Configuring DFS content site

Distributed File System (DFS) allows administrators access to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces. DFS uses CIFS protocol.

Prerequisites

• Standalone Sentry 8.0.1 or later is supported.
• Standalone Sentry 8.5.0 or later is required for create, upload, and delete (CUD) operations for files and folders.
• Ivanti EPMM 9.0.0.0 or later is supported.
• Verify that you have Standalone Sentry set up for AppTunnel. DFS traffic must be tunneled through Standalone Sentry.

Kerberos authentication, context headers, server-side proxy, and ATC are not supported for tunneling to DFS servers.

• Verify that the necessary SCEP or Certificate setting is created. You will reference the SCEP or Certificate setting when you create the AppTunnel rule in the Docs@Work configuration.

Configuration tasks summary

The following configuration tasks are required. These tasks are done in the Ivanti EPMM Admin Portal.

1. Enable DFS in Standalone Sentry settings. See Enabling DFS.
2. Configure an AppTunnel service for a CIFS repository in Standalone Sentry settings. See Configuring an AppTunnel service for DFS.
3. Configure AppTunnel rules and DFS content site in Docs@Work configuration. See Configuring AppTunnel rules and DFS site in the Ivanti Docs@Work setting.

Enabling DFS

1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, select the check box for Enable DFS.

Configuring an AppTunnel service for DFS

1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, under Services, click + to add a new service.
4. Use the following guidelines to configure a tunnel service:

Item	Description
Service Name	The Service Name is used in the Docs@Work configuration for setting up tunneling to the content repository. Enter one of the following: •A unique name for the service that Docs@Work accesses. One or more of your internal app servers provide the service. You list the servers in the Server List field. •The service name must begin with CIFS_. •A service name cannot contain these characters: 'space' \ ; * ? < > " |. •<CIFS_ANY> •Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based or DFS content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based or DFS content server contains wildcards for tunneling, such as *.myCompany.com. •The order of the Service Name entries does not matter. •Do not select <ANY>, TCP_ANY>, <IP_ANY>, or <IP_ANY_WP8.1> for tunneling to DFS.
Server Auth	Select Pass Through The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to DFS. Kerberos for DFS content servers is not supported. Only basic authentication is supported for DFS.
Server List	The Server List field is not applicable when the service name is <CIFS_ANY>. Enter the DFS server’s host name or IP address (usually an internal host name or IP address). Include the port number on the DFS server that Standalone Sentry can access. Example: fs1.companyname.com:445 You can enter multiple servers. Depending on the Global Configuration settings for the Sentry, either round-robin or priority distribution is used to load balance the servers. Separate each server name with a semicolon. Example: fs1.companyname.com:445;fs2.companyname.com:445
TLS Enabled	Not applicable for app tunnel to DFS.
Proxy/ATC	Not applicable for app tunnel to DFS.
Server SPN List	Not applicable for app tunnel to DFS.

5. Click Save.

Configuring AppTunnel rules and DFS site in the Ivanti Docs@Work setting

1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select the Docs@Work configuration and click Edit.

3. In the AppTunnel Rules section, use the following guidelines to add an AppTunnel rule for CIFS repository:

Item	Description
AppTunnel Rules Configure AppTunnel rules settings for Docs@Work. When Docs@Work tries to connect to the URL configured here, Standalone Sentry creates a tunnel to the content server. To add an AppTunnel entry, click + . To delete an AppTunnel entry, click - .
Sentry	Select the Standalone Sentry on which you configured the AppTunnel service. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.
Service	Select an AppTunnel Service Name from the drop-down list. This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.
URL Wildcard	Enter one of the following: •a content server’s hostname Example: cifs-windows.yourcompany.com •if the Service Name is <CIFS_ANY>, you can enter a hostname with wildcards. The wildcard character is *. Example: *.yourcompanyname.com If you want finer granularity regarding what requests Standalone Sentry tunnels, configure multiple AppTunnel rows. The Sentry and Service fields that you specify in this AppTunnel row determine the target content server. •A hostname with wildcards works only with the service <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Standalone Sentry tunnels the data to the URL specified in the app. •Ivanti recommends that you carefully consider how you use wildcards. For example, do not use just * for the URL. •The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname requested is chosen. That row determines the Standalone Sentry and Service to use for tunneling. Do not include a URI scheme, such as http:// or https:/, in this field.
Port	Enter the port number that Docs@Work can request. Typically, the port number is 445.
Identity Certificate	Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling.

4. In the Content Sites section, enter the following information:

Item	Description
Name	Enter a name for the content site. This name will be displayed on the device.
URL	Enter a valid URL for the DFS. Both domain name and IP address are supported. A valid URL must start with http:// or https://. Format example: https://resolvablehostname:445/URL Variables: You can enter a valid URL with variables for the content site. Variables in the protocol or the hostname are not supported. See also, Configuring DFS content site. Examples with variables: \\$USER_CUSTOM1$ Format of DFS URL with userid: https://resolvablehostname:445/users/$USERID$ •LDAP or AD integration is required for using variables. •If the Site URL is invalid, it will not be distributed to users.
Domain	Select CIFS from the drop-down list.
Subdomain	Select NetworkDrive from the drop-down list.
Authentication	Select if the device has to authenticate to the server. Only basic authentication is supported.
Published Site	Select to designate the site as a Published site.

5. Click Save.
6. Select the Docs@Work configuration.
7. Click More Actions > Apply To Label.
8. Select the appropriate labels to which you want to apply the configuration.
9. Click Apply.

Configuring an AppTunnel service

You create an AppTunnel service in Standalone Sentry as part of the AppTunnel setup required to tunnel traffic to content repositories. CIFS traffic must be tunneled through Standalone Sentry.

Before you begin

Ensure that you have a Standalone Sentry that is set up for AppTunnel and the necessary device authentication is also configured. See “Configuring Standalone Sentry for app tunneling” in the Ivanti Sentry Guide for Ivanti EPMM.

Procedure

1. In the Admin Portal, go to Services > Sentry.
2. Edit the entry for the Standalone Sentry that supports AppTunnel.
3. In the App Tunneling Configuration section, under Services, click + to add a new service.
4. Use the following guidelines to configure a tunnel service:

Item	Description
Service Name	The Service Name is used in the Docs@Work configuration for setting up tunneling to the content repository. Enter one of the following:
	•A unique name for the service that the AppConnect app on the device accesses. One or more of your internal app servers provide the service. You list the servers in the Server List field. For example, some possible service names are: •SharePoint •Human Resources A service name cannot contain these characters: 'space' \ ; * ? < > " |. Special prefixes: •For app tunnels that point to CIFS-based content servers, the service name must begin with CIFS_.
	•<ANY> Select <ANY> to allow tunneling to any URL that the app requests. Typically, you select <ANY> if an AppConnect app’s app configuration specifies a URL with wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels the data for any URL request that the app makes that matches the URL with wildcards. The Sentry tunnels the data to the app server that has the URL that the app specified. The Server List field is therefore not applicable when the Service Name is <ANY>. For example, consider when the app requests URL myAppServer.mycompany.com, which matches *.mycompany.com in the app configuration. The Sentry tunnels the data to myAppServer.myCompany.com. Web@Work typically uses the <ANY> service, so that it can browse to any of your internal servers. Do not select the <ANY> option for tunneling to CIFS-based content servers, Office 365, Box, and Dropbox. For CIFS-based content servers, select <CIFS_ANY>.
	•<CIFS_ANY> Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based content server contains wildcards for tunneling, such as *.myCompany.com. The order of the Service Name entries does not matter.
Server Auth	Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the app server: •Pass Through The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the app server. •Kerberos The Sentry uses Kerberos constrained delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when the AppConnect app accesses the app server. The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
Server List	Enter the app server’s host name or IP address (usually an internal host name or IP address). Include the port number on the app server that the Sentry can access. Example: sharepoint1.companyname.com:443 Acceptable characters in a host name are letters, digits, and a hyphen. The name must begin with a letter or digit. You can enter multiple servers. The Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first app server, the next with the next app server, and so on. Separate each server name with a semicolon. Example: sharepoint1.companyname.com:443;sharepoint2.companyname.com:443 The Server List field is not applicable when the service name is <ANY> or <CIFS_ANY>.
TLS Enabled	Select TLS Enabled if the app servers listed in the Server List field require SSL. This option is not applicable when the service name is <ANY> or <CIFS_ANY>. Although port 443 is typically used for https and requires SSL, the app server can use other port numbers requiring SSL.
Proxy/ATC	Select if you want to direct the AppTunnel service traffic through the proxy server. You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).
Server SPN List	Enter the Service Principal Name (SPN) for each server, separated by semicolons. For example: sharepoint1.company.com;sharepoint2.company.com. The Server SPN List applies only when the Service Name is not <ANY> and the Server Auth is Kerberos. If each server in the Server List has the same name as its SPN, you can leave the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List. The first server in the Server List corresponds to the first SPN in the Server SPN List, the second server in the Server List corresponds to the second server in the Server SPN List, and so on. When the Service Name is <ANY> and the Server Auth is Kerberos, the Standalone Sentry assumes that the SPN is the same as the server name received from the device.

5. Click Save.

Related topics

For more information on configuring AppTunnel, advanced traffic control, and AppTunnel rules, see “Configuring an AppTunnel service” in the AppConnect for Android App Developers Guide and Tunnel for Android Guide.

Configuring AppTunnel rules

Create AppTunnel rules in the Docs@Work configuration as part of an AppTunnel setup required to tunnel traffic to content repositories. When Docs@Work tries to connect to the URL configured in AppTunnel Rules, Standalone Sentry creates an AppTunnel to the content server.

• Ivanti strongly recommends that you do not configure AppTunnel rules with '*' in the URL. Docs@Work may not be able to activate the license for the embedded editor, impacting viewing and editing functionality.
• Standalone Sentry does not support tunneling traffic to Office 365, Box, and Dropbox. Therefore, if you are configuring access to Office 365, Box, or Dropbox, do not use URL patterns (example: *) to configure the AppTunnel traffic rules.

Before you begin

Ensure the following:

•Standalone Sentry is configured for AppTunnel.

•An AppTunnel service is configured in Standalone Sentry. See Configuring an AppTunnel service.

Procedure

1.

In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.

2.

Select for the Docs@Work configuration you want to add AppTunnel rules.

3.

Click on Edit.

4.

In the AppTunnel Rules section click on Add+.

5.

Use the following guidelines to create an AppTunnel rule:

 

Item	Description
AppTunnel Rules
Sentry	Select the Standalone Sentry that you want to tunnel the URLs listed in this AppTunnel entry. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.
Service	Select a Service Name from the drop-down list. This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.
URL Wildcard	Enter one of the following: •a content server’s hostname Example: finance.yourcompany.com •a hostname with wildcards. The wildcard character is *. Example: *.yourcompanyname.com If you want finer granularity regarding what requests the Standalone Sentry tunnels, configure multiple AppTunnel rows.
URL Wildcard	The Sentry and Service fields that you specify in the AppTunnel row determine the target content server.   •A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Standalone Sentry tunnels the data to the app server that has the URL that the app specified. •The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname requested is chosen. That row determines the Standalone Sentry and Service to use for tunneling. •Do not include a URI scheme, such as http:// or https:/, in this field. •If you are directing Office 365, Box or Dropbox traffic through an AppTunnel, do not use URLs with wildcards. Tunneling traffic through Standalone Sentry is not supported for Box, and Dropbox •Docs@Work data is tunneled only if the Docs@Work request matches the hostname in the URL Wildcard field and the port number specified in the Port field.
Port	Enter the port number that Docs@Work requests to access. App data is tunneled only if the app’s request matches the hostname in the URL Wildcard field and this port number. If a port number is not configured, for http and https traffic, the default port is used. The default port used for http is 80 and the default port used for https is 443.
Identity Certificate	Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling.