Windows File Bookmarks

Creating Windows File Bookmarks

You can use two different methods to create Windows file bookmarks:

Create bookmarks through existing resource profiles (recommended) - When you select this method, the system automatically populates the bookmark with key parameters (such as the primary server and share) using settings from the resource profile. Additionally, while you are creating the associated resource profile, the system guides you through the process of creating any required policies to enable access to the bookmark.

Create standard bookmarks - When you select this option, you must manually enter all bookmark parameters during configuration. Additionally, you must enable access to file browsing at the role level and create resource policies that enable access to the servers defined in the bookmark.

You can create Windows bookmarks that appear on the welcome page for users mapped to this role. You can insert the user's username in the URL path to provide quick access to the user's network directories.

When users are browsing files on a DFS server, the DFS server uses the site configuration data stored in Active Directory to return DFS referrals to the system in the right order. Referrals to closer servers are put higher in the list than referrals to servers that are farther away. Clients try referrals in the order in which they are received. If a request comes from a client that resides in a subnet that is not in this list, the server does not know where the client is coming from and returns the list of referrals to the client in an arbitrary order. This could cause the DFS requests from the system (acting as the client in this case) to access a server much farther away. In turn, this could cause serious delays, especially if the system attempts to access a server that is unreachable from the subnet in which the system resides. If the system is installed on a subnet that is not in the DFS server's list, the DFS administrator may use the "Active Directory Sites and Services" tool on the domain controller to add the system's subnet to the appropriate site.

Creating Advanced Bookmarks to Windows Resources

Information in this topic is provided for backwards compatibility. We recommend that you configure access to Windows shares and directories through resource profiles instead, since they provide a simpler, more unified configuration method.

To create a bookmark to a Windows resource:

1. In the admin console, choose Users > User Roles > Role Name > Files > Windows Bookmarks.

2. Click New Bookmark and then browse to or enter the server and share name. Specify a path to further restrict access. If you want to insert the user's username, enter <username> at the appropriate place in the path. For information about additional system variables and attributes that you can include in the bookmark. If you specify a name and description for the bookmark, this information displays on the home page instead of the server/share.

You may not bookmark a Windows server. You must specify both the server and share name.

Make sure to enter a unique server and path in this field. If you create two bookmarks that contain the same concatenated server and path string, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

3. For Appearance, choose either:

Appear as bookmark on homepage and in file browsing - if you want the bookmark to appear both on a user's welcome page and when browsing network files.

Appear in file browsing only - if you want the bookmark to appear only when browsing network files.

4. For Access, click Enable auto-allow access to this bookmark if you want the system to automatically create a corresponding Windows Access resource policy. Note that this functionality applies only to role bookmarks and not bookmarks created by users. Next, select:

Read-write access - to enable users to save files on the server. Note that users cannot upload files greater than 500 MB to the server.

Include sub-folders - to enable users to view files in directories below the specified bookmark path.

You may not see the Auto-allow option if you are using a new installation or if an administrator hides the option.

5. Click Save Changes or Save + New to add another.

Creating Windows Bookmarks that Map to LDAP Servers

To create a bookmark that automatically maps to a user's LDAP home directory:

1. Create an LDAP server instance.

2. Add the LDAP attribute homeDirectory to the Server Catalog.

3. Configure a realm and bind LDAP as the authentication server.

4. Configure role-mapping rules, as needed.

5. Create a Windows bookmark. During configuration, specify <userAttr.homeDirectory> in the bookmark.

6. Click Save Changes.

Defining General Windows File Browsing Options

To specify general Windows file browsing options:

1. In the admin console, choose Users > User Roles > Role Name > Files > Options.

2. Under Windows Network Files, specify which options to enable for users:

User can browse network file shares - If enabled, users can view and create bookmarks to resources on available Windows file shares.

User can add bookmarks - If enabled, users can view and create bookmarks to resources on available Windows file shares.

3. Click Save Changes.

Writing a File Resource Policy

When you enable the File access feature for a role, you need to create resource policies that specify which Windows resources a user may access, as well as the encoding to use when communicating with Windows and NFS file shares. When a user makes a file request, the system evaluates the resource policies corresponding to the request, such as Windows access resource policies for a request to fetch an MS Word document (.doc file). After matching a user's request to a resource listed in a relevant policy, the system performs the action specified for the resource.

You can create resource policies through the standard interface (as described in this section) or through resource profiles (recommended method).

When writing a File resource policy, you need to supply key information:

Resources - A resource policy must specify one or more resources to which the policy applies. When writing a File policy, you need to specify File servers or specific shares.

Roles - A resource policy must specify the roles to which it applies. When a user makes a request, the system determines what policies apply to the role and then evaluates those policies that correspond to the request.

Actions - Each type of resource policy performs a certain action, which is either to allow or deny a resource or to perform or not perform some function, such as allow a user to write to a directory. You can also write detailed rules that apply more conditions to a user request.

The system engine that evaluates resource policies requires that the resources listed in a policy's Resources list follow a canonical format.

Windows File Resources Canonical Format

Information in this section is provided for backwards compatibility. We recommend that you configure access to Windows file servers through resource profiles instead, since they provide a simpler, more unified configuration method.

When writing a resource policy for a Windows file resource, you need to understand the following canonical format.

\\server[\share[\path]]

The three components are:

Server (required) - Possible values:

Hostname - The system variable <username> may be used.

IP address - The IP address needs to be in the format: a.b.c.d

Share (optional) - If the share is missing, then star (*) is assumed, meaning ALL paths match. The system variable <username> is allowed.

Path (optional) - Special characters allowed include:

* - Matches any character

% - Matches any character except slash (/)

? - Matches exactly one character

If the path is missing, then slash (/) is assumed, meaning only top-level folders are matched. For example:

\\%.danastreet.net\share\<username>\*

\\pulsesecure.net\dana\*

\\10.11.0.10\share\web\*

\\10.11.254.227\public\%.doc

Writing a Windows Access Resource Policy

Information in this topic is provided for backwards compatibility. We recommend that you configure access to Windows file servers through resource profiles instead, since they provide a simpler, more unified configuration method.

To write a Windows access resource policy:

1. In the admin console, choose Users > Resource Policies > Files > Access > Windows.

2. On the Windows File Access Policies page, click New Policy.

3. Enter a name to label this policy (required) and a description of the policy (optional).

4. In the Resources section, specify the resources to which this policy applies.

5. In the Roles section, specify:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

6. In the Action section, specify:

Allow access - To grant access to the resources specified in the Resources list. Check Read-only to prevent users from saving files on the server.

Deny access - To deny access to the resources specified in the Resources list.

Use Detailed Rules - To specify one or more detailed rules for this policy.

7. Click Save Changes.

8. On the Windows File Access Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.
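The canonical resource format and the first-match ordering described in step 8 can be modelled in a few lines. This is an added example, not code from the product or its documentation: the policy names, the Staff role, the hr folder and the deny-on-no-match default are constructed assumptions, as are reading a missing path as the share root only and matching case-insensitively.

```python
import re

def canonical(resource):
    # Split server[/share[/path]]; both separator styles are accepted.
    if not resource.startswith("\\\\"):
        raise ValueError("resource must begin with two backslashes")
    parts = resource[2:].replace("\\", "/").split("/", 2)
    if not parts[0]:
        raise ValueError("server component is required")
    share = parts[1] if len(parts) > 1 and parts[1] else "*"  # missing share: *
    path = parts[2] if len(parts) > 2 else ""  # missing path: share root (assumed)
    return parts[0], share, path

def to_regex(resource, username):
    server, share, path = canonical(resource)
    pattern = "/".join(p for p in (server, share, path) if p)
    rx = []
    for tok in re.split(r"(<username>|[*%?])", pattern):
        if tok == "<username>":
            rx.append(re.escape(username))   # session user, taken literally
        elif tok == "*":
            rx.append(".*")                  # any run, crosses separators
        elif tok == "%":
            rx.append("[^/]*")               # any run within one component
        elif tok == "?":
            rx.append(".")                   # exactly one character
        else:
            rx.append(re.escape(tok))
    return re.compile("".join(rx) + "/?", re.IGNORECASE)

def evaluate(policies, request, username, role):
    # First match wins; no match is treated as deny (assumption).
    target = request.lstrip("\\").replace("\\", "/")
    for name, roles, resources, action in policies:
        if roles != "ALL" and role not in roles:
            continue
        if any(to_regex(r, username).fullmatch(target) for r in resources):
            return name, action
    return None, "deny"

# Constructed sample policies, listed in evaluation order.
POLICIES = [
    ("home-dirs", "ALL", [r"\\%.danastreet.net\share\<username>\*"], "allow"),
    ("public-docs", {"Staff"}, [r"\\10.11.254.227\public\%.doc"], "read-only"),
    ("block-hr", "ALL", [r"\\10.11.0.10\share\web\hr\*"], "deny"),
    ("web-share", "ALL", [r"\\10.11.0.10\share\web\*"], "allow"),
]
```

Evaluating the same list in reverse order puts web-share ahead of block-hr, and a request for a file under hr is then allowed, which is why the order set in step 8 matters.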

If you want to write a File resource policy that enables you to specify credentials to submit to a file server when a user request matches a resource in the Resource list, you can use the following procedure to do so. You can also configure the system to prompt users for credentials.

Writing a Windows SSO Resource Policy

Information in this topic is provided for backwards compatibility. We recommend that you configure access to Windows file servers through resource profiles instead, since they provide a simpler, more unified configuration method.

To write a Windows credentials resource policy:

1. In the admin console, choose Users > Resource Policies > Files > SSO > Windows.

2. On the Windows Credentials Policies page, click New Policy.

3. Enter a name to label this policy (required) and a description of the policy (optional).

4. In the Resources section, specify the resources to which this policy applies.

5. In the Roles section, specify:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

6. In the Action section, specify the action to take when a resource requires credentials:

Use System Credentials - If the system has stored credentials for the specified user and resource in its cache, it submits the stored credentials. If the stored credentials fail or if no stored credentials exist for that user, the system prompts for new credentials and stores the new credentials.

Use Specific Credentials - You specify static credentials that the system submits to resources. The file browsing server keeps connections to a server\share open, so connecting to a different folder on the same share using a different account may not work reliably. If the specified credentials fail, the system may submit alternative credentials. Note that the system masks the password you enter here with asterisks.

Prompt for user credentials - The system intermediates the share challenge by presenting an authentication challenge the first time a user attempts to access the share. The user enters the credentials and the credentials are stored in the system. If the credentials later fail, the system again prompts the user for their credentials.

Use Detailed Rules - To specify one or more detailed rules for this policy.

7. Click Save Changes.

8. On the Windows File Access Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.

Writing a Windows Compression Resource Policy

Information in this section is provided for backwards compatibility. We recommend that you configure compression through resource profiles instead, since they provide a simpler, more unified configuration method.

Compression policies specify which types of file data to compress when you enable GZIP compression through the Maintenance > System > Options page of the admin console.

The system comes pre-equipped with two file compression policies (*:*/*) which compress all applicable file data. You may enable these policies through the Resource Policies > Files > Compression pages of the admin console.

To write a Windows file compression resource policy:

1. In the admin console, choose Resource Policies > Files > Compression.

2. Select the Windows tab.

3. Click New Policy.

4. Enter a name to label this policy (required) and a description of the policy (optional).

5. In the Resources section, specify the resources to which this policy applies.

6. In the Roles section, specify:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

7. In the Action section, specify:

Compress - Compress the supported content types from the specified resource.

Do not compress - Do not compress the supported content types from the specified resource.

Use Detailed Rules - Select this option to specify one or more detailed rules for this policy.

8. Click Save Changes.

Defining General File Writing Options

You can specify File resource options that apply to your File resource policies. When you enable a File resource policy option, the system compiles a list of hostnames specified in the Resources field of each File resource policy. The system then applies the enabled options to this comprehensive list of hostnames.

To specify resource options for Windows file servers:

1. In the admin console, choose Users > Resource Policies > Files > Options.

2. Select:

IP based matching for Hostname based policy resources - The system looks up the IP address corresponding to each hostname specified in a File resource policy. When a user tries to access a server by specifying an IP address rather than the hostname, the system compares the IP to its cached list of IP addresses to determine if a hostname matches an IP. If there is a match, then the system accepts the match as a policy match and applies the action specified for the resource policy.

This option does not apply to hostnames that include wildcards and parameters.

Case sensitive matching for the Path component in File resources - Require users to enter a case-sensitive path component.

Encoding - Select the encoding to use when communicating with Windows and NFS file shares.

Use NTLM v1, NTLM v1 will be used for all NTLM negotiations - Select this option to use only NTLM V1 for file share authentication.

Use NTLM v2, NTLM v2 will be used for all NTLM negotiations - Select this option to use only NTLM V2 for file share authentication.

Number of NTLM authentication protocol variant attempts - Controls the number of login attempts while doing SSO. Select "Low" if you are seeing account lockout issues.

3. Click Save Changes.