log in to the restored account.

The Groove Manager compares the user’s authenticated login information with the imported Active Directory server account name and if the information corresponds, the Groove account will be auto-configured or a backed-up account will be restored on the client device. The user will be a member of the associated Groove management domain. Note that account restoration restores the managed member; it does not manage or register the client device with the Groove domain.

See Also:
• Setting Up Groove Auto-Account Configuration/Restoration
• Getting Started with Groove Server Manager

Setting Up Groove Auto-Activation

If you must support environments that include earlier (pre-Groove 2007) client versions, you can use the Groove Manager Auto-Activation feature to automatically activate managed user accounts. Once you have set up Groove devices and registered them with the Groove Manager, as described in the following procedure, the Groove Manager will rely on managed users’ Microsoft Windows domain login credentials to associate Groove users with domain member information defined in its database. Users will not need to enter an activation key. Note that this auto-activation feature does not restore backed-up accounts.

The term ‘activation’ is used here only to describe this previously existing feature; its meaning does not equate to the meaning of the term as used in Office Groove or other applications in the Office suite. For information about using the Auto-Account Configuration feature to automatically activate managed user accounts, see Enabling Auto-Account Configuration/Restoration.

Before you begin, make sure that your Groove management setup meets the following requirements:
• Groove 3.0 or later must be installed on user devices that will be registered with the Groove Manager, as managed devices.
• Groove client devices must be joined to a Windows network domain.
• Groove Manager 3.0 or later must be installed and configured on your network, as described in the Installing Groove Manager section of this guide.
• The Groove Manager 3.0 or later must be joined to the same Windows network domain as Groove clients. This domain must be set up to authenticate users to the same directory that supports Groove Manager directory integration.
• Windows authentication (NTLM) must be configured on the IIS front end of the server that will be the Groove Manager server. Refer to Microsoft documentation for information on configuring IIS Integrated Windows authentication environments.
• Groove client devices must be able to successfully authenticate with the Groove Manager IIS server that is set up to use Windows Authentication for auto-account configuration.
• An onsite Active Directory server of user information must be integrated with the Groove Manager, as described in Defining a Directory Server on Groove Manager.

To enable Groove Auto-Activation:

1. Import Groove user contact information from your onsite Active Directory server into the Groove Manager, as described in Defining a Directory Server on Groove Manager. Note that each user entry must include a valid e-mail address in order for auto-account configuration/restoration to function.
2. On the IIS machine that hosts the Groove Manager client and auto-activation, secure the AutoActivate/gms.dll file by enabling Integrated Windows Authentication as the only authenticated access. The AutoActivate directory is provided by the Enterprise Management Server during full EMS installation (including the client and administrative interfaces). Anonymous access to the AutoActivate directory is not permissible.
3. Configure Groove client devices, as follows:
   • Install Groove 3.0 or higher.
   • Register client devices with a Groove Manager domain (the domain that contains any Groove Manager accounts that you imported from a directory server). See “Registering User Devices with the Groove Manager” in the Groove Manager Domain Administration portion of the Help for information about registering devices in a domain.
   • Update the Windows registry with the following AutoActivate setting:
     HKEY_LOCAL_MACHINE\Software\Groove Networks, Inc.\Groove\ManagementDomain\
     "AutoActivate"=dword:00000001
4. Test the auto-account configuration/restoration feature on a Groove client as follows:
   a. Log in to a Windows domain (not the LOCAL machine).
   b. Start Groove for the first time on a clean device (on which no previous automatic configuration has been attempted). A dialog box appears displaying a Groove account name and prompting for a password.
   c. Enter a new Groove password (or smart card, depending on domain device policy).

If the Windows authentication check passes on the Groove client, the Groove Manager checks the account name, comparing the Windows client logon name with the imported Active Directory server account name in Groove Manager. If these checks succeed, the new Office Groove account will be auto-configured (activated) on the client device. Both the user and device will be members of a Groove management domain.

See Also:
• Setting Up Groove Auto-Account Configuration/Restoration
• Getting Started with Groove Server Manager
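The IIS settings that the two procedures above require for the AutoActivate directory (NTLM enabled plus ‘Require secure channel (SSL)’ for auto-account configuration; Integrated Windows Authentication as the only access method, with no anonymous access, for Auto-Activation) can be checked against the directory's AuthFlags and AccessSSLFlags metabase values. The following is an added example, not code from this guide or from Microsoft; the function names, the mode labels and the sample flag values are assumptions constructed for illustration.

```python
"""Audit IIS authentication/SSL flags for the Groove Manager AutoActivate directory.

Added example (not Microsoft code). Inputs are the integer AuthFlags and
AccessSSLFlags metabase properties of the AutoActivate directory; exporting
them from IIS is left to the administrator (assumption).
"""
from typing import List, NamedTuple

# Bits of the IIS metabase AuthFlags property.
AUTH_ANONYMOUS = 0x01
AUTH_BASIC = 0x02
AUTH_NTLM = 0x04  # Integrated Windows authentication
AUTH_DIGEST = 0x10
AUTH_PASSPORT = 0x40
AUTH_NAMES = {
    AUTH_ANONYMOUS: "Anonymous",
    AUTH_BASIC: "Basic",
    AUTH_NTLM: "Integrated Windows",
    AUTH_DIGEST: "Digest",
    AUTH_PASSPORT: "Passport",
}
# Bit of the AccessSSLFlags property set by "Require secure channel (SSL)".
ACCESS_SSL = 0x08

# Hypothetical labels for the two procedures described in the guide.
MODES = ("auto-account", "auto-activation")


class Finding(NamedTuple):
    severity: str  # "FAIL" = contradicts the guide, "WARN" = worth reviewing
    message: str


def enabled_schemes(auth_flags: int) -> List[str]:
    """Names of the authentication schemes switched on in an AuthFlags value."""
    return [name for bit, name in sorted(AUTH_NAMES.items()) if auth_flags & bit]


def audit_autoactivate(auth_flags: int, ssl_flags: int, mode: str) -> List[Finding]:
    """Compare the directory's flags with the guide's requirements for `mode`."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    findings = []
    if not auth_flags & AUTH_NTLM:
        findings.append(Finding("FAIL", "Integrated Windows authentication is disabled"))
    anonymous = bool(auth_flags & AUTH_ANONYMOUS)
    if mode == "auto-activation":
        # Legacy procedure: Integrated Windows auth only, no anonymous access.
        if anonymous:
            findings.append(Finding("FAIL", "Anonymous access is enabled"))
        extra = enabled_schemes(auth_flags & ~(AUTH_NTLM | AUTH_ANONYMOUS))
        if extra:
            findings.append(Finding("FAIL", "Other schemes enabled: " + ", ".join(extra)))
    else:
        # Groove 2007 procedure: NTLM enabled and SSL required on the directory.
        if not ssl_flags & ACCESS_SSL:
            findings.append(Finding("FAIL", "'Require secure channel (SSL)' is not set"))
        if anonymous:
            # Not stated in the guide for this mode: IIS tries anonymous access
            # first, so the client may never be asked for Windows credentials.
            findings.append(Finding("WARN", "Anonymous access is also enabled"))
    return findings


# Constructed sample values, not taken from a real server.
SAMPLES = {
    "NTLM only, SSL required": (0x04, 0x08),
    "anonymous + NTLM, no SSL": (0x05, 0x00),
    "anonymous + basic + NTLM, SSL required": (0x07, 0x08),
}

if __name__ == "__main__":
    for label, (auth, ssl) in SAMPLES.items():
        for mode in MODES:
            result = audit_autoactivate(auth, ssl, mode)
            print(f"{label} [{mode}]: {enabled_schemes(auth)}")
            for finding in result or [Finding("OK", "meets the guide's requirements")]:
                print(f"  {finding.severity}: {finding.message}")
```

An empty result means the flags match what the guide asks for in that mode; it says nothing about certificate validity or NTFS permissions on the directory.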

Viewing and Editing Groove Manager Server Properties

The Groove Manager server properties page allows you to change the administrative contact e-mail address and change the Groove Manager Master Password.

To view or edit Groove Manager server Properties:

1. Go to the Groove Manager administrative Web site and select the server in the left navigation pane. A set of server tabs appears.
2. Click Server Properties in the tool bar. A Groove Manager Properties window appears.
3. To change the administrative contact e-mail address, edit the E-mail field. The default is the managing administrator's e-mail address, supplied during installation.
4. To change the Groove Manager Master Password, enter the old and a new password in the appropriate fields. The Master Password is used to encrypt critical server data stored on the SQL server, including signature and encryption keys, and passwords.
   Note: Do not lose this password, as it cannot be restored easily. If you lose your password, contact Microsoft Support. You can change the password on the server Properties page after the Groove Manager is installed.
5. Click OK.

See Also:
• Getting Started with Groove Server Manager

Upgrading Groove Manager

The procedure for upgrading a 3.0 or later version of the Groove Manager to the current version is similar to that described previously for installing a new Groove Manager application, once you take the necessary measures to back up your data.

Note: Groove Manager 2.5 cannot be directly upgraded to Groove Manager 2007.

To upgrade the Groove Manager from version 3.0 or later, follow these steps:

1. Back up the Groove Manager database that resides on the SQL server.
2. Back up your existing version of the Groove Manager if you do not have access to the original installation CD.
3. Back up the existing Groove Manager entries in the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Groove\ManagementServer
4. Shut down the Groove Manager Web site from IIS.
5. Run the installation for the new version of the Groove Manager. This will upgrade the existing version. See Installing Groove Manager for details about the installation.
6. When the installation is complete, reboot the Groove Manager server.

You should now be able to run the upgraded Groove Manager as usual, with your settings and data intact.

See Also: Getting Started with Groove Server Manager

Uninstalling Groove Manager

To uninstall the Groove Manager, use Add/Remove Programs from the Windows Control Panel. If you encounter problems during uninstall or re-install, contact a Microsoft Support technician.

See Also:
• Getting Started with Groove Server Manager

5. IV. Getting Started with Groove Management Domains

The Groove Server Manager, subsequently called Groove Manager, enables you to set up a system for effectively managing the use of Microsoft® Office Groove® in an enterprise. The following section provides preliminary and instructional information for setting up a Groove domain.

In this section:
• Overview of Groove Management Domains
• Before You Begin Working with Groove Management Domains
• Accessing the Administrative Web Site in Groove Manager
• Setting Up a Groove Management Domain

Overview of Groove Management Domains

Clicking the name of a fully configured domain in the navigation pane of the Groove Manager administrative Web interface displays tabs where you perform basic domain-level tasks, as described in the table below:

Domain Tabs | Descriptions | See:
Reports | Allows you to view Groove usage reports for domain members, workspaces, and tools. | Viewing Groove Domain Reports
E-mail | Allows you to add, edit, and delete domain e-mail templates. | Adding, Editing, and Deleting E-mail Templates
Roles | Allows you to configure domain-level administrator roles. | Editing Domain Administrator Roles

In this section:
• Groove Management Domain Architecture
• Groove Management Domain Functionality

Groove Management Domain Architecture

The fundamental administrative unit of a Groove Manager installation is a management domain, typically named after the organization (such as Contoso Corporation) or, if multiple domains are required, a division (such as Contoso, Northeast). Each management domain consists of a collection of Groove user identities, devices, policies, and managed relay server information, assembled and defined by the domain administrator. A domain can be divided into groups (such as a Sales group, Finance group, and so on). Each group contains a separate collection of user identity information, policies, and relay server information.

Groove Manager server administrators create domains. Each domain has one top-level group, within which you can add other groups and subgroups. Adding Groove user information to domain groups makes them domain members. If a server administrator has not completed domain configuration, domain administrators are prompted to provide the necessary information before they can add domain members.

The Groove Server Manager administrative interface is the interactive component of the server Web site. From this interface, administrators can manage Groove users within a management domain, set Groove usage and device policies, and assign relay servers within the organizational unit of a management domain. The management domain is defined during Groove Manager installation or Groove Enterprise Service registration and is accessible from a Web browser.

The Groove Manager’s domain administration interface consists of a navigation pane, a display window, and a set of tabs and tools that lets administrators perform tasks associated with a selected item in the navigation tree. The navigation tree consists of the elements described in the following table:

Navigation Tree Hierarchy | Description
Domain | Management domain defined on the server. A domain consists of member groups, policy templates, and relay server sets.
Member groups and subgroups | Pages for creating member groups and for creating, editing, or deleting domain member contact information.
Identity Policy Templates | Pages for adding, editing, and deleting collections of identity policies, including: • Domain Member policies • Security policies
Device Policy Templates | Pages for adding, editing, and deleting collections of device policies, including: • Groove Account policies • Client policies • Security policies • Audit Server policies (onsite installations only)
Relay Server Sets | Pages for adding, configuring, and removing sets of relay servers.
Legacy License Management (for Groove 3.1 or earlier) | For version 3.1 or earlier Groove clients only. Pages for adding, configuring, and removing sets of licenses. These pages appear only if the option to support version 3.1 (and earlier) client licensing is selected on the Domain Properties page.

At the administrative level, user identities, devices, and policies are fundamental elements of Groove management, as described here.

In this section:
• Managed User Identities and Devices
• Identity and Device Policies

Managed User Identities and Devices

A managed Groove user is one who is subject to Groove usage and security policies, and assigned to managed relay servers. Administrators define managed users by entering their identity information in a domain that has been defined via the Groove Manager, and then send Groove account configuration codes to the prospective domain members. Each Groove configuration code uniquely relates a prospective domain member with the corresponding pending identity information in the domain. Once user account configuration codes are entered in Groove, Groove uses the associated identity information to create a managed identity for each user. The user then becomes a domain member, is subject to domain policies and is directed to a sequence of relay servers defined for the domain.

Groove Manager provides a central directory which lists management domain identity information - contacts within the organization - so that fellow employees can easily find each other.

Associated with each Groove identity is at least one device – the primary device on which the user is running Groove. User devices can also be managed, so that device-based Groove usage and security policies can be enforced. Applying a Groove Manager device management registry setting to a device makes it managed. Device management can be set automatically by defining an identity policy accordingly.

Identity and Device Policies

Policies are rules that control Groove usage within a management domain or group. Certain policies apply to managed user identities; others to managed devices. Upon initial Groove Manager installation, default policies are in effect that administrators can customize. The Groove Manager automatically distributes all policy changes to user identities and devices in the domain whenever domain member clients contact the server. Once a Groove client gets a policy setting, Groove enforces this policy.

User identity policies control account backup scheduling, publication of user contact information, and other user activities. Device policies control password creation, creation of multiple Groove accounts, and other aspects of Groove functionality on a device.

See Also:
• Overview of Groove Management Domains
• Getting Started with Groove Management Domains

Groove Management Domain Functionality

The Groove Manager enables centralized control of Groove usage from a server administrator-defined management domain. Supported by a SQL database that stores most of its data, the Groove Manager helps maintain productive workflow and collaboration.

Groove Manager and Groove Enterprise Services Manager provide a centralized administrative interface for managing Groove users within a defined domain. Domain administrators can access this interface from a Web browser to assign relay servers for domain members, set Groove usage and security policies, and review reports of Groove user, tool, and workspace events.

The following sections briefly describe the scope of domain management tasks that can be conducted from Groove Enterprise Services or onsite Groove Managers.

In this article:
• Groove User and Device Management
• Groove User and Device Policy Setting
• Groove Relay Server Provisioning
• Groove Domain Administration and Role Assignment
• Password/Smart Card Login Reset and Data Recovery
• Groove Account Backup
• Groove Usage Monitoring
• Groove Auditing

Groove User and Device Management

Groove users must each have a managed identity in a Groove Manager domain in order to be provisioned with usage and security policies, and relay servers. If administrators need to set policies on Groove devices, as well as user policies, they can also register the Groove user devices in a Groove Manager domain. The following sections briefly describe both aspects of user administration:
• Groove User Management
• Groove Device Management

Groove User Management

The Groove management process begins with adding user contact information to a domain group defined on the Groove Manager. This can be accomplished most efficiently by integrating a corporate directory server (such as an Active Directory server) with the Groove Manager. If directory integration is not suitable, domain administrators can enter user information manually, or import it from an .xml or .csv file or from a corporate directory.

Once domain population is complete, an automated process can be set up to silently configure managed Groove accounts on Groove client devices when prospective domain members start Groove. Or, administrators can distribute account configuration codes to prospective domain members, who then apply these codes to their Groove accounts upon startup. Configuring managed Groove accounts on client devices results in the creation of a managed, provisioned identity for each domain member.

Groove Device Management

An important aspect of managing Groove users is managing the devices they use for work. Managed devices are subject to specific security policies, such as password creation rules, while unmanaged devices are not. Device management involves the distribution of Groove account, client, security, and audit policies to devices defined for managed identities.

Devices running Groove must be registered with the Groove Manager in order to be managed and subject to device policies. Registration is accomplished via an identity policy set prior to account configuration, or by downloading a Groove Manager registry key to individual devices associated with managed domain members. Once the device registry is updated with the management key, the device becomes subject to device policies obtained automatically from the Groove Manager upon Groove startup, upon login/logoff, and periodically thereafter.

Groove User and Device Policy Setting

The Groove Manager provides templates of default usage and security policies that apply to domain group members and any associated devices that are registered on the server. Administrators can modify the policies set in these templates or create new templates, then apply the templates to designated management domain groups or users. These policies apply only to managed Groove users and devices - those defined on the Groove Manager as belonging to a specific management domain group. Policies do not affect unmanaged Groove users. The following table summarizes the policy options in each category:

Groove Policies | Description
User Policies | • Member policies, including client account backup scheduling, control of identity publication, and restriction of managed identity use to managed devices in the domain. • Security policies, including control of peer authentication behavior, login credential reset, and Groove’s default list of blocked file attachments.
Device Policies | • Account policies, including restriction of managed device use to managed identities in the domain, and control of multiple account creation and account import. • Client policies, including control of Messenger integration and restriction of Groove tool usage. • Security Policies, including control of password or smart card login, account lockout behavior, and Web services availability. • Audit Server Policies, including audit event selection and periodicity (option available for Groove Manager only).

Groove Relay Provisioning

Relay servers are a fundamental part of Microsoft Office Groove peer-to-peer communications. In a managed environment, dedicated relay servers, installed onsite at an enterprise or engaged through Groove Enterprise Services, help ensure timely, uninterrupted message and data transfer between Groove peers, regardless of their location or status (online or offline) on the network. Once an enterprise has installed at least one relay server onsite or procured Groove Enterprise Services, administrators can define a relay server on the Groove Manager and assign it to specific management domain groups or users.

Groove Domain Administration and Role Assignment

A management domain, defined by a server administrator, is the top-level management unit on the server. Each domain consists of user groups and subgroups, as well as a collection of user and device policy templates, and relay server sets. Administrators can view Groove usage reports, and add, edit, or delete Groove Manager e-mail templates for their domains. In addition, if the Groove Manager administrator has enabled Role Based Access Control (RBAC) on the server, domain administrators can define roles for peer administrators.

Password/Smart Card Login Reset and Data Recovery

In the event that a managed user forgets a Groove password or smart card login, resetting the user’s password or smart card login credentials may be necessary. To prepare for this eventuality, the domain (or server) administrator can set an identity policy that allows for reset proceedings. The Groove Manager supports two centralized approaches to resetting a user pass phrase or smart card login. One approach allows the Groove Manager to automatically respond to user requests for login credential resets. The other is an administrator-driven approach where administrators respond to individual user requests for login credential reset, by verifying user identity and granting (or denying) the request; if the request is granted, users can reset their own password without further administrative involvement.

In addition, the Groove Manager provides a utility that domain administrators can use to access data that would otherwise be irretrievable without the user’s password (for instance, when a user is removed from a management domain). Groove data that is normally stored encrypted with the managed user's password, known only to that user, is also encrypted with the administrator’s public key. The data recovery tool enables the domain administrator to use a corresponding private key to recover the device owner’s Groove data or reset the user password.

Groove Account Backup

The Groove Manager lets administrators set an identity policy that enables automatic Groove account backup at specified intervals for users in a selected domain. Backed up information includes user identity information, contact and workspace lists, and domain management settings. Without a backup system in effect, lost or corrupted Groove account data is irretrievable.

Groove Usage Monitoring

When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, Groove workspaces, and Groove tools being used. Administrators can view Groove usage statistics via the Groove Manager administrative Web site. Usage statistics include the amount of time domain members spend in a particular workspace or using a specific tool. Audit log reports are also available that log domain events, such as the addition of a new group to a domain.

Groove Auditing

If the Groove client auditing feature is part of the Groove Manager installation and Groove devices are registered with the Groove Manager, a device policy can require managed Groove clients to log user activities. Groove Manager device policies specify which Groove events are tracked and uploaded to Groove Manager databases. Client audit logs are collected into a database on a SQL server, and from those logs administrators can generate formatted reports using third-party reporting tools, such as Crystal Reports. Note that Groove client auditing is available for onsite Groove Manager installations only; it is not available through Microsoft-hosted Groove Enterprise Services.

See Also:
• Overview of Groove Management Domains
• Getting Started with Groove Management Domains

Before You Begin Working with Groove Management Domains

Review the following checklist before accessing the Groove Manager administrative Web site:

Category | Confirm the following:
Groove Manager or Groove Enterprise Services access | URL of the Groove Manager Web site is available, depending on your setup: • If Groove Manager is installed at your site as part of the Office Groove Server 2007 - Ensure that the Groove Manager software is installed on your system as described in the Groove Manager Server Administration portion of the Help, and note the URL of the Groove Manager administrative Web site on that server. • If you access Groove Manager via Groove Enterprise Services, note the URL of your company’s Groove Manager administrative Web site.
Browser on administrative PC | Internet Explorer (IE) 6.0 (or later) is running on the administrative PC, with the following settings in place: • JavaScript, Cookies, and Forms are enabled • Minimum Screen Resolution: 1024 by 768 pixels • Maximum Display DPI Setting: Normal size (96 DPI)
Microsoft Office Groove clients | Groove version 3.0 (or later) is installed on end-user computers. (Groove 2007 is recommended for full feature functionality.)
Groove Relay server | If your management system includes at least one onsite Groove Server Relay (subsequently called Groove Relay), the Groove Relay is installed and configured as described in the Groove Relay Administrator’s Guide included with the Groove Relay application.
LDAP server | If your user contact information originates from a corporate directory server, your Groove Manager administrator has defined and configured the directory server on your Groove Manager, as described in the Groove Manager Server Administration portion of the Help. Note that directory server integration is possible only if a Groove Manager is installed at your site.
Permissions | You have full access to the domain portion of the administrative Web site. If your server administrator has enabled Role Based Access Control, you must have the role of Server Administrator or Domain Administrator. Some options may not be available to you if you have any other role.
Login credentials | You know your login name and password for the Groove Manager, if required. If you are using the Groove Manager, this information is determined by your company’s Web site authentication system. If you are using Groove Enterprise Services, this information is determined by login requirements of your Groove Enterprise Services Web site.
Device management | You have considered the possibility of Groove user device management. Device management lets you set various Groove usage and security policies, including those governing Groove login. For information about device management, see “Overview of Device Policies”.
Expertise | As a domain administrator, you have the following expertise: • General Groove use • User account management • Software usage and security policies • Software usage monitoring • Understanding of basic functionality provided by the Groove Manager. For more information, see the Overview of Groove Domain Administration.

See Also: Getting Started with Groove Management Domains

Accessing the Administrative Web Site in Groove Manager

The following section provides instructions for accessing and using the Groove Manager administrative Web site.

In this section:
• Accessing the Groove Manager Administrative UI
• Overview of the Groove Manager Administrative UI
• Getting Help with Groove Manager Domain Administration
• Changing Administrative Preferences

Accessing the Groove Manager Administrative UI

You access the Groove Manager administrative Web site by entering its URL from your browser, as described in this section.

To access the Groove Manager administrative user interface (UI):

1. From an administrative PC, open an IE Web browser that meets the requirements specified in Before You Begin Working with Groove Management Domains.
2. If you are accessing a local Groove Manager from your own site, go to the URL of the Groove Manager, defined by the Groove Manager administrator.
3. If you are accessing the Groove Enterprise Services Manager Web site, go to the appropriate URL, then register and set up your initial domain according to the instructions.
4. Log in to the Groove Manager using your administrator login name and password (determined by your company’s Web site authentication scheme if you are using the Groove Manager).
5. The Groove Manager home page appears, as described in Groove Manager Administrative UI Overview. You are now ready to begin populating a server domain group with members and provisioning those members, as described in subsequent sections of this Help.
6. For information about how to get online Help at any time, see Getting Help with Groove Manager Domain Administration.
7. For information about changing administrative preferences, see Changing Administrative Preferences.

See Also:
• Accessing the Administrative Web Site in Groove Manager
• Getting Started with Groove Management Domains

Overview of the Groove Manager Administrative UI

The Groove administrative user interface consists of a domain list on the left and a main window. The Web page has the following characteristics, which may vary, depending on the role your server administrator has assigned to you:
• Main window - Reflects the current selection in the navigation pane, and includes a set of tabs. When the management domain is selected, a set of domain tabs appears: Reports, E-mail, and Roles, with the Reports tab in the foreground.
• Toolbar - Appears at the top of the main window and displays icons appropriate for the task being performed on the current tab.
• Navigation tree - Appears in the left pane and displays the management domain or domains defined on this server. Selecting a domain displays the items described in the following table.

Domain Constituents | Description
Members | A top-level group for managing domain members and groups that you define.
Identity Policy Template | A container of templates for managing domain identity policies, including a Default template.
Device Policy Template | A container of templates for managing domain device policies, including a Default template.
Relay Server Set | A container of templates for managing Groove Relay servers or services, including a default set.

See Also: Accessing the Administrative Web Site in Groove Manager; Getting Started with Groove Management Domains

Getting Help with Groove Manager Domain Administration

To get help using Management Services:
• Click the Help link in the upper left of a Groove Manager administrative Web page to access Groove Manager online Help.

See Also: Accessing the Administrative Web Site in Groove Manager; Getting Started with Groove Management Domains

Changing Administrative Preferences

You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

To edit administrative preferences:
1. Go to the Groove Manager administrative Web interface and click the Preferences link at the top of the current page. An image of your left navigation pane appears in the dialog box.
2. To change the default number of list items that appear on any list page, select a number from the Default number of items to display drop-down box. The initial default setting is to display 25 items per page.
3. To select a start, or home, page, select an item from the Start Page tree which will appear when you start the Groove Manager administrative Web interface.
4. Click OK.

See Also: Accessing the Administrative Web Site in Groove Manager; Getting Started with Groove Management Domains

Setting Up a Groove Management Domain

A domain is the top-level management unit of Groove deployment on the Groove Manager. It contains one or more groups of Groove users (domain members). Your Groove Manager administrator creates domains; you or anyone with management domain-level permissions (if Role Based Access Control is configured on your server) can manage the domain.

The procedure below outlines the basic steps necessary to create a user management system, following a recommended sequence. Where necessary, you can link to other sections of the guide that provide more detail. You may want to begin by performing a trial run with a sample user base and minimal customization.

Note: If Role Based Access Control (RBAC) is configured on your server, administrators with limited roles (roles other than Server or Domain administrator) may not be able to see certain pages or fields discussed in this guide. RBAC and initial administrator roles are set by the Groove Manager administrator as part of the Groove Manager installation and configuration process. However, domain administrators can edit the roles of domain-level or limited domain-level administrators, as described in Editing Domain Administrator Roles.

To add Groove users to a Groove management domain and provision them with policies and relay servers:
1. Make sure that Groove is installed on user devices (or that users have access to Groove for installation).
2. Start the Groove Manager server (if onsite), and log into the Groove Manager administrative Web site, as described in Accessing the Administrative Web Site in Groove Manager. At least one domain appears in the navigation tree in the pane to the left of the main window.
3. In the navigation pane, click the domain to expand it and view the following items:
   • Members group
   • Identity Policy Templates
   • Device Policy Templates
   • Relay Server Sets
   If a message appears, referring you to a server or domain administrator for domain access, ask the appropriate administrator to assign you an administrative role with at least domain-level permissions. Then continue with this procedure.
4. Consider customizing the default identity policy template in the domain by clicking Identity Policy Templates to expand it, then clicking the Default template. Initial default policies are usually based on minimal security requirements. For details about editing identity policies, see Viewing and Editing Identity Policies. Important identity policies to consider include the following:

Important Identity Policies | How to Set Them

Automatically manage client devices upon Groove account configuration | Registering devices with the Groove Manager allows you to set domain device policies that control Groove password entry, client auditing, and other important device-based activities. Setting this policy automatically registers Groove user devices with the Groove Manager when Groove users configure their managed Groove accounts. This is the most efficient way to register Groove devices in a domain. Set this recommended policy if your administrative environment allows. For more information about this policy, see Automatically Managing Devices During Account Configuration or Logon. If you do not set an identity policy for automatic device configuration, you can register each device that you want to manage with the Groove Manager by downloading the device management registry key from the Groove Manager to a client-accessible location (select the default device policy template in the navigation pane, then select Download Device Management Key in the toolbar). Then copy the key to each client device. For instructions and general information about registering devices, see Registering User Devices with the Groove Manager.

Allow for Groove password resetting and data recovery | Set the relevant identity Security Policies as needed, as described in Resetting Groove Login Credentials.

Schedule automatic backup of domain member accounts | Set the relevant identity Member Policy as needed, as described in Backing Up and Restoring User Account Data.

5. Consider customizing the default device policy template in the domain by clicking Device Policy Templates, then clicking the Default template. Initial default policies are usually based on minimal security requirements. For details about editing device policies, see Viewing and Editing Device Policies. Important device policies to consider include the following:

Important Device Policies* | How to Set Them

Set up Groove client password or smart card login controls | Set the relevant device Security Policies as needed, as described in Setting Groove Login Password Policies and Setting Smart Card Login Policies.

Enable Groove client auditing | Consult your Groove Manager server administrator to ensure that the Groove client Auditing feature is configured at your site, then set the relevant device Audit Policies as needed, as described in Enabling Groove Client Auditing.

*To enact any device policies, make sure you installed device registry keys on each user device, as described earlier in this procedure.

6. If you manage users who are running Groove Virtual Office 3.1 or earlier, add Groove licenses to a domain license set, as described in Groove 3.1 or Earlier - Appendix C. Managing Groove Product Licenses.
7. If the Groove Manager is installed onsite at your organization, add Groove Relay servers to the domain. Add the Groove Relay servers by selecting Relay Server Sets for the domain, clicking the Relay Servers tab, then clicking Add Relay Server in the toolbar and entering the required information. For detailed instructions about adding relay servers to a Groove Manager domain, see Adding a Relay Server to the Groove Manager.
8. To enter user contact information in the domain, if your server manager has not already performed this step using a corporate directory server, select Members in the navigation pane and select Add Members in the toolbar, then follow the instructions in the Add Members Wizard. See Adding Groove Users to a Domain for detailed instructions about adding Groove members. If user data has already been integrated with Groove Manager member groups from a corporate directory server, skip this step and proceed to the next step. Members is the default top-level domain group, to which the default policy templates and relay server sets apply. You can add sub-groups and provision users with other templates and relay server sets, as described in Managing Groove Users. If, when you click the Members group, a domain setup window appears requesting password information, type the required information in the fields.
9. Send managed account configuration codes to Groove users, as described in Enabling Groove Account Configuration. If your server administrator has set up Auto-Account Configuration, Groove users will receive their managed account configuration codes automatically and you can skip this step.

Once the account configuration code is installed in a user’s Groove software, Groove will authenticate the user and create a managed identity based on the associated user information. To perform various domain management tasks, use the domain tabs, described in the following table:

Domain Tabs | Descriptions
Reports | Allows you to view Groove usage reports for users, workspaces, and tools in the selected domain, as described in Viewing Groove Domain Reports.
E-mail | Allows you to add, edit, and delete Groove Manager e-mail templates for the selected domain, as described in Adding, Editing, and Deleting E-mail Templates.
Roles | Allows you to configure domain-level administrator roles, as described in Editing Domain Administrator Roles.

See Also: Getting Started with Groove Management Domains

6. V. Getting Started with Groove Server Relay

The Groove Relay is a Microsoft Office Groove Server 2007 application that lets you manage Groove relay services from a server installed at your site, in conjunction with a Groove Manager installation. Relay servers facilitate communications by acting as proxies for navigating firewalls, providing alternative communications paths for clients operating over dial-up modems or other slow links, offering temporary storage when users are offline, and fanning out data transmissions. The Groove Relay application runs as a Windows service.

The following sections explain how to configure the Windows operating system, install and configure the Groove Relay software, start the Groove Relay, and set up communications with the Groove Manager. For information about upgrading from a previous version of the Groove Relay, see ‘Upgrading/Re-installing Groove Relay’ in the book, Operations for Groove Server - Relay.

Setting up the Groove Relay at your site involves the following basic steps, each of which is described subsequently in detail.
1. Checking Readme for Office Groove Server 2007 Relay
2. Checking Requirements for Groove Relay
3. Preparing the Network for the Groove Relay
4. Installing the Operating System on the Groove Relay Server
5. Configuring the Platform for the Groove Relay Server
6. Installing the Groove Relay
7. Configuring the Groove Relay
8. Backing Up Initial Groove Relay Key Files
9. Configuring Groove Relay Service Startup
10. Binding Administrative Ports to Specific NICs
11. Starting the Groove Relay
12. Setting up the Groove Manager

Readme for Office Groove Server 2007 Relay

September 7, 2006

Copyright © 2006 Microsoft Corporation. All rights reserved.

The online Help and documentation included with this product are part of this release. They are for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS HELP CONTENT.

License Information

Please refer to the provided End-User License Agreement for license information.

Summary of Changes from Prior Releases

Important To retain settings and data from prior beta/pre-release installs of Groove Relay you must read and follow all procedures in the section Upgrading from Prior Beta/Pre-release Versions below.

Incompatibilities with Prior Beta/Pre-Release versions

• The default installation path has changed from previous pre-release versions. Please see the section Upgrading from Prior Beta/Pre-release Versions below for more information.
• The RQS metadata database format has changed for this release. Please see the section Upgrading from Prior Beta/Pre-release Versions below for more information.

This release of the Groove Relay does not support the following features:

• SSL encryption and certificate-based authentication of access to the Groove Relay Administrative Web Interface. Non-encrypted HTTP access is provided on the port 8010 on the local machine only.
• The SSL and Security tabs have been removed from the Groove Relay Configuration Control Panel Applet as they are not relevant for this release.

Installation Changes

The following additional installation changes should be noted:

• During installation, only a single path may be specified as the root path for the FFQ and RQS subdirectories. This is called the Data directory path. It defaults to the install directory, which would result in FFQ and RQS data being stored in subdirectories by the same names under the install directory. It may be overridden to specify a different location for these subdirectories.
• During installation, a new path option is provided to specify a location for diagnostic information. By default it will be stored in a subdirectory called Diagnostics under the install directory. If overridden, it will result in diagnostic information being stored in the user specified directory.
• There is no optional symbols component in this release.

Access to the Groove Relay Administrative Web Interface

The Groove Relay Administrative Web Interface is now available on port 8010 on the local machine only by default, using regular HTTP (non-SSL) communication. On the local machine browse to http://127.0.0.1:8010/ or http://localhost:8010/ to access the Administrative Web Interface. (The administrator password is still required for access.) Previously the Administrative Web Interface was protected with SSL encryption and was available via all network interfaces. Users may additionally want to block access to port 8010 from external network interfaces using standard Windows Networking configuration options.

Summary of Changes from the Groove Relay 12 Pre-Release version

• The use of Secure Groove SOAP for management of the Groove Relay from the Groove Manager (previously known as the Groove Management Server) is now supported.
• Pre-authentication via the Groove Manager is also now supported again.
• The Groove Relay Configuration Control Panel Applet is now a 64-bit executable and appears in the main Control Panel folder.
• The Administrative Web Interface has been moved from port 8009 to 8010 for this release.
• The Administrative Web Interface is now restricted to localhost (127.0.0.1) access by default.

Upgrading from Prior Beta/Pre-release Versions

Migration of existing settings and data from a beta or pre-release installation of 2007 Groove Relay is unsupported. However, the procedure provided below is being made available for customers who have a strong need to transition their beta deployment of the Groove Relay to the final release. The recommended and supported mechanism for transitioning to the final version is to stand up a new Groove Relay with a new server identity and re-provision users to the new relay via the Groove Manager.

Important: Before beginning upgrade to this version of the relay make sure all software and data on your relay machine has been completely backed up. Also, please read through all the instructions below before attempting the upgrade and migration.

During upgrade you will need to specify the prior installation path used during the earlier installation in order to preserve existing relay settings and data. The default installation path for this release has changed, so you will need to use the Advanced install option to specify the correct path. In addition, the RQS metadata database format for this version has changed and requires rebuilding before starting the relay for the first time after upgrade from versions prior to this release. User queue data is preserved in this process, but queue metadata must be rebuilt and the list of authorized relay users must be re-synced via the Groove Manager.

The following assumes the prior relay installation directory is “C:\Program Files\Microsoft Office Server\12.0\Groove\Groove Relay” and relay data directory is on a separate volume, “D:\Relay\Data”, with the relay metadata directory located in “D:\Relay\Data\RQS”; substitute your actual locations where necessary. For example, if you previously chose default locations for the relay data and metadata directories, they will be located here instead: “C:\Program Files\Microsoft Office Server\12.0\Groove\Groove Relay\Data” and “C:\Program Files\Microsoft Office Server\12.0\Groove\Groove Relay\Data\RQS”.

To determine if you are using a non-default location for the relay data directory, check for the existence of the following registry value:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\Groove\Groove Relay\Parameters
Value: DataDir

If this value exists, it points to the non-default location.

Below is the recommended procedure for preserving prior settings and data during upgrade, and rebuilding the RQS metadata and resyncing with the Groove Manager.

1. Make a backup of all software and data on the Groove Relay machine.
2. Uninstall the prior version of the Groove Relay via Add/Remove Programs.
3. Launch the installer for this version of the relay and choose the Advanced install option.

Important: To preserve prior settings and data (including the Groove Relay identity information, name, private key data, certificates, queues, and Groove Manager identity information for associated Groove Manager instances), you must choose the Advanced install option during the install and modify the default installation path to match your prior installation path. To detect what the prior install path was before installing this version you can examine the following registry value:

If you chose the default installation path in previous installs, you will need to remove the trailing ‘s’ from the default path name presented, as the new default path name ends with “Microsoft Office Servers” instead of “Microsoft Office Server”. Note that for the previous default path name you can only specify the first and second components of the name. The portion after, “\12.0\Groove\Groove Relay”, cannot be changed, and you should not specify it explicitly. Attempt to match only the “C:\Program Files\Microsoft Office Server” portion, or whatever partial path you used previously. This will enable the install to migrate your prior settings.

CAUTION: If you choose a different path, all previous settings in the registry will be lost, although key files and data files will remain.

Important: Do not start the relay after upgrade.

1. Rename the existing metadata directory, e.g., “D:\Relay\Data\RQS” to “D:\Relay\Data\RQS-save”.
2. Disable relay ports 80, 443, and 2492 as follows:
   a. Click Run from the Start menu, then enter regedit.
   b. Navigate the registry to:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\Groove\Groove Relay\Parameters
   c. Set the following values:
      "HTTPPort"=dword:00000000
      "Port"=dword:00000001
      "SSLPort"=dword:00000002
3. From a command-line, enter the following:
      D:
      cd \Relay
      "C:\Program Files\Microsoft Office Server\12.0\Groove\Groove Relay\FFQrebuild" -f Data\FFQ
4. If the relay is provisioned to multiple Groove Manager servers, ensure that the “Epoch” REG_DWORD registry value under each Groove Manager key is set to 0. The “Epoch” registry value for each Groove Manager can be found under:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\Groove\Groove Relay\Parameters\ManagementServers\[Groove Manager]
   Substitute your actual Groove Manager server name for “[Groove Manager]” in this registry path.
5. Synchronize the relay with each Groove Manager by forcing a connection as follows:
   a. Start the Groove Manager.
   b. Navigate to one of the relay's provisioned Groove Manager domains.
   c. Click Relay Server Sets in the left navigation pane.
   d. Click the Relay Servers tab, then click the link for the desired relay.
   e. Change the purge interval for the Device Message Lifetime - by 1 day, for example.
6. Monitor the Groove Relay Administrative Web Interface Users page. Refresh the Users listing page until the number of defined users returns to a normal level for the domains. This can take several minutes to a half hour or more.
7. Stop the relay.
8. Enable ports 2492, 443, and 80, as follows:
   a. Click Run from the Start menu, then enter regedit.
   b. Navigate the registry to:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\Groove\Groove Relay\Parameters
   c. Set the following values:
      "HTTPPort"=dword:00000050 (decimal 80)
      "Port"=dword:000009bc (decimal 2492)
      "SSLPort"=dword:000001bb (decimal 443)
9. Restart the Groove Relay service.
10. Monitor the Groove Relay from the Relay Administrative Web pages until connections and on-line users return to normal.
11. Check the event log to make sure no serious anomalies occur after restart.
12. In the Groove Manager, change the purge interval back to its original value.
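The procedure above parks the three relay listeners on placeholder values and later restores them, so a mistyped dword can leave a port disabled after the migration. The following check is an added example, not part of the original guide or of the Groove product: it assumes the Parameters key has been exported to text (for example with regedit's Export command) and decoded, and the sample exports it embeds are constructed.

```python
import re

# Key and value names as given in the upgrade procedure.
PARAMETERS_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server"
                  r"\Groove\Groove Relay\Parameters")
ENABLED = {"HTTPPort": 80, "Port": 2492, "SSLPort": 443}   # step 8 values
DISABLED = {"HTTPPort": 0, "Port": 1, "SSLPort": 2}        # step 2 values

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>\S*)$')


def parse_port_values(reg_text):
    """Return ({name: int}, [problems]) for the port values directly under
    the Parameters key; values in subkeys are ignored."""
    values, problems = {}, []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == PARAMETERS_KEY.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if not m or m.group("name") not in ENABLED:
            continue
        digits = m.group("hex")
        if not re.fullmatch(r"[0-9a-fA-F]{8}", digits):
            problems.append(f"{m.group('name')}: '{digits}' is not an 8-digit hex dword")
            continue
        values[m.group("name")] = int(digits, 16)
    return values, problems


def classify(reg_text):
    """Return (state, problems); state is enabled, disabled, mixed or invalid."""
    values, problems = parse_port_values(reg_text)
    reported = {p.split(":", 1)[0] for p in problems}
    for name in ENABLED:
        if name not in values and name not in reported:
            problems.append(f"{name}: value not found under the Parameters key")
    if problems:
        return "invalid", problems
    if values == ENABLED:
        return "enabled", []
    if values == DISABLED:
        return "disabled", []
    drift = [f"{n}: {v} (expected {ENABLED[n]})"
             for n, v in values.items() if v != ENABLED[n]]
    return "mixed", drift


# Constructed sample export; the ManagementServers subkey name is hypothetical.
_TEMPLATE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters]
"DataDir"="D:\\Relay\\Data"
"HTTPPort"=dword:{http}
"Port"=dword:{port}
"SSLPort"=dword:{ssl}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters\ManagementServers\manager.example.test]
"Port"=dword:00000001
"Epoch"=dword:00000000
"""
SAMPLE_ENABLED = _TEMPLATE.format(http="00000050", port="000009bc", ssl="000001bb")
SAMPLE_DISABLED = _TEMPLATE.format(http="00000000", port="00000001", ssl="00000002")
SAMPLE_HALF_DONE = _TEMPLATE.format(http="00000050", port="00000001", ssl="000001bb")
SAMPLE_MALFORMED = _TEMPLATE.format(http="00000050", port="0000000bc", ssl="000001bb")

if __name__ == "__main__":
    for label, text in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                        ("half done", SAMPLE_HALF_DONE), ("malformed", SAMPLE_MALFORMED)]:
        print(label, "->", classify(text))
```

Run it after step 8 and before restarting the service: any state other than enabled means at least one listener would come up on the wrong port.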

The migration is complete at this point. Be sure to back up your relay identity and key files to off-line media, as described in the Groove Relay Administrator’s Guide.

Upgrading from Groove Relay 3.1

As the Groove Relay for this release is a new 64-bit application, an in-place upgrade from Groove Relay Server 3.1 or earlier is not supported. However, you may add a new instance of the Groove Relay to a new or existing Relay Server Set in the Groove Manager and re-provision users to the new relay server. See the Groove Manager Administrator's Guide for more information.

See Also: Getting Started with Groove Server Relay

7. Requirements for Groove Relay

The following sections list minimum and/or recommended hardware and software requirements for installing and running the Groove Relay software at your site. For information about Groove Manager installation and configuration, see Getting Started with Groove Server Manager.

In this Article:
• Hardware Requirements
• Software Requirements
• Expertise Requirements

Hardware Requirements

The following table lists the hardware required to run the Groove Relay. Listed specifications generally support a community of 12,000 to 18,000 provisioned Groove users.

Machine | Specifications (approximately 25,000 concurrent Groove users)

Groove Relay server |
• Processor: 64-bit processor supporting AMD64 or Intel® EM64T instruction set
• Processor speed: AMD 1.8 gigahertz (GHz) or higher, or Intel 2.4 GHz or higher
• Number of processors: Dual Processor or Dual core (Dual Processor recommended)
• Memory: 4 gigabytes (GB) minimum; 8 GB recommended
• System volume: 40 GB minimum; 73 GB recommended (for operating system and Groove Server Relay application)
• Data volume: 250 GB minimum; 1.1 terabytes recommended (local SCSI-attached storage in a RAID5 or RAID10 configuration recommended)
• Volume cluster size: 4 KB for system volume and 4 KB for data volume
• Volume format: NTFS is required
• RAID controller: High-Performance Hardware-Based Caching RAID controller with minimum of 64 MB of read cache; Write Caching Controller with Battery Backup and 128 MB or more of Read/Write Cache, recommended
• Disk subsystem performance: Disk subsystem for the data volume must support a write throughput of 200 Kilobytes/second as measured by the provided DBWriteTest tool. See Testing Groove Relay Hardware Throughput with DBWritetest in the Managing Relay Servers section of this guide for information about running DBWritetest to qualify your hardware.
• Disk rotational speed: 15,000 rpm recommended; 10,000 rpm minimum
Note: Compressed and network volumes are not supported for the Groove Relay installation or data directories.

Groove Manager server | IIS and SQL servers, as specified in the online Help that accompanies the Groove Manager component of the Microsoft Office Groove Server.

Microsoft Office Groove client | As specified in the documentation that accompanies Microsoft Office Groove.

Software Requirements

The following table lists the software required to support the current set of Groove Relay features:

For this Machine | You Need this Software

Groove Relay server |
• One of the following:
   • Windows Server 2003 Standard x64 Edition Service Pack 1 or later
   • Windows Server Vista
• Internet Explorer 6.0 or later, for viewing the relay administrative Web interface. Internet Explorer 64-bit version is required to ensure correct processing of the Groove Manager key used to register the Groove Relay.
• Microsoft® Office Groove® Server 2007 Relay

Groove Manager server |
• Microsoft Office Groove Server 2007 Manager

Microsoft Office Groove client |
• Microsoft Office Groove 2007

Expertise Requirements

To install and administer a Groove Relay server, you need expertise in the following areas:
• Network topology
• Network security
• Windows server administration
• Configuring and running internet services
• Setting up Domain Name System (DNS) names
• Groove use

See Also: Getting Started with Groove Server Relay

Preparing the Network for the Groove Relay

The first step in setting up Groove Relay support onsite is to properly configure your network for the new node.

To prepare your network to support the Groove Relay:
1. Choose a Domain Name Service (DNS) host name for the Groove Relay and report it to your DNS administrator, so that it can be registered with DNS.
2. Get a static Internet Protocol (IP) address for the server machine from the DNS administrator.
   Note: Using a Dynamic Host Configuration Protocol (DHCP) assigned address for this server machine is not recommended.
3. Set up any routes necessary to allow the Groove Relay to be accessible to internal and external users, or only internal users if you will not be supporting external users.
   Note: Restricting the Groove Relay to internal access is not recommended, as this configuration prevents external users from contacting Groove users within your organization.

See Also: Getting Started with Groove Server Relay

Installing the Operating System on the Groove Relay Server

Once you have prepared the network to support the Groove Relay, install and configure the Windows server platform on the Groove Relay server.

To install the Windows platform to take maximum advantage of relay capabilities:
1. Ensure that none of the following applications or services are installed or operating on the intended relay server machine:
   • Groove Manager
   • Groove Data Bridge
   • IIS (or other Web servers or applications listening on port 80)
   • Microsoft Office Groove
   • Microsoft Office
   • Microsoft Office SharePoint® server
   • Other Microsoft Office servers
   • On-line backup utilities and services that backup files that are open for reading or writing in the Groove Relay installation or data directories.
2. On a server-level PC that meets the hardware requirements listed in the Requirements section of this guide, install the Windows Server on a 16-GB (or higher) C: drive partition.
   Note: Because the Groove Relay runs on an internet boundary (perimeter network), install Windows as a stand-alone server as an added security measure. Do not join the server to a Windows Network domain. This non-joined installation helps prevent an intruder who has compromised a machine from accessing other machines on the Windows domain.
3. Configure disk partitions as follows:
   a. Set the system (boot) partition size to be three times the physical memory size, or 16 GB, whichever is greater.
   b. Set the data partition to at least 250 GB.
   The Groove Relay installer allows you to select the directories where the program, database, and log files will reside. Disk allocations vary, depending on the type and number of drives you have available for relay server operation. The goal is to achieve a high performance operational disk configuration. The following table provides an example of an optimal disk setup:

Drive | NTFS Partition Size | Disk Channel | Contents
C: | Boot 16 GB NTFS | Ch1, Disk1, RAID 0+1 | OS, Relay program, OS swap
D: | DVD-ROM | IDE-internal (typically) | DVD-ROM
E: | 250+ GB NTFS | Ch2, Disk2, RAID (write caching enabled) | Relay data

4. Install or omit Windows operating system components as follows:

Do NOT Install These Components: Install These Optional Components as Needed:

See Also:

a. Click the Startup and Recovery button, and enter recommended values as shown in the table below.
b. Click OK when you are finished.

System Startup and Recovery Options | Value
Send an administrative alert | On
Automatically reboot | On
Crash Dump type | Mini-dump (recommended option)
Dump File | %SystemRoot%\MEMORY.DMP
Overwrite any existing files | On

3. Configure the system performance options, as follows.
   a. Click the Performance Options button.
   b. In the Optimize performance for field, select Background services.
   c. Click the Change button to display the Virtual Memory options.
   d. Set your virtual memory to be at least the size of the real memory available on your machine, but no more than half the available free space on your system partition. Typically, the setting should between 8 gigabytes (GB).
   e. Click OK when you are finished.
4. Configure each internal network connection on the Groove Relay server, as follows:
   Note: The settings listed here are general guidelines only. Customize these settings based on your local network configuration. By default, all ports are open and unprotected (no lockdowns are in place), so consider your connection settings carefully. On an internal network, the settings described here are typically satisfactory, but if you need to further protect certain ports, you can provision and apply filters to them. However, blocking all ports on internal connections is not recommended as it can disrupt communications between the Groove Relay and the Groove Manager.
   a. Right-click on My Network Places, and select Properties to open the Network and Dial-Up Connections window.
   b. Right-click on the internal connection (network interface card) that you want to edit, and select Properties.
   c. If the Client for Microsoft Networks component is not already present and enabled, add and enable it.
   d. If the File and Printer Sharing for Microsoft Networks component is not already present and enabled and you installed the Remote Registry Service listed in the operating system components table above, and if your company’s security policies allow this component, add and enable it. Otherwise, remove or disable it.
   e. If the Internet Protocol (TCP/IP) component is not already present and enabled, add and enable it.
   f. If you installed the Network Monitor Tools above, add and enable the Network Monitor Driver component.
   g. If you enabled File and Printer Sharing, enable NetBIOS over TCP/IP by clicking Internet Protocol (TCP/IP), clicking the Properties button, clicking the Advanced button to open the Advanced TCP/IP Settings window, clicking the WINS tab, and then selecting the Enable NetBIOS over TCP/IP option.
   h. Click the DNS tab and make any changes necessary to your network configuration.
   i. Click the IP Settings tab and make any necessary changes.
   j. Click OK until you return to the Network and Dial-Up Connections window.
5. Configure each external network connection on the Groove Relay server.
   Note: Customize these settings based on your local network configuration. Microsoft leaves all ports open and unprotected (no lockdowns are in place), so consider your connection settings carefully. The settings cited below are general guidelines.
   a. Right-click on My Network Places, then select Properties to open the Network Connections window.
   b. Right-click on the external connection (network interface card) that you want to edit, then select Properties.
   c. Remove or disable the Client for Microsoft Networks component.
   d. Remove or disable the File and Printer Sharing for Microsoft Networks component.
   e. If you installed the Network Monitor Tools above and if your company security policy allows, add and enable the Network Monitor Driver component.
   f. If the Internet Protocol (TCP/IP) component is not already present and enabled, add and enable it.
   g. Disable NetBIOS over TCP/IP by selecting Internet Protocol (TCP/IP), pressing the Properties button, clicking the Advanced button to open the Advanced TCP/IP Settings window, clicking the WINS tab, and then selecting the Disable NetBIOS over TCP/IP option.
   h. Configure TCP/IP Filtering controls by clicking the Options tab, selecting TCP/IP Security, pressing the Properties button, and entering the following settings:

Security Properties | Value
Enable Filtering (All adapters) | Select this box to configure all network interface cards on your TCP/IP network.
TCP Ports | Click Permit Only and specify the following ports:
   80 - Inbound port 80 is used to transport HTTP-encapsulated SSTP messages from Groove clients when direct SSTP transmissions are blocked by firewalls.
   2492 - Inbound port 2492 must be open to receive SSTP messages from Groove clients. A corresponding outbound port must be open to support single-hop fanout, where relay-to-relay communications take place. For more information about single-hop fanout, see 'Fanout' in Groove Server Relay Functionality.
   443 - Inbound port 443 is used by Groove clients and relay servers to transport messages when SSTP transmissions over port 2492 are blocked by firewalls.
   8009 (only if external access from the Groove Manager is necessary) - Inbound port 8009 is used to support administration of the Groove Relay via the Groove Manager. You may want to secure this SOAP port by restricting it to a specific network interface card, as described later in these procedures in the section, Binding Administrative Ports to Specific NICs. If the Groove Relay and the Groove Manager will not be communicating via the external interface, do not include this port in the list.
UDP Ports | Click Permit All.
IP Protocols | Click Permit Only and specify the following protocols:
   6 - Supports Transmission Control Protocol (TCP).
   17 - Supports User Datagram Protocol (UDP), allowing user name-service access. This setting is required for the Groove Relay’s single-hop fanout. In single-hop fanout, the Groove Relay responds to a UDP query from the sending client and fans out a message to its destination relays over the same random port chosen by the Groove client when initiating the send.

Note: If you need to block Internet Control Message Protocol (ICMP) traffic (to prevent external users from pinging your servers) along with TCP/IP filtering, you must configure IP packet filters through Routing and Remote Access. For more information about IP packet filters, refer to TCP/IP Fundamentals (http://go.microsoft.com/fwlink/?LinkId=93681&clcid=0x409).

   i. Click OK to return to the Advanced TCP/IP Settings window.
   j. Click the DNS tab and make any changes necessary to your network configuration.
   k. Click the IP Settings tab and make any necessary changes.
   l. Click OK until you return to the Network and Dial-Up Connections window.

6. Set properties for each Windows Event Log, as follows:
   a. Click Start --> Program Files --> Administrative Tools, and launch the Event Viewer applet.
   b. To avoid loss of important event data, open each log and set its properties as shown in the following table:

Windows Event Logs | Properties
Application log | Maximum log size: 32000 KB; Overwrite events as needed
Security log | Maximum log size: 32000 KB; Overwrite events as needed
System log | Maximum log size: 32000 KB; Overwrite events as needed

7. Install the latest Windows service pack, as follows:
   a. Go to Microsoft Service Packs (http://go.microsoft.com/fwlink/?LinkId=93682&clcid=0x409) and select the link corresponding to the service pack level you intend to install.
   b. Follow the online instructions for downloading and installing the service pack.

8. Install the latest Windows critical and security updates, as follows:
   a. Go to Microsoft Update (http://go.microsoft.com/fwlink/?LinkId=93684&clcid=0x409) and select the updates that you intend to install.
   b. Follow the online instructions for downloading and installing the updates.

The machine is now ready for the Groove Relay software installation.

See Also: Getting Started with Groove Server Relay

Installing the Groove Relay

Use the following procedure to install and configure the Groove Relay on the machine where you configured the platform as described previously. The installation process sets up the Groove Relay as a Windows service.

Note: The Groove client must not be installed on the Groove Relay server machine.

Note: Pre-qualify your intended Groove Relay hardware using the supplied DBWritetest utility prior to installing the Groove Relay software.

To install the Groove Relay:
1. Insert the Microsoft Office Groove Server 2007 CD into the drive of the Windows server machine, configured as described in Configuring the Platform for the Groove Relay Server.
2. Select the option to install Microsoft Office Groove Server 2007 Relay. A Getting Started window appears, referring you to the Groove Relay Release Notes and the Administrator’s Guide, which contains the Groove Relay installation instructions. (Release Notes and Guide are located in the \grs directory of the installation media.)
3. Pre-qualify your server hardware for relay installation and operation by running the DBWritetest.exe utility located on the Groove Relay installation CD, and make sure that the resulting throughput assessment is above 200 kilobytes per second. Run this test three times to confirm the result. Each test can take up to 10 minutes to complete. For more information about DBWritetest, see “Testing Groove Relay Hardware Throughput with DBWritetest” in the Managing the Groove Relay section of this guide.
4. Open the Release Notes and save the Administrator’s Guide to disk for reference.
5. Follow the Install wizard instructions, entering the product ID key code when prompted.
6. Click Continue. The Microsoft Software License agreement appears.
7. Read and accept the Microsoft Software License agreement.
8. Click Continue. A window appears displaying the Basic or Advanced install options.
9. Select Basic to install now, or select Advanced to specify more options as described in the table below and then click Install Now.
10. Once the software installation finishes, click Close. The installer now launches the Groove Relay Configuration control panel applet.

Groove Relay Install Options | Explanations
Basic | To install the Groove Relay application in the default installation directory, c:\Program Files\Microsoft Office Servers\12.0\Groove\Groove Relay.
Advanced | To specify the following options, then install the Groove Relay application:
   - File location – To specify a Groove Relay installation directory.
   - Feedback – To specify whether you want to participate in the Customer Experience Improvement Program, opt-out of the program, or choose later. For more information about configuring this option after the Groove Relay is installed, see “Participating in the Microsoft Customer Experience Improvement Program”. For information about CEIP and its privacy policy, see http://go.microsoft.com/fwlink/?LinkId=52143.

Now that you have installed the Groove Relay software on the server machine, configure it using the Groove Relay Configuration control panel applet, as described next.

See Also: Getting Started with Groove Server Relay

Configuring the Groove Relay

Once you have installed Groove Relay, you can use the Groove Relay Configuration control panel applet to configure it. Initial relay configuration focuses on setting up a secure environment for relay server operation. A major part of this task involves authenticating the Groove Relay to Groove Manager and Groove clients. This authentication is accomplished through the use of various key files (listed in Identifying the Groove Relay and Generating Groove Relay Key Files).

Caution: Do not generate any new relay server private key and certificate files, or SOAP key and ID files, after you have generated them for the first time. Doing so will permanently prevent existing Groove clients from accessing the Groove Relay.

Configuring the Groove Relay involves the following major steps:
1. Identifying the Groove Relay and Generating Groove Relay Key Files to enable the secure provisioning of managed Groove users to the Groove Relay.
2. Generating SOAP Key Files to enable communication with your company’s onsite Groove Manager server.

See Also: Getting Started with Groove Server Relay

Identifying the Groove Relay and Generating Groove Relay Key Files

You configure the Groove Relay to securely support managed Groove users by generating the Groove Relay private key and public key files. Private key files are encrypted by a hash of a user-supplied password. When the private key file is generated, a corresponding public key certificate file is also generated. Public key files are used by clients to send encrypted data to the Groove Relay. See Groove Relay Files for a table that lists and describes relay key files.

To configure the Groove Relay keys:
1. Open the Control Panel from the Start menu, then double-click the Groove Relay Configuration control panel applet. The Server tab appears.
2. From the Server tab, set field values as shown in the following table:

Server Configuration Fields | Values

Relay Server Name | Accept the default or enter the fully qualified, publicly recognized DNS name for the Groove Relay that you previously registered with the Domain Name Service. Use the format ... For example, relay1.contoso.com. This name identifies the Groove Relay to the Groove Manager and to Groove clients. See the section, Preparing the Network for the Groove Relay, for more information about the DNS name. The default name is the DNS name of the Groove Relay machine on the network.

Administrative User Name | Enter an administrator name (recommended) or accept the default. This is the name you use to access the Groove Relay administrative Web interface. Default: ServerAdmin

Administrative Realm | Accept the default or enter another name for your administrative realm or domain using the format @. (for example, [email protected]). This value appears in the password prompt when you access the Groove Relay administrative Web interface.

Administrative Password | Enter a password. This is the password you use when you access the Groove Relay administrative Web interface.

Private Key File Name | Accept the default file name or edit it (for example, to include the relay server name). This is the name that the system will give to the server’s private key file once it is generated. The file contains the Groove Relay private key. The key is saved to this file in encrypted form using a hash of the user-supplied password. Default: privkey.dat

Certificate File Name | Accept the default file name or edit it (for example, to include the relay server name). Then click the Generate Files button to generate the private key file and certificate file. Before generating the files, the system displays the Define Password pop-up window where you enter a private key password, as described below. The certificate file name is the name that the system will give to the server’s public key once it is generated. This key is used by managed users to send secure Groove messages and data to the Groove Relay.
   Note: Whenever you generate a new private key file, you must enter the private key file password. This password applies to both the Groove Relay key files you define in this window and to the SOAP key files that you define on the SOAP tab, described next.
   Default: ServerCertificate.cer

Unattended Startup | Leave this option selected for unattended startup of the Groove Relay service after a machine reboot or crash. When selected, this option allows the Groove Relay service to start without prompting for a password. It also enables SOAP key generation, required for communication with Groove Manager servers.
   Note: Clearing this check box is not recommended. Besides blocking SOAP generation, clearing this check box means that if you forget the Groove Relay password, the server cannot start under that account (you cannot change the password if you have forgotten the original password). See Troubleshooting Groove Relay for information about recovery.
   Also note:
   - When you allow unattended startup, a hash of your password is stored in the system registry. The Groove Relay service tries to prevent public access to the registry key where the password hash is stored, but a security specialist at your company should verify that the access controls on the Groove Relay registry keys are appropriate for your site. To check the Groove Relay access control settings, see the registry permissions on the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters
   - Unattended Startup does not, on its own, start the Groove Relay, or force the Groove Relay to automatically restart upon failure or upon reboot. You must use the Windows Services applet settings to configure automatic startup and to start the Groove Relay service.
   - If you disable unattended startup, you must exit the Groove Relay Configuration control panel applet, open the Windows Services applet, select the Groove Relay service, and on the Log On tab, under Log on as: Local System Account, enable Allow service to interact with the desktop.
   Default: selected (enable unattended startup)

3. When prompted to enter the Private Key File Password, enter and confirm a password of up to 255 characters, then click OK when prompted to generate the necessary files. The Groove Relay uses this password to decrypt private key information which the server requires to run. The system will prompt you for this password whenever you manually restart the Groove Relay, unless the Unattended Startup option is selected. When the Unattended Startup option is selected, the server uses a hash of this password stored in the registry. This password applies to both the Groove Relay private key file and the SOAP private key file configured on the SOAP tab, as described in the next section.

   Note: Memorize this password because you cannot recover it if it is lost or forgotten. The password is not stored anywhere directly. Only a hash of the password is stored in the registry (under the Groove Relay Parameters key), and only if the Unattended Startup option is selected. See for more information about this password.

4. Click the Next button to continue to the next procedure and create the SOAP identity files necessary for communication with the Groove Manager server. The Next button is disabled if you have not completed the required fields. To return to a previous window to review or edit a value, you can always press the Back button.

Important: If you make any changes to the Groove Relay configuration parameters while the Groove Relay is running, you must restart the Groove Relay service in order for the changes to take effect.
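The table above asks a security specialist to verify the access controls on the Parameters key that holds the password hash when Unattended Startup is selected. The following PowerShell script is an added example, not part of Microsoft's documentation or product, that lists Allow entries granted to broad principals on that key. The set of SIDs treated as "broad" is this example's assumption; adjust it to your site's policy.

```powershell
# Added example (not Microsoft's code). Run from an elevated Windows PowerShell
# 3.0 or later prompt on the Groove Relay server.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters'

# Well-known SIDs for broad, non-administrative audiences. SIDs are matched
# instead of account names so the check works on any OS display language.
# Which principals count as "broad" is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

function Get-BroadRegistryAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][hashtable]$Sids
    )
    $acl     = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # $true, $true = include both explicit and inherited rules.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $Sids.ContainsKey($sid))        { continue }

        # Every Allow entry for a broad principal is reported, whatever its
        # rights: registry ACEs often carry generic rights that do not map onto
        # the named RegistryRights flags, so filtering on "read" could miss them.
        [pscustomobject]@{
            Identity  = $Sids[$sid]
            Sid       = $sid
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "Key not found: $KeyPath"
    return
}

$acl = Get-Acl -Path $KeyPath
'Owner: {0}' -f $acl.Owner
'Inheritance from parent key blocked: {0}' -f $acl.AreAccessRulesProtected

$findings = @(Get-BroadRegistryAccess -Path $KeyPath -Sids $BroadSids)
if ($findings.Count -eq 0) {
    'No Allow entries for broad principals on the Parameters key.'
} else {
    Write-Warning ('{0} Allow entries for broad principals need review:' -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```

An inherited entry in the output means the permission comes from a parent key, so it has to be addressed there or by blocking inheritance on the Parameters key.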

Groove Relay Key Files

The following table lists the Groove Relay key files, all of which should be backed up.

Key File (stored in Relay server install directory by default) | Description

privkey.dat, ServerCertificate.xml (not displayed in UI) | Private key files that contain the Groove Relay private keys. The Groove Relay creates these keys during initial configuration and then encrypts them using a hash of the user’s password. The Groove Relay uses these keys to authenticate itself to users whenever they contact the Groove Relay to collect messages and workspace updates.

ServerCertificate.cer | Certificate file that contains the Groove Relay public key. The Groove Manager application distributes this key to managed Groove users who use it to send secure Groove messages and data to the Groove Relay.

ServerCertificate.xml | Private key file that contains the server private signing key.

ServerSOAPKeyStore.xml | Private key file that contains the Groove Relay’s Simple Object Access Protocol (SOAP) private key. The Groove Relay creates this key during initial configuration and then encrypts it using a hash of the user’s password. The Groove Relay then uses this key to authenticate itself to the Groove Manager server when Groove Manager contacts the Groove Relay.

ServerSOAPCertificate.cer | Certificate file that contains the Groove Relay’s SOAP public key. This key is used by the Groove Manager to send secure Groove data to the Groove Relay.

ServerID.xml | File that contains Groove client parameters and relay SOAP identity information. Parameters include the Groove Relay public key and the Groove Relay name. The Groove Manager administrator will retrieve this file for upload to the Groove Manager server, which automatically deploys them to clients during relay assignment. Clients will use these parameters when registering with a Groove Relay server.

See Also:
Configuring the Groove Relay
Getting Started with Groove Server Relay

Generating SOAP Key Files

To support communications between the Groove Relay and Groove Manager servers, you can configure the SOAP key settings to update the Groove Relay registry with the serverID.xml file and other important keys. Note that the Groove Manager server, on which the Groove Relay depends for certain administrative tasks, is designed to communicate with the Groove Relay via Simple Object Access Protocol (SOAP) over port 8009. Therefore, you must configure the Groove Relay SOAP interface to be recognizable to the Groove Manager.

To configure the Groove Relay SOAP interface for communications between the Groove Relay and Groove Manager servers:
1. From the Groove Relay Configuration control panel applet SOAP tab, enter information in the fields as described in the following table:

SOAP Configuration Fields | Values

Relay SOAP Interface Name | Accept or edit the default name. This is a fully qualified DNS name for the Groove Relay SOAP interface that you previously registered with your Domain Name Service. Use the format http://... For example, http://relay1.contoso.com. Groove Manager uses this name to contact the Groove Relay via SOAP. The default name is based on the DNS name of the Groove Relay machine on the network. If you want the name in this field to be the same as the Groove Relay name that you already defined on the Server tab, select the Same As Relay Server Name option (the default condition). If you want to use a different name for the SOAP interface (for example, if you have assigned the SOAP interface to a specific internal network interface card separate from the publicly-used interface), make sure to register the name with DNS first.

Private Key File Name | Accept the default file name or edit it (for example, to include the Groove Relay name). This will be the name of the Groove Relay SOAP interface private key file once it is generated. The file contains the Groove Relay SOAP private key. This key file is encrypted using the same password entered on the Server tab. Default: ServerSOAPKeyStore.xml

Certificate File Name | Accept the default file name or edit it (for example, to include the Groove Relay name). Then click the Generate Files button to create the private key and certificate files. The certificate file name is that of the server’s SOAP certificate file once it is generated. This certificate file contains the server’s SOAP interface public key. The Groove Manager uses this certificate when sending messages to the Groove Relay. Default: ServerSOAPCertificate.cer

Export ID File Name | Accept the default name of the ServerID.xml file or edit it. This file contains the Groove Relay certificates, relay server name, and SOAP interface name, required by the Groove Manager and Groove clients to establish secure communication with the Groove Relay. The file is not encrypted because it contains only public data.

2. Once you have generated the SOAP private key and certificate files (by clicking the Generate Files button) and then clicked the Export ID File button, click the Next button to continue to the Security tab.
3. Review the settings on the Security tab. The setting here concerns how the Groove Relay handles messages addressed to unmanaged Groove users. The default is the most secure and recommended setting, so you can accept it, then click Next to continue to the Tuning tab. For more information about the user authentication setting, see "Changing the Groove User Authentication Setting."
4. Review the settings on the Tuning tab. The defaults are generally the recommended settings so, with the exception of the Microsoft Continuous Improvement Program settings, you can accept the defaults and click the Next button to continue to the Security tab. For information about the Tuning settings, see the following topics:
   - "Tuning the Groove Relay Server"
   - "Moving the Data Directory to Another Location"
   - "Participating in the Microsoft Customer Experience Improvement Program"
5. Click the Finish button to complete the initial relay server configuration and exit the control panel. A window appears indicating that Groove Relay configuration is complete, followed by a pop-up window advising you to back up the newly generated key files.
6. Click Close, then back up the relay key files, as described in the next section, Backing Up Initial Groove Relay Key Files.

Important: If you make any changes to the Groove Relay configuration parameters while the Groove Relay is running, you must restart the Groove Relay service in order for the changes to take effect.

See Also:
Configuring the Groove Relay
Getting Started with Groove Server Relay

Backing Up Initial Groove Relay Key Files

An important step in securing the Groove Relay is to back up critical relay registry settings, files, and directories. If you neglect to back up these items and then uninstall or reinstall the Groove Relay, or if the Groove Relay disk drive fails, you risk permanently losing the Groove Relay identity information. When you finish with the initial Groove Relay installation and configuration process, a prompt asks you to enter the name of the directory to be used for backing up the server’s key files (including the private key, certificate, and identification files). You can perform this backup immediately or at another time, but backing up immediately is highly recommended.

To back up the Groove Relay key files immediately after relay server installation and configuration:
1. When prompted with a backup file selection window at the end of the Groove Relay installation process, select a secure directory on your network on the removable media where the backed up relay server key files will reside. As best practice, back up these files to permanent removable media and then secure the media at an off-site location.
2. Click OK to back up all the key files.
3. As best practice, back up the relay registry settings as described in Backing Up Groove Relay Registry Settings.

Now that you have configured the Groove Relay, you can proceed to configuring service startup and recovery settings, described in Configuring Groove Relay Service Startup.

See Also: Getting Started with Groove Server Relay

Configuring Groove Relay Service Startup

Once the Groove Relay is installed and configured on the server machine, configure the Groove Relay service start and recovery options.

To configure the Groove Relay service startup and recovery settings:
1. Go to Start --> Programs --> Administrative Tools --> Services --> Groove Relay (or Start --> Settings --> Control Panel --> Administrative Tools --> Services --> Groove Relay), then edit the fields on the General tab.
2. Set Startup type to Automatic.
3. Go to the Log On tab and make sure that Log on as: Local System Account is selected.
4. If you decide later that you want to require operator entry of the Groove Relay password, return to this window and change this option to allow service interaction.
5. Configure the Groove Relay service recovery settings options under Log on as: Local System Account by clicking the check box Allow service to interact with the desktop.
6. Click the Recovery tab and enter values as shown in the following table:

Groove Relay Service Recovery Settings | Values
First Failure | Restart the Service
Second Failure | Restart the Service
Subsequent Failure | Restart the Service
Reset Failure Count | 999
Restart service after | 1 minute

   Note: Be sure that you have completed configuration of the server in the Groove Relay Configuration control panel applet; otherwise the service will not start.

7. Click Apply, then click OK.

After configuring relay service startup options, take the recommended step of binding the relay ports to separate network interface cards, as described in Binding Administrative Ports to Specific NICs.

See Also: Getting Started with Groove Server Relay

Binding Administrative Ports to Specific NICs

Groove Relay uses two administrative listener ports: SOAP port 8009 for relay management transmissions from the Groove Manager, and port 8010 for browser access to the Groove Relay’s administrative Web interface. By default, SOAP port 8009 is bound to all network interface cards and port 8010 is bound to localhost (IP address 127.0.0.1). Typically, SOAP port 8009 should be configured to allow Groove Manager access over a restricted (or, if necessary, public) network. Port 8010 should keep its default binding, for local administrative access only (allowing no remote access), because Groove Relay currently uses basic authentication (Base64 encoding), not Secure Socket Layer (SSL) encryption. Binding these ports to separate network interface cards (NICs) is recommended.

To bind the Groove Relay administrative listener ports (8009 and 8010) to specific network interface cards:
1. Click Start->Run and enter regedit.exe.
2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters
3. Use the registry editor to define the following string value names:
   For port 8009: AdminGrooveSOAPInterface
   For port 8010: AdminInterface
4. Right-click a port name and set the string value to the dotted IP address of the interface (such as 192.168.1.1) to which you want to restrict the administrative port. Port 8009 should be configured for public or restricted access by the Groove Manager; Port 8010 should be configured for internal access (for administrative use).

Now you are ready to start and test your Groove Relay installation, as described in Starting the Groove Relay.

See Also: Getting Started with Groove Server Relay
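The same binding can be scripted and then checked against what the server actually listens on. The following PowerShell script is an added example, not Microsoft's code: the function names are hypothetical, and representing the default "all network interface cards" binding of port 8009 as 0.0.0.0 is this example's assumption. It uses only the registry key and value names given in the procedure above.

```powershell
# Added example (not Microsoft's code). Run from an elevated Windows PowerShell
# 3.0 or later prompt on the Groove Relay server.
$ParamsKey = 'HKLM:\SOFTWARE\Microsoft\Office Server\Groove\Groove Relay\Parameters'

# Registry value name per administrative port, plus the default binding the
# page describes when no value is set (0.0.0.0 = all interfaces, an assumption).
$AdminPorts = @{
    8009 = @{ Name = 'AdminGrooveSOAPInterface'; Default = '0.0.0.0'   }
    8010 = @{ Name = 'AdminInterface';           Default = '127.0.0.1' }
}

function Get-LocalIPv4Address {
    # Every IPv4 address currently assigned to an interface on this machine.
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object   { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.ToString() }
}

function Set-RelayAdminBinding {
    param(
        [Parameter(Mandatory = $true)][ValidateSet(8009, 8010)][int]$Port,
        [Parameter(Mandatory = $true)][string]$Address
    )
    # The procedure calls for a dotted IP address, so reject anything else.
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Not a dotted IPv4 address: $Address"
    }
    $ip = $null
    if (-not ([System.Net.IPAddress]::TryParse($Address, [ref]$ip))) {
        throw "Octet out of range in: $Address"
    }
    $normalized = $ip.ToString()
    $isLoopback = [System.Net.IPAddress]::IsLoopback($ip)

    # A typo here would leave the port bound to an address no NIC owns.
    if ((-not $isLoopback) -and ((Get-LocalIPv4Address) -notcontains $normalized)) {
        throw "$normalized is not assigned to any interface on this machine."
    }
    # Port 8010 uses basic authentication without SSL (see the section above).
    if (($Port -eq 8010) -and (-not $isLoopback)) {
        Write-Warning 'Port 8010 will accept remote connections over an unencrypted channel.'
    }
    New-ItemProperty -Path $ParamsKey -Name $AdminPorts[$Port].Name `
        -Value $normalized -PropertyType String -Force | Out-Null
}

function Get-RelayAdminListener {
    # Compare the live TCP listeners on 8009/8010 with the configured binding.
    $cfg = Get-ItemProperty -Path $ParamsKey -ErrorAction SilentlyContinue
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

    foreach ($ep in $ipProps.GetActiveTcpListeners()) {
        if (-not $AdminPorts.ContainsKey($ep.Port)) { continue }
        $entry = $AdminPorts[$ep.Port]
        $expected = if ($cfg -and $cfg.($entry.Name)) { $cfg.($entry.Name) } else { $entry.Default }
        [pscustomobject]@{
            Port            = $ep.Port
            ListeningOn     = $ep.Address.ToString()
            Expected        = $expected
            MatchesConfig   = ($ep.Address.ToString() -eq $expected)
            RemoteReachable = (-not [System.Net.IPAddress]::IsLoopback($ep.Address))
        }
    }
}

# Constructed sample addresses; substitute the addresses of this server's NICs.
# Set-RelayAdminBinding -Port 8009 -Address '192.168.1.1'
# Set-RelayAdminBinding -Port 8010 -Address '127.0.0.1'

# The page states that configuration changes need a restart of the Groove Relay
# service; run this check after that restart.
Get-RelayAdminListener | Format-Table -AutoSize
```

A row for port 8010 with RemoteReachable set to True, or any row with MatchesConfig set to False, means the running service does not reflect the intended binding.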

Starting the Groove Relay

Before starting the Groove Relay, be sure that you have configured it in the Groove Relay Configuration control panel applet as described in the previous sections. You can get online Help with Groove relay configuration and maintenance from the Groove Relay Configuration control panel applet.

The following sections cover relay startup and Help access:
Starting the Groove Relay Server
Getting Help for Groove Relay

See Also: Getting Started with Groove Server Relay

Starting the Groove Relay Server

You start the Groove Relay as a service, as described below.

To start the Groove Relay server:
1. From the Groove Relay server, go to Start --> Programs --> Administrative Tools --> Services.
2. Right-click on the service Groove Relay and select Start.
3. The service should start within a few seconds.
4. To test the server installation, open a browser and enter one of the following URLs:
   http://localhost:8010/ or http://127.0.0.1:8010/

   Note: If you configured the Groove Relay service to require attended startup (by clearing the Unattended Startup option in the Groove Relay Configuration control panel applet and setting Allow service to interact with the desktop, in the Windows Services applet), the server will prompt you for the private key file password whenever the server starts up. If you enter an incorrect password, or cancel the password prompt, the server will not start. See “Identifying the Groove Relay and Generating Groove Relay Key Files” for other implications of this setting.

You can get online Help with Groove relay configuration and maintenance from the Groove Relay Configuration control panel applet, as described in Getting Help for Groove Relay.

Now that you have installed and configured the Groove Relay, set up the Groove Manager, as described in Setting up the Groove Manager.

See Also:
Starting the Groove Relay
Getting Started with Groove Server Relay

Getting Help for Groove Relay

Groove provides online Help about configuring and managing the Groove Relay. To access online Help for the Groove Relay, do the following:
   - Open the Groove Relay Configuration control panel applet and click the Help button on the lower right corner of any Groove Relay configuration tab.

See Also:
Starting the Groove Relay
Getting Started with Groove Server Relay

Setting up the Groove Manager

Once you have installed and configured the Groove Relay on your company’s network, you are ready to configure the Groove Manager to communicate with the Groove Relay, as described in the online Help that accompanies the Groove Manager component of the Office Groove Server. This process involves an initial exchange of keys between the Groove Manager and Groove Relay, necessary to establish SOAP communications between the two servers. After the key exchange is complete, you can provision managed users at your company with an ordered set of Groove Relay servers.

You provision users to a Groove Relay server via company domains configured on the Groove Manager server at your site. Groove users are defined on the Groove Manager as members of a domain group, so when a relay server set is added to the domain, domain users are provisioned to that relay server set. Groove clients contact the relay servers in the set in the order they appear in the assigned set. The Groove Manager allows administrators to re-order Groove Relay servers as needed, and to purge relay message queues when queue quotas are exceeded.

See Also: Getting Started with Groove Server Relay

VI. Getting Started with Groove Server Data Bridge

The Microsoft Office Server 2007 Data Bridge is a Web services-based application that enables data and process integration between Microsoft Office Groove workspaces and third-party applications used by an organization. In this model, integration programs, hosted by external applications, access Groove Data Bridge identities through SOAP calls to Web services enabled on the Groove Data Bridge. As Groove workspace members, Data Bridge identities process Web services calls on behalf of Groove clients, making Groove Data Bridge a server-based access node to Groove workspaces.

For information about how to develop applications that integrate with Groove workspaces on the Groove Data Bridge server, see the Groove Web Services Programmer’s Guide and Groove Web Services API Reference that accompany the Microsoft Office Groove 2007 Software Development Kit (SDK).

Before you begin, check that your site meets the Groove Data Bridge hardware and software Requirements listed below. Once the requirements are met, setting up a Groove Data Bridge server at your site involves the procedures addressed here.

In this section:
Readme for Office Groove Server 2007 Data Bridge
Requirements for Groove Data Bridge
Installing the Groove Data Bridge
Accessing the Administrative Interface
Deploying a Groove Data Bridge Identity
Ending the Session

Readme for Office Groove Server 2007 Data Bridge

This document contains late breaking information for Microsoft® Office Groove® Server Groove Data Bridge. Groove Data Bridge is an application that provides a central control point for managing automated end-user services that help integrate Microsoft Office Groove with databases and other support systems on a company's network. The following sections describe important issues concerning Groove Data Bridge use, and changes from prior versions.

Issues and Notes

The following table lists important issues and notes concerning Groove Data Bridge use.

Issue or Question: Is a Groove Manager required to run the Groove Data Bridge?
Answer: A Groove Manager server is optional. In a managed Groove environment, if you want to manage the Groove Data Bridge the Microsoft Office Groove Manager server or Office Groove Enterprise Services Manager is necessary. Note that previous Groove Manager versions are not supported with this version of Groove Data Bridge.

Issue or Question: What type of third-party devices are required?
Answer: Any device necessary to support the software with which Groove Data Bridge is integrating, such as a SQL server. Installing connection integration target code on the Groove Data Bridge server machine is NOT recommended.

Issue or Question: What version of Groove clients are supported?
Answer: Microsoft Office Groove 2007 is recommended; Microsoft Office Groove 3.0 or later is supported.

Issue or Question: What Groove workspace versions can be used with Groove Data Bridge 2007?
Answer: This version of the Groove Data Bridge supports workspaces created by the Office 2007 version of any Office Groove product or prior workspaces created in Groove 3.1.

Issue or Question: Where is Groove Data Bridge administrator documentation located?
Answer: For information and instructions about installing, configuring, managing, and upgrading the Groove Data Bridge, see the Groove Data Bridge Administrator's Guide (GrooveDataBridgeAdministratorsGuide.pdf) included on the product CD or the online Help.

Issue or Question: What names have changed in the new release?
Answer: Microsoft Office Groove Data Bridge (Groove Data Bridge) now replaces the former product name of Groove Enterprise Data Bridge (EDB).

Issue or Question: Are upgrades supported?
Answer: Upgrading from any previous Enterprise Data Bridge (EDB)-based product to Groove Data Bridge is not supported.

Issue or Question: How does Groove Data Bridge handle Groove components?
Answer: All Groove-authored components are now installed automatically on the Data Bridge server, rather than being available for download on demand. Third-party custom tools are not supported. Modifications to the Policies page are not supported and the page may be removed for final release of the product.

Issue or Question: Are custom bots supported?
Answer: This Groove Data Bridge product does not support custom bots (agents).

Issue or Question: Are third-party tools supported?
Answer: This Groove Data Bridge product does not support third-party Groove tools or tools written in .NET Framework.

Issue or Question: Are custom Web Services from previous EDB versions supported?
Answer: Groove Data Bridge does not support custom Web Services.

Issue or Question: Does an account backup completion notice appear?
Answer: After a Groove Data Bridge account backup, a completion notice does not appear in this version of the product. Typically this process takes less than 1 minute.

Issue or Question: Is CASAHL EcKnowledge supported?
Answer: CASAHL EcKnowledge is not compatible with the current Groove Data Bridge version. The Forms Publisher bot and tool are not part of the Groove Data Bridge 2007 product.

Issue or Question: What prerequisites are necessary for running the Groove Data Bridge as a Windows service?
Answer:
• Before running the Groove Data Bridge as a Windows service, complete the Groove Data Bridge account setup configuration, as described in the Groove Data Bridge installation instructions above (and in the Groove Data Bridge Administrator's Guide that accompanies the Data Bridge application). If the Data Bridge is started as a service before configuration is complete, the Data Bridge administrator will be unable to create the necessary directories in the file system.
• The Remember password option should be selected to prevent prompting for account password while performing automated restarts. This option is set during installation and can be reset whenever the password prompt appears.

Issue or Question: What special steps are required for running external PKI on Groove Data Bridge?
Answer:
• When the management domain uses external PKI, the client authentication certificates for the Groove Data Bridge identities should be imported into the Local Machine Personal Store, not the Current User Personal Store. The recommended method is to use the Certificate Add-in in the Microsoft Management Console (MMC), then choose the machine option.
• When using external PKI for Groove Data Bridge on a Vista Server machine, export the certificate from the Vista Server certificate server, and import the certificate to the local Data Bridge machine.

Issue or Question: What considerations should be made when choosing paths for Data Bridge account backups, space archives, and GFS workspaces?
Answer: When choosing directory paths for account backups, workspace archives, and GFS workspaces, use Universal Naming Convention (UNC) names instead of drive mappings. Drive mappings are typically specific to an individual user and Groove Data Bridge does not run under a Windows account accessible to a user. Paths to network resources that require user level credentials may cause failures, possibly silent.

Issue or Question: What conditions are necessary for running the Groove Data Bridge on a closed network?
Answer: When running Groove Data Bridge in a closed network environment, observe the following practices:
• Create Managed Data Bridge identities to help ensure a secure environment and maintain proper system functioning. See the Groove Data Bridge Administrator's Guide for information about creating Managed identities.
• Ensure that the closed network does not allow communication with clients on the Internet. For information about enabling Groove clients in a closed network to allow access to Internet-based clients, contact Microsoft Office Groove Support.

Issue or Question: In a managed environment, does the Groove Data Bridge server support identities from multiple Groove management domains?
Answer: No. All managed identities defined for a Groove Data Bridge account must be members of the same management domain.

Issue or Question: What size limits exist for workspaces on a Groove Data Bridge server?
Answer: Groove Data Bridge does not archive workspaces greater than 2 gigabytes, so avoid supporting workspaces that exceed that size. You can check the size of any workspace of which a Data Bridge identity is a member by navigating to Workspaces in the Data Bridge administrative interface, selecting a workspace, and clicking Properties.

Issue or Question: Proxy NTLM authentication does not work properly.
Answer: The Groove Data Bridge proxy prompt does not function reliably in this Groove Data Bridge version. Specify all the proxy credentials on the Proxy Settings page (accessed from the Groove Data Bridge Options menu). If you are running Groove Data Bridge with a proxy device, configuring the proxy through the Proxy Settings page is recommended.

Issue or Question: Available memory is declining noticeably.
Answer: Numerous Space Creation and Space Invitation requests can significantly deplete memory. Restart the Groove Data Bridge service when total memory in use exceeds the installed physical RAM.

Issue or Question: The Groove Data Bridge intermittently terminates abnormally.
Answer: The following error message may appear:
"Abnormal termination: Groove has detected that a redundant database has become corrupt. This redundant database has been deleted and Groove must now shut down. A new redundant database will be created the next time Groove is started."
This is a benign event and can be accommodated by going to the Recovery tab of the Windows Services applet and configuring the Microsoft Office Groove Data Bridge service to automatically restart.

Issue or Question: When archiving Groove workspaces for a Groove Data Bridge identity, all workspaces are not archived.
Answer: If the archiving feature is not enabled while a Data Bridge identity is receiving workspaces, some spaces may not be archived, due to the time required for the Groove Data Bridge to scan all workspaces. All spaces should be completely archived during the next 24-hour archive cycle.

Issue or Question: The following error appears during installation: "You cannot create a new folder here. Choose a different location", you clicked OK past the error, and now the Groove Data Bridge will not run.
Answer: Windows limits total path length to 250 characters. Your total path length was too long. To solve the problem and allow you to rerun the post install, follow these steps:
1. From the Start menu, run regedit and navigate to:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Groove
2. Delete the PersistRoot key.
3. Set the GDBInstallState key value to 0.

Issue or Question: The Groove Data Bridge server contains numerous orphaned workspaces (spaces with no other members than the Data Bridge identity).
Answer: You can configure Groove Data Bridge to automatically delete spaces when it becomes the last member of the space. To configure the Data Bridge to automatically delete any space that changes from multiple members to one member, follow these steps:
1. From the Start menu, run regedit and navigate to:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Groove\
2. Add the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Groove\EDB
3. Navigate to:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Groove\EDB
4. Add the following DWORD value:
   DeleteOrphanSpaces = 1
5. Restart the Data Bridge server.
Note that any spaces that have made this transition prior to this change will not be automatically deleted.

Issue or Question: The Event Viewer for Groove Data Bridge cannot be accessed.
Answer: You can correct this problem by uninstalling, then reinstalling the Groove Data Bridge Windows service. To uninstall and reinstall the Groove Data Bridge service, follow these steps:
Uninstall the Data Bridge service by entering the following at a command line:
   GrooveEIS.exe -u
Reinstall the Data Bridge service by entering the following at a command line:
   GrooveEIS.exe -I
This issue will be addressed in future product versions.

Issue or Question: The following message appears when an administrator tries to accept an invitation to an Archive Workspace: "You cannot accept invitations from earlier Groove versions. Groove is configured to accept invitations to workspaces created in Groove version 2007 or later."
Answer: The Archive Workspace log was created in Groove version 3.1. The administrator's Groove client can be configured to accept invitations from pre-2007 Groove versions as follows:
1. Select Preferences from the Options menu.
2. Click the Security tab.
3. Clear the Workspace Restrictions setting: Restore or join only Microsoft Office Groove 2007 (or later) workspaces.
4. Click OK.
For managed Groove users, the management domain administrator should configure the workspace acceptance policy to allow pre-2007 versions, as follows:
1. From the Groove Manager, navigate to the identity policy template for the domain.
2. Go to the Workspace Version Policies section of the Member Policies page and ensure that the Workspace Acceptance and Restoration Policy for Minimum Workspace Version is set to Client Default or No Minimum.
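The path, external PKI and orphaned-workspace items in the table above can be checked from one PowerShell script. This is an added example, not Microsoft's code: the function names, the sample paths and the certificate subject pattern are assumptions, while the registry key and the DeleteOrphanSpaces value are the ones the table gives.

```powershell
# Added example (not Microsoft's code). The registry key and DeleteOrphanSpaces
# value come from the readme table; function names, sample paths and the
# subject pattern are assumptions made for illustration.
$GrooveKey = 'HKLM:\SOFTWARE\Microsoft\Office Server\12.0\Groove'
$EdbKey    = Join-Path $GrooveKey 'EDB'

function Test-GdbUncPath {
    # $true only for \\server\share[\...]; a drive-letter path returns $false.
    param([Parameter(Mandatory=$true)][string]$Path)
    return [bool]($Path -match '^\\\\[^\\/]+\\[^\\/]+')
}

function Get-GdbCurrentUserClientCert {
    # Lists client-authentication certificates matching $SubjectLike that sit in
    # the Current User Personal store. The readme asks for Data Bridge identity
    # certificates to be in the Local Machine Personal store instead.
    param([Parameter(Mandatory=$true)][string]$SubjectLike)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $SubjectLike } |
        Where-Object {
            $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
            # A certificate with no EKU extension is valid for all purposes.
            (-not $eku) -or
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)
        } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Get-GdbDeleteOrphanSpaces {
    # Returns the current DWORD value, or $null when the key or value is absent.
    if (-not (Test-Path -Path $EdbKey)) { return $null }
    $prop = Get-ItemProperty -Path $EdbKey -Name DeleteOrphanSpaces -ErrorAction SilentlyContinue
    if ($prop) { return $prop.DeleteOrphanSpaces }
    return $null
}

function Set-GdbDeleteOrphanSpaces {
    # Idempotent form of the regedit steps: create the EDB key if missing,
    # set DeleteOrphanSpaces = 1, and report the value before and after.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    if (-not (Test-Path -Path $GrooveKey)) {
        throw "Registry key not found: $GrooveKey"
    }
    $before = Get-GdbDeleteOrphanSpaces
    if (-not (Test-Path -Path $EdbKey)) {
        if ($PSCmdlet.ShouldProcess($EdbKey, 'Create registry key')) {
            New-Item -Path $EdbKey | Out-Null
        }
    }
    if ($before -ne 1 -and $PSCmdlet.ShouldProcess("$EdbKey\DeleteOrphanSpaces", 'Set DWORD to 1')) {
        New-ItemProperty -Path $EdbKey -Name DeleteOrphanSpaces -PropertyType DWord -Value 1 -Force | Out-Null
    }
    New-Object PSObject -Property @{ Key = $EdbKey; Before = $before; After = (Get-GdbDeleteOrphanSpaces) }
}

# --- Run the checks. The sample values below are constructed. ---
$storagePaths = @('\\fileserver01\gdb\backup', 'G:\gdb\archive')
foreach ($p in $storagePaths) {
    if (-not (Test-GdbUncPath -Path $p)) { Write-Warning "Not a UNC path: $p" }
}

Get-GdbCurrentUserClientCert -SubjectLike '*GDB-Identity*' | ForEach-Object {
    Write-Warning ("Certificate is in the Current User store, expected Local Machine: {0} ({1})" -f $_.Subject, $_.Thumbprint)
}

try {
    # -WhatIf only reports what would change. Remove it to apply the change,
    # then restart the Data Bridge server as the readme instructs.
    Set-GdbDeleteOrphanSpaces -WhatIf
} catch {
    Write-Warning $_.Exception.Message
}
```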

Summary of Changes from Prior Versions

The Office Groove Server 2007 Groove Data Bridge differs from prior Groove Data Bridge versions as follows:
• Groove Data Bridge services (as distinct from Web services) are now called identities, corresponding to Microsoft Office Groove client identities on which Groove Data Bridge is based.
• Workspace backup is now called workspace archiving, to more accurately reflect this functionality.
• New server account backup feature.
• The Groove Data Bridge installer is now MSI-based and includes a simplified setup wizard.
• Improved administrative interface.
• New facility for account restoration and disaster recovery.
• New command line option for clearing Event Log queues.
• Third-party PKI support.
• Compatibility with Groove Folder Synchronization (GFS) workspaces.
• Groove Data Bridge event logs are now managed from the Windows Event Viewer.

See Also: Getting Started with Groove Server Data Bridge

Requirements for Groove Data Bridge

The following sections describe the hardware and software required to install and run the Groove Data Bridge.

In this article:
• Hardware Requirements
• Software Requirements
• Expertise Requirements

Hardware Requirements

The Groove Data Bridge requires the following hardware.

Machine: Microsoft® Office Groove® Data Bridge server
Specifications:
   Processor: 64-bit processor supporting AMD64 or Intel® EM64T instruction set
   Processor speed: AMD 1.8 GHz or higher, or Intel 2.4 GHz or higher
   RAM: 3 GB minimum
   Disk: 400 GB
   Communications: 2 Gigabit Ethernet cards (fiber or copper)
   Note: Groove Data Bridge requires a dedicated machine. Do not install the Microsoft® Office Groove® client or any Groove server application on the Groove Data Bridge machine.

Machine: Groove Manager server (for managed environment)
Specifications: As specified in the Groove Manager documentation that supports the Groove Manager component of the Microsoft Office Groove Server.

Machine: Office Groove client devices
Specifications: As specified in the Office Groove product requirements.

Machine: Application server
Specifications: Any device necessary to support the software with which Groove Data Bridge is integrating.

Software Requirements

To support the current set of Groove Data Bridge features, Groove Data Bridge requires the following software.

Notes
• Set the screen resolution to 800 x 600 pixels or higher to ensure that the complete Groove Data Bridge administrative interface windows fit on your computer screen.

For this Machine: Microsoft Office Groove Data Bridge server
You Need this Software:
• One of the following:
   • Windows Server 2003 Standard x64 Edition Service Pack 1 (or later)
   • Windows Server Vista
• Microsoft® Office Groove Server 2007 Data Bridge

For this Machine: Groove Manager server (optional)
You Need this Software: To support managed Groove Data Bridge identities, you need one of the following:
   Microsoft Office Groove Server 2007 Manager (for onsite installations)
   Microsoft Office Groove Enterprise Services Manager (requires Internet connection)

For this Machine: Office Groove Client software
You Need this Software:
   Microsoft Office Groove 2007, recommended
   Microsoft Office Groove 3.0 or later, supported

For this Machine: Application software
You Need this Software: Database or other software packages that you are integrating with Groove.

Expertise Requirements

Groove Data Bridge administrators should have the following expertise:
• Network security and topology
• Windows server administration
• Familiarity with Microsoft Office Groove
• Familiarity with setting security policies

See Also: Getting Started with Groove Server Data Bridge

Installing the Groove Data Bridge

This section explains how to install the Microsoft Office Groove Data Bridge (Groove Data Bridge) software and set up a server account. Note that, unlike a Groove account, a Data Bridge account cannot be active on more than one device at a time.

To install the Groove Data Bridge*:
*Make sure that Groove is not (and never has been) installed on this machine. The Groove Data Bridge installation is separate from any Groove installation.

1. Install Windows Server 2003 Standard Edition x64 Edition Service Pack 1 (or later) on the Groove Data Bridge machine.
2. Insert the Microsoft Office Groove Server 2007 CD into the drive.
3. Select the option to install Microsoft Office Groove Server 2007 Data Bridge.
4. Follow the Install wizard instructions, entering the product ID key code when prompted.
5. Click Continue. The Microsoft Software License agreement appears.
6. Read and accept the Microsoft Software License agreement.
7. Click Continue. A window appears displaying the Basic or Advanced install options.
8. Select Basic to install now, or select Advanced to specify more options, as described in the following table, then click Install Now.

   Groove Data Bridge Install Option: Basic
   Explanation: To install the Groove Data Bridge application in the default installation directory, c:\Program Files\Microsoft Office Servers\12.0\Groove\Groove Data Bridge.

   Groove Data Bridge Install Option: Advanced
   Explanation: To specify the following options, then install the Groove Data Bridge application:
      File location – To specify a Groove Data Bridge installation directory.
      Feedback – To specify whether you want to participate in the Customer Experience Improvement Program (CEIP). You can choose to participate later or opt out of the program via the Groove Data Bridge Help menu. For more information about configuring this option, see Participating in the Microsoft Customer Experience Improvement Program in the Groove Data Bridge Administrator’s Guide. For information about CEIP and its privacy policy, see http://go.microsoft.com/fwlink/?LinkId=52143 .

9. Once the software installation finishes, click Close.
10. Start the Groove Data Bridge Application from the Start menu by going to Start –> Programs –> Microsoft Office Server –> Microsoft Office Groove Data Bridge 12.
11. When prompted, accept the default Groove Data Bridge data storage location, or browse to another directory location, then click OK. The Groove Data Bridge Configuration Wizard begins.
12. Select the option Create a new Groove Server Data Bridge to set up a new Groove Data Bridge server, then click Next. If you need to restore an existing Groove Data Bridge, select the option Restore a previously installed Microsoft Office Groove Server Data Bridge, and select the automatic or manual option for fetching your workspaces, then click Finish. The Setup Groove Data Bridge window appears.
13. Type the requested information in the Setup fields as shown in the table below:

   Account Setup Field: Server name
   Description: Enter the machine name (such as Groove Data Bridge_Server_1).

   Account Setup Field: Password
   Description: Type a password for the account.

   Account Setup Field: Confirm Password
   Description: Re-type the password to confirm it.

   Account Setup Field: Remember password
   Description: Select this option if you want the Groove Data Bridge to remember your password when operating as an auto-run Windows service - the recommended mode of operation, as it reduces vulnerability by limiting the frequency of Groove Data Bridge logins.
   Note: If you select this option, make sure that you have secured the server against unauthorized access.

   Account Setup Field: Backup account
   Description: Accept the option to back up server data on , then use the remaining fields to specify a path file name where the backed up files will be saved, and to schedule the backups. This option is recommended though not required. You can edit these settings later, using the Groove Data Bridge administrative interface. For more information about setting the backup options, see Backing Up the Groove Data Bridge Server in the Managing Servers section of this guide.

14. Click Next. The Web Services setup window appears.
15. Type a Web services key and confirm it, using a string of up to 256 characters. This key, comparable to a password, gives access to Web services enabled on Groove Data Bridge. Securely inform remote Web service developers of this key so that their custom programs can access Web services on the Groove Data Bridge. For information about enabling Groove Web Services, see ‘Enabling Web Services’ in the book, Operations for Office Groove Server 2007 – Groove Data Bridge.
16. Click Next. The Setup Identity window appears. A Groove Data Bridge identity is essential in order for the Data Bridge to function in Groove client workspaces. From the Setup Identity window, select the type of identity that you want to create. For your initial ‘trial’ identity, select the Unmanaged option, and type an Identity Name, using up to 256 alphanumeric characters, and an e-mail address. The Managed option lets you create a Groove Data Bridge identity that will be a Groove Manager domain member, subject to the domain’s Groove usage and security policies. Later, if you wish, you can change the initial Unmanaged identity type to Managed. For more information about managed Groove Data Bridge identities, see ‘Creating Managed GDB Identities’ in the book, Operations for Office Groove Server 2007 – Groove Data Bridge.
17. Review the Invitation Processing settings for this identity, and edit them as needed, as described in ‘Configuring a Single Groove Data Bridge Identity’ in the book, Operations for Office Groove Server 2007 – Groove Data Bridge. Note that you can edit these settings later, using the Groove Data Bridge administrative interface.
18. Click Finish. The Groove Data Bridge administrative interface appears, with the new identity in the navigation pane on the left.
19. With the server selected in the navigation pane, confirm that the Server Status setting is Online and change the Web Services settings as needed. For information about changing settings, see the book, Operations for Office Groove Server 2007 – Groove Data Bridge.
20. The Groove Data Bridge server is automatically installed as a Windows (NT) service with a Manual Start setting.
21. If the Groove Data Bridge server is installed in an internal network that requires the use of HTTP proxy servers, make sure the server proxy settings comply with your proxy setup. This allows the Groove Data Bridge server to reach Groove relay servers outside the internal network of which the Groove Data Bridge server is a part. With the Server selected, click the Options menu and select Proxy Settings. The Edit Proxy Settings window appears.

For information about configuring and maintaining Groove Data Bridge, see the book, Operations for Office Groove Server 2007 – Groove Data Bridge.

See Also: Getting Started with Groove Server Data Bridge

Accessing the Administrative Interface

The Groove Data Bridge provides an administrative interface that facilitates server management and monitoring. This section explains how to access this interface and the supporting online Help.

In this section:
• Overview of the Groove Data Bridge Administrative Interface
• Accessing the Groove Data Bridge Administrative Interface
• Getting Help

Overview of the Groove Data Bridge Administrative Interface

The Groove Data Bridge administrative user interface (UI) consists of a navigation pane on the left and a main display window with a toolbar and menus at the top, as follows:

Navigation pane - Hierarchical tree on left side of screen, that displays the Groove Data Bridge server name and the server constituents, including:
   Identities - Groove Data Bridge identities defined on the server.
   Messages - Groove messages received or sent by Groove Data Bridge identities.
   Identity management options for each identity:
      Workspace - Listing of workspaces of which identity is a member.
      Archive Schedule - Setup for scheduling workspace archiving for identity.
      Archive Workspace - Setup for managing archived workspaces for identity.
      GFS Location - Setup for enabling Groove File System workspaces for identity.
Main window - A display window showing the contents of the item selected in the navigation pane.
Toolbar - Buttons above the main window that perform specific tasks (such as creating a new identity), depending on the navigation selection.
Menus - File, Options, and Help menus, as described in the following table.

Menu: File
Menu Items:
   Close Window - To close the Groove Data Bridge UI window.
   Shutdown Server - To shut down the Groove Data Bridge server.

Menu: Options
Menu Items:
   Edit Default Messages - To edit the default messages that a Groove Data Bridge identity uses for accepting or declining Groove invitations. (Available when identity is selected.)
   Activate Identity - To activate (configure) a Groove Data Bridge managed identity.
   Log Web Services Events - To report Groove Web Services events to the Windows Event Log.
   Change Server Password - To change your Groove Data Bridge server password.
   Proxy Settings - To configure proxy settings for Groove Data Bridge.
   Backup Server Settings - To backup Groove Data Bridge server data, for use in recovery after unplanned outages.
   Dynamic menu items - Corresponding to current toolbar items.

Menu: Help
Menu Items:
   Online Help - To view Help for using Groove Data Bridge.
   About Groove Data Bridge

The following table lists administrative tasks associated with the server and identity:

Scope: Server
Tasks: When the Groove Data Bridge server is selected in the navigation pane, you can do the following:
   View and edit server status, Web services status, and contact list.
   Add Groove contact to the server.
   Delete Groove contact from the server.
   Export server contact information.
See Managing Groove Data Bridge Servers later in this guide for detailed information about server management.

Scope: All Identities
Tasks: When Identities is selected in the navigation pane, you can do the following:
   Create identities.
   Delete identities.
See ‘Managing Groove Data Bridge Identities’ in the book Operations for Office Groove Server 2007 Groove Data Bridge for detailed information about identity management and specific identity tasks.

Scope: Selected Identities
Tasks: When an identity is selected in the navigation pane, you can do the following:
   Edit identity contact properties.
   Export identity contact information.
   Manage workspaces of which identity is a member.
   Schedule and manage workspace archive.
   Enable Groove File System (GFS).

Accessing the Groove Data Bridge Administrative Interface

You can access the Groove Data Bridge administrative interface from the Start menu.

To access the Groove Data Bridge administrative interface:
1. Start the Groove Data Bridge Application by going to Start –> Programs –> Microsoft Office Server –> Microsoft Office Groove Data Bridge 12.
2. Select an item from the left navigation pane, depending on what you want to accomplish.

Getting Help

You can access Help and instructions for configuring and using the Groove Data Bridge from the Data Bridge administrative interface.

To access the Groove Data Bridge online Help:
1. Start the Groove Data Bridge application.
2. Click the Help menu, and select Microsoft Office Groove Server 2007 Data Bridge Help.

Deploying a Groove Data Bridge Identity

The usual method of deploying an identity to Groove clients (users) is for clients to invite the identity into a Groove workspace (although this can also be accomplished programmatically). Typically, users in your local area network can access a Groove Data Bridge identity from the local area network contacts list for your company. If you use the No Listing setting and want to allow specific users to invite an identity to a space, you can send them the contact information for the identity to add to their personal contacts list.

You can experiment with inviting a Groove Data Bridge identity to a Groove client workspace, and with sending an instant message from the Groove Data Bridge identity to a Groove client.

To experiment with a Groove Data Bridge identity:
1. Start Microsoft Office Groove on a client device.
2. Create a Groove client workspace by clicking ‘New Workspace’ in the Groove Launchbar and following the online instructions.
3. Invite the Groove Data Bridge identity to the workspace, selecting it from the local network directory list.
4. If the Data Bridge identity is not configured to accept invitations, accept the invitation manually, from the Groove Data Bridge Messages window. Otherwise, the invitation will be automatically accepted (the default setting) and you can skip this step. Once the Groove Data Bridge accepts the invitation, the Data Bridge identity appears in the Workspace Members list. See “Error: Reference source not found” for information about configuring invitation acceptance.
5. To send an instant message from a Groove Data Bridge identity to a client identity, click Messages in the navigation pane, click New in the toolbar, enter an identity in the To and From fields, type a message in the text box, then click Send.
6. For more information about Messages, see “Error: Reference source not found”.
7. When you are ready, you can end the session by closing the administrative interface or shutting down the server, as described in “Error: Reference source not found”.

See Also: Getting Started with Groove Server Data Bridge

Ending the Session

You can end an administrative session by simply closing the administrative interface window. This does not shut down the Groove Data Bridge server, which is a separate step. To maximize server efficiency, close the administrative interface when you are not using it. For information about shutting down a Windows service and other ways to shut down the server, see “Error: Reference source not found” in the Managing Groove Data Bridge Servers section of this guide.

To close the administrative window and shut down the server:
1. From the Groove Data Bridge navigation pane, select the Groove Data Bridge server.
2. To close the administrative window only, click Close Window. To close the administrative window and shut down the Groove Data Bridge server, click the File menu and select Shutdown Server.

Once you have set up a Groove Data Bridge identity, you can use the Groove Data Bridge server administrative interface to set up other identities and perform other Groove Data Bridge server management tasks, as described in the remaining topics of this guide.

See Also: Getting Started with Groove Server Data Bridge
