Advanced configuration
Select Configuration > Advanced to access the Advanced options.
In this section:
- DSCP QoS configuration
- HTTP access
- TLS
- NTP
- Load Balancer status
- SMB storage authentication
- SMTP configuration (2020.2 and earlier)
- Syslog server
- SSH Access
- Web Proxy Server
DSCP QoS configuration
This setting is only required if your organization uses Differentiated Services Code Point (DSCP) settings to help manage its network traffic.
The setting must be applied in accordance with your organization’s networking requirements. Your network team will be able to advise which setting to apply.
In the DSCP QoS Configuration area of the Advanced options, select the required configuration and click Update.
HTTP access
In the HTTP Access area of the Advanced options, configure the required setting and click Update to apply.
This option should only be used to enable connection by HTTP in a load balanced environment or with an SSL offload appliance.
Secure Session Cookies
For load balanced configurations where SSL offload is being used, secure session cookies will not be issued automatically. If secure session cookies are required, the load balancer request headers should be configured to include: x-secure-cookie=1
TLS 1.0
PCI compliance requires SSL v3/TLS 1.0 to be disabled in File Director. Configuring endpoints to default to a secure protocol (TLS 1.1 or TLS 1.2) requires the implementation of registry settings and potentially an update. Customers that are unable to implement this change can toggle TLS 1.0 on in File Director. For further information, see this Microsoft support article 3140245.
Select Configuration > Advanced and apply the Enable TLS 1.0 option as required.
When enabled, this is done across the whole cluster.
Ivanti recommends turning off TLS 1.0 support as soon as all legacy endpoints in the environment are updated or replaced.
Network Time Protocol (NTP)
Add the server addresses or fully qualified domain names (FQDNs) of the NTP servers you want to use. File Director is configured with the addresses of three default NTP servers. If you use your own NTP servers, replace the default addresses with the addresses of your own. You can specify between one and three NTP servers. Refer to Prerequisites for internal firewall settings help.
(File Director 2021.3 and later) If File Director detects a problem with time synchronization on the appliance, a message is displayed in the Notifications panel.
Synchronization issues can be caused by, for example, network outages or firewall configuration problems. When the notification appears, administrators are advised to restart the NTP server(s), but should note that the refresh process may take several seconds to complete.
Load Balancer status
To check the health status of a server in a load balanced environment, click the Status URL link.
A status page is displayed showing one of the following:
- Success - The server is functioning correctly within the load balancer pool.
- Failure - The server is either offline or is not functioning correctly within the load balancer pool.
The examples below illustrate the two possible responses and what they mean.
Appliance is healthy and can accept traffic:
> GET /status HTTP/1.1
> Host: appliance:8001
> User-Agent: curl/7.71.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Server: WEBrick/1.4.2 (Ruby/2.6.5/2019-10-01)
< Date: Thu, 10 Sep 2020 15:38:40 GMT
< Content-Length: 20
< Connection: Keep-Alive
<
{"status":"Success"}
Note the response code = 200, and status = Success
Appliance is at capacity and the load balancer should treat it as down:
> GET /status HTTP/1.1
> Host: appliance:8001
> User-Agent: curl/7.71.1
> Accept: */*
>
< HTTP/1.1 409 Conflict
< Content-Type: application/json
< Server: WEBrick/1.4.2 (Ruby/2.6.5/2019-10-01)
< Date: Thu, 10 Sep 2020 15:25:25 GMT
< Content-Length: 19
< Connection: Keep-Alive
<
{"status":"Failed"}
Note the response code = 409, and status = Failed
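A health-check classifier for the two responses shown above, added here as an example and not part of the File Director product. It treats a node as up only when the response code is 200 and the body reports "Success"; a 409, a non-JSON body, or an unreachable appliance all count as down, which is the safe choice for a pool member. The URL and the embedded sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses, modelled on the two curl captures above.
HEALTHY_RAW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b'{"status":"Success"}'
)
AT_CAPACITY_RAW = (
    b"HTTP/1.1 409 Conflict\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b'{"status":"Failed"}'
)

def classify(status_code, body):
    """Return 'up' only when status code and JSON body agree; else 'down'.
    A 200 with a Failed body, or a body that is not JSON, is treated as
    down so an ambiguous node is removed from the pool rather than kept."""
    try:
        status = json.loads(body.decode("utf-8", "replace")).get("status")
    except (ValueError, AttributeError):
        return "down"
    return "up" if status_code == 200 and status == "Success" else "down"

def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]  # e.g. b"HTTP/1.1 409 Conflict"
    return int(status_line.split(b" ")[1]), body

def probe(url="http://appliance:8001/status", timeout=5):
    """Fetch /status over the network (hypothetical URL).
    urllib raises HTTPError for the 409 case, so classify its body too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())
    except OSError:
        return "down"  # unreachable or timed out: not a usable pool member
```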
Enable Maintenance Mode
Select Enable Maintenance Mode to temporarily take the server offline. The server is no longer available in the load balancer pool and cannot be communicated with. This allows any necessary maintenance and configuration tasks to be completed. Whilst the server is in Maintenance Mode, the status of the server shows as 'failure'.
De-select Enable Maintenance Mode to make the server available in the load balancer pool once again.
SMB storage authentication
Set the authentication method used by the File Director appliance to connect to the SMB Storage - NTLM or Kerberos.
If you select Kerberos, you must configure the Realm and Key Distribution Center (KDC) settings in the Kerberos page.
Support for link based sharing was withdrawn from File Director 2020.3.
Refer to the user help for SMTP configuration.
Syslog Server
Monitoring software enables you to exploit the syslog stream from your appliance and monitor the health of your File Director cluster in real time. This is strongly recommended and enables performance issues or risks to be identified early.
By default File Director uses Transmission Control Protocol (TCP) to output syslogs and this is the recommended setting. User Datagram Protocol (UDP) can be selected as an alternative (2021.3 and later). Note that UDP is less reliable. In the case of a configuration or network problem, any traffic sent via UDP is lost immediately and without notification whereas under TCP data is spooled and resent when the issue is resolved.
Ivanti provides a set of open source tools for your use including a set of customizable dashboards freely available from Ivanti Marketplace.
- Select Configuration > Advanced and scroll down to the Syslog Server section of the screen.
- Enter the IP address of the remote syslog server and click Update.
Secure Shell (SSH) Access
Note: the SSH section was added to the File Director web console in 2019.3; previously it was accessible via the VM console only.
Administrators may have requirements to access the File Director appliance over SSH connection. There are two user accounts that can be used for that purpose:
• The support account provides access to the File Director’s command line interface (CLI), which is a small set of commands used for troubleshooting and diagnostics.
• The service_user account provides non-privileged access to the underlying OS shell and enables you to, for example, perform an authenticated vulnerability scan against the appliance. Access to this account requires key-based authentication; password authentication is not allowed. You can generate a private and public key pair using the web console.
Enable / disable SSH access
SSH access is enabled or disabled via a simple checkbox. By default it is disabled.
• Select the Enable access over SSH checkbox, then click Update.
• To disable SSH access, clear the Enable access over SSH checkbox, then click Update.
Confirmation that SSH access has been updated is displayed.
Once enabled, administrators can log on using the support account and gain access to the CLI. For further information about commands available see File Director Command Line Interface.
Utilize the service_user account
To utilize the service_user account you will need to generate and deploy a public and private key pair.
1. Click Generate Authentication Key.
A public and private key pair are generated. The public key is automatically added to the trusted keys in your appliance. The private key is displayed within the SSH Access dialog.
2. Copy the private key and use it to configure the device you require to connect via SSH.
Private keys are not stored on the appliance for later retrieval. If you lose the key or wish to replace it, click Generate Authentication Key to generate a new one. Whenever a new key pair is generated, the previous keys are invalidated.
Note: when upgrading to File Director 2021.3, existing users of the SSH service account will need to re-generate the SSH keys to continue using it.
Web Proxy Server
File Director can be configured to use a web proxy for external services connections such as OneDrive, Google Drive and Box for example. If your proxy service requires a trusted root certificate, this can be installed from the SSL certificates screen. Refer to the Trusted Root Certificate Authorities.
If using a proxy server, enter the URL and authenticating user name and password. Enter the server URL in the format: http(s)://server_address:port.
If no web proxy server is in use leave this section empty.
Note that proxy details are not validated when entered, and when you have made a change to the server configuration you are advised to confirm there are no errors:
• From the File Director Web Admin home page, check the status screen for any issues.
• Test the connection to ensure user map points are online and available to users.
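Because the appliance does not validate proxy details on entry, a pre-check of the http(s)://server_address:port format before it is typed into the console avoids a silent misconfiguration. This is an added example, not part of File Director; the hostnames and ports in it are constructed.

```python
from urllib.parse import urlsplit

def validate_proxy_url(url):
    """Return (ok, reason) for the http(s)://server_address:port format
    expected by the Web Proxy Server field. Rejects anything the field
    is not documented to accept: other schemes, a missing or bad port,
    inline credentials (these belong in the user name/password fields),
    and any path, query or fragment."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "server address missing"
    if parts.username is not None or parts.password is not None:
        return False, "credentials go in the user name/password fields"
    try:
        port = parts.port  # ValueError for non-numeric or > 65535
    except ValueError:
        return False, "port must be a number between 1 and 65535"
    if port is None or port == 0:
        return False, "explicit port between 1 and 65535 required"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False, "no path, query or fragment allowed"
    return True, ""
```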