Configuring file access permissions and settings in IAG

Applies To: Intelligent Application Gateway (IAG)

After configuring Whale Communications Intelligent Application Gateway (IAG) 2007 as a domain member or with Novell NetWare, you can configure the following:

  • Configure remote users’ access to their Home folder and to mapped drives.

  • Configure the settings that determine how you log on to Novell Directories in order to gain access to Novell NetWare servers. In addition, if you wish to enable remote access to Novell NetWare servers, you need to set up authentication with Novell Directory Services (NDS).

  • Configure access to domains, servers, and shares that are exposed to remote users using File Access.

  • Make file access available to remote users by adding it to a portal trunk. If a trunk uses the default portal home page supplied with the IAG, a link to the File Access application is automatically added to the page. Note that when using a custom home page, you have to manually add the link to the page. In addition, you can optionally change the date format of files and folders as they will be viewed in remote users’ browsers. You can also configure the File Access application so that users are not presented, in the end-user interface, with a folder tree in the left pane. This prevents users from browsing to any folders other than the one defined as the application URL or its subfolders. You can customize the language definitions of the end-user pages.

Once you configure the administration settings in the File Access window, the next time you open the window, the settings remain intact. In order to configure File Access administration settings, you must be a member of the Administrators group of IAG.

Configuring remote user access to home folders and mapped drives

You can specify how remote users can access their home folder, mapped drives, and share permissions. Each time a remote user accesses mapped drives by using file access, the File Access engine runs the user’s logon script. For each new user, the operating system running on the IAG server creates and saves a user profile. By default, user profiles are not deleted from the server, including old profiles that are no longer used. This consumes disk space unnecessarily. In addition, in environments where a large number of users access mapped drives, if a 10,000 profile limit is reached, new profiles cannot be created, and new users cannot access the drives. You can manually remove user profiles.

Accessing the File Access console

To configure global file access administration settings, open the File Access console as follows.

To access the File Access window

  1. In the Configuration program, on the Admin menu, click File Access.

    The Windows Enter Network Password dialog box is displayed.

  2. Enter User Name and Password, then click OK.

    The network is browsed, and the File Access window is displayed, showing all the domains in the network which are accessible from the File Access host. Depending on the complexity of the network, this may take a few seconds.

Configuring access to home folders and mapped drives

Configure remote access to home folders and mapped drives as follows.

To configure home folders, mapped drives, and share permissions

  1. In the File Access console, in the left pane of the File Access window, under General, click Configuration.

    The Configuration settings are displayed in the right pane.

  2. To configure access to the Home Directory, select one of the following options:

    • Don’t Define User’s Home Directories—When this option is selected, the Home Directory is not accessible to remote users. The My Home Directory button and tree item are not displayed in the browser.

    • Use Domain Controller Settings for Home Directories—The Home Directory is accessible to remote users through a My Home Directory button and tree item. Home Directory path information is taken from the domain controller.

    • Use the Following Template for Home Directories—The Home Directory is accessible to remote users through a My Home Directory button and tree item. Home Directory path information is taken from the template you define in the text field. You can define the path to the template by using one of the two following methods:

      • Valid Universal Naming Convention path. For example: \\server\share\dir1\dir2

      • Valid Distributed File System path. For example: domain\server\share\dir1\dir2

      In either of those path types, you can use one or both of the following variables: %domain% and %username%.

      For example:

      %domain%/users/%username%

  3. Determine whether the browser displays the listing of the Home Directory each time a remote user accesses File Access. This is controlled by the setting User’s Home Directory Will be Displayed Every Time File Access is Loaded.

  4. To configure access to mapped drives, select the Show Mapped Drives check box. If the user’s logon script is not a batch file (.bat, .exe) and is not wrapped within a batch file, enter the full path of the script engine in the Script Engine field.

    Note

    Before you configure the mapped drives option, see Limitations of Mapped Drives and Deleting User Profiles When Using Mapped Drives.

    You can only specify one script engine type in the Script Engine field.

  5. By default, users view all the shares that you configure for File Access. If you wish users to view only the configured shares for which they have access permissions, select the Show only the shares a user is permitted to access check box.

  6. When you finish configuring users’ access to the Home Directory and mapped drives, at the top right of the File Access window, click Apply.

    Tip

    In order to configure remote users’ access to domains, servers, and shares, refer to Configuring access to domains, servers, and shares.

  7. When you finish configuring administration settings, click Close at the bottom of the File Access window.

    Once you activate the configuration, remote users’ ability to access their Home Directory, mapped drives, and the shares configured for File Access is determined according to the definitions you configured here.

Notes

When configuring mapped drives and shares, note the following:

  • File access supports the mapping of drives G and up.

  • Due to a Windows application programming interface limitation, not all environment variables are supported by the File Access option. If you use unsupported environment variables in the users’ logon scripts, the remote user will not be able to access the mapped drives as expected. To examine the environment variables supported for a typical user, do the following.

    To examine the environment variables supported for a typical user

    1. On the IAG server, open a command prompt, and impersonate the user by entering this command:

      runas /user:<username> cmd.exe

      Where <username> is the name entered by the user during login.

    2. In the secondary command window that opens, representing the user you defined, run the set command. The environment variables that are displayed are the variables that are supported by IAG for this user.

  • Mapped drives are defined by the users’ logon scripts, which are located on the organization’s Domain Controller, in the NETLOGON directory. File Access automatically supports batch files (.bat, .exe). For any other scripts, such as JavaScript (.js) or Microsoft Visual Basic (.vbs), you can do one of the following:

    • Wrap each script within a separate batch file.

    • During the configuration of users’ access to mapped drives, specify the script engine that will be used to run the user’s logon script, as detailed in the configuration procedure.

  • Share Permissions determine whether users view all the shares that are configured for File Access or only the shares for which they have access permissions.

  • Share permissions settings affect the share level only; they do not affect the way users view folders in a share.

Deleting user profiles when using mapped drives

Each time a remote user accesses mapped drives via File Access, the File Access engine runs the user’s logon script. For each new user, the operating system running on the IAG server creates and saves a user profile.

By default, user profiles are not deleted from the server, including old profiles that are no longer used. This consumes disk space unnecessarily. In addition, in environments where a large number of users access mapped drives, if a 10,000 profile limit is reached, new profiles cannot be created, and new users cannot access the drives.

This section describes how you can configure IAG to delete user profiles from IAG, when required. Note the following:

  • Only profiles of domain users are deleted; profiles of local users are not deleted.

  • Least recently used profiles are deleted first.

  • Profiles of users who are currently connected to one or more mapped drives are not deleted.

To delete user profiles from IAG

  1. Access the following Custom Update folder; if it does not exist, create it:

    …\Whale-Com\e-Gap\von\conf\CustomUpdate

  2. Copy the file userProfiles.ini from this folder:

    …\Whale-Com\e-Gap\common\conf

    Place it in the Custom Update folder you accessed in step 1. If such a file already exists in the custom folder, use the existing file.

  3. Configure the parameters in the file as follows:

    • EnableProfileDelete—Determines whether user profiles are deleted from IAG or not.

    • HighWaterMark—Number of profiles above which the deletion process starts. Must be equal to or greater than the LowWaterMark parameter.

    • LowWaterMark—Number of profiles that are kept on IAG once the deletion process is complete. A minimum number of 50 profiles must remain undeleted.

    • SleepPeriod—After the number of minutes defined here, the process checks whether the HighWaterMark has been reached and deletes excess profiles as required.

    • DoNotRemoveProfile—Defines a user profile that is not deleted. For example: DoNotRemoveProfile = MyDomain\Admin. You can configure an unlimited number of profiles that will be left out of the deletion process by configuring one DoNotRemoveProfile parameter for each profile.
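The watermark policy these parameters describe, as an added example that is not IAG’s own code: it parses a constructed userProfiles.ini (one DoNotRemoveProfile line per kept profile), validates the two constraints stated above, and works out which profiles a single deletion pass would remove under the listed rules (domain users only, least recently used first, connected users and listed profiles skipped, at least LowWaterMark profiles kept). The Profile records, the case-insensitive name matching, and the assumption that the watermarks count domain-user profiles only are constructed for this example.

```python
from dataclasses import dataclass
# Constructed sample of ...\conf\CustomUpdate\userProfiles.ini using the page's parameters
SAMPLE_INI = """\
EnableProfileDelete=1
HighWaterMark=55
LowWaterMark=50
SleepPeriod=30
DoNotRemoveProfile=MyDomain\\Admin
DoNotRemoveProfile=MyDomain\\user01
"""

@dataclass
class Profile:
    name: str          # DOMAIN\user for domain users, bare name for local users
    is_domain: bool
    last_used: int     # constructed clock; smaller = used longer ago
    connected: bool    # currently holds one or more mapped drives

def parse_ini(text):
    """Parse key=value lines; DoNotRemoveProfile may repeat, so collect it as a set."""
    cfg = {"keep": set()}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith((";", "#")):
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "DoNotRemoveProfile":
            cfg["keep"].add(value.lower())  # assumption: account names compare case-insensitively
        else:
            cfg[key] = value
    high, low = int(cfg["HighWaterMark"]), int(cfg["LowWaterMark"])
    if low < 50:          # page: at least 50 profiles must remain undeleted
        raise ValueError("LowWaterMark must be at least 50")
    if high < low:        # page: HighWaterMark must be >= LowWaterMark
        raise ValueError("HighWaterMark must be >= LowWaterMark")
    cfg.update(enabled=cfg.get("EnableProfileDelete") == "1", high=high, low=low)
    return cfg

def plan_deletion(cfg, profiles):
    """Names a single pass would delete, in order: domain users only, LRU first,
    skipping connected and listed profiles, stopping once LowWaterMark remain."""
    domain = [p for p in profiles if p.is_domain]   # assumption: watermarks count domain profiles
    if not cfg["enabled"] or len(domain) <= cfg["high"]:
        return []
    candidates = sorted((p for p in domain
                         if not p.connected and p.name.lower() not in cfg["keep"]),
                        key=lambda p: p.last_used)
    remaining, victims = len(domain), []
    for p in candidates:
        if remaining <= cfg["low"]:
            break
        victims.append(p.name)
        remaining -= 1
    return victims

def demo():
    """Constructed server state: 58 domain profiles (user00 connected) plus 3 local ones."""
    profiles = [Profile(f"MyDomain\\user{i:02d}", True, i, i == 0) for i in range(58)]
    profiles += [Profile(n, False, 0, False) for n in ("Administrator", "iagsvc", "Guest")]
    return plan_deletion(parse_ini(SAMPLE_INI), profiles)
```

With 58 domain profiles above a HighWaterMark of 55, the pass removes the eight least recently used profiles that are neither connected nor listed, leaving exactly LowWaterMark (50) behind.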

Configuring logon settings for Novell NetWare servers

This procedure is relevant if the network includes Novell NetWare Services and you wish to enable remote access to NetWare Servers. The settings you configure here are not related to the Novell Directory server, which you can use for authentication and authorization. In the following procedure, you determine the logon credentials that are used during the configuration of users’ access to the Novell NetWare Servers. Note that, during the configuration of the NetWare Servers, only the servers and shares that are enabled for the user with which you log on will be available in the File Access window.

To configure Novell logon settings

  1. Access the File Access window, as described in Accessing the File Access Window.

  2. In the left pane of the File Access window, under General, click Novell.

    In the right pane, the Novell Logon settings are displayed.

  3. Select one of the following options:

    • Using Windows User Name—Use the same credentials you used when you logged on to the File Access window, as described in Accessing the File Access Window.

    • Using the Following User Name and Password—Enter credentials with which to log on.

    Tip

    Make sure the credentials you assign here enable you to view all the NetWare Servers to which you wish to configure access, such as the credentials of a Novell administrator.

  4. Click Save, and then click Logon.

    The system logs you on to the Novell NetWare Services. When you configure Novell NetWare Servers, the servers and shares that are enabled for the user you define here are displayed in the File Access window.

  5. Go on to configure remote users’ access to domains, servers, and shares, as described in the procedure that follows.

    Note

    In order to log on to a different tree, enter the applicable credentials, and click Logon.

    Only one set of credentials can be saved in the Novell Logon window.

    Any time after the initial configuration, in order to modify the configuration of remote users’ access to the NetWare Servers, you need to log on to the Novell NetWare Services by using the Novell Logon window.

Configuring Novell NetWare authentication

Set up authentication for remote access to Novell NetWare servers as follows.

To enable remote access to NetWare Servers

  1. In the Configuration program, on the Admin menu, click Authentication and User/Group Servers.

  2. On the Authentication and User/Group Servers dialog box, click Add.

  3. On the Add Server dialog box, in the Type list, select Novell Directory, and then define the server. For details, click Help.

  4. When you finish defining the server, click OK to close the Add Server dialog box.

    In the Authentication and User/Group Servers dialog box, the Novell Directory server you defined is added to the list of authentication servers.

  5. Close the Authentication and User/Group Servers dialog box.

  6. In the main window of the Configuration program, next to Advanced Trunk Configuration, click Configure to open the Advanced Trunk Configuration window.

  7. In the Authentication tab, in the top left area, click Add to the right of the Select Authentication Servers list.

  8. In the Authentication and User/Group Servers dialog box, select the server you defined in step 3, and then click Select.

    The Authentication and User/Group Servers dialog box closes. In the Authentication tab, the Novell Directory server you defined is added to the list of servers.

    Remote users' access to Novell NetWare Servers is enabled.

Configuring access to domains, servers, and shares

This section describes how you configure which domains, servers, and shares are enabled for remote access.

To configure access to domains, servers, and shares

  1. In the File Access console, in the left pane of the File Access window, under General, click Configuration. To refresh the display, click Refresh.

  2. In the right pane of the File Access window, select the domains which will be accessible to remote users through File Access, and click Apply.

    Note

    If the network includes Novell NetWare Services, the following services are available for selection in the Domains window:

    - Novell Directory Services

    - NetWare Servers

    You can use the File Access window to enable access only to NetWare Servers; you cannot enable access to Novell Directory Services through the File Access option.

  3. In the left pane of the File Access window, click Servers.

    The network is browsed. In the File Access window, all the servers in the domains you selected are displayed, arranged under their respective domains.

  4. In the right pane of the File Access window, select the servers that will be accessible to remote users through File Access, and click Apply.

  5. In the left pane of the File Access window, click Shares.

    The network is browsed. In the File Access window, all the shares that are enabled on the selected servers are displayed, arranged under their respective servers.

    Note

    If you have previously configured shares in this window to be accessible to remote users and have since clicked Apply in either the Domains or the Servers windows, all the shares in this window appear unselected, including shares that are accessible to remote users. In order to refresh the view, click Reset, and then click Refresh.

  6. In the right pane of the File Access window, select the shares which will be accessible to remote users through File Access, and click Apply.

    Note

    If there are no shares in a selected server, the text “No shares on this server” appears under that server name.

  7. When you finish configuring administration settings, click Close at the bottom of the File Access window.

    Once you activate the configuration, remote users are able to access the selected domains, servers, and shares through the File Access interface, depending on their access permissions within the organization.

Adding file access to a portal

You add the File Access application to a portal as follows:

  • Using the Add Applications Wizard. For more information, see Publishing applications in an IAG portal. If the portal trunk uses the default IAG portal home page, a link to the File Access application is automatically added to the page. Note that when using a custom home page, you have to manually add the link to the page. For more information, see Modifying the default IAG portal home page.

  • Optionally, you can change the date format of files and folders, as will be viewed on remote users’ browsers.

  • You can also configure the file access application so that users accessing files are not presented with a folder tree on the left pane. This prevents users from browsing to any folders other than the one defined as the application URL or its subfolders.

Changing date formats for file access

The date format of files and folders that remote users view in their browsers is determined by the IAG server on which the File Access application is installed, not by the user’s local computer.

By default, the format is M/d/yyy. You can change the date format to d/M/yyy, as described in this section.

To change the date format of files and folders

  1. On the IAG on which the File Access application is installed, use the Registry Editor to access the following location:

    HKEY_USERS\.DEFAULT\Control Panel\International

  2. Change the Value data of SShortDate to d/M/yyy.

  3. Restart the IAG computer.

    When remote users view files and folders, the date format is the one you set here.

Hiding the folder tree

By default, the end-users’ File Access interface presents users with a folder tree in the left pane. The folder tree contains all the folders you enable in the File Access administration window. If you wish to restrict users’ access to a specific folder, you can define the path of the folder as the application URL and disable the view of the folder tree. Users can then access only the path that is defined as the application URL, including all subfolders.

This procedure describes how you hide the folder tree if the trunk you are configuring uses the default portal home page supplied with IAG. If you use a custom home page, see Modifying the default IAG portal home page.

To hide the folder tree in the end-user interface

  1. In the configuration pane of the IAG Configuration console, double-click the File Access application.

  2. On the Application Properties dialog box, click the Portal Link tab.

  3. In Application URL, enter the following, and then click OK:

    https://localhost:Auto/WhaleFileSharing/?Path=<path>&ShowFolders=False

    Where path is the full path of the folder users will access.

    For example:

    https://localhost:Auto/WhaleFileSharing/?Path=EUROPE/NORWAY/Bergen&ShowFolders=False

    Note

    Parameter names and values are case sensitive.

    Once you activate the configuration, end-users will not be presented with a folder tree in the File Access interface. In this example, when users access the File Access application, they are presented with the Bergen folder and are able to browse only this folder and its subfolders.

    Tip

    The parameter ShowFolders can also be used with a Home Directory definition. That is, users are directly presented with their Home Directory and are able to browse only the Home Directory and its subfolders.