For the environments discussed in Section 14.1, Environments, the way SSL is configured depends on the iFolder version. iFolder 3.6 does not support SSL communication, so use it only in a trusted environment. iFolder 3.7 and later versions support SSL.
Table 14-1 SSL Recommendations

| Environment | SSL Support |
|---|---|
| Trusted | Disable SSL to increase performance. Deselect the Configure SSL for iFolder option in YaST. |
| Untrusted | Require SSL communication. Select the Configure SSL for iFolder option in YaST. |
In addition to SSL, you must specify the public URL in an untrusted environment. Set the public URL to the DNS name of the server rather than an IP address, so that the client connects by DNS name. A client that uses the DNS name can still reach the server after it has been moved to a network outside the firewall. For this to work, the server must be reachable by requests from both inside and outside the firewall, either directly or through a configured gateway.
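The two rules above (DNS name rather than IP literal; SSL required in an untrusted environment) are easy to check before rolling a configuration out. The following is an added example, not code from the iFolder product or this guide: a small validator that takes the public URL and whether the environment is trusted, and returns a list of findings. The helper name `check_public_url` and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_public_url(public_url, trusted):
    """Return a list of findings for an iFolder public URL.

    Hypothetical helper (not part of iFolder). `trusted` is True for a
    deployment inside the firewall, False for an untrusted environment.
    An empty list means the URL follows the deployment recommendations.
    """
    findings = []
    parts = urlsplit(public_url)
    host = parts.hostname

    if parts.scheme not in ("http", "https"):
        findings.append("scheme must be http or https")
    if not host:
        findings.append("no host in public URL")
        return findings

    # An IP literal ties every client to one network path; a DNS name lets
    # the same client connect from inside or outside the firewall.
    # ip_address() accepts both IPv4 and bracketed IPv6 hosts as returned
    # by urlsplit(), and raises ValueError for a DNS name.
    try:
        ipaddress.ip_address(host)
        findings.append("public URL uses an IP literal; use the server's DNS name")
    except ValueError:
        pass

    # Untrusted environment: SSL is mandatory, so the public URL must be https.
    if not trusted and parts.scheme != "https":
        findings.append("untrusted environment requires SSL (https) on the public URL")

    return findings


if __name__ == "__main__":
    # Constructed sample URLs; the hostnames and IPs are documentation values.
    for url, trusted in [
        ("https://ifolder.example.com/", False),
        ("http://192.0.2.10/", True),
        ("http://192.0.2.10/", False),
    ]:
        print(url, "trusted" if trusted else "untrusted", check_public_url(url, trusted))
```

The validator only inspects the URL string; it does not resolve the name or open a connection. When SSL is enabled, the DNS name you configure here is also the name clients will expect to find on the server certificate, so choose the name before requesting the certificate.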
In a single-server configuration there is no practical limit on the number of users provisioned to the server, but 1000 users can be serviced at a time. The recommended load on a single server is 4000 provisioned users with 1000 active: all 4000 users can be connected to the server, but only 1000 are active at any one time.
This scalability data is for a server with a single dual-core processor and 4 GB RAM. If the server has more capacity, such as four processors with 16 GB RAM, the supported load scales up with the hardware.
A multi-server setup is best when there are many users or when they are distributed across locations. Multiple servers let you load-balance a large user population, and if your users are spread across many locations, you can provision them to the nearest iFolder server for better response time. This lets you scale in an enterprise where users are located at different sites within the same geography and across geographies.
iFolder 3.6 must be used only in a trusted environment because it has no SSL support. iFolder 3.7 and later versions support SSL, and it can be disabled during configuration in a trusted environment. Regardless of the server-side SSL setting, the initial user login always uses SSL to safeguard the credentials; it is the only exchange that does so when SSL is disabled. See Section 14.2.4, Web Admin Configuration, for the Web Admin Console features that apply to this deployment.
The Web Admin console lets you create policies for the system as a whole or for each user or group. LDAP groups are supported in iFolder 3.7 and later versions.
For a single-server setup, and for a multi-server setup within the same location, automatic provisioning is recommended. For multiple locations, LDAP attribute-based provisioning is recommended. The Web Admin console also offers manual provisioning, which assigns users to a specific server and overrides the auto-provisioning algorithm. For more information, see Provisioning / Reprovisioning Users and LDAP Groups for iFolder in the Novell iFolder 3.9.2 Administration Guide.
To limit the iFolder count, log in to the Web Admin console as an iFolder administrator. On the System page, enable the iFolder limit policy and set it to one. (This policy is available only in iFolder 3.7 and later versions.) This ensures that only one iFolder is allowed per user; in this deployment that iFolder is the My Documents directory. For more information on policies, see Viewing and Modifying iFolder System Information in the Novell iFolder 3.9.2 Administration Guide.
You can use the System page of the Web Admin console to manage iFolder sharing. By default, iFolder sharing is enabled. If you disable this option, users cannot share their My Documents iFolder with other iFolder users.
The file exclusion list ensures that unwanted files are not synchronized from the user's copy of the iFolder to the server. For example, add .mp3 to prevent users from uploading MP3 music files. Video files can be excluded in the same way, because they are usually large and consume bandwidth and disk space.
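The exclusion list is entered as extensions such as .mp3, so it is worth being explicit about what such an entry does and does not cover. The following is an added example, not code from iFolder or this guide, showing one reasonable interpretation: matching on the file's final extension, case-insensitively, so that Song.MP3 is excluded but notes.mp3.txt is not. The extension list, the helper names and the tolerant entry forms (mp3, .MP3, *.mp3) are assumptions; the page does not document iFolder's own matching rules.

```python
import os

# Constructed exclusion list in the spirit of the Web Admin policy described
# above: audio and common video extensions. Assumed values, not iFolder defaults.
EXCLUDED_EXTENSIONS = [".mp3", ".avi", ".mkv", ".mp4"]


def normalize_exclusions(patterns):
    """Normalize entries such as 'mp3', '.MP3' or '*.mp3' to a lowercase '.ext' set.

    Hypothetical normalization so that administrators' varied spellings of the
    same extension all behave alike.
    """
    normalized = set()
    for entry in patterns:
        entry = entry.strip().lower()
        if entry.startswith("*"):
            entry = entry[1:]
        if not entry.startswith("."):
            entry = "." + entry
        normalized.add(entry)
    return normalized


def is_excluded(path, patterns=EXCLUDED_EXTENSIONS):
    """True if the file's final extension is on the exclusion list.

    Only the last extension counts, so 'notes.mp3.txt' is a text file and
    would still synchronize; matching ignores case so 'Song.MP3' is excluded.
    """
    _, ext = os.path.splitext(os.path.basename(path))
    return ext.lower() in normalize_exclusions(patterns)


def filter_sync_set(paths, patterns=EXCLUDED_EXTENSIONS):
    """Split candidate files into (synced, skipped) lists before upload."""
    synced, skipped = [], []
    for path in paths:
        (skipped if is_excluded(path, patterns) else synced).append(path)
    return synced, skipped


if __name__ == "__main__":
    # Constructed sample file names from a user's My Documents iFolder.
    sample = ["report.doc", "Music/Song.MP3", "notes.mp3.txt", "clips/holiday.mp4"]
    synced, skipped = filter_sync_set(sample)
    print("synced:", synced)
    print("skipped:", skipped)
```

Because only the final extension is checked, a user can defeat the policy by renaming a file; the exclusion list controls bandwidth and disk usage, it is not a content-inspection control.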
iFolder 3.6 and later versions support user passphrase-based encryption of an iFolder. This encryption is independent of the SSL channel used for communication, and it ensures that the data is stored encrypted on the server. In a trusted environment it may not be needed: an iFolder created this way encrypts data on the fly, which reduces synchronization performance, and data in this mode is not delta-synchronized. Passphrase-based encryption is therefore not recommended for the My Documents iFolder in a trusted environment.
The Web Access server must be installed on a dedicated server if more than 10% of the total number of users are expected to use the Web Access console to access their iFolders.
For better performance in a trusted environment, do not configure the Web Access server to use SSL for server communication or for user communication.
In an untrusted environment, the Web Access server must be configured to use SSL for both server and user communication. This provides greater security.
This setup ensures that every user's My Documents folder is an iFolder and that it is the only iFolder for that user. This is similar to the iFolder 2.x setup, where only one iFolder is allowed per user.
In iFolder 3.7 and later versions, you can limit the number of iFolders per user from the Web Admin console. This gives you control over the number of iFolders and over the amount of data transferred between the servers and the clients.
Administrator: Limit the number of iFolders per user (including the default iFolder) to one.
User: Users select My Documents as their default iFolder when the account is created, and then synchronize.