Unix File Bookmarks

Creating UNIX File Bookmarks

You can use two different methods to create UNIX file bookmarks:

Create bookmarks through existing resource profiles (recommended) - When you select this method, the system automatically populates the bookmark with key parameters (such as the server) using settings from the resource profile. Additionally, while you are creating the associated resource profile, the system guides you through the process of creating any required policies to enable access to the bookmark.

Create standard bookmarks - When you select this option, you must manually enter all bookmark parameters during configuration. Additionally, you must enable access to the file browsing at the role level and create resource policies that enable access to the servers defined in the bookmark.

You can create UNIX bookmarks that appear on the welcome page for users mapped to this role. You can insert the user's username in the URL path to provide quick access to the user's network directories.

Creating Advanced Bookmarks to UNIX Resources

Information in this topic is provided for backwards compatibility. We recommend that you configure access to UNIX servers through resource profiles instead, since they provide a simpler, more unified configuration method.

You can create UNIX/NFS bookmarks that appear on the home page. You can insert the user's username in the URL path to provide quick access to the user's network directories.

To create a bookmark to a UNIX/NFS resource:

1. In the admin console, choose Users > User Roles > Role Name > Files > UNIX Bookmarks.

2. Click New Bookmark and then enter the server hostname or IP address and the path to the share. If you want to insert the user's username, enter <username> at the appropriate place in the path. If you specify a name and description for the bookmark, this information displays on the home page instead of the server/path.

Make sure to enter a unique server and path in this field. If you create two bookmarks that contain the same concatenated server and path string, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

3. For Appearance, choose either:

Appear as bookmark on homepage and in file browsing - if you want the bookmark to appear both on a user's welcome page and when browsing network files.

Appear in file browsing only - if you want the bookmark to appear only when browsing network files.

4. For Access, click Enable auto-allow access to this bookmark if you want to automatically create a corresponding UNIX/NFS resource policy. Note that this functionality applies only to role bookmarks and not bookmarks created by users. Next, select:

Read-write access - to enable users to save files on the server. Note that users cannot upload files greater than 500 MB to the server.

Include sub-folders - to enable users to view files in directories below the specified bookmark path.

You may not see the Auto-allow option if you are using a new installation or if an administrator hides the option.

5. Click Save Changes or Save + New to add another.

Defining General UNIX File Browsing Options

For NFS file browsing to work properly, you must configure a NIS server on the system before enabling NFS file browsing.

To specify general file browsing options:

1. In the admin console, choose Users > User Roles > Role Name > Files > Options.

2. Under UNIX Network Files, specify which options to enable for users:

User can browse network file shares - If enabled, users can view and create bookmarks to resources on available UNIX file shares.

User can add bookmarks - If enabled, users can view and create bookmarks to resources on available UNIX file shares.

Allow automount shares - If enabled, users can access automount shares specified on a NIS server.

3. Click Save Changes.

Defining UNIX/NFS File Resource Policies

When you enable the File access feature for a role, you need to create resource policies that specify which Windows and UNIX/NFS resources a user may access, as well as the encoding to use when communicating with Windows and NFS file shares. When a user makes a file request, the system evaluates the resource policies corresponding to the request, such as Windows access resource policies for a request to fetch an MS Word document (.doc file). After matching a user's request to a resource listed in a relevant policy, the system performs the action specified for the resource.

You can create resource policies through the standard interface (as described in this section) or through resource profiles (recommended method).

When writing a File resource policy, you need to supply key information:

Resources - A resource policy must specify one or more resources to which the policy applies. When writing a File policy, you need to specify File servers or specific shares.

Roles - A resource policy must specify the roles to which it applies. When a user makes a request, the system determines what policies apply to the role and then evaluates those policies that correspond to the request.

Actions - Each type of resource policy performs a certain action, which is either to allow or deny a resource or to perform or not perform some function, such as allow a user to write to a directory. You can also write detailed rules that apply more conditions to a user request.

The engine that evaluates resource policies requires that the resources listed in a policy's Resources list follow a canonical format.

Canonical Format: UNIX/NFS File Resources

When writing a resource policy for a UNIX/NFS file resource, you need to understand the following canonical format.

server[/path]

The two components are:

Server (required) - Possible values:

Hostname - The system variable <username> may be used.

IP address - The IP address needs to be in the format: a.b.c.d

Path (optional) - Special characters allowed include:

* - Matches any character

% - Matches any character except back slash (\)

? - Matches exactly one character

If the path is missing, then back slash (\) is assumed, meaning only top-level folders are matched. For example:

%.danastreet.net/share/users/<username>

*.\\pulsesecure.net\dana/*

10.11.0.10/web/*

10.11.254.227/public/%.txt

Writing UNIX/NFS Resource Policies

Information in this section is provided for backwards compatibility. We recommend that you configure access to UNIX file servers through resource profiles instead, since they provide a simpler, more unified configuration method.

To write a UNIX/NFS resource policy:

1. In the admin console, choose Users > Resource Policies > Files > Access > Unix/NFS.

2. On the UNIX/NFS File Access Policies page, click New Policy.

3. Enter a name to label this policy (required) and a description of the policy (optional).

4. In the Resources section, specify the resources to which this policy applies.

5. In the Roles section, specify:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

6. In the Action section, specify:

Allow access - To grant access to the resources specified in the Resources list. Check Read-only to prevent users from saving files on the server.

Deny access - To deny access to the resources specified in the Resources list.

Use Detailed Rules - To specify one or more detailed rules for this policy.

7. Click Save Changes.

8. On the UNIX/NFS File Access Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.
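
The wildcard rules from the canonical format section and the stop-at-first-match ordering described in step 8, as an added Python example (not part of the product or its documentation). It assumes "/" is the path separator that % will not cross, as in the page's example resources, treats * and % as matching a run of characters, and handles only resources with an explicit path; the policy names, their order and the request are constructed.

```python
import re

SEP = "/"  # assumption: separator used in the page's example resources
# Assumed wildcard model: '*' any run of characters, '%' any run of
# characters except SEP, '?' exactly one character.
WILDCARDS = {"*": ".*", "%": "[^" + re.escape(SEP) + "]*", "?": "."}

def to_regex(resource, username):
    """Compile a canonical server/path resource into a regex."""
    def translate(text):
        return "".join(WILDCARDS.get(c, re.escape(c)) for c in text)
    # The username is inserted escaped, so a name containing '*' or '%'
    # is compared literally and cannot widen the pattern.
    parts = resource.split("<username>")
    return re.compile(re.escape(username).join(translate(p) for p in parts))

def matches(resource, request, username):
    return to_regex(resource, username).fullmatch(request) is not None

def matching_policies(policies, request, username):
    """Names of every policy whose Resources list matches, in order."""
    return [name for name, resources, _ in policies
            if any(matches(r, request, username) for r in resources)]

def evaluate(policies, request, username):
    """First matching policy wins; later policies are never consulted."""
    for name, resources, action in policies:
        if any(matches(r, request, username) for r in resources):
            return name, action
    return None  # no match; the page does not state a default action

# Constructed sample policies, listed in evaluation order.
POLICIES = [
    ("allow-web", ["10.11.0.10/web/*"], "allow"),
    ("deny-web-private", ["10.11.0.10/web/private/*"], "deny"),
    ("allow-home", ["%.danastreet.net/share/users/<username>"], "allow"),
]

if __name__ == "__main__":
    req = "10.11.0.10/web/private/keys.txt"  # constructed request
    print(evaluate(POLICIES, req, "alice"))           # broad allow wins
    print(matching_policies(POLICIES, req, "alice"))  # deny is shadowed
    print(evaluate(POLICIES[1:] + POLICIES[:1], req, "alice"))
```

Running matching_policies over representative requests before saving a new policy order shows which Deny policies a broader Allow placed above them would shadow.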

Writing a UNIX/NFS Compression Resource Policy

Information in this section is provided for backwards compatibility. We recommend that you configure access to UNIX file servers through resource profiles instead, since they provide a simpler, more unified configuration method.

Compression policies specify which types of file data to compress when you enable GZIP compression through the Maintenance > System > Options page of the admin console.

The system comes pre-equipped with two file compression policies (*:*/*) which compress all applicable file data. You may enable these policies through the Resource Policies > Files > Compression pages of the admin console.

To write a UNIX/NFS file compression resource policy:

1. In the admin console, choose Resource Policies > Files > Compression.

2. Select the Unix/NFS tab.

3. Click New Policy.

4. Enter a name to label this policy (required) and a description of the policy (optional).

5. In the Resources section, specify the resources to which this policy applies.

6. In the Roles section, specify:

Allow access - To grant access to the resources specified in the Resources list. Check Read-only to prevent users from saving files on the server.

Deny access - To deny access to the resources specified in the Resources list.

Use Detailed Rules - To specify one or more detailed rules for this policy.

7. In the Action section, specify:

Compress - Compress the supported content types from the specified resource.

Do not compress - Do not compress the supported content types from the specified resource.

Use Detailed Rules - Select this option to specify one or more detailed rules for this policy.

8. Click Save Changes.

Defining General UNIX/NFS File Writing Options

You can specify File resource options that apply to your File resource policies. When you enable a File resource policy option, the system compiles a list of hostnames specified in the Resources field of each File resource policy. The system then applies the enabled options to this comprehensive list of hostnames.

To specify options for UNIX/NFS resources:

1. In the admin console, choose Users > Resource Policies > Files > Options.

2. Select:

IP based matching for Hostname based policy resources - The system looks up the IP address corresponding to each hostname specified in a File resource policy. When a user tries to access a server by specifying an IP address rather than the hostname, the system compares the IP to its cached list of IP addresses to determine if a hostname matches an IP. If there is a match, then the system accepts the match as a policy match and applies the action specified for the resource policy.

Note: This option does not apply to hostnames that include wildcards and parameters.

Case sensitive matching for the Path component in File resources - Select this option to require users to enter a case-sensitive URL to an NFS resource. Use this option when passing username or password data in a URL.

This option does not apply to Windows servers.

Encoding - Select the encoding to use for communicating with the Windows and NFS file shares.

NTLM Version - Select whether to fall back to NTLM version 1 or version 2 authentication if Kerberos authentication of administrator credentials fails.

Number of NTLM authentication protocol - Select High to allow a large number of authentication attempts to be made to the backend server. This applies only to NTLM, not basic authentication. If your server locks users out for too many failed attempts, select Low.

Many servers do not support the different NTLM protocol variant attempts when you select High. If you find that authentication is failing even though the username and password are correct, set this option to Low.

3. Click Save Changes.