
Microsoft® Office Groove® Server 2007

Groove Manager

Server Administrator’s Guide


Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Copyright © 2006 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Office Excel, Office InfoPath, Office Outlook, Office PowerPoint, Office Word, and Windows SharePoint Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Table of Contents

Copyright

Overview of Groove Manager
  Groove Manager Architecture
  Website Component
  Database Component
  Communications Protocols
  Management Domains
  Groove Manager Functionality
  Groove Manager Administration
  Management Domain Administration
  The Groove Manager System Administrator’s Guide

Site Planning
  Capacity Planning
  Security
  Network Requirements
  Recommended Best Practices
  Failure Contingencies

Installing and Configuring the Groove Manager
  Requirements
  Hardware
  Software
  Expertise
  Setting Up the SQL Server
  Setting Up the Groove Manager IIS Server
  Configuring IIS
  Groove Manager Web Site Setup
  Creating a Custom Groove Manager Web Site (optional)
  Installing and Configuring the Groove Manager
  Before You Begin
  Installing the Groove Manager
  Accessing the Groove Manager Administrative Web Site
  Accessing the Groove Manager Administrative UI
  Groove Manager Administrative UI Overview
  Getting Help
  Setting Administrative Preferences
  Changing the Language of the Administrative Web Pages
  Securing the Groove Manager Administrative Web Site
  Security Recommendations
  Defining an Initial Administrator Role
  Configuring an Initial Groove Manager Domain
  Configuring SMTP for the Groove Manager
  Utilizing Onsite Directories of User Information
  Deploying Groove on Client Devices
  Setting up Groove Auto-Account Configuration/Restoration
  Enabling Auto-Account Configuration/Restoration
  Setting up Groove Auto-Activation
  Viewing and Editing Groove Manager Server Properties
  Upgrading the Groove Manager
  Uninstalling the Groove Manager

Adding and Managing Domains
  Adding a Groove Management Domain
  Enterprise vs. Groove PKI
  Password/Smart Card Reset Private Key
  Creating a Management Domain
  Viewing and Editing Groove Manager Domains
  Deleting a Groove Management Domain

Managing Administrative Roles
  Setting Administrator Roles
  Role-Based Access Control
  Enabling Administrative Access Control
  Adding Administrators
  Editing Administrator Roles
  Deleting Administrators

Defining a Directory Server
  Overview of Directory Integration
  Adding a Directory Server
  Before You Begin
  Defining a Directory on the Groove Manager
  Integrating User Data with a Management Domain
  Editing a Directory Server
  Customizing Management and Directory Server Mapping
  Configuring Directory Synchronization
  Scheduling Directory Synchronization
  Manually Triggering Data Synchronization
  Viewing Directory Synchronization Status
  Automating Directory Integration
  Deleting an Integration Point
  Deleting a Directory Server

Monitoring the Groove Manager
  Viewing the Audit Log
  Exporting Reports
  Using the Windows Event Viewer for Server Diagnostics

Auditing Groove Activity
  Overview of Groove Client Auditing
  Groove Audit Requirements
  Installing and Configuring Groove Client Auditing
  Interpreting Client Audit Data

Troubleshooting the Groove Manager Server
  Groove Manager Problems
  Auto-Account Configuration Problems

Index

Overview of Groove Manager

The Microsoft® Office Groove® Server 2007 is a Windows-based software package that provides comprehensive services for managing Microsoft Office Groove. The Office Groove Server 2007 contains three components: the Groove Server Manager, Groove Server Relay, and Groove Server Data Bridge applications, any of which can be installed on Windows servers in a corporate network.

The Groove Server Manager (Groove Manager henceforth) component of the Office Groove Server enables administrative control of Groove clients, as well as oversight of Groove Relay and operations. Groove administrators and clients communicate with the Groove Manager via its Web site, which provides both an administrative interface and a base for client contact. The site’s administrative Web interface allows two levels of control - server management and domain management. The Groove Manager’s SOAP-based client interface allows the Groove client application to access the Groove Manager server for identity and device policies and relay assignments, and to report Groove-related events.

From the administrative Web interface, secured by its underlying IIS configuration, administrators can perform the following server system-level tasks:

• Create management domains.

• Define administrative roles.

• Monitor server events.

• Integrate an onsite LDAP directory server with an onsite Groove Manager.

Note: Microsoft Office Groove Enterprise Services provides an alternative to an onsite Groove Manager installation, enabling the same domain-level administration as that provided by an onsite Groove Manager, without the added overhead of maintaining the Groove Manager servers.

For detailed information about Groove Domain management, via an onsite Groove Manager installation or Groove Enterprise Services, see “Overview of Groove Domain Administration” and the topics listed under Groove Manager Domain Administration in the latter half of the online Help.

Information in this overview covers the following system-level topics:

• Groove Manager Architecture

• Groove Manager Functionality

• The Groove Manager System Administrator’s Guide


Groove Manager Architecture

The main physical components of the Groove Manager are an IIS server and a SQL database server. A set of communication protocols, the application Web interfaces, and underlying software reside on the IIS server; system databases reside on the SQL server. Other integral components of a Groove management system are Groove clients and supporting relay servers. Relay servers provide message storage and forwarding, and other peer-to-peer services when direct client connections are unavailable or infeasible. Optional components include the Groove client auditing application and corporate LDAP directory integration. Figure 1, below, shows the relationships between management (IIS and SQL) servers, supporting relay servers, and Groove clients.

Management domains, defined by the server administrator, are the fundamental management unit of a Groove Manager. All managed Groove users are members of a Groove Manager domain that defines Groove usage policies and assigns relay servers for those members. In addition, if Groove devices are registered with a management domain (as recommended), device-based policies govern Groove activities (such as password creation) on those devices.

The following sections describe the main components of a Groove Manager:

• Website Component

• Database Component

• Communications Protocols

• Management Domains

For information about the Groove Relay server, see the Groove Relay Administrator’s Guide included with the Groove Relay component of the Groove Server.


Figure 1. Interaction of Groove Servers and Clients

Website Component

The interactive portion of the Groove Manager is its Web site, built on a Windows IIS server. The IIS login procedures in place at an enterprise secure the site. The Web site consists of two interfaces: an administrative interface and an Internet-accessible client interface.

The following sections describe the main features of the Groove Manager Web interfaces:

• Administrative Interface

• Client Interface

Administrative Interface

The administrative Web interface, created during Groove Manager installation on the IIS server, enables server administrators to manage Groove Manager operation and Groove usage in their organizations. While this interface relies on the underlying security configured in IIS by the site administrator, a built-in role-based access control system offers an additional level of security.

The Groove Manager server administration interface consists of the following major elements:

• Management Domains - Collections of Groove users, policy templates, and relay server sets.

• Administrative roles - Administrative roles and permissions, defined by Groove Manager administrators as part of the Groove Manager Role Based Access Control (RBAC) system. When RBAC is enabled, administrators determine who can access which parts of the Groove Manager administrative Web interface.

• Reports - Server-wide audit log of Groove Manager events.

• Corporate directory support - Corporate directory server definitions for integrating user information with the Groove Manager, if an LDAP server directory is installed onsite at an enterprise. Directory integration requires an onsite Groove Manager server; it does not apply to Groove Enterprise Services.

Once management domains are configured in the Groove Manager, administrators can access domain Web pages, as well as directory integration pages (to use enterprise directories for adding user information to a domain), role-setting pages, and Groove Manager event reports. Domain pages allow administrators to manage Groove users and devices, provisioning them with Groove Relay servers and enforcing Groove usage policies.

Management domain administration does not require server-level permissions and is usually assigned to domain administrators. The Groove Enterprise Services package presents only this domain portion of the Groove Manager interface. For detailed information about the domain management portion of the administrative interface, see the Groove Manager Domain Administration portion of the Help.

Client Interface

Groove clients access the Groove Manager via an Internet-accessible Simple Object Access Protocol (SOAP) interface on the Groove Manager. The Groove Manager does not initiate communications with Groove clients, but responds to requests from client devices.

At periodic intervals (generally every five hours), clients contact the Groove Manager for the latest user and device policies, and relay server assignments. Clients also report Groove user events to the Groove Manager via this SOAP interface. This periodic contact is the primary mechanism by which all information is exchanged between the Groove Manager and the Groove client software.

Groove Relay servers facilitate Groove peer communications at various levels, including storing and forwarding messages, enabling firewall navigation, and overcoming network discontinuities. As part of a managed Groove environment, specific Groove Relay servers - installed onsite as part of the Groove Server or procured through Groove Enterprise Services - must be registered with the Groove Manager. For more information about the role of Groove Relay servers in a managed Groove installation, see the Groove Relay Administrator’s Guide, included with the Groove Relay component of the Groove Server.

Database Component

Groove Managers store all data, including user account and device information, in a Microsoft SQL Server database. The local IIS/Groove Manager server is not used for data storage. Server administrators can use SQL-compatible reporting tools to create customized Groove usage reports from the Groove Manager information stored in SQL views. If the Groove client auditing option is part of the installation, the same SQL server can support Groove auditing as well as other Groove Manager activities.

Communications Protocols

The Groove Manager is a Web application and utilizes various Web-compatible protocols, primarily HyperText Transfer Protocol (HTTP), to process Groove administrative input and client requests through its Web site. Administrators interact with the Groove Manager using a browser to access its administrative Web site. Groove clients communicate with the Groove Manager by sending XML-based Simple Object Access Protocol (SOAP) requests over HTTP to which the Groove Manager responds. The Groove Manager never initiates connections with Groove clients.

The Groove Manager also uses SOAP to communicate with any Groove Relay servers that it is managing. SOAP exchanges with Groove Relay servers are always initiated by the Groove Manager.

To communicate with the SQL server which stores all Groove Manager data, the Groove Manager uses Microsoft’s OLE DB data access specification. To communicate with any LDAP-based directory servers that the Groove Manager is configured to support, the Groove Manager uses Lightweight Directory Access Protocol (LDAP).
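The connection directions described in this section, together with the ports listed in this guide's protocol table, amount to a flow policy that can be checked against firewall or flow records. The following is an added example, not part of the original guide or of any Microsoft tooling; the host roles, the "src dst dport" record format, and every address in it are constructed for illustration, and the client-to-relay entry is one reading of the table's SSTP row.

```python
"""Check observed TCP flows against the initiation rules this guide documents.

Added illustration, not Microsoft code. Host roles, the record format and
all addresses below are constructed for the example.
"""
from typing import NamedTuple

# Ports from the guide's protocol table; 1433 and 389 are "typical" values
# and must be changed if the SQL or LDAP server listens elsewhere.
HTTP, SQL, LDAP, SMTP, PEER = 80, 1433, 389, 25, 2492

# (initiator role, responder role) -> allowed destination ports.
ALLOWED = {
    ("client", "manager"): {HTTP},   # client SOAP requests over HTTP
    ("client", "relay"): {HTTP},     # SSTP encapsulated in HTTP (assumed reading)
    ("client", "client"): {PEER},    # peer-to-peer, inbound 2492 on clients
    ("manager", "relay"): {HTTP},    # SOAP, always initiated by the Manager
    ("manager", "sql"): {SQL},
    ("manager", "ldap"): {LDAP},
    ("manager", "smtp"): {SMTP},
}

# Directions the guide rules out explicitly, with the reason to report.
FORBIDDEN = {
    ("manager", "client"): "Manager never initiates connections with clients",
    ("relay", "manager"): "Manager-Relay SOAP is always initiated by the Manager",
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def classify(flow, roles):
    """Return (verdict, reason) for one flow; verdict is 'ok' or 'alert'."""
    src_role = roles.get(flow.src, "unknown")
    dst_role = roles.get(flow.dst, "unknown")
    pair = (src_role, dst_role)
    if pair in FORBIDDEN:
        return "alert", FORBIDDEN[pair]
    ports = ALLOWED.get(pair)
    if ports is None:
        return "alert", f"no documented flow from {src_role} to {dst_role}"
    if flow.dport not in ports:
        return "alert", f"{src_role}->{dst_role} on unexpected port {flow.dport}"
    return "ok", "documented flow"


def parse(line):
    """Parse one 'src dst dport' record (constructed format) into a Flow."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def audit(lines, roles):
    """Return the alerting flows with their reasons, skipping blanks and comments."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse(line)
        verdict, reason = classify(flow, roles)
        if verdict == "alert":
            findings.append((flow, reason))
    return findings


# Constructed inventory and flow records (private RFC 1918 addresses).
ROLES = {
    "10.0.1.10": "manager", "10.0.1.20": "sql", "10.0.1.30": "ldap",
    "10.0.1.40": "smtp", "10.0.2.10": "relay",
    "10.0.9.5": "client", "10.0.9.6": "client",
}
SAMPLE = """\
# src dst dport
10.0.9.5 10.0.1.10 80
10.0.1.10 10.0.2.10 80
10.0.1.10 10.0.1.20 1433
10.0.9.5 10.0.9.6 2492
10.0.1.10 10.0.9.5 80
10.0.2.10 10.0.1.10 80
10.0.9.6 10.0.1.20 1433
10.0.1.10 10.0.1.30 636
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE, ROLES):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The last four sample records alert: a Manager-initiated connection to a client, a relay-initiated connection to the Manager, a client reaching the SQL server directly, and an LDAP connection on a port other than the configured one.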

The following table summarizes Groove Manager protocols:

Groove Server and Client Protocols | Listening Ports Used | Functions
SSTP over Hypertext Transfer Protocol (HTTP) | Port 80 | Used by Groove clients, and Groove Relay servers. Supports HTTP encapsulation of SSTP.
Simple Object Access Protocol (SOAP) | Port 80 | Used by Groove Manager to listen to client SOAP requests and to communicate with Groove Relay servers.
Open Database Connectivity (ODBC) | Port 1433 (typically). Inbound on SQL database server. Outbound from Groove Manager to SQL database server port 1433 (typically). | Used by Groove Manager to contact the SQL database server.
LDAP | Port 389 (typically) | Used by Groove Manager to integrate with optional LDAP-based directory server.
Simple Message Transfer Protocol (SMTP) | Port 25 | Used by a Groove API, called by the Groove Manager, to forward e-mail containing Groove account configuration codes to a mail host for sending to Groove clients.

Management Domains

A management domain is an organizational unit, such as Contoso Corporation. One or more domains form the top-level management units on a Groove Manager. Each domain contains one or more groups of Groove users, along with a collection of identity and device policy templates and relay server sets.

The Groove Manager provides an initial domain, but server administrators can add others. Each management domain is independent of other management domains - users and devices in one domain are not subject to another’s policies or relay assignments. However, the Groove Manager’s cross-domain certification feature allows administrators to establish a trust relationship among domains.

Users gain domain membership via a managed Groove identity defined for them on the Groove Manager. Once the account associated with this identity is configured on a client device, the Groove software begins polling the Groove Manager periodically for updates to products and policies, and to report statistics.

Domains encompass the following types of objects:

• Groups

• Managed Identities

• Managed Devices

• Device and Identity Policy Templates

• Relay Server Sets

Groups

Each management domain contains at least one group - an initial top-level group, and any sub-groups that an administrator wishes to create. Each group, such as a Sales Division group, consists of a collection of Groove identities (members) associated with specific identity policy and device policy templates, and a relay server set. Administrators can edit group properties and move members between groups.

Managed Identities

A managed user is a member of a management domain. Administrators add Groove users to a domain by adding user information to a domain group - manually from a file or imported from a corporate directory server. Administrators then distribute account configuration codes to each user. Once a user applies the codes to Groove, Groove uses the associated identity information to create a managed identity for that user. Managed identities are management domain members, governed by domain usage and security policies, and assigned to Groove Relay servers. The Groove Manager provides a central directory of domain member contact information that appears in Groove contact lists so that collaborating Groove users in an organization can easily find each other.

Managed Devices

A managed device is a client PC that an administrator has registered with the Groove Manager. Once an administrator downloads a management domain registry key to a client device, the device becomes subject to domain rules, or policies. Administrators can set a domain policy to remove devices from the domain after 90 days of inactivity.

Device and Identity Policy Templates

Policies are rules that control Groove activities within a management domain group. Certain policies apply to managed identities; others to managed (registered) devices. Collections of policy settings reside in identity or device policy templates, which administrators can assign to domain groups. The Groove Manager supplies an initial modifiable identity and device policy template for each domain, to which administrators can add others.

All policy changes to identities and devices are propagated to Groove clients automatically during periodic contact with the Groove Manager. Once a policy setting arrives at the Groove client, or in some cases at Groove startup or login, Groove prevents policy violations.

Identity policy templates include settings that control the following:

• Availability of Groove contact information.

• Whether managed identities must be used on managed devices.

• User password reset.

Device policy templates include settings that control the following:

• Password creation, such as minimum length and expiration period, that apply to managed devices in a domain or group.

• Managed identity use on multiple accounts.

• Groove client event auditing.


Relay Server Sets

Groove relay servers facilitate communication among Groove users, enabling communications when direct client connections are unavailable or infeasible. Public relay servers support the general community of Groove users. Enterprise relay servers, installed as the Groove Relay component of the Groove Server, support onsite Groove Manager installations. Using the Groove Manager interface, Groove administrators can provision Groove users with enterprise relay servers. These relay server assignments override default assignments to public Groove relay servers.

In order for relay provisioning to take place, administrators must first register the relay servers with the Groove Manager. Then each relay server is added to a set, a container for one or more relay servers, which administrators can assign to domain groups or individual users. If multiple relay servers are installed at a site, administrators can assign managed users to a sequence of relay servers, to provide redundancy and fallback.

Groove Manager Functionality

The Groove Manager provides central administrative control over Groove usage within an organization. Groove clients periodically connect to the Groove Manager in order to receive the latest administrative changes and report statistics. Via an administrative Web interface, administrators can create management domains, view server reports, define administrator roles, and accomplish other tasks essential to managing Groove use on a corporate scale.

Two levels of administration are possible through the Groove Manager: server administration and the administration of management domains. A Groove Manager installed onsite at an enterprise affords both levels of administration, as described in the following sections:

• Groove Manager Administration

• Management Domain Administration

Groove Manager Administration

With the Groove Manager application installed onsite, administrators can manage the server as well as Groove users and devices. With Microsoft-hosted Groove Enterprise Services, enterprise administrators manage only Groove users and devices within a management domain.

Groove Manager server-level administration involves the following tasks, performed from the Groove Manager administrative Web interface:

Server-Level Tasks | Description
Defining administrator roles | As a recommended added security level, administrators can enable Role Based Access Control (RBAC) for the Groove Manager, limiting Groove Manager administrative rights to specific administrators defined on the system.
Defining management domains | The Groove Manager supplies an initial domain, and server administrators can create additional domains. Once the management server is configured with management domains, domain administrators can add users to the domain and provision them.
Monitoring Groove Manager server events, via the audit log | The Groove Manager logs server events (such as the addition of a new administrator) to an audit log report, accessible from the server-level Reports tab of the administrative Web interface.
Integrating LDAP directories with an onsite Groove Manager | The Groove Manager administrative interface allows server administrators to import user information from directory server organizational units (OUs) into the Groove Manager, automating the process of adding Groove identities to a management domain.

Management Domain Administration

The interface for administering management domains appears in full on both onsite Groove Manager and Groove Enterprise Services, providing that administrators have the necessary permissions. This section highlights the most important aspects of domain administration. For detailed information about management domain administration, see the Groove Manager Domain Administration portion of the Help.

Management domain administration involves the following tasks, performed from the Groove Manager administrative Web interface:

Domain-Level Tasks | Description
Creating managed Groove identities | To manage Groove users, administrators add Groove user information to a Groove Manager domain (utilizing corporate user databases if LDAP directory servers are installed onsite and registered with an onsite Groove Manager) and then distribute managed identities to each user, placing them under domain administrator control.
Managing Groove devices | Registering Groove client devices with the Groove Manager allows administrators to manage devices through domain-wide or group-wide device usage and security policies.
Setting Groove identity policies | Setting Groove identity policies for a domain or group controls publication of Groove identity information, user account backup, peer authentication, and other user activities.
Setting Groove device policies | Setting device policies for a domain or group controls Groove password creation, cross-domain certification, and other Groove-related activities on managed devices.
Provisioning Groove users with Groove Relay servers | This task involves registering any onsite Groove Relay servers with the Groove Manager and assigning relay server sets to domain or group members.
Viewing Groove usage reports | When a managed identity or device exists on a Groove client, the Groove software periodically reports various usage statistics and audit log events to the Groove Manager, including information about managed user activities, Groove spaces and Groove tool usage.
Administering password reset | A Groove Manager device policy allows administrators to control user reset of unknown or forgotten user passwords, and optionally to recover Groove data.
Backing up Groove user accounts | A Groove Manager identity policy allows administrators to schedule automatic account backup for users in a management domain. Backed-up information includes user contacts, the user’s Groove space list, identities and contact information, and identity policies.
Administering Groove client auditing | If Groove’s client auditing feature is installed onsite along with the Groove Manager, administrators can set a Groove Manager device policy that enables auditing of managed Groove client activity. (Groove client auditing requires an onsite Groove Manager server; it does not support Groove Enterprise Services.)

The Groove Manager System Administrator’s Guide

This Groove Manager System Administration portion of the Help provides instructions for administering the Groove Manager server system. For information about management domain administration, see the Groove Manager Domain Administration portion of the Help, which also includes a Glossary.

This Groove Manager System Administration portion of the Help covers the following topics:

Topic | Content
Overview | Describes the Groove Manager server system functionality and architecture.
Installing and Configuring the Groove Manager | Provides instructions for installing, configuring, and monitoring the Groove Manager and supporting SQL server, and guidelines for setting up Groove clients.
Managing Groove Domains | Provides instructions for adding, modifying, and deleting management domains.
Managing Administrative Roles | Provides guidelines for defining Groove Manager administrator roles and permissions.
Defining a Directory Server | Provides guidelines for integrating an existing corporate directory server (if installed at your site) with the Groove Manager.
Monitoring the Groove Manager | Provides instructions for accessing Groove Manager Audit and Event Viewer logs.
Auditing Groove Activity | Provides instructions for installing and setting up Groove client auditing at your site, and provides basic information about interpreting Groove client auditing data.
Troubleshooting the Groove Manager Server | Lists common problems related to the Groove Manager and suggests ways to address them.

Site Planning

The Groove Server Manager is a Web-based application for managing Groove clients. As a component of the Microsoft Office Groove Server 2007 installed on your corporate network, the Groove Server Manager (subsequently called Groove Manager) enables server control, as well as administrative oversight of Groove user and device activity. As an alternative, you can access Groove Manager functionality by engaging Microsoft Office Groove Enterprise Services, which allows you to manage Groove users and devices without the overhead of managing the server.

The associated Groove Server Relay, subsequently called Groove Relay, application can also be engaged as an onsite component of the Microsoft Office Groove Server or via Groove Enterprise Services. For specific information about Groove Relay servers, see the Groove Relay Administrator’s Guide included with the Groove Relay component of the Office Groove Server.

The Groove Manager Domain Administration portion of the Help provides comprehensive information about using Groove management domains to administer Groove users and devices.

The following sections summarize basic site planning issues and best practices to consider when setting up the Groove Manager server application at your site:

• Capacity Planning

• Security

• Network Requirements

• Recommended Best Practices

• Failure Contingencies

Capacity Planning

One Groove Manager device typically supports up to 10,000 Groove users, with the hardware configuration recommended for a standard installation. A second Groove Manager is generally recommended to support a larger user base. Larger-scale implementations, with additional RAM and disk storage capacity, can leverage the scalability of the underlying IIS and SQL platforms.

When Groove is being used heavily in a workspace with fifty members, each member of the workspace sends, on average, approximately 350 bytes/second over the network during a typical workday. The number of users that your system can support largely depends on the hardware configuration of the Internet Information Service (IIS) and SQL servers that comprise the Groove Manager installation. Monitor Groove and Groove Manager performance to consider if and when additional hardware or software may be necessary. For the SQL server, in an environment of approximately 5 transactions per user per hour, plan on 6 MB of storage per managed Groove user, including space for account backup.

Security

Groove client and server software both provide built-in security systems designed to prevent unauthorized access and protect data resources. In addition to the built-in security mechanisms provided by the Microsoft Office Groove application, Groove Manager provides additional layers of security, including the following:

• Groove’s symmetric key encryption helps ensure the integrity of bi-directional data transmissions between Groove clients and the Groove Manager.

• Role-based access control settings ensure that only designated administrators can access Groove Manager Web pages.

• Certificates (signed contact information) provided by the Groove Manager’s stand-alone Public Key Infrastructure (PKI) functionality provide for automatic user authentication. The Groove Manager also supports user authentication via third-party, enterprise PKI-issued certificates. See the Groove Manager Domain Administration portion of the Help for more information about the Groove Manager’s implementation of PKI.

• Critical server information stored on the SQL server (including signature and encryption keys, and passwords) is secured by encryption with a master password.

• User identity policy settings allow administrators to determine such activities as the level of interaction allowed between managed domain members and non-member Groove users, how user passwords are reset, and what file types Groove blocks from managed user workspaces.

• Device policy settings allow administrators to determine such practices as Groove password and smart card login requirements, account lockout behavior after failed login attempts, and the use of strong private key protection.

Security is an important consideration when distributing Groove account configuration codes that enable the deployment of managed identities among your PC users. The preferred account configuration code distribution method is via the Groove Manager automatic account configuration feature. Otherwise, secure e-mail, set up in accordance with your company’s security policy, is recommended.

See “Recommended Best Practices” for important security measures that Groove Manager administrators can take to secure the Groove Manager administrative Web site.

Network Requirements

Inbound port 2492 must be open on all Groove client devices in order to enable peer-to-peer communications.

The Groove Manager has the following network interface requirements:


• Inbound TCP port 80 must be open in order to receive Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP.

• Outbound TCP ports must be open in order to send messages to the Groove Relay TCP port 8009 (for version 3.1 or earlier Groove Relay servers).

• Outbound SMTP port to the defined Smart Host must be open in order to send e-mail with account configuration and account restoration codes to Groove users (TCP port 25).
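The port list above can be turned into a least-privilege check on the firewall in front of the Groove Manager. The following is an added example, not part of the guide: it compares a constructed rule set with the three server flows listed, and the rule format and names such as `audit_rules` are assumptions. Port 2492 is left out because it applies to client devices, not to the server.

```python
"""Audit a firewall rule set against the Groove Manager port requirements.

Added example: the rule format is an assumption (a simplified,
vendor-neutral allow-list). The required flows come from the guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out", relative to the Groove Manager
    proto: str              # "tcp" or "udp"
    port_lo: int            # first port covered by the rule
    port_hi: int            # last port covered by the rule (inclusive)
    action: str = "allow"

    def covers(self, direction, proto, port):
        return (self.action == "allow" and self.direction == direction
                and self.proto == proto
                and self.port_lo <= port <= self.port_hi)


# Flows the guide lists for the Groove Manager server itself.
REQUIRED_FLOWS = [
    ("in", "tcp", 80, "SOAP requests from Groove clients over HTTP"),
    ("out", "tcp", 8009, "Groove Relay (version 3.1 or earlier)"),
    ("out", "tcp", 25, "SMTP to the Smart Host"),
]


def audit_rules(rules, extra_allowed=()):
    """Return (missing, excess).

    missing: required flows that no allow rule covers.
    excess:  (rule, unjustified_port_count) for allow rules that open ports
             beyond the required flows and extra_allowed, which is a set of
             site-approved (direction, proto, port) tuples.
    """
    wanted = {(d, p, port) for d, p, port, _ in REQUIRED_FLOWS}
    wanted |= set(extra_allowed)
    missing = [flow for flow in REQUIRED_FLOWS
               if not any(r.covers(flow[0], flow[1], flow[2]) for r in rules)]
    excess = []
    for rule in rules:
        if rule.action != "allow":
            continue
        opened = rule.port_hi - rule.port_lo + 1
        justified = sum(1 for d, p, port in wanted if rule.covers(d, p, port))
        if justified < opened:
            excess.append((rule, opened - justified))
    return missing, excess


# Constructed sample: works, but is far wider than the guide requires.
SAMPLE_RULES = [
    Rule("in", "tcp", 80, 80),
    Rule("in", "tcp", 3389, 3389),     # not among the guide's flows
    Rule("out", "tcp", 1, 65535),      # "any outbound" rule
]

# Constructed sample: exactly the flows the guide lists.
TIGHT_RULES = [
    Rule("in", "tcp", 80, 80),
    Rule("out", "tcp", 8009, 8009),
    Rule("out", "tcp", 25, 25),
]

if __name__ == "__main__":
    missing, excess = audit_rules(SAMPLE_RULES)
    for flow in missing:
        print("MISSING", flow)
    for rule, count in excess:
        print("TOO WIDE", rule, "unjustified ports:", count)
```

If the administrative pages are served over SSL on port 443, pass `extra_allowed={("in", "tcp", 443)}` so that rule is not reported as excess.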

Recommended Best Practices

The location of specific Groove Manager and Relay devices at your site is largely governed by the performance and security objectives at your organization, as well as by the location and distribution of users with respect to your network topology. Work with your Microsoft Office Groove representative to determine how to implement a Groove Manager configuration that accommodates the Groove user base at your site.

In administering a Groove Manager, follow the best practices generally recommended for hosting an Internet server. For helpful information on this topic, review the Microsoft security Web site.

The following basic measures can help promote a reliable and secure installation:

• Install the management software on a clean stand-alone Windows 2003 machine. Do not try to install a Groove Manager on a domain controller or a machine where Groove is running. Doing so will cause the install process to fail.

• To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the Groove Manager on a machine with redundant hard drive capability, typically a hardware RAID (software RAIDs provide protection for data only, not the operating system).

• Consider installing the latest Critical Update Package and Security Rollup on all servers.

• Review available information about any Windows server security vulnerabilities, and address them as needed at your site. For information about Windows security, see the Microsoft Windows Security Web pages. Also see the Microsoft TechNet Security site.

• Proxy or firewall devices may be used to control transmissions and allow access only to those ports necessary for Groove transmissions.

• Locate the Groove Manager in a perimeter network (also known as screened subnet) to afford relative security while allowing managed external Groove users to access the Groove Manager from the internet. Similarly, locate any Groove Relay devices in a perimeter network for security and to allow other Groove users to contact your managed users. Figure 2 shows an example of a typical Groove Manager setup.

• If your site plan includes multiple Groove Manager devices, install the administrative portion of the Web site on a secure server, separate from the server supporting the client-accessible portion of the site. The SQL server is typically shared by multiple Groove Manager devices. Consult a Microsoft Office Groove technician for information about multiple-server installations.

• Further secure the Groove Manager administrative Web pages by enabling Secure Sockets Layer (SSL) encryption and setting the server SSL port to 443. For more information about SSL, refer to the Microsoft MSDN Web site.

• Further secure the Groove Manager administrative Web pages with Windows or other login authentication. If using Basic Authentication, where passwords are transmitted over the network without encryption, make sure to enable SSL.

• To aid the secure distribution of Groove account configuration codes to your users, use one of the following methods:

• If possible, use an existing secure communication channel. For example, you could use security-enhanced e-mail or e-mail on a trusted local area network.

• Manually distribute account configuration codes.

• Make sure to keep labeled copies of any certificates, private keys, and passwords you use in a known secure location, such as on disk in a locked cabinet or in a directory on a secure private network. You may need access to these old certificates or private keys in the future - for example, if you need to recover client data but the client has an older version of the data recovery certificate.

• Establish administrative roles which govern physical access to Groove Manager machines, access to server-level controls, and access to management domain controls.

• To allow for Groove account restoration when needed (to replace a damaged account, for example), ensure that the identity policy that schedules Groove account backups is enabled.
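The SSL and authentication bullets above, together with the guide's later notes on the Web site components (anonymous gms.dll, an authenticated administrative directory, SSL plus Integrated Windows authentication on AutoActivation), can be checked mechanically. The following is an added example, not Groove or IIS code: it assumes the IIS 6.0 metabase `AuthFlags` and `AccessSSLFlags` values have already been exported for each component, and the component labels and sample values are constructed.

```python
"""Check exported IIS 6.0 authentication settings against the guide's rules.

Added example. The bit values are the IIS metabase AuthFlags and
AccessSSLFlags constants; labels and sample settings are constructed.
"""
AUTH_ANONYMOUS = 0x01   # AuthAnonymous
AUTH_BASIC = 0x02       # AuthBasic (password crosses the network unencrypted)
AUTH_NTLM = 0x04        # AuthNTLM (Integrated Windows authentication)
ACCESS_SSL = 0x08       # AccessSSL (SSL required for the path)


def audit_component(role, auth_flags, ssl_flags):
    """Return a list of findings for one Web site component.

    role is "client" (gms.dll), "admin" (administrative pages) or
    "autoactivation" (Auto-Account Configuration/Restoration directory).
    """
    anonymous = bool(auth_flags & AUTH_ANONYMOUS)
    basic = bool(auth_flags & AUTH_BASIC)
    ntlm = bool(auth_flags & AUTH_NTLM)
    ssl = bool(ssl_flags & ACCESS_SSL)
    findings = []

    if role == "client":
        # Groove clients connect to gms.dll as anonymous users.
        if not anonymous:
            findings.append("anonymous access disabled: Groove clients cannot connect")
    elif role == "admin":
        if anonymous:
            findings.append("anonymous access enabled on administrative pages")
        if basic and not ssl:
            findings.append("Basic Authentication without SSL: passwords sent unencrypted")
        elif not ssl:
            findings.append("SSL not required on administrative pages (recommended)")
    elif role == "autoactivation":
        if anonymous:
            findings.append("anonymous access enabled on AutoActivation")
        if not ntlm:
            findings.append("Integrated Windows authentication not enabled")
        if not ssl:
            findings.append("SSL not required: SOAP transactions would be unencrypted")
    else:
        raise ValueError(f"unknown role: {role!r}")
    return findings


def audit_site(components):
    """components maps a label to (role, AuthFlags, AccessSSLFlags).

    Returns {label: findings} for components with at least one finding.
    """
    report = {}
    for label, (role, auth_flags, ssl_flags) in components.items():
        findings = audit_component(role, auth_flags, ssl_flags)
        if findings:
            report[label] = findings
    return report


# Constructed sample export; the labels are placeholders, not real paths.
SAMPLE_SITE = {
    "gms.dll": ("client", AUTH_ANONYMOUS, 0),
    "admin pages": ("admin", AUTH_ANONYMOUS | AUTH_BASIC, 0),
    "AutoActivation": ("autoactivation", AUTH_NTLM, ACCESS_SSL),
}

if __name__ == "__main__":
    for label, findings in audit_site(SAMPLE_SITE).items():
        for finding in findings:
            print(f"{label}: {finding}")
```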


Figure 2. Example of Groove Manager Setup

Failure Contingencies

To protect your data and the server operating system from the effects of component failure, the Groove Manager IIS and SQL server machines should be equipped with reliable redundant hard-drive capability, or other fault-tolerant technology, such as clustering. As with any server installation, the possibility of total server failure is also a concern. To address this risk, you may want to consider an additional Groove Manager to provide backup in the event that your initial installation fails.

Installing and Configuring the Groove Manager

Installing the Microsoft Office Groove Server 2007 Manager software and bringing the server online at your organization involves the following main steps: setting up an SQL server, setting up the Microsoft Internet Information Services (IIS) server, installing the Groove Server Manager software on the IIS server, configuring the Groove Server Manager, and configuring SMTP. The context is for a general setup that meets the needs of many enterprises. Upon successful completion of the procedures described in this section, the Groove Manager will be ready for domain administration, described in the Groove Manager Domain Administration portion of the Help.

For information about upgrading from a previous version of the Groove Manager, see “Upgrading the Groove Manager”.

For information about uninstalling the Groove Manager, see “Uninstalling the Groove Manager”.

Groove Manager installation and initial configuration involves the following basic steps, each of which is covered in subsequent sections:

• Checking hardware and software Requirements

• Setting Up the SQL Server

• Setting Up the Groove Manager IIS Server

• Installing and Configuring the Groove Manager

• Accessing the Groove Manager Administrative Web Site

• Securing the Groove Manager Administrative Web Site

• Configuring an Initial Groove Manager Domain

• Configuring SMTP for the Groove Manager

• Utilizing Onsite Directories of User Information

• Deploying Groove on Client Devices

• Setting up Groove Auto-Account Configuration/Restoration

• Viewing and Editing Groove Manager Server Properties

Requirements

The following sections list minimum and/or recommended hardware and software requirements for installing and running Groove Manager at your site. See the Groove Relay Administrator’s Guide (included with the Groove Relay component of the Groove Server) for information about Groove Relay installation and configuration.

• Hardware

• Software

• Expertise

Hardware

The Groove Manager requires the following hardware:

Machine and specifications:

Groove Manager - IIS server:

• Processor: 64-bit processor supporting AMD64 or Intel® EM64T instruction set

• Processor speed: AMD 1.8 GHz or higher, or Intel 2.4 GHz or higher

• RAM: 2 GB minimum

• Disk: 40 GB RAID disk array

Groove Manager - SQL Server:

• Dual-processor Intel Xeon

• 2 GHz minimum

• 2 GB RAM

• 100 GB RAID disk array

LDAP directory server machine (optional): Standard directory setup at your enterprise.

Groove Relay server: As specified in the Groove Relay documentation that accompanies the Groove Relay component of the Microsoft Office Groove Server.

Microsoft Office Groove clients: As specified in the documentation that accompanies Microsoft Office Groove.

Software

The Groove Manager requires the following software:

For this machine, you need this software:

Groove Manager - IIS server:

• One of the following:

  > Windows Server 2003 Standard or Enterprise x64 Edition Service Pack 1 (or later)

  > Windows Server Vista (requires IIS6 Management Compatibility component)

• Microsoft® Internet Information Services (IIS) version 6.0 for Windows Server 2003 Standard or Enterprise x64 Edition

• Microsoft .Net Framework 2.0 (or later), including ASP.NET

• Simple Mail Transfer Protocol (SMTP) virtual server

• Microsoft® Office Groove® Server 2007 Manager

Groove Manager - SQL server:

• Windows Server 2003 Standard Edition or Windows Server 2003 Enterprise Edition, with the latest Service Pack required

• Microsoft SQL Server 2000 Service Pack 2 (or later)

Browser on administrative PC:

Internet Explorer (IE) 6.0 or later is running on the administrative PC, with the following settings in place:

• JavaScript, Cookies, and Forms are enabled

• Minimum Screen Resolution: 1024 by 768 pixels

• Maximum Display DPI Setting: Normal size (96 DPI)

Directory server (optional):

• LDAP 3.0-based software

• Microsoft Active Directory, Lotus Domino R5 or later, and Sun One supported

Groove Relay server:

• Microsoft® Office Groove® Server 2007 Relay

• Groove Enterprise Relay Server 3.0 or later supported

Microsoft Office Groove client:

• Microsoft Office Groove 2007 recommended, to utilize the full set of Groove Manager features

• Groove Workspace 2.5, Groove Virtual Office 3.0, or later supported

Expertise

As a Groove Manager administrator, you need expertise with the following:

• Windows Server 2003

• Internet Information Services (IIS)

• SQL database administration

• SMTP server administration

• Internet Domain Name System (DNS) naming

• Network security and topology

• Groove operation

Domain administrators must be familiar with the following:

• Software deployment and administration

• Password policies

• Software usage and security policies

• Software event reports

• Groove operation

Setting Up the SQL Server

The Groove Manager stores most of its data, including user information and certificates, on an SQL server machine.

Set up an SQL server to support the Groove Manager installation as follows:

1. Install an SQL Server on a Windows server machine using your company’s standard practices for SQL server configuration.

2. In an environment of approximately 5 transactions per user per hour, configure disk storage to allow 6 MB of storage per managed Groove user, including space for account backup.

3. Make sure that the MS-SQL port (usually 1433) is open for incoming transmissions from the Groove Manager.

4. Define a unique SQL server host name, preferably a fully qualified Domain Name System (DNS) or Internet Corporation for Assigned Names and Numbers (ICANN) name, such as gmssql.contoso.com.

5. Select an authentication system for the SQL server: native SQL or NT-based. When setting up the authentication system, select the ‘Mixed mode’ option.

6. Once the Groove Manager is running with your SQL server, as described in the following sections, be sure to back up the Groove Manager databases and log files on the SQL server each day to ensure that sufficient space is maintained on the SQL server for the Groove Manager database and transaction log.

Note: If the SQL server cannot accommodate the Groove Manager database and transaction log, Groove Manager operations may cease.

When you are finished configuring the SQL storage, communications, and authentication settings, proceed to “Setting Up the Groove Manager IIS Server”.

Setting Up the Groove Manager IIS Server

The Groove Manager is a Web-based application accessible by administrators from a Web browser. As such, it relies on Microsoft Internet Information Services (IIS). Therefore, you must configure IIS to support the Groove Manager Web site. You configure IIS on the same Windows server machine where you will install the Groove Manager software.

The following sections provide guidelines for properly configuring IIS for a Groove Manager:

• Configuring IIS

• Groove Manager Web Site Setup

• Creating a Custom Groove Manager Web Site (optional)

Configuring IIS

The following sections describe how to set up the Internet Information Services (IIS) to support your Groove Manager installation. The Groove Manager installation process creates a Groove Manager Web site for you, or you can create one yourself prior to installation.

To set up IIS for the Groove Manager, do the following:

1. Install a clean version of Windows Server 2003 Standard Edition x64 Edition 1 or later on a clean stand-alone machine. Do not try to install a Groove Manager on a domain controller or a machine where Microsoft Office Groove is installed. Doing so will cause the install process to fail. This IIS machine will house the Groove Manager software, which cannot coexist with the Microsoft Office Groove client. Installing Groove Manager on an existing production Web server falls outside of the scope of the Help; if you choose to do so, consult with a Microsoft Support technician for guidance.

2. To install IIS 6.0 on the Windows Server 2003, open the Windows Control Panel, click Add or Remove Programs, and follow the instructions.

3. From IIS, enable SMTP and configure it as described in “Configuring SMTP for the Groove Manager”, so that administrators can send e-mail containing account configuration codes to Groove users.

4. To enhance security, after creation of the Groove Manager Web site, bind the client access (gms.dll) and administrative UI (Groove Manager directory) portions of the site to separate network interface cards (NICs). Secure the administrative card as needed to meet your organization’s IT standards.

5. Note that the ISAPI extension, gms.dll, that supports the Groove Manager Web site, requires Scripts and Executables to be enabled in IIS. This Windows parameter is set automatically during creation of the default Groove Manager Web site.

The following section describes the directory structure for the Groove Manager Web site files that will be set up in IIS during the Install process.

Groove Manager Web Site Setup

During installation, the Groove Manager software creates a default Web site, installing the necessary files in IIS, or it uses an existing custom Web site that you created in IIS, as described in “Creating a Custom Groove Manager Web Site (optional)”. In either case, the Groove Manager Web site consists of two main parts: a client URL interface, and an administrative user interface. Both the client-accessible entry point (a .dll file) and the directory containing the administrative Web pages reside in the Groove Manager Web site’s root directory.

The following list describes the main components of the Groove Manager Web site, including the optional Auto-Account Configuration component:

Groove Manager Web Site Components

gms.dll

Description: This dynamic link library (DLL) is the main entry point for transactions from Groove clients. The Groove Manager URL (that you define during installation) must point to this DLL.

Important notes: Groove clients must be able to connect to the gms.dll in the home directory as anonymous users, so the top-level gms.dll file must be accessible from the Internet and must not be secured. Do not set up login authentication for this directory.

Groove Manager directory

Description: If you install the full Groove Manager application with both client and administrative interfaces, this directory is created to hold the administrative interface Web pages (.aspx files) and the index.htm file which contains the main entry point to the administrative interface.

Important notes: Due to the sensitive information available through the administrative interface, you should secure this administrative directory and all of its files with a reliable IIS authentication scheme.

AutoActivation directory

Description: If you install the full Groove Manager application with both client and administrative interfaces, this directory is created to support the Groove Auto-Account Configuration/Restoration feature, described in “Setting up Groove Auto-Account Configuration/Restoration”.

Important notes: This directory uses SSL for encryption and is secured using IIS Integrated Windows authentication (formerly called NTLM). The SOAP transactions involved in the Auto-Account Configuration/Restoration process depend on SSL for encryption.

Creating a Custom Groove Manager Web Site (optional)

The Groove Manager install process creates a Groove Manager Web site for you. You need not create one. However, if you are experienced with creating Web Sites in IIS and have specific requirements, follow the guidelines below to create a Groove Manager Web Site that will be used in the Groove Manager installation process:

• When defining your Web site in IIS, follow the directory and file hierarchy described in “Groove Manager Web Site Setup”.

• Because the Groove Manager Web site depends on active server pages (ASPs), be sure to enable Scripts and Executables in IIS.

• During the Groove Manager installation process, specify the Web site that you created instead of accepting the default option.

Installing and Configuring the Groove Manager

This section describes the process for installing and setting up the Groove Manager. The installation procedure involves defining the Groove Manager, establishing its relationship to the SQL server that will store all administrative data, and creating a Web site for the Groove Manager administrative interface. During this installation, Groove Manager uses your inputs to create a database on your SQL server.

The following sections provide installation prerequisites and instructions:

• Before You Begin

• Installing the Groove Manager

Before You Begin

To facilitate the installation process, do the following:

• Note the SQL server host name.

See “Setting Up the SQL Server” for information about installing the Groove Manager SQL server.

• Note the name of SQL database to be used for storing Groove Manager data.

• Ensure that you have the necessary SQL login credentials, native SQL or Windows NT-based, with Database Creator permissions.

• Note the certification authority name for the Groove Manager. This must be an official, fully qualified, unique name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN).

• If convenient, configure any onsite Groove Relay servers before configuring the Groove Manager, as described in the administrative Help that accompanies the Groove Relay component of the Office Groove Server.

Installing the Groove Manager

To install the Groove Manager on the IIS machine, follow these steps:

1. Read “Before You Begin”.

2. From the Windows server machine where you set up IIS for the Groove Manager Web site, insert the Microsoft Office Groove Server CD into the drive.

3. Select the option to install Microsoft Office Groove Server 2007 Manager. This process will create a Groove Manager installation directory that includes a setup.exe file and a readme.htm file.

4. Follow the Install wizard instructions, entering the product ID key code when prompted. If .NET Framework is not installed, an informational message appears, asking you to install it before proceeding.

5. Click Continue. The Microsoft Software License agreement appears.

6. Read and accept the Microsoft Software License agreement.

7. Click Continue. A window appears displaying the Basic or Advanced install options.

8. Select Basic to install now, or select Advanced to specify more options, as described in the following table, then click Install Now:

Groove Manager Install Options and Explanations

Basic: To install the complete Groove Manager application (including the administrative interface and the Groove client interface of the Groove Manager Web site) in the default installation directory: c:\Program Files\Microsoft Office Servers\12.0\Groove\Groove Management Server

Advanced: To specify the following options, then install the complete Groove Manager application:

• File location – To specify a Groove Manager installation directory.

• Feedback – To specify whether you want to participate in the Customer Experience Improvement Program. For information about CEIP and its privacy policy, click here.

9. Once the software installation finishes and the Groove Manager Welcome page appears, click Next.

10. Select whether to install Groove Manager alone or Groove Manager with the Auditing capability. For information about Groove Auditing, see “Auditing Groove Activity”.

11. Click Next. The Groove Manager Database Configuration window appears.

12. Enter your SQL server information, as described in the table below.

Have on-hand the SQL server host name, and, if SQL authentication is chosen, your SQL server login name and password. The Groove Manager uses this information to establish a connection to the database server on which the Groove Manager depends for data storage. Make sure that the login name and password have sufficient permissions to allow you to create a database on this server:

Groove Manager Database Configuration Fields and Explanations

Use the Following SQL Server Login: Select this check box to specify native SQL server authentication. Clear this option to specify Windows authentication and enter login information.

User Name: Appears if ‘Use the Following SQL Server Login’ is selected. Type the login information for the SQL server. Note: Make sure that the login gives you database creation rights.

Password: Appears if ‘Use the Following SQL Server Login’ is selected. Type a password for the SQL server.

Database Information:

SQL Server Name: Type the host name or Internet Protocol (IP) address of your SQL server.

Database Name: Type a SQL database name, such as gmsDb. The Installer will create or upgrade this database.

13. Click Next. The Groove Manager Master Password or Groove Audit Server Configuration window appears, depending on your installation selection.

14. If the Groove Audit Server window appears, supply the required information, as described in “Auditing Groove Activity”, then click Next. The Groove Manager Master Password window appears.

15. Enter and confirm a Master Password for the Groove Manager. If you are upgrading, you enter the existing password and confirmation is not required. This password is used to encrypt critical server data stored on the SQL server, including signature and encryption keys, and passwords.

Note: Do not lose this password, as it cannot be restored easily. If you lose your password, contact Microsoft Support. You can change the password on the server Properties page after the Groove Manager is installed.

16. Click Next. The Groove Manager Configuration window appears.

17. Enter the required Groove Manager Configuration information, as described in the following table:

Groove Manager Configuration Fields and Explanations

Administrator’s E-mail Address: Type the e-mail address of the administrator who is responsible for Groove Manager operation. This name may be used in the ‘From’ field of default emails to Groove clients.

Organization Name: Type the name of your organization. This name will form the basis of the Groove Manager server name and the initial domain name used in the Groove Manager administrative interface.

URL of Groove Manager Server: Accept the default Universal Resource Locator (URL) for the Groove Manager, or edit the name. The initial default is the IIS machine name. If editing the name, use the format:

http://<hostname>

where <hostname> is a registered fully qualified DNS or ICANN name of the Groove Manager server. For example:

groovemanager.contoso.com.

This URL must be accessible from the Internet and the host name must be resolvable into an IP address. If this value is incorrect, Groove clients will not be able to communicate with the Groove Manager.

Note: The Groove Manager URL is propagated to all clients in your domain. You should not change this value once the Groove Manager is established; doing so requires that you uninstall and re-install the Groove Manager, then re-configure all Groove client accounts.

Certification Authority Name: Type the unique official name of your Groove Manager (such as groovemanager.contoso.com). This name will be used as the default Groove PKI Certificate Authority name in your initial domain.

The name you enter must meet the following requirements:

• Must be a fully qualified DNS name, properly registered with the Domain Name System (DNS) authorities or with the Internet Corporation for Assigned Names and Numbers (ICANN).

• Must be unambiguous and unique.

The qualified DNS must describe a third-level domain or higher within your organization. Therefore, it must have at least three text blocks (components) and two dots - one dot (.) separating each section, such as groovemanager.contoso.com where:

com = Customary DNS generic top-level domain (gTLD) identifier of com for company, net for network, or org for organization.

contoso = DNS second-level domain, such as your company name.

groovemanager = DNS third-level domain, such as company branch or department.

If you are registered in a country-code top-level domain (ccTLD), you may need to use at least four components, separated by three dots.

18. Click Next. The Summary window appears.

19. Click Next.

20. Follow the Configuration wizard to the end and click Finish, then Close.

The Groove Manager administrative Web site opens. This site is created for you and includes an administrative Web interface that you can access through the URL, http://<hostname>. Groove clients access this site via the URL that you defined, http://<hostname>/gms.dll.

An initial management domain is also created for you. Associated with the domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a set of default policies that the domain administrator can edit. The certification authority name that you defined applies to this domain. The section, “Configuring an Initial Groove Manager Domain”, describes how to complete initial domain setup.
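Because the certification authority name becomes the default Groove PKI Certificate Authority name for the initial domain, it is worth checking the proposed value before it is typed into the Configuration wizard. The following is an added example, not part of the guide or the installer: it applies the naming rules from the Certification Authority Name field plus standard DNS label syntax, and the function name `check_ca_name` is an assumption. It cannot confirm that a name is registered or unique.

```python
"""Pre-install check of a proposed Certification Authority Name.

Added example: encodes the guide's naming rules (fully qualified DNS name,
at least three components, possibly four under a country-code TLD) plus
standard DNS label syntax. Registration and uniqueness are not checked.
"""
import re

# One DNS label: letters, digits, hyphen; 1-63 characters; no leading or
# trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_ca_name(name):
    """Return (errors, warnings) for a proposed certification authority name."""
    errors, warnings = [], []
    candidate = name.strip()
    if candidate.endswith("."):
        candidate = candidate[:-1]          # tolerate one trailing root dot

    # The URL field takes http://<hostname>; this field takes the name only.
    if "/" in candidate or ":" in candidate:
        errors.append("enter a DNS name, not a URL, port or path")
        return errors, warnings

    if len(candidate) > 253:
        errors.append("name is longer than 253 characters")

    labels = candidate.split(".")
    bad = [label for label in labels if not LABEL_RE.fullmatch(label)]
    if bad:
        errors.append("invalid DNS label(s): " + ", ".join(repr(b) for b in bad))

    if len(labels) < 3:
        errors.append("needs at least three components separated by two dots")

    tld = labels[-1]
    if tld.isdigit():
        errors.append("numeric last component: looks like an IP address")
    elif len(tld) == 2 and tld.isalpha() and len(labels) < 4:
        # The guide says a ccTLD registration *may* need four components,
        # so this is a warning for the administrator to confirm.
        warnings.append("country-code TLD: you may need at least four components")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("groovemanager.contoso.com", "contoso.com",
                   "gm.contoso.uk", "http://groovemanager.contoso.com",
                   "192.0.2.10"):
        print(sample, check_ca_name(sample))
```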

Accessing the Groove Manager Administrative Web Site

The sections below provide instructions for accessing and using the Groove Manager administrative Web site:

• Accessing the Groove Manager Administrative UI

• Groove Manager Administrative UI Overview

• Getting Help

• Setting Administrative Preferences

• Changing the Language of the Administrative Web Pages

Accessing the Groove Manager Administrative UI

When you finish installing the Groove Manager software, go to the administration Web site to configure Groove Manager settings. You can access the Groove Manager administrative Web site from any PC, using the login authentication system that you established for the site.

To access the Groove Manager administrative user interface (UI), follow these steps:

1. From an administrative PC, open an Internet Explorer (IE) browser that meets the requirements specified in “Software”.

2. Enter the URL for your new Groove Manager site (typically, http://<hostname>). Depending on your authentication system, a login window may appear.

3. If asked to log in, enter the Web site login information required by your authentication system. The Groove Manager home page appears, as described in Groove Manager Administrative UI Overview.

For information about how to get online Help at any time, see “Getting Help”.

For information about changing administrative preferences, see “Setting Administrative Preferences”.

For information about changing the language setting, see “Changing the Language of the Administrative Web Pages”.


When you are ready, proceed to “Securing the Groove Manager Administrative Web Site”, for information about securing the Groove Manager site.

Groove Manager Administrative UI Overview

The Groove Manager administrative Web interface comprises a navigation pane on the left, and a main window. The navigation pane displays the Groove Manager server name along with an initial management domain automatically created for you. The Web page has the following characteristics:

• Main window - Reflects the current selection in the navigation pane, and includes a set of tabs. When the management server is selected, a set of domain tabs appears, where you access Groove Manager server administration tasks, as summarized in the table below.

• Toolbar - Appears at the top of the main window and displays icons appropriate for the task being performed on the current tab.

• Navigation tree - Appears in the left pane and displays the management domains, groups, policy templates, and relay server sets defined on this server.

Getting Help

To get help using the Groove Manager, follow these guidelines:

• Click the Help link in the upper left of a Groove Manager administrative Web page to display online Groove Manager Help.

• For Groove Manager server-level information, see the Groove Manager Administration portion of the Help.

• For domain-level information, see the Groove Manager Domain Administration portion of the Help.

• The Readme file included with the Groove Manager product provides late-breaking information.

Setting Administrative Preferences

You can change administrative Web page preferences (such as setting a start page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

Server Tab | Description

Reports | Allows you to view Groove audit log reports, as described in “Monitoring the Groove Manager”.

Domains | Allows you to add and delete management domains, as described in “Adding and Managing Domains”.

Roles | Allows you to add, edit, and delete administrator roles as described in “Managing Administrative Roles”.

Directory Integration | Allows you to integrate an LDAP-based directory server of user information with the Groove Manager, providing that a directory server is installed at your site, as described in “Defining a Directory Server”.


To edit administrative preferences, follow these steps:

1. Go to the Groove Manager administrative Web interface and click the Preferences link in the top left side of the current page. The Start Page window appears with an image of your navigation tree.

2. To change the default number of Display items that appear on any list page, select a number in the ‘Default number of items to display’ drop-down box. The initial default setting is to display 25 items per page.

3. To select a start page, select an item from the Start Page tree.

4. Click OK.

Your changes take effect immediately. This page will open the next time you log into the Groove Manager Web site.

Changing the Language of the Administrative Web Pages

Administrators can change the language of the Groove Manager administrative interface by using their browser’s language setting, providing that the Groove Manager supports the browser-set language.

The Groove Manager’s supported display language depends on the following factors:

• The language of the Groove Manager installation.

• Any language packs added to the Groove Manager system.

• The browser setting on the administrative PC used to access Groove Manager.

If a browser-selected language is not available on the Groove Manager server as an installation language or language pack, a default language is used, generally the language in which Groove Manager was installed.

Securing the Groove Manager Administrative Web Site

Like other Web applications, the Groove Manager’s administrative Web interface (in the Groove Manager directory of the Groove Manager root directory in IIS) should be secured by a reliable authentication system via passwords, smart cards, or SecurID tokens. Designed to be independent of any specific authentication system, the Groove Manager allows you to choose the one that will properly secure your Groove Manager administrative Web pages. For instance, you may choose a scheme already in place for your other Web sites. The following sections describe measures you can take to secure your Groove Manager’s administrative Web pages:

• Security Recommendations

• Defining an Initial Administrator Role

Security Recommendations

Windows Internet Information Services (IIS) supports several authentication schemes that can help secure the administrative Web interface, including Basic Authentication, Active Directory Authentication, LDAP authentication, and Kerberos authentication. Or, you can implement your own custom login authentication mechanism.


As stated previously, you can bind the administrative UI portion of the Groove Manager Web site to a separate NIC from the Internet-accessible client portion of the site. You can then configure the NIC that supports the administrative pages to meet the necessary security requirements, leaving an Internet-accessible NIC available for client access.

Once an administrator logs into the administrative Web interface as required by the chosen authentication system, access within the site may be controlled by the administrator's role. If enabled, the optional Role Based Access Control (RBAC) feature provides an added layer of security to the administrative Web pages. To enable this feature, as recommended, see “Defining an Initial Administrator Role”.

Securing the administrative portion of the Enterprise Management Server Web site with the Secure Sockets Layer (SSL) encryption protocol is strongly recommended. To enable SSL for the administrative Web pages, configure the following Windows system communications settings:

• Require SSL; 128-bit encryption.

• Bind SSL port 443 to the internal (private) administrative network interface card (NIC) as follows:

Using the IIS user interface, go to the Properties for the Groove Manager Web site, then go to the Advanced configuration settings to assign SSL port 443 to the private administrative NIC. For more information about SSL, refer to the Security pages of the Microsoft MSDN Web site.

Defining an Initial Administrator Role

To control access to the Groove Manager administrative Web site, you must enable Role-Based Access Control (RBAC) on the Groove Manager. Enabling RBAC requires that you establish yourself as the Groove Manager server administrator. RBAC lets you specify who can access the Groove Manager administrative interface and which tasks they can perform. Omitting this step leaves the entire Groove Manager administrative interface open for viewing and modification by anyone who learns the login credentials.

For more information about RBAC, see “Role-Based Access Control”.

To define an initial administrator role and enable role-based access control, follow these steps:

1. Make sure that you set up an authentication system for the Groove Manager directory in IIS, as described in “Setting Up the Groove Manager IIS Server”. Otherwise, RBAC cannot effectively safeguard the Groove Manager’s administrative interface.

2. Start the Groove Manager from Internet Explorer, as described in “Accessing the Groove Manager Administrative Web Site”.

3. Select the Groove Manager from the left navigation pane. The Groove Manager page appears.

4. Click the Roles tab.

5. From the Groove Manager Roles tab, select Add Administrator in the toolbar. The Add Administrator page appears. For reference, this page displays the name that you used to log in to the Groove Manager administrative Web site.

6. In the Name field, enter the exact login name (in this initial case, your login name) that the administrator will use to log in to the Groove Manager Web site, as defined by your authentication system.

Note: Make sure that the administrator name that you specify exactly matches the login name used by your Web site authentication scheme, or you will not have any privileges on the Groove Manager after RBAC is enabled.

7. From the Scope drop-down menu of the Groove Manager, listing server and domain names defined on this machine, select the Groove Manager server.

8. Click the Add button. The selected Groove Manager name appears in the Assigned Scopes scrolling list, and the role of Groove Manager Administrator appears under Assigned Roles Within Select Scope.

Later, if you enter a domain as the scope for an administrator name, selecting that domain in the Assigned Scopes displays a list of Assigned Roles options that you can select. Note that at least one administrator must be assigned the Scope of <GrooveManagername> and the Role of Groove Manager Administrator.

9. Click OK to accept the server name and Server Administrator role.

This enters your name as the first administrator in the name list on the front page of the Roles tab and gives you, as Groove Manager Administrator, management access to all Groove Manager fields. You cannot remove this role. However, if you assign another administrator to the Server Administrator role, that administrator can edit your role.

Note: You must set your own role to Groove Manager Administrator before setting ‘Enable role-based access control’.

10. From the Groove Manager Roles page, select the option, ‘Enable role-based access control’. This allows only those administrators listed in the Name list to access the Groove Manager.

Note: If you do not turn on Enable role-based access control, anyone who accesses the Groove Manager’s administrative site will have full access to all administrative fields and pages on the site.

11. Click OK.

Note: You can add only one administrator at a time in the Add Administrator dialog box. To add another, select Add Administrator in the toolbar again.

For information about adding more administrators, editing administrator roles and scopes, or deleting administrators, see “Managing Administrative Roles”.

When you are satisfied with the security of the administrative site, proceed to “Configuring an Initial Groove Manager Domain”.

Configuring an Initial Groove Manager Domain

A management domain contains groups of Groove users and devices that the domain administrator places under domain management. Associated with each new domain are encryption keys and a pair of signature keys for authenticating the domain, as well as a private key for password/smart card login reset and data recovery. Customizable usage and security policy templates, and Groove Relay server sets apply to groups in the domain.

Management domains are independent and secure from each other. However, if Groove PKI authentication is in effect at an organization, domain administrators can use the Groove Manager interface to export the domain certificate to other domains, either within the organization or on a Groove Manager at another organization, to establish a trust relationship with those domains (cross-domain certification). See the Groove Manager Domain Administration portion of the Help for information about setting up cross-domain certification.

The Groove Manager installation process supplies an initial management domain, with Groove PKI specified as the identity authentication mechanism. The initial domain name is based on the Organization that you entered during Groove Manager installation. The initial domain setup page typically appears on the screen following Groove Manager installation, requiring you to supply some basic information in the blank fields. Once you finish configuring the domain, it is ready for domain-level administrators to populate it with Groove users.

Note: If you have engaged Groove Enterprise Services to provide Groove Manager functionality, initial domain creation and administrator role assignment occur during product registration.

To configure the initial Groove management domain, follow these steps:

1. Start the Groove Manager from Internet Explorer, as described in “Accessing the Groove Manager Administrative Web Site”.

2. Click the domain in the left navigation pane to display the domain setup window, then accept or edit the value in the Domain Name field. The name for this initial management domain is supplied automatically during the Groove Manager installation process and configurable by administrators.

3. If necessary, add a domain description in the Description field.

4. Enter a valid e-mail address of a contact administrator. Note that Groove Public Key Infrastructure (PKI) is the selected mechanism for certifying member identities in this initial domain; the Identity Authentication Setting is not configurable for this domain. If you prefer to use a PKI implementation already in place at your enterprise, you can create another domain from the Domains tab, as described in “Adding a Groove Management Domain”.

5. Select whether to complete password reset setup now, or to allow a domain administrator to supply this information (by clicking Members, under the domain in the left navigation panel). You can define domain administrators from the Domains tab, as described in “Managing Administrative Roles”.


6. If you chose to supply the password reset information now, accept or edit the Password or Smart Card Reset Setup options as necessary. Note that you or another administrator must finish configuring the domain in order to add domain members.

For more information about Groove password reset and data recovery, see “Password/Smart Card Reset Private Key”.

7. Click OK.

Next, set up the SMTP environment for the Groove Manager, as described in “Configuring SMTP for the Groove Manager”.

Configuring SMTP for the Groove Manager

To enable the Groove Manager to send e-mail and Groove account configuration codes to PC users, you must configure the IIS Simple Mail Transfer Protocol (SMTP) virtual server.

To configure the IIS SMTP virtual server to deliver mail via your enterprise’s SmartHost, follow these steps:

1. Open Internet Information Services on the Groove Manager machine.

2. Right-click on Default SMTP Virtual Server and select Properties. The Default SMTP Virtual Server Properties page appears.

3. Click the Delivery tab.

4. Click the Advanced button.

5. In the Host name field, enter the fully qualified domain name in the form <GrooveManagerhostname>.domain.com.

6. In the SmartHost field, enter the name of the SMTP server that will be used for mail routing in the form <smarthostname>.domain.com, then click OK.

While the Groove Manager does not require any special settings, as it sends only small textual e-mails without attachments, you may need to configure other properties for the SMTP server. Best security practices for configuring the SMTP virtual and actual servers include the following:

• Configure the SMTP virtual server not to accept external connections (allowing only connections from itself, LocalHost).

• Set Access\Relay restrictions on the virtual SMTP server as follows:

    • Set to Only the list below: Granted 127.0.0.1 (localhost).

    • Clear the ‘Allow all computers...’ check box.

• Set Access\Connection control on the virtual SMTP server as follows:

    • Set to Only the list below: Granted 127.0.0.1 (localhost).

• Enable logging and define a Logfiles drive.

You have now set up the Groove Manager to support administrative e-mails to Groove clients. Most often this capability is used to send account configuration codes to Groove clients - the last step in the process of adding Groove users to a management domain. Once Groove is installed on client devices, users enter the codes into Groove and become managed domain members. See “Deploying Groove on Client Devices”, next, for information about deploying Groove in your enterprise.

Upon successful completion of the installation procedures, the Groove Manager should be ready for domain administration, described in the Groove Manager Domain Administration portion of the Help. The Domain Administration portion of the Help provides instructions for defining groups in a management domain, setting domain policies, defining domain relay servers, and adding users and devices to a domain.

Utilizing Onsite Directories of User Information

If your organization maintains an LDAP-based directory server of user contact information, you can incorporate in-house user directories with the Groove Manager to facilitate Groove management. Integrating a corporate directory with the Groove Manager is recommended and offers the following benefits:

• Facilitates the process of entering user contact information into management domains.

• Allows for automatic configuration (and restoration) of managed Groove accounts.

• Facilitates the process of migrating members of a Groove Enterprise Services (or other) domain to an onsite domain.

• Facilitates the use of external enterprise PKI for domain member authentication, providing that the directory is properly configured with valid PKI certificates to be used for Groove identity authentication.

For information about sharing LDAP-based directories with the Groove Manager, see “Defining a Directory Server”.

Deploying Groove on Client Devices

In small enterprises, the Microsoft Office Groove application can be installed and configured on individual client devices. But a more efficient way to deploy Groove, especially in larger enterprises, is to use the Office Customization tool, available with the Office Resource Kit, and the Microsoft Systems Management Server (SMS) or other compatible centralized deployment software.

Once Groove is installed on client devices, users must enter the account configuration codes sent to them by domain administrators to make them managed members of a domain. Or, you can automate the account configuration process, by utilizing the Groove Manager’s Auto-Account Configuration feature (see “Setting up Groove Auto-Account Configuration/Restoration”). With the automated option, which is recommended for large-scale deployment, users can start Groove for the first time without needing to process configuration codes, and can immediately use their managed identities to participate in workspaces.

Setting up Groove Auto-Account Configuration/Restoration

Automatic Groove account configuration and restoration is the recommended approach to configuring Groove on client devices in corporate environments. To support this capability the Groove Manager associates the Windows login names of Groove users with their managed member information, imported to a Groove Manager domain from an Active Directory database. Users do not need to enter an account configuration code in order to start Groove for the first time; Groove starts up automatically. If a user starts Groove for the first time without having configured an account previously, the new account creation process begins. If a user starts Groove without an account and a valid backed-up account exists, Groove will restore that account.

Auto-account configuration and restoration depends on a correctly configured Windows intranet environment using IIS Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication). For information about extending this capability beyond your intranet, consult a Microsoft Support technician.

Note: If you are integrating Groove Manager with Active Directory databases, be sure to enable the automatic account configuration feature to ensure smooth integration and Groove 2007 deployment.

The Groove Auto-Account Configuration feature supersedes the device-management-based Auto-Activation feature available with Groove Manager version 3.1, but the older Auto-Activation feature is still supported for environments that include earlier (pre-Groove 2007) client versions. Instructions for each method (both, optional) appear in the following sections:

• Enabling Auto-Account Configuration/Restoration

• Setting up Groove Auto-Activation

Enabling Auto-Account Configuration/Restoration

Auto-Account Configuration expedites Groove 2007 deployment in your enterprise. It also facilitates restoration of backed-up Groove accounts, and allows you to use the Automatic Domain Migration facility, described in “Automatically Migrating Users to Another Domain”. If you are integrating an LDAP-compliant directory server with Groove Manager to support a community of Groove 2007 users, the automatic account configuration/restoration feature is highly recommended.

Before you begin, make sure that your Groove management setup meets the following requirements:

• Office Groove 2007 should be installed on Windows XP Pro devices.

• Groove client devices must be joined to a Windows network domain.

• Office Groove Server 2007 Manager must be installed on your network, as described in “Installing and Configuring the Groove Manager”.

• The Groove Manager server must be joined to the same Windows network domain as Groove clients. This domain must be set up to authenticate users to the same directory that supports Groove Manager directory integration.

• Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication) must be configured on the Groove Manager IIS server. Refer to Microsoft documentation for information on configuring IIS Integrated Windows authentication environments.


• Groove client devices must be able to successfully authenticate with the Groove Manager IIS server that is set up to use Windows Authentication for auto-account configuration.

• The AutoActivate directory on the Groove Manager IIS server must support SSL.

• An onsite Active Directory server of user information must be integrated with the Groove Manager, as described in “Defining a Directory Server”.

If your setup does not meet these requirements, the Auto-Account Configuration cannot function. The auto-activation procedure, described in “Setting up Groove Auto-Activation”, is an alternative.

To enable automatic Groove account configuration or restoration, follow these steps:

1. From the Groove Manager, go to the Identity Policy template assigned to the relevant domain group, and verify that the Member Policy for scheduling Groove account backup is enabled.

For more information about account backup and restoration, see “Backing Up and Restoring User Account Data”.

2. Update the registries of Groove client devices. The recommended method for accomplishing this is to use an Active Directory Group Policy Object (GPO), as follows:

a. Locate the administrative template file, Groove.ADM, in the Microsoft Office Resource Kit toolbox (ork.exe). This file contains the required GPO. For download and other information about the toolkit, click here.

b. Customize the ‘ADM’ to include the auto-account configuration DNS name for your Groove Manager server. Groove device registries will be updated with the following key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\Groove\Manager\<ServerName> where <ServerName> is the fully qualified DNS name of the Groove Manager IIS server to be used for auto-account configuration.

c. Copy the .ADM file to your Windows network’s Primary Domain Controller (PDC) for distribution to Groove devices.

d. Use the Windows Group Policy snap-in to distribute the policy to Groove devices.

3. On the IIS machine that hosts both the Groove client and administrator Web sites, use IIS Manager to do the following:

a. Ensure that NTLM authentication is enabled for the AutoActivate directory.

b. Configure the Groove Manager AutoActivate directory for ‘Secure communications’ by applying a Web server SSL certificate to the Web site, and for the AutoActivate directory, select the ‘Directory Security Tab/Edit/Require secure channel (SSL)’ option.

4. Import Groove user contact information from your onsite Active Directory server into the Groove Manager, as described in “Defining a Directory Server”. Note that each user entry must include a valid e-mail address in order for auto-account configuration/restoration to function.

Note: Auto-account configuration is available only to users with a ‘pending member’ status on the Groove Manager domain Members page. Auto-account restoration is available only to users with an ‘active member’ status.

5. Test your auto-account configuration setup as follows:

a. On a client device on which no previous account configuration has been attempted, start Groove for the first time. The Account Configuration Wizard opens and a dialog box appears displaying a new Groove account name and password setup fields.

b. Enter a new Groove password (or smart card, depending on domain device policy), confirm it, enter a hint, if desired, and optionally select the option to remember the password.

c. Click Finish to log in to the newly configured account.

6. Test your auto-account restoration setup as follows:

a. Confirm that the member account was backed up by checking the management domain’s Member Activity report on the Groove Manager.

b. On a client device on which no previous account configuration has been attempted, start Groove for the first time. If a backed-up account exists, a login window for the user’s restored account appears.

c. Log in to the restored account.

The Groove Manager compares the user’s authenticated login information with the imported Active Directory server account name and if the information corresponds, the Groove account will be auto-configured or a backed-up account will be restored on the client device. The user will be a member of the associated Groove management domain. Note that account restoration restores the managed member; it does not manage or register the client device with the Groove domain.

For information about troubleshooting account configuration problems that may arise, see “Auto-Account Configuration Problems” in the Troubleshooting section of this guide.

Setting up Groove Auto-Activation

If you must support environments that include earlier (pre-Groove 2007) client versions, you can use the Groove Manager Auto-Activation feature to automatically activate managed user accounts.

Once you have set up Groove devices and registered them with the Groove Manager, as described in the following procedure, the Groove Manager will rely on managed users’ Microsoft Windows domain login credentials to associate Groove users with domain member information defined in its database. Users will not need to enter an activation key. Note that this auto-activation feature does not restore backed-up accounts.

Note: The term ‘activation’ is used here only to describe this previously existing feature; its meaning does not equate to the meaning of the term as used in Office Groove or other applications in the Office suite.

Note: For information about using the Auto-Account Configuration feature to automatically activate managed user accounts, see “Enabling Auto-Account Configuration/Restoration”.

Before you begin, make sure that your Groove management setup meets the following requirements:

• Groove 3.0 or later must be installed on user devices that will be registered with the Groove Manager, as managed devices.

• Groove client devices must be joined to a Windows network domain.

• Groove Manager 3.0 or later must be installed and configured on your network, as described in the “Installing and Configuring the Groove Manager” section of this guide.

• The Groove Manager 3.0 or later must be joined to the same Windows network domain as Groove clients. This domain must be set up to authenticate users to the same directory that supports Groove Manager directory integration.

• Windows authentication (NTLM) must be configured on the IIS front end of the server that will be the Groove Manager server. Refer to Microsoft documentation for information on configuring IIS Integrated Windows authentication environments.

• Groove client devices must be able to successfully authenticate with the Groove Manager IIS server that is set up to use Windows Authentication for auto-account configuration.

• An onsite Active Directory server of user information must be integrated with the Groove Manager, as described in “Defining a Directory Server”.

To enable Groove Auto-Activation, follow these steps:

1. Import Groove user contact information from your onsite Active Directory server into the Groove Manager, as described in “Defining a Directory Server”. Note that each user entry must include a valid e-mail address in order for auto-account configuration/restoration to function.

2. On the IIS machine that hosts the Groove Manager client and auto-activation, secure the AutoActivate/gms.dll file by enabling Integrated Windows Authentication as the only authenticated access. The AutoActivate directory is provided by the Enterprise Management Server during full EMS installation (including the client and administrative interfaces). Anonymous access to the AutoActivate directory is not permissible.

3. Configure Groove client devices, as follows:

• Install Groove 3.0 or higher.

• Register client devices with a Groove Manager domain (the domain that contains any Groove Manager accounts that you imported from a directory server). See “Registering User Devices with the Groove Manager” in the Groove Manager Domain Administration portion of the Help for information about registering devices in a domain.

• Update the Windows registry with the following AutoActivate setting:

    HKEY_LOCAL_MACHINE\Software\Groove Networks, Inc.\Groove\ManagementDomain\
    "AutoActivate"=dword:00000001

4. Test the auto-account configuration/restoration feature on a Groove client as follows:

a. Log in to a Windows domain (not the LOCAL machine).

b. Start Groove for the first time on a clean device (on which no previous automatic configuration has been attempted). A dialog box appears displaying a Groove account name and prompting for a password.

c. Enter a new Groove password (or smart card, depending on domain device policy).

If the Windows authentication check passes on the Groove client, the Groove Manager checks the account name, comparing the Windows client logon name with the imported Active Directory server account name in Groove Manager. If these checks succeed, the new Office Groove account will be auto-configured (activated) on the client device. Both the user and device will be members of a Groove management domain.

For information about troubleshooting account configuration problems that may arise, see “Auto-Account Configuration Problems” in the Troubleshooting section of this guide.
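Both procedures above place the same requirements on the AutoActivate directory in IIS: Integrated Windows authentication as the only authenticated access, no anonymous access, and a required SSL channel. The following PowerShell sketch is an added example, not part of the guide or the product; it evaluates those requirements against the IIS 6 metabase properties AuthFlags and AccessSSLFlags. The function name, the sample values, and the metabase path in the closing comment are assumptions.

```powershell
# Added example: check IIS 6 directory-security flags for the AutoActivate directory.
# Bit values of the IIS metabase properties AuthFlags and AccessSSLFlags.
$AuthAnonymous = 0x1     # Anonymous access
$AuthBasic     = 0x2     # Basic authentication
$AuthNtlm      = 0x4     # Integrated Windows authentication
$AuthDigest    = 0x10    # Digest authentication
$SslRequired   = 0x8     # Require secure channel (SSL)
$Ssl128        = 0x100   # Require 128-bit encryption

# Hypothetical helper: returns one finding string per deviation from the guide.
function Test-AutoActivateSecurity {
    param(
        [int]$AuthFlags,
        [int]$AccessSSLFlags,
        [switch]$Require128Bit   # optional: the guide asks for 128-bit on the admin pages
    )
    $findings = @()
    if ($AuthFlags -band $AuthAnonymous) {
        $findings += 'Anonymous access is enabled; the guide does not permit it on AutoActivate.'
    }
    if (-not ($AuthFlags -band $AuthNtlm)) {
        $findings += 'Integrated Windows authentication is disabled; both procedures require it.'
    }
    if ($AuthFlags -band ($AuthBasic -bor $AuthDigest)) {
        $findings += 'Basic or Digest is also enabled; Integrated Windows authentication should be the only authenticated access.'
    }
    if (-not ($AccessSSLFlags -band $SslRequired)) {
        $findings += 'SSL is not required; select "Require secure channel (SSL)".'
    }
    elseif ($Require128Bit -and -not ($AccessSSLFlags -band $Ssl128)) {
        $findings += 'SSL is required but 128-bit encryption is not.'
    }
    return $findings
}

# Constructed sample flag values (not read from a real server).
$samples = @(
    @{ Name = 'as the guide requires';  Auth = 0x4; Ssl = 0x8   },
    @{ Name = 'anonymous on, no SSL';   Auth = 0x5; Ssl = 0x0   },
    @{ Name = 'Basic also on, SSL-128'; Auth = 0x6; Ssl = 0x108 }
)
foreach ($s in $samples) {
    $result = @(Test-AutoActivateSecurity -AuthFlags $s.Auth -AccessSSLFlags $s.Ssl)
    if ($result.Count -eq 0) {
        "{0}: compliant" -f $s.Name
    }
    else {
        "{0}:" -f $s.Name
        $result | ForEach-Object { "  - $_" }
    }
}

# To audit a live IIS 6 server, read the two properties through the IIS ADSI provider.
# The metabase path below (site ID 1, directory name) is an assumption; adjust it.
# $dir = [ADSI]'IIS://localhost/W3SVC/1/ROOT/AutoActivate'
# Test-AutoActivateSecurity -AuthFlags $dir.psbase.Properties['AuthFlags'].Value `
#     -AccessSSLFlags $dir.psbase.Properties['AccessSSLFlags'].Value
```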

Viewing and Editing Groove Manager Server Properties

The Groove Manager server properties page allows you to change the administrative contact e-mail address and change the Groove Manager Master Password.

To view or edit Groove Manager server Properties, follow these steps:

1. Go to the Groove Manager administrative Web site and select the server in the left navigation pane. A set of server tabs appears.

2. Click Server Properties in the tool bar. A Groove Manager Properties window appears.

3. To change the administrative contact e-mail address, edit the E-mail field. The default is the managing administrator's e-mail address, supplied during installation.

4. To change the Groove Manager Master Password, enter the old and a new password in the appropriate fields. The Master Password is used to encrypt critical server data stored on the SQL server, including signature and encryption keys, and passwords.

Note: Do not lose this password, as it cannot be restored easily. If you lose your password, contact Microsoft Support. You can change the password on the server Properties page after the Groove Manager is installed.

5. Click OK.

Upgrading the Groove Manager

The procedure for upgrading a 3.0 or later version of the Groove Manager to the current version is similar to that described previously for installing a new Groove Manager application, once you take the necessary measures to back up your data.

Note: Groove Manager 2.5 cannot be directly upgraded to Groove Manager 2007.

To upgrade the Groove Manager from version 3.0 or later, follow these steps:

1. Back up the Groove Manager database that resides on the SQL server.

2. Back up your existing version of the Groove Manager if you do not have access to the original installation CD.

3. Back up the existing Groove Manager entries in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Groove\ManagementServer

4. Shut down the Groove Manager Web site from IIS.

5. Run the installation for the new version of the Groove Manager. This will upgrade the existing version. See “Installing the Groove Manager” for details about the installation.

6. When the installation is complete, reboot the Groove Manager server.

You should now be able to run the upgraded Groove Manager as usual, with your settings and data intact.
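The following PowerShell script is an added example, not part of the Microsoft guide. It automates steps 1 and 3 of the upgrade procedure above and verifies each backup before you continue. The SQL instance, database name and backup paths are placeholders (assumptions), and it assumes sqlcmd.exe is installed; because the database holds the keys and passwords that the Master Password encrypts, the registry export folder is restricted to Administrators and SYSTEM.

```powershell
# Added example: pre-upgrade backup for steps 1 and 3 of the upgrade procedure.
# Assumptions (placeholders, not from the guide): SQL instance, database name,
# backup paths; sqlcmd.exe on PATH; caller is a local admin with BACKUP rights.
param(
    [string]$SqlInstance   = 'SQL-INSTANCE-PLACEHOLDER',
    [string]$Database      = 'GROOVE-MANAGER-DB-PLACEHOLDER',
    # Path as seen by the SQL Server service, which writes the .bak file.
    [string]$SqlBackupFile = 'D:\SqlBackup\groove-manager-preupgrade.bak',
    # Local folder on the Groove Manager server for the registry export.
    [string]$RegBackupDir  = 'C:\GrooveManagerBackup'
)

$ErrorActionPreference = 'Stop'
$regSubKey = 'SOFTWARE\Microsoft\Office\12.0\Groove\ManagementServer'   # key named in step 3
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: back up the database, then ask SQL Server to verify the backup set.
$backupSql = "BACKUP DATABASE [$Database] TO DISK = N'$SqlBackupFile' WITH INIT;"
$verifySql = "RESTORE VERIFYONLY FROM DISK = N'$SqlBackupFile';"
foreach ($sql in $backupSql, $verifySql) {
    # -E: Windows authentication; -b: return a non-zero exit code on SQL errors.
    & sqlcmd.exe -S $SqlInstance -E -b -Q $sql
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE) for: $sql" }
}

# Step 3: export the registry key into a folder only Administrators and SYSTEM can read.
if (-not (Test-Path -Path "HKLM:\$regSubKey")) {
    throw "Registry key HKLM\$regSubKey not found; is the Groove Manager installed on this host?"
}
New-Item -ItemType Directory -Path $RegBackupDir -Force | Out-Null
# *S-1-5-32-544 = BUILTIN\Administrators, *S-1-5-18 = Local System (well-known SIDs).
& icacls.exe $RegBackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# A timestamped file name means an earlier export is never overwritten.
$regFile = Join-Path $RegBackupDir "ManagementServer-$stamp.reg"
& reg.exe export "HKLM\$regSubKey" $regFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
    throw "Registry export failed (exit code $LASTEXITCODE)"
}
if ((Get-Item -LiteralPath $regFile).Length -eq 0) { throw "Registry export is empty: $regFile" }

# Record a hash so the export can be checked for tampering before any restore.
$hash = Get-FileHash -LiteralPath $regFile -Algorithm SHA256

[pscustomobject]@{
    SqlBackupFile   = $SqlBackupFile
    SqlBackupStatus = 'verified with RESTORE VERIFYONLY'
    RegistryExport  = $regFile
    RegistrySha256  = $hash.Hash
}

Write-Host 'Steps 2 and 4 to 6 (installation media, stopping the Web site in IIS, setup, reboot) remain manual.'
```

Store the database backup with the same care as the export folder; the SQL Server service account, not this script, controls the permissions on that file.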

Uninstalling the Groove Manager

To uninstall the Groove Manager, use Add/Remove Programs from the Windows Control Panel. If you encounter problems during uninstall or re-install, contact a Microsoft Support technician.

Adding and Managing Domains

This section provides information about adding, editing, and deleting Groove management domains in the Groove Manager. Management domains are organizational units defined by the Groove Manager server administrator. They contain groups of users, usage and security policies, and Groove relay assignments. Any administrator with at least domain-level permissions can configure domain contents, as described in the Groove Manager Domain Administration portion of the Help.

Once an initial management domain has been generated by the Groove Manager and configured by the Groove Manager administrator during the Groove Manager setup process (as described in “Configuring an Initial Groove Manager Domain”), you can create additional domains, edit them, or delete them, as described in the sections below.

• Adding a Groove Management Domain

• Viewing and Editing Groove Manager Domains

• Deleting a Groove Management Domain

Adding a Groove Management Domain

Groove Manager administrators can create management domains to supplement the domain that the Groove Manager provides initially. You define a management domain by supplying the following information:

• Domain display name.

• A user identity authentication system - either an existing Public Key Infrastructure (PKI) system in place at your enterprise or Groove’s PKI implementation.

• Domain Certificate Authority name (if you choose to use Groove PKI identity authentication when creating the domain).

• Name and password for the certificate and private key that will enable administrators to reset user passwords and to recover user data when necessary, providing that Groove Manager device policies support these capabilities.

Note: Only Groove Manager administrators can add domains to a server.

The following sections provide background information and instructions for creating management domains:

• Enterprise vs. Groove PKI

• Password/Smart Card Reset Private Key

• Creating a Management Domain

Note: If you have registered Groove Relay servers with the Groove Manager in a Groove Enterprise Services environment, the relay servers are assigned to any existing domain groups. They will also be assigned to any additional domains or groups upon domain/group creation.

Enterprise vs. Groove PKI

Groove relies on Public Key Infrastructure (PKI) certificates to authenticate Groove identities - either the native Groove PKI implementation or an external PKI system. If a PKI system is already in place at your organization, with valid certificates from your Certificate Authority (CA) accessible to Groove clients, you can specify your enterprise PKI as the identity authentication mechanism for management domain members. You choose between Groove PKI and external Enterprise PKI during domain creation and configuration.

Typically, corporate PKI systems are general and apply to various applications in use at your site. If you select the Enterprise PKI option when configuring a management domain, Groove integrates your corporate PKI system, along with a set of identity policies (configurable on the Groove Manager by domain administrators) to provide the following capabilities:

• Groove Manager domain administrators can set Groove identity policies on the Groove Manager that control which enterprise-PKI certificates managed Groove users can use for Groove identity authentication. By default, users can choose any certificate in the personal certificate store on their device.

• Groove contacts with Enterprise PKI-certified certificates are automatically validated. The certificate validation process applies to the entire enterprise PKI certificate chain and checks Certificate Revocation Lists (CRLs, often generated by Certificate Authorities) using Microsoft’s CryptoAPI.

• Identity authentication level indicators, as follows:

Enterprise PKI Identity Authentication Indicators

Manually authenticated

Enterprise PKI-certified

Conflicting identity names

Not authenticated

Groove’s PKI implementation is application-specific; it applies only to the Microsoft Office Groove application. Choosing Groove PKI during domain creation generates a certificate and private key used to authenticate Groove identities when they configure their managed accounts. In this context, the Groove management domain is the Certification Authority. This authentication scheme allows the following:

• Groove Manager domain administrators can set up cross-domain certification to facilitate collaboration between users in different management domains.

• Identity authentication level indicators, as follows:

Groove PKI Identity Authentication Indicators

Manually authenticated

Inside the organization and certified

Outside the Organization and certified

Conflicting identity names

Not authenticated

Groove PKI is a viable option if any of the following conditions exist in your organization:

• You do not have an existing PKI system.

• You want to use the Groove Manager’s cross-domain trust feature, described in the Groove Manager Domain Administration portion of the Help.

• Your corporate security policies favor the use of application-specific authentication systems.

For more information about Groove’s application of PKI and how it can be used to establish cross-domain trust, see “Setting Up Cross-Domain Certification” in the Groove Manager Domain Administration portion of the Help.

For information about choosing a PKI option, see “Creating a Management Domain”.

Password/Smart Card Reset Private Key

When creating and configuring a management domain, in addition to generating the certificate and private key used by the Groove Certification Authority (if Groove PKI is enabled), you also create a certificate and private key for resetting Groove passwords and smart card logins, and for recovering Groove data. The login credentials reset private key resides in a password-protected private key file (.xml file), generated during initial domain configuration. The public key file (.cer file) is handled by the device policy that enables resets and data recovery.

You can configure Groove password or smart card login reset options during domain configuration, as described in “Creating a Management Domain”.

Creating a Management Domain

This section provides instructions for creating new domains on a Groove Manager installed at your site. Once a Groove Manager administrator creates a domain, any administrator with at least domain-level privileges can edit its properties, and populate it with groups of users, user devices, and Groove relay assignments. Administrators can also customize user and device policies for the domain.

For information about editing a management domain, see “Viewing and Editing Management Domain Properties” in the Groove Manager Domain Administration portion of the Help.

To add a new Groove management domain to the Groove Manager (or to complete initial domain creation), follow these steps:

1. Go to the Groove Manager administrative Web site and select the Groove Manager device name from the navigation pane on the left, then click the Domains tab.

If you just installed the Groove Manager and need to finish configuring the initial default domain, see “Configuring an Initial Groove Manager Domain”.

2. Click the Add Domain button. The Add Domain page appears.

3. Enter the requested information in the Add Domain fields described in the table below, then click OK.

Domain creation may take up to 10 seconds to complete, while the Groove Manager creates the encryption and authentication keys used for domain authentication, and stores them in a SQL database. The new management domain then appears in the domain list, ready for domain administrators to populate with users, devices, and relay assignments.

Domain Fields Explanations

Domain Setup

Domain Name

Type the display name of the domain. This name is used in the Groove Manager user interface to refer to the domain and appears after the user name in managed Groove user contacts.

If this is an initial domain, the Groove Manager supplies a domain name, which you can edit.

Contact E-mail

Enter the e-mail address of the contact administrator for the domain.

Description

Type a description of the domain, if desired.

Identity Authentication Settings (cannot be undone)

Click one of the following options, depending on the security practices and policies in place at your organization:

• Use Enterprise PKI to authenticate members’ identities - Select this option only if your organization has an existing Public Key Infrastructure (PKI) system that you want to use for managed user identity authentication, instead of Groove’s PKI.

NOTE: Management domain member names must exactly match the names associated with valid PKI certificates and these certificates must be accessible from Groove clients via the Internet Explorer CryptoAPI (CAPI) store. When configuring managed Groove accounts, users will be prompted to select a certificate, so make sure that the Identity Authentication Certificates policy is properly set, as described in “Specifying Enterprise PKI Certificates”.

• Use Groove PKI to authenticate member’s Identities - Select this option if you do not have a corporate PKI system in place at your organization. Choosing this option generates a certificate and private key used by the Groove Certification Authority.

Note: To use the Groove Manager cross-domain trust feature, you must select the Groove PKI option. For information about setting up cross-domain trust, see “Setting Up Cross-Domain Certification” in the Groove Manager Domain Administration portion of the Help.

Note: You cannot change this setting after you click OK.

See “Enterprise vs. Groove PKI” for more information about these options.

Default: Use Groove PKI

Certificate Authority (CA) Name

If the Groove PKI option is selected, type the unique registered Domain Name Service (DNS) name of your Groove Manager domain (such as sales.contoso.com). This field does not apply to the Enterprise PKI option.

Domain names must be unambiguous - no two domains on the Groove Manager can share the same DNS name. Entering a Groove Manager name that is not a registered DNS name may result in ambiguous names. Version 2.5 (or later) of the Groove Manager normally detects this condition when domains are created and displays an informational message alerting you if a name already exists in the Groove Manager.

For more information about DNS names, see the description of Certification Authority name in “Installing the Groove Manager”.

Password or Smart Card Reset Setup

Setup password reset options

Accept the default or select one of the following options:

• Setup password reset now. - Lets you set up password reset now, instead of letting another administrator complete domain configuration.

• Allow domain administrator to setup password reset. - Lets you exit the domain setup page without setting password reset options, leaving the task of supplying a reset password to a domain administrator. No one can add domain members until password reset configuration is complete. Clicking Members for this domain in the navigation panel displays a pop-up window requesting this information.

You can define a domain administrator from the Roles tab, as described in “Managing Administrative Roles”.

Default: Setup password reset now.

Private Key Name

Accept the default private key name or type another one. The default name reflects the date and time of key creation for archival purposes, if subsequent keys are created. This private key (and its associated certificate, or public key) supports the Groove user login credential reset and data recovery features. Resetting of Groove password or smart card logins is regulated by the management domain’s identity security policies, described in the Groove Manager Domain Administration portion of the Help.

See “Password/Smart Card Reset Private Key” for more information about the password or smart card login reset private key.

Private Key Password

Type a password to protect access to the password/smart card reset private key.

Confirm Private Key Password

Verify the private key password that you entered.

Private key storage options

Select one of the following private key storage options:

• Configure private key settings to allow use of the automatic password reset identity policy. - Saves the login reset private key (an .xml file), along with the associated reset password, on the Groove Manager, providing that the Automatic option is selected on the domain’s Identity Policy Security page, as described in “Controlling Login Credential Reset and Data Recovery” in the Groove Manager Domain Administration portion of the Help.

• Save private key on Groove Manager and require private key password to manually reset member passwords. - Saves the login reset private key (an .xml file) on the Groove Manager when you press OK to submit your entries.

• Save private key to a file and require key and password to manually reset member passwords. - Lets you browse to a directory on your network where the login reset private key (an .xml file) should be saved when you press OK to submit your entries.

For information about changing these settings, see “Changing Reset/Recovery Private Keys and Key Locations” in the Groove Manager Domain Administration portion of the Help.

Default: Configure private key settings to allow use of the automatic password reset identity policy.
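The Enterprise PKI option in the table above requires that member names exactly match the names on valid certificates, that those certificates are reachable through the client's CryptoAPI store, and that the whole chain passes revocation checking. The following PowerShell check is an added example, not part of the guide or of Groove; run it on a client as the user in question before choosing the option that cannot be undone. It assumes the name Groove compares is the certificate's subject simple name, and the member name shown is a constructed placeholder.

```powershell
# Added example: pre-check of personal-store certificates for the Enterprise PKI option.
# Assumption: the "name associated with the certificate" is the subject simple name (CN).
param(
    [string]$MemberName = 'Alice Example'   # constructed placeholder for the member name entered in Groove Manager
)

function Test-MemberCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedName
    )

    # X509Chain on Windows builds and validates the chain through CryptoAPI.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs online and check every certificate in the chain, not only the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $chainOk  = $chain.Build($Certificate)
    # ChainStatus is empty when the chain is valid; otherwise it lists each failure
    # (for example Revoked, RevocationStatusUnknown, UntrustedRoot, NotTimeValid).
    $problems = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })
    $chain.Reset()

    $simpleName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        SimpleName    = $simpleName
        # -ceq is case-sensitive: the guide requires an exact match.
        NameMatches   = ($simpleName -ceq $ExpectedName)
        HasPrivateKey = $Certificate.HasPrivateKey
        NotAfter      = $Certificate.NotAfter
        ChainValid    = $chainOk
        ChainProblems = ($problems -join '; ')
    }
}

# Cert:\CurrentUser\My is the user's personal certificate store.
$results = @(Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    Test-MemberCertificate -Certificate $_ -ExpectedName $MemberName
})

if ($results.Count -eq 0) {
    Write-Warning 'No certificates found in the personal store for this user.'
} else {
    $results | Format-List
    $usable = @($results | Where-Object { $_.NameMatches -and $_.ChainValid -and $_.HasPrivateKey })
    Write-Host "$($usable.Count) of $($results.Count) certificate(s) match '$MemberName' and validate with revocation checking."
}
```

A RevocationStatusUnknown result usually means the client cannot reach a CRL distribution point, which is worth resolving before members are asked to select a certificate.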

Viewing and Editing Groove Manager Domains

You can view or edit domains defined for a server from the Domains tab. The Groove Manager provides an initial domain, along with a default group, identity template, device template, and relay server set. You or any domain administrator can edit the domain. You or any Groove Manager server-level administrator can define new domains as described in “Adding a Groove Management Domain”.

To view or edit domains already defined for a server, follow these steps:

1. Go to the Groove Manager administrative Web site and select the Groove Manager device from the navigation pane on the left. The Groove Manager server-level tabs appear: Reports, Domains, Roles, and Directory Integration, as described in “Accessing the Groove Manager Administrative Web Site”.

2. Click the Domains tab. A list of domains in the Groove Manager appears, showing columns of information as described in the following table. Only the default domain appears until you add other domains.

3. To edit a domain, click a domain name in the main window. Several tabs appear, where you can edit domain information, as described in the following table. Note that you or any domain administrator can also edit domains by clicking a domain in the navigation pane and clicking Domain Properties in the tool bar.

4. Click a tab, edit the desired domain information, then click OK. For details about setting these domain properties, see “Viewing and Editing Management Domain Properties” in the Domain Administration portion of this Help.

Domain Information Description

Domain Name

The supplied domain name.

Certificate Authority

The domain’s Certificate Authority name if Groove PKI is the chosen identity authentication method. If a corporate PKI system is used, ‘Integrating with Enterprise PKI’ appears in place of the CA name.

Domain Tabs Description

Domain Settings

Domain attributes, including the following:

• Domain name and description

• Domain contact e-mail address

• Domain member affiliation

• Periods of inactivity

Password Settings

Settings that support login credential reset and data recovery.

Cross-Domain Certification

Setup for cross-certifying other management domains, if Groove PKI is selected during domain creation.

Advanced Settings

Setup for automating domain migration.

Deleting a Groove Management Domain

You can delete a management domain from the Domains tab, after deleting all users from the domain. Note that deleting users from a domain removes all user information and blocks access to data.

Removing the domain and its members deletes the managed identities and devices that belong to that domain or any of its groups and has the following effects:

• Users from the removed domain or any of its groups cannot use the managed identities that belonged to the removed domain or its groups.

• Users cannot access Groove spaces to which their managed identities belonged.

• Users can no longer access any of the Groove Relay servers associated with the domain.

• Users are no longer subject to domain policies governing their managed identity.

• User devices are no longer subject to domain device policies.

• Files in Groove Folder Synchronization (GFS) directories will no longer be synchronized, although GFS files on user devices will remain intact and accessible.

For more information about deleting users from a management domain, see “Deleting Domain Members” in the Groove Manager Domain Administration portion of the Help.

To delete a domain, including all members, and associated groups and group members, from the Groove Manager, follow these steps:

1. Go to the Groove Manager administrative Web site and select the domain you want to remove in the navigation pane. A set of domain tabs appears.

2. Delete the domain members as follows:

a. Select Members in the left navigation pane. The Member page appears.

b. Select the top checkbox to delete all domain members from the domain.

c. Select Delete Members from the Managed Members drop-down list in the tool bar.

d. Click OK to confirm the members deletion.

e. Select any groups under Members to display the Members page for the group. Repeat the above process to delete members in the group.

3. Select the Server in the navigation pane. A set of server tabs appears.

4. Click the Domains tab.

5. Select the domains that you want to delete.

6. Click Delete Selected Domains in the toolbar, then click OK to confirm the deletion.

You have now removed the selected domains, along with the associated identities and devices, from the server.

Managing Administrative Roles

The sections below discuss how to utilize the Groove Manager’s optional role-based access control (RBAC) system to strengthen the security provided by the authentication mechanism in place for the Groove Manager administrative Web site. Administering RBAC involves the following tasks:

• Setting Administrator Roles

• Editing Administrator Roles

• Deleting Administrators

Setting Administrator Roles

Defining server administrators takes place on the server Roles pages. The sections below provide background and procedures for enabling role-based access and setting up Groove administrator roles:

• Role-Based Access Control

• Enabling Administrative Access Control

• Adding Administrators

Role-Based Access Control

The Groove Manager employs an optional role-based access control (RBAC) system to strengthen the security provided by the administrative Web site’s authentication scheme. Once a server administrator enables this system, whenever an administrator logs in to the Groove Management Server administrative Web site using the organization’s established IIS authentication system, the role assigned to that administrator determines what fields will be available for administration. Enabling RBAC requires that at least one administrator be defined as Server Administrator.

This access mechanism lets you specify who can access the Groove Manager administrative interface and which tasks they can perform. Entering any user as an administrator gives that user some degree of access to Groove Manager administration. You determine the degree of access that the user has by setting the scope of authority as a Groove Manager or a selected management domain, and specifying the user’s role.

Unlike an authentication system, which specifies who someone is, role-based access is an authorization system, which specifies what someone is allowed, or authorized, to access. Initially after installation, no Groove Manager administrators are defined and full access is allowed to all Groove Manager features, including the ability to add other administrators and define roles for them. Note that assigning a role to an Administrator in RBAC affects only the Groove Manager application; it does not affect any users, roles, or groups in the NT Domain.

Note: If you do not enable role-based access control, anyone who accesses the Groove Manager’s administrative site will have full access to all administrative fields and pages on the site.

To enable role-based administrative access control for the Groove Manager, see “Enabling Administrative Access Control”.

Enabling Administrative Access Control

Enabling role-based access control, which allows you to define administrative access to the Groove Manager, is an important part of securing your Groove management system. For a description of this functionality, see “Role-Based Access Control”.

To enable role-based access control on the Groove Manager, follow these steps:

1. Go to the server Roles page of the Groove Manager administrative Web site.

If you are not a server administrator, assign yourself that role, as described in “Defining an Initial Administrator Role”.

2. From the server Roles page, select ‘Enable role-based access control’. This allows only defined administrators (described in “Adding Administrators”) to access the Groove Manager.

Adding Administrators

If you choose to employ the recommended role-based access control system, you can add domain-level and other administrator roles at any time. This allows you to delegate different administrative responsibilities to specific administrators.

To define administrator roles, follow these steps:

1. Make sure that you have set up an authentication system for the Admin directory in IIS as described in “Setting Up the Groove Manager IIS Server”. Otherwise, RBAC cannot effectively safeguard the Groove Manager’s administrative interface.

If an initial server administrator has not been defined and RBAC control has not been enabled, complete these steps as described in “Defining an Initial Administrator Role”.

2. Open a browser and go to the Groove Management Server administrative Web site.

The Groove Manager administrative home page appears, with a navigation pane that lists the Groove Manager name and its domains and groups.

3. Select the Groove Manager from the navigation pane on the left, then click the Roles tab. The Roles page appears, listing any administrators that have been defined, along with associated server names or domain scopes.

4. From the server Roles tab, click Add Administrator in the toolbar. The Add Administrator page appears. For reference, this page displays the name that you used to log in to the Groove Manager administrative Web site.

5. In the Name field, enter the exact login name that the administrator will use to log in to the Groove Manager Web site, as defined by your authentication system.

Note: If the administrator name that you specify does not exactly match the login name used by your Web site authentication scheme, the new administrator will not have any privileges on the server after RBAC is enabled. This is especially important to remember when adding an administrator whose login name is in LDAP Common Name (CN) format, which may not suggest a typical login name.

6. From the Scope drop-down menu, select a server or domain to indicate the scope of the administrator’s role.

7. Click the Add button. The selected server or domain name appears in the Assigned Scopes scrolling list, and the default role appears under Assigned Roles Within Selected Scope.

Note: At least one administrator must be assigned the Scope of servername and the Role of Server Administrator. This allows at least one administrator to access all levels of Groove Manager administration and to enable or disable role-based access control.

8. If you need to delete an assigned scope, select it and click the Remove From Scopes button.

9. If you entered a domain as the scope for an administrator name and you want to assign a role now, select that domain in the Assigned Scopes list, then select the appropriate options in the Assigned Roles list. These roles control what fields in the Groove Manager’s administrative UI the administrator can access. The following table describes how each role determines UI access and tasks:

Administrator Role

Description Tasks

Server Administrator

Allows full UI access to all server and domain administration fields. At least one administrator must be assigned the Server Administrator role.

Note: You must set your own role to Server Administrator before setting Enable role-based access control.

• Adding and deleting management domains

• Adding and deleting administrators

• Monitoring server events

• Configuring a corporate directory server if present

• All domain-level tasks.

Domain Administrator

Allows full UI access to domain-level administration within a selected management domain (scope).

All domain-level tasks, including:

• Configuring management domains: editing the domain name and setting up identity authentication, password reset, and data recovery systems

• Adding, deleting, and modifying domain member groups

• Adding, deleting, and editing identity policy templates

• Adding, deleting, and editing device policy templates

• Adding, deleting, and editing license sets (for Groove 3.1 or earlier)

• Adding, deleting, and editing relay server sets

• Reassigning roles to other administrators of the domain (not to Server Administrators)

Member Administrator

Limits UI access to fields that affect domain member administration, within a selected management domain.

• Adding Groove users to management domain groups

• Assigning identity and device policy templates, and relay server sets to groups and identities

• Editing member contact information

• Removing domain group members

License Administrator

(for version 3.1 or earlier Groove clients only)

Limits UI access to fields that affect Groove license administration within a selected management domain (for Groove 3.1 or earlier clients).

• Assigning Groove licenses (3.1 or earlier) to management domain groups and users

• Removing license assignments and removing licenses from license sets (for 3.1 or earlier Groove clients).

Support Administrator

Limits UI access to fields that control Groove user passwords and data recovery within a selected domain.

• Resetting managed Groove user passwords or Smart Card login credentials upon request

• Restoring backed up Groove user accounts upon request

Report Administrator

Limits UI access to Groove usage reports for a selected management domain.

• Reviewing Groove usage reports of managed user activities, Groove use, and Groove tool use

no roles selected

Blocks access to management domain tasks. The domain (scope) appears in the navigation pane of the Groove Manager administrative Web site, along with a message instructing the administrator to see the server or domain administrator to gain domain access.

None.

Administrators without a role cannot access domain tasks until a server or domain administrator assigns them a role.

10. Click OK.

The added administrator appears in the list of administrator names and scopes on the Roles tab. To add another administrator, return to the beginning of this procedure and click the Add Administrator tool again. (You can add only one administrator at a time in the Add Administrator dialog box.)

The administrator you added now has Groove Manager administration access in accordance with your specifications.
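Because an administrator name that does not exactly match the authenticated login name leaves that administrator without privileges once RBAC is enabled, it helps to see the login names exactly as IIS records them. The following PowerShell check is an added example, not part of the guide or the product: it reads the cs-username field of an IIS W3C extended log and compares it with the names you plan to enter in the Name field. The log lines, URL path and account names are constructed, and treating a case-only difference as a mismatch is a conservative assumption.

```powershell
# Added example: compare planned administrator names with the login names IIS recorded.
# Constructed sample of an IIS W3C extended log; not real traffic, path is a placeholder.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2007-03-01 09:00:01 10.0.0.5 GET /placeholder-admin/default.aspx - 443 CONTOSO\jsmith 10.0.0.20 200
2007-03-01 09:02:10 10.0.0.5 GET /placeholder-admin/default.aspx - 443 - 10.0.0.21 401
2007-03-01 09:03:30 10.0.0.5 GET /placeholder-admin/default.aspx - 443 CONTOSO\ADavis 10.0.0.23 200
2007-03-01 09:05:44 10.0.0.5 GET /placeholder-admin/default.aspx - 443 CN=mjones,OU=IT,DC=contoso,DC=com 10.0.0.22 200
'@ -split '\r?\n'

function Get-AuthenticatedUserName {
    # Returns the distinct cs-username values found in W3C log lines.
    param([string[]]$LogLine)

    $index = -1
    $names = New-Object 'System.Collections.Generic.HashSet[string]'   # ordinal, case-sensitive
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # The #Fields directive defines the column order for the lines that follow.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            $index  = [array]::IndexOf($fields, 'cs-username')
            continue
        }
        if ($index -lt 0 -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $columns = $line -split ' '
        # "-" means the request was anonymous or authentication had not completed.
        if ($columns.Count -gt $index -and $columns[$index] -ne '-') {
            [void]$names.Add($columns[$index])
        }
    }
    @($names)
}

function Compare-PlannedAdministrator {
    # Classifies each planned administrator name against the names seen in the log.
    param([string[]]$PlannedName, [string[]]$SeenName)

    foreach ($planned in $PlannedName) {
        $status = if ($SeenName -ccontains $planned) { 'exact match' }
                  elseif ($SeenName -contains $planned) { 'differs only by case' }
                  else { 'never seen in log' }
        [pscustomobject]@{ PlannedName = $planned; Status = $status }
    }
}

$seen    = Get-AuthenticatedUserName -LogLine $sampleLog
# Constructed names an administrator might type into the Name field.
$planned = 'CONTOSO\jsmith', 'contoso\adavis', 'mjones'

Write-Host 'Login names recorded by IIS:'
$seen | ForEach-Object { Write-Host "  $_" }

Compare-PlannedAdministrator -PlannedName $planned -SeenName $seen | Format-Table -AutoSize
```

To use it on a live server, replace `$sampleLog` with `Get-Content` on the Web site's log file and have each prospective administrator log in once before RBAC is enabled.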

Editing Administrator Roles

Any administrator with at least domain-level permissions on the Groove Manager can edit administrator scopes and roles, by going to the Roles page for a selected server or management domain.

To edit administrator roles, follow these steps:

1. Go to the Groove Management Server administrative Web site and select a server from the navigation pane.

2. Click the Roles tab. The Roles page appears with a list of administrator names and their associated server name or domain scope.

3. From the Roles tab, click the administrator name that you want to edit. The Edit Administrator page appears.

4. Edit the fields shown in the following table as needed:

Edit Administrator Fields - Descriptions

Name - The exact login name that the administrator will use to log in to the Groove Manager Web site, as defined by your authentication system.

Scope - Drop-down menu of defined Groove Manager server and domains. Clicking the Add button displays the server name in the Assigned Scopes scrolling list and the administrator’s role in the Assigned Roles Within Selected Scope check-list for that scope.

Assigned Scopes - Scrolling list of Groove Managers and domains that have been assigned to an administrator. Selecting a server or domain in this list displays the possible roles available for the selected scope.

Assigned Roles Within Selected Scope - Appears if the Add button is pressed. Displays possible roles for a selected scope, as follows:

• Server Administrator - Allows full access to all server and domain-level administration for the selected server.

• Domain Administrator - Allows full access to all domain-level administration for the selected domain.

• Member Administrator - Allows access to management domain member administration only, within the selected domain.

• License Administrator - Allows access to Groove license administration only, within the selected domain (for Groove 3.1 or earlier).

• Support Administrator - Allows access to Groove identity authentication and data recovery/password reset administration only, within the selected domain.

• Report Administrator - Allows access to Groove usage reports for the selected domain.

Select any roles that you want to apply to a selected scope for the administrator that you are editing.

For more information about assigned roles, see “Adding Administrators”.

5. To delete a scope assignment for the administrator being edited, select the scope and click the Remove From Scopes button.

6. Click OK.

Deleting Administrators

Any administrator with the Server Administrator role can delete administrators, with the exception of the initial Manager for Server, which cannot be deleted.

To remove an administrator from the Groove Manager, do the following:

1. Go to the Groove Management Server administrative Web site and select a server from the navigation pane.

2. From the Roles tab, select the administrator(s) that you want to delete.

Note: You cannot delete yourself.

3. Click Delete Administrator in the tool bar.

4. When a confirmation pop-up appears, click OK.

Defining a Directory Server

The Groove Manager’s optional directory integration feature lets you incorporate user information from a Lightweight Directory Access Protocol (LDAP) v3.0-based directory server at your site into Groove Manager domain user lists. This expedites the administrative task of provisioning a large number of users with Groove usage policies and Groove Relay servers. It also allows you to take advantage of the automatic user account configuration/restoration feature and the automated domain migration feature currently available with the Groove Manager.

In addition, if the LDAP directory is configured with valid PKI certificates for authenticating users, you can more easily set up Enterprise PKI for a Groove Manager domain, providing that the user names in the directory exactly match user names on the certificates and that the certificates are accessible via Groove client browsers.

To allow domain administrators to import user information from an onsite directory server at your organization, you must properly configure the Groove Manager to recognize the directory server.

This feature requires an onsite Groove Manager server; the feature is not available via Microsoft-hosted Groove Enterprise Services.

The sections below describe the following directory server tasks:

• Overview of Directory Integration

• Adding a Directory Server

• Editing a Directory Server

• Customizing Management and Directory Server Mapping

• Configuring Directory Synchronization

• Viewing Directory Synchronization Status

• Automating Directory Integration

• Deleting an Integration Point

• Deleting a Directory Server

Overview of Directory Integration

If your management network includes a corporate LDAP directory of user information, you can utilize this directory to populate Groove Manager domains with users. You begin by defining the directory server on the Groove Manager to allow the Groove Manager and LDAP directory to communicate.

Once a directory server is defined on your Groove Manager, you can import directory user information to management domains in one of two ways: by allowing domain administrators to import directory information to specific domain groups, or by enabling automatic directory integration via integration points that may or may not involve the full directory structure. Automatic data integration eliminates the need for a domain administrator to manually import each new user that is added to the corporate directory.

In summary, the Groove Manager provides two options for integrating user information from an LDAP server with Groove Manager domain user lists:

• Manually importing members from a directory server using the Add Members Wizard.

• Automatically importing members from a directory server through an integration point, with or without the directory structure.

The Groove Manager uses an internal mapping scheme, shown in “Table 1. Groove Manager to LDAP Attribute Mapping”, to map user directory attributes to the Groove Manager user attributes. Changes in the directory can be synchronized on the Groove Manager automatically at scheduled intervals or manually as needed. The Groove Manager is designed to support Microsoft Active Directory, Lotus Domino R5 (or later), and Sun ONE directory applications.

Adding a Directory Server

In order to enable directory integration, you must first identify the directory server to the Groove Manager. The following sections provide detailed instructions about defining and configuring a corporate directory server on your Groove Manager:

• Before You Begin

• Defining a Directory on the Groove Manager

• Integrating User Data with a Management Domain

Before You Begin

Before you define a directory server on the Groove Manager, note the following requirements and recommendations:

• Each user record that you intend to import to the Groove Manager must include a valid e-mail address, particularly when using Domino directories. The Domino format automatically populates blank user e-mail addresses with default entries that are not valid e-mail addresses on the Groove Manager.

• The directory server login administrator must have at least read-only access rights to the distinguished name (DN), name, e-mail, and unique identifier attributes on the directory server. See “Table 1. Groove Manager to LDAP Attribute Mapping” below for mapping details. The Unique Identifier (UID) is used to locate users who cannot be located using DN or e-mail. If all attempts fail, the user is treated as deleted.


• A hidden unique identifier (UID) for each user on the Groove Manager maps to a unique identifier on the directory server, as shown in “Table 1. Groove Manager to LDAP Attribute Mapping”. The unique identifier must point to a unique attribute of the user. Users who cannot be located in the directory are treated as deleted users.

• The distinguished name (DN), name, e-mail, and unique identifier attributes on the directory server should not be null.

• You cannot use the Groove Manager to modify identity contact properties for users that have been imported from a directory server - that information should be maintained on the directory server itself, followed by Groove Manager synchronization as described in “Configuring Directory Synchronization” later in this section.

Defining a Directory on the Groove Manager

To define a directory server to the Groove Manager, follow these steps:

1. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab.

2. Click Add Directory Server in the toolbar. The Add Directory Server page appears with tabs as described in the following table:

Add/Edit Directory Server Tab - Explanation

Server Properties - Allows server administrators to configure and edit directory server properties.

Field Mapping - Allows server administrators to map Groove Manager fields to directory server fields.

Synchronization - Allows server administrators to synchronize the Groove Manager with the latest changes on the directory server.

3. From the Add Directory Server/Server Properties tab, enter the required and optional information in the fields described in the following table:

Directory Server Properties Fields - Description

Directory type - Required. Specifies one of the following directory types, as selected from the drop-down list:

• Microsoft Active Directory

• Lotus Domino R5 (or later)

• Sun ONE

• Generic LDAP Server

Display Name - Lets you specify a display name for the directory server.

Server Name - Required. Specifies the registered, fully qualified DNS name of the directory, such as CompanyA.EmpDirectory.net.

Server Port - Required. Port number (usually 389 or 636).

Root Naming Context - Lets you specify a default root name to be used for executing a search. This name will indicate where in your directory hierarchy the search should begin.

For example, if you want search entries to begin with your organization name by default, enter the name for your organization in this field. An Active Directory entry might be: dc=company,dc=net.

This is a required field for Lotus Domino and Sun ONE, which do not expose a default root naming context, but not for Active Directory.

Unique Identifier - Required. Specifies the name of a field in your directory server which contains a unique, unchanging identifier for each user. The Groove Manager uses this field to map users on your directory server to management domain user lists.

If the default entry specifies a field that may change, enter another directory field, such as EmployeeID or BillingCode, that contains permanent user identifiers. This mechanism allows the Groove Manager to locate individual users even if you relocate them in the directory server hierarchy or update other user information.

Default: the name of a commonly used field that uniquely identifies each user within a specific LDAP server environment, such as Active Directory, Domino, or Sun ONE.

Require SSL - Lets you require Secure Sockets Layer (SSL) technology for connections to your directory server, providing that your server has the necessary SSL certificates and ports enabled.

Chase directory referrals - Lets you instruct the Groove Manager to extend directory searches to referral devices if other servers support your main directory server. If you do not set this feature, the Groove Manager will return a null set when searching for user data that does not reside on the main directory server but on a referral server.

Note: This feature requires that the directory server and any referral device share the same login name and password.

Login name - Required. Specifies the name for logging into the directory server from the Groove Manager - preferably an LDAP Distinguished Name (DN), such as CN=administrator,CN=users,DC=contoso,DC=com.

The name should correspond to a directory server account that has full read access to user directories. The Groove Manager uses this login name to access the directory server for data synchronization and to import names into a domain when configured to do so by a domain administrator.

Access to user directories depends on how you define permissions for the account associated with this login sequence on the directory server. Successful integration of management and directory servers requires full read access to user directories. Therefore, defining a dedicated account and login sequence for Groove Manager access to the directory server is highly recommended.

CAUTION: Changing the directory Login name to use a different directory server account that has different read access to the directory can cause some user accounts in Groove Manager to change their directory status from ‘Imported’ to ‘Deleted’ because they cannot be found during directory synchronization. Though not deleted from Groove Manager, they are marked as Deleted in the directory.

Allowing Groove Manager logins to multiple directory server accounts can result in irretrievable loss of Groove user accounts during data synchronization.

Login password - Required. Specifies the password for logging into the directory server from the Groove Manager. The Groove Manager will use this password to access the directory server for data synchronization and to import names into a domain when configured to do so by a domain administrator.

Note: Do not leave the login password blank. The LDAP server treats logins with blank passwords as anonymous logins, which can result in data loss, as described in the above Caution. Due to this LDAP authentication issue, the Groove Manager requires that you supply a password for any LDAP accounts used in conjunction with the Groove Manager, thus preventing possible data loss.

Use secure binding - Lets you instruct the Groove Manager to use your local administrative platform to secure the login information before sending it to the directory server. Enabling this feature is the more secure login method, providing that your directory server is configured to support this method.

Note: Make sure to select this secure connection option when attempting to import members with double-byte characters from Active Directory into the Groove Manager.

4. Click OK. This creates a directory connection with the Groove Manager and displays the directory name in the list of integration servers on the Directory Integration tab.

You have now defined the directory server so that domain administrators can import a corporate directory of user information to a Groove Manager domain, or you can define directory integration points that automate this process.

At the Groove Manager level, you can further specify directory server settings as follows:

• Modify the default Groove Manager-directory server field mapping, as described in “Customizing Management and Directory Server Mapping”.

• Configure data synchronization (user attributes and integration points), as described in “Configuring Directory Synchronization”.
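A pre-flight check built from the field rules in the Directory Server Properties table can catch a blank login password or a missing Root Naming Context before the definition is saved. The following is an added example, not Groove Manager code; the DirectoryServerDefinition record, the check_definition function and the sample values are hypothetical, and the port warnings rest on the usual LDAP conventions (389 plain, 636 over SSL) rather than on this guide.

```python
"""Pre-flight check for a directory server definition (added example)."""
from dataclasses import dataclass

DIRECTORY_TYPES = ("Microsoft Active Directory", "Lotus Domino R5 (or later)",
                   "Sun ONE", "Generic LDAP Server")
# Directory types that do not expose a default root naming context, per the guide.
NEEDS_ROOT_CONTEXT = ("Lotus Domino R5 (or later)", "Sun ONE")


@dataclass
class DirectoryServerDefinition:
    """Hypothetical record mirroring the Directory Server Properties fields."""
    directory_type: str
    server_name: str
    server_port: int
    unique_identifier: str
    login_name: str
    login_password: str
    root_naming_context: str = ""
    require_ssl: bool = False
    use_secure_binding: bool = False


def check_definition(d):
    """Return (errors, warnings) for one definition, as two lists of strings."""
    errors, warnings = [], []
    if d.directory_type not in DIRECTORY_TYPES:
        errors.append(f"unknown directory type: {d.directory_type!r}")
    if not d.server_name.strip():
        errors.append("Server Name is required")
    if not 1 <= d.server_port <= 65535:
        errors.append("Server Port must be between 1 and 65535")
    if d.directory_type in NEEDS_ROOT_CONTEXT and not d.root_naming_context.strip():
        errors.append("Root Naming Context is required for Lotus Domino and Sun ONE")
    if not d.unique_identifier.strip():
        errors.append("Unique Identifier is required")
    if not d.login_name.strip():
        errors.append("Login name is required")
    elif "=" not in d.login_name:
        warnings.append("Login name is not an LDAP Distinguished Name")
    # A login that names an account but carries an empty password is treated by
    # the LDAP server as anonymous, so synchronization would see only what an
    # anonymous user can read and mark every other imported user as Deleted.
    if d.login_password == "":
        errors.append("Login password is blank: the bind would be anonymous")
    if not (d.require_ssl or d.use_secure_binding):
        warnings.append("neither Require SSL nor Use secure binding is selected")
    if d.server_port == 636 and not d.require_ssl:
        warnings.append("port 636 is the usual LDAP-over-SSL port but Require SSL is off")
    if d.server_port == 389 and d.require_ssl:
        warnings.append("Require SSL is on but port 389 is the usual non-SSL LDAP port")
    return errors, warnings


# Constructed sample definitions: a weak one and its corrected form.
WEAK = DirectoryServerDefinition(
    directory_type="Sun ONE", server_name="directory.example.test",
    server_port=389, unique_identifier="nsuniqueid",
    login_name="groove-sync", login_password="")

HARDENED = DirectoryServerDefinition(
    directory_type="Sun ONE", server_name="directory.example.test",
    server_port=636, unique_identifier="nsuniqueid",
    login_name="uid=groove-sync,ou=services,dc=example,dc=test",
    login_password="constructed-password",
    root_naming_context="dc=example,dc=test", require_ssl=True)

if __name__ == "__main__":
    for label, definition in (("weak", WEAK), ("hardened", HARDENED)):
        errs, warns = check_definition(definition)
        print(label, "errors:", errs, "warnings:", warns)
```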

Integrating User Data with a Management Domain

For information about importing user information from the directory server to a Groove Manager domain, see the following:

• For information about administrative import of Groove user information from a directory server to the management domain, see the Groove Manager Domain Administration portion of the Help.

• For information about automating directory integration of user information, see “Automating Directory Integration”.

Editing a Directory Server

To edit directory configuration information, follow these steps:

1. Select the Groove Manager in the Groove Manager navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

2. From the list of directory servers, click the server that you want to edit. The Edit Directory Server Properties page appears, with three tabs: Server Properties, Field Mapping, and Synchronization, described in the “Add/Edit Directory Server Tab” table.

3. From the Server Properties tab, edit the values you want to change, as described in the “Directory Server Properties Fields” table.

4. To edit the default Groove Manager-directory server field mapping, click the Field Mapping tab and edit the values you want to change, as described in the “Field Mapping Text Boxes” table.

5. To edit synchronization parameters or integration points, click the Directory Synchronization tab and edit the values you want to change, as described in the “Directory Synchronization Fields” and “Select Integration Point Option” tables.

6. Click OK.

Customizing Management and Directory Server Mapping

The Groove Manager follows a default schema for mapping the user information fields on each of the three directory server types (Active Directory, Domino, or Sun ONE) to Groove contact properties. See “Table 1. Groove Manager to LDAP Attribute Mapping” for mapping details. You can edit the way in which these fields are mapped by using the directory server field mapping pages. Usually, administrators customize attribute mapping before importing directory server user information to the Groove Manager. However, you can also perform this task after users have been imported, providing that you synchronize the servers after making the mapping changes.


Table 1. Groove Manager to LDAP Attribute Mapping

| Groove Manager/Groove Client Contact Properties | Active Directory | Domino | Sun ONE |
| --- | --- | --- | --- |
| Full Name | cn | cn | cn |
| First Name | givenName | givenName | givenName |
| Last Name | sn | sn | sn |
| title | title | title | title |
| e-mail | mail | mail | mail |
| orgPhone | telephonenumber | telephonenumber | telephonenumber |
| orgCell | mobile | mobile | mobile |
| orgFax | facsimileTelephoneNumber | facsimileTelephoneNumber | Fax |
| Company | company | CompanyName | o |
| orgStreet | streetAddress | officestreetaddress | street |
| orgState | st | st | st |
| orgCity | l | l | l |
| orgCountry/Region | c | c | c |
| orgPostalCode | postalcode | postalcode | postalcode |
| Unique Identifier (not in Groove contact properties) | objectGUID | UID | nsuniqueid |

To customize the mapping of Groove Manager user information fields to corresponding fields on the directory server, follow these steps:

1. Define a directory server, as described in “Adding a Directory Server”.

2. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

3. From the list of directory servers, click the server for which you want to customize field values. The directory Server Properties page appears.

4. Click the Field Mapping tab. The Field Mapping form for the selected directory appears. The form displays the Groove contact properties used on the Groove Manager along with text boxes where you can enter the corresponding field names used on your directory server.

Note: All text box entries, including blank entries, overwrite the default field mapping values. Make sure to enter a value in each field that you do not want to lose. You must enter at least a full name and e-mail address in order to process this form.

5. Fill out the form as advised in the following table:

Field Mapping Text Boxes - Explanations

Full Name - Required. Enter the name of the attribute that holds user names on the selected directory server. This is the Full Name field in Groove contact properties.

For example, to map a user’s full name in Groove to a name on an Active Directory server, you would enter one of the following in the Full Name text box:

• Full/Common Name (cn) - To use the directory’s common name.

• Unique Identifier (UID) - To use the directory’s unique identifier.

• Common Name + Unique identifier - To use both the directory’s common name and unique identifier.

This field is especially useful with Windows Active Directory, which does not ensure unique common names. In this case you would choose one of the unique identifier options.

Note: If you are using Enterprise PKI integration in any domain with users from the current directory server, map the full name field to either the Subject Distinguished Name or the Subject Alternative Name e-mail address in the user's certificate to avoid member authentication failure.

Default: Common Name

E-mail - Required. Enter the name of the attribute that holds user e-mail addresses on the selected directory server.

Default: E-mail

Other fields - Enter attribute name equivalents for all other attributes on the directory server that you want to map to Groove contact properties. These fields reflect the directory type that you are specifying. Remember that all text box entries, including blank entries, overwrite the default field mapping values. Make sure to enter a value in each field that you do not want to lose.

To reset fields to their default values, click the Restore Default button.

Custom Fields Labels #1-10 - Enter any custom field values, such as EmployeeID or BillingCode, that you want to define in your mapping scheme but which are not among Groove contact properties. Specified values will appear in the Groove Manager member contact details for all users originating from the directory server.

Restore Defaults - Click this button when you want to restore the original system defaults in this Field Mapping form.

6. Click Apply, then OK.

7. If users have already been imported into a domain on the Groove Manager, make sure to synchronize the management and directory servers either manually, or on schedule, as described in “Configuring Directory Synchronization”.

The Groove Manager will now use your customized field mappings to match user information on the directory server with user contact information. Custom fields appear on the Member details page at the bottom of the field list after the Fax field, as described in the Managing Users section of the Groove Manager Domain Administration portion of the Help.

Configuring Directory Synchronization

The Groove Manager allows you to synchronize the Groove Manager with updates or deletions made to user contact information on your directory server. You can configure either scheduled or on-demand synchronization. You can enable and schedule Groove Manager synchronization with the latest corporate directory updates, or trigger manual synchronization from the Directory Synchronization tab.

Only those user records that have already been imported will be synchronized on the Groove Manager. To add new users from the directory server to a Groove Manager, a server or domain administrator must import them to a domain group, as described in the Groove Manager Domain Administration portion of the Help; or, you can automate this process by defining integration points, as described in “Automating Directory Integration”.

This section covers the following topics:

• Scheduling Directory Synchronization

• Manually Triggering Data Synchronization

Scheduling Directory Synchronization

The Synchronization tab allows you to enable data synchronization on the Groove Manager, schedule periodic data synchronization, and define integration points that allow automatic transfer of directory user information to the Groove Manager.

Note: Users deleted from the directory since the last synchronization show a Directory Status of Deleted in the domain Member list, but these members remain in the domain group until an administrator manually deletes them (as described in “Deleting Domain Members” in the Groove Manager Domain Administration portion of the Help). To find members who have been deleted from the directory server, go to the domain Member list and change the sort order by clicking the Directory Status column until Deleted members appear at the top of the list.
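The status behavior described in this section and in “Before You Begin” can be modeled in a few lines: a member is looked up by DN, then e-mail, then unique identifier, and is marked Deleted when nothing the login account can read matches. The following is an added example, not Groove Manager code; the data model, function names and sample entries are constructed, and the dry-run check for a login name change is an assumption about how an administrator might guard against the CAUTION under “Login name”.

```python
"""Simplified model of directory synchronization status (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirEntry:
    dn: str
    mail: str
    uid: str  # value of the attribute mapped as Unique Identifier


@dataclass
class Member:
    name: str
    dn: str
    mail: str
    uid: str
    directory_status: str = "Imported"


def locate(member, visible):
    """Find the member's entry by DN, then e-mail, then unique identifier."""
    for key in ("dn", "mail", "uid"):
        wanted = getattr(member, key).lower()
        for entry in visible:
            if getattr(entry, key).lower() == wanted:
                return entry, key
    return None, None


def synchronize(members, visible):
    """Refresh members from the entries the login account can read.

    Members that cannot be located are marked Deleted but stay in the list,
    as in the domain Member list described in the guide.
    """
    report = {}
    for m in members:
        entry, matched_by = locate(m, visible)
        if entry is None:
            m.directory_status = "Deleted"
            report[m.name] = "Deleted"
        else:
            m.dn, m.mail = entry.dn, entry.mail
            m.directory_status = "Imported"
            report[m.name] = f"Imported (matched by {matched_by})"
    return report


def preview_login_change(members, visible_to_new_account):
    """Dry run: Imported members that a new login account could not locate."""
    return sorted(m.name for m in members
                  if m.directory_status == "Imported"
                  and locate(m, visible_to_new_account)[0] is None)


# Constructed directory contents as seen by an account with full read access.
DIRECTORY_FULL = (
    DirEntry("CN=Ana Ruiz,OU=Sales,DC=example,DC=test",
             "ana.ruiz@example.test", "guid-001"),
    # Ben was moved to another OU and given a new address; only the UID is stable.
    DirEntry("CN=Ben Okoro,OU=Engineering,DC=example,DC=test",
             "ben.okoro@example.test", "guid-002"),
    DirEntry("CN=Dee Park,OU=Engineering,DC=example,DC=test",
             "dee.park@example.test", "guid-004"),
)


def sample_members():
    """Constructed Groove Manager member list as it stood at the last import."""
    return [
        Member("Ana Ruiz", "CN=Ana Ruiz,OU=Sales,DC=example,DC=test",
               "ana.ruiz@example.test", "guid-001"),
        Member("Ben Okoro", "CN=Ben Okoro,OU=Sales,DC=example,DC=test",
               "b.okoro@example.test", "guid-002"),
        Member("Cy Lund", "CN=Cy Lund,OU=Sales,DC=example,DC=test",
               "cy.lund@example.test", "guid-003"),  # removed from the directory
        Member("Dee Park", "CN=Dee Park,OU=Engineering,DC=example,DC=test",
               "dee.park@example.test", "guid-004"),
    ]


if __name__ == "__main__":
    members = sample_members()
    for name, status in synchronize(members, DIRECTORY_FULL).items():
        print(f"{name}: {status}")
    # A replacement login account that can read only OU=Sales.
    sales_only = [e for e in DIRECTORY_FULL if ",OU=Sales," in e.dn]
    print("Would flip to Deleted:", preview_login_change(members, sales_only))
```

Running the dry run against the replacement account before changing the Login name shows which Imported members would be marked Deleted at the next synchronization.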

To schedule directory synchronization, follow these steps:

1. Define a directory server, as described in “Adding a Directory Server”.

2. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

3. From the list of directory servers, click the server for which you want to schedule synchronization. The directory Server Properties page appears.

4. Click the Synchronization tab. A page of data synchronization parameters appears.

5. Select the ‘Enable directory synchronization’ checkbox.

6. Enter the requested information in the remaining Directory Synchronization fields as described in the table below, then click OK.

Directory Synchronization Fields - Descriptions

Schedule Directory Integration

Enable Directory Synchronization - Enables or disables scheduled synchronization of the Groove Manager with the latest updates on a defined corporate Groove Manager.

Synchronize every__ ___ - Specifies the number of hours, days, or weeks between synchronizations. This field is required when ‘Enable directory synchronization’ is selected.

Enter the information as follows:

• Text box - Enter a number from 1 to 24 for hours, from 1 to 31 for days, or from 1 to 52 for weeks.

• Drop-down menu - Select Hours, Days, or Weeks.

Default: 1 Day (daily synchronization)

Begin Synchronization - Specifies the date and time when scheduled synchronization should begin. This field is required when ‘Enable directory synchronization’ is selected.

Enter date and time information, as follows:

Date - In the date text box, enter a date in the mm/dd/yyyy format, such as 10/31/2002, or click the calendar pop-up and select a date, using the arrow tools at top of the calendar to navigate through dates. Clicking a specific date closes the calendar and enters the date.

Time - In the time text box, enter a time in the hh:mm format, such as 12:30.

AM/PM - From the time drop-down menu, select AM or PM.

Integration Point

Add - The Integration Point button displays a pop-up window that lets you customize Groove Manager-directory server integration points. The Integration Point option appears on the Directory Synchronization page only if you are editing existing directory server properties, not if you are defining a new directory server.

For information about defining integration points, see “Automating Directory Integration” below.

Manually Triggering Data Synchronization

On-demand synchronization is available from the Directory Integration tab. Clicking a synchronization link for the desired directory server updates the domain list with the latest changes, as described in “Configuring Directory Synchronization”.

Note: Users deleted from the directory since the last synchronization show a Directory Status of Deleted in the domain Member list, but these members remain in the domain group until an administrator manually deletes them (as described in “Deleting Domain Members” in the Groove Manager Domain Administration portion of the Help). To find members who have been deleted from the directory server, go to the domain Member list and change the sort order by clicking the Directory Status column until Deleted members appear at the top of the list.

To manually synchronize Groove Manager user data with your directory server, follow these steps:

1. Define a directory server, as described in “Adding a Directory Server”.

2. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

3. Synchronize the Groove Manager with the associated directory server by clicking the Synchronize link for the desired server.

Viewing Directory Synchronization Status

Once you have defined a directory server on the Groove Manager, as described in “Adding a Directory Server”, you can check the directory synchronization status of the Groove Manager from the main Directory Synchronization page.

To view directory server synchronization status, do the following:

1. Select Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. A list of defined directory servers appears, with columns of information as described in the “Directory Server List Columns” table below.

2. From the Groove Manager Directory Integration tab, look at the Last Synchronized and Scheduled columns to see if synchronization is Enabled or Disabled and when synchronization is scheduled.

3. If you want to synchronize Groove Manager with the associated directory server now, click the Synchronize link.

For information about enabling and scheduling data synchronization, see “Configuring Directory Synchronization”.

4. To view directory synchronization events in a report, click the Reports tab, as described in “Monitoring the Groove Manager”.

Directory Server List Columns - Descriptions

Server - The name of the corporate user directory server, as defined on the Groove Manager, described in “Defining a Directory on the Groove Manager”. This field shows the Display Name for the server if one exists or the Server Name if no display name exists.

Last Synchronized - The date of the most recent Groove Manager synchronization with directory server updates.

Scheduled - Enabled or Disabled, indicating whether scheduled synchronization has been enabled on the Groove Manager via the fields on the Directory Synchronization tab, as described in “Configuring Directory Synchronization”.

Mapped To - Specified integration points on the directory server, as defined on the Directory Synchronization page, described in “Automating Directory Integration”.

Action - A button that lets you initiate data synchronization of user attributes and/or data integration points immediately.

Automating Directory Integration

Once you define a corporate directory server on the Groove Manager, as described in “Adding a Directory Server”, you can automate data integration by defining one or more integration points. An integration point is a location in the Groove Manager hierarchy where managed domain users or groups originating from the directory server will automatically be created on the Groove Manager, based on a specified synchronization schedule. If no integration points are selected, automatic data integration cannot occur and server or domain administrators must import directory server user information into specified domain groups. The procedure below explains how to automate directory integration.

Note: You cannot edit an integration point once you create it. However, you can delete an integration point, as described in “Deleting an Integration Point”.

Note: In scenarios where you have already imported users from a directory (from a previous Groove Manager version, for example), the Groove Manager does not re-import existing users; only new users are added to the directory at the integration point for the automated data integration.

To specify an integration point for automatic directory integration, follow these steps:

1. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

2. From the list of directory servers, click the server for which you want to define integration points. The directory Server Properties page appears.

3. Click the Synchronization tab. A page of data synchronization parameters appears.

4. Set up data synchronization as described in “Configuring Directory Synchronization”.

5. Click the Add button to launch a wizard that allows you to create a directory integration point. The Select Integration Point Options page appears.

6. From the Select Integration Point Options page, enter the requested information in the fields as described in the following table:

Select Integration Point Option | Explanation

Import users options | Select one of the following options:

• Automatically import users - Automatically imports users from the specified location in the directory hierarchy into the member group selected on the next page of the Add Integration Point Wizard.

  ‘Include users from all sub-OU’s’ - Select this option to include users from all sub-OU’s of the specified location. The users will be imported without regard to their existing directory structure.

• Automatically import users and directory structure - Recreates the directory structure specified in the directory server From location in the member group selected on the next page of the Add Integration Point Wizard. The directory server controls the creation and deletion of member groups beneath the selected member group and the location of members within those groups.

Note: Any previously imported users will be ported to the proper location in the structure, as determined by the integration point, at the time of synchronization.

Default: Automatically import users.

Name | Enter a name for the integration point, such as CompanyA.

From DN | Enter the location in the directory server hierarchy of the user data to be transferred (such as the domain name). The string value that you enter depends on your directory structure, but generally you use the following format:

<fieldname>=<value>,<fieldname>=<value>, etc.

For example:

ou=Boston Office,dc=contoso,dc=com

where ou = Organizational Unit and dc = Domain Context

Search Filter | If you want to add users who reside in the From location and match particular search criteria, enter a search string in this field. For information about creating LDAP search strings, see the Groove Manager Domain Administration portion of the Help.

Note: The Search Filter option is not available if you select the ‘Automatically import users and directory structure’ option.

7. Click the Next button. The Select Member Group page appears.

8. Select a target group on the Groove Manager, as follows:

• If you selected the option to import users only, you can select any group that is not already an integration point.

• If you selected the option to import users and directory structure, you can select only groups which have no subgroups or existing members and which are not already integration points.

Groups unavailable for selection in either case appear in gray.

9. Click the Finish button. The integration point that you defined appears in the Integration Points list on the Synchronization page and in the Integration Server Settings list on the Properties page of the associated domain group, as shown in the following table:

Integration Point Information

Field | Description

Name | The name of the integration point defined via the Synchronization page.

From | Point of integration from the directory server hierarchy (defined on the first page of the integration wizard).

To (on the Synchronization page only) | Point of integration on the target Groove Manager (the member group defined on the second page of the integration wizard).

Search Filter (on the group Properties page only) | Search filter, if specified.

Deleting an Integration Point

You can delete an integration point from the Synchronization page. Deleting an integration point means that automatic data transfer and ongoing synchronization will not occur for that point.

To delete an integration point from the Groove Manager, follow these steps:

1. Select the Groove Manager from the list in the Groove Manager navigation pane, then click the Directory Integration tab. The list of defined directory servers appears.

2. From the list of directory servers, click the server from which you want to delete an integration point. The directory Server Properties page appears.

3. Click the Synchronization tab. A page of data synchronization parameters appears.

4. Click the Delete button in the row of the integration point that you want to delete. A Delete Integration Point pop-up window appears.

5. From the Delete Integration Point pop-up window, select one of the following options:

• Do not delete members from this integration point - Retains member identities imported from the chosen integration point.

• Delete members imported from this integration point - Deletes from the Groove Manager domain, member identities imported from the chosen integration point. Members will continue to be synchronized and will be treated in the same way as members who are manually imported from the directory server.

6. Click OK.

Deleting a Directory Server

You can delete selected directory servers from the Groove Manager from the Directory Integration tab. When you delete a directory server, all users and groups imported from that server can be managed like non-imported users defined on the Groove Manager.

To delete a directory server from the Groove Manager, follow these steps:

1. Select the server from the list in the Groove Manager navigation pane, then click the Directory Integration tab. A list of defined directory servers appears.

2. From the list of directory servers, select the server(s) that you want to delete.

3. Select Delete Directory Server in the toolbar.

Monitoring the Groove Manager

The Groove Manager reports server events to an audit log which you can access from the Groove Manager Web site. It also reports operational problems to the Windows Event Log.

Refer to the following server monitoring procedures as needed:

• Viewing the Audit Log

• Exporting Reports

• Using the Windows Event Viewer for Server Diagnostics

Viewing the Audit Log

The Groove Manager audit log report allows you to monitor server and domain events, such as when a domain or user is added to the server. The server audit log also reports an event when a disconnect causes the management and onsite Groove Relay or directory servers to become unsynchronized or when the Groove Manager cannot connect to an onsite relay or directory server. This report does not contain Groove data associated with the optional Groove Client Auditing application.

To view the audit log, follow these steps:

1. Go to the Groove Manager administrative Web site and select the server from the navigation pane. The Reports tab displays the Audit Log report.

2. To customize the current report, click the Filter expansion arrow and use the Filter controls, as described for domain reports in “Filtering Reports”. Filtering options are as described in the “Server Audit Log Filtering Field” table below.

3. Click the Display Report button to display the report, as described in the “Server Audit Log Report Field” table below.

4. To navigate within the report, use the arrow controls in the page.

5. To sort on a specific field, click an underlined title in the column that you want to sort on. To reverse the sort order, click the title again.

6. To change the number of items displayed per page, select a value in the ‘Items per page’ drop-down list below the display area. The default is 25 items per page.


For more information about audit log report entries and about using the Groove Manager report and filtering controls, see the Groove Manager Domain Administration portion of the Help.

Server Audit Log Filtering Field | Description

Domain | Drop-down list of domains. Lets you filter for audit log information from a specific domain. Associated comparators: Is.

Event Type | Text box for audit log event. Lets you filter for specific audit log events, such as Added member. Associated comparators: Is.

Member | Text box for a management domain member. Lets you filter for audit log events associated with specific members. (Does not appear in report.) Associated comparators: Is, Begins With, Ends With, Contains.

Who | Text box for administrator login name. Lets you filter for specific audit log events associated with a specific administrator. Associated comparators: Is, Begins With, Ends With, Contains.

Server Audit Log Report Field | Description

Date | Date and time that event occurred. The time value reflects the time zone of the Groove Manager.

Who | Name of administrator associated with event.

Where | Where the event originated from: domain, group, member, policy, or Groove Relay server. Information only (not filterable).

Event | Description of event, such as Added MemberA in CompanyDomain.


Exporting Reports

You can export a displayed report to an .xml or a .csv file from the server Reports tab.

To export a server report, follow these steps:

1. Go to the Groove Manager administrative Web site and select the Groove Manager from the navigation pane. The Reports page appears with a list of recently audited server events.

2. To filter the events included in the report, from the Reports tab, use the Period and Display fields to filter the events shown, then click the Display Reports button. An updated list of audited events appears, based on your filter specification.

3. Click Export Report in the toolbar. An Export pop-up window appears.

4. Select CSV or XML as a target file type, then click OK. A File Download pop-up window appears.

5. Browse to a file location for the exported report, then click OK.

Using the Windows Event Viewer for Server Diagnostics

The Groove Manager reports errors to the Application Log section of the Windows 2003 Event Viewer. The source of these entries is GrooveManagementServer. Error codes displayed in the Event Viewer correspond to Win32 error codes (under 10,000), or Winsock error codes (above 10,000). Proficiency with kernel debugging is required to understand these error codes. Event Viewer error entries can help diagnose server problems, so, if you encounter problems that require assistance from Microsoft Support, you may be asked to supply Event Viewer information.

To access the Windows 2003 event log, do the following:

1. Go to Start --> All Programs --> Administrative Tools --> Event Viewer.

2. If you want to filter a log for certain types of events, select a log (such as Application), select View/Filter, and select one of the following filters:

• Information - Displays informational messages that do not require administrative action.

• Error - Displays onsite Groove Manager error events that require administrative action.

• Warning - Displays onsite Groove Relay events that may require administrative action in order to prevent an error condition.


Auditing Groove Activity

Groove Auditing is an optional feature of the Groove Manager that allows administrators with onsite servers to audit Groove client activities. The following sections describe Groove Auditing and provide instructions for setting up Groove client auditing at your site:

• Overview of Groove Client Auditing

• Groove Audit Requirements

• Installing and Configuring Groove Client Auditing

• Interpreting Client Audit Data

Overview of Groove Client Auditing

The Auditing option lets you set a device policy that triggers Groove auditing on managed client devices. Audited information is collected and stored in SQL databases where you can use standard SQL-compatible reporting tools to view the logged data. The Groove Auditing capability consists of four parts:

• The Groove audit log which logs Groove user activity to an encrypted file on managed client devices.

• The Groove Audit Service which secures the audit log for upload to the Groove Audit application.

• The Groove Audit server components which collect the logs and store them in an SQL server database.

• The Groove Manager device policy that controls what events should be audited.

Groove audit logs are immediately encrypted on clients upon event creation, and are decrypted only after arrival at the Groove Audit server, affording a highly secure auditing environment. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs and the Audit Service that manages them. The Audit Service purges client logs once they have been uploaded to the Groove Audit server and applies security credentials that prevent spoofing of the audit server and of other operating system users on the Groove client.

Each Groove Audit application is associated with and depends upon a single Groove Manager. If you have multiple Groove Managers installed at your site and want to enable auditing for all of them, you must install the Groove Audit application separately for each.

Groove Auditing can have a substantial impact on system resources. Therefore, you should use discretion when setting policies that enable and control auditing. Affected resources include the following:

• Disk space on Groove client devices (for log storage)

• Disk space on Groove Audit server (for log storage)

• Disk space on SQL server (for audit databases)

• Bandwidth to upload logs

• Processing time to encrypt and decrypt logs

Groove Audit Requirements

Before you begin setting up Groove client auditing, address the following checklist:

Devices and Software | To Do

Hardware/Software requirements | Ensure that your Groove Audit setup complies with the specifications in “Requirements”.

Onsite Groove Manager | Install Groove Manager under either of the following conditions:

• Separate installation session, prior to Groove Audit

• Same installation session as Groove Audit

See “Installing and Configuring the Groove Manager” for Groove Manager installation information.

Groove Audit server | Decide where to install the Groove Audit application:

• On the primary Groove Manager server, or

• On a separate dedicated server machine that meets the Groove Manager requirements described in the “Requirements” section.

Note the server name and login for future use.

SQL server | Decide where to install the Groove Audit SQL database:

• On a Groove Manager SQL server, or

• On a dedicated SQL server

Note the server name and login for future use.

Groove client | Ensure that Groove is installed on client devices, as follows:

• Office Groove 2007 (preferred)

• Groove 3.0, minimum

Note: To audit activities in managed 2.5 workspaces (with older tool versions), create new Groove 3.0 workspaces and copy the contents from the old spaces to the new

Groove users | Ensure that Groove users are members of a Groove Manager domain.

See “Adding Groove Users to a Domain” in the Groove Manager Domain Administration portion of the Help for information about adding users to a domain.

Groove devices | Ensure that domain member devices are registered with a Groove Manager domain.

See “Registering User Devices with the Groove Manager” in the Groove Manager Domain Administration portion of the Help for information about adding devices to a domain.

Groove Audit Service | Enable the resident Groove Audit Service by opening the Windows Services manager and setting the Microsoft Office Groove Audit Service to Automatic Startup.

Installing and Configuring Groove Client Auditing

Groove Auditing supplements the Groove Manager by providing another layer of administrative control. In setting up your site, be aware that a single Groove Audit installation is dedicated to a single specific Groove Manager; one Groove Audit installation cannot support multiple Groove Managers. However, multiple Groove Audit installations may be associated with a single Groove Manager.

Note that auditing Groove client events can have a substantial impact on system resources, including bandwidth usage and disk storage on clients and servers. Therefore, set the policy to enable client device auditing only if necessary.

To install and enable Groove client auditing at your site, follow these steps:

1. Review “Groove Audit Requirements”.

2. Start the Groove Manager setup.exe, if it is not already running, and follow the Setup wizard instructions to configure the Groove Manager as described in “Installing and Configuring the Groove Manager”. If the Groove Manager has already been set up at your site, the Groove Manager server information fields will already contain the required information.

3. When the Installation Options window appears, select ‘Install Groove Server Manager with Groove Auditing’. Selecting this option displays additional fields to configure Groove client auditing.

4. When the Groove Audit Server Configuration page appears, enter the required information, as described in the following table:

Groove Audit Server Configuration Fields | Explanations

Use the following SQL Server Login | Select this check box to specify native SQL server authentication (the preferred authentication method). Clear this option to specify Windows authentication and enter login information.

User Name | Enabled only if ‘Use the following SQL Server Login’ is selected. Type your login information for the SQL server to be used for Groove auditing information. Note: Make sure that the login gives you database creation rights.

Password | Enabled only if ‘Use the following SQL Server Login’ is selected. Type the password for the SQL server to be used for Groove auditing information.

Database Information

SQL Server Name | Type the host name or Internet Protocol (IP) address of the SQL server to be used for Groove auditing information.

Database Name | Type the SQL database name for the Groove Auditing service, such as auditDb. The Installer creates this database, where the Groove Audit service will store collected Groove client audit logs.

5. Click Next.

6. Follow the Install wizard to the final window and click Finish. The Groove Manager administrative Web site opens.

7. Enable Groove auditing on the Groove Manager as follows:

a. From the Groove Manager administrative Web site, in the left navigation pane, click Device Policy Templates under the domain, then click Default or another template that you want to edit.

b. Click the Audit Policies tab at the bottom of the window.

c. In the Audit Server Policies section of the page, enter the Audit Server URL (for example, http://grooveaudit.contoso.com).

d. Enter the number of minutes, hours, or days in the ‘Upload audit logs every’ field to set the audit log upload interval.

e. Select the client, workspace, and tool events that you want to audit.

f. Set any other audit policies as needed.

Note that enabling the option, ‘Audit the contents of files added to tools,’ will have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers.

g. Click Save Changes in the toolbar.

For more information about setting Audit policies, see “Enabling Groove Client Auditing” in the Groove Manager Domain portion of the Help.

Once Groove users and devices have been added to a Groove Manager domain, and domain members log in and receive the audit policy, Groove activities will be logged and dispatched to SQL databases where you can view them. The Microsoft Office Groove Audit Service will be running on Groove clients and GrooveAuditService.exe will appear in the Windows Task Manager.

For information about viewing and understanding client audit reports, see “Auditing Groove Activity”.

For information about adding Groove users and devices to a domain, see “Getting Started” in the Groove Manager Domain Administration portion of the Help.

For more information about setting device audit policies, see “Enabling Groove Client Auditing” in the Groove Manager Domain Administration portion of the Help.

Interpreting Client Audit Data

Groove Auditing data, generated via the optional Groove Client Auditing feature of the Groove Manager, is encrypted and stored on the client so that only the Groove Audit application can decrypt and read the data. Once the client reports the data, the Audit application decrypts and parses the data into relational database tables in a SQL directory. The following information provides background for understanding the data and the relationships among data tables. You can use this information to create customized Groove audit reports using SQL-compatible reporting tools. In addition, the Groove Audit Server provides two Views that you may want to use as a starting-point for generating your own SQL Views from the audit server tables:

• Auditv_EventAttributes

• Auditv_EventProperties

A typical Groove client audit log entry looks as follows, once decrypted:

<E _ag="s3shybqzefebxvp9h8zgg68hs3un89ggr6qqr4i" _c="7" _dt="06/30/2004 13:03:39:28" _in="2137 Bill 3" _iu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" _q="886" _t="903">
  <INV _bd="" _rc="0" _rn="2139 Bill 2" _ro="Manager" _ru="grooveIdentity://wcdfuqfaf8h5jet43cx9s9pxm4zxqqws@" _sip="" _sn="http://wss1/sites/Site1/WeB%203/default.aspx" _su="grooveTelespace://pk4vegikcyf7sqaeg3t4habyq9fasgnpmr582hs" _vm="0" _zn="2137 Bill 3" _zu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" />
</E>

The table below lists and summarizes the SQL tables associated with this client information.

Client Auditing SQL Table | Description and Contents

Main Event-specific Data

audit_LogEntryProperties | Seven attributes, common to all audit log entries:

• Account GUID (_ag)

• Event Category (_c)

• Event Time (_dt)

• Identity Name (_in)

• Identity URL (_iu)

• Sequence Number (_q)

• Event Type (_t)

One table entry is associated with each device GUID/Sequence Number pair (sequence numbers are unique to each Groove device).

audit_EventCatagoryReadableNames | Mapping of Event Categories to their readable names.

audit_EventTypeReadableNames | Mapping of Event Types to their readable names.

Other Event-specific Data

audit_LogEntryAttributes | This data, which exists only in an enclosed XML element, is stored in a series of name/value pairs that correspond to the XML attribute name/value pairs found in the enclosed XML element. One table entry is associated with a DeviceGUID/Sequence Number/Attribute name combination. Typically, this table holds many entries - one for each Groove client event. Each ‘known’ attribute name is preceded by an underscore, and is usually relatively short to minimize network traffic.

audit_AttributeReadableNames | Maps the attribute names to their readable names.

Session Data

audit_LogSessionProperties | Logs four pieces of data that are unique to a device:

• Device GUID

• Time that the session started

• Hostname of the devices

• Logged in (OS) user

Current Device-specific Data

audit_Devices | Current device-specific data, including the last time log data was received and the last sequence number received for a device.

Files

audit_FileStorage | Files, indexed by their digests, so that no file names appear in the table. The Groove Audit log file-specific entries reference files by these digest values.
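The split that the table describes, as an added Python example that is not part of the original guide or of the Groove Audit server: it takes one decrypted entry and produces a row shaped like audit_LogEntryProperties plus one row per enclosed attribute, shaped like audit_LogEntryAttributes. The function names, row dictionaries, DTD check and device GUID placeholder are assumptions; the sample is the entry printed in this section with its line breaks removed and the quotation mark before the _iu value restored.

```python
import xml.etree.ElementTree as ET

# Short attribute names on the <E> element and the readable names the guide
# lists for them (the seven attributes of audit_LogEntryProperties).
COMMON_ATTRS = {
    "_ag": "Account GUID",
    "_c": "Event Category",
    "_dt": "Event Time",
    "_in": "Identity Name",
    "_iu": "Identity URL",
    "_q": "Sequence Number",
    "_t": "Event Type",
}

# The entry printed in the guide, joined onto one logical line.
SAMPLE_ENTRY = (
    '<E _ag="s3shybqzefebxvp9h8zgg68hs3un89ggr6qqr4i" _c="7" '
    '_dt="06/30/2004 13:03:39:28" _in="2137 Bill 3" '
    '_iu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" '
    '_q="886" _t="903">'
    '<INV _bd="" _rc="0" _rn="2139 Bill 2" _ro="Manager" '
    '_ru="grooveIdentity://wcdfuqfaf8h5jet43cx9s9pxm4zxqqws@" _sip="" '
    '_sn="http://wss1/sites/Site1/WeB%203/default.aspx" '
    '_su="grooveTelespace://pk4vegikcyf7sqaeg3t4habyq9fasgnpmr582hs" '
    '_vm="0" _zn="2137 Bill 3" '
    '_zu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" /> </E>'
)

# Constructed placeholder: the device GUID is session data, not part of the entry.
DEVICE_GUID = "DEVICE-GUID-PLACEHOLDER"


class AuditEntryError(ValueError):
    """Raised for an entry that cannot be split into table rows."""


def split_entry(xml_text, device_guid):
    """Split one decrypted entry into a properties row and attribute rows."""
    # Assumption: audit entries never carry a DTD, so refuse one outright
    # rather than let the parser expand entities from untrusted input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise AuditEntryError("DTD or entity declaration in audit entry")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AuditEntryError("entry is not well-formed XML: %s" % exc) from exc
    if root.tag != "E":
        raise AuditEntryError("unexpected root element <%s>" % root.tag)
    missing = sorted(set(COMMON_ATTRS) - set(root.attrib))
    if missing:
        raise AuditEntryError("missing common attributes: " + ", ".join(missing))
    try:
        sequence = int(root.attrib["_q"])
    except ValueError:
        raise AuditEntryError("sequence number is not an integer") from None

    properties = {"Device GUID": device_guid}
    for short, readable in COMMON_ATTRS.items():
        properties[readable] = root.attrib[short]
    properties["Sequence Number"] = sequence

    # One row per device GUID / sequence number / attribute name combination.
    attributes = []
    for child in root:
        for name, value in child.attrib.items():
            attributes.append({
                "Device GUID": device_guid,
                "Sequence Number": sequence,
                "Element": child.tag,
                "Attribute": name,
                "Value": value,
            })
    return properties, attributes


def load_entries(entries, device_guid):
    """Split many entries; reject malformed ones and repeated sequence numbers."""
    seen = set()
    property_rows, attribute_rows, rejected = [], [], []
    for index, text in enumerate(entries):
        try:
            props, attrs = split_entry(text, device_guid)
        except AuditEntryError as exc:
            rejected.append((index, str(exc)))
            continue
        key = (device_guid, props["Sequence Number"])
        if key in seen:
            rejected.append((index, "duplicate device GUID/sequence number pair"))
            continue
        seen.add(key)
        property_rows.append(props)
        attribute_rows.extend(attrs)
    return property_rows, attribute_rows, rejected


if __name__ == "__main__":
    rows, attrs, bad = load_entries([SAMPLE_ENTRY, SAMPLE_ENTRY], DEVICE_GUID)
    print(rows[0])
    for row in attrs:
        print(row["Element"], row["Attribute"], repr(row["Value"]))
    print("rejected:", bad)
```

The Event Time value is kept as the string found in the entry, because the guide does not define the meaning of its last field.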


Troubleshooting the Groove Manager Server

This section describes how to resolve problems you may encounter while managing your Groove Manager server system. For information about management Domain-Level troubleshooting, see the Groove Manager Domain Administration portion of the Help.

For further help, contact a Microsoft Office Groove Server support technician. To help diagnose server problems, you may be asked to supply information from the Windows Event Viewer, which reports server application errors. See “Using the Windows Event Viewer for Server Diagnostics” for information about using the Windows Event Viewer, and “Viewing the Audit Log” for information about using the Groove Manager Audit Log.

For the latest information about addressing specific Groove Manager conditions, visit the Microsoft Office Groove Web site.

The following sections suggest solutions to server problems that may arise in a managed Groove environment:

• Groove Manager Problems

• Auto-Account Configuration Problems

Groove Manager Problems

This section suggests ways to address typical problems that you may encounter during Groove Manager use.

Problem

User input of an account configuration code fails, displaying the message ‘Account Configuration server cannot be reached’.

Solution

The Groove client (user’s device) cannot communicate with the server to download domain data, including usage and security policies and Groove Relay assignments. Check the Account Configuration server name (the Groove Manager name) sent to the user to make sure that it is correct.


Problem

Groove clients are not updated with Groove Manager settings and policies.

Solution

Groove clients may not be able to access the Groove Manager server. Check your IIS settings and make sure that Scripts and Executables is enabled. If enabling scripts does not resolve the problem, you may have set up authentication for the entire Groove Manager Web site, preventing client contact. If this is the case, reconfigure authentication to protect the Groove Manager administrative interface in the Admin directory of IIS, leaving the home directory accessible to the Internet.

Problem

The color of the Groove Manager screens does not display properly.

Solution

Set the color quality parameter of your Windows Display Properties to at least 16-bit.

Problem

Groove clients cannot connect to the Groove Manager.

Solution

You may have set up authentication for the entire Groove Manager Web site, preventing client contact. If this is the case, reconfigure authentication to protect the Groove Manager administrative interface in the Admin directory of IIS, leaving the home directory accessible to the Internet.

Problem

A managed Groove identity tries to connect to a Groove Relay but the connection is unsuccessful and the relay logs Event Log messages similar to the following:

RQS-Manager: User open failed - user object initialization failed, user name (86etwfwjijhpibxschk6wxwbewrg6zmra99kcci), hr(0x80210009)

PreauthRequired and no User ID found in users database, user 86etvfwjijhpibxschk6wxwbewrg6zmra99kcci,account grooveAccount://3tuf966hej5zaw3w8upkk2x48wezs984iag7rws@

192.168.1.24:1133 user layer message verification failed for user grooveAccount://3tuf966hej5zaw3w8upkk2x48wezs984iag7rws@ on device dpp://r030.groove.net/eurovpsx53khzrffdm3uxaphqh64bzzktggwxk2

Solution


The Groove Manager has not successfully downloaded the managed identity information to the Groove Relay. This unsynchronized condition can occur if an administrator registers a Groove Relay with a Groove Manager domain or group and adds users to the domain or group, but does not immediately start the Groove Relay.

To fix this problem in environments of Groove Relay 2007 servers, force a Groove Manager connection to the Groove Relay by going to the Groove Manager administrative Web site, selecting a domain from the navigation panel, clicking the Relay Servers tab from the Relay Server Sets page, clicking a relay server, and lowering the value in the Message Lifetime fields to the lowest setting. After the purge has occurred (for example, after 24 hours if the Message Lifetime value is 1 day), check the Users link on the Groove Relay administrative Web site and make sure that the user has been added.

If the problem persists, contact Microsoft Support for assistance.

Problem

The time stamp reflects a different time than the local administrative machine.

Solution

Your Groove Manager may be located in a different time zone from your login time zone. The Groove Manager records and displays times based on the server time zone. For example, if you are using Groove Enterprise Services based in the United States, and you log in from a location in Europe, the reported times on the server will differ from your local time.

Problem

Clicking a button on a Groove Manager administrative interface page has no effect.

Solution

This may be the result of utility software settings that suppress the display of advertisement pop-up windows, thereby affecting Groove Manager pop-up windows also. Disable software for suppressing the display of pop-up advertisements or, if the software allows, exempt the Groove Manager server URL from pop-up prevention settings.

Problem

JavaScript errors or missing dialog boxes appear on the Groove Manager.

Solution

Advertisement-blocking software that interferes with the Groove Manager user interface may be present. To correct this issue, configure any advertisement-blocking software to exclude filtering on the Groove Manager Web site.


Problem

The Groove Manager Audit log reports that the SQL server has reached capacity so that no more space is available for the Groove Manager database and transaction log. The Groove Manager may cease operation.

Solution

Back up the existing Groove Manager database and transaction log to make more space on the SQL server, then restart the Groove Manager if necessary. To avoid this problem in the future, back up the Groove Manager database and transaction log on the SQL server on a daily basis.

Auto-Account Configuration Problems

This section suggests ways to address Auto-Account Configuration problems, most of which have associated error messages.

Problem

Groove could not find a user’s account information on the Groove Manager.

Solution

Try the following approaches to resolve the problem:

• The Windows Active Directory user who is logged in on the Windows client might not have been imported into the Groove Manager. Or, an old account with the same name might exist on the Groove Manager. Use the Groove Manager’s directory synchronization capability, as described in “Configuring Directory Synchronization”, to verify that the directory account is current.

• The Groove client may be a managed device for a different management domain than the one the user’s account was imported into. Check the client registry to verify the correct Groove Manager domain name.

• Authentication may be misconfigured for the AutoActivate directory in IIS on the Groove Manager. Configure the directory, as described in “Setting up Groove Auto-Account Configuration/Restoration”.

Problem

A managed Groove account already exists for a user on another device.

Solution

The user has a valid account that has already been configured on another client, or previously configured from the same client. Check the user’s status (Active or Pending) on the Groove Manager administrative Web site. Verify that no one is using this Groove account on another device. Delete the existing account from the Groove Manager, then re-import it from a directory (or manually reinstate it) and reconfigure it.

Problem

Groove cannot reach the Account Configuration server (Groove Manager).

Solution

Your Groove Manager is unable to connect to the directory server. Check the connection by using the Groove Manager’s directory synchronization capability, as described in “Configuring Directory Synchronization”, to verify that the directory account is current.

Problem

The user receives a Windows login prompt during an auto-account configuration attempt.

Solution

If the user is correctly logged into the Windows domain on their device, the account configuration feature uses this information to continue account configuration. However, if either of the following conditions occurs, corrective action is necessary:

• The user is logged into the local Windows machine instead of the Windows domain. The correct credentials for the Windows domain login should be entered.

• The user is logged into a non-trusted Windows domain client. If the Windows client is in a different domain than the Groove Manager, correct this condition and retry auto-account configuration.
