Review best practices for Groove Server deployment
Applies to: Groove Server 2010
Topic Last Modified: 2011-09-26
Groove Server 2010 Manager and Groove Server 2010 Relay rely on Internet connections. Therefore, you should become familiar with industry best practices and your organization’s best practices for hosting an Internet server. This knowledge can serve as a foundation for developing your organization’s Microsoft SharePoint Workspace 2010 management best practices.
In this article:
Groove Server Manager deployment best practices
Groove Server Relay deployment best practices
Groove Server Manager deployment best practices
The following basic measures can help ensure a reliable and secure Groove Server Manager installation:
Install each Groove Server Manager on a clean stand-alone Windows Server system. Do not try to install Groove Server Manager on a domain controller or a computer where SharePoint Workspace is running. Doing so will cause the installation process to fail.
To help protect the operating system and your content from damage or loss as a result of hardware component failure, make sure that you install Groove Server Manager on a system with redundant hard disk drive capability, typically a hardware RAID (software RAIDs help provide protection for content only, not the operating system).
Install the latest Critical Update Package and Security Rollup on all servers.
Use proxy or firewall devices to control transmissions, limiting network access to the ports necessary for Office Groove 2007 operation and management.
Limit network access to the Groove Server Manager client and administrative Web sites to the ports required for SharePoint Workspace operations, as specified in Plan port configurations for Groove Server.
Install Groove Server Manager in a perimeter network (also known as a screened subnet) to increase security while allowing managed external Office Groove 2007 users to access the Groove Server Manager from the Internet.
If your SharePoint Workspace management system includes multiple Groove Server Manager front ends (that share a single SQL Server back end), install the administrative part of the Web site on a secure server, separate from the server supporting the client part of the site.
Enable Secure Sockets Layer (SSL) encryption for the Groove Server Manager administrative Web pages and set the server SSL port to 443. For more information about SSL, refer to the Microsoft TechNet article, Managing Microsoft Certificate Services and SSL (https://go.microsoft.com/fwlink/p/?LinkID=99390&clcid=0x409).
Help protect the Groove Server Manager administrative Web pages by using Windows or other logon authentication.
Utilize one of the following methods to more safely distribute account configuration codes to SharePoint Workspace users:
Utilize the Groove Server Manager automatic account configuration capability, as described in Automate SharePoint Workspace account configuration/restoration.
Use an existing secure communication channel to distribute codes (using security-enhanced e-mail or e-mail over a trusted local area network, for example).
Manually distribute account configuration codes.
Make sure to keep labeled copies of any certificates, private keys, and passwords that you use in a known secure location, such as on disk in a locked cabinet or in a directory on a secure private network. You may need access to these old certificates or private keys in the future (for example, if you need to recover client content for an Office Groove 2007 client that has an older version of the data recovery certificate).
Control physical access to Groove Server Manager systems, and define administrative roles on Groove Server Manager to restrict access to administrative Web pages.
To support SharePoint Workspace account restoration when it is necessary (to replace a damaged account, for example), ensure that the Groove Server Manager policy for scheduling Office Groove 2007 account backups is enabled.
Install anti-virus software on Groove Server Manager systems. When installing anti-virus software, make sure that you disable Script Blocking, as script blocking can impede correct Groove Server Manager operation.
Review available information about Windows server security vulnerabilities and address them as needed at your site. For information about Windows Vista security, see the Microsoft TechNet Security TechCenter at https://go.microsoft.com/fwlink/p/?LinkId=124210. Also see the TechNet library security bulletins at https://go.microsoft.com/fwlink/p/?LinkId=124625.
Groove Server Relay deployment best practices
The following basic measures can help ensure a reliable and secure Groove Server Relay installation:
Review Microsoft Windows Firewall Best Practices for Rule Authoring and API Usage at https://go.microsoft.com/fwlink/p/?LinkId=164672.
Locate the Groove Server Relay in a perimeter network (also known as screened subnet), or on an internal/external network boundary for relay security.
Install the operating system platform and Groove Server Relay software on a clean computer. Do not try to install a Groove Server Relay on a domain controller, on a Web server such as IIS, or on a computer with any client server application. Do not install the Groove Server Relay on a computer where SharePoint Workspace is running.
When configuring a proxy server in a Groove Server Relay environment, position TCP/443 and TCP/80 near the top of the protocol list, if the order affects the efficiency of the proxy server. The SharePoint Workspace client tries these protocols, in this order: 2492, 443, 80.
Configure your external network adapters to filter out all traffic except incoming TCP/IP traffic on ports 2492, 443, and 80.
Make sure that the Windows Active Directory service is not running on the Relay server. The service impedes Relay performance.
Install the Groove Server Relay on a computer with redundant hard disk drive capability (typically a hardware RAID configuration), to help protect the operating system and content from damage or loss as a result of hardware component failure. Also, provide backup power via an uninterruptible power supply (UPS).
When implementing security measures for Groove Server Relay, be aware that incorrectly configured anti-virus software on the Groove Server Relay system can significantly impede Relay server performance. When installing and configuring anti-virus software, disable Real-Time protection on the Data directories.
Review available information about Windows server security vulnerabilities and address them as needed at your site. For information about Windows Vista security, see the Microsoft TechNet Security TechCenter at https://go.microsoft.com/fwlink/p/?LinkId=124210. Also see the TechNet library security bulletins at https://go.microsoft.com/fwlink/p/?LinkId=124625.
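A check that supports the external-adapter filtering measure in the Relay list above, as an added example that is not part of the original article: it parses output in the format of `netstat -ano` and lists TCP listeners reachable through an external adapter on any port other than 2492, 443, and 80, which are the services the filter must be blocking. The sample output, the address 203.0.113.10, and the function name are constructed for illustration.

```python
import re

# Inbound TCP ports the article says the external adapter should accept.
ALLOWED_RELAY_PORTS = {2492, 443, 80}

# Constructed sample in the format of `netstat -ano`; 203.0.113.10
# stands in for the relay's external adapter address (an assumption).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:2492           0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:8009          0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:443       198.51.100.7:50122     ESTABLISHED     1820
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    4
"""

# Matches only TCP rows in the LISTENING state; captures address, port, PID.
LISTENER = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def unexpected_listeners(netstat_text, external_addrs):
    """Return (address, port, pid) tuples, sorted by port, for TCP listeners
    bound to an external or wildcard address on a non-allowed port."""
    exposed = {"0.0.0.0", "[::]"} | set(external_addrs)
    findings = []
    for line in netstat_text.splitlines():
        m = LISTENER.match(line)
        if not m:
            continue  # header, UDP row, or a connection that is not listening
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr in exposed and port not in ALLOWED_RELAY_PORTS:
            findings.append((addr, port, pid))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for addr, port, pid in unexpected_listeners(SAMPLE_NETSTAT, {"203.0.113.10"}):
        print(f"listener outside relay port set: {addr}:{port} (PID {pid})")
```

Listeners bound only to loopback or to an internal adapter address are left out, because the measure applies to the external adapters.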