Groove Enterprise Planning and Deploymentdownload.microsoft.com/download/A/A/A/AAA7F161... ·...

Groove Enterprise Planning and Deployment Version 3.1 Administrator’s Guide


Copyright

Copyright © 2001-2005, Groove Networks, Inc. All rights reserved.

You may not reproduce or distribute any part of this document in any form or by any means, without the written permission of Groove Networks, Inc., nor may you use it to create derivative works.

Groove Networks, Groove, the interlocking circles design, Groove Virtual Office, and groove.net are registered trademarks of Groove Networks, Inc. Other product or company names may be the trademarks of their respective owners.

Use of Groove Networks, Inc. software is subject to the terms of a license agreement and applicable export and import restrictions. Restricted rights for U.S. government users.

This product includes software used under license from third parties, including those parties identified by the following notices. Copyright © 1995 - 2001 International Business Machines Corporation and others. All rights reserved. VcardParser.cpp © Copyright Apple Computer, Inc., AT&T Corp., International Business Machines Corporation and Siemens Rolm Communications Inc. Outside In® ActiveX Control © 2002 IntraNet Solutions Chicago, Inc. All rights reserved. This software is based in part on the work of the Independent JPEG Group. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer <[email protected]>. All rights reserved.

Table of Contents

• Copyright
• Table of Contents
• Overview
• Groove Clients and Servers
• Groove Client-Server Architecture
• Protocol Support
• Groove Clients
• Relay and XMPP Servers
• Management Servers
• Managed User Identities and Devices
• Product Licenses
• User and Device Policies
• Corporate Directories
• Client Audit Service
• Groove Components
• Integration Services
• Administrative Interfaces
• Groove Client/Server Functionality
• Groove Client Functionality
• Management Server Functionality
• Groove Audit Server Functionality
• Groove Components Functionality
• Relay Server Functionality
• XMPP Proxy Server Functionality
• Enterprise Data Bridge Functionality
• SharePoint - Groove Functionality
• Resources
• Groove Enterprise Planning and Deployment Guide
• Site Planning - Conditions and Requirements
• Network Planning
• Network Topology and Groove
• Network Requirements
• Groove Bandwidth Usage
• Capacity Planning
• User Base Planning
• Management Server Capacity
• Relay Server Capacity
• Data Bridge Server Capacity
• Security Planning
• Network Level Security
• Groove’s Built-in Security
• Management Server Security
• Relay and XMPP Server Security
• Data Bridge Server Security
• Deployment Scenarios
• Groove Hosted Management Services vs. Onsite Servers
• Decision Factors
• Groove Hosted Management Server Benefits
• Onsite Enterprise Management Server Benefits
• Groove Hosted vs. Onsite Relay Servers
• Hybrid Onsite/Hosted Management
• Additional Groove Management Services
• Enterprise Installer
• Groove Component Server
• Client Audit Server
• XMPP Proxy Server
• Enterprise Data Bridge Server
• Groove Backup Service with EIS
• Microsoft SharePoint with Groove
• Closed Network Environments
• Migration Capabilities
• Migrating from a Hosted Management Services to Onsite Enterprise Management Servers
• Migrating from Hosted Relay Services to Onsite Enterprise Relay Servers
• Preparing Your Site for Deployment
• Site Planning Checklist
• Windows Server Checklist
• Recommended Best Practices
• EMS and ERS Performance Best Practices
• EMS and ERS Security Best Practices
• EDB Best Practices
• Disaster Recovery and Failure Contingencies
• General Server Deployment Guidelines
• Identify Users and Assess Readiness
• Assess Network Infrastructure Readiness
• Determine Hosted or Onsite Server Configuration
• Choose Hosted Management & Relay Services or Onsite Servers
• Choose Whether to Host Components from Onsite Server
• Choose Whether to Include Client Auditing in Onsite Scenario
• Deployment Process for Hosted Groove Services
• Optimize Network Infrastructure
• Assemble Production Support for Groove Operations
• Define Groove Management Domains
• Prepare Groove Virtual Office Software for Distribution
• Conduct User Deployment Pilot
• Evaluate User Fulfillment
• Deployment Process for Groove Onsite Servers
• Designing an Onsite Groove System
• Design the DMZ Network Infrastructure
• Plan the Enterprise Management Server Implementation
• Plan the Enterprise Relay Server Implementation
• Plan the Component Server Implementation
• Installing and Configuring the Servers
• Anti-Intrusion Hardening
• Acceptance-Testing the Production System
• FAQs
• Index

Overview

This guide is designed for IT managers planning a large Groove® deployment, to provide overview and conceptual information about Groove client-server operation in an enterprise, and to present deployment options. Upon completion of the first half of this guide, readers should have a sufficient understanding of the Groove environment to determine the optimal Groove deployment scenario for their organization and to make any network adjustments that might be necessary. The latter half of the guide addresses how to prepare your site for deployment.

Groove Virtual Office (formerly Groove Workspace Virtual Office) is a software application designed to provide a dependable collaboration setting for people in a wide range of environments - corporate, small business, non-profit, in the field, en route, or at home. While collaboration is often a loose, flexible, spontaneous, ad hoc, and sometimes ‘edge-based’ activity, in an enterprise where compatibility with existing network and security operations is imperative, it acquires a more defined meaning.

The Groove management server is a Web-based application that provides comprehensive services for managing the use of Groove Virtual Office. Dedicated relay servers and optional corporate directory servers, as well as Groove client audit, Groove components, and Groove data bridge servers all enhance Groove management services and also play a part in establishing an efficient, customized, and secure collaboration environment.

Groove Enterprise Management and Relay Servers run on server machines at a company site while Groove Hosted Management and Relay Services generally run on servers at Groove Networks® in Cambridge, Massachusetts. The choice of whether to support onsite servers, enlist Groove Networks-hosted services, or utilize a combination of onsite management servers and hosted relays, depends on an organization’s management practices and available resources.

This overview provides a summary description of the Groove environment to help lay the groundwork for decision making. Overview topics are as follows:

• Groove Clients and Servers

• Groove Client-Server Architecture

• Groove Client/Server Functionality

• Resources

• Groove Enterprise Planning and Deployment Guide


Groove Clients and Servers

Groove client software, in its simplest form, allows two PC users at different locations to share information as if they were working side-by-side in the same office. From a Groove workspace on their PCs, people can outline plans interactively, jointly design projects, share support materials for analysis, and discuss their ideas by voice, written chat, or instant message. They can also pursue offline tasks and instantly share the results. The full capability of Groove tools and components can be exercised on just two user machines. Figure 1 illustrates this simple Groove setup.

Figure 1. Peer-to-Peer Groove

But outside direct connections on a local area network (LAN) other factors disturb the real-time flow of information between users. Corporate firewalls may block transmissions, data can be unaccountably lost, slow internet connections can hinder transmissions, external events can cause outages, and users in different time zones may be online at different times. As more people collaborate, the impact of external conditions becomes more apparent. Each user’s context and the environmental conditions affecting the internet as a whole challenge the effectiveness of direct peer-to-peer interaction.

To sustain successful communications among peers in this dynamic environment, Groove employs relay servers that enable timely information exchange regardless of corporate firewalls, weak communications links, internet traffic conditions, or client device downtime. Enterprises that want to manage dedicated relay servers can install Enterprise Relay Servers onsite instead of relying on public Groove Networks-hosted relay servers. Enterprises also have the option of enlisting Groove Hosted Relay services for greater relay server availability without the administrative burden of relay maintenance.

While Groove software is designed to allow individual users to securely collaborate over the Internet, businesses require a higher level of control and management over software use. Enterprise software management generally involves network usage restrictions, product license distribution, security policy enforcement, and ongoing usage monitoring. The Enterprise Management Server installed onsite at an enterprise or Groove Hosted Management Services addresses this level of management. This Web-based server application allows administrators to provision users with Groove licenses and even onsite or hosted relay servers. It also lets administrators set Groove usage and device security policies and monitor overall Groove activity. For added control and security, enterprises can configure a Groove Component Server onsite, to maintain a store of the latest Groove component updates, instead of depending on downloads from the public Groove Networks site.

In addition, Groove users in an enterprise may need to access their organization’s data resources as part of their collaboration. A single point of integration with these data resources can facilitate collaboration within an enterprise, providing an alternative to multiple individual connections. The Enterprise Data Bridge Server provides that single integration point between Groove clients and their company’s supported applications, in the form of centralized automated services.

In summary, Groove’s enterprise servers provide the following capabilities:

• Management Servers

• Groove Hosted Management Services - Enable an enterprise to subscribe to Groove management services hosted by servers at Groove Networks. These services allow administrators to distribute Groove product licenses, set Groove usage policies to ensure the security of corporate resources, and oversee Groove user and device activity.

• Enterprise Management Server (EMS) - Enables administrators to manage Groove usage from an onsite server. From the server user interface, administrators can distribute Groove product licenses to users, set Groove usage policies to ensure the security of corporate resources, and oversee Groove user and device activity. In addition, onsite management servers allow administration of onsite relay servers and integration with a corporate directory of user identity information.

• Relay and XMPP Servers

• Groove Hosted Relay Services - Enable an enterprise to subscribe to Groove relay services hosted by servers at Groove Networks, in conjunction with onsite or hosted management servers. Relay servers support firewall navigation, store and forward capability, device discovery, and transmission fanout to more efficiently route messages to their destinations. Unlike the standard public relay services that support the Groove application, Hosted Relay Services provide an assured level of server availability as defined by the Groove Networks service contract.

• Enterprise Relay Server (ERS) - Enables administrators to configure and monitor onsite relay servers in conjunction with onsite management servers. Onsite relay servers provide the same firewall navigation, store and forward, device discovery, and transmission fanout support as hosted relays. In addition, onsite relay servers allow in-office administrators to control relay security and availability. And, they can be located within a private network. (See the Groove Enterprise Relay Server Administrator’s Guide for information about the Groove relay server.)

• Groove XMPP Proxy Server - Enables administrators to configure and monitor onsite XMPP Proxy Servers in conjunction with onsite management servers. This server provides a gateway that enables messaging between Groove and Jabber (or other XMPP) users. XMPP proxies depend on Groove’s relay server architecture and, like relay servers, when installed onsite allow company administrators to monitor and control their use.

• Enterprise Data Bridge (EDB) Server - Enables an enterprise to efficiently integrate trusted systems into Groove Virtual Office via administrator-defined services, typically employing Groove Web Services. The Groove workspace Backup Service and Groove EDB for CASAHL ecKnowledge® are packaged implementations of this capability. See the Groove Enterprise Data Bridge Administrator’s Guide for more information about the Groove Enterprise Data Bridge server.

• Groove Component Server - Enables administrators to install and maintain an onsite server of the latest Groove components and tools, for use by managed Groove users.

• Groove Audit Server - Enables an enterprise to install and maintain an onsite Groove client auditing service in conjunction with an onsite management server to audit Groove activities on client devices.

See Figure 2 for an example of a server-supported Groove setup. Figure 3 introduces firewalls to the plan.

Figure 2. Groove Installation with Supporting Servers


Figure 3. Groove Installation with Supporting Servers and Firewalls

Groove Client-Server Architecture

All Groove Virtual Office components and tools reside on the Groove client, making end users and their devices the mainstay of Groove communications, as expected of a peer-to-peer application. However, Groove’s relay functionality enables communications among collaborators when a peer device is inaccessible. This virtual peer-to-peer exchange depends on utilities and databases that reside on Groove relay servers. In addition, Groove management and specialized integration components, which support enterprise use of Groove Virtual Office, reside on management and data bridge servers.

The Groove client-server architecture consists of the following major elements:

• Protocol Support

• Groove Clients

• Relay and XMPP Servers

• Management Servers

• Managed User Identities and Devices

• Product Licenses

• User and Device Policies

• Corporate Directories

• Client Audit Service

• Groove Components

• Integration Services

• Administrative Interfaces


Protocol Support

Groove’s Simple Symmetric Transmission Protocol (SSTP) is the primary protocol of client-to-client and client-to-server communication. If SSTP port 2492 is unavailable, Groove clients can establish SSTP connections in other ways. If 2492 outbound connections are blocked by a firewall, Groove Clients can establish SSTP connections via relay servers over Secure Socket Layer (SSL) port 443, using an HTTP Connect method. If port 443 is also blocked by a firewall, SSTP can be encapsulated within HTTP over port 80. Connections across HTTP, however, are less efficient because of the increased overhead of encapsulation and HTTP connections. Groove clients can also connect to Relays across proxy servers. As with browser connections across proxies, various ports can be specified for the local client-to-proxy connection. When communicating across a proxy, Groove clients can use SSTP over SSL port 443 using the HTTP Connect method. HTTP Long-lived and Keep-alive over port 80 are also supported if allowed by the proxy server.

The management server is a Web application. As such, it processes Hyper Text Transfer Protocol (HTTP) requests from Groove clients as well as from an administrative browser interface. Groove clients communicate with the management server by sending Simple Object Access Protocol (SOAP) requests over HTTP to which the management server responds. The management server never initiates connections with Groove clients.

The management server also uses SOAP to communicate with any relay servers that it is managing. SOAP exchanges with the relay server are always initiated by the management server.

The Groove client and servers support protocols as summarized in the following table:

Groove Server and Client Protocols

| Protocol | Functions | Listening Ports Used |
|---|---|---|
| Simple Symmetric Transport Protocol (SSTP) via TCP | Used by Groove clients and relay servers to transport Groove messages. Supports: message queues for user identity and device targeted messages; fanout of SSTP message streams to multiple identities and multiple relay servers; device and user authentication for dequeuing SSTP messages. | Port 2492. Inbound on relay server. Inbound on Groove clients. Outbound from Groove clients to relay server and client port 2492. |
| SSTP over Hypertext Transfer Protocol (HTTP) | Used by Web-based management server to receive transmissions from Groove clients. Used by Groove clients and relay servers to transport messages when direct SSTP is blocked by firewalls. Supports: firewall transparency through HTTP encapsulation of SSTP. | Port 80. Inbound on relay server. Outbound from Groove clients to relay server port 80. |
| SSTP via SSL or HTTP (Connect) Proxy | Used by Groove clients and relay servers to transport messages when direct SSTP transmissions are blocked by firewalls and for client transmissions via proxies that support the HTTP Connect method. Firewall transparency (via SSL). | Port 443. Inbound on relay server. Outbound from Groove clients to relay server port 443. |
| Simple Object Access Protocol (SOAP) on administrative port | Used by Groove administrators to contact Web-based management server. Used by Web-based management server to contact relay server. Used by relay server to receive messages from Web-based management server. | Administrative port 8009. Inbound on management server. Inbound on relay server. Outbound from management server to relay server port 8009. |
| HTTP over SSL (HTTPS) | Supports relay server’s administrative Web pages over SSL-secured HTTP. | Administrative port 8010. Inbound on relay server. |
| Open Database Connectivity (ODBC) | Used by management server to contact the SQL database server. | Port 1433 (typically). Inbound on SQL database server. Outbound from management server to SQL database server port 1433 (typically). |
| Lightweight Directory Access Protocol (LDAP) | Used by management server to integrate with optional LDAP-based directory server. | Port 389 (typically). Inbound on LDAP directory server. Outbound from management server to LDAP directory server port 389 (typically). |
| Local Area Network Device Presence Protocol (LAN DPP) | A Groove protocol (based on the User Datagram Protocol - UDP) used by Groove clients on a LAN. Supports Groove device presence detection, enabling clients on a LAN to find each other via globally unique identifiers (GUIDs) associated with each device’s dynamic IP address. | Port 1211/UDP. Inbound on Groove clients. Outbound from Groove clients to client port 1211/UDP. |
| Application protocols over SSTP | Groove clients use these Groove protocols as follows: WAN DPP - Supports Wide Area Network (WAN) device presence detection. Rendezvous Protocol (RVP) - Supports user presence detection. IM protocol - Supports instant messaging. Workspace protocol - Supports data synchronization on Groove clients. | Port 2492: Inbound on Groove clients. Inbound on relay server. Outbound from Groove clients to client and relay server port 2492. Ports 80, 443: Inbound on relay server. Outbound from Groove clients to relay server ports 80, 443. |
| Simple Message Transfer Protocol (SMTP) | Used by a Microsoft API, called by the management server, to forward email containing activation keys to a mail host for sending to Groove clients. | Port 25. Inbound on mail host. |
| XMPP | Used by XMPP Proxy Servers to communicate with Jabber and other XMPP servers. | Port 5222 |

Figure 4 illustrates the interaction between management and relay servers, and Groove clients.

Figure 4. Interaction of Groove Servers and Clients
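The port matrix and the 2492, 443, 80 fallback order described under Protocol Support can be checked against a firewall policy before deployment. The following is an added example, not part of the Groove guide or Groove software: the zone names, the first-match rule model, the sample policy, and the choice of `admin` as the expected source for relay port 8010 are assumptions of the example, and the proxy case is not modelled.

```python
"""Audit a firewall policy against the Groove port matrix (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    proto: str    # "tcp" or "udp"
    ports: range  # destination ports, e.g. range(443, 444)


def is_allowed(rules, src, dst, proto, port):
    """Ordered evaluation: first matching rule wins, no match is a deny."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.proto == proto and port in r.ports):
            return r.action == "allow"
    return False


# Client-to-relay transports in the fallback order given under Protocol Support.
CLIENT_TO_RELAY = [
    ("SSTP direct", 2492),
    ("SSTP via SSL (HTTP CONNECT)", 443),
    ("SSTP encapsulated in HTTP", 80),
]

# (destination zone, TCP port) -> zones expected to originate the flow.
# Sources follow the protocol table; "admin" for relay port 8010 is assumed,
# because the table lists that port only as inbound on the relay server.
BACKEND = {
    ("mgmt", 8009): {"admin"},   # SOAP: administrators to management server
    ("relay", 8009): {"mgmt"},   # SOAP: management server to relay server
    ("relay", 8010): {"admin"},  # HTTPS: relay administrative Web pages
    ("sql", 1433): {"mgmt"},     # ODBC: management server to SQL server
    ("ldap", 389): {"mgmt"},     # LDAP: management server to directory
}

# Zone names are constructed for this example.
ZONES = ("client", "internet", "admin", "mgmt", "relay", "sql", "ldap")


def client_transport(rules):
    """Return the first transport a client can use to reach the relay."""
    for name, port in CLIENT_TO_RELAY:
        if is_allowed(rules, "client", "relay", "tcp", port):
            return name
    return None  # clients cannot reach the relay at all


def audit(rules):
    """Report back-end ports open to unexpected zones or closed to expected ones."""
    findings = []
    for (dst, port), expected in BACKEND.items():
        for src in ZONES:
            if src == dst:
                continue
            ok = is_allowed(rules, src, dst, "tcp", port)
            if ok and src not in expected:
                findings.append(("EXPOSED", src, dst, port))
            elif not ok and src in expected:
                findings.append(("BLOCKED", src, dst, port))
    return findings


# Constructed sample policy: outbound 2492 is blocked for clients, and one
# overly broad rule opens a port range on the relay to the internet.
SAMPLE_POLICY = [
    Rule("deny", "client", "relay", "tcp", range(2492, 2493)),
    Rule("allow", "client", "relay", "tcp", range(443, 444)),
    Rule("allow", "client", "relay", "tcp", range(80, 81)),
    Rule("allow", "admin", "mgmt", "tcp", range(8009, 8010)),
    Rule("allow", "mgmt", "relay", "tcp", range(8009, 8010)),
    Rule("allow", "mgmt", "sql", "tcp", range(1433, 1434)),
    Rule("allow", "mgmt", "ldap", "tcp", range(389, 390)),
    Rule("allow", "internet", "relay", "tcp", range(8000, 8101)),
]

if __name__ == "__main__":
    print("client transport:", client_transport(SAMPLE_POLICY))
    for kind, src, dst, port in audit(SAMPLE_POLICY):
        print(f"{kind:8} {src} -> {dst}:{port}")
```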

Groove Clients

Groove Virtual Office runs on unmanaged user PCs (clients), using Groove’s Simple Symmetric Transmission Protocol (SSTP) as the primary protocol of client-to-client and client-to-server communication. All Groove’s native components and tools reside on Groove client devices, along with user data and account information.

In order to collaborate, Groove users invite each other to workspaces - virtual meeting rooms where they can collaborate, exchange information, plan projects, review documents, share files, and schedule events in real time. To invite a peer to a workspace, users must first find each other on the network. The primary means by which Groove users publish information about themselves is by exchanging Groove contacts, which contain all the information that two independent Groove users need to identify, authenticate, and communicate with one another.

For detailed information about Groove client architecture, see the Groove Platform Overview in the Developer’s Reference Guide available at the Groove Web site www.groove.net.

Relay and XMPP Servers

Groove relay and XMPP proxy servers have a similar architecture. The following sections highlight the distinguishing characteristics of each.

• Relay Server

• XMPP Proxy Server

Relay Server

Relay servers are an essential component of the Groove Virtual Office environment, enabling communications when peer communications are blocked or interrupted by firewalls, network failures, device downtime, and slow connections. At a high level, relay servers include message handling software, message queue databases, a configuration interface, and a Web-based relay server administrative interface. Relay servers store and hold messages for Groove clients that contact the relay server to deposit or collect messages. The relay server never initiates client (or management server) connections.

The Groove relay server supports multiple protocols to maintain communications among Groove clients when client devices cannot contact each other directly (due to firewall configuration or offline devices, for example). Among the supported protocols, Groove’s Simple Symmetric Transmission Protocol (SSTP) is the primary protocol of client-to-client and client-to-server communication. Like the Groove client, relay servers depend on Groove’s Simple Symmetric Transmission Protocol (SSTP) for processing Groove messages, including instant messages, Groove workspace invitations, and workspace updates. However, when a user is behind a firewall that blocks SSTP transmissions, the relay server employs other protocols, such as SSL or HTTP, to allow messages to navigate firewalls. To detect client online and offline status, relay servers also support Groove’s WAN Device Presence Protocol (DPP).

The Groove relay server contains a transactional database system that stores basic user information (including authentication keys and identity information), queues of Groove device-targeted messages (updates to Groove workspaces), and queues of user identity-targeted messages (instant messages and invitations). The size of these queues changes continuously as Groove clients deposit (enqueue) and retrieve (dequeue) messages. The relay server stores all Groove message queues in a series of database files. The database system also creates transaction log files that are used to maintain the integrity of the relay server databases in the event of system failure. The relay server depends on these log files to recover message queues and other related databases when restarting after an outage.

XMPP Proxy Server

The Groove XMPP Proxy Server enables Groove users to inter-operate with other clients using Jabber and other XMPP-based communications. The proxy serves multiple Groove clients, establishing XMPP connections on behalf of those with Jabber/XMPP accounts. XMPP proxy architecture relies on that of the Groove relay server. However, XMPP proxy servers do not enqueue or store data. XMPP proxies are stateless - processing data and messages instantly upon receipt. Instant messages (IMs) are sent to target clients and user contact information resides on the Jabber server.


Management Servers

Management Servers provide for administrative control over Groove use. These servers may be installed and operated by an enterprise, along with supporting SQL servers, or they may be hosted by Groove Networks. Management servers provide management domains that hold Groove user and device information, policy templates (collections of user and device policies), sets of Groove licenses, and lists of managed relay servers (vital components of Groove communications). They also provide a central directory of managed Groove contacts in the organization so that collaborating Groove users can easily find each other.

Management domains, in the context of this discussion, are the top-level management units on a Groove management server. Each management domain consists of a collection of Groove user identities, devices, licenses, policies, and managed relay server information, assembled and defined by the domain administrator. Administrators can log into a management server Web site to create groups within a domain (such as A1 Division), each group containing a separate collection of user identity information, licenses, policies, and relay server information.

Once a Groove identity is defined in a management server domain, the Groove client polls the management server periodically (generally, every 5 hours) for updates to products and policies, and to report statistics. This periodic contact is the primary mechanism by which all information is transferred between management servers and the Groove client software. Management servers do not initiate client communications. However, management servers do contact relay servers to deposit managed user relay assignments.

Managed User Identities and Devices

A managed user is a member of a management domain. Administrators add Groove users to a domain by entering users’ identity information on a management server and sending Groove activation keys to these users. Once users have processed their activation keys, Groove uses the associated identity information to create a managed identity for each user. The user then becomes a domain member, gains access to domain products, is subject to domain policies and is directed to any relay server(s) defined for the domain. For business environments, the management server provides a central directory which lists management domain identity information - contacts within the organization - so that fellow employees can easily find each other.

Associated with each Groove identity are one or more devices. In a managed environment, devices can be managed by registering them with a Groove management domain. Applying a management server registry setting to a device adds it to a management domain. Once an administrator adds devices to a domain, these devices become subject to domain policies for member devices.

Product Licenses

A Groove product license is a collection of technical data that allows access to a set of Groove client tools or components. Users gain access to product licenses upon product purchase, via membership in a management domain, or via individual product keys sent to them by a management domain administrator. Administrators assign product licenses to each management domain and can revoke specific product licenses either from a domain or specific user.

User and Device Policies

Policies are rules that control Groove usage within a management domain or group. Certain policies apply to managed user identities; others to managed devices. Upon initial management server installation, default policies are in effect which administrators can customize. The management server automatically propagates all policy changes to user identities and devices in the domain. Once a policy setting arrives at the Groove client, Groove blocks violations of this policy.

Device policies control password creation, which Groove components may be downloaded to managed devices, and other aspects of Groove functionality on a device. User identity policies control publication of user contact information, whether managed identities must be used on managed devices, whether managed devices require managed identities, and other user activities.

Corporate Directories

An optional corporate directory server can automate the process of adding Groove identities to a management server domain by allowing administrators to use existing company employee information instead of re-entering the necessary information manually. Management server integration with a corporate directory server, such as a Lightweight Directory Access Protocol (LDAP) server, provides a user interface for importing user identity information from the organizational units (OUs) on a corporate directory server directly into the management server.

Client Audit Service

The Groove Client Audit Service is a separate optional application for use with a management server. Like the management server, it relies on a database that resides on a dedicated SQL server (which it may share with the management server). Administrators schedule audits and select the type of events to be audited (including tool and member events) using a policy defined on the management server.

Groove Auditing consists of four parts:

• Client audit log which logs Groove user activity to an encrypted file.

• Audit Service which secures the audit log for upload to the Audit Server.

• Audit Server which collects the logs and stores them in a SQL server database.

• Management server device policy that controls what data should be audited.

Groove audit logs are immediately encrypted on clients upon event creation, and are decrypted only after arrival at the audit server, affording a highly secure auditing environment. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs and the Audit Service to manage them.

Groove Components

A Groove component is any file that can be written to the Open Software Description (OSD) XML standard. The latest Groove components that comprise major Groove software releases or minor version updates reside on the Groove Networks servers, accessible for client download from the Groove Web site (www.groove.net).

IT administrators may choose to install an optional Groove Components application onsite, in conjunction with a management server, for added security and control over component installation. This application is basically a component ‘farm’ to which users are directed via an identity policy defined on the management server. It can be installed on a Web server or UNC file server.

Integration Services

At a high level, the Enterprise Data Bridge is a server application that facilitates interaction between Groove Virtual Office clients and external databases and other applications. The data bridge server comprises one or more administrator-defined services that enable Groove to process XML calls from external applications or processes. Typically, Groove Web Services mediates these exchanges, as in the case of Groove EDB for CASAHL ecKnowledge. In rare instances, automated scripts (agents or bots) are employed, as in the Groove Workspace Backup Service.

Administrative Interfaces

With both onsite and hosted management servers, Groove administrators and clients communicate with the management server via a management server Web site. Through a Web-based administrative interface, administrators can configure and monitor their management servers, and perform management domain-level tasks, such as distributing Groove product licenses, assigning relay servers, and managing users and devices. Groove clients connect to a management server Web site to access assigned product licenses, policies, and relay assignments, and to report Groove usage statistics.

The Enterprise Relay Server provides two administrative interfaces: a Windows control panel applet for configuring the relay server, and an administrative Web interface for viewing relay server statistics and monitoring relay database queues.

The Enterprise Data Bridge includes a built-in Windows-based administrative interface for configuring and monitoring data bridge integration services.

Groove Client/Server Functionality

The combined functionality of Groove clients and servers provides a comprehensive set of capabilities and tools for establishing and managing Groove collaboration in an enterprise. Groove client and relay devices provide peer-to-peer and virtual peer-to-peer functionality, while management servers provide administrative and monitoring functionality. The sections below summarize the capabilities of the main components in a Groove enterprise-based system:

• Groove Client Functionality

• Management Server Functionality

• Groove Audit Server Functionality

• Groove Components Functionality

• Relay Server Functionality

• Enterprise Data Bridge Functionality

• SharePoint - Groove Functionality

Groove Client Functionality

The Groove client application provides all the functionality that supports peer-to-peer collaboration. It enables collaboration and information sharing regardless of location or online status through the use of Groove spaces to which fellow collaborators are invited.

A Groove user can be active at any time in any Groove workspace of which the user is a member, regardless of whether other members are active or online. A user can also be active in a workspace when not connected to the Internet. The next time the user connects, Groove automatically adds offline updates and additions to the workspace. For example, while flying home from a meeting, a user might add responses to a collection of discussion documents offline. When the user next connects to the Internet, all the offline responses are automatically added and shared with all other members of the Groove workspace.

Key features of Groove Virtual Office include the following:

• Instant messaging - Instant voice or text messages, and invitations to Groove workspaces or chat sessions provide direct access to Groove contacts.

• Online collaboration spaces - Groove workspaces contain tool sets that allow invited users to jointly plan, schedule, design, and execute all online phases of a project. The number of members that can work productively in a Groove workspace is limited primarily by site hardware, network setup, and usage patterns and practices. Typically, Groove spaces accommodate teams of up to 100 users.

• File sharing - Secure environment for sharing files among fellow collaborators. Groove file sharing supports the following:

• Immediate access to latest file versions

• Live joint-editing of Word documents

• Live joint-viewing of PowerPoint slides

• Offline file editing

• Bandwidth optimization (only changes to files are exchanged)

• Rich tool set - Groove’s built-in tool set allows users to accomplish many common desktop tasks necessary for sharing content of all types and working together on ad hoc tasks and ongoing projects and meetings. Tools include Files, Discussion, Calendar, Forms, Notepad, Sketchpad, Pictures, Meetings, Outliner, and Document Review.

• Extensibility - Users can enhance their Groove experience by injecting new and upgraded components and tools to their Groove workspaces, and adding new contact information to their Groove contact lists.

• Programmability - Software developers can use the Groove application program interface (API) to create custom Groove components and tools. In addition, Groove Professional Services and partners have developed and continue to develop a broad set of business-specific solutions.

• Security - Groove avoids storing user data on remote servers that may be insecure and over which administrators have no control. Instead, user data is transmitted directly to workspace members and stored on member PCs. Groove automatically and securely distributes and saves data that group members produce during their interactions. All communications are private, as they take place only among workspace members. The content of all Groove messages is encrypted.

• Integration with popular applications - Groove’s interoperability with other products allows users to do the following:

• Convert MS Outlook email threads into Groove workspaces, and integrate contacts and calendar entries.

• Use MS Windows SharePoint Services offline and share site content with external contacts.

• Co-edit MS Word files with other workspace members.

• Co-edit MS PowerPoint files with other workspace members.

• Import/export between MS Project and the Groove Project toolset.

The Groove MSI-based Enterprise Installer package allows administrators to standardize and automate Groove installation. This package contains an enterprise-tailored Groove Virtual Office installation that can be used with MSI transforms to customize the installation and Active Directory Group Policy Objects (GPOs) to conduct the installation. For more information about this package, see the Groove Software Deployment Guide, available from www.groove.net.

Management Server Functionality

The management server provides central control of Groove use within an enterprise. Groove clients periodically connect to the management server in order to receive provisioning updates and to report usage information. Supported by a Structured Query Language (SQL) database that stores most of its data, the management server allows administrators to manage Groove users and devices via an administrative Web interface. Through this interface, administrators can accomplish major tasks essential to managing Groove use on a corporate scale. These tasks include the following:

• Management Server Administration

• License, Policy, and Relay Server Assignment Distribution

• Groove Device Management

• Groove User Management

• Password Reset and Data Recovery

• Groove Account Backup

• Groove Usage Monitoring

To support Groove administration, the management server must be configured appropriately by a server administrator.

Management Server Administration

Outside of a managed environment, Groove Virtual Office is installed in default or user-specified directories on a user’s PC. Once Groove is installed, users, unhindered by corporate firewalls and other security measures, or by centralized usage policies, are free to publish their contact information and set passwords as they choose. Users are also free to install Groove component updates as soon as such components are available. Groove licenses and relay servers are made available to these unmanaged users upon purchase of a Groove application (available from the Groove Web site).

In an enterprise where administrators manage software distribution and use, Groove users may be managed via onsite or Groove Networks-hosted management servers. The relationship between managed users and PCs with Groove is somewhat different than that between private (unmanaged) clients and Groove. To begin with, IT administrators typically want a standardized software installation to facilitate maintenance, monitoring, and troubleshooting. They also need to protect the integrity of corporate data resources while ensuring the smooth flow of communications within their workforce network and often with clients or associates outside that network. Therefore, in managed environments, server administrators determine where Groove should be installed and create ‘locked-down’ desktops to limit components that can be installed on user devices.

Administrators typically want to control the distribution of Groove licenses, relay server assignments, components, and password creation. To follow best practices, they may also want to establish systems for resetting passwords, conducting periodic Groove account backups, and monitoring Groove usage. Most of these enterprise management requirements can be met by defining Groove user and device policies on Groove management servers. Domain administrators with specifically defined roles can then oversee Groove operations throughout the company.

A Groove management server provides two basic levels of administration: one for managing the server, and another for managing domains (named organizational units, such as Sales, consisting of a combination of Groove users and devices). An administrative Web interface provides a control center where both types of administrators can conduct their respective tasks. Roles defined for each administrator determine which administrators are responsible for which server or domain-level tasks. The initial installing administrator defines roles, domains, and any corporate directory servers to lay the foundation for domain management.

Groove Enterprise Management Servers, operated by an enterprise, allow both levels of administration, server and management domain. Groove Hosted Management Services allow domain administration without the added overhead of server management.

License, Policy, and Relay Server Assignment Distribution

Groove Virtual Office requires that users be provisioned with product licenses and relay servers, and, in a managed environment, a set of usage and security policies. In unmanaged environments, users get licenses and relay assignments along with Groove installation. In managed environments, domain administrators make licenses, relays, and policies available to end-users via a management domain in which users are given membership.

Administrators can use the management server to assign any managed relay servers installed at their site to management domains and groups. Managed relay assignments override default assignments to public relay servers. If multiple relay servers are installed at a site, administrators can assign managed users to a sequence of relay servers, to provide relay redundancy and fallback.

Groove Device Management

Managing devices primarily involves the distribution of usage security policies to devices via the management domain. These policies control password creation, component installation, data recovery, and other device-dependent aspects of Groove operation. Devices running Groove must be registered with a domain on the management server in order to be managed and subject to device policies.

Groove User Management

Managing Groove users begins with emailing activation keys that provide an identity to each user. These identities confer membership in a domain defined on a Groove management server. As domain members, managed users gain access to the necessary Groove licenses, security policies, and relay servers set up for their organization.

In an unmanaged environment, users get their licenses and relay assignments when they install Groove on their devices; they are not subject to any management policies. In a fully managed environment, the domain administrator populates management domains with licenses, relay assignments, and the identity information of member users. Once the user information has been entered, administrators send activation keys to Groove users who apply the keys to their accounts, guided by the Groove activation process. This results in the creation of a managed, provisioned identity for each user. These managed users then become subject to identity policies that control Groove account backups, vCard publication, peer authentication, and other identity-based aspects of Groove operation.

To automate the task of entering information for large numbers of users, the management server supports integration with corporate LDAP-based servers from which the necessary user information can be downloaded.

Password Reset and Data Recovery

If a managed user forgets a Groove password or is removed from a management domain, domain administrators may need to reset the user’s password or access the user’s Groove data. To prepare for this eventuality, domain administrators can set a policy that allows administrators to enable users to reset an unknown or forgotten user password. Another policy permits administrative access to Groove data on managed devices in the management domain. When these policies are in place, domain administrators can use the Enterprise Management Server’s data recovery feature to access data that would otherwise be irretrievable.

Groove Account Backup

The management server lets you set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed up information includes user contacts, the user’s Groove workspace list, identities and contact information, licenses and identity policies.

Groove Usage Monitoring

When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, workspaces, and Groove tools being used. The management server also reports management domain events to an audit log. Administrators can view these reports via the management server’s administrative Web site.

Groove Audit Server Functionality

The Groove Audit Server, in conjunction with a Groove Enterprise Management Server, enables Groove administrators to oversee Groove activities on client devices. Auditable activities include workspace events (such as member additions) and tool events (such as file creation and deletion).

Groove Components Functionality

Groove Components servers allow enterprise software administrators to maintain an onsite server of Groove components. Managed users can then be directed to this location via a Groove management server. With this setup, administrators can lock down their Groove components directory to allow for corporate testing and other security measures, prior to component distribution to managed Groove users.

Relay Server Functionality

Groove relay servers provide services that support Groove platform communications. Groove Networks hosts these services for users around the world. Companies with access to a Groove management server can purchase dedicated Groove Enterprise Relay Servers to manage at their own sites or they can employ Groove Hosted Relay Services.

Whenever possible, Groove transmits data directly from peer to peer, sending out individual packets of data from one Groove user to another. However, when firewalls and proxy devices block this direct communication, relay servers provide a way for peer transmissions to navigate these obstacles and reach their destinations. When data is addressed to a peer that cannot be reached directly (because the user is offline, for example), the relay’s store and forward service enables otherwise inaccessible peers to receive timely data. And, when conditions call for a relatively large amount of data to be sent to a number of users, Groove uses relay servers to fan out data transmission, reducing the amount of data an individual user sends across the network.

Any of the data types transmitted by the Groove client can be transported or stored by the relay server, including:

• Groove workspace and contact information, addressed to a specific device, identity, and workspace (device-targeted messages).

• Instant messages and Groove workspace invitations, addressed to a specific identity (identity-targeted messages).

The relay server accepts Groove client and management server transmissions only; it does not initiate them. Client machines and the management server connect to the relay server to deposit and receive messages and data.

Relay functionality handles the following aspects of Groove communications:

• Firewall navigation

• Disconnected operation (store and forward services)

• Device presence detection

• Fanout

• Unclaimed identity handling

• Managed client relay provisioning via the management server

XMPP Proxy Server Functionality

Groove XMPP proxy servers allow Groove users with Jabber or other XMPP-based accounts to communicate with Jabber (or other XMPP) users. Groove Networks hosts these XMPP services for users around the world. Companies with access to a Groove management server can purchase dedicated Groove Enterprise XMPP Servers to manage at their own sites, allowing in-office administrators to control the use of XMPP messaging within their managed environment. For example, a policy defined on the management server can limit XMPP communications to selected Groove users. In addition, as with relay servers, XMPP proxy usage statistics are viewable to administrators via Web browser.

Enterprise Data Bridge Functionality

The Groove Enterprise Data Bridge (EDB) allows administrators to facilitate interaction between Groove clients and third-party applications used by an organization. This is accomplished through the use of administrator-defined services that integrate third-party software with information contained in Groove spaces and merge easily into services-oriented architectures (SOAs). This third-party software can reside anywhere on the network.

EDB-based operations gain access to Groove workspaces via service identities which can be invited to workspaces. Once resident on an EDB server, a Groove workspace inherits a rich set of platform Web services that process XML-based calls from external applications in the data center. In this way, EDB functions as a data access tier, moderating data and process integration between Groove workspaces and other applications and processes.

Groove EDB for CASAHL ecKnowledge is an example of EDB’s utilization of Groove Web Services. The Groove Workspace Backup Service is an example of an EDB scenario that relies on units of application code (bots) that perform specific integration tasks.

SharePoint - Groove Functionality

Groove® Mobile Workspace for Microsoft® SharePoint™ extends the capabilities of Microsoft Windows SharePoint Services to offline users.

Resources

Several resources are available to support Groove Virtual Office in the enterprise, including the following:

• This Groove Enterprise Planning and Deployment Guide available on the Groove Web site

• Groove Software Deployment Guide, available on the Groove Web site

• Groove Enterprise Management Server Administrator’s Guide, available on the Groove Web site

• Groove Enterprise Relay Server Administrator’s Guide, available on the Groove Web site

• Groove Enterprise Data Bridge Server Administrator’s Guide, available from Groove Networks

• Web Services Developer's Guide and Web Services API Reference Guide that accompany the Web Services Groove Developer Kit (GDK). The Web Services GDK can be downloaded from groove.net.

• Groove server and client online Help

• Groove Web site www.groove.net

• Groove training

• Customer support

Groove Enterprise Planning and Deployment Guide

This Groove Enterprise Planning and Deployment Guide provides information about planning and deploying Groove Virtual Office in an enterprise. The first half of the book discusses planning issues and options; the second half offers guidelines and suggested procedures for various deployment scenarios. Topics are as follows:

Overview - Provides summary information about Groove products and documentation.

Planning - Site Requirements and Considerations - Describes Groove site considerations and requirements, including discussions of capacity planning, network traffic and topology, security policies, disaster recovery, and hardware/software requirements.

Planning - Deployment Scenarios (advantages of each)

• Hosted management and relay servers

• Onsite management and relay servers

• Onsite/Hosted management and relay server combination

• EDB and other supporting servers

• Closed network environments

• Migration capabilities (from hosted management and relay services to onsite servers)

The Deployment sections provide information about preparing the site, general server guidelines, server-specific procedures, and troubleshooting. Upon completion of this half of the guide, readers should know how to create a site-specific deployment plan and should be ready to install and configure servers (if onsite), set up Groove usage policies and licenses for managed users and devices, and install Groove clients. Topics are as follows:

Preparing the Site for Deployment - Provides checklists for capacity planning, network planning, security considerations, and suggested disaster recovery/failover solutions.

General Server Deployment Guidelines - Provides deployment guidelines that apply to all Groove servers.

Common Administrative Questions - Addresses questions frequently asked by IT planners and administrators.

Troubleshooting - Describes general and server-specific problems and suggested solutions.

20050501

Site Planning - Conditions and Requirements

Attention to the issues discussed in this section will help you determine how best to deploy Groove software at your site so you can meet your current and foreseeable collaboration requirements. Successful deployment involves understanding basic Groove requirements and assessing the network management requirements of your site. You can use the following questions as a foundation for planning:

• How does Groove affect your network? How does Groove interact with proxies, firewalls, and other similar devices on your network, what network port requirements does Groove have, and how does Groove affect network bandwidth? See “Network Planning” below for some answers.

• How many Groove users do you need to support and what hardware will you want to employ to manage them? See “Capacity Planning” below for a discussion of these issues.

• What are your data security requirements? Do you need to control Internet access, restrict component downloads and upgrades, or limit contacts to trusted users only? Do you need to schedule periodic user account backups? Do you need to consider system failover? These and related questions affect where you locate management servers on your network and what usage policies you invoke. See “Security Planning” below for a discussion of these issues.

Each company contends with a unique set of administrative, technical, and environmental issues in setting up and maintaining its communications network. The conditions discussed here are likely to arise at any site.

Network Planning

The following section discusses the effects of Groove deployment on your existing network, Groove’s basic network requirements, and Groove bandwidth usage. See the following sections for information:

• Network Topology and Groove

• Network Requirements

• Groove Bandwidth Usage

Network Topology and Groove

One of the biggest IT challenges is setting up network devices and configurations that enable efficient information exchange without jeopardizing the security of corporate data. Often conflicts arise and upset any hard-gained balance. Groove mitigates these problems. Aware of other devices and configurations on the network, Groove is designed to work within any communication constraints they present while maintaining the security of its transactions. For example, when firewall configurations block SSTP communications, Groove clients attempt to access relay servers using HTTP.

In addition, Groove maintains “business as usual” in the context of a wide range of communications tools and features. For example, despite the various bandwidth rates and latencies that characterize Internet traffic, Groove attempts to optimize communications and maintain timely delivery of information.

Table 1 summarizes Groove’s responses to various network and browser configurations. Table 2 lists some of the tools and features with which Groove cooperates seamlessly.
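The following added example (not part of the original guide or of Groove software) shows how an administrator could check which of the transports described in this section a planned egress policy leaves open: SSTP on TCP port 2492, or the HTTP fallback through a relay server or a browser-configured proxy. The rule format, first-match/default-deny evaluation, the sample addresses, and the choice to send HTTP through the proxy whenever one is configured are assumptions of this example.

```python
"""Added example: which Groove transport does an egress policy leave open?"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SSTP_PORT = 2492  # Table 1: SSTP over TCP port 2492
HTTP_PORT = 80    # Table 1: HTTP fallback to relay servers over port 80


@dataclass(frozen=True)
class Rule:
    allow: bool
    dest: Optional[object]  # an ipaddress network, or None for "any"
    port: Optional[int]     # None for "any"


def parse_rules(text: str) -> list:
    """Parse the hypothetical 'allow|deny <cidr|any> <port|any>' rule format."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: bad rule {raw!r}")
        dest = None if parts[1] == "any" else ipaddress.ip_network(parts[1], strict=False)
        port = None if parts[2] == "any" else int(parts[2])
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port out of range")
        rules.append(Rule(parts[0] == "allow", dest, port))
    return rules


def permitted(rules, dest_ip: str, port: int) -> bool:
    """First matching rule wins; traffic that matches no rule is denied."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if rule.dest is not None and addr not in rule.dest:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.allow
    return False


def groove_paths(rules, relay_ip: str, peer_ip: str,
                 proxy: Optional[Tuple[str, int]] = None) -> dict:
    """Report the transports a client behind `rules` could use.

    peer_direct: SSTP straight to another client on port 2492.
    relay: 'sstp', 'http' (relay on port 80), 'http-proxy' (via the
    browser-configured proxy on its own port), or None if nothing is open.
    """
    peer_direct = permitted(rules, peer_ip, SSTP_PORT)
    if permitted(rules, relay_ip, SSTP_PORT):
        relay = "sstp"
    elif proxy is not None:
        # Assumption: with a proxy configured, all HTTP leaves through it.
        relay = "http-proxy" if permitted(rules, proxy[0], proxy[1]) else None
    elif permitted(rules, relay_ip, HTTP_PORT):
        relay = "http"
    else:
        relay = None
    return {"peer_direct": peer_direct, "relay": relay}


# Constructed sample policy: SSTP blocked, only the proxy may be reached.
PROXY_ONLY = """
deny  any            2492   # no SSTP leaves the site
allow 192.0.2.10/32  3128   # site HTTP proxy (constructed address)
deny  any            any
"""

if __name__ == "__main__":
    result = groove_paths(parse_rules(PROXY_ONLY), relay_ip="198.51.100.20",
                          peer_ip="203.0.113.5", proxy=("192.0.2.10", 3128))
    print(result)
```

A result of `relay: None` means managed clients behind that policy could reach neither peers nor relay servers, so the policy would need a relay or proxy exception before deployment.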

Table 1. Impact of Network and Browser Configurations on Groove

Table 2. Real-World Tools and Features with which Groove Cooperates

Network and Browser Configurations - Groove Responses

TCP port restrictions - Direct peer-to-peer communication among Groove clients depends on Groove’s TCP-based Simple Symmetric Transfer Protocol (SSTP) over port 2492. When SSTP ports are not available, Groove encapsulates SSTP messages in HTTP and peer communications occur via Groove relay servers over HTTP port 80.

Proxy configurations - In a proxy environment, when SSTP ports are not available, Groove clients can communicate via HTTP proxies over any port specified in the browser, including ports other than 80.

HTTP proxy caching - HTTP proxy settings can place additional limits on communications. For example, proxies generally cache data before transmitting. Although optimal Groove communications are based on real-time transmissions, Groove is resilient to this caching.

Auto-detection configuration - When auto-detection is enabled for browsers in a proxy environment, the associated Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) configuration includes URLs for JavaScript files that contain information about proxy device location. Groove clients can read the information in these scripts to locate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients.

Auto-configuration scripts - Web browser configurations often include URLs for JavaScript files that include information about conditional proxy seeking. Groove clients can read the information in these scripts to locate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients.

Proxy authentication (NT LAN Manager, Basic Authentication) - Proxy devices often use authentication protocols that require login information when clients attempt to connect. Groove clients support NTLM and Basic Authentication proxy authentication by displaying a dialog box requesting authentication information at connection time, enabling communication through the proxy.

Firewall settings, including Network Address Translation (NAT) - When firewall configurations block SSTP communications, Groove clients attempt to access relay servers using HTTP.

Domain Name System (DNS) - Groove uses registered DNS names in its device URLs.

Virtual Private Networks (VPN) - Groove operates across VPNs, provided that relay servers are accessible over the VPNs.

Communications Tools and Features

Groove Responses

Dial-on-demand routers Groove requires a persistent connection, which on-demand routers do not normally provide. Therefore, Groove may force the router to stay dialed-up as long as Groove is running.

Groove Enterprise Planning and Deployment Site Planning - Conditions and Requirements 24

Page 30: Groove Enterprise Planning and Deploymentdownload.microsoft.com/download/A/A/A/AAA7F161... · Design the DMZ Network Infrastructure 75 Plan the Enterprise Management Server Implementation

Network Requirements

A Groove installation has the general network interface requirements described in the table below

Dial-up, pay-to-use services (such as in hotels and airports), and Network Interface Card (NIC) insertions/removals

These services acquire a temporary (transient) IP address while the connection is up. Groove supports such configurations.

Sociable communications Groove runs in the background as an icon in the system tray along with other Windows applications sharing the network resources. When sharing bandwidth with other applications, Groove attempts to optimize its bandwidth use.

Suspend/resume Most laptops support a sleep mode, for example when the lid is closed. Groove resumes after suspension, without requiring system shut down.

Various bandwidth rates and latencies

Groove is designed to accommodate differences in bandwidth rates, and though affected by these conditions, it attempts to optimize communications.

Communications errors Groove is designed to accommodate communications errors (short breaks in service caused by storms or network events).

Virtual Private Network (VPN) and Virtual Network Connection (VNC) communications

Groove co-exists with these links but does not depend on them.

Device Ports Open

Groove Virtual Office client Inbound port 2492 - Allows peer-to-peer communications via Groove’s Simple Symmetric Transfer Protocol (SSTP) and real-time communications via Groove relay servers.

HTTP ports (80, 443, or SOCKS) - Allow real-time communications via Groove relay servers.

Enterprise Management Server

Inbound port 80 - Receives Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP.

Outbound TCP ports - For sending messages to the relay server and to the Customer Support Notification service at groove.net.

Outbound SMTP ports - For sending email and activation keys to Groove users.

Communications Tools and Features

Groove Responses

Groove Enterprise Planning and Deployment Site Planning - Conditions and Requirements 25

Page 31: Groove Enterprise Planning and Deploymentdownload.microsoft.com/download/A/A/A/AAA7F161... · Design the DMZ Network Infrastructure 75 Plan the Enterprise Management Server Implementation

| Device | Ports Open |
| --- | --- |
| Enterprise Relay Server | Inbound ports 80, 443, or 2492 - Receive messages from Groove clients via HTTP or Groove’s SSTP. |
| | Inbound port 8009 - Receives SOAP requests from the management server. |
| | Inbound port 8010 - Supports browser requests for administrative statistics over SSL (HTTPS). |
| | Corresponding ports on firewalls and related devices must allow communications across the above ports for transmissions to (and from) relay servers. |
| XMPP Proxy Server | Same ports as for the relay server. |
| | Outbound TCP port 5222 for XMPP connections. |
| Enterprise Data Bridge Server | Inbound port 2492 - Receives SSTP transmissions from Groove Virtual Office clients. |
| | Inbound port 9080 - Receives XML/SOAP-based calls from external applications. |
| | Outbound SSTP port - For SSTP transmissions to Groove Virtual Office clients. |
| | Outbound HTTP port - For communications with relay servers. |

Groove Bandwidth Usage

When installed as recommended, a Groove system of clients and servers does not measurably disrupt network performance and compares with most currently available browser or platform-based communications products in terms of bandwidth consumption. Subsequent sections discuss Groove’s bandwidth usage patterns and the hardware and configuration recommendations that best support it. Understanding how Groove uses bandwidth will help you anticipate any network adjustments that may be necessary.

Groove bandwidth usage depends on several variables, including network configuration, and the amount and type of data being transmitted over the wire. While these factors vary among sites, the bandwidth usage results from Groove Networks’ experience and testing provide a useful baseline.

For example, bandwidth usage has been monitored under conditions where Groove is being used heavily in a workspace with fifty members and each member of the workspace sends, on average, approximately 350 bytes/second over the network during a typical workday. Results from this level of Groove activity show that Groove bandwidth utilization increases linearly as the number of members in Groove workspaces increases (assuming a user-to-device ratio of approximately 1:1).

Whenever possible, Groove transmits data directly from peer to peer, sending out individual packets of data to each workspace member. When data is addressed to a peer that cannot be reached directly (because the user is offline, behind a firewall, or on a weak internet link, for example), Groove sends data to relay servers for replication and distribution, or for more efficient distribution via fan-out. Whether data is transferred through relay servers or not, bandwidth utilization relative to the number of users in a workspace remains linear (see Figure 1, below), facilitating the task of predicting Groove bandwidth use once the application is online. Note that because relay servers are designed for expedient bandwidth use, total bandwidth use under conditions of high traffic is often less when relay servers assist in message transmission.

Figure 1. Groove Client/Relay Bandwidth Usage

Capacity Planning

To anticipate and plan for any large-scale software deployment, you need to know the size and location of your intended user base, as well as anticipated bandwidth consumption discussed above. Capacity planning centers around two basic questions:

• How many Groove users do you plan to support initially and over time?

• How do you want to manage Groove use?

The range of Groove enterprise services and servers that you engage depends mainly on the size of your user base. The sections below discuss Groove client and server capacities:

• User Base Planning

• Management Server Capacity

• Relay Server Capacity

• Data Bridge Server Capacity

The “Deployment Scenarios” section, later in this guide, compares the various Groove client-server combinations available to help you meet your requirements.

User Base Planning

In a large-enterprise environment, knowing the current and projected size of your Groove client base, along with the estimated per-user daily bandwidth usage, is essential for planning a Groove installation that will operate smoothly from the start and over the long term. In small businesses (of less than 100 users), minimal planning is involved. You need only determine the number and type of Groove licenses you’ll need. The network and security configuration already in place at your site to support Internet access and email should be sufficient for Groove, regardless of whether users collaborate under the same roof or across the globe.

When hundreds or thousands of users require collaboration support, and when corporate customers or consultants are involved as well as employees, close consideration of how you intend to manage such collaboration is necessary. Proper evaluation of your frameworks involves considering at least the following issues:

• Centralizing and automating large-scale Groove deployment.

• Setting Groove password entry requirements.

• Controlling Groove software upgrades and component downloads.

• Managing Groove use at both the user and device level.

• Identifying trusted collaborators outside a domain.

• Integrating Groove with corporate directories.

• Safe-guarding against Groove user account and data loss.

• Monitoring user activity and project work to ensure productive use of Groove.

• Employing dedicated relay services to ensure relay availability.

• Maintaining an enterprise-based component server from which users can download, instead of relying on Groove Networks’ Web site.

• Integrating existing systems with Groove (for instance, Lotus Notes, MS Outlook, and MS SharePoint).

• Integrating corporate applications and data.

• Auditing Groove client events to ensure proper use.

A suite of Groove applications and services is available to help resolve these administrative issues, all designed to facilitate large scale Groove deployments (of over 100 users). Once you know the number and location of users and devices that will be involved, you can choose any combination of Groove services and applications to help handle capacity. The following table summarizes the capabilities of each:

| Groove Enterprise-based Products | Capabilities |
| --- | --- |
| Enterprise Installers (EI) | An MSI-based Groove Virtual Office installation that enables customized, standardized Groove software installation within an organization. Customization can include the following: |
| | • Specifying locations of Groove data directories. |
| | • Specifying Lotus Notes or Microsoft Outlook integration with Groove. |
| | • Registering devices with Groove management domains (controlled from Groove management servers) upon Groove installation. |
| | When used with centralized deployment software, extends the customized installation to all clients defined in the deployment package. |
| Groove Hosted Management Services - Hosted by Groove Networks; Enterprise Management Server (EMS) - Installed on servers onsite at an enterprise | Enables and facilitates centralized administrative control over Groove use. Capabilities include: |
| | • Setting password creation rules. |
| | • Setting peer authentication policy. |
| | • Defining component installation and upgrade policy. |
| | • Enforcing managed Groove use. |
| | • Establishing trusted users across management domains. |
| | • Enabling Groove password and data recovery. |
| | • Scheduling automatic Groove account backup. |
| | • Integrating corporate user directories with Groove user identity information. |
| | • Monitoring Groove use. |
| Audit Service - Installed on server onsite at an enterprise | Audits Groove transceiver and workspace events. |
| Groove Components Server - Installed onsite at an enterprise | Allows enterprise surveillance over Groove components made available to managed users. |
| Hosted Relay Services - Hosted by Groove Networks; Enterprise Relay Servers (ERS) - Installed onsite at an enterprise | Enables relay server provisioning to managed users. |
| XMPP Proxy Server - Installed onsite at an enterprise | Enables XMPP-based communications between Groove users with Jabber (or other XMPP) accounts and other Jabber (or other XMPP) users. |
| Enterprise Data Bridge Server (EDB) - Installed onsite at an enterprise | Integrates the use of Groove with third-party (external) applications in use at an enterprise, through the use of bots. |
| | EDB for CASAHL ecKnowledge is a packaged implementation of EDB that integrates data from external applications with Groove Virtual Office via Groove Web services. |
| Groove workspace Backup Service (EBS) - Installed onsite at an enterprise | Allows administrators to schedule periodic backup of user workspaces. |
| Groove® Mobile Workspace for Microsoft® SharePoint™ | Groove Mobile Workspace for SharePoint is an application that accompanies Groove Professional edition. The Mobile Workspace application allows knowledge workers to perform offline tasks and to securely interact with team members outside enterprise firewalls while utilizing the collaboration centers afforded by Windows SharePoint servers. The Groove Mobile Workspace tool set includes specially designed file, discussion, list, and management tools to support the Groove-SharePoint connection in Groove. |

Management Server Capacity

Onsite Groove management servers provide a control center for comprehensive oversight of Groove usage. In planning how to incorporate one or more management servers into your network, consider your company’s usage statistics, bandwidth requirements, and what hardware/software is necessary to support those conditions. Groove Networks recommends using one server to support up to 10,000 users, assuming the recommended hardware configuration cited in the Enterprise Management Server Administrator’s Guide (accessible on www.groove.net). A second management server device is typically recommended to support a larger user base. Larger-scale implementations can leverage the scalability of the underlying IIS and SQL platforms.

The following table summarizes workload statistics for 1 to 2 management servers, based on experience at Groove Networks:

| Groove Users | Transactions/Second | Management Server(s) |
| --- | --- | --- |
| 1,000 | 3 | 1 |
| 2,000 | 6 | 1 |
| 5,000 | 15 | 1 |
| 10,000 | 30 | 1 |
| 20,000 | 60 | 2 |

Relay Server Capacity

Onsite relay servers ensure relay availability to your Groove users and place all relay management within the control of your server administrators. If you decide to install relay servers on site, so that you can secure and manage dedicated relays, plan on supporting no more than 10,000 Groove users on a single relay server. However, actual limitations on relay capacity may be lower and you should monitor Groove client and relay performance to determine when additional server hardware or software may be necessary.

If your organization supports a global network of users, to maximize the performance of your relay equipment, try to locate your relay servers in close proximity to your main user groups. The increased “hop” count necessary to support data transmissions from Groove clients to distant relays degrades network performance.

As a reference when planning your relay server deployment, keep in mind the following capacity statistics for a typical relay server setup:

Hardware/Software:

• Intel Xeon, Dual Processor, 2.4 GHz, 2 GB RAM

• Multiple disk controllers, NICs, and write-caching hardware RAID

• 300-GB RAID disk array

• Windows 2000 Server

Capacity:

• 3,000 concurrent Groove users (with accounts on the relay server)

• 6,000 connected devices

• Maximum bandwidth of 15 MB/concurrent user/day

In the statistics cited above, note that the ratio of online Groove users to devices connected to the relay server varies depending on the usage model. Consider the following two examples:

• In a closed network model, only those clients with accounts on the corporate relay server can connect to it (no users outside the organization can connect to the relay server or directly to clients inside the organization). In this environment, the number of users to devices is nearly 1:1. However, if any user has multiple devices connected to the network simultaneously, the number of devices will exceed the number of users.

• In a typical open network usage model, clients outside the organization can connect to the relay server in order to enqueue data for clients inside the organization and Groove users inside the organization can be members of workspaces with members from outside organizations. To sustain data exchange in the context of offline usage and firewall or DMZ configurations, external users must connect to the relay server. While external clients do not have accounts on the ‘internal’ relay server and therefore are not recognized as users, their devices connect to the internal relay server. These connected devices consume some relay resources, although substantially fewer resources than does a connected user. Therefore, the number of users (assigned users) connecting to the relay server is substantially less than the total number of connecting devices.

The chart above describes an organization with a community of 6,000 Groove users, but only 3,000 of them have accounts on the internal relay server and are connected concurrently. In this scenario, about half the users involved in collaboration are from another organization (hosted on a different relay server).

The sections below discuss the following aspects of capacity planning:

• Relay Bandwidth Usage

• RAM

• CPUs

• Disk Space

• Hard Disk Controller

Relay Bandwidth Usage

Approximately 15 megabytes (~8 MB in, ~7 MB out) of data may pass through the relay server per user per day, based on Groove Networks’ average usage tests. Therefore, an environment of 3,000 concurrent Groove users would generate about 45,000 megabytes (45 GB) of traffic per day. The amount of data directed to the relay server depends on the amount of data being sent in each transmission, communications speed, whether clients are behind firewalls, and the state of client connections. Whether data passes through relay servers or not, bandwidth utilization remains linear relative to the number of users in a workspace (assuming a user-to-device ratio of approximately 1:1).

Each Enterprise Relay Server supports up to approximately 3,000 users who can be connected simultaneously. One or more additional relay servers are recommended to support larger user bases. The following table shows the transaction statistics that can be expected on a typical production relay server running at capacity.

RAM

Tests on a typical relay server (dual 2.4-GHz Xeon processors, 2 gigabytes of memory, RAID 5 hard-disk configuration) show that the relay uses about .5 megabytes of memory for every user that is connected to it.

CPUs

Groove Networks recommends installing at least two processors on your relay server machine. The server is optimized for two or more processors.

Disk Space

The disk space required to support a client population varies greatly, depending on the client usage models. Client populations that are routinely offline for days or weeks at a time require more relay disk space because data must be stored while clients are offline. In a typical mixed client population model, a client may use up to approximately 30 MB of disk space per day. Therefore, 300 GB will support a community of about 10,000 Groove workspace users.

Based on Groove Networks’ experience, an average of 1 megabyte of data per second is enqueued or dequeued on a typical production relay server when about 3,000 Groove users are online concurrently. This means that the average user enqueues or dequeues only about 500 bytes per second. The low number is due to the fact that, at any given time, most users have Groove running in the system tray. These figures translate to about 3 megabytes passing through the relay server per user per day. Assuming a heavy-use scenario, where all users enqueue data and no one dequeues, and that the relay server expunges messages after 30 days in the queue, each user could add up to 1,500 megabytes before old data is deleted. Therefore, the total amount of queued data generated by 3,000 users would be about 450 GB (1,500 MB/user x 3,000 users).

Hard Disk Controller

Relay servers place a high demand on disk input/output (I/O) capability. Write caching is critical to supporting the high I/O demand of a relay server. The relay server installation kit includes a utility called DBWriteTest.exe that you can run, to assess the performance viability of your disk subsystem. In addition, you should configure a hardware RAID so that your system can survive catastrophic failure of a disk drive with minimal down time and data loss.


The rate at which the hard-disk controller transfers data from the processor to the hard disk depends on the type of controller. Groove Networks average use tests show that adding 100 Groove users to the system typically increases the amount of data written to or read from the relay server hard disk by about 50,000 bytes per second. This suggests that a community of 10,000 Groove users would best be supported by a relay server with several hard disk controllers, a write-caching hardware RAID controller, and 10,000 to 15,000-rpm disks.

Data Bridge Server Capacity

The number of Groove users and Groove workspaces you intend to support and the expected volume (in bytes) of data to be transmitted per day are key considerations in setting up data bridge services at your site. Also, keep in mind that for maximum effectiveness, the EDB server should be available and connected to the network 24 hours per day, 7 days per week.

The following table summarizes capacity and performance results for a heavy EDB usage model involving three servers, each running Groove EDB for CASAHL ecKnowledge and hosting 500 Groove workspaces:

| Parameters | Value (per server in a 3-server EDB environment) |
| --- | --- |
| Jobs run/hour | 400 (EDB Forms Tools are updated with data from SQL database via ecKnowledge) |
| Average workspace creation time | 70 seconds |
| Private memory bytes for EDB process | Approximately 250 MB, relatively flat throughout usage period (could increase depending on workload, to accommodate rapid new space creation, for example) |
| Virtual memory for EDB processes | 750 MB (could increase depending on workload) |
| Disk and network I/O activity | Minimal (likely to increase if Groove File Sharing is used) |
| CPU usage | 20% over a 9-hour period, with spikes to 100% during workspace creation (including workspace creation, Groove invitation processing, data entry, and synchronization) |
| Disk space usage total | 13.7 GB of disk space (after all spaces were created and synchronized) |

Discuss your company’s usage statistics with your Groove Networks representative to determine how best to allocate your current EDB server setup and when to consider expansion.

Security Planning

Data security across the Internet relies on several layers of protection. The lowest level of protection, accomplished by filtering and blocking transmissions over specific ports or protocols, is an important factor in network site planning. In addition, the various higher forms of cryptography-based security inherent in platform and applications software can affect the choice of security measures implemented at the network level.

Groove client and server software both provide built-in security systems designed to protect data resources and prevent unauthorized access. The following sections discuss these and other aspects of Groove security to provide a baseline for planning Groove deployment:

• Network Level Security

• Groove’s Built-in Security

• Management Server Security

• Relay and XMPP Server Security

• Data Bridge Server Security

Network Level Security

A basic form of security for Internet transmissions is the blocking or filtering of data from unknown or suspect sources. One way to accomplish this is by restricting the number of open communications ports on the server, limiting inbound transmissions to those protocols supported by the few open ports. Firewalls are often used to implement these restrictions. For example, you could locate a Groove server in a DMZ, behind a firewall that allows only TCP inbound traffic over port 80, limiting inbound transmissions to HTTP traffic only. This would allow Groove and other HTTP communications while blocking other transmissions using non-HTTP protocols. In addition, proxy devices may be used to force transmissions through a single port, preventing access to other ports.

How you implement security measures at your site depends largely on your company’s specific security requirements, the software you use, and on your existing network topology. The “Recommended Best Practices” section in Preparing Your Site for Deployment, later in this guide, provides some guidelines.

Groove’s Built-in Security

Secure Internet communications is based on achieving three main objectives: authentication of users and devices, confidentiality of communications, and data integrity. How you set up your network to obtain these objectives mostly depends on the software you are managing.

Groove client software addresses fundamental security issues via the following built-in mechanisms:

• Data encryption helps assure confidentiality of all information exchanges, whether on a LAN or across the Internet.

• Groove identities and accounts can be password-protected.

• Built-in authentication systems verify the identity of Groove users and devices.

• Component signature verification algorithms help assure the integrity and appropriateness of components installed on user devices.

• Role-based access control, defined by Groove workspace creators, determines what workspace members can access.


• Progressive slow-down of the password window display after repeated incorrect password attempts protects against external parties using password discovery scripts to access Groove.

• As of Groove version 3.0, automatic virus filtering of files passing through Groove helps assure data integrity.

Management Server Security

Groove management servers provide the following additional layers of security:

• Certificates (signed contact information) provided by the management server’s stand-alone Public Key Infrastructure (PKI) functionality provide for automatic user authentication within and across management domains. The management server also supports user authentication via third-party, enterprise PKI certificates.

• Device password policies help ensure that Groove login practices (passwords or smart cards) meet minimum requirements in place at an organization.

• Account lockout policies deter fraudulent Groove login attempts.

• Component installation policies restrict Groove component downloads on managed devices to authorized sources and versions.

• Peer authentication policies control communications among Groove users in different management domains.

• Password (or smart card) credential reset policies allow for safe reset of user login credentials.

• Role-based administrator access control enables administrators with varying levels of responsibility to share Groove management.

• Groove user account backup policies help secure vital account information by providing for scheduled account backups.

Security is an important consideration when distributing Groove managed identity activation keys that enable the deployment of managed identities among your PC users. Groove's recommended activation key distribution method is secure mail.

See the Groove Enterprise Management Server Administrator’s Guide for detailed information about implementing user authentication and security policies.

Relay and XMPP Server Security

The relay server’s inherent design addresses key concerns of security-conscious IT departments. To begin, relay servers use public key cryptography for initial authentication of devices and users via their primary protocol (SSTP), and for authentication of transactions received from the management server via SOAP. The relay server’s Web-based relay statistics interface is protected by the Secure Socket Layer (SSL) standard. In addition, the SSL port (8010) and the port used for SOAP transactions with the management server (8009) can both be secured by restricting access to these ports to a specific network interface card.
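The port restrictions described under Network Level Security, and the interface restriction for relay ports 8009 and 8010 described above, can be checked against a server's actual listeners. The following is an added example, not part of the original guide or of Groove Networks software; the role names, function names, and sample `netstat -an` output are constructed for illustration, and the port sets are taken from the Device / Ports Open table in this guide.

```python
import ipaddress
import re

# Inbound ports per server role, from the "Device / Ports Open" table in this guide.
ALLOWED_INBOUND = {
    "management": {80},
    "relay": {80, 443, 2492, 8009, 8010},
    "xmpp_proxy": {80, 443, 2492, 8009, 8010},  # "Same ports as for the relay server"
    "data_bridge": {2492, 9080},
}
# Client-facing ports: at least one must be listening or clients cannot reach the role.
CLIENT_FACING = {
    "management": {80},
    "relay": {80, 443, 2492},
    "xmpp_proxy": {80, 443, 2492},
    "data_bridge": {2492},
}
# Ports the guide says can be restricted to a specific network interface card:
# 8009 (SOAP from the management server) and 8010 (statistics over SSL).
RESTRICT_TO_INTERFACE = {"relay": {8009, 8010}}

# Matches listening TCP sockets in Windows "netstat -an" output (IPv4 or [IPv6]).
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

# Constructed sample output for a relay server (addresses are illustrative).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2492           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    10.0.5.20:8010         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.5.20:2492         203.0.113.7:51544      ESTABLISHED
"""


def parse_listeners(netstat_text):
    """Return [(ip_address, port)] for every listening TCP socket in the text."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue  # headers, UDP rows and established connections are skipped
        host = match.group(1).strip("[]").split("%")[0]  # drop IPv6 brackets/zone
        listeners.append((ipaddress.ip_address(host), int(match.group(2))))
    return listeners


def audit(role, netstat_text):
    """Compare listeners with the guide's port table; return a list of findings."""
    if role not in ALLOWED_INBOUND:
        raise ValueError(f"unknown role: {role}")
    listeners = parse_listeners(netstat_text)
    findings = []
    for addr, port in listeners:
        if port not in ALLOWED_INBOUND[role]:
            # A listener the guide does not call for widens the attack surface.
            findings.append(("unexpected-listener", port, str(addr)))
        elif port in RESTRICT_TO_INTERFACE.get(role, set()) and addr.is_unspecified:
            # 0.0.0.0 or :: means the port answers on every interface.
            findings.append(("bound-to-all-interfaces", port, str(addr)))
    if not CLIENT_FACING[role] & {port for _, port in listeners}:
        findings.append(("no-client-facing-listener", None, None))
    return findings


if __name__ == "__main__":
    for finding in audit("relay", SAMPLE_NETSTAT):
        print(finding)
```

Run it against the output of `netstat -an` captured on the server; an empty result means the listeners match the guide's table for that role.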

Groove client software is designed to protect against connection take-over, eavesdropping, or message modification, insertion, or deletion, as the Groove client software provides this protection. Other security features are built in to Groove relay servers, including:

• Device authentication when dequeueing device-targeted data (including Groove workspace and contact information) from the relay server.

• User account authentication when dequeueing identity-targeted data (including Groove instant messages and invitations) from the relay server.

• Server authentication when dequeueing both device-targeted and identity-targeted data.

Groove Virtual Office (formerly Groove Workspace) software contains a list of Groove relay servers and the public key certificate of each relay server. Upon installation, the Groove software randomly selects a relay server from the list (or, in a managed environment, selects the assigned Enterprise Relay Server or Groove Networks-hosted relay server) and uses that server's public key to register the new account data. Henceforth, the software uses that relay server. User contact information includes the selected relay server's URL to establish a complete communication path for other Groove users.

When the Groove user account registers with a relay server, the account establishes a shared secret key with the relay server that provides a mutually authenticated link for all relay-to-client communication. The secret key shared solely with that user account over the life of the account prevents a false user or relay server from mounting a denial-of-service attack on the system.

The relay server can access only the message header information that is needed to locate devices (or a target device's relay server). Groove's end-to-end data encryption prevents the relay server from reading data inside messages (either update messages or instant messages).

Groove client to XMPP proxy connections are protected by the standard Groove cryptographic and user authentication security measures. XMPP proxy to Jabber server connections depend primarily on your network security configuration.

Data Bridge Server Security

Groove data bridge servers are based on the Groove platform and therefore inherit all of Groove’s built-in security mechanisms, including user authentication and data encryption. Groove's inherent cryptographic security ensures that workspace data and activities remain within the exclusive purview of the workspace’s member users. However, EDB service identities, like Groove users, may hold membership in multiple spaces and retain access to external applications. Therefore, exercise caution when defining a service’s presence and role in a given workspace.

A basic tenet of EDB security is to logically locate the EDB server on your network to allow a minimum number of Internet protocols. Generally, this means leaving open on the EDB server port 80 for HTTP and port 2492 for SSTP, using firewalls to block all other Internet traffic.
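The port guidance above (relay ports 8009 and 8010 tied to one network interface, and only ports 80 and 2492 left open on the EDB server) can be checked against what a server actually listens on. The following Python sketch is an added example, not part of the Groove guide or product; it parses Windows `netstat -an` output, and the sample output, IP addresses and function names are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Ports named in the guide text above.
RELAY_RESTRICTED = {8009: "SOAP from management server", 8010: "SSL relay statistics"}
EDB_OPEN = {80: "HTTP", 2492: "SSTP"}

# One LISTENING row of Windows `netstat -an` output (IPv4 or bracketed IPv6).
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def parse_listeners(netstat_text):
    """Return sorted unique (ip, port) pairs for every listening TCP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, UDP row, or a connection that is not LISTENING
        host = m.group(1).strip("[]").split("%")[0]  # drop brackets and zone id
        found.add((ip_address(host), int(m.group(2))))
    return sorted(found, key=lambda p: (p[1], str(p[0])))


def audit_relay(listeners, admin_nic_ip):
    """Flag 8009/8010 listeners that are not bound to the designated interface.

    admin_nic_ip is the address of the network interface card chosen for
    management traffic (an assumption of this example).
    """
    admin = ip_address(admin_nic_ip)
    findings = []
    for ip, port in listeners:
        if port in RELAY_RESTRICTED and ip != admin:
            scope = "all interfaces" if ip.is_unspecified else str(ip)
            findings.append((port, scope, RELAY_RESTRICTED[port]))
    return findings


def audit_edb(listeners):
    """List non-loopback listeners on ports other than 80 and 2492.

    Each entry is a service that the firewall rules must block, or that
    should be disabled on the EDB host.
    """
    return [(port, str(ip)) for ip, port in listeners
            if port not in EDB_OPEN and not ip.is_loopback]


# Constructed sample output, not captured from a real server.
RELAY_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2492           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8010           0.0.0.0:0              LISTENING
  TCP    10.20.0.5:8009         0.0.0.0:0              LISTENING
  TCP    10.20.0.5:2492         192.0.2.44:51532       ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

EDB_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2492           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
"""

if __name__ == "__main__":
    for port, scope, role in audit_relay(parse_listeners(RELAY_NETSTAT), "10.20.0.5"):
        print(f"relay: port {port} ({role}) is listening on {scope}")
    for port, ip in audit_edb(parse_listeners(EDB_NETSTAT)):
        print(f"EDB: port {port} on {ip} is outside the HTTP/SSTP allowance")
```

In the constructed relay sample, port 8009 is bound to the designated interface while port 8010 listens on every interface, so only 8010 is reported.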

In the context of Service Oriented Architectures (SOA) employing Groove Web Services, Enterprise Data Bridge servers communicate with external applications via standard XML-based protocols, such as SOAP. Native Groove security does not protect the connections between EDB servers and the external applications where the integration logic (code) lives and which integrate with Groove workspaces through Groove Web Services on EDB. Therefore, pay careful attention to the security of these network connections when planning deployment. All connections to devices running external applications (those integrating with Groove workspaces through Groove Web Services on EDB) should be secured with standard techniques such as IPSec and SSH.

In summary, how you implement security measures at your site depends largely on your company’s specific security requirements, the software you use, and on your existing network topology.

Deployment Scenarios

Groove Networks provides a suite of applications and server options designed to facilitate Groove deployment and management in a business environment. Enterprises can choose whether to host servers onsite or use servers hosted by Groove Networks. Combinations of hosted and onsite servers are also options. The following section provides an overview of server options. Subsequent chapters highlight the features of the various products and services on offer.

Groove Hosted Management Services vs. Onsite Servers

Deciding whether to host Groove management services onsite or use Groove Networks-hosted services depends largely on the size of a company’s Groove user base and its communications bandwidth requirements, although a complex of security and network considerations (as discussed above) also affects the decision. Generally, corporations that intend to support hundreds of Groove users consider centralized Groove management. Corporations can access Groove management services by subscribing to Groove Hosted Management Services (hosted by management servers at Groove Networks) or by installing one or more Groove Enterprise Management Servers onsite.

Similarly, Enterprise Relay Servers can be installed onsite for maximum control and monitoring of relay events, or Hosted Relay Servers can be employed to allow for minimal administrative burden while affording increased assurance of relay availability (over public relay services). Because public relay servers are not subject to management server administration, organizations must engage dedicated hosted relay services or install onsite relay servers in order to utilize the management server’s relay administration capabilities. Dedicated relay servers in turn depend upon management servers in order to function within the managed environment.

When management servers are hosted by Groove Networks, Groove administrators can access an administrative interface via a browser that allows centralized management of Groove use. Complex deployments of Groove that rely on locally-situated servers to support clients are a viable consideration for some companies. When management servers are hosted onsite at an organization, administrators have physical access to management servers and to features that allow centralized server control and monitoring. A typical onsite deployment of Groove management servers involves both management and relay servers installed in an organization's DMZ (an area on a corporate network that allows limited external access).

The decision to enlist Groove Networks-hosted management services or to host onsite management or relay servers depends on the corporate setting. For example, a growing startup company with limited space and administrative resources is likely to benefit most from Groove-hosted services, while an established firm with a large IT department and specific security needs may benefit more from an onsite installation that affords direct internal control over server activity.

The following sections outline the advantages and considerations associated with each of the Groove management server options:

• Decision Factors

• Groove Hosted Management Server Benefits

• Onsite Enterprise Management Server Benefits

• Groove Hosted vs. Onsite Relay Servers

• Hybrid Onsite/Hosted Management

• Additional Groove Management Services

• Closed Network Environments

• Migration Capabilities (from hosted management and relay services to onsite servers)

Decision Factors

In light of the respective benefits offered by hosted, onsite, or hybrid management server architectures, several factors affect a decision of which route to pursue. These factors include the following:

• Time frame allowed for Groove deployment

• Size and location (distribution) of user base

• Availability of server administrator resources

• Corporate security requirements

• Use of a corporate employee directory (such as an LDAP directory)

• Failover and server redundancy requirements

• Access to the SQL database that supports the management server to customize reporting

Groove Hosted Management Server Benefits

Using hosted services allows:

• Rapid deployment - No servers need to be set up in the corporate DMZ. Use of Groove software only requires deployment of client side software, accessible from the Groove Networks Web site.

• Ease of administration - Administrators can control licenses, security settings, Groove users, and devices, and can view Groove usage reports via Web access to the hosted management services. Administrators do not need to worry about ongoing server maintenance.

• Availability assurance - Groove Networks Hosted Services provide a Service Level Agreement for availability assurance.

Figure 1, below, shows a Groove scenario where an enterprise relies on Groove hosted management servers to provide the administrative interface for overseeing Groove users and devices.

Figure 1. Hosted Management Server Scenario

Onsite Enterprise Management Server Benefits

Under certain conditions, bringing Groove Networks Enterprise Management and Relay Servers on site can be advantageous. Groove Networks supports both a fully onsite management model, where both the management and relay servers are onsite, as well as a hybrid model, where the management server is onsite while relay services are hosted by Groove Networks.

The onsite option makes available a number of features and capabilities, including:

• Directory integration - Onsite management servers can be configured to allow user information to be imported and synchronized with the corporate LDAP/Notes/Active Directory. This feature reduces the administrative burden of managing user attribute changes.

• Domain creation - Onsite management server administrators can create, organize, and delete Groove domains at any time, without contacting Groove Networks.

• More control over security of corporate information - With onsite management servers, server administrators control the location of servers, as well as the assignment of delegated administrator roles and permissions that determine who can access the server’s administrative interface.

• Server monitoring - Onsite management server administrators can view an audit log of server and domain events, such as when a domain or user is added to the server.

• Access to the SQL database that supports the management server - SQL access allows administrators to query the SQL database and create customized management server reports.

• Onsite relay management - With an onsite management server at your site, you can install dedicated onsite relay servers anywhere on your corporate LAN/WAN, enabling your organization to control relay deployment and usage.

• Multiple relay assignment - When deploying onsite management and relay servers, you can assign multiple relay servers per user. This configuration offers higher availability of relay services, as all contacts for that user will automatically contact secondary relays if that user's primary relay is unavailable.

Figure 2, below, shows how a Groove management server might be incorporated into a corporate network, along with existing LDAP servers and supporting corporate-hosted relay servers.

Figure 2. Onsite Management Server Scenario

Groove Hosted vs. Onsite Relay Servers

Groove Networks offers a Service Level Agreement for its hosted relay services, providing a defined level of assurance of relay availability. Using Groove's hosted relay services reduces the administrative work required to set up and maintain onsite relay servers.

The main advantage of onsite relay servers is that IT administrators can directly control relay server security and availability. Specifically, they can secure relay activity within a private network.

Installing multiple relays onsite allows redundancy if a relay server encounters problems. Multiple relays also allow administrators to direct Groove users to a sequence of relay servers. This configuration offers higher availability of relay services, as all contacts for that user will automatically contact secondary relays if that user's primary relay is unavailable.

Figure 3 shows a scenario of hosted management servers and relay servers.

Figure 3. Hosted Relay Services Scenario

Figure 4 shows a scenario involving an onsite management and relay server. If you plan to install one or more relay servers at your site, an Enterprise Management Server must also be installed onsite.

Figure 4. Onsite Relay Server Scenario

Hybrid Onsite/Hosted Management

If one or more Enterprise Management Servers are installed at your site, you have the option of installing relay servers at your site or engaging Groove Hosted Relay services, using a scenario similar to the one shown in Figure 5.

Figure 5. Hybrid Scenario of Onsite Management and Hosted Relay Servers

Additional Groove Management Services

To enhance your Groove management environment and the scenarios discussed above, Groove provides the following servers and services:

• Enterprise Installer

• Groove Component Server

• Client Audit Server

• XMPP Proxy Server

• Enterprise Data Bridge Server

• Groove Backup Service with EIS

• Microsoft SharePoint with Groove

Enterprise Installer

The Groove Enterprise Installer is a packaged version of Groove Virtual Office (formerly Groove Workspace) software, based on Microsoft® Windows® Installer (MSI). Like MSI, the Enterprise Installer is an application installation and configuration service that depends on an Instmsi.exe file. It allows you to create a software package for centralized Groove deployment, typically from a deployment server.

See the Groove Software Deployment Guide for detailed information about using the Enterprise Installer.

Figure 6 shows a sample scenario with an onsite management server and hosted relay services.

Figure 6. Centralized Groove Deployment with Enterprise Installer

Groove Component Server

Groove Components is an application that enables you to deploy and manage Groove components from a Web or file server located onsite at your enterprise. Once you locate this application on a file or Web server accessible to your Groove users, you will need to adjust management server device policies to allow for this capability. For example, you need to specify the HTTP or UNC server from which installations can occur. See the Groove Software Deployment Guide (available on www.groove.net) for more information about installing the Groove Components application at your site.

Figure 7 shows a sample scenario with onsite management and Groove Component servers.

Figure 7. Managed Groove Environment with Onsite Groove Component Server

Client Audit Server

The Groove Audit Server is an application that allows auditing of managed Groove clients. The application is installed in conjunction with a Groove Management Server, typically on the supporting SQL server. To enable audit logging, the device policy that enables audit logging of Groove client events must be turned on. The audit server allows you to audit events associated with Groove user accounts, provided that management server device policies that govern client auditing allow for this. See the Groove Enterprise Management Server Administrator’s Guide for information about installing and configuring the Groove client Audit Server. Figure 8 shows a sample scenario with an onsite management server and a Groove client audit server.

Figure 8. Groove Client Audit Server Added to Management Environment

XMPP Proxy Server

Groove XMPP proxy servers employ the Groove relay server architecture to provide Groove users with a communications gateway to Jabber and other XMPP users. For control over these types of connections in an enterprise that employs Groove management servers, you can install XMPP Proxy Servers at your site. From the management server, administrators can designate the extent of XMPP Proxy communications. Administrative access to XMPP statistics is available via Web browser, as for relay server statistics. See the Groove Enterprise Relay Server Administrator’s Guide for information about installing and configuring an XMPP Proxy Server at your site. Figure 9 shows a sample scenario with a management server and XMPP proxy server.

Figure 9. Groove XMPP Proxy Server Added to Management Environment

Enterprise Data Bridge Server

Groove Enterprise Data Bridge (EDB) servers enable seamless integration of Groove data with external applications and processes via Web Services that mediate the information exchange. External applications connect to EDB via SOAP/XML calls to Web Services on EDB. EDB-to-client connections occur via administrator-defined EDB service identities, present in Groove workspaces. Because EDB involves automated tasks that run on client devices, a managed environment is the most secure one for installing EDB servers, although management servers are not required for EDB operation. EDB should always be installed on a private corporate network or DMZ.

Groove EDB for CASAHL ecKnowledge is a packaged implementation of EDB that enables Groove data integration with CASAHL’s ecKnowledge application. In this scenario, an ecKnowledge-Groove connector acts as a Web Services API client to Groove, passing SOAP calls from ecKnowledge to Web Services running on EDB.

Figure 10 shows an EDB server completing the Groove management scenario. Figure 11 shows an EDB server in the context of ecKnowledge.

Figure 10. Groove Enterprise Data Bridge Server Added to Onsite Management Environment

Figure 11. EDB for ecKnowledge

Groove Backup Service with EIS

The Enterprise Backup Service allows you to schedule automatic backups of your company’s Groove spaces. You can use any third-party backup system to back up the .gsa files for offline storage.

Figure 12 shows a sample scenario with an EDB server hosting Groove Backup services.

Figure 12. Groove Backup Service with EDB Server

Microsoft SharePoint with Groove

Groove® Mobile Workspace for Microsoft® SharePoint™ is an application that accompanies Groove Professional edition. The Mobile Workspace application allows knowledge workers to perform offline tasks and to securely interact with team members outside enterprise firewalls while utilizing the collaboration centers afforded by Windows SharePoint servers. The Groove Mobile Workspace tool set includes specially designed file, discussion, list, and management tools to support the Groove-SharePoint connection with Groove virtual office software.

A typical SharePoint-enabled Groove workspace pulls content from Windows SharePoint sites for much of a team’s interaction, and returns any documents and other data that have been created or modified to that team’s SharePoint site. In this way, Groove provides a temporary ‘offline client’ from team workspaces.

Together, a combined SharePoint/Groove Mobile Workspace solution provides knowledge workers with easy-to-use collaboration tools that offer the unique benefits of offline access to team content, automatic synchronization, and secure collaboration across network boundaries, regardless of network connectivity.

Figures 13 to 15 show two typical SharePoint-Groove configurations and the SharePoint - Groove data path.

Figure 13. SharePoint - Groove Connection with Hosted Servers

Figure 14. SharePoint - Groove Connection with Onsite Servers

Figure 15. SharePoint - Groove Data Path

Closed Network Environments

In a highly secure environment where no external network connections are desired, you must install any Groove servers at your site on your internal network. Figure 16 illustrates a likely closed network scenario.

Figure 16. Groove in Closed Network Environments

Migration Capabilities

Over time, you may decide to migrate from Groove Networks-hosted management and/or relay servers to onsite servers. Or, you may want to move from a hybrid (onsite management server/hosted relay) environment to an entirely onsite Groove management environment. The process, in any case, is fairly simple. The following sections summarize the main steps you’ll need to take:

• Migrating from a Hosted Management Services to Onsite Enterprise Management Servers

• Migrating from Hosted Relay Services to Onsite Enterprise Relay Servers

Migrating from a Hosted Management Services to Onsite Enterprise Management Servers

If you are changing from Groove Hosted Management Services to an onsite Enterprise Management Server, you need to create a new domain structure on your newly installed server. Once you have done this, you migrate your managed Groove users and devices to the newly defined management domains. Currently, this procedure must be performed manually and involves the Groove-hosted Web site, the onsite Enterprise Management Server, and the Groove client devices. For detailed instructions about migrating Groove users to another domain, see the Groove Enterprise Management Server Administrator’s Guide.

Migrating from Hosted Relay Services to Onsite Enterprise Relay Servers

The Enterprise Management Server administrative UI allows easy conversion from Groove Networks-hosted relay services to onsite relay servers. See the Groove Enterprise Management Server Administrator’s Guide for information about assigning Groove users to onsite relay servers.

Preparing Your Site for Deployment

This section is designed to help you prepare a site for Groove deployment. With this information and the more specific guidelines covered in subsequent sections, IT managers can develop site-specific corporate Groove deployment plans.

Upon completion of this half of the guide, readers should be ready to install and configure servers (if onsite), set up Groove usage policies and licenses for managed users and devices, and install Groove clients.

The following sections guide you through the preliminary steps of site planning:

• Site Planning Checklist

• Windows Server Checklist

• Recommended Best Practices

• Disaster Recovery and Failure Contingencies

Site Planning Checklist

The following checklist provides a starting point for planning a Groove client-server installation. The checklist covers the major site planning considerations of most enterprise deployments of communications software, including the following:

• Hardware inventory

• Capacity planning

• Network planning

• Management server preparation

• Disaster avoidance

Groove Client-Server Site Planning Checklist

Hardware Availability:

Windows Server 2000 or 2003 hardware available? Yes[ ] No[ ]

IIS installed? Yes[ ] No[ ]

Management server name: __________________________

SQL database server hardware available? Yes[ ] No[ ]

Corporate LDAP directory server available for downloading user information? Yes[ ] No[ ]

If using an LDAP directory server, what type? ___________________________

Microsoft Active Directory, IPlanet, and Lotus Domino R5 (or later) supported and recommended.

Directory path:

Relay Server hardware available? Yes[ ] No[ ]

If relay servers installed, how many?

Relay server names: ________________|___________________|_________________

Capacity:

How many users do you plan to support?

How many concurrent users do you plan to support?

How many Groove clients on LAN/WAN? External? Total?

Network Preparation:

Corporate Internet connection in place? Yes[ ] No[ ]

Firewall(s) used? Yes[ ] No[ ]

Brand:

Blocked ports:

Allowed ports:

Proxy device(s) used? Yes[ ] No[ ]

Brand:

Specifications:

Management Server Preparation:

How many management domains do you need to define?

Domain names: ________________|___________________|_________________

Server Administrator login name: ____________________ Password __________________

Additional Server administrators? Yes[ ] No[ ]

Server Admin names: ________________|___________________|_________________

Domain Administrator login name/password/role:

Domain: ______________| Admin: ________________|___________________|___________

Domain: ______________| Admin: ________________|___________________|___________

Domain: ______________| Admin: ________________|___________________|___________

Groove Client-Server Site Planning Checklist

Groove Enterprise Planning and Deployment Preparing Your Site for Deployment 57

Page 63: Groove Enterprise Planning and Deploymentdownload.microsoft.com/download/A/A/A/AAA7F161... · Design the DMZ Network Infrastructure 75 Plan the Enterprise Management Server Implementation

Windows Server Checklist

In addition, to reduce troubleshooting time later, review these Microsoft-recommended checkpoints for preparing your Windows 2000 (or later) servers, excerpted from http://www.microsoft.com/windows2000/professional/evaluation/business/upgrading.asp:

• Does your system need a clean start? Most of the previous versions of Windows can be upgraded to either a client or server version of Windows 2000, but not all. Windows 95 and Windows NT® Workstation 4.0, for example, can be upgraded to Windows 2000 Professional, but Windows 3.1 cannot. For those versions of Windows that cannot be upgraded, you will need to perform a new installation of the Windows 2000 operating system (which in some cases may be preferable anyway, because a new installation gets your system off to a fresh start). Refer to Upgrading from Previous Versions of Windows for detailed information on the various upgrade scenarios.

• Is your system compatible? Windows 2000 supports a wide selection of computers, hardware components, and software applications, but a number of older systems, components, and applications may not be compatible. To begin with, make sure your system meets minimum requirements for processor speed, RAM, and hard drive space. Then, go to Check Hardware and Software Compatibility for search tools that will help you find compatible equipment and applications. If your devices or software aren’t listed, you should contact the manufacturers for information about the compatibility of their products with Windows 2000.

• Do you need updated drivers? Once you know your hardware is compatible, you need to make sure that Windows 2000 is equipped with the right drivers. Finding Hardware Device Drivers That Are Compatible with Windows 2000 has some basic pointers, and you may also want to check out popular Web sites that can connect you with the latest information and drivers for Windows-compatible hardware, such as CNET’s WinFiles.com, ZDNet’s Windows 2000 Resource Center, and WinDrivers.com.

What Groove licenses do you need?

Name of LDAP directory (if used):

Disaster Recovery:

What type of failover contingencies do you need to prepare for?

Supporting Servers (besides management and relay):

Groove Client Audit Server? Yes[ ] No[ ] How many?____

Enterprise Installer Yes[ ] No[ ] How many?____

Groove Components Server Yes[ ] No[ ] How many?____

XMPP Proxy Server Yes[ ] No[ ] How many?____

Enterprise Data Bridge Server Yes[ ] No[ ] How many?____

Groove Backup Service Yes[ ] No[ ]

Groove Client-Server Site Planning Checklist

• Is your system’s BIOS current? Windows 2000 requires a current basic input/output system (BIOS). You might not be able to use the advanced power management and device configuration features in Windows 2000 if you do not have the most current BIOS version for your system. Further, if your computer manufacturer has indicated that you need a new BIOS and you do not update it, or you install the wrong BIOS version, your computer may stop working properly. See BIOS Compatibility and Windows 2000 for a helpful Q&A on the matter.

• Do you have a back-up plan? Although you can cancel an upgrade during Setup without affecting your existing configuration, Windows 2000 does not include an uninstall feature that you can use after installation is complete. This means that once you’ve installed Windows 2000 on your system, you can’t go back to your previous configuration unless you wipe your system clean, reinstall the old operating system, and then reinstall all your applications. For this reason, be sure to have a plan to follow in the event that files are lost during Setup and back up your important files before proceeding with an upgrade.

Recommended Best Practices

The location of specific management and relay servers at your site depends on the performance objectives and security practices at your organization, as well as on the distribution of users with respect to your network topology. The following sections provide a foundation of server deployment guidelines and best practices, based on deployment of management, relay, and data bridge servers at Groove Networks:

• EMS and ERS Performance Best Practices

• EMS and ERS Security Best Practices

• EDB Best Practices

EMS and ERS Performance Best Practices

The Enterprise Management and Relay Servers both rely on Internet connections, so familiarizing yourself with the general best practices recommended for hosting an Internet server is a practical starting point for deployment preparation.

Some useful URLs are:

http://www.sans.org/top20.htm - for information about Internet vulnerabilities.

http://www.sans.org/infosecFAQ/index.htm - for general information about security.

http://www.sans.org/ddos_roadmap.htm - for information about Denial of Service issues.

http://www.cert.org/nav/index_green.html - for up-to-date reports about a wide range of server issues.

The following basic guidelines can help assure that a corporate Groove installation meets your performance and capacity requirements:

• Install the management server software on a clean stand-alone Windows Server 2000 (or later) machine. Do not try to install a management server on a domain controller or a machine where Groove is running. Doing so will cause the installation process to fail. Install the SQL server on a separate Windows Server 2000 (or later) machine.

• The number of users that your system can support largely depends on the hardware configuration of the Internet Information Service (IIS) and SQL servers that comprise the management server installation. The stated minimum requirements should support a user community of up to 3,000 Groove users. Larger deployments will require additional RAM and disk storage capacity. Monitor Groove and management server performance to determine if and when additional hardware or software might be necessary.

• For the SQL server, plan on 20 KB storage per managed Groove user and approximately 5 transactions per hour.

• For any onsite relay server, equip the server machine with Dual 2.4-GHz Xeon processors, at least 2 GB of random access memory, 240 GB RAID 5 (formatted) hard drive, and Write-Caching Hardware RAID Controller with battery backup recommended.

• If your company uses proxy servers to control traffic out to the Internet, Groove users should log in to the network before installing Groove to facilitate the process.

EMS and ERS Security Best Practices

The following basic measures can help assure an adequate level of security for your managed Groove installation:

• Locate the management and relay server(s) in a DMZ. Figure 2, below, shows an example of a typical management server setup.

• Be sure to set the proper parameters to secure your management server Web site once it is created on the IIS machine. For example, with Windows Server 2000, all security parameters are open by default, which may not be satisfactory for your site.

• Implement Windows or other log-in authentication on your management server. Avoid using NT LAN Manager (NTLM) Basic Authentication, which may not be a secure mechanism for authenticating the EMS Web site.

• To ensure secure distribution of Groove activation keys to your users, use one of the following methods:

• If possible, use an existing secure communication channel. For example, you could use security-enhanced email, such as Lotus Notes®, or email on a trusted local area network.

• If the above method is not feasible, exchange user fingerprints with each Groove user, via some means you trust for integrity-protecting the fingerprints (such as in-person or telephone), consistent with your security policy. Then use Groove’s instant message tool to securely (confidentially) distribute activation keys to each user.

• If neither of the above methods is feasible, manually distribute activation keys.

• Establish administrative roles, governing physical access to management server machines, access to server-level controls, and access to management domain controls.

• Consider installing the latest Critical Update Package and Security Rollup on the directory (SQL) server.

• To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the management server on a machine with redundant hard drive capability, typically a hardware RAID (software RAIDs provide protection for data only, not the operating system).

• The management and relay servers run exclusively on Microsoft Windows 2000 and 2003 Servers and are susceptible to systems and network-level vulnerabilities that are related to these servers. To limit exposure to denial of service and other vulnerabilities, see the Microsoft Web site, http://www.microsoft.com. For discussions of server vulnerability mitigations, see the System Administration, Networking, and Security (SANS) Institute Web site, http://sans.org/.

• Consider using proxy devices to force transmissions through a single port, in order to prevent access to other ports, limiting transmissions to those using HTTP, for example.

• Make sure to keep labeled copies of any certificates or private keys you use in a known secure location (such as on disk in a locked cabinet or in a directory on a secure private network). You may need access to these old certificates or private keys in the future (for example, if you need to recover client data but the client has an older version of the data recovery certificate).

• Install anti-virus software on the management server (and client) machines. When installing anti-virus software, make sure to disable Script Blocking, as script blocking can impede proper management server operation.

Figure 2. Example of Management Server Setup

EDB Best Practices

Groove Networks recommends the following best practices for deploying Enterprise Data Bridge Servers:

• To help secure your EDB server setup, observe the following guidelines:

• Locate the EDB server on a private network or in a DMZ.

• When defining a cluster account password, disable the Remember password option (unless you intend to run the EDB server as an auto-start Windows service, which requires a password in order to function without user intervention).

• Never install the Platform Groove Development Kit (GDK) on a production EDB server, as the GDK enables you to disable component authentication (which is on by default).

• Be sure that component authentication is enabled on the EDB server (unless you are setting up a bot development and prototyping environment that does not involve confidential data). If component authentication is disabled (after the Platform GDK is installed), a message indicating this condition will appear when you start the server. Disabled component authentication is a serious security risk and overrides security policies governing component download set for the EDB server. The Installation and Configuration chapter of this guide provides more information about setting component authentication.

• When setting up your cluster account policies for component downloads, make sure to define component update policies that allow only components that come from trusted sources, in order to ensure maximum security of data stored on the server.

• Install the platform and EDB software on a clean machine. Do not try to install an EDB server on a domain controller, Web server (such as IIS), or a machine where Groove is or has ever been installed.

• To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the EDB server on a machine with redundant hard drive capability, typically a hardware RAID (software RAIDs provide protection for data only, not the operating system).

• Install the EDB server in a private network. See Figure 5 for a suggested basic setup.

Figure 5. Sample EDB Server Setup

Disaster Recovery and Failure Contingencies

EMS - To protect your data and the server operating system from the effects of component failure, the Enterprise Management Server and SQL server machines should be equipped with reliable redundant hard-drive capability, or other fault-tolerant technology, such as clustering. As with any server installation, you are probably also concerned about total server failure. To address this risk, you may want to consider an additional management server to provide backup in the event that your initial installation fails.

ERS - In the unlikely event of relay server failure, a multi-relay installation can reduce the risk of interrupted or slowed communications within your Groove network. Using the Enterprise Management Server, administrators can prioritize Enterprise Relay Servers assigned to a management domain. Managed Groove identities in the domain are then directed to a series of relay servers. If one relay is inaccessible for handling a message from a managed identity in the domain, the Groove client will contact the next relay in the list and attempt to queue the message on that relay. In the event of disk failure, you can use the relay server’s FFQBackup and FFQRebuild utilities to reconstruct databases.

EDB - To protect your data and the server operating system from the effects of component failure, the Enterprise Data Bridge Server device should be equipped with reliable redundant hard-drive capability. As with any server installation, you are probably also concerned about total server failure. To address this risk, consider installing an additional server to take over data bridge services when the primary machine goes down.

To protect your data and the server operating system from the effects of component failure, the relay and management server machines should be equipped with reliable redundant hard-drive capability, or other fault-tolerant technology.

General Server Deployment Guidelines

The sections below outline a procedure for incorporating Groove Virtual Office (formerly Groove Workspace) software into your corporate network - taking you from assessment, through planning, to software installation. Procedures in this section assume familiarity with the discussions and guidelines covered in previous sections of this guide.

The sections below outline the entire process, ultimately splitting into two paths - hosted or onsite server deployment:

• Identify Users and Assess Readiness

• Assess Network Infrastructure Readiness

• Determine Hosted or Onsite Server Configuration

• Deployment Process for Hosted Groove Services

• Deployment Process for Groove Onsite Servers

Identify Users and Assess Readiness

This activity involves enumerating all candidate Groove users and qualifying them for receiving the Groove virtual office software and managed ID. A qualified candidate Groove user is one that is specifically identified by name, email address, and any other relevant attributes, is approved to receive Groove by their business authority, and has a PC with network access that meets or exceeds minimum operational requirements.

Tasks

• Identify target user communities for Groove.

• Get specific user names and email addresses for Groove identity candidates via:

• A central authority (such as a business unit management team)

• Contact with users in specific groups (via targeted email, offering Groove virtual office software and instructions on how to sign up, for example)

• Open requests to users (via non-targeted broadcast email or web site posting, for example)

• For each Groove identity candidate, obtain specific user contact information.

• For each Groove identity candidate, obtain specific PC technical data and Intranet/Internet location, and any other relevant device information.

• Review each Groove identity candidate for Groove readiness and fulfillment approval. Approval criteria may include:

• Membership in allowed user community

• Adequate user contact information provided

• Ensure that each Groove identity candidate's device meets or exceeds the Groove technical and network requirements.

Result

Performing the above tasks should result in a list of qualified and approved Groove user identity candidates that are ready for fulfillment. The candidates should be grouped based on some community affinity and weighted with a fulfillment priority.

Assess Network Infrastructure Readiness

This activity involves investigating the corporate intranet, firewalls and Internet access systems for suitability to host Groove users. In the process, key persons responsible for operating the enterprise's network infrastructure will learn how Groove will communicate on their network.

Tasks

• Make sure that the Groove Essentials education course is delivered to key persons responsible for the intranet, firewalls and Internet access.

• Assemble a high-level IT description of your enterprise intranet. This typically includes network diagrams and details about:

• Major site links

• Bandwidth available

• Major data center locations

• Default communication routes

• DMZ/firewall/proxy locations

• Typical Internet Protocol (IP) subnet class size

• Network Address Translation (NAT) usage

• Domain Name Server (DNS) implementation

• SMTP implementation (including SPAM control system filters)

• Conduct a baseline test to determine if and how Groove will communicate effectively while on the enterprise's intranet.

• Identify firewall rules as they pertain to Groove (outbound support for HTTP, SOCKS, HTTPS, SSTP).

• Establish Virtual Private Network (VPN) connectivity.

• Establish connectivity to Windows SharePoint Services server.

Result

Performing the above tasks should result in a determination as to how well Groove communicates. Specific change recommendations will be made for improving the network infrastructure to optimize Groove's network performance and minimize any impact to ongoing network operations.

Determine Hosted or Onsite Server Configuration

After you address user and network readiness for a business-scale Groove installation, weigh the options for Groove Networks-hosted vs. onsite-hosted management, relay, and component services, as outlined under the following topics:

• Choose Hosted Management & Relay Services or Onsite Servers

• Choose Whether to Host Components from Onsite Server

• Choose Whether to Include Client Auditing in Onsite Scenario

Choose Hosted Management & Relay Services or Onsite Servers

The decision to use hosted management and relay services or build onsite servers involves evaluating the enterprise business requirements, and weighing the costs and benefits for each option. Specific options are (as described in “Deployment Scenarios” earlier in this guide):

• Hosted Management Services and Relay Services

• Onsite Enterprise Management Server and Enterprise Relay Server

• Onsite Enterprise Management Server and Hosted Relay Server

Tasks

• Discuss the Groove Networks-hosted management and relay services option with your Groove Networks representative. Available Service Level Agreements (SLAs) and costs should be described.

• Discuss the option for hosting your own onsite Management, Relay, and/or component servers with your Groove Networks representative.

• Contrast hosted versus onsite management servers. Onsite management servers offer the following additional features:

• Relay assignments in support of client side failover.

• Active Directory / LDAP directory integration with the Groove management domain.

• Custom domain reporting.

• Make hosted service versus onsite server determination.

• If hosted services are to be used for the deployment, procure the hosted services with the appropriate SLA from Groove Networks.

Result

Performing the above tasks should result in an explicit decision, either to employ Groove's hosted services or to deploy Groove servers onsite at the enterprise. If onsite servers are to be deployed, see the “Deployment Process for Groove Onsite Servers” described below.

Choose Whether to Host Components from Onsite Server

This activity involves evaluating the business requirements, costs, and benefits of accessing Groove components from a Groove-hosted site versus an onsite server, and deciding which will be used for the production deployment.

Tasks

• Discuss component hosting issues with your Groove Networks representative, including the following:

• Groove Networks component hosting services, available for all Groove released components

• Third parties (such as partners, integrators, etc.) that provide component hosting services for their own released component

• Technical issues around component major/minor versioning, component seeking and version management via policy

• Onsite component hosting options

• Determine whether to use Groove Networks or third party hosted components, versus using onsite component server(s).

Result

Performing the above tasks results in a decision in favor of using hosted component services or deploying component server(s) onsite at the enterprise.

Choose Whether to Include Client Auditing in Onsite Scenario

This activity involves evaluating the administrative requirements, costs, and benefits - particularly in terms of bandwidth usage and server capacities - of including the Groove client Audit Server as part of your managed Groove installation onsite.

Tasks

Discuss audit log capacity planning issues with your Groove Networks representative, including the following:

• Technical issues around bandwidth usage

• Installation options (installation on the supporting EMS-SQL server or another server)

Result

Performing the above tasks results in a decision whether or not to install the Groove Audit Server in support of your overall Groove management strategy.

Deployment Process for Hosted Groove Services

The following is a model process for deploying Groove to a large number of users (approximately 10,000) and employing Groove Networks-hosted management and relay services. These processes assume that the necessary SharePoint servers are already operational in the enterprise.

The flow chart below presents an overview of deployment activities in an environment of onsite Groove servers. Each activity in the chart is discussed in more detail in the sections that follow:

• Optimize Network Infrastructure

• Assemble Production Support for Groove Operations

• Define Groove Management Domains

• Prepare Groove Virtual Office Software for Distribution

• Conduct User Deployment Pilot

• Evaluate User Fulfillment

Optimize Network Infrastructure

This activity involves making the recommended network changes necessary to optimize Groove's communications and minimize impact on other network operations.

Tasks

• Modify or enhance the enterprise DMZ firewall / proxy configuration(s) to optimize support for Groove protocols.

• Enhance Intranet / Internet WAN links as needed (including additional bandwidth and routing modifications).

Result

Performing the above tasks results in a network infrastructure that has been optimized and is ready to support the expected Groove user community.

Assemble Production Support for Groove Operations

This activity involves establishing the enterprise's internal ability to manage the Groove software, user IDs and provide first line (escalated) support to end users.

Tasks

• Establish onsite operations staff for administering the Groove management domain(s).

• Plan for and add Groove user support to existing first line support with provisions for escalation to Groove support.

• Train in-house personnel responsible for operating and supporting Groove, via the following Groove Education course options:

• Course on administering hosted Groove management servers

• Course on supporting Groove

• Define Groove escalation process and identify named support contact(s)

• Decide on and purchase the appropriate Groove support contract.

Result

Performing the above tasks results in a trained staff ready to operate, manage and support the Groove users in the enterprise.

Define Groove Management Domains

This activity involves creating one or more Groove domains for the enterprise on the Management Server(s). The domain(s) must be configured specifically to manage Groove in compliance with the enterprise's business requirements and policies.

Tasks

• Execute an appropriate hosted services contract with Groove Networks. The hosted services Groove domain is provisioned by Groove Networks, which creates the required management domains, defines administrator roles, loads license package(s) for seats purchased, and registers hosted relay servers with management domains.

• Create logon accounts for domain administrators and assign access control role.

• Configure domain settings.

• Create domain groups.

• Set managed user identity and device policies for domain groups.

• Assign License Package(s) to domain groups.

• Configure Groove relay services for domain groups.

Result

Performing the above tasks results in the creation of one or more Groove domains. Each domain is configured and ready to manage. Licenses are loaded. Groove devices and identities are configured and ready to manage.

Prepare Groove Virtual Office Software for Distribution

This activity involves preparing the Groove virtual office software for large-scale distribution and installation on all users' PCs.

Tasks

• Discuss options and features (such as silent installation) available in the Groove Enterprise Installer with your Groove Networks representative.

For information about the Groove Enterprise Installer, see the Groove Software Deployment Administrator’s Guide.

• Choose a Groove Virtual Office software distribution option, such as one of the following:

• Acquire Groove Enterprise Installer from Groove Networks if desired.

• Download from the Groove Networks Web site

• Install from CD

• Internally host from onsite server (self download/install, pulled-to-desktop)

• Package for silent install via software distribution system (pushed-to-desktop)

• Consider managed PC issues, including the following:

• User/group Windows file system permissions

Note that the Groove Enterprise Installer Service provides component installation on behalf of users whose file system permissions prevent them from otherwise installing or upgrading for themselves

• Windows group membership

• Installation directory paths (for system, program, and user data) and related permission modifications

• Engineer and test each package/delivery method needed to reach all users' PCs.

Result

Performing the above tasks results in a customized package for delivering, installing, and supporting Groove software on end user PCs.

Conduct User Deployment Pilot

This activity involves testing the entire user fulfillment process and supporting systems with a small number of users (less than 100). The goal is to identify any problems that may exist and correct them before the large-scale deployment and before placing Groove in a production setting.

Tasks

• Test user fulfillment for less than 100 users.

Pilot users should be selected on the basis of their ability to exercise the various unique deployment and operations issues expected, taking into account PC platform, software distribution method, VPN, and network location.

• Identify and correct any problem areas discovered in fulfillment or operations.

Result

Performing the above tasks results in a validated and production ready user fulfillment process suitable for supporting the entire deployment and long-term Groove operations.

Evaluate User Fulfillment

This activity involves the production rollout of Groove software to the enterprise. It enables each user to use Groove software with their assigned managed identity. Users are typically fulfilled in groups based on their community affiliations.

Tasks

• Execute the communications plan that sets user expectations for the Groove deployment.

• Given the deployment schedule, for users in each fulfillment group:

• Distribute and install Groove software using engineered packages and delivery methods to the user fulfillment group.

• Create Groove identities from the list of qualified and approved Groove user candidates.

• Deliver basic end user training to users in the fulfillment group

• Distribute ID activations to users in the fulfillment group.

Result

Performing the above tasks results in all users in each fulfillment group receiving Groove software, and being able to log on to Groove and become active Groove users.

Deployment Process for Groove Onsite Servers

If you decide to install Groove Enterprise Management and Relay Servers, and/or Groove component servers onsite at the enterprise, additional onsite server deployment steps are necessary, beyond the basic Groove deployment processes described above for hosted services. Bear in mind the following important aspects of any onsite relay-management server deployment:

• Servers must be deployed in a DMZ and allow external client access over port 80.

• Communications can be optimized by opening port 2492 to native Groove protocols.

• Servers can be secured by limiting administrative access to servers and by controlling port access.
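The port guidance above and the prioritized relay failover described under "Disaster Recovery and Failure Contingencies" can be checked together before rollout. The following is an added example, not Groove Networks code: it probes each relay in priority order on ports 2492 and 80 and reports which relay a client would land on. The hostnames, the sample reachability table, and the use of a plain TCP connect as the measure of "accessible" are assumptions made for illustration.

```python
import socket
from dataclasses import dataclass

NATIVE_PORT = 2492  # port the guide says to open for native Groove protocols
HTTP_PORT = 80      # port the guide requires for external client access


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class RelayStatus:
    priority: int
    host: str
    native: bool  # port 2492 reachable
    http: bool    # port 80 reachable

    @property
    def reachable(self):
        return self.native or self.http

    @property
    def mode(self):
        if self.native:
            return "native-2492"
        return "http-80-only" if self.http else "unreachable"


def assess_relays(relays, probe=tcp_probe):
    """Probe every (priority, host) pair; return statuses in priority order."""
    return [
        RelayStatus(priority, host,
                    native=probe(host, NATIVE_PORT),
                    http=probe(host, HTTP_PORT))
        for priority, host in sorted(relays)
    ]


def select_relay(statuses):
    """Model the failover the guide describes: first accessible relay in the list."""
    for status in statuses:
        if status.reachable:
            return status
    return None


def findings(statuses):
    """Return review notes for the firewall and DMZ configuration."""
    notes = []
    for s in statuses:
        if not s.reachable:
            notes.append(f"{s.host}: no answer on {NATIVE_PORT} or {HTTP_PORT}; "
                         "clients move to the next relay in the list")
        elif not s.native:
            notes.append(f"{s.host}: only port {HTTP_PORT} answers; open "
                         f"{NATIVE_PORT} to allow native Groove protocols")
        elif not s.http:
            notes.append(f"{s.host}: port {HTTP_PORT} closed; the guide requires "
                         "external client access over port 80")
    chosen = select_relay(statuses)
    if chosen is None:
        notes.append("no relay accessible; messages cannot be queued")
    elif statuses and chosen.priority != statuses[0].priority:
        notes.append(f"failover in effect: clients land on {chosen.host} "
                     f"(priority {chosen.priority}) via {chosen.mode}")
    return notes


# Constructed sample data (hypothetical hosts): a prioritized relay list for one
# management domain and the (host, port) pairs that accept connections.
SAMPLE_RELAYS = [
    (2, "relay-b.example.test"),
    (1, "relay-a.example.test"),
    (3, "relay-c.example.test"),
]
SAMPLE_OPEN = {
    ("relay-b.example.test", HTTP_PORT),
    ("relay-c.example.test", NATIVE_PORT),
    ("relay-c.example.test", HTTP_PORT),
}


def sample_probe(host, port):
    """Offline stand-in for tcp_probe that consults the constructed table."""
    return (host, port) in SAMPLE_OPEN


if __name__ == "__main__":
    # Swap sample_probe for tcp_probe to test real relay hosts you administer.
    result = assess_relays(SAMPLE_RELAYS, probe=sample_probe)
    for status in result:
        print(status.priority, status.host, status.mode)
    for note in findings(result):
        print("NOTE:", note)
```
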

Install (or upgrade) Groove servers and clients in this recommended order:

1. Enterprise Relay Servers

2. Enterprise Management Servers

3. Groove Client Audit Servers

4. Enterprise Data Bridge Servers

5. Groove Virtual Office clients

The flow chart below presents an overview of deployment activities in an environment of onsite Groove servers. Each activity in the chart is discussed in more detail in the sections that follow:

• Designing an Onsite Groove System

• Design the DMZ Network Infrastructure

• Plan the Enterprise Management Server Implementation

• Plan the Enterprise Relay Server Implementation

• Plan the Component Server Implementation

• Installing and Configuring the Servers

• Anti-Intrusion Hardening

• Acceptance-Testing the Production System

For details about installing and configuring an Enterprise Management Server (EMS) at your site, see the Groove Management Server Administrator's Guide. For detailed information about installing and configuring an Enterprise Relay Server (ERS) at your site, see the Groove Enterprise Relay Server Administrator's Guide.

Designing an Onsite Groove System

This activity involves assessing the expected Groove user community, existing network infrastructure, and operational requirements in order to design a suitable onsite system that may include DMZ infrastructure(s), Enterprise Management Server(s), Enterprise Relay Server(s), and Component server(s).

Tasks

• Create an architecture that may include:

  • Data center - Server location(s) and user location(s)

  • Intranet WAN, DMZ and Internet topology considerations

  • Server types: EMS, ERS, and Component servers

  • Capacity plan for each type of server vs. expected users

  • Failover / Load Balancing

  • Integration - SMTP, LDAP, DNS

Result

Performing the above task results in a basic Groove deployment architecture and plan that specifies the number and types of servers needed, their locations in the enterprise topology and their various integrations with existing systems.

Design the DMZ Network Infrastructure

This activity involves assembling the implementation details for locating the onsite servers in the enterprise DMZ. The design should address the requirements set forth by the enterprise architecture and incorporate current enterprise practices and security policies.

Tasks

• Review and incorporate enterprise practices and security policies for building DMZ systems into the design.

• Define Network / Firewall configurations and rules.

• Define a public-facing network.

• Define a private administrative network.

• Define the administrative VPN to the private administrative network.

• Consider and design for secure back channel inter-server communications.

• Consider and design for an intrusion detection system.

Result

Performing the above tasks results in a detailed design for securely implementing Groove onsite servers into the DMZ. Specific network topology, routing and firewall configurations, etc. are described in the design.
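The port guidance given earlier for onsite servers (external client access over port 80, port 2492 opened for native Groove protocols, administrative access limited) and the public-facing/private administrative split designed here can be checked mechanically against a draft rule set. The following Python audit is an added example, not part of the Groove documentation or software; it assumes a simplified rule model (ordered TCP rules toward the DMZ servers, first match wins, default deny) and uses constructed addresses such as the 10.20.0.0/24 administrative network.

```python
"""Audit a draft DMZ rule set against the guide's port policy (added example)."""
import ipaddress
from dataclasses import dataclass

# From the guide: external clients need port 80; port 2492 carries native Groove protocols.
PUBLIC_PORTS = (80, 2492)
MAX_ADDR, MAX_PORT = 2**32 - 1, 65535


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # IPv4 source network in CIDR form
    lo: int       # first TCP port covered (>= 1)
    hi: int       # last TCP port covered


def decide(rules, addr, port):
    """Assumed semantics: rules are ordered, first match wins, no match means deny."""
    for r in rules:
        if addr in ipaddress.ip_network(r.src) and r.lo <= port <= r.hi:
            return r.action
    return "deny"


def _cut_points(rules, admin_net):
    """Starts of the address and port intervals on which the verdict cannot change."""
    addrs, ports = {0}, {1}
    for net in [ipaddress.ip_network(r.src) for r in rules] + [admin_net]:
        addrs.add(int(net.network_address))
        if int(net.broadcast_address) < MAX_ADDR:
            addrs.add(int(net.broadcast_address) + 1)
    for lo, hi in [(r.lo, r.hi) for r in rules] + [(p, p) for p in PUBLIC_PORTS]:
        ports.add(lo)
        if hi < MAX_PORT:
            ports.add(hi + 1)
    return sorted(addrs), sorted(ports)


def audit(rules, admin_cidr, client_probe="198.51.100.7"):
    """Return (kind, source, ports) findings; client_probe is a constructed Internet client."""
    admin_net = ipaddress.ip_network(admin_cidr)
    addrs, ports = _cut_points(rules, admin_net)
    findings = []
    for i, a in enumerate(addrs):
        src = ipaddress.ip_address(a)
        if src in admin_net:
            continue  # the private administrative network may reach management ports
        a_end = ipaddress.ip_address(addrs[i + 1] - 1 if i + 1 < len(addrs) else MAX_ADDR)
        for j, p in enumerate(ports):
            if p in PUBLIC_PORTS:
                continue  # intended public exposure
            p_end = ports[j + 1] - 1 if j + 1 < len(ports) else MAX_PORT
            if decide(rules, src, p) == "allow":
                findings.append(("exposed", f"{src}-{a_end}", f"{p}-{p_end}"))
    probe = ipaddress.ip_address(client_probe)
    if decide(rules, probe, 80) != "allow":
        findings.append(("blocked", client_probe, "80"))        # clients cannot connect
    if decide(rules, probe, 2492) != "allow":
        findings.append(("unoptimized", client_probe, "2492"))  # advisory only
    return findings


ADMIN_NET = "10.20.0.0/24"  # constructed private administrative network

# Constructed draft with an over-broad "high ports" rule on the public side.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", 80, 80),
    Rule("allow", "0.0.0.0/0", 1024, 65535),
    Rule("allow", ADMIN_NET, 1, 65535),
]

# Corrected draft: only 80 and 2492 are public, everything else is admin-only.
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", 80, 80),
    Rule("allow", "0.0.0.0/0", 2492, 2492),
    Rule("allow", ADMIN_NET, 1, 65535),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules, ADMIN_NET))
```

Because the audit evaluates the effective first-match verdict on every interval between rule boundaries, an allow rule that is fully shadowed by earlier deny rules produces no finding.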

Plan the Enterprise Management Server Implementation

This activity involves assembling the implementation details for the management server. It assumes the basic requirements defined in your Groove design plans (discussed above) and incorporates current enterprise practices for production servers operated in the DMZ.

Tasks

• Specify the Enterprise Management Server hardware.

• Specify the hard disk channel I/O and partitioning configurations.

• Specify the operating system version, service pack level, updates and patch requirements.

• For the Internet Information Server (IIS) and SQL 2000 servers - specify the software versions, service pack levels, updates and patch requirements.

• Specify the Audit Server hardware (if utilizing this application).

• Specify the operating system options to be installed.

• Specify the server software options to be installed.

• Specify the network interface card (NIC) configurations.

Result

Performing the above tasks results in a detailed design for implementing and configuring the Enterprise Management Server (and optional Audit Server) on the specified host hardware. The design includes explicit server specifications and configuration recommendations for the server hardware, operating system, Web server, SQL server and EMS.

Plan the Enterprise Relay Server Implementation

This activity involves assembling the implementation details for the relay server. It assumes the basic requirements as set forth by the enterprise architecture activity and incorporates current enterprise practices for production servers operated in the DMZ.

Tasks

• Specify the Enterprise Relay Server hardware.

• Specify the hard disk channel I/O and partitioning configurations.

• Specify the operating system version, service pack level, updates and patch requirements.

• Specify the operating system options to be installed.

• Specify the server software options to be installed.

• Specify the NIC configurations.

Result

Performing this activity results in a detailed design for implementing and configuring the Enterprise Relay Server on the specified host hardware.

Plan the Component Server Implementation

This activity involves assembling the implementation details for the component server. It assumes the basic requirements as set forth by the enterprise architecture activity and incorporates current enterprise practices for production servers operated in the DMZ.

Tasks

• Specify the Component Server hardware.

• Specify the hard disk channel I/O and partitioning configurations.

• Specify the operating system version, service pack level, updates and patch requirements.

• For the IIS servers - specify the software versions, service pack levels, updates and patch requirements.

• Specify the operating system options to be installed.

• Specify the NIC configurations.

Result

The result of the activity is a detailed design for implementing and configuring the component server on the specified host hardware. Explicit server specifications and configuration recommendations for the server hardware, operating system and component server are made. Using the information provided by this design, the server may be built.

Installing and Configuring the Servers

This activity implements the architecture and design for the onsite servers and their related DMZ network infrastructure. All specified onsite server and DMZ hardware and software must be available to complete this activity.

Tasks

• Build, install and configure the designed DMZ network infrastructures.

• Install and configure the Enterprise Management server(s) and associated SQL server in the respective DMZ infrastructures. (This process includes options for incorporating a company directory server and Groove Client Auditing Service into the system.) See the Groove Enterprise Management Server Administrator’s Guide for installation instructions.

• Install and configure the Groove Enterprise Relay server(s), and an XMPP Proxy Server if desired, in the respective DMZ infrastructures. See the Groove Enterprise Relay Server Administrator’s Guide for installation instructions.

• To support onsite Groove component services, install and configure any Groove Component Server(s) into the respective DMZ infrastructures. See the Groove Software Deployment Administrator’s Guide for installation instructions.

• To support Groove integration with other applications, install and configure the Groove Enterprise Data Bridge Server. See the Groove Enterprise Data Bridge Server Administrator’s Guide for installation instructions.

Result

Performing the above tasks results in a completely built and configured onsite server system that follows the planned architecture and design. This will become the operational production system for the enterprise upon successful system acceptance.

Anti-Intrusion Hardening

This activity involves analyzing the entire onsite server system with the goal of preventing and mitigating system intrusions. The activity investigates each server, the DMZ network infrastructure and the overall onsite system for intrusion susceptibility and proposes steps to identify and correct problems.

Tasks

• Check Service Packs, critical updates, patches, and related items.

• Uninstall unnecessary components.

• Disable unnecessary OS services.

• Harden logon accounts.

• Apply NIC protocol filters.

• Implement DMZ infrastructure restrictions and lock-downs.

• Check and tune the intrusion detection system.

Result

Performing the above tasks results in a methodical anti-intrusion hardening of the onsite server system so that it may operate securely as a production service to the enterprise. Once anti-intrusion hardening is completed, the system is ready for production acceptance testing.

Acceptance-Testing the Production System

This activity involves evaluating the overall functionality and production readiness of the onsite server system as it relates to the system's architecture and design.

Tasks

• Test EMS functionality.

• Test ERS functionality.

• Test component server functionality.

• Test system penetration (for all servers and DMZs).

• Test the intrusion detection system (for all DMZs).

• Test full system (Groove virtual office software, EMS, ERS, component server, network infrastructure).

Result

Performing the above tasks results in a production-ready and fully operational onsite server system suitable for hosting the expected user community.

FAQs

This section presents answers to questions commonly asked with regard to Groove client-server deployments in a business setting.

What impacts does a Groove deployment have on network performance?

A Groove system of clients and servers does not measurably disrupt network performance. See “Network Topology and Groove” in the Site Planning section of this guide for a discussion of Groove interaction with other network devices and tools.

How is performance affected compared to browser-based systems?

A Groove system of clients and servers compares with most currently available browser or platform-based communications products in terms of bandwidth consumption and performance. See “Groove Bandwidth Usage” in the Site Planning section of this guide for a discussion of Groove performance and bandwidth usage.

Do all servers need to communicate with the Internet?

If you intend to support Groove users outside your local network or if you employ Groove Networks-hosted servers (or any other external Groove-related servers), at least some of your Groove servers must have Internet access. However, in closed network environments, when all Groove clients and servers are on a private network, Internet connectivity is not a requirement.

The following table summarizes when Internet access is required for the various servers (and client devices):

| This Device Needs Internet Access: | If any of the following are external: |
|---|---|
| Management Server | Groove clients; Relay services (such as Groove-hosted); Corporate directory (LDAP); Component services (such as Groove-hosted); Backup services |
| Relay Server | Groove clients; Component services (such as Groove-hosted); Backup services |
| Data Bridge Server | Groove clients; Management services (such as Groove-hosted); Corporate application servers integrating with Groove |
| Component Server | Component source (www.groove.net, unless updating from CD only) |
| Audit Server | Groove clients; Enterprise Data Bridge Server |
| Groove clients | Any other Groove client to be included in Groove workspaces; Relay services; SharePoint services in use |

Should all machines be in a DMZ?

Yes, unless you are running Groove on a closed network, locating Groove servers - including management, relay, and data bridge servers - in a DMZ is highly recommended to protect the integrity of corporate data. Note that, if you employ Groove Hosted Management, Relay, or Component services, you need not be concerned with setting up a DMZ to support Groove.

How do I control network bandwidth utilization?

Groove management servers allow you to control overall Groove network bandwidth utilization within your organization via a device policy setting. However, bear in mind that Groove does not limit its use of communications bandwidth except when addressing the requirements of “sociable communications,” when bandwidth usage is determined by an internal optimization protocol. Typically, this policy should remain disabled or the value field left blank. Enabling the policy and specifying a value to limit Groove network bandwidth usage substantially impedes Groove performance. See the section on setting a Groove bandwidth limit for devices in the Groove Enterprise Management Server Administrator’s Guide for more information on this topic.

How do I prevent virus propagation in a Groove client/server environment?

Groove virtual office software, as of version 3.0, automatically performs virus scanning on all files that pass through Groove. If Groove finds the file to be infected, it prohibits the file transfer.

In a business environment, installing anti-virus software on the management server (and client) machines is recommended. When installing anti-virus software, make sure to disable Script Blocking, as script blocking can impede proper management server operation.

Note that installing anti-virus software on a relay server machine can significantly impede relay performance and therefore is not recommended.

Do I need to back up my management servers?

Yes, backing up user accounts on the management server is highly recommended, in order to avoid the consequences of lost or corrupted user account data. You cannot retrieve the account information or the user’s workspace data unless you have some backup system in effect. See the section on backing up and restoring user accounts in the Groove Enterprise Management Server Administrator’s Guide for detailed information on this topic.

Do I need to back up my relays?

Yes, backing up relay server data is highly recommended. Immediately after installing and before reinstalling or upgrading the relay server, you should back up critical key files, registry settings, and database directories, and save them to a secure location. In addition, you should consider backing up these settings, files, and directories periodically, such as when you rename or regenerate key files. If you neglect to back up these items and then uninstall or reinstall the relay, or if the relay server disk drive fails, you risk permanently losing relay server identity information. See the Groove Enterprise Relay Server Administrator’s Guide for detailed information about backing up relay servers.

Note: If you employ Groove Hosted Relay Services, Groove Networks handles relay backups.

Can I back up Groove workspace data?

Yes, by installing the Enterprise Data Bridge Server, supplemented by the Enterprise Backup Service at your site. The backup service uses bots (automated pieces of agent code) to periodically back up all spaces under its control onto a file system. See the Groove Enterprise Backup Service Administrator’s Guide for detailed information about backing up Groove workspaces.

How can I make sure that user names match their email names?

Groove management servers allow server administrators to integrate user identity information (including email addresses) on a directory server with managed Groove user information defined on the management server. See the section about configuring directory synchronization in the Groove Enterprise Management Server Administrator’s Guide for detailed information on this topic.

How can I audit Groove usage?

The Groove Client Audit Log, provided with the Groove Enterprise Installer application, allows you to configure automatic audit logging via the Windows NT Event Viewer. The Groove audit log is an optional Groove capability, made available through a registry file included with the Groove Enterprise Installer and subsequently applied to client devices. This capability allows you to audit events associated with Groove user accounts, provided that the management server device policies that govern client auditing allow for this. See the Groove Software Deployment Administrator’s Guide for details about setting up managed client auditing.

Can I use other database servers besides SQL (such as Oracle) to support the Enterprise Management Server?

No, Groove management servers currently require SQL servers to store Groove management data.

Can I run all servers on one machine?

No, with the exception of the Groove component server, each server machine has different configuration requirements and installing the server software on stand-alone machines is recommended. A managed Groove environment has the following minimum device requirements:

• SQL server, requires EMS access but not Internet access

• IIS server for EMS, requires Internet access

• Enterprise Relay Server without IIS (or Groove-hosted relay services), requires Internet access

• Enterprise Data Bridge Server (if used), requires Internet access

How can I ensure that only trusted components are installed?

Groove management (and integration) servers let administrators define device policies that specify which components can be installed on managed devices. See the Groove Enterprise Management Server Administrator’s Guide for details about setting this policy.

As an added level of security in the context of Groove component availability, you can consider deploying a dedicated Groove Component Server, typically installed on a closed network. In this way, administrators have complete control over what Groove components are available for download to managed clients, eliminating the need for client contact with groove.net over the Web. The component server can be updated by periodic contact with www.groove.net or via Groove component CD. See the Groove Component Server Guide for details about this product.

How can I ensure that my system supports only trusted users?

Groove management (and integration) servers let administrators define peer authentication policies that identify trust levels of Groove identities within a management domain. Administrators can then control how managed Groove users should respond to contacts, depending on a contact’s trust level.

Management servers also provide for cross-domain certification, allowing administrators to certify managed Groove identities across specific management domains.

See the Groove Enterprise Management Server Administrator’s Guide for details about setting peer authentication policy and certifying different domains to allow trusted interaction between them.

How do I handle employee termination?

Groove workspace and account data reside on the Groove user’s device and are protected with the user’s password. This means that, by default, if a user leaves the company or forgets a password, no one can access that user’s workspaces unless they know the user’s password. The management server and the Data Recovery Tool that supports it enable you to reset a user’s password and restore data on managed devices in the domain.

Note that, if a managed device is cleaned out before connecting to the management server for the user’s managed contact information, the contact information remains intact on the management server.

For more information about recovering managed user data and account information when the user’s device password is forgotten or lost, see Groove Enterprise Management Server Administrator’s Guide.

How do I handle lost management server machines?

Back up your managed user accounts to avoid permanent loss, then restore on a new management server device, as described in the Groove Management Server Administrator’s Guide.

Use the EDB-based Groove Backup Service to back up Groove workspaces. You (or users) can then restore the resulting .gsa file to the appropriate client devices using the Restore Workspace feature of Groove Virtual Office. See the Groove Backup Service Administrator’s Guide for detailed information about this service.

What happens when a relay disk is lost?

Immediately after installing and before reinstalling or upgrading the relay server, you should back up critical key files, registry settings, and database directories, and save them to a secure location. In addition, you should consider backing up these settings, files, and directories periodically, such as when you rename or regenerate key files. If you neglect to back up these items and then uninstall or reinstall the relay, or if the relay server disk drive fails, you risk permanently losing relay server identity information. See the Groove Enterprise Relay Server Administrator’s Guide for detailed information about backing up relay servers.

What advantages do multiple management servers offer?

Multiple management servers provide failover coverage. Performing periodic management server backup onto another machine (and registering users in mirrored domains on that machine) allows that machine to continue service in the event of catastrophic damage to the first machine. The additional server may be connected to the same SQL server as the first machine or to a separate one with a backed-up copy of the original SQL server data.

What advantages do multiple relay servers offer?

Multiple relay servers provide failover coverage. Performing periodic relay server backup onto another machine (and registering users in mirrored domains on that machine) allows that machine to continue service in the event of catastrophic damage to the first machine. In addition, multiple relay servers allow administrators to distribute relay usage across those machines, providing an alternate (secondary) server to domain clients when the primary server is busy. This configuration generally improves Groove performance, as bandwidth usage is spread across multiple devices.
