Secure the Groove Server Relay installation

 

Applies to: Groove Server 2010

Topic Last Modified: 2010-01-15

This article provides information and procedures about how to improve the security of the Groove Server Relay installation. Groove Server 2010 Relay installs with Windows Firewall On and with exceptions as described in Plan port configurations for Groove Server. For added security, locate your Groove Server Relay installations in a perimeter network and restrict access to the relay administrative port as discussed in this section.

In this article:

  1. Before you begin

  2. Help secure the Groove Server Relay installation

Before you begin

Before you start this procedure, install Groove Server Relay as described in Install Groove Server 2010 Relay.

Help secure the Groove Server Relay installation

Groove Server Relay uses two administrative listener ports: port 8009 with proprietary SOAP security for Relay server management transmissions from Groove Server Manager, and port 8010 with Secure Socket Layer (SSL) encryption for browser access to the Groove Server Relay administrative Web interface. By default, both ports are bound to all network adapters, allowing Manager server access over a public network and remote access to Relay server administrative Web pages. Binding these ports to separate network adapters (NICs) so that Manager server access occurs over a private administrative network is a recommended security measure. The Relay server provides two registry string values that you can use for these port bindings, as described in the following procedure.

To help secure the Groove Server Relay installation by restricting access to Groove Server Relay administrative listener ports

  1. Address the requirements in Before you begin.

  2. Click Start, and then Run, and enter regedit.exe.

  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0\Groove\Groove Relay\Parameters

  4. To assign the SOAP port 8009 to a separate protected network adapter so that Groove Server Manager contacts the Relay server over a private protected network, use the registry editor to define a registry string value name for port 8009/TCP as follows:

    1. Right-click the port 8009 string value name: AdminGrooveSOAPInterface.

    2. Set the data string value to the IPv4 or IPv6 address of the interface to which you want to restrict the administrative port. Use the following table of sample registry entries for guidance:

      Note

      Port 8009/TCP should be configured for restricted access by Groove Server Manager.

      System Name Type Data

      IPv4

      AdminGrooveSOAPInterface

      REF_SZ

      192.128.1.1

      IPv6

      AdminGrooveSOAPInterface

      REF_SZ

      1010:3898:3030:1001:f935:f4f2:ee6a:0056

  5. To assign the SSL port 8010 to a separate network adapter so that trusted administrators can browse to Groove Server Relay administrative Web pages, define a registry string value name for port 8010/TCP as follows:

    1. Right-click the port 8010 string value name: AdminInterface.

    2. Set the string value to the IPv4 or IPv6 address of the interface to which you want to restrict the administrative port. Use the following table of sample registry entries for guidance.

      Note

      Port 8010/TCP should be configured for internal access by administrators.

      System Name Type Data

      IPv4

      AdminInterface

      REF_SZ

      192.128.1.2

      IPv6

      AdminInterface

      REF_SZ

      1010:3898:3030:1001:f935:f4f2:ee6a:0057

  6. For the registry edits to take effect, update the Administrative settings in the Groove Relay Control Panel item as follows:

    1. Open the Groove Relay Control Panel item.

    2. Click the Admin Interface tab.

    3. Choose Generate Certificate to regenerate the SSL certificate, required for the port 8010 updates.

    4. Click OK.

    5. Restart Groove Server Relay.

Test your relay server installation as described in Start and test Groove Server Relay.