Administration Guide
Copyright Statement Copyright © Acronis International GmbH, 2002-2014. All rights reserved. “Acronis” and “Acronis Secure Zone” are registered trademarks of Acronis International GmbH. "Acronis Compute with Confidence", “Acronis Startup Recovery Manager”, “Acronis Active Restore”, “Acronis Instant Restore” and the Acronis logo are trademarks of Acronis International GmbH. Linux is a registered trademark of Linus Torvalds. VMware and VMware Ready are trademarks and/or registered trademarks of VMware, Inc.
Table of contents
1 Mobile Access (p. 6)
1.1 Concepts (p. 6)
1.2 Policies (p. 8)
1.2.1 1.2.2 1.2.3
1.3 On-boarding Mobile Devices
3.7 Email Templates (p. 75)
3.8 Licensing (p. 77)
3.9 Debug Logging (p. 78)
3.10 Monitoring
6 Configuring an AppConnect tunnel between the Access Mobile client and the Access server via username/password authentication (p. 140)
7 Adding Kerberos Constrained Delegation Authentication (p. 151)
7.1.1 7.2 7.2.1 7.2.2 7.2.3
7.3 Installing Acronis Access on a Windows 2003 Microsoft Failover Cluster
1 Mobile Access
This section of the web interface covers all the settings and configurations affecting mobile device users.
In this section: Concepts (p. 6), Policies (p. 8), On-boarding Mobile Devices (p. 26), Managing Mobile Devices
Any number of Gateway Servers can later be added to the network and configured for access from the client app. Note: Details on installing Acronis Access are included in the Installing section of this guide. Configuration of Gateway Servers and Data Sources is explained in the Mobile Access (p. 6) section. If you wish to remotely manage your Access Mobile Clients, Acronis Access Client Management allows you to create policies per Active Directory user or group.
Fig 2. One Gateway Server, one Gateway Server + Acronis Access Server, many clients
1.2 Policies
In this section: User & Group Policies (p. 8), Allowed Apps (p. 22), Default Access Restrictions (p. 24)
1.2.
If you would like all or most of your users to receive the same policy settings, you can enable the Default group policy. If it is enabled, all users who are not members of a group policy and do not have an explicit user policy become members of the Default group. The Default group is disabled by default. If you would like to deny a group of users access to Acronis Access management, ensure that they are not members of any configured group policies.
1. Open the Group Policies tab.
2. Click the Add new policy button to add a new group policy. This will open the Add a new group policy page.
3. In the Find group field, enter the partial or complete Active Directory group name for which you'd like to create a policy. You can perform 'begins with' or 'contains' searches for Active Directory groups. 'Begins with' searches complete much faster than 'contains' searches.
4. Click Search and then find and click the group name in the listed results.
5.
1. Open the User policies tab.
2. Click the Add new policy button to add a new user policy. This will open the Add a new user policy page.
3. In the Find user field, enter the partial or complete Active Directory user name for which you'd like to create a policy. You can perform 'begins with' or 'contains' searches for Active Directory users. 'Begins with' searches complete much faster than 'contains' searches.
4. Click Search and then find and click the user name in the listed results.
5.
1.2.1.3 Modifying Policies Existing policies can be modified at any time. Changes to policies will be applied to the relevant Access Mobile Client users the next time they launch the mobile app. Client management connectivity requirements Access Mobile Clients must have network access to the management server in order to receive profile updates, remote password resets, and remote wipes.
7. On the Blocked Path Lists page press Add List.
8. Enter a name for the list.
9. Enter a path or list of paths that will be blacklisted. Each entry should be on a new line.
10. Open the Apply to User or Group tab.
11. Assign the list to the desired user(s)/group(s).
12. Press Save.
To enable the blacklist for a User or Group policy:
1. Open the web interface as an administrator.
2. Open the Policies (p. 8) page.
3. Click on the desired User policy or Group policy.
4. Open the Server Policy (p.
1.2.1.5 App password creation - The Access Mobile Client application can be set with a lock password that must be first entered when launching the application. Optional - This setting will not force the user to configure an application lock password, but they will be able to set one from the Settings menu within the app if they desire. Disabled - This setting will disable the ability to configure an application lock password from the Settings menu within the app.
Minimum password length - The minimum allowed length of the application lock password.
Minimum number of complex characters - The minimum number of non-letter, non-number characters required in the application lock password.
Require one or more letter characters - Ensures that there is at least one letter character in the application password.
1.2.1.6 Application Policy Require Confirmation When Deleting Files - When enabled, the user will be asked for confirmation each time they delete a file. If you would like the user to be able to later modify this setting, select Allow user to change this setting. Set the Default File Action - This option determines what will happen when a user taps a file in the Access Mobile Client application. If this is not set, the client application defaults to Action Menu.
and have not changed, providing performance and bandwidth conservation benefits. Maximum Cache Size can be specified and the user can optionally be allowed to change this setting. Content in My Files and File Inbox Expires after X days - If this option is enabled, files in the File Inbox and in My Files will be deleted from the device after the set number of days. Allow These settings can be used to disable certain Access Mobile Client application features and capabilities.
Folder Operations Folder Copies - If this option is disabled, the user will not be able to copy folders on or to the Gateway Server. This setting supersedes any NTFS permissions that client may have that allow folder creation. File copies / creation must be enabled for this setting to be enabled. Folder Deletes - If this option is disabled, the user will not be able to delete folders from the Gateway Server.
Emailing Files from Acronis Access - If this option is disabled, the Access Mobile Client application will omit the Email File button and not allow files in Acronis Access to be emailed from the application. Printing Files from Acronis Access - If this option is disabled, the Access Mobile Client application will omit the Print button and not allow files in Acronis Access to be printed.
Auto-Sync Interval - When this option is enabled, Acronis Access will automatically sync never, on app launch only or on several time intervals. Allow User to Change This Setting - When this option is enabled, the users will be able to change the time interval from the Access Mobile Client app. Only Allow File Auto-Syncing While Device is on WiFi Networks - When this option is enabled the auto-sync will not occur unless the user is connected via WiFi. 1.2.1.
1.2.1.9 Required login frequency for resources assigned by this policy- sets the frequency that a user must log into the servers that are assigned to them by their policy. Once only, then save for future sessions - The user enters their password when they are initially enrolled in management. This password is then saved and used for any file server connections they later initiate.
Block access to specific network paths - When enabled, allows the administrator to create and use blacklists of network paths which the users shouldn't be allowed to self-provision. Only allow this Mobile Client to connect to servers with third-party signed SSL certificates - If this option is enabled, the Access Mobile Client will only be permitted to connect to servers with third-party signed SSL certificates.
Adding Apps Available for Lists (p. 23)
Finding an app's bundle identifier by browsing the files on your device (p. 23)
Finding an app's bundle identifier in an iTunes Library (p. 23)
1.2.2.1 Adding Apps Available for Lists
To add an app to be included on a whitelist or blacklist:
1. Click Allowed Apps in the top menu bar.
2. Click Add app in the Apps Available for Lists section.
3. Enter the App name.
2. On a Mac, this is typically in your home directory, in ~/Music/iTunes/Mobile Applications/ 3. On a Windows 7 PC, this is typically in C:\Users\username\My Music\iTunes\Mobile Applications/ 4. If you have recently installed the app on your device, make sure you have performed an iTunes sync before you continue. 5. Locate the app that you require in the Mobile Applications folder. 6. Duplicate the file and rename the extension to .ZIP 7.
Configure the client enrollment status, client app types and authentication methods that can be used to connect to this Acronis Access server and any Gateway Servers configured to use the default access restrictions. Require that client is enrolled with an Acronis Access server - If you select this option, all Access Mobile Clients connecting to this server are required to be managed by an Acronis Access server that is listed under Allowable Acronis Access servers.
1.3 On-boarding Mobile Devices To get started with the Acronis Access mobile client, users need to install the Access Mobile Client application through the Apple App Store. If your company is using client management, the users also need to enroll the Access Mobile Client app on their device with the Acronis Access Server. Once enrolled, their mobile client configuration, security settings, and capabilities are controlled by their Acronis Access user or group policy.
2. Log in as an administrator.
3. Open the Mobile Access tab.
4. Open the Settings tab.
5. Select the desired device enrollment requirements.
Acronis Access includes two device enrollment mode options. This mode is used for all client enrollments.
Download enrollment invitations as CSV - The entire or filtered invitations list can be exported to a CSV file and opened in Excel or imported into a custom process. Using basic URL enrollment links when PIN numbers are not required: If your server is configured to not require PIN numbers for client enrollment, you can give your users a standard URL that will automatically start the enrollment process when tapped from the mobile device.
8. Choose the number of PINs you'd like to send to each user on the invitations list. This can be used in cases where a user may have 2 or 3 devices. They will receive individual emails containing each unique one-time-use PIN. Note: Acronis Access licensing allows each licensed user to activate up to 3 devices; each additional device beyond 3 is counted as a new user for licensing purposes. 9.
The email guides them through the process of installing the Access Mobile Client and entering their enrollment information. If the Access Mobile Client app has already been installed, and the user taps the "Tap this link to automatically begin enrollment..." option while viewing this email on their device, Acronis Access will automatically launch and the enrollment form will be displayed.
To enroll in management Enroll automatically via enrollment email 1. Open the email sent to you by your IT administrator and tap the click here to install the Acronis Access link if you have not yet installed Acronis Access. 2. Once Acronis Access is installed, return to the invitation email on your device and tap Click this link to automatically begin enrollment in step 2 of the email. 3. An enrollment form will be displayed.
Ongoing Management Updates After the initial management setup, Access Mobile Clients will attempt to contact the management server each time the client app is started. Any settings changes, server or folder assignment changes, application lock password resets, or remote wipes will be accepted by the client app at that time.
Here you can view every managed device and information about it. You can also wipe the device or change its app password.
Display Name – the user's Active Directory (AD) full name.
Username – the user's AD account username.
Domain – the domain that the user's AD account is a member of.
Device name – the device name set by the user.
Model – type/model of the device.
OS – version of the operating system of the device.
Version – version of the Acronis Access Mobile app on the device.
1.4.1 Performing Remote Application Password Resets The Access Mobile Client can be secured with an Application Lock Password that must be entered when Acronis Access is launched. If a user forgets this password, they will not be able to access Acronis Access. The Access Mobile Client app password is independent of the user's Active Directory account password. When a password is lost, the only recourse a user has is to uninstall Acronis Access from their device and reinstall it.
1.4.2 Performing Remote Wipes Acronis Access Client Management allows an Access Mobile Client application to be remotely wiped. This selective remote wipe removes all files that are locally stored or cached within the Acronis Access app. All app settings are reset to previous default settings and any servers that have been configured in the app are removed. Queuing a Remote wipe 1. Open the Mobile Access tab. 2. Open the Devices tab. 3.
1.5 Managing Gateway Servers The Acronis Access Gateway Server is the server contacted by the Access Mobile Clients that handles accessing and manipulating files and folders in file servers, SharePoint repositories, and/or Sync & Share volumes. The Gateway Server is the "gateway" for mobile clients to their files. The Acronis Access Server can manage and configure one or more Gateway Servers from the same management console.
Support for content search of shared is enabled by default, and can be enabled or disabled by checking this option. You can enable or disable content searching for each Gateway Server in the Edit Server dialog. In addition to enabling this setting, content search requires that the Microsoft Windows Search application be installed on the Acronis Access Gateway server and be configured to index any data source where content search is enabled.
4. Open the Acronis Access Web Interface.
5. Open the Mobile Access tab.
6. Open the Gateway Servers page.
7. Press the Add New Gateway Server button.
8. Enter a Display Name for your Gateway Server.
9. Enter the DNS name or IP address of your Gateway Server.
Status
The Status section gives you information about the Gateway Server itself, such as the operating system, the type of the license, the number of licenses used, the version of the Gateway Server and more.
Logging
The Logging section allows you to control whether the logging events from this specific Gateway Server will be shown in the Audit Log and allows you to enable Debug logging for this server.
To enable Audit Logging for a specific gateway server: 1. 2. 3. 4. 5. 6. 7.
8. Press the Save button.
To enable Debug Logging for a specific gateway server:
Note: The default location for the debug logs is: C:\Program Files (x86)\Acronis\Access\Gateway Server\Logs\AcronisAccessGateway
1. Open the web interface.
2. Log in as an administrator.
3. Open the Mobile Access tab.
4. Open the Gateway Servers tab.
5. Find the server for which you want to enable Debug Logging.
6. Press the Details button.
7. In the Logging section check Debug Logging.
8. Press the Save button.
3. Open the Use Custom settings tab. 4. Select the specific access restrictions you want for this Gateway Server. 5. Press Apply. General Settings Display Name - Sets the display name of the Gateway Server. Address for administration - Sets the address on which the Gateway Server is reachable by the Acronis Access Server. Address for client connections - Sets the address on which mobile clients will connect to the Gateway Server.
Support content search using Microsoft Windows Search where available Support for content search of shared is enabled by default, and can be enabled or disabled by checking this option. You can enable or disable content searching for each Gateway Server in the Edit Server dialog.
1. Open the SharePoint Central Administration. 2. Click on Application Management.
3. Under Web Applications click on Manage web applications. 4. Select your web application from the list and click on User Policy. 5. Select the checkbox of the user you want to give permissions to and click on Edit Permissions of Selected Users. If the user is not in the list, you can add him by clicking on Add Users.
6. From the Permission Policy Levels section, select the checkbox for Full Read - Has Full read-only access. 7. Press the Save button.
Advanced Note: It is recommended that these settings only be changed at the request of a customer support representative. Hide inaccessible items - When enabled, files and folders for which the user does not have the Read permission will not be shown. Hide inaccessible items on reshares - When enabled, files and folders located on a network reshare for which the user does not have the Read permission will not be shown.
1. In Active Directory Users and Computers, locate the Windows server or servers that you have the Gateway Server installed on. They are commonly in the Computers folder. 2. Open the Properties window for the Windows server and select the Delegation tab. 3. Select Trust this computer for delegation to specified services only 4. Select Use any authentication protocol, this is required for negotiation with the SharePoint server. 5.
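The Delegation tab choices above end up in two attributes of the Gateway Server's computer account: the userAccountControl flags and the msDS-AllowedToDelegateTo list. The following is an added example, not code from Acronis or from this guide, that audits exported attribute values against the setting the steps call for; the host names, the expected SPN list and the record layout are constructed assumptions.

```python
# Added example (not Acronis code): audit the delegation settings of a Gateway
# Server computer account from exported Active Directory attributes.

# userAccountControl bits as documented by Microsoft.
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary member computer account


def delegation_mode(uac, delegate_to):
    """Translate the raw attributes back into the Delegation tab state."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained-kerberos-only"
    return "none"


def audit_gateway(record, expected_spns):
    """Return (mode, findings) for one exported computer account record."""
    uac = int(record["userAccountControl"])
    spns = record.get("msDS-AllowedToDelegateTo", [])
    mode = delegation_mode(uac, spns)
    findings = []
    if mode == "unconstrained":
        findings.append("unconstrained delegation is enabled; "
                        "the guide selects 'specified services only'")
    elif mode == "constrained-kerberos-only":
        findings.append("'Use any authentication protocol' is not set")
    elif mode == "none":
        findings.append("no delegation is configured")
    # SPNs compare case-insensitively.
    expected = {s.lower() for s in expected_spns}
    present = {s.lower() for s in spns}
    for spn in spns:
        if spn.lower() not in expected:
            findings.append(f"unexpected delegation target: {spn}")
    for spn in expected_spns:
        if spn.lower() not in present:
            findings.append(f"missing delegation target: {spn}")
    return mode, findings


# Constructed sample data: the SharePoint SPNs an administrator expects
# (assumption) and three exported records with different Delegation settings.
EXPECTED = ["HTTP/sharepoint.example.com", "HTTP/sharepoint"]
GATEWAY_OK = {
    "cn": "GW01",
    "userAccountControl": str(WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION),
    "msDS-AllowedToDelegateTo": ["HTTP/sharepoint.example.com", "HTTP/sharepoint"],
}
GATEWAY_UNCONSTRAINED = {
    "cn": "GW02",
    "userAccountControl": str(WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
}
GATEWAY_EXTRA = {
    "cn": "GW03",
    "userAccountControl": str(WORKSTATION_TRUST_ACCOUNT),
    "msDS-AllowedToDelegateTo": EXPECTED + ["cifs/files.example.com"],
}

if __name__ == "__main__":
    for rec in (GATEWAY_OK, GATEWAY_UNCONSTRAINED, GATEWAY_EXTRA):
        mode, findings = audit_gateway(rec, EXPECTED)
        print(rec["cn"], mode, findings or "OK")
```

An account that reports "unconstrained" or carries delegation targets outside the expected list has broader impersonation rights than the procedure above grants.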
To create a cluster group:
Please make sure that you have already configured a correct Address for Administration on each Gateway before proceeding. This is the DNS or IP address of the Gateway server.
1. Open the Acronis Access Web Interface.
2. Open the Mobile Access tab.
3. Open the Gateway Servers page.
4. Press the Add Cluster Group button.
5. Enter a display name for the group.
6. Enter the DNS name or IP address of the load balancer.
Adding members to an existing cluster group: 1. Open the web interface and navigate to Mobile Access -> Gateway Servers. 2. Open the action menu for the desired cluster group and select Add Cluster Members from the available actions. 3. Select the desired Gateway Servers from the list and press Add. 1.6 Managing Data Sources You can share NTFS directories located on your Windows server or on a remote SMB/CIFS file share for access by Access Mobile Client users.
Acronis Access Data Sources that reside on another SMB/CIFS file server are accessed using an SMB/CIFS connection from the Gateway Server to the secondary server or NAS. In this case, access to the secondary server is performed in the context of the user logged into the Access Mobile Client app. In order for that user to have access to files on the secondary server, their account will need both "Windows Share Permissions" and NTFS security permissions to access those files.
Acronis has partnered with Salesforce to offer an option for logging access to files shown to customers using Acronis Access. Enabling this option will require any user who has this folder assigned to their management policy to log a customer activity in Salesforce before they can open any file in the folder. This is done completely within the Access Mobile Client app.
Creating a Data Source
To create a Data source:
1. Open the Acronis Access Web Interface.
2. Open the Mobile Access tab.
3. Open the Data Sources tab.
4. Go to Folders.
5. Press the Add New Folder button.
6. Enter a display name for the folder.
7. Select the Gateway Server which will give access to this folder.
8. Select the location of the data. This can be on the actual Gateway Server, on another SMB server, on a SharePoint Site or Library or on a Sync & Share server.
10. Select the Sync type of this folder. 11. Enable Show When Browsing Server if you want this Data Source to be visible when Acronis Access mobile clients browse the Gateway Server. 12. Select if the folder should require Salesforce activity logging. 13. Find and select the User or Group the folder will be assigned to. 14. Press the Save button.
By pressing the Edit resources assigned to button, the administrator can quickly edit the assignments for this policy.
1.6.3 Gateway Servers Visible on Clients
Gateway Servers can be assigned to User or Group policies and can be used as Data Sources. This page displays all Gateway Servers displayed on the user's Acronis Access Mobile client and if those Gateway Servers are assigned to a User or Group policy. You can also edit these assignments here.
If you want to assign a new User or Group to this server, find the User/Group name and press it. 2. Press the Save button. 1.6.4 Legacy Data Sources If you have updated to Acronis Access from a previous mobilEcho installation, all of your assigned folders will carry over automatically and will be put in this section. If you're still using a mobilEcho 4.5 server or older, you can also create a volume in the mobilEcho Administrator, and add it to the Legacy Data Sources from this page.
To move your Legacy Data Sources to the new system:
1. Find the mobilEcho File Server on which the Data Source resides.
2. Upgrade the mobilEcho File Server to the Acronis Access Gateway server.
3. Open the Acronis Access web interface and log in as an administrator.
4. Open the Gateway Servers tab.
5. Add your server to the list of Gateway Servers. For more information on this process, visit the Managing Gateway Servers (p. 36) section.
6. Add a license for the Gateway Server.
7.
Active Directory username and password only - A user can activate their Acronis Access app using only their Active Directory username and password. This option allows a user to enroll one or more devices at any point in the future. Users just need to be given the name of their Acronis Access Client Management server, or a URL pointing to their Acronis Access Client Management server, which can be posted on a web site or emailed, simplifying the rollout of Acronis Access to large numbers of users.
2 Sync & Share
This section of the Web Interface is available only if you have enabled Sync & Share functionality. Otherwise you will see a button Enable sync & share support.
In this section: Managing Users (p. 58), Sharing Restrictions (p. 60), LDAP Provisioning
Name – shows the name used to login to the server. Last Logged in – time and date of last log in. Admin – if the user has administrator privileges there will be a check mark. Licensed - if the user is licensed there will be a check mark. Disabled – if this account is disabled there will be a check mark. Authentication – shows whether the user authenticates using his LDAP credentials or through Ad-hoc.
2. Log in with an administrator account. An account with the Manage Users rights can be used as well. 3. Open the Sync & Share tab. 4. Open the Users tab. 5. Press the Add User button. 6. Write the email of the user. 7. Select whether the user should have administrative rights or not. 8. Select the language of the invitation. 9. Press the Add button. The user will now be able to log in with his LDAP credentials. His account will be complete once he logs in.
Minimum Expiration Time - Controls the minimum amount of time (in days) that the users can set. Maximum Expiration Time - Controls the maximum amount of time (in days) that the users can set. Whitelist If the whitelist is enabled, only users in the configured LDAP groups or with the email domains (like example.com) specified in the list can login. Wildcards can be used for domains (e.g. *.example.com).
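The whitelist rule above combines LDAP group membership with email-domain entries that may carry a wildcard. The following is an added example, not Acronis code, that shows how such a check can be evaluated so that a wildcard entry only matches on a label boundary, next to a naive suffix match that does not. It assumes that `*.example.com` covers subdomains only and not `example.com` itself (the guide does not say), and all addresses and group names are constructed.

```python
# Added example (not Acronis code): evaluating a login whitelist made of
# LDAP groups and email domains with optional "*." wildcards.


def naive_matches(domain, pattern):
    """Weak version: plain suffix comparison, shown for contrast only."""
    return domain.lower().endswith(pattern.lower().lstrip("*."))


def domain_matches(domain, pattern):
    """Match one whitelist entry against an email domain.

    "example.com"   matches only example.com.
    "*.example.com" matches any subdomain, on a dot boundary, and (by the
    assumption stated in the lead-in) not example.com itself.
    """
    domain = domain.lower().rstrip(".")
    pattern = pattern.lower().strip()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot: ".example.com"
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return domain == pattern


def login_allowed(email, user_groups, allowed_groups, allowed_domains):
    """True if the user is in a whitelisted group or has a whitelisted domain."""
    if {g.lower() for g in user_groups} & {g.lower() for g in allowed_groups}:
        return True
    # Use the LAST "@": everything before it is the local part.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    return any(domain_matches(domain, p) for p in allowed_domains)


# Constructed whitelist and sample logins.
ALLOWED_GROUPS = ["Sync Users"]
ALLOWED_DOMAINS = ["example.com", "*.example.com"]
SAMPLES = [
    ("alice@example.com", []),
    ("bob@mail.example.com", []),
    ("carol@partner.test", ["sync users"]),
    ("dave@evilexample.com", []),
    ("erin@example.com@other.test", []),
    ("no-at-sign", []),
]

if __name__ == "__main__":
    for email, groups in SAMPLES:
        verdict = login_allowed(email, groups, ALLOWED_GROUPS, ALLOWED_DOMAINS)
        print(f"{email:32} {'allow' if verdict else 'deny'}")
```

The naive suffix comparison accepts `evilexample.com` for the entry `*.example.com`, which is why the matcher keeps the leading dot of the wildcard suffix.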
2.4 Quotas Administrators can set the amount of space dedicated to each user in the system. There are distinct default settings for external (ad-hoc) and internal (Active Directory - LDAP) users. Administrators can also assign different quota values based on individual users or Active Directory group membership. Enable Quotas? - If enabled, limits the maximum space a user has by a quota. Ad-hoc User Quota - Sets the quota for Ad-Hoc users. LDAP User Quota - Sets the quota for LDAP users.
2.5 File Purging Policies In Acronis Access, documents, files and folders are normally preserved in the system unless explicitly eliminated. This allows users to recover deleted files and maintain previous versions of any document. Acronis Access allows administrators to define policies to determine how long deleted files will be preserved, the maximum number of revisions to keep and when older revisions will be deleted.
2.6 User Expiration Policies Users who expire will lose access to all their data. You can reassign the data from the Manage Deleted Users page. Delete passkeys after X days - If enabled, deletes all passkeys after a set number of days. Delete pending invitations after X days - If enabled, deletes all pending invitations after a set number of days. Delete adhoc users who have not logged in for X days - If enabled, deletes adhoc users who have not logged in for a set number of days.
2.7 File Repository These settings determine where files uploaded for syncing and sharing will be stored. In the default configuration, the file system repository is installed on the same server as the Acronis Access Server. The File Repository is used to store Acronis Access Sync & Share files and previous revisions. The Acronis Access Configuration utility is used to set the file repository address, port and file store location.
2.8 Acronis Access Client These settings are for the Access Desktop Client. Force Legacy Polling Mode - Forces the clients to poll the server instead of being asynchronously notified by the server. You should only enable this option if instructed to do so by Acronis support. Client Polling Time - Sets the time intervals in which the client will poll the server. This option is available only when Force Legacy Polling Mode is enabled.
3 Server Administration
In this section: Administering a Server (p. 67), Administrators and Privileges (p. 67), Audit Log (p. 70), Server (p. 72), SMTP
This section allows you to manage your administrative groups. Users in these groups will automatically receive the group's administrative privileges. All of the rights are shown in a table, the ones that are currently enabled have a green mark. Using the Actions button you can delete or edit the group. You can edit the group's administrative rights.
To add a provisioned LDAP administrator group:
1. Press the Add Provisioned Group.
2. Mark if the group should have Sync & Share functionality.
4. Press the Add Administrator button under Administrative Users. 5. Select either the Active Directory/LDAP or Invite by Email tab depending on what type of user you are inviting and what you want them to administer. LDAP users without emails cannot be given Sync & Share functionality. a) To invite via Active Directory/LDAP do the following: 1. Search for the user you want to add in the Active Directory and then click on their Common Name to select a user.
2. Open the Users tab.
3. Press the Actions button for the User you want to edit.
4. Press Edit.
5. Mark all of the administrative rights you want your user to have.
6. Press Save.
To give an administrator specific rights:
1. Press the Actions button for the User you want to edit.
2. Press Edit.
3. Mark all of the administrative rights you want your user to have.
4. Press Save.
3.3 3.3.
To enable Audit Logging for a specific gateway server:
1. Open the web interface.
2. Log in as an administrator.
3. Open the Mobile Access tab.
4. Open the Gateway Servers tab.
5. Find the server for which you want to enable Audit Logging.
6. Press the Details button.
7. In the Logging section check Audit Logging.
8. Press the Save button.
3.4 Server Server Settings Server Name – cosmetic server name used as the title of the web site as well as identifying this server in admin notification email messages. Web Address – specify the root DNS name or IP address where users can access the website (starting with http:// or https://). Do not use 'localhost' here; this address will also be used in email invitation links. Color Scheme – select the color scheme for the website.
3.5 SMTP Acronis Access Server uses the configured SMTP server to send emails to invite users to share or enroll mobile devices, as well as notify users and administrators of server activity. SMTP server address - enter the DNS name of an SMTP server that will be used to send email invitations to your users. SMTP server port - enter your SMTP server port. This setting defaults to port 587. Use secure connection? - enable the option to use a secure SSL connection to your SMTP server.
3.6 LDAP
Microsoft Active Directory can be used to provide mobile access and sync and share access to users in your organization. LDAP is not required for unmanaged mobile access or sync and share support, but is required for managed mobile access. Other Active Directory products (i.e. Open Directory) are not supported at this time.
Enable LDAP? - If enabled, you will be able to configure LDAP.
Note: If you're supporting multiple domains you should probably use the global catalog port.
Use LDAP secure connection? - disabled by default. Check the box to connect to Active Directory using secure LDAP.
LDAP username / password - these login credentials will be used for all LDAP queries. Ask your AD administrator to find out if you have designated service accounts that should be used.
LDAP Search Base - enter the root level you would like searches for users and groups to begin.
Available Parameters - The available parameters are different for each template and will change based on the template you've selected. Email Subject - The subject of the invitation email. Pressing the View Default link will show you the default subject for that language and email template. HTML Email template - Shows the HTML-coded email template. If you enter valid HTML code, it will be displayed. Pressing the Preview button will show you a preview of how your current template looks.
Make sure you click the Save Templates button when you have finished modifying your templates.
3.8 Licensing
Licensing
You will see a list of all your licenses.
License - Type of the license (Trial, subscription etc.).
Clients - Maximum number of allowed licensed users.
Current Licensed Client Count - Number of currently used user licenses.
Current Free Client Count - Number of free users currently in the system.
Adding a new license
1. Copy your license key.
To license them, you will need a mobilEcho license. Follow the steps below:
1. Open the web interface and log in as an administrator.
2. Open the General Settings tab and open the Licensing page.
3. In the Legacy mobilEcho Licenses section you have a list of all Gateway servers using the old licensing.
4. Press Add License for the desired Gateway and enter your license key.
5. Press Save.
3.
Note: For information on enabling/disabling debug logging for a specific Gateway Server visit the Server Details (p. 38) article.
Warning: These settings should not be used during normal operation and production conditions.
General Debug Logging Level - Sets the main level you want to be logged (Info, Warnings, Fatal errors etc.)
Note: Enabled debug modules always log at the debug level, regardless of the general debug logging level above.
3.10 Monitoring The performance of this server can be monitored using New Relic. If you would like to monitor this server, please enable monitoring and provide the path to your New Relic YML file. To obtain a New Relic YML file, you will need to create an account with New Relic. Note: It is highly recommended not to put your New Relic YML file into the Acronis Access server directories to avoid having your file accidentally removed or altered on upgrade or uninstall.
All the information the Acronis Access server logs about trying to connect to New Relic and set up monitoring is in a file called newrelic_agent.log found here - C:\Program Files (x86)\Acronis\Common\apache-tomcat-7.0.34\logs. If you have any problems, you can find information in the log file.
4 Maintenance Tasks
To back up all of Acronis Access's elements as part of your best practices and backup procedures, you may want to read the Disaster Recovery guidelines (p. 82) article.
In this section
Disaster Recovery guidelines
Backing up and Restoring Acronis Access
Tomcat Log Management on Windows
4.
PostgreSQL database. This is a discrete element running as a Windows service, installed and used by Acronis Access. The Acronis Access database is one of the most critical elements because it maintains all configurations, relationships between users and files, and file metadata. All those components are needed in order to build a working instance of Acronis Access.
4. If needed, restore the FileStore. Make sure the relative location of the FileStore is the same as it was in the source computer. If this is not the case, the location will need to be adjusted by using the Configuration Utility.
5. Verify that the PostgreSQL service is running (Windows Control Panel/Services).
6. Restore the Acronis Access database.
7. Start the Acronis Access Tomcat service.
8. Migrate DNS to point to the new node.
9. Verify Active Directory and SMTP are working.
4.
1. Go to the server on which you have your Acronis Access Gateway Server installed.
2. Navigate to the folder containing the database.
Note: The default location is: C:\Program Files (x86)\Acronis\Access\Gateway Server\database
3. Copy the mobilEcho.sqlite3 file and paste it in a safe location.
Restoring Acronis Access
Restoring your Acronis Access's database
The database restore process is similar to the backup process.
1.
Note: Typing the password will not result in any visual changes in the Command Prompt window.
Info: For full psql command syntax, please visit http://www.postgresql.org/docs/9.2/static/app-psql.html http://www.postgresql.org/docs/9.0/static/app-psql.html
Restoring your Gateway Server's database
1. Copy the mobilEcho.sqlite3 file you have backed up.
2. Go to the server on which you have your Acronis Access Gateway Server installed.
3. Navigate to the folder containing the database and paste the mobilEcho.
ECHO OFF
REM Script: aETomcatLogsPurge.bat
REM 2012-05-12: Version: 1.
In Acronis Access the log files are stored in the same folder as Tomcat's. (C:\Program Files (x86)\Acronis\Access\Common\apache-tomcat-7.0.34\logs)
3. Save the file.
4. To automate the process, open Task Scheduler and create a new task. Define a name and a description for the task.
5. Set the task to run daily.
6. Define at what time the task should start. It is recommended to run this process when the system is not under extreme load and no other maintenance processes are running.
7. Set the action type to “Start a program”.
8. Click the Browse button, locate and select the script (batch) file.
9. When done, click Finish.
10. In the tasks list you may want to right click on the task, select Properties and verify the task will run whether a user is logged on or not, for unattended operation.
11. You can verify the task is configured and running properly by selecting the task, right clicking on it and selecting “Run”. The scheduler’s log should report start, stop and any errors.
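A retention purge of the kind the scheduled task above runs, written in Python as an added example (it is not the aETomcatLogsPurge.bat script from this guide). The 30-day retention, the file suffixes and the function names are assumptions, and the sample files are constructed in a temporary folder.

```python
import os
import stat
import tempfile
import time

LOG_SUFFIXES = (".log", ".txt")   # assumption: log files in the folder end in .log or .txt
SECONDS_PER_DAY = 86400


def purge_old_logs(log_dir, keep_days=30, dry_run=True, now=None):
    """Delete regular log files in log_dir that are older than keep_days.

    Returns the sorted names of the files that were (or, with dry_run,
    would be) removed. Sub-folders, symlinks and files with other
    suffixes are never touched, so a link planted in the log folder
    cannot redirect the delete to another location.
    """
    if keep_days < 1:
        raise ValueError("keep_days must be at least 1")
    now = time.time() if now is None else now
    cutoff = now - keep_days * SECONDS_PER_DAY
    expired = []
    with os.scandir(log_dir) as entries:
        for entry in entries:
            if not entry.name.lower().endswith(LOG_SUFFIXES):
                continue
            info = entry.stat(follow_symlinks=False)
            # Only plain files whose last write is outside the window.
            if stat.S_ISREG(info.st_mode) and info.st_mtime < cutoff:
                expired.append(entry.path)
    removed = []
    for path in sorted(expired):
        if not dry_run:
            try:
                os.remove(path)
            except OSError:
                continue            # still open in Tomcat; the next run retries
        removed.append(os.path.basename(path))
    return removed


def demo():
    """Build a constructed log folder and purge it with 30-day retention."""
    now = time.time()
    with tempfile.TemporaryDirectory() as log_dir:
        samples = {                       # constructed file names and ages in days
            "catalina.2014-01-01.log": 90,
            "localhost_access_log.2014-01-02.txt": 45,
            "catalina.2014-03-30.log": 2,
            "keystore.jks": 400,          # old, but not a log file
        }
        for name, age_days in samples.items():
            path = os.path.join(log_dir, name)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            stamp = now - age_days * SECONDS_PER_DAY
            os.utime(path, (stamp, stamp))
        planned = purge_old_logs(log_dir, keep_days=30, dry_run=True, now=now)
        before = sorted(os.listdir(log_dir))
        deleted = purge_old_logs(log_dir, keep_days=30, dry_run=False, now=now)
        after = sorted(os.listdir(log_dir))
    return planned, before, deleted, after


if __name__ == "__main__":
    for label, value in zip(("planned", "before", "deleted", "after"), demo()):
        print(label, value)
```

Run it once with dry_run=True against the real folder and review the returned names before scheduling it. Set keep_days to the retention your incident-response process needs, since purged Tomcat logs cannot be recovered.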
5 Supplemental Material
In this section
Conflicting Software
Load balancing Acronis Access
Third-party Software for Acronis Access
Using Acronis Access with Microsoft Forefront Threat Management Gateway (TMG)
Unattended desktop client configuration
In the setup example we will use three separate machines. One of them will act as our File Repository and Database and the other two as both Access and Gateway servers. Below you can see a guide on how to configure this setup. This guide will provide the details necessary to properly load balance the Acronis Access product in your environment. On the server that will be hosting your PostgreSQL database and File Repository, perform the following steps: 1. Start the Acronis Access installer and press Next.
Note: You will need to set the same address and port in the Acronis Access web interface. For more information visit the Using the Configuration Utility and File Repository (p. 65) articles.
c. Select the path to the File Store. This is where the actual files will reside.
d. Click OK to apply changes and close the Configuration Utility.
7. Navigate to the PostgreSQL installation directory (e.g. C:\Program Files\PostgreSQL\9.2\data\) and edit pg_hba.conf with a text editor.
8.
Enter the address and port on which your Acronis Access management server will be reachable (i.e. 10.27.81.3 and 10.27.81.4). Select your certificate. This should be the same SSL certificate that is tied to the DNS address of the load balancer. Press Apply. Note: If you don't have a certificate, a self-signed certificate will be created by Acronis Access. This certificate should NOT be used in production environments. c.
5. Set the username, password, and internal address of the server that will be running the PostgreSQL database and save the file. This will configure your Access Server to connect to your remote PostgreSQL database. e.g.:
DB_DATABASE =acronisaccess_production
DB_USERNAME =postgres
DB_PASSWORD =password123
DB_HOSTNAME =10.27.81.2
DB_PORT =5432
6. Open Services.msc and restart the Acronis Access services.
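A check for the database connection settings from step 5, as an added example that is not part of the Acronis product or this guide. It reads the guide's KEY =value layout and flags values that should not survive into a deployment; the 16-character minimum, the acronis_access_app role name and the second sample are assumptions or constructed values.

```python
import ipaddress

REQUIRED_KEYS = ("DB_DATABASE", "DB_USERNAME", "DB_PASSWORD", "DB_HOSTNAME", "DB_PORT")
SAMPLE_PASSWORDS = {"password123"}   # the value printed in the guide's sample
MIN_PASSWORD_LENGTH = 16             # assumption: local policy, not an Acronis requirement


def parse_db_settings(text):
    """Parse 'KEY =value' lines into a dict; lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_db_settings(settings):
    """Return (key, message) findings for the DB_* connection settings."""
    findings = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            findings.append((key, "missing or empty"))
    password = settings.get("DB_PASSWORD", "")
    username = settings.get("DB_USERNAME", "")
    if password:
        if password.lower() in SAMPLE_PASSWORDS:
            findings.append(("DB_PASSWORD", "still set to the documentation sample value"))
        elif password.lower() == username.lower():
            findings.append(("DB_PASSWORD", "same as DB_USERNAME"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append(("DB_PASSWORD", "shorter than %d characters" % MIN_PASSWORD_LENGTH))
    if username == "postgres":
        findings.append(("DB_USERNAME", "connects as the PostgreSQL superuser; review"))
    host = settings.get("DB_HOSTNAME", "")
    if host:
        try:
            address = ipaddress.ip_address(host)
        except ValueError:
            address = None          # a DNS name: resolve and review it separately
        if address is not None and not address.is_private:
            findings.append(("DB_HOSTNAME", "not an internal address"))
    port = settings.get("DB_PORT", "")
    if port and not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("DB_PORT", "not a valid TCP port"))
    return findings


# The sample exactly as the guide prints it.
GUIDE_SAMPLE = """\
DB_DATABASE =acronisaccess_production
DB_USERNAME =postgres
DB_PASSWORD =password123
DB_HOSTNAME =10.27.81.2
DB_PORT =5432
"""

# Constructed counterpart: hypothetical dedicated role, placeholder secret.
REVISED_SAMPLE = """\
DB_DATABASE =acronisaccess_production
DB_USERNAME =acronis_access_app
DB_PASSWORD =Constructed-Sample-Passphrase-0001
DB_HOSTNAME =10.27.81.2
DB_PORT =5432
"""

if __name__ == "__main__":
    for name, text in (("guide sample", GUIDE_SAMPLE), ("revised", REVISED_SAMPLE)):
        print(name, audit_db_settings(parse_db_settings(text)) or "no findings")
```

The password is stored in this file in clear text, so the file's ACL should also be limited to administrators and the account the Acronis Access services run under.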
Enter your LDAP credentials, with the domain (e.g. acronis\joe).
Enter your LDAP search base.
Enter the desired domain(s) for LDAP authentication (i.e. to enable LDAP authentication for an account with the email joe@glilabs.com, you would enter glilabs.com).
Press Save.
e. Under the Local Gateway tab:
Note: If you're installing both a Gateway Server and the Acronis Access Server on the same machine, the Gateway Server will automatically be detected and administered by the Acronis Access Server.
2. If a health-check is required (looking for an HTTP status of 200 to be returned), a ping to https://INTERNALSERVERNAME:MANAGEMENTPORT/signin will satisfy it (i.e. https://myaccessserver1.company.com/signin and https://myaccessserver2.company.com/signin).
Using a browser, open https://mylb.company.com to verify the configuration is working.
5.3 Third-party Software for Acronis Access
In this section
PostgreSQL
By using New Relic, you can monitor your Acronis Access server's activity in real time in an easy and user friendly way. For more information visit http://newrelic.com/
For information on installing New Relic for your Acronis Access server, visit the Monitoring Acronis Access with New Relic (p. 114) section.
5.4 Using Acronis Access with Microsoft Forefront Threat Management Gateway (TMG)
In this section
Overview
5.4.2 Introduction Acronis Access clients connect to the Acronis Access server running inside your firewall securely via HTTPS and need to traverse your firewall via either VPN, HTTP reverse proxy or an open HTTPS port.
3-Leg Perimeter - This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network. Back/Front Firewall - In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network.
5.4.2.2 Understanding Forefront Threat Management Gateway authentication
TMG provides 3 general methods of authenticating users and they are:
HTTP authentication:
Basic authentication - The user enters a username and password which the TMG server validates against the specified authentication server.
Digest and WDigest authentication - Has the same features as the Basic authentication but provides a more secure way of transmitting the authentication credentials.
9. On the Password page, type the password provided by the entity that issued this certificate.
10. On the Certificate Store page confirm that the location is Personal.
11. The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish.
Verify that your CA is in the list of trusted root CAs:
1. On each edge server, click Start, and then click Run. In the Open box, type mmc, and then click OK. This opens an MMC console.
2.
4. The Welcome to the New Web Listener Wizard page appears. Give a name to the Web Listener (e.g. Access WL) and click Next.
5. On the Client Connection Security page select Require SSL secured connections with clients and click Next.
6. On the Web Listener IP Addresses page select External and click Next.
7. On the Listener SSL Certificates page select Use a single certificate for this Web Listener and click the Select Certificate button. Select the appropriate certificate and click the Select button to confirm your choice.
8. Confirm that the correct certificate appears on the Listener SSL Certificates page and click Next.
9. On the Authentication Settings page choose the type of authentication you'd like Acronis Access to use when it contacts the TMG reverse proxy server, and click Next.
SSL Client Certificate Authentication - Use this option if you'd like the Access Mobile Client app to authenticate with the TMG reverse proxy with an SSL user identity certificate. This certificate must be added to the Access Mobile Client app before the user can authenticate with the TMG reverse proxy server. Additional instructions can be found here: http://support.grouplogic.com/?p=3830
10. On the Single Sign On Settings page verify that the SSO setting is disabled and click Next.
11. Review your selections on the Completing The New Web Listener Wizard page and click Finish.
12. Click the Apply button to commit the changes.
13. In the left pane of the Forefront TMG Management Console click Monitoring, then click on the Configuration tab in the middle pane. Keep clicking on the Refresh Now link in the right pane (Tasks tab) until there is a green icon with the checkbox in front of the TMG computer name (array name).
5.4.5 Create a New Web Site Publishing Rule
1.
2. Right-click Firewall Policy, select New, and click Web Site Publishing Rule.
3. The Welcome to the New Web Publishing Rule Wizard page appears. Enter a name for the Web publishing rule (e.g. Access WP) and click Next.
4. On the Select Rule Action page verify that the Allow option is selected and click Next.
5. On the Publishing Type page choose the applicable option for your case and click Next.
6. On the Server Connection Security page choose the Use SSL to connect to the published Web server or server farm option and click Next.
7. On the Internal Publishing Details page type "intname.domain.
Note: Create a DNS entry in the internal DNS server of your organization for "intname.domain.com".
8. On the Internal Publishing Details page enter "/*" in the Path (optional) field to allow access to the entire content of the Acronis Access Gateway server. Click Next.
9. On the Public Name Details page you need to specify the name that the remote clients will use to connect to the published server. Enter "access.domain.com" in the Public name field, where domain is a placeholder for the domain name of the server you want to publish. Leave the other options the way they are by default and click Next.
10. On the Select Web Listener page select the web listener that you have created for Acronis Access from the drop-down menu and click Next.
11. On the Authentication Delegation page select the No delegation, but client may authenticate directly option from the drop-down menu and click Next.
12. On the User Sets page verify that the default All Users option is present and click Next to continue.
13. On the Completing The New Web Publishing Rule Wizard page review the summary of your selections. Click Test Rule to confirm that the publishing rule is working properly. Click Finish to complete the process.
14. Click the Apply button to commit the changes.
15. In the left pane of the Forefront TMG Management Console click Monitoring, then click on the Configuration tab in the middle pane.
2. In the Server Name or IP Address field, write the path to your server (e.g. yourserver.companyname.com/access).
3. Fill in your credentials (username / password).
4. Tap Save.
5.4.8 Using the Access Desktop Client with a TMG reverse proxy server
This feature is built-in and requires little to no configuration. For the desktop client:
1. Right click on the tray Acronis Access icon. Select Preferences.
2.
2. Set the Action to Create.
3. For the path, enter the following token: %USERPROFILE%\Desktop\AAS Data Folder
Creating the registry:
Right-click on Registry and select New -> Registry Item.
Set the Action to Create.
For Hive, select HKEY_CURRENT_USER.
For the path, enter the following: Software\Group Logic, Inc.\activEcho Client\
Now do the following for the desired entries:
For the Username:
a. For Value name enter "Username".
b. For Value type select REG_SZ.
c.
6. Download the New Relic script - newrelic.yml.
7. Open your Acronis Access web UI.
8. Go to Settings and click on Monitoring.
9. Enter the path to the newrelic.yml including the extension (e.g. C:\software\newrelic.yml). We recommend you put this file in a folder outside of the Acronis Access folder so that it will not be removed or altered on upgrade or uninstall.
10. Click Save and wait a couple of minutes or until the Active application(s) button becomes active on the New Relic site.
11.
Installing your certificate to your Windows certificate store
1. On the server, click Start, and then click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu click Add/Remove snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, click Computer account (this is not selected by default), and then click Next.
5.8 Creating a Drop Folder
This guide will cover setting up a Drop Folder using Acronis Access and Windows Active Directory. A Drop Folder is a folder in which certain users can only add new files and folders (without the ability to edit or delete any of the files) while other users have full control.
In the Active Directory, do the following:
1. Either select two existing LDAP groups or create two new groups. One will be used for the superusers (e.g.
List Folder/Read Data
Create Files/Write Data
Read Permissions
For the Creator Owner group
Press Edit and under Allow, mark the following permissions:
Delete
In the Acronis Access Server web interface, do the following:
1. Expand the Mobile Access tab and open the Policies page.
2. Press Add Group Policy.
3. For the superuser group (Group A), fill out all policy tabs per your company's requirements. For more information visit the Policies (p. 8) section.
4.
1. Make a copy of one of the default style sheets in the \stylesheets directory. They are generally located at: C:\Program Files (x86)\Acronis\Access\Access Server\Web Application\stylesheets.
2. Place it in the customizations folder. This folder is generally located at: C:\Program Files (x86)\Acronis\Access\Access Server\Web Application\customizations.
3. Edit the style sheet and change colors and settings based on your preference and save the changes.
4.
1. Go to the machine on which Acronis Access is installed.
2. Stop the Acronis Access File Repository Server service.
3. Stop the Acronis Access Tomcat service.
4. You will find the current FileStore in the folder which you selected with the Configuration Utility.
5. Copy or move the entire FileStore folder with all its contents to the target point, like so: D:\MyCustom Folder\FileStore
6. Open the Configuration Utility.
managed using the Good Dynamics platform and also provide the app with FIPS 140-2 certified on-device encrypted secure storage and Good secure communication. Acronis Access for Good Dynamics requires: Acronis Access for Good Dynamics client app - The Acronis Access for Good Dynamics client app available on the Apple App Store http://www.grouplogic.com/web/megoodappstore is specifically designed as a Good Dynamics integrated application.
5.12.3 Requesting and configuring Acronis Access within Good Control
Before an Acronis Access for Good Dynamics client app can be enrolled in Good Dynamics, Acronis Access must be added to the list of Managed Applications on your Good Control server. For this to happen, you must request access to the Acronis Access for Good app using the Good Dynamics beGood Communities site.
On the Acronis Access for Good app page, click the Get Application button to request a trial or licensed version of the app. https://begood.good.com/gd-app-details.
If you select a trial version of the app, your access should be granted within a few minutes. You should receive a notification from the beGood site when your request has been accepted, notifying you that the Acronis Access for Good app has been published to your Good Control server. Once this has happened, log into your Good Control server and click Manage Applications in the left-hand menu. Acronis Access should now be listed as a Partner app in your managed applications list.
In the Server Info box, enter the DNS name or IP address of your Acronis Access Gateway server. The Port number is usually 443, unless you've configured Acronis Access to run on a non-standard port. All communication between Acronis Access clients and the Gateway servers occurs on port 443 by default. Click the 'Check' button to save this change. 5.12.3.
In the Additional Servers box, enter the Gateway server's DNS name or IP address and its port, then click the "+" icon to add it to the list. The default Gateway server port is 443.
5.12.4 Good Dynamics Policy Sets and Acronis Access
The Acronis Access for Good Dynamics app respects the policy settings included in a user's assigned Policy Set. Policy sets are configured on the Good Control server.
An upcoming version of Acronis Access for Good Dynamics will add the ability to transfer files directly between the Acronis Access for Good Dynamics app and other 3rd party Good Dynamics apps. This capability requires changes to Acronis Access for Good Dynamics and to the 3rd party apps involved, so any app that you need to transfer files to will also need to be updated by its vendor. 5.12.
4. Select Acronis Access for Good from the list of available applications and click OK.
To generate an Access Key that will allow a user to enroll their Acronis Access for Good app with Good Dynamics:
1. Select Manage Users from the left-hand menu in the Good Control console.
2. Select the user you'd like to create an Access Key for.
3. On the Access Keys tab, select the number of keys you'd like to send and click the Provision button.
5.12.6 Enrolling the Acronis Access client app in Good Dynamics
The Acronis Access for Good client app available on the Apple App Store http://www.grouplogic.com/web/megoodappstore is purpose-built as a Good Dynamics integrated application. When first installed on a device, the Acronis Access app starts and requires the user to activate it in your Good Dynamics system.
To enroll an Acronis Access client app in Good Dynamics:
1. Launch Acronis Access for Good Dynamics on your device.
2.
4. If required by your Good Dynamics policy, you will be asked to set an application lock password. If you are also using Good for Enterprise, Acronis Access may require that you log into Good for Enterprise in order to gain access to the Acronis Access app. 5. Once this process is completed, you will be taken to the Acronis Access application's home screen.
From this point on, when you start the Access Mobile Client app, you may be required to enter the Acronis Access for Good Dynamics application password that you configured earlier, or you may be required to authenticate with your Good for Enterprise app before Acronis Access opens. Aside from that requirement, Acronis Access for Good Dynamics functions the same way that standard Access Mobile Client does. Some features in the app may be restricted based on your Good Dynamics policy set.
5.13.1 Introduction
Acronis and MobileIron have partnered to bring Acronis Access's mobile file management to the MobileIron AppConnect platform. This Acronis Access capability allows the standard Access Mobile Client app to optionally be auto-configured and managed, along with other AppConnect-enabled apps, by AppConnect defined policies. Acronis Access also supports MobileIron AppTunnel for remote access to Acronis Access Gateway servers residing inside the corporate data center.
1. Access Mobile Client app Configuration – this allows AppConnect to auto-configure the Access Mobile Client app, completing some or all of the Acronis Access “Enrollment Form” and taking the place of the Acronis Access user invitation process.
2. Access Mobile Client app Container Policy – this policy allows the restriction of some of the capabilities of Acronis Access.
In this section
Creating an Access Mobile Client app Configuration
Within this new AppConnect App Configuration, enter the following information:
Name – This can be any name you’d like to assign to this configuration. You may create more than one configuration and assign those configurations to different MobileIron labels.
Description – This can be any description you like.
Application – This must be set to the Bundle Identifier of the Access Mobile Client app, which is: com.grouplogic.
requirePIN – This key is optional. If you are distributing a PIN to Acronis Access mobile users that they will need to manually enter into the Acronis Access enrollment form, you can specify that the PIN field is immediately shown in the form by setting this key’s value to: Yes
enrollmentUserName – This key is optional. The value of this key will be inserted into the Username field in the Acronis Access enrollment form.
5.13.3.3 Assign labels to the new Configuration and Container Policy
In order for these new policies to be applied to mobile devices, ensure that you assign the MobileIron labels for any required users to both the Configuration and the Container Policy.
5.13.4 Activating the Acronis Access iOS client with AppConnect
Once the needed Configuration and Container Policy have been created on the MobileIron VSP, you are ready to install and configure Acronis Access on client devices.
If the Mobile@Work app is not present on the device, Acronis Access will display a warning on this Settings menu rather than an Enable button.
5.13.4.3 Acronis Access has not yet been installed on the device
In this scenario, you will need to install Acronis Access for the first time from the Apple App Store http://www.grouplogic.com/web/meappstore. Once installed, start Acronis Access.
username/password authentication before moving on to Kerberos to eliminate steps in problem determination. Before you begin Kerberos Constrained Delegation, abbreviated KCD, allows users to authenticate to network resources by Kerberos after their identity is established using a non-Kerberos authentication method. In the case of Acronis Access, this allows users to authenticate using iOS device-level identity certificates distributed by MobileIron.
MaxPacketSize from 0 to 1 in the registry editor. For information about how to do this, refer to the following Microsoft KB article: http://support.microsoft.com/kb/244474.
The iOS device must be able to reach the VSP and the Sentry.
iOS Device registered on VSP.
Mobile@Work installed on the device and registered in the VSP.
The MDM profiles properly installed during the registration.
6 Configuring an AppConnect tunnel between the Access Mobile client and the Access server via username/password authentication
The first step towards configuring an AppConnect tunnel between the Acronis Access mobile client and the Acronis Access server is to add and configure the Sentry to the VSP. This is a multi-step process broken down into the following phases.
4. Click Generate.
5. Then click Save.
6. Click View Certificate on the new CA.
7. Copy the certificate to a new text file and save to the desktop.
1. Open the MobileIron VSP Admin Portal.
2. Select Policies & Configs and open Configuration.
3. Press Add New and select SCEP.
Name: Enter a name based on your preference.
Setting Type: Select Local.
Local CAs: Name of the CA created in "Generate a new Local CA".
Subject: Enter a name based on your preference (e.g. CN=tunneling) but it must start with CN=.
Key Size: Select the same value you selected when generating the CA. In this case, select 2048.
4. Click Save.
1. Still within the MobileIron VSP Admin Portal, select Settings and open Sentry.
2.
Sentry Host Name/IP: The DNS name your sentry is installed on. It must be reachable via the MobileIron VSP.
Sentry Port: The port open for connection via the MobileIron VSP (default is 9090).
Enable App Tunneling: Mark the checkbox.
Device Authentication: Select Identity Certificate.
3. Click Upload Certificate.
4. Browse and select the text file you saved to desktop in "Generate a new local CA".
5. Click Upload Certificate.
6.
1. Still within the MobileIron VSP Admin Portal, select Policies & Configs and open Configurations.
2. Press Add New, select AppConnect and select Container Policy.
Name: Enter a name based on your preference.
Application: Enter com.grouplogic.mobilecho. This is a Bundle ID from the iOS App Store.
Policies: Set whatever MobileIron policies you want to use for managing Acronis Access.
3. Click Save.
1.
2. Press Add New, select AppConnect and select Configuration.
Name: Enter a name based on your preference.
App Tunnel Application: Enter com.grouplogic.mobilecho. This is the Bundle ID as seen in the Apple store.
URL Wildcard: The URL that the client will try to contact the Acronis Access gateway server on. This must match the "Address for client connections" configured for the Gateway server in the Acronis Access admin interface.
*Address for client connections from the Acronis Access web interface. This address will be used in profiles sent to the mobile client for making file system connections. The sentry URL Wildcard must match this address and port to route those connections through to the sentry.
1. Still within the MobileIron VSP Admin Portal, select Users & Devices and open Labels.
2. Press Add new.
Name: Enter a name based on your preference.
Description: Enter a description based on your preference.
3. Click Save.
2. Mark the SCEP, AppConnect policies, and AppConnection configurations you created while following this document. Open Configurations to view them listed.
3. Press More Actions and select Apply to Label.
4. Mark the Label created in "Create a new label".
5. Click Apply.
1. Still within the MobileIron VSP Admin Portal, select Users & Devices and open Devices.
2. Mark the iOS device to be used for Sentry testing.
3. Select Actions -> Apply to Label.
4. Check Label created in "Create a new label".
5. Click Apply.
1. Open the Mobile@Work app and open the Settings.
2. Tap on Check for Updates.
3. Tap on Force Device Check-In. If this is successful the SCEP configured in this document should show up in the device settings at Settings -> General -> Profiles.
4. Install Acronis Access from the App Store and launch it.
5. Select Enroll Now on the Welcome view or go to Settings and scroll down to Enrollment.
6. Enter the address used for client connections to the Acronis Access Gateway and configured in the AppConnection Configuration. For a true test this URL should not be reachable by the mobile client (use cellular or an external network).
7. Tap continue.
8. Enter Username and Password and tap Enroll Now.
5. When traffic comes from the mobile device you should see the sentry log scroll with entries related to the hostname configured.
7 Adding Kerberos Constrained Delegation Authentication
Once you have set up and verified that the AppTunnel works via Username/Password authentication for Acronis Access, you can modify the configurations created to allow Kerberos Constrained Delegation authentication to the Acronis Access Gateway. When this is properly configured the end user will not have to supply a username or password to enroll with management or to browse data sources.
Ensure that the correct domain name is selected in the field next to the User Logon Name field. If the correct domain is not selected, choose the correct domain name from the drop-down list next to the User Logon Name field.
5. Click Next.
Password: Enter a password.
Password never expires: Ensure that User must change password at next logon is not selected. Typically, in the enterprise, the User cannot change password and Password Never Expires fields should be selected.
6. Click Next.
7.
4. Find and select the Kerberos user account that you created in "Create a Kerberos Service Account".
5. Right-click on the account and select Properties.
Click on the Delegation tab.
Select Trust This User For Delegation To Specified Services Only.
Select Use Any Authentication Protocol.
6. Press Add….
7. Press Users or Computers….
Enter the computer name of the Acronis Access Gateway Server.
Click on Check Names.
The correct computer name should appear in the object name box. 8. Click OK.
9. Find and select the "http" service in the Add Services window. 10. Click OK. Note: For a large deployment with multiple Gateway Servers you should repeat steps 6 through 10 for each Gateway Server. However, for the initial setup, it's best to begin with a single Gateway Server hosting some local test folders. Once you have confirmed access to those, then you can expand to additional Gateway Servers and non-local folders. 1. Open the MobileIron VSP Admin Portal. 2.
4. Click on its name and click Edit in the panel on the right. Enter two Subject Alternative Name Types:
NT Principal Name: $USER_UPN$
Distinguished Name: $USER_DN$
Note: These entries require user accounts on the VSP to come from Active Directory and these variables to be supplied by it. This configuration is beyond the scope of this document. 5. Click Save. 6. Since you have modified the SCEP, you will have to re-provision the device in Mobile@Work before testing the iOS client.
1. Still in the MobileIron VSP Admin Portal, select Settings and open Sentry. 2. Find the Sentry created in "Add and Configure the Sentry". 3. Click on the Edit icon. In the Device Authentication Configuration select the following for the Certificate Field Mapping: Subject Alternative Name Type: NT Principal Name; Value: User UPN. In the App Tunneling Configuration change the Server Authentication to Kerberos. In the Kerberos Authentication Configuration section.
Using either the Sentry EXEC or the Sentry logs in the System Manager verify the Sentry is able to reach and receive a Kerberos ticket from the KDC. Find the line "Informational only: Successfully Received Sentry Service Ticket from KDC". This verifies the Sentry is able to reach and communicate with the KDC. The changes we made to the SCEP must be pushed down to the iOS device. The changes we made to the Sentry can take several minutes to be pushed down to it.
You can verify the SCEP is properly updated using the iOS Settings app. Under Settings -> General -> Profiles -> The SCEP name you created -> More Details -> Certificate -> The portion after CN= you enter in the subject name of the SCEP, you should see entries for "Subject Alternative Name" and "Directory Name". If this is properly pulled from Active Directory it should match the user that you used to activate Mobile@Work. If that is correct reinstall the Acronis Access Mobile Client.
2. Find the computer object corresponding to the Gateway server. 3. Right-click on the user and select Properties. 4. Open the Delegation tab. 5. Select Trust this computer for delegation to specified services only. 6. Under that select Use any authentication protocol. 7. Click Add. 8. Click Users or Computers. 9. Search for the server object for the SMB share or SharePoint server and click OK. For SMB shares, select the cifs service. For SharePoint, select the http service. 10.
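A read-only check of the delegation settings made in the two procedures above (the Kerberos service account and the Gateway computer object), added here as an example and not part of the Acronis guide. The helper names `ConvertTo-SpnKey` and `Test-KcdAccount`, the account names and the host names are hypothetical; the sample objects are constructed and stand in for `Get-ADUser` / `Get-ADComputer` output.

```powershell
# Added example (not Acronis or MobileIron code). Helper names, account names and
# host names are hypothetical; the sample objects below are constructed.

function ConvertTo-SpnKey {
    # Reduce "service/host[:port]" to lower-case "service/shorthost" so that
    # "http/GW01" and "http/gw01.corp.example" compare as the same target.
    param([Parameter(Mandatory)][string] $Spn)
    $parts = $Spn.Trim().ToLowerInvariant().Split('/')
    if ($parts.Count -lt 2 -or -not $parts[0] -or -not $parts[1]) { return }
    $hostName = ($parts[1] -split ':')[0]
    '{0}/{1}' -f $parts[0], ($hostName -split '\.')[0]
}

function Test-KcdAccount {
    # Compares one account's delegation settings with what the guide configures:
    # "specified services only" + "Use any authentication protocol" + a fixed SPN list.
    param(
        [Parameter(Mandatory)][psobject] $Account,
        [Parameter(Mandatory)][string[]] $ExpectedSpn
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($Account.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is enabled; the guide selects "specified services only".')
    }
    if (-not $Account.TrustedToAuthForDelegation) {
        $findings.Add('"Use any authentication protocol" is not set.')
    }

    $allowed = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ } |
        ForEach-Object { ConvertTo-SpnKey $_ } | Where-Object { $_ } | Sort-Object -Unique)
    $expected = @($ExpectedSpn | ForEach-Object { ConvertTo-SpnKey $_ } |
        Where-Object { $_ } | Sort-Object -Unique)

    foreach ($spn in $expected) {
        if ($allowed -notcontains $spn) { $findings.Add("Missing delegation target: $spn") }
    }
    foreach ($spn in $allowed) {
        if ($expected -notcontains $spn) { $findings.Add("Delegation target not called for by the guide: $spn") }
    }

    [pscustomobject]@{
        Account   = $Account.SamAccountName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: a service account configured as in the guide (http on the Gateway).
$serviceAccount = [pscustomobject]@{
    SamAccountName             = 'svc-sentry-kcd'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('http/GW01', 'http/GW01.corp.example')
}

# Constructed sample: a Gateway computer object that drifted from the guide
# (unconstrained delegation on, protocol transition off, one extra target).
$gatewayComputer = [pscustomobject]@{
    SamAccountName             = 'GW01$'
    TrustedForDelegation       = $true
    TrustedToAuthForDelegation = $false
    'msDS-AllowedToDelegateTo' = @('cifs/FS01.corp.example', 'cifs/FS02.corp.example')
}

$results = @(
    Test-KcdAccount -Account $serviceAccount  -ExpectedSpn 'http/GW01'
    Test-KcdAccount -Account $gatewayComputer -ExpectedSpn 'cifs/FS01'
)
$results | Format-List

# Live use with the ActiveDirectory module (same property names):
#   $p = 'TrustedForDelegation','TrustedToAuthForDelegation','msDS-AllowedToDelegateTo'
#   Test-KcdAccount -Account (Get-ADUser <service-account> -Properties $p) -ExpectedSpn 'http/<gateway>'
#   Test-KcdAccount -Account (Get-ADComputer <gateway> -Properties $p) -ExpectedSpn 'cifs/<file-server>'
```

Hosts are compared by short name, so a target given as an IP address needs its own handling.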
2. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 3. Double-click on the installer executable. 4. Press Next to begin. 5. Read and accept the license agreement. 6. Press Install. Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 7.
9. Choose a location on a shared disk for the Postgres Data folder and press Next. 10. A window displaying all the components which will be installed appears. Press OK to continue. When the Acronis Access installer finishes, press Exit. Creating the cluster group 1. Open the Cluster Administrator and open Groups. 2. Right-click on Groups and select New and then Group. Give the cluster group a proper name. (e.g.
3. Select the machines which will be a part of this cluster group and press Finish. Configurations on the Active node 1. Configure your Gateway Server's database to be on a location on a shared disk. a. Navigate to C:\Program Files (x86)\Acronis\Access\Gateway Server\ If you're upgrading, the path will be C:\Program Files (x86)\GroupLogic\mobilEcho Server\ b. Find the database.yml file and open it with a text editor. c. Find this line: database_path: './database/' and replace .
2. Open New and select Resource. 3. Enter a name for the service and select the correct cluster group. 4. From the Resource Type drop down menu select Generic Service and press Next.
5. Make sure both of your nodes are listed as Possible owners and press Next. 6. Skip the dependencies for now by pressing Next. 7. Enter the correct service name of the service you are adding (e.g. postgresql-x64-9.2) and press Next. 8. Skip the Registry Replication window for now by pressing Next. 9. Press Finish to complete the procedure. Setting an IP address for the cluster group 1. Right-click on the Acronis Access cluster group. 2. Open New and select Resource. 3.
4. From the Resource Type drop down menu select IP Address and press Next. 5. Make sure both of your nodes are listed as Possible owners and press Next. 6. Skip the dependencies for now by pressing Next. 7. Enter the IP address you will use for this cluster group. 8. Enter the subnet mask and press Finish. Adding a shared disk 1. Right-click on the Acronis Access cluster group.
2. Open New and select Resource. 3. Enter a name for the resource and select the correct cluster group. 4. From the Resource Type drop down menu select Physical Disk and press Next.
5. Make sure both of your nodes are listed as Possible owners and press Next. 6. Skip the dependencies for now by pressing Next. 7. Select an available disk from the drop down menu and press Finish. Configuring dependencies For PostgreSQL and Acronis Access File Repository do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Modify. 4. Select the shared disk you have added and move it to the right side. 5. Press OK.
2. Press Add and enter the following: SYSTEM\CurrentControlSet\Services\postgresql-some version (e.g. postgresql-x64-9.2) For the Acronis Access Gateway Server service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Modify. 4. Select the IP Address and Physical disk and move them to the right side. 5. Press OK.
For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Modify. 4. Select the PostgreSQL and Acronis Access Gateway Server services and move them to the right side. 5. Press OK. Bringing the cluster group online and using the Configuration Utility 1. Right-click on the cluster group and press Bring online. 2. Launch the Configuration Utility.
3. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 4. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services. Installation and configuration on the second node 1. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 2.
7. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 8. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
9. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 10. Click OK to complete the configuration and restart the services. 7.2.2 Installing Acronis Access on a Windows 2008 Microsoft Failover Cluster Installing Acronis Access Please make sure you are logged in as an administrator before installing Acronis Access. 1. Download the Acronis Access installer. 2.
Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 7. Either use the default paths or select new ones for each component and press OK. 8. Set a password for the user Postgres and write it down. This password will be needed for database backup and recovery. 9. Choose a location on a shared disk for the Postgres Data folder and press Next. 10.
3. Select the Create Empty Service or Application and press Next. Give the service group a proper name. (e.g. Acronis Access, AAS Cluster). Configurations on the Active node 1. Configure your Gateway Server's database to be on a location on a shared disk. a. Navigate to C:\Program Files (x86)\Acronis\Access\Gateway Server\ If you're upgrading, the path will be C:\Program Files (x86)\GroupLogic\mobilEcho Server\ b. Find the database.yml file and open it with a text editor. c.
2. Select Generic Service. 3. Select the proper service and press Next. 4. On the confirmation window press Next. 5. Press Next on the Replicate Registry Settings window. 6. On the summary window press Finish. Setting a Client Access Point 1. Right-click on the Acronis Access service group and select Add a resource.
2. Select Client Access Point. 3. Enter a name for this access point. 4. Select a network. 5. Enter the IP address and press Next. 6. On the Confirmation window press Next. 7. On the summary window press Finish. Adding a shared disk 1. Right-click on the Acronis Access service group and select Add a resource.
2. Select the desired shared drive. 3. On the Confirmation window press Next. 4. On the summary window press Finish. Configuring dependencies 1. Double click on the Acronis Access Service group. For PostgreSQL and Acronis Access File Repository services do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added. 4. Press Apply and close the window.
1. Click on the Registry Replication tab. 2. Press Add and enter the following: SYSTEM\CurrentControlSet\Services\postgresql-some version (e.g. postgresql-x64-9.2) For the Acronis Access Gateway Server service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added and the Network Name (this is the name of the Client access point).
4. Press Apply and close the window. For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the PostgreSQL and Acronis Access Gateway Server services as dependencies. Press Apply and close the window.
3. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 4. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services. Installation and configuration on the second node 1. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 2.
7. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 8. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
9. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 10. Click OK to complete the configuration and restart the services. 7.2.3 Installing Acronis Access on a Windows 2012 Microsoft Failover Cluster Installing Acronis Access Please make sure you are logged in as an administrator before installing Acronis Access. 1. Download the Acronis Access installer. 2.
Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 7. Either use the default paths or select new ones for each component and press OK. 8. Set a password for the user Postgres and write it down. This password will be needed for database backup and recovery. 9. Choose a location on a shared disk for the Postgres Data folder and press Next. 10.
2. Select Create empty role. Give the role a proper name. (e.g. Acronis Access, AAS Cluster) Configurations on the Active node 1. Configure your Gateway Server's database to be on a location on a shared disk. a. Navigate to C:\Program Files (x86)\Acronis\Access\Gateway Server\ If you're upgrading, the path will be C:\Program Files (x86)\GroupLogic\mobilEcho Server\ b. Find the database.yml file and open it with a text editor. c. Find this line: database_path: './database/' and replace .
1. Right-click on the Acronis Access role and select Add a resource. 2. Select Generic Service. 3. Select the proper service and press Next. 4. On the Confirmation window press Next. 5. On the summary window press Finish. Setting an Access Point 1. Right-click on the Acronis Access role and select Add a resource.
2. Select Client Access Point. 3. Enter a name for this access point. 4. Select a network. 5. Enter the IP address and press Next. 6. On the Confirmation window press Next. 7. On the summary window press Finish. Adding a shared disk 1. Right-click on the Acronis Access role and select Add Storage.
2. Select the desired shared drive. Configuring dependencies 1. Select the Acronis Access role and click on the Resources tab For PostgreSQL and Acronis Access File Repository services do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added. 4. Press Apply and close the window.
1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added and the Network Name (this is the name of the Client access point). 4. Press Apply and close the window. For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3.
Note: If you want to run the Gateway and Access servers on different IP addresses add the second IP as a resource to the Acronis Access role and set it as a dependency for the network name. Starting the role and using the Configuration Utility 1. Right-click on the Acronis Access role and press Start role. 2. Launch the Configuration Utility.
Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box. 5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services.
c. Find this line: database_path: './database/' and replace ./database/ with the path you want to use (e.g. database_path: 'S:/mobilEcho_cluster/database/'). Note: Use slashes (/) as a path separator. Note: You can copy the configured database.yml from the first node and paste it to the second node. Note: The path should match the path set on the first node. For PostgreSQL you will need to manually replicate the registry: 1. Open Regedit. 2.
2. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 3. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
4. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 5. Click OK to complete the configuration and restart the services. 7.3 Upgrading from mobilEcho 4.5 on a Microsoft Failover Cluster Warning! Acronis Access failover clustering is not supported by versions older than 5.0.3. If you're using an older version, you will have to upgrade to version 5.0.
4. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 5. Double-click on the installer executable. 6. Press Next to begin. 7. Read and accept the license agreement. 8. Press Install. Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 9.
11. Choose a location on a shared disk for the Postgres Data folder and press Next. 12. A window displaying all the components which will be installed appears. Press OK to continue. 13. When the Acronis Access installer finishes, press Exit. Navigate to your shared disk, locate and copy these 3 files: production.sqlite3, mobilEcho_manager.cfg and priority.txt (this one might not exist) and paste them to the Acronis Access installation directory, replacing the existing files.
2. Open New and select Resource. 3. Enter a name for the service and select the correct cluster group. 4. From the Resource Type drop down menu select Generic Service and press Next.
5. Make sure both of your nodes are listed as Possible owners and press Next. 6. Skip the dependencies for now by pressing Next. 7. Enter the correct service name of the service you are adding (e.g. postgresql-x64-9.2) and press Next. 8. Skip the Registry Replication window for now by pressing Next. 9. Press Finish to complete the procedure. Configuring dependencies For PostgreSQL and Acronis Access File Repository do the following: 1. 2. 3. 4.
For PostgreSQL also do the following: 1. Click on the Registry Replication tab. 2. Press Add and enter the following: SYSTEM\CurrentControlSet\Services\postgresql-some version (e.g. postgresql-x64-9.2) For the Acronis Access Gateway Server service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Modify. 4. Select the IP Address and Physical disk and move them to the right side.
5. Press OK. For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Modify. 4. Select the PostgreSQL and Acronis Access Gateway Server services and move them to the right side. 5. Press OK. Bringing the cluster group online and using the Configuration Utility 1. Right-click on the cluster group and press Bring online. 2. Launch the Configuration Utility.
3. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 4. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services. Installation and configuration on the second node 1. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 2.
7. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 8. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
9. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 10. Click OK to complete the configuration and restart the services. 7.3.2 Upgrading a mobilEcho server on a Windows 2008 Failover Cluster to Acronis Access 1. Open the Failover Cluster Manager and double-click on your service group. 2. Delete the mobilEcho service resources.
Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 9. Either use the default paths or select new ones for each component and press OK. 10. Set a password for the user Postgres and write it down. This password will be needed for database backup and recovery. 11. Choose a location on a shared disk for the Postgres Data folder and press Next. 12.
If you're upgrading, the path will be C:\Program Files (x86)\GroupLogic\mobilEcho Server\ b. Find the database.yml file and open it with a text editor. c. Find this line: database_path: './database/' and replace ./database/ with the path you want to use (e.g. database_path: 'S:/mobilEcho_cluster/database/'). Note: Use slashes (/) as a path separator. Note: You can copy the configured database.yml from the first node and paste it to the second node.
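The guide's rules for database_path (replace the default ./database/, use forward slashes, same path on both nodes) can be checked before the cluster group is brought online. The following is an added example, not Acronis code; the function names, node names and sample file contents are hypothetical and constructed.

```powershell
# Added example (not Acronis code). Function names, node names and the sample
# database.yml contents are hypothetical and constructed for illustration.

function Get-DatabasePath {
    # Returns the value of the database_path line from database.yml text, or nothing.
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Text)
    $pattern = '(?m)^[ \t]*database_path:[ \t]*(["'']?)(.*?)\1[ \t\r]*$'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[2].Value }
}

function Test-ClusterDatabasePath {
    # $NodeText maps a node name to the full text of that node's database.yml.
    param([Parameter(Mandatory)][System.Collections.IDictionary] $NodeText)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $paths    = [ordered]@{}
    $distinct = @{}

    foreach ($node in $NodeText.Keys) {
        $path = Get-DatabasePath -Text $NodeText[$node]
        $paths[$node] = $path
        if (-not $path) {
            $findings.Add(('{0}: no database_path line found' -f $node))
            continue
        }
        if ($path -match '^\.') {
            $findings.Add(('{0}: still a relative path ({1}); point it at the shared disk' -f $node, $path))
        }
        if ($path.Contains('\')) {
            $findings.Add(('{0}: backslashes in {1}; the guide requires slashes (/)' -f $node, $path))
        }
        # Compare locations, not spelling: ignore case, separator style, trailing slash.
        $distinct[$path.Replace('\', '/').TrimEnd('/').ToLowerInvariant()] = $true
    }
    if ($distinct.Count -gt 1) {
        $findings.Add('Nodes disagree on database_path; the path must match the first node.')
    }

    [pscustomobject]@{
        Paths      = $paths
        Consistent = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Constructed sample: first node edited as in the guide's example.
$node1Text = @'
# database.yml (constructed sample)
database_path: 'S:/mobilEcho_cluster/database/'
'@

# Constructed sample: second node still has the installer default.
$node2Text = @'
# database.yml (constructed sample)
database_path: './database/'
'@

$sample = [ordered]@{ NODE1 = $node1Text; NODE2 = $node2Text }
Test-ClusterDatabasePath -NodeText $sample | Format-List

# Live use: read each node's file with Get-Content -Raw from the Gateway Server
# folder named in the guide and pass the text in the same dictionary shape.
```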
3. Select the proper service and press Next. 4. On the confirmation window press Next. 5. Press Next on the Replicate Registry Settings window. 6. On the summary window press Finish. Configuring dependencies 1. Double click on the Acronis Access Service group. For PostgreSQL and Acronis Access File Repository services do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added. 4.
For PostgreSQL also do the following: 1. Click on the Registry Replication tab. 2. Press Add and enter the following: SYSTEM\CurrentControlSet\Services\postgresql-some version (e.g. postgresql-x64-9.2) For the Acronis Access Gateway Server service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab.
3. Click on Resource and select the shared disk you have added and the Network Name (this is the name of the Client access point). 4. Press Apply and close the window. For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the PostgreSQL and Acronis Access Gateway Server services as dependencies. Press Apply and close the window.
Bringing the service group online and using the Configuration Utility 1. Right-click on the Acronis Access service group and press Bring this application or service group online. 2. Launch the Configuration Utility. On a clean install, this is generally located at C:\Program Files (x86)\Acronis\Access\Configuration Utility On an upgrade from mobilEcho, this is generally located at C:\Program Files (x86)\GroupLogic\Configuration Utility 3.
5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services. Installation and configuration on the second node 1. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 2.
7. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 8. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
9. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 10. Click OK to complete the configuration and restart the services. 7.3.3 Upgrading a mobilEcho server on a Windows 2012 Failover Cluster to Acronis Access 1. Open the Failover Cluster Manager and double-click on your service group. 2. Delete the mobilEcho service resources.
Note: If you're deploying multiple Acronis Access servers, or you are installing a non-standard configuration, you can select which components to install from the Custom Install button. 9. Either use the default paths or select new ones for each component and press OK. 10. Set a password for the user Postgres and write it down. This password will be needed for database backup and recovery. 11. Choose a location on a shared disk for the Postgres Data folder and press Next. 12.
If you're upgrading, the path will be C:\Program Files (x86)\GroupLogic\mobilEcho Server\ b. Find the database.yml file and open it with a text editor. c. Find this line: database_path: './database/' and replace ./database/ with the path you want to use (e.g. database_path: 'S:/mobilEcho_cluster/database/'). Note: Use slashes (/) as a path separator. Note: You can copy the configured database.yml from the first node and paste it to the second node.
3. Select the proper service and press Next. 4. On the Confirmation window press Next. 5. On the summary window press Finish. Setting an Access Point 1. Right-click on the Acronis Access role and select Add a resource. 2. Select Client Access Point. 3. Enter a name for this access point.
4. Select a network. 5. Enter the IP address and press Next. 6. On the Confirmation window press Next. 7. On the summary window press Finish. Adding a shared disk 1. Right-click on the Acronis Access role and select Add Storage. 2. Select the desired shared drive. Configuring dependencies 1. Select the Acronis Access role and click on the Resources tab For PostgreSQL and Acronis Access File Repository services do the following: 1. Right-click on the appropriate service and select Properties.
2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added. 4. Press Apply and close the window. For the Acronis Access Gateway Server service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the shared disk you have added and the Network Name (this is the name of the Client access point). 4. Press Apply and close the window.
For the Acronis Access Tomcat service do the following: 1. Right-click on the appropriate service and select Properties. 2. Click on the Dependencies tab. 3. Click on Resource and select the PostgreSQL and Acronis Access Gateway Server services as dependencies. Press Apply and close the window. Note: If you want to run the Gateway and Access servers on different IP addresses add the second IP as a resource to the Acronis Access role and set it as a dependency for the network name.
3. Configure the Acronis Access Gateway Server service to listen on the IP address(es) for the Acronis Access Service group. 4. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box.
5. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk. This path should be the same for both nodes. 6. Click OK to complete the configuration and restart the services. Installation and configuration on the second node 1. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 2.
3. Change the value of the key to this: -D "The path you selected for the PostgreSQL data location" -w (e.g. -D "E:/PostgreSQL/data" -w) 4. Close Regedit and continue with the steps below. 5. Move the Acronis Access role to the second node. Using the Configuration Utility on the second node 1. Launch the Configuration Utility.
3. Configure the Acronis Access Server service to listen on the IP address(es) for the Acronis Access Service group. Note: If Accept connections on port 80 is selected, Tomcat will listen for incoming traffic on the unsecure port 80 and redirect it to the HTTPS port you have specified above. If you have another program listening on port 80, do not check this box. 4. Configure the Acronis Access File Repository to listen on localhost and change the Filestore path to be on the shared disk.
3. Stop all of the Acronis Access services (including postgres-some-version). The shared disk must be online. 4. Disable any anti-virus software you have or it may interrupt the installation procedure resulting in a failed installation. 5. Double-click on the installer executable. 6. Press Next to begin. 7. Read and accept the license agreement.
8. Press Upgrade. 9. Review the components which will be installed and press Install. 10. Enter the password for your postgres super-user and press Next. 11. When the installation finishes, press Exit to close the installer. Warning! Do not bring the cluster group online! 12. Move the cluster group to the second node. 13. Complete the same installation procedure on the second node. 14. Bring all of the Acronis Access services online.
8 What's New
In this section: What's New in Acronis Access Server; What's New in the Acronis Access app; Previous Releases
8.1 What's New in Acronis Access Server
Acronis Access 6.1
ENHANCEMENTS Web Services API for the Acronis Access Server administration.
BUG FIXES The active session count will be refreshed when the Gateway Servers page is reloaded. Type-ahead search for selecting users to invite to shared files and folders is now supported on Internet Explorer 8. The Acronis Gateway Server service is now dependent on other key services so it should be assured to start properly when the server starts up.
Acronis Access 6.0.2

BUG FIXES
Includes upgraded OpenSSL DLL to address HeartBleed vulnerability.

Acronis Access 6.0.1

ENHANCEMENTS
Added a new policy to specify which gateway or cluster group will be used to share users’ Active Directory assigned home folders.
Active Directory assigned home folders will now automatically be shared by a gateway without the need to manually create a data source or enable the “Allow User to Add Network Folders by UNC path or URL” policy setting.
Self-provisioned folders now can be added and removed successfully when the profile is configured to use either a gateway server or a cluster group, regardless of whether or not the server or cluster group is online. Policy priority order will be respected, so users will receive the highest priority group policy to which they are entitled. Clients who do not have sync and share enabled will no longer be incorrectly reported as “unmanaged” in the audit log.
A new Advanced Setting for Gateway Servers has been added. If it is enabled, users will authenticate with their UPN (example: username@domain.com). Otherwise, users will authenticate with their separate domain and usernames (example: domain\username). This is sometimes needed when authenticating to some federated scenarios, i.e., SharePoint 365.

BUG FIXES
The Default Language setting in Server Settings has been renamed to be clear that it is the default audit log language.
Error messages from some dialogs are now properly cleared when the error condition is resolved.
Only one instance of the Configuration Utility can now be run at a time.
The Configuration Utility now generates an error if the Gateway Service is configured to bind to all addresses on a port and the Access Server to a specific address on the same port.
By default on clean installs Tomcat is now configured to not listen for shutdown requests on port 8005.
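The two Tomcat listener settings mentioned in this guide (the port 80 redirect to HTTPS and the shutdown port 8005) can be checked in Tomcat's server.xml. The following is an added example, not Acronis code: it assumes the stock Tomcat server.xml layout, and the two sample documents and the function name audit_server_xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the stock Tomcat server.xml layout (not Acronis files).
AS_FOUND = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
  </Service>
</Server>"""

HARDENED = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return (level, message) findings for a Tomcat server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # <Server port="-1"> disables the shutdown listener; any other value
    # means Tomcat waits for the shutdown command on that TCP port.
    shutdown_port = root.get("port", "unset")
    if shutdown_port != "-1":
        findings.append(("WARN", f"shutdown listener on port {shutdown_port}"))

    connectors = list(root.iter("Connector"))
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}

    for conn in connectors:
        port = conn.get("port")
        if port in tls_ports or conn.get("protocol", "").startswith("AJP"):
            continue
        # Tomcat uses 443 when redirectPort is not set on a connector.
        target = conn.get("redirectPort", "443")
        if target in tls_ports:
            findings.append(("INFO", f"HTTP port {port} redirects to TLS port {target}"))
        else:
            findings.append(("WARN", f"HTTP port {port} redirects to {target}, "
                                     "which has no TLS connector"))
    return findings


if __name__ == "__main__":
    for name, doc in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(name)
        for level, message in audit_server_xml(doc):
            print(f"  [{level}] {message}")
```

To check a real installation, pass the contents of that server's own server.xml to audit_server_xml instead of the constructed samples.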
Acronis Access Server can now be installed on a Windows Failover Cluster, for Windows Server 2003 SP2, 2008/2008R2 and 2012/2012R2. Please see Installing Acronis Access on a cluster (p. 160) and Upgrading Acronis Access on a cluster (p. 196) for instructions on how to install or upgrade in this configuration. BUG FIXES Email notifications are now sent properly after an upgrade when custom templates were used. Newly created data sources are now checked to see if they are searchable immediately.
BUG FIXES Fixed an issue where the database migration from mobilEcho 4.5 to 5.0 would fail if there were device password resets still pending which had been created in an earlier version of mobilEcho. This caused an error to be displayed in the web browser when starting up the server similar to the following: ActiveRecord::JDBCError: ERROR: value too long for type character varying(255): INSERT INTO "password_resets" ....
The previous revisions feature for finding / downloading / restoring previous versions of files has been redesigned and is more flexible. Previous revisions can be selected to be "made current". activEcho desktop clients (Mac/Windows) now show progress indicators for files being synchronized. Notifications can now be configured to be sent when a file is downloaded / synced. Improved user interface responsiveness for re-assigning content when there are 1000s of users in the system.
New policy options allow specification that content on the device within the "My Files" and "File Inbox" folders expires and is removed after a certain amount of time. When sending an enrollment invitation to an Active Directory group, users who are already enrolled through another group can be filtered out. A warning is presented if a user is invited for enrollment but does not match any existing user/group policy.
8.2 What's New in the Acronis Access app Access Mobile Client 6.1 ENHANCEMENTS Added support for iOS 7 managed app configuration. Miscellaneous fixes and improvements. Updated MobileIron AppConnect integration to version 1.7. Addressed an issue where iWork files might appear as zip files. Added new mobilecho:// link variables (action=edit & action=preview) that can be used to automatically open the linked file. Access Mobile Client 6.0.
mobilEcho 4.5.2 ENHANCEMENTS Added support for using smart cards to unlock the mobilEcho app and to authenticate with mobilEcho servers. This feature utilizes the Thursby PKard Reader app and the smart cards (CAC, PIV, etc) and card readers the Thursby app supports. Miscellaneous fixes and improvements. mobilEcho 4.5.1 mobilEcho now supports iOS 7, both when operating as a standalone app and when MobileIron AppConnect-enabled. Miscellaneous fixes and improvements. mobilEcho 4.
well as the web application. Acronis Access Server 6.0 can be installed as an upgrade to mobilEcho and/or activEcho and existing licenses will continue to work. Customers are entitled to exchange their existing mobilEcho and/or activEcho license(s) for a new Acronis Access license that will enable the full functionality of the combined product. To request this upgrade, please submit this web form. For the latest information, please visit the What's New in Acronis Access Server (p. 228) article. activEcho 5.
Improved file upload handling, including progress indicators in the web interface and the ability to cancel uploads. Folders can be downloaded as a ZIP file from the Projects view in the Web UI. Sharing invitation dialogs now support type-ahead against both local users and users in Active Directory / LDAP. The previous revisions feature for finding / downloading / restoring previous versions of files has been redesigned and is more flexible.
activEcho 2.7.3 (Released: June 2013) ENHANCEMENTS: Switched to using the official AWS library file for Amazon S3 connections. Files now can be successfully uploaded to any of the eight Amazon S3 bucket regions. BUG FIXES: Pending users can now be deleted without error. Files which were not fully uploaded to the Amazon S3 file repository will now be removed from the repository if the repository is accessible after the upload failure occurs.
activEcho 2.7.0 (Released: February 2013) ENHANCEMENTS: Mac and Windows sync clients will now be notified when they have updated content available for download. These notifications will reduce load on the server and improve performance by avoiding many unnecessary requests from clients to the server to check for updates when none are available. Mac and Windows sync clients have been made more resilient to errors on single files and folders.
Files will no longer be marked deleted if they can't be found in the repository. They will need to manually be removed. Tomcat no longer needs to be restarted when S3 repository settings are changed. All activEcho server logging is now written to a date-stamped activEcho.log file which is rotated daily. This log file can be found inside the Tomcat logs folder. A configuration flag has been added to allow the activEcho web server to support HTTP connections instead of HTTPS.
Duplicate files will no longer appear in the web interface if you pause and resume the client in the middle of uploading a file. Fixed a Mac client bug where the client receives an error when a file is deleted off the server side while the client is downloading the file. The sync client will no longer fail to complete in rare cases where folders are aggressively renamed with similar names. The sync client will no longer attempt to delete files repeatedly if it cannot succeed.
Quotas can now be defined specifically for administrative users. Automatic purging of user accounts if no activity has occurred, or a specific absolute time has passed. Support for configuring the length of time before expiration of shared links. New share permissions allow owner to hide display of share members to non-owners, and prevent non-owners from inviting others. New behavior when unsharing projects: local data will be deleted from the client on next connection.
The domain for LDAP authentication list can use either ; or , as a delimiter. Various improvements on syncing files and folders where an item or the parent folder(s) have been deleted. Fixed file modification dates that were not set properly based on timezones under some circumstances. Period is a valid character in S3 bucket names when using Amazon S3 for the file repository. Fixed high CPU usage on both Mac and Windows desktop clients. Miscellaneous other bug fixes. activEcho 2.5.
The activEcho 2.5 client is not compatible with the 2.1 server. Please upgrade your server to 2.5 first, and then upgrade the clients. The activEcho 2.1 client is compatible with the 2.5 server but will not have all of the new features available. ENHANCEMENTS: Support for quotas. Different quota values can be set for Active Directory vs. ad-hoc users, as well as based on Active Directory group membership.
Email template notification errors could occur after a user is deleted from activEcho if they were sharing content. LDAP settings are no longer validated if LDAP has been disabled in the management settings. When a folder is unshared, the owner can now see past events in the web log for that folder. The web log allows filtering of past events for users who are no longer part of the shared folder.
Miscellaneous usability enhancements. BUG FIXES: Various bug fixes related to authentication with Active Directory via email addresses. The built-in Administrator account will now never use Active Directory for authentication. Miscellaneous bug fixes in desktop syncing. activEcho 2.0.2 (Released: March 2012) BUG FIXES: Improvements to desktop syncing when Microsoft Office files are edited directly in the activEcho Folder. Various bug fixes in desktop syncing.
ENHANCEMENTS Users with mobilEcho 5.1 or later on iOS can now create their data sources directly from the application to access any file share or SharePoint location. Users enter UNC paths or SharePoint URLs from the client. New policy settings have been introduced on the management server to control whether clients are allowed to create these data sources, and which Gateway Servers are used for these requests. Multiple Gateway Servers can now share a common configuration via a Cluster Group.
mobilEcho 5.0.3 BUG FIXES When configuring data sources the %USERNAME% token can now be used as part of a folder name, instead of the whole name. Newly created data sources are now checked to see if they are searchable immediately. Previously they were only checked in 15 minute intervals. Search is now available on data sources that add search indexing after the Gateway Server has started. mobilEcho 5.0.
mobilEcho 5.0 ENHANCEMENTS The mobilEcho Client Management Server is integrated with Acronis Access Server and built on Apache Tomcat and PostgreSQL database for improved scalability and resilience. The mobilEcho Administrator previously used to manage individual mobilEcho servers has been removed; Access Gateway Servers (formerly mobilEcho File Access Servers) are now managed directly within the Acronis Access Server web administration user interface.
BUG FIXES Home directory configuration is now retrieved properly when LDAP is configured to use the global catalog. Improved handling of Active Directory lookups when trailing spaces are used. The "Enrolled at" date is now formatted properly when exporting to .CSV file. Improved support for displaying Unicode via the web administration user interface. SharePoint folders ending with a space can now be enumerated by clients.
Increased the maximum volume name length to 127 UTF-8 characters to allow for longer volume names when using Unicode characters. Added separate columns to the exported .csv devices list for display name and common name to make the usernames more clear. BUG FIXES: Fixed an issue where the exported .csv devices list would display the domain name incorrectly if the domain name contained numerical characters.
mobilEcho 4.3 (Released: March 2013) ENHANCEMENTS: The mobilEcho server now supports mobilEcho clients with optional support for MobileIron AppConnect activated. The server now allows administrators to require or restrict mobilEcho access to iOS clients with AppConnect enabled. This setting is located in the "Settings" window of the "mobilEcho Administrator" application, on the "Security" tab. BUG FIXES: Fixed an issue where clients upgrading from mobilEcho Server 4.0.
Fixed a problem where whitelists and blacklists could not be assigned when adding or editing a user or group profile. Fixed a problem where files that were already on the device could sync again unnecessarily if the sync source was within an activEcho volume. The password field on the login page of the client management web UI now has auto-complete disabled. Removing a user or group profile now causes the name information for that user/group to be removed from cache.
Added a column to the LDAP search table for Distinguished Name so that users with the same name in different subdomains can be distinguished. Added new management profile setting to allow or disallow users from opening and/or sending links to files. Added client Good Dynamics status in the management server Devices list. Devices enrolled with Good Dynamics will no longer have the "Reset App Password" option available. The app password is managed within the Good Control console in this scenario.
Fixed a problem where selecting the "Reindex all volumes" button in the mobilEcho Administrator would generate an invalid error message. Fixed a problem where filtering on a Unicode string in the Client Management Administrator could generate an "incompatible character encodings" error. SharePoint "Wiki Page Gallery" libraries are now removed from site enumerations because they are not supported by mobilEcho. Fixed a problem where new profile settings could become corrupted on upgrade.
ENHANCEMENTS: Added profile settings for "Number of days to warn of pending lock" and "Number of days to warn of pending wipe". These settings relate to existing settings that can wipe or lock the mobilEcho app if the device does not contact the management server for a specified period of time. Added pagination, filtering and sorting to the Users and Groups pages within the mobilEcho Client Management server.
The mobilEcho Client Management server can now filter the invitations tables by username. The mobilEcho Client Management server can now export the devices list to a .csv file. The mobilEcho Client Management server now sorts and paginates the devices, users, groups and invitations tables. Added a profile setting to allow/disallow users from creating bookmarks. Added a profile setting to disable My Files while still allowing sync folders.
Fixed a problem where users could fail to see their home directories if the client authenticated to the management server with a user principal name (UPN) such as user@domain.com. Fixed a problem where the "%USERNAME%" wildcard would fail to use the correct username if the client authenticated to the management server with a user principal name (UPN) such as user@domain.com. mobilEcho 3.6 (Released: April 2012) ENHANCEMENTS: Improved performance of Active Directory lookups for users and groups.
Fixed a problem where the server could allow mobilEcho clients to overwrite files that were flagged as read-only. Fixed some mobilEcho Client Management display issues on Mac Safari. Fixed a problem where Verizon iPad 3 devices were displayed as "AT&T" (and vice versa) in the mobilEcho Client Management devices page. Fixed a problem where the mobilEcho Administrator could crash when viewing the list of connected users. Fixed a problem where the invitation email would fail to show the username. mobilEcho 3.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mobilEcho\Parameters4\Refreshable\Pez\GetShowHiddenSMBShares

BUG FIXES:
Fixed a problem where the mobilEcho Client Management server would appear to allow access without a proper username and password.
Fixed a problem where files would incorrectly require a sync after a change in daylight savings time.
Fixed a problem where renamed files would continue to be returned in search results when searching under the old filename.
The text of enrollment invitation emails can be customized. Please visit the GroupLogic Knowledge Base for more information: http://support.grouplogic.com/?p=3749 Added a setting to the management configuration file to control the name that enrollment invitation emails appear from (e.g. "mobilEcho Invitation "). Version 3.0 only allowed an address to be specified (e.g. "mobilEcho_invitation@example.com").
Fixed a problem in the mobilEcho Administrator where the Help button would not adjust properly as the Users window was resized. mobilEcho 3.0 (Released: October 2011) ENHANCEMENTS: Centrally managed device enrollment. Client enrollment invitations are now generated and emailed to the user from the mobilEcho Client Management Administrator. These invitations include a one-time use PIN number required for client enrollment. Remote wipe and remote reset of app passwords is now performed on a per-device basis.
Fixed a bug when listing the contents of folders which may have resulted in slow performance or client timeouts if many of the folders were not accessible to the client. mobilEcho 2.1.0 (Released: July 2011) ENHANCEMENTS: Added the ability to create mobilEcho shares that reshare data on a remote system. The mobilEcho reshare feature is only available for customers with an enterprise license. Reshares can be a particular share (e.g. "\\server\share") or an entire server ("\\server\").