
Deployment guide

Orchestria Active Policy Management Version 6.0

Copyrights Copyright ©2001-2008 Orchestria Limited. All rights reserved. US Patent 7,333,956. Other US and international patents granted or pending. “Orchestria” and the conductor device are registered trademarks of Orchestria Corporation. Copyright in and ownership of this manual is and shall at all times remain in Orchestria. No part of this manual may be reproduced without the prior written permission of Orchestria and the contents of this manual are and shall remain confidential. The delivery of this manual shall in no circumstances imply that the information contained herein about Orchestria Active Policy Management (APM) is in the public domain. Accordingly, disclosure of the contents of this manual or any part thereof to a third party will constitute a breach of the confidentiality provisions of any agreement for the use of Orchestria APM. Optional Content Search and Agent technology used under license from and Copyright ©2007 FAST Search and Transfer International AS. Outside In® Content Access Copyright ©1991, 2007 Oracle Corporation.

Disclaimer Every effort has been made to ensure that this document accurately describes the operation of Orchestria APM. However, Orchestria does not accept any responsibility for the consequences of any discrepancies between the description of Orchestria APM contained in this manual and the Orchestria APM system as implemented. Orchestria also reserves the right to make amendments to the contents of this manual from time to time to reflect changes made to the specification of Orchestria APM or for any other reason.

Trademarks Altiris and RapidInstall are registered trademarks of Altiris, Inc. BlackBerry is a trademark of Research In Motion Limited. Bloomberg is a registered trademark of Bloomberg LP. Centera and CentraStar are trademarks of EMC Corporation. Citrix is a registered trademark of Citrix Systems, Inc. Enterprise Vault is a registered trademark of Symantec Corporation. FaceTime is a registered trademark of FaceTime Communications, Inc. FAST is a trademark of Fast Search and Transfer ASA. IBM, DB2, Domino, Lotus Notes and Notes are registered trademarks of IBM Corporation. IM Manager is trademark of IMlogic, Inc. Iron Mountain is a registered trademark of Iron Mountain, Inc. Linux is a registered trademark of Linus Torvalds. Microsoft, Windows, Internet Explorer and Outlook are trademarks or registered trademarks of Microsoft Corporation. Oracle is a registered trademark of Oracle Corporation. Parlano and MindAlign are registered trademarks of Parlano, Inc. Red Hat is a trademark of Red Hat, Inc. Sendmail is a trademark of Sendmail, Inc. SnapLock,

To this:

userName="SYSTEM"

This change ensures that the IIS 5.x process runs using the LocalSystem account, which has the system privileges required by the iConsole servers.

Note: You do not need to change the default account for IIS version 6 and higher.

Chapter 5 iConsole


Kerberos authentication

Applicable if the application server and front-end Web server are on separate machines.

The iConsole uses Microsoft's Kerberos Authentication, with Windows Delegation, to allow the credentials of the user accessing the iConsole to be passed to the CMS for logon. The credentials are either used directly, if you are using Orchestria APM single sign-on functionality (see page 105), or used to record the native user name being used to access the CMS. For this process to work if the iConsole front-end server and application server are on separate machines, you must adhere to the following requirements:

1. The iConsole servers must be in the same Active Directory domain. If the value for WebServiceMachine is not the Fully Qualified Domain Name (FQDN), then the front-end machine must be trusted for Delegation. For details, see the Microsoft TechNet article ‘Allow a computer to be trusted for delegation’. The URL for this article is: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b207ee9c-a055-43f7-b9be-20599b694a31.mspx

2. You must configure the Microsoft Internet Information Services (IIS) version 6 Application Pool to run as the Network Service account. This is the default configuration.

3. Kerberos must be correctly configured. Check the Windows System Event log for errors. See the next section for details.

4. Internet Explorer on the user's machine must have the Enable Integrated Windows Authentication (requires restart) setting enabled. This is the default setting in most configurations of Internet Explorer.

If you do not adhere to these requirements, this can result in the error ‘You are not authorized to connect to the Orchestria iConsole’, with a 401 error code.

Is Kerberos active?

To check whether Kerberos is active on an iConsole server, run a netdom command:

Syntax

netdom verify /d:

Example

netdom verify /d:unipraxis.com ux-hardy-as

Note: netdom is not installed by default, but is available from support.cab in the \Support\Tools folder on your Windows distribution media.

If Kerberos is active, this command generates a confirmation, such as:

The secure channel from UX-HARDY-AS to the domain UNIPRAXIS.COM has been verified. The connection is with the machine \\UX-SRVR.UNIPRAXIS.COM. The command completed successfully.

If Kerberos is not active, check for Kerberos entries in the Security event log in Windows Event Viewer. The most common local problem is timing; the server clock must be within five minutes of the domain controller clock. Other Kerberos problems typically affect the entire domain or require domain administrator permissions. For example, if Kerberos cannot authenticate a user because their account has become corrupt in Active Directory, the account must be reset on the domain controller.


Browser host machine

The iConsole is a browser-based application. These requirements apply to the browser host machine.

Internet Explorer: You need to run the iConsole in Microsoft Internet Explorer 6 or 7.

Outlook: When browsing search results, if a reviewer wants to view a copy of an actual e-mail (that is, they want to open a downloaded .msg file), the browser host machine also needs Microsoft Outlook 2003, or 2007.

Note: If Outlook is not available, the reviewer can still save the downloaded .msg file.

Version check utility: Wgncheck.exe

Wgncheck.exe detects the file version of various software components (for example, Microsoft Windows Installer and Internet Explorer), compares these local versions against the minimum version supported by Orchestria APM, and displays the results for each component. Find this utility in the \Win32\Support folder on the Orchestria APM distribution media. For usage instructions, please refer to support.htm, also in the \Win32\Support folder.


Set up SMTP e-mail

From the iConsole reviewers can send e-mails to colleagues, alerting them to messages or issues that require their attention. These e-mails are referred to as ‘audit e-mails’. To allow iConsole users to send audit e-mails, you must configure the front-end Web server so it can connect to an SMTP server (that is, a machine that can deliver SMTP e-mails).

Enable the SMTP Service

The SMTP Service allows the local machine to deliver SMTP e-mails. Typically, the front-end Web server points to an existing, remote SMTP server, but if required you can enable the SMTP service locally.

1. On the host machine for the front-end Web server, ensure that you are logged on with local administrator rights.

2. Open the Windows Components Wizard. This is available from the Add or Remove Programs applet.

3. Select Internet Information Services (IIS) and click Details to display the IIS subcomponents.

4. Select the SMTP Service subcomponent and click OK to return to the Windows Components Wizard. This service supports the transfer of e-mails.

Note: To determine the identity of the sender for audit e-mails, see page 91.

Configure the SMTPServer registry value

If the SMTP service is not being used on the local server, you must edit the registry on the front-end Web server to point to a remote SMTP server. To do this, locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Web

Within this registry key, edit the following value: SMTPServer

SMTPServer Type: REG_MULTI_SZ

AutoGenerate... validation=” /> Note that the validation parameter can be set to any encryption algorithm, such as SHA1 or 3-DES.

5.1 In Cluster Administrator, take the cluster offline.

5.2 Restart IIS on all nodes.

5.3 Bring the cluster back online.


Improving iConsole performance

Note: These improvements do not apply to search performance, which is dependent on how the CMS

2

method="post" runat="server">


URL query string logon method

This logon method uses http get and passes a user's Orchestria APM account credentials to the iConsole in the form of a URL query string.

However, this logon method is only suitable for iConsole deployments that hide the browser Address bar. This is because the user's name and password are appended to the iConsole URL in the Address bar and are therefore potentially visible to other users. To enable this method:

1. Locate the following registry key on the front-end Web server:

HKEY_LOCAL_MACHINE\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Web

2. Within this registry key, set the following registry value to 1: AllowURLLogon

Note: For full implementation details, please contact the Orchestria service desk—see page 23.

Enabling additional security

To enable these additional security measures:

1. Locate the following registry key on the front-end Web server:

HKEY_LOCAL_MACHINE\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Web

2. Within this registry key, set the following REG_DWORD registry value to 1: EnforceEncryptedLogon

Warning: If encryption enforcement is applied, then the POST form variable supplied with the Web form logon method must be encrypted. If it is not, then the logon fails.

Setting the security timeout

To enable and configure the optional timeout, you need to configure the following registry values:

EnforceLogonTimestamp

Type: REG_DWORD
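One way to check the logon settings described above on a front-end Web server, as an added PowerShell example that is not part of the Orchestria guide: it reads AllowURLLogon, EnforceEncryptedLogon and EnforceLogonTimestamp from the Web registry key and reports where credentials can travel in a URL or in an unencrypted POST variable. The function names and the Wow6432Node path (the registry view used by 32-bit components on 64-bit Windows) are assumptions; the key path and value names are the ones given in this guide.

```powershell
# Added example (not vendor code): read-only audit of the iConsole logon
# registry values named in this guide. It changes nothing on the machine.

# Key path and value names come from the guide. The Wow6432Node path is an
# assumption: it is where 32-bit components see HKLM\SOFTWARE on 64-bit Windows.
$WebKeyPaths = @(
    'HKLM:\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Web',
    'HKLM:\SOFTWARE\Wow6432Node\Orchestria\Active Policy Management\CurrentVersion\Web'
)

function Get-RegistryNumber {
    # Returns the named registry value as a number, or $null when it is absent.
    param([string] $KeyPath, [string] $Name)

    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [long] $item.$Name
}

function Test-IConsoleLogonSettings {
    # Emits one result object per registry view in which the Web key exists.
    param([string[]] $KeyPaths = $WebKeyPaths)

    foreach ($keyPath in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        $allowUrlLogon    = Get-RegistryNumber -KeyPath $keyPath -Name 'AllowURLLogon'
        $enforceEncrypted = Get-RegistryNumber -KeyPath $keyPath -Name 'EnforceEncryptedLogon'
        $enforceTimestamp = Get-RegistryNumber -KeyPath $keyPath -Name 'EnforceLogonTimestamp'

        $findings = New-Object 'System.Collections.Generic.List[string]'

        # URL logon puts the user name and password in the query string, so they
        # show in the Address bar and in anything that records requested URLs.
        if ($allowUrlLogon -eq 1) {
            $findings.Add('AllowURLLogon=1: credentials are passed in the URL query string.')
        }

        # A missing value compares as "not 1", so absence is reported as well.
        if ($enforceEncrypted -ne 1) {
            $findings.Add('EnforceEncryptedLogon is not 1: an unencrypted POST logon variable is not rejected.')
        }

        # The guide names this value for the optional timeout; only presence is checked.
        if ($null -eq $enforceTimestamp) {
            $findings.Add('EnforceLogonTimestamp is not set: the optional logon timeout is not configured.')
        }

        [pscustomobject]@{
            KeyPath               = $keyPath
            AllowURLLogon         = $allowUrlLogon
            EnforceEncryptedLogon = $enforceEncrypted
            EnforceLogonTimestamp = $enforceTimestamp
            Findings              = ($findings -join ' ')
        }
    }
}

$results = @(Test-IConsoleLogonSettings)
if ($results.Count -eq 0) {
    Write-Output 'No iConsole Web registry key found on this machine.'
} else {
    $results | Format-List
}
```

An empty Findings field means URL logon is off, encrypted logon is enforced and the timeout value is present in that registry view.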

Further security measures

In addition to SSL support, Orchestria APM also enables you to encrypt HTML POST form variables using either ‘Triple DES’ (.

Backslash prefixes are needed to ensure the double quotes are handled correctly.

Double quotes: You must enclose the entire parameter value in "double quotes" if the value contains a space. In the example below, the target group for imported users is ‘LDAP users’:

/wr "LDAP Users"

/%1%=" And:

pp"{?%untilEnd%}":"/%1%" Prepends the search string with a forward slash '/' Where %1% is the extracted string from the search text.


Chapter 9. Object storage

This chapter describes the principal methods used for storing event attribute of the tag identifies the e-mail address that you want to store as the event participant in the CMS attribute of the tag identifies the Orchestria APM user account whose policy you want to apply to all scanned files. See page 268 for syntax details. If the policy participant is not specified, or the user account does not exist, policy engines apply the Default Policy for Files (defined in policy engines’ machine policy—see page 183).

Note: For further details about mapping file events to Orchestria APM users, see the ‘Event Participants’ technical note, available from the Orchestria service desk—see page 23.

i Not applicable to Microsoft SharePoint items.

You can configure your >

You can configure wgnpol.exe to read the original policy name from this comment in an exported policy file. To do this, you need to replace the policy name with an asterisk (*) in the command line operation. For example, to import the Sales.xml policy file back into its original group, run:

wgnpol import * -f Sales.xml

Users and groups

When specifying the account name for a user or group, please note the following:

If the top level user group:

- Has not been renamed (by default, 'Users'), type usermaster to specify its policy.

- Has been renamed (for example, to 'All Unipraxis users'), you specify its policy by typing its new name in the normal way.

The policy path root level is the management group of the CMS logon account. When you run wgnpol.exe, you must provide a logon account for the CMS. Wgnpol.exe takes the management group defined for this account as the root level of the policy path.

Machines

To specify an account name for a machine, use the details in the table below:

For a              Type
Common client      machinecommonclient
Common gateway     machinecommongateway
CMS
Utility machine

[Options]

The options supported in wgnpol.exe command line operations are listed in the table below. For example wgnpol.exe commands, see:

Command    Description

-a    Specifies automatic CMS logon. That is, wgnpol.exe uses the cached credentials for an Orchestria APM user account (if available) to log on automatically to the CMS.

-c    For export operations only. This specifies that the complete policy is exported to a file, including all settings and folders inherited from a parent policy. If this parameter is omitted, wgnpol.exe only exports a sparse policy. That is, it only exports those settings and folders that have been directly modified in the specified policy. Any settings and folders that were inherited unchanged from a parent policy are not exported to the target file.

-o    For import operations only. This specifies that complete policies (that is, those previously exported using -c) are included in the import operation.

-e    For implist operations only. Specifies that any duplicated list items are omitted from the import operation. Only 'exact matches' are omitted. Duplicate matching is case-sensitive.

-f    Specifies the path and file name to import or export to. Not valid for copy operations.

-m    For export operations only. This specifies that multiple policies for the selected group and all its subgroups are exported to a file. This includes the master policy. File names for each subgroup policy include a policy ID in them to ensure that filenames remain constant across multiple exports.

-b    For export operations using -m only. Specifies that unmodified (blank) policies are not exported.

-s    Specifies the name or IP address of the machine on which to operate. If you omit this option, wgnpol.exe defaults to the local machine.

-u    Specifies the user name for the Orchestria APM account that you want to use to log on to the CMS. If you omit this option, wgnpol.exe prompts for a user name.

-p    Specifies the password for the Orchestria APM account that you want to use to log on to the CMS. If you omit this option, wgnpol.exe prompts for a password.

-v    Specifies 'verbose' (fully detailed) output. This may be useful if, for example, you want to output operation details to a logfile.

-w    For implist operations only. Specifies how many data columns (the data 'width') you want to import from the source spreadsheet or CSV file. For example, -w 3 specifies that the first three fields in each line of a CSV file (or the first three columns in a spreadsheet) are imported to the target list setting. In the CSV extract below, the three e-mail addresses but not the "Equities Research" value will be imported into the policy list.

[email protected],[email protected],[email protected],"EquitiesResearch"

-? or -h    Displays usage instructions.

Chapter 24 Technical information

or

For implist or impsetting operations, you must specify the target policy setting that will receive the imported items. There are three alternative methods for specifying the target setting:

- Reserved keywords: For outgoing e-mails, the reserved keywords searchtext1, searchtext2 and searchtext3 refer respectively to the Included Search Text list setting in the Search Text 1, 2 and 3 control triggers.

- Policy path based on folder and setting display names: In the Orchestria APM Policy Editor screen, the status bar shows the policy path of the folder or setting currently selected, based on the folder and setting display names (the names shown in the policy tree, not the underlying XML node names). You can use these display names to specify the target setting for an import operation.

- Policy path based on XML node names: You can use the XML node names within policy files to specify a setting.

Wgnpol.exe examples

Example wgnpol.exe commands are shown in the following subsections:

Wgnpol.exe does not recognize the backslash \ as a policy path separator. You must therefore use forward slashes /. For example, "North America/Sales". However, backslashes are permissible if part of a user name. For example, "unipraxis\lyndasteel".

Export a policy

Unless stated otherwise, these command line operation examples all export policies to a file called sales.xml.

To export the policy for user unipraxis\lyndasteel from the machine CL-TAYLOR to a file called lyndasteel.xml, run:

wgnpol export unipraxis\lyndasteel -s CL-TAYLOR -f lyndasteel.xml

To export the policy for user unipraxis\lyndasteel, logging on to the CMS as Orchestria APM user unipraxis\spencerrimmel (whose password is 19apm77), to a file called lyndasteel.xml, run:

wgnpol export unipraxis\lyndasteel -u "unipraxis\spencerrimmel" -p 19apm77 -f lyndasteel.xml

If the top level user group has not been renamed, run this command to export the policy for the North American Sales group:

wgnpol export "usermaster/north america/sales" -f sales.xml

If the top level user group has been renamed (to 'All Unipraxis Users'), run this command to export the policy for the North American Sales group:

wgnpol export "all unipraxis users/north america/sales" -f sales.xml

If you log on to the CMS using an account that has /North America as its management group, run this command to export the policy for the North American Sales group:

wgnpol export "north america/sales" -f sales.xml

Or even just:

wgnpol export "sales" -f sales.xml

To export the policy for the gateway GW-CHICO to a file called new_gateway.xml, run:

wgnpol export GW-CHICO -f new_gateway.xml

To export all policies for user group 'All Unipraxis Users' and each of its subgroups to new files based on the name hierarchy.xml, run:

wgnpol export "All Unipraxis Users" -f hierarchy.xml -m

To export only the policies for user group 'All Unipraxis Users' and its subgroups, that have been edited, run:

wgnpol export "All Unipraxis Users" -f hierarchy.xml -m -b

Import a policy

To import the policy for user unipraxis\lyndasteel from a file called lyndasteel.xml, run:

wgnpol import unipraxis\lsteel -f lsteel.xml

If the top level user group has not been renamed, run this command to import the policy for the North American Direct Marketing group from a file called new_dirmarketing.xml, run:

wgnpol import "usermaster/north america/direct marketing" -f new_dirmarketing.xml

To import a machine policy to the common gateway policy from a file called new_gateway.xml, run:

wgnpol import machinecommongateway -f new_client.xml

Import a policy list

Reserved keywords: To import the first two fields in each record of the source file keynames.csv to the Included Search Text setting in the Search Text 2 control trigger for the policy of user unipraxis\lyndasteel, run this command:

wgnpol implist unipraxis\lsteel searchtext2 "keynames.csv" /w 2 /e /v /s CMS-HARDY /a

Policy path based on folder and setting display names: To import the first four fields in each record of the source file keywords.csv to the Included Search Text setting in the Search Text 1 control trigger for the policy of user unipraxis\lyndasteel, run this command:

wgnpol implist unipraxis\lsteel "Control/outgoing e-mails/control triggers/search text 1/included search text" "keywords.csv" /w 4 /e /v /s CMS-HARDY /a

Copy a policy

If you log on to the CMS using an account that has /North America as its management group, run this command to copy a group policy from North America/Sales to North America/Direct Marketing:

wgnpol copy "sales" "direct marketing"

To copy a machine policy from UNI-TAYLOR to the common client policy, run:

wgnpol copy UNI-TAYLOR machinecommonclient

To copy a machine policy from GW-GROUCHO to GW-CHICO, logging on to the CMS as Orchestria APM user unipraxis\srimmel (whose password is 19apm77), run:

wgnpol copy GW-GROUCHO GW-CHICO -u "unipraxis\srimmel" -p 19apm77


Version details

To check the assigned version of the common client policy, run this command:

wgnpol version machinecommonclient

To check the assigned version of policy for user unipraxis\lyndasteel, run this command:

wgnpol version unipraxis\lyndasteel

If the top level user group has been renamed (to 'All Unipraxis Users'), run this command to check the policy version for the North American Sales group:

wgnpol version "all unipraxis users/north america/sales"

Change a policy setting

To change the Intervention setting in a control action to 'Warn' and enforce the change, run this command:

wgnpol impsetting unipraxis\lsteel "Control/Outgoing E-mails/Control Actions/Control Action 1/Intervention" intervention.csv

Where intervention.csv has the following content:

warn,enforce

Enable a trigger

To enable and hide a Control trigger, run this command:

wgnpol impsetting unipraxis\lsteel "Control/Outgoing E-mails/Control Triggers/Search Text 1" enable.csv

Where enable.csv has the following content:

enable,hide


Replication holding cache

A replication holding cache is used to store captured or imported events that failed to replicate successfully to a parent server. If a parent server is unable to store a replicated event for any reason, it reports the failure back to the child machine which writes an entry for the ‘failed’ event to the replication holding cache.

By default, the child machine will attempt to resend events in the cache three times. After that, cached events remain in the cache until you manually delete them or reset the cache (that is, restore them to the main replication queue). If required, you can reset the retry limit—see below.

Likewise, as a safeguard against serious or persistent replication failures, the holding cache has a maximum event threshold which, if exceeded, causes the local infrastructure to be suspended. This means, for example, that an import operation is suspended if the CMS is unable to store events arriving from an Event Import server. By default, this threshold is set to 100 events. To reset this threshold, see below.

Note: When you reset the cache on suspended machines, the machines are automatically resumed—see page 515.

Cache configuration

To override the default number of replication retries for failed events, or to change the cache’s maximum event threshold:

1. Add the following parameters to startup.properties on each child machine—find this file in the \system subfolder of the Orchestria APM installation folder. For example, to specify five retries and a 200 event cache limit, add these parameters:

rep.retryThreshold=5
rep.cacheSuspendThreshold=200

2. After editing startup.properties, restart the local Orchestria APM infrastructure—see page 488.

Managing the cache

If replication failures occur repeatedly, you need to examine the events in the holding cache to determine and resolve the cause of the failures. You can then either reset or clear the cache.

Dump the cache contents

To dump the contents of the cache to a text file, run the following command. Cached events are output to CacheData.txt in the \System subfolder of the Orchestria APM installation folder.

wgninfra -exec wigan/infrastruct/replication/NetworkMonitor DumpHoldingCacheData CacheData.txt

Clear the holding cache

To clear the replication cache (that is, delete the cached events), run the following command:

wgninfra -exec wigan/infrastruct/replication/NetworkMonitor ManageHoldingCacheData delete

Where and are event identifiers in the cache dump file. All events within the specified range of identifiers will be deleted. To delete all events in the cache, specify the identifiers for the top and bottom rows in the dump file (that is, the first and last events in the cache).

Reset the holding cache

After diagnosing and resolving a replication problem, you can reset the cache. That is, you can move cached events back to the main replication queue for re-sending to the parent server. Orchestria APM provides methods to do this manually and automatically—see page 515.


Reset the holding cache

When you reset the holding cache, cached events are moved back to the main replication queue for re-sending to the parent server. You typically reset the holding cache after diagnosing and resolving a replication problem.

You can manually reset the holding cache. You can also set up scheduled operations to automatically reset the cache at regular intervals. Note that scheduled cache resets on suspended machines will automatically resume the machine (if the suspension was cache-related).

Manually reset the holding cache

To do this, run the following command:

wgninfra -exec wigan/infrastruct/replication/NetworkMonitor ManageHoldingCacheData reset

Where and are event identifiers in the cache dump file. All events within the specified range of identifiers will be reset. To reset all events in the cache, specify the identifiers for the top and bottom rows in the dump file (that is, the first and last events in the cache). You can also configure the local machine policy to automatically reset the holding cache at scheduled intervals—see the next section.

Automatically reset the holding cache

In some situations, it is not practical to manually reset the holding cache on every machine that requires it. For this reason, Orchestria APM allows you to schedule operations to automatically reset the holding cache. For example, a blob (Binary Large Object) file is quarantined by antivirus software on a client machine. Here, the maximum number of retries (fresh attempts to replicate the quarantined event) will be quickly used up. After diagnosing the problem by checking the log files on the parent server, the only intervention required from the Orchestria APM administrator is to remove the blob file from quarantine; the scheduled cache reset will then automatically return the blob file to the main replication queue.

To schedule automatic cache resets, you edit the following settings in the \Replication policy folder of the local machine policy:

Replication Holding Cache Reset Frequency:

This setting specifies how often (in days) the replication holding cache is reset. Defaults to 3.

Setting this value to zero enables the holding cache to be reset more than once per day with the Reset Time setting controlling the time (in minutes) between resets.

Note: Setting both the Reset Time and Reset Frequency values to zero prevents holding cache entries from being reset.

Replication Holding Cache Reset Time

This setting is dependent on the value of the Reset Frequency. That is, if the Reset Frequency setting is:

- zero, then this setting is the number of minutes between cache resets. Defaults to 180 (minutes).

- non-zero, then this setting represents the number of minutes from midnight at which the replication holding cache is reset. For example, to schedule a reset for 9:00pm, enter 1260 (that is, 21 x 60). The reset will run at this time on each day that a reset is scheduled. Defaults to 180 (3:00am).

Note: Setting both the Reset Time and Reset Frequency values to zero prevents holding cache entries from being reset.

Automatically resume suspended machines on scheduled cache reset

To streamline machine administration, if you reset the holding cache on a suspended child machine, the infrastructure on that machine is automatically resumed if it was suspended because its maximum event threshold had been exceeded.

This ensures, for example, that scheduled automatic cache resets are indeed fully automatic and require no manual intervention.

Note: If you manually reset the cache on a suspended machine, you must also manually resume the infrastructure on that machine.


Copy Orchestria APM log entries to Windows logs Orchestria APM provides two optional mechanisms for writing log entries to a local Windows event log (accessible through the Windows Event Viewer). This enables you to use third party monitoring and alerting software such as Microsoft Operations Manager (MOM) to notify your administrators when an Orchestria APM error occurs, for example, by forwarding the error message to pagers or sending an e-mail alert.

Registry change for non-infrastructure Orchestria APM log files

For Orchestria APM logfiles that are not maintained by the infrastructure (for example, the iConsole, Event Import and Universal Adapter logs) you must edit the registry if you want to copy Orchestria APM log entries to the local Windows Application log. Specifically, you need to modify a value in the following registry key:

HKEY_LOCAL_MACHINE\Software\Orchestria\Active Policy Management\CurrentVersion\Logging

Within this registry key, edit the following value:

EventLogLevel
Type: REG_DWORD
Data: Defaults to 0. This determines whether or not Orchestria APM log entries are also written to the local Windows Application log. The default value of zero disables Windows logging. That is, log entries are not written to the Windows log. If you specify a non-zero value, entries are written to the Windows log. The supported logging levels are:

0  Disable Windows logging
1  Errors only
2  Errors and warnings
3  As 2, plus informational and status messages

But be aware that the Windows logging level is limited by the level already defined for the Orchestria APM logfile. You cannot write more information to the Windows log than is written to the Orchestria APM log. For example, if the iConsole LogLevel registry value is set to 1 (see page 96), only errors are written to the Orchestria APM logfile. This means the iConsole can also only write errors to the Windows log (EventLogLevel is effectively limited to 1). Similarly, if the equivalent Event Import parameter Engine.LogLevel is set to 2, import errors and warnings are written to the Orchestria APM logfile and can also be written to the Windows log file (that is, EventLogLevel can also be set to 2).

Note: Lost connection between iConsole servers. Be aware that if there is a connection failure between the iConsole application server and front-end Web server, Orchestria APM log entries are automatically written to the local Windows log file on the front-end Web server, regardless of how EventLogLevel is configured. This precaution is vital for diagnosing such connection failures.

Machine policy configuration for infrastructure-maintained log files

For log files maintained by the Orchestria APM infrastructure (for example, the Activity, Replication and System logs), you can edit the Write to Windows Event Log setting in the local machine policy to ensure that Orchestria APM log entries are copied to the local Windows event log. For details about the necessary policy changes, see the Administrator guide; search the index for ‘Windows event logs’.


Orchestria APM installations on 64-bit machines

Orchestria APM components are typically 32-bit applications. Currently, the sole exception is the Exchange 2007 server agent, which is a 64-bit application (because Exchange Server 2007 itself requires a 64-bit operating system and hardware).

Exchange 2007 server agent and policy engine hub

You can only install the Exchange 2007 server agent on 64-bit machines. However, when you install the server agent, a 32-bit policy engine hub (PE hub) is also installed automatically. This has implications for the location of the installation folders, registry keys, log files, and performance counters (see page 518). Indeed, these implications apply equally if you install any 32-bit Orchestria APM component (such as a policy engine) on a 64-bit machine. See below for details.

Note: Typically, 32-bit applications or components will run on 64-bit systems in 32-bit compatibility mode.

Installation folder

On 64-bit machines, 32-bit applications are installed to their own ‘32-bit’ installation folder. So while the 64-bit Exchange 2007 server agent is installed to a subfolder below the \Program Files folder, 32-bit components such as the PE hub are installed below \Program Files (x86).

[Figure: Orchestria APM installation folders, 64-bit machines. 1: Exchange 2007 server agent installation folder. 2: PE hub installation folder.]

Registry keys

When 32-bit applications such as the PE hub are installed on 64-bit machines, any associated registry keys are created in their own ‘32-bit’ subkey. So while registry values for the Exchange 2007 server agent are created in the \SOFTWARE\Orchestria subkey, registry values for the PE hub are created in the \SOFTWARE\Wow6432Node\Orchestria subkey.

[Figure: Orchestria APM registry keys, 64-bit machines. 1: Exchange 2007 server agent registry key. 2: PE hub registry key.]

Note: Why ‘WOW64’? On a 64-bit Windows operating system, there is an emulation of a 32-bit operating system called ‘Windows on Windows 64’, or WOW64.
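On a 64-bit host, the Logging key of a 32-bit component sits under Wow6432Node, so EventLogLevel has to be read from the correct registry view before you rely on Windows event forwarding for alerting. The following PowerShell is an added example, not part of the Orchestria guide: the function names and the -ComponentLogLevel parameter are hypothetical, while the key path, value name and level meanings are those given in this guide.

```powershell
# Added example (not from the Orchestria guide). Key path, value name and level
# meanings come from the guide; function and parameter names are hypothetical.

$LoggingSubKey = 'SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Logging'
$LevelMeaning  = @{
    0 = 'Windows logging disabled'
    1 = 'Errors only'
    2 = 'Errors and warnings'
    3 = 'Errors, warnings, informational and status messages'
}

function Get-ApmEventLogLevel {
    param([Parameter(Mandatory = $true)][Microsoft.Win32.RegistryView]$View)

    # Opening HKLM with an explicit view gives the same answer from a 32-bit
    # or a 64-bit PowerShell process; Registry32 maps to Wow6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($LoggingSubKey)      # read-only; $null if absent
        if ($null -eq $key) { return $null }
        try     { return [int]$key.GetValue('EventLogLevel', 0) }  # guide: defaults to 0
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

function Get-ApmWindowsLoggingReport {
    param(
        # Level already set for the component's own APM logfile (for example the
        # iConsole LogLevel value). Its location is not given in this section,
        # so the caller supplies it.
        [Parameter(Mandatory = $true)][int]$ComponentLogLevel
    )

    $views = @(
        @{ Name = 'SOFTWARE\Orchestria (native view)'
           View = [Microsoft.Win32.RegistryView]::Registry64 }
    )
    if ([Environment]::Is64BitOperatingSystem) {
        $views += @{ Name = 'SOFTWARE\Wow6432Node\Orchestria (32-bit view)'
                     View = [Microsoft.Win32.RegistryView]::Registry32 }
    }

    foreach ($v in $views) {
        $configured = Get-ApmEventLogLevel -View $v.View
        if ($null -eq $configured) {
            $effective = $null
            $meaning   = 'Logging key not present in this view'
        }
        elseif (-not $LevelMeaning.ContainsKey($configured)) {
            $effective = $null
            $meaning   = "Unsupported EventLogLevel value $configured"
        }
        else {
            # Windows logging can never be more verbose than the APM logfile.
            $effective = [Math]::Min($configured, $ComponentLogLevel)
            $meaning   = $LevelMeaning[$effective]
        }
        [pscustomobject]@{
            RegistryView   = $v.Name
            EventLogLevel  = $configured
            EffectiveLevel = $effective
            Meaning        = $meaning
        }
    }
}

# Case described in the guide: the iConsole LogLevel is 1, so at most errors
# reach the Windows log whatever EventLogLevel says.
Get-ApmWindowsLoggingReport -ComponentLogLevel 1 | Format-Table -AutoSize
```

A row whose effective level is 0 means that no Orchestria APM entries from that component reach the Windows Application log, so monitoring tools that read the event log will receive nothing from it.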


Log files

In Orchestria APM 6.0, log files are written to the \data\log subfolder of the Windows All Users profile; see the Administrator guide and search the index for ‘logfiles’. This means, therefore, that on a 64-bit machine, log files for both the Exchange 2007 server agent and the PE hub are in the same location.

But in Orchestria APM 5.0 and earlier releases, log files are written to the \system\data\log subfolder in the Orchestria APM installation folder. Consequently, on a 64-bit machine log files for the Exchange 2007 server agent and the 32-bit PE hub are written to different locations; see the previous ‘Installation folder’ section for details.

Performance counters

On a 64-bit machine, there are two instances of the Performance applet (perfmon.exe). Find these in:

- C:\Windows\System32: This is the main System folder for the 64-bit operating system. The Performance applet in this folder can only display Orchestria APM performance counters for the Exchange 2007 server agent. (The folder name, an apparent misnomer, is a legacy of the folder naming scheme in earlier Windows operating systems.)
- C:\Windows\SysWOW64: The Performance applet in this folder can display Orchestria APM performance counters for both the Exchange 2007 server agent and the hub. For simplicity, we recommend that you use this instance of the Performance applet.

[Figure: Performance utility, 64-bit machines. 1: Only performance counters for the Exchange 2007 server agent are available via the Performance applet in the System32 folder. 2: Performance counters for both the Exchange 2007 server agent and PE hub are available via the Performance applet in the SysWOW64 folder.]

25. Known issues

This chapter describes various known deployment issues. These include policy engine upgrades, troubleshooting e-mail server agents, support for Far Eastern characters, and IM Import issues. For details, see:

- General deployment
- Policy engines
- Far Eastern characters
- E-mail server agents
- Event Import
- IM Import
- Quarantine Manager
- Windows XP and 2003
- iConsole

Contact us

If you need to contact us, please refer to page 23.

General deployment

Stopping or starting the infrastructure without rebooting

If you need to stop or restart the Orchestria APM infrastructure, you can do so using the wgninfra service. Run the following commands:

Stop infrastructure:

net stop wgninfra

Restart infrastructure:

net start wgninfra


Do not install to encrypted folders

Do not install Orchestria APM to an encrypted folder or file system. This also applies to your CMS data folder (see page 33, step 6).

Note: For SQL Server users, you must also ensure that the \Data folder is not compressed. See the Database guide.

Laptop users and dial-up connections

Laptop users who normally connect to the CMS using a dial-up connection may be prompted for their dial-up connection details if they subsequently connect to the CMS over a LAN. To prevent the Dial-up Connection dialog from appearing, laptop users must edit the dial-up settings in their Internet Explorer properties. To do this, they must:

1. Open Internet Options in the Control Panel.
2. Go to the Connections tab.
3. In the Dial-up Settings list, choose ‘Dial whenever a network connection is present’.

Policy engines

Policy engine upgrades from Orchestria APM 3.0

When upgrading policy engines from an Orchestria APM 3.0 installation, the following policy engine files are not upgraded: wgndlook.dll, wgnpe.dll and wgnpesv.exe. In Orchestria APM 3.0, these files were installed using a batch file, not the server installation wizard. For a successful server upgrade, we therefore recommend:

- Either uninstall Orchestria APM 3.0 before installing Orchestria APM 3.1 or later.
- Or directly upgrade to Orchestria APM 3.1 or later from version 3.0, but then use Add or Remove Programs to manually update the policy engine using the Orchestria APM server installation wizard. When the wizard launches:
  1. In the Program Maintenance screen, choose Modify.
  2. In the Custom Setup screen, select the Policy Engine feature.
  3. In the final wizard screen, click Install to begin the file transfer.


Far Eastern characters

Note the limitations on using Far Eastern characters in installation paths and computer names, and displaying these characters in Orchestria APM consoles (page 521).

Do not use Far Eastern characters in installation paths

Orchestria APM cannot handle installation paths that contain Far Eastern characters. If you install Content Services components to a non-default location, the target path must not include folders whose names contain Far Eastern characters!

Computer names with Far Eastern characters

Orchestria APM does not support computers with names that contain Far Eastern characters. If you try to install Orchestria APM on these computers, the installation fails. However, you can install Orchestria APM on computers running Far Eastern versions of Windows if the computer name only contains Roman-based ('English') characters.

Displaying Far Eastern characters

Orchestria APM consoles can display captured or imported events and user names that contain strings of Far Eastern characters. But first you must set up your console machines and (if required) your Oracle database to provide Unicode support.

- Client machines: You need to implement Unicode support on all Orchestria APM client machines that are likely to capture e-mails and other events containing Unicode characters (for example, Far Eastern text). You must also implement Unicode support on all client machines running an Orchestria APM console and which are likely to display events or user names that contain Unicode characters. To do this, you need to edit the startup.properties file. For details, see page 50.
- Oracle database: If your Orchestria APM installation uses an Oracle database, you must also set up the database for Orchestria APM to use UTF-8 encoding for the DBMS code page. For details, see the Database guide.

Note: There is no equivalent requirement for SQL Server databases. SQL Server databases automatically support Unicode characters.


E-mail server agents

Failure to generate e-mail events

If the Exchange server agent fails to generate e-mail events, the following questions can help you to diagnose the problem.

Has a policy engine been activated?

Use Process Explorer (from www.sysinternals.com) to ensure that a wgnpesv.exe service is running on the policy engine host machine and using the correct user account; see ‘Specify a PE domain user’ on page 179. If it is not:

- Has the policy engine service been set to run as the correct named user?
- Have the same credentials been assigned to the policy engine hub?
- Have the policy engines been defined and configured correctly in the hub registry?
- Does the NT System or Application event log on either machine contain relevant information?
- Check the policy engine hub log file.

Has a policy engine stopped working?

To force the policy engine hub to disconnect and reconnect to a policy engine, remove the policy engine from the ActivePolicyEngines registry value (see page 198) then add it again.

Note: For the Exchange server agent, if you need to restart the policy engine hub, you must first stop the Internet Services (see ‘Uninstalling policy engines and e-mail server agents’ on page 186).

Is e-mail address mapping set up correctly?

- Check the machine policy settings on the policy engine host machine (see page 181).
- Check that the UserSpecificAddrPattern registry value is correctly configured with a pattern match for the e-mail addresses you want to detect (see page 198).

Is wgnemno.dll registered as an add-in?

Applies to the Domino server agent only. Confirm that the following line has been added to notes.ini on the Domino host server. Find this file in the same folder as the Domino executables, typically \Lotus\Domino.

EXTMGR_ADDINS=wgnemno.dll

If this line is not present, manually add this line and restart Domino.
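The first diagnostic question in this section (is wgnpesv.exe running, and under the intended logon account) can also be answered from PowerShell on the policy engine host, together with a look at recent errors and warnings in the Windows logs. This is an added example, not part of the Orchestria guide: the function name, the account EXAMPLE\svc-pe and the 24-hour window are constructed, and matching event text on the executable name is an assumption.

```powershell
# Added example (not from the Orchestria guide). The image name wgnpesv.exe is
# taken from the guide; the function name, the account 'EXAMPLE\svc-pe' and
# the 24-hour window are constructed for illustration.

function Test-ApmPolicyEngineService {
    param(
        # Logon account the guide calls the 'PE domain user'.
        [Parameter(Mandatory = $true)][string]$ExpectedAccount,
        # How far back to look in the Windows event logs.
        [int]$Hours = 24
    )

    # Match on the executable in the service image path, because the service
    # name itself is not given in this section of the guide.
    $services = @(Get-CimInstance -ClassName Win32_Service `
                    -Filter "PathName LIKE '%wgnpesv.exe%'")

    if ($services.Count -eq 0) {
        Write-Warning 'No service whose image path contains wgnpesv.exe was found.'
    }

    $serviceReport = foreach ($svc in $services) {
        [pscustomobject]@{
            Service        = $svc.Name
            State          = $svc.State
            LogonAccount   = $svc.StartName
            IsRunning      = ($svc.State -eq 'Running')
            # String comparison is case-insensitive; the account must be given
            # in the same form the service stores (for example DOMAIN\user).
            AccountMatches = ($svc.StartName -eq $ExpectedAccount)
        }
    }

    # Assumption: relevant entries mention the executable name in their text.
    $filter = @{
        LogName   = 'Application', 'System'
        Level     = 2, 3                       # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wgnpesv' } |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message)

    [pscustomobject]@{
        Services     = @($serviceReport)
        RecentEvents = $events
    }
}

$result = Test-ApmPolicyEngineService -ExpectedAccount 'EXAMPLE\svc-pe'
$result.Services     | Format-Table -AutoSize
$result.RecentEvents | Format-List
```

A service that is running but shows AccountMatches as False is the case the checklist warns about: the policy engine is up, but not under the credentials assigned to the policy engine hub.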

Unable to expand distribution lists with hidden membership

Applies to the Exchange server agent only. The fix for enabling a policy engine to expand hidden distribution lists depends on which version of Exchange Server you are using.

Fix for Exchange Server 2000 or later

If a distribution list in Exchange’s Global Address list has been configured to hide list members, policy engines will be unable to expand these distribution lists to identify and apply policy triggers to individual recipients. If you want policy engines to expand these distribution lists, you must ensure that the policy engine service account belongs to a group whose members have the necessary permissions to expand ‘hidden membership’ distribution lists.

Note: The logon account for the policy engine service (the ‘PE domain user’) is described on page 179.


Multiple notifications in response to a single e-mail

When an e-mail activates a control trigger, the sender of the e-mail can sometimes receive multiple warning or notification messages.

This can occur if an e-mail is sent, via an e-mail server with no server agent installed, to multiple recipients whose accounts are hosted on multiple e-mail servers. In this situation, either of the following scenarios can result in multiple notification messages being sent:

- The e-mail servers hosting the various recipients’ mailboxes each have a server agent installed. Policy is not applied to the e-mail until it reaches the server agents on subsequent e-mail servers. This example is shown in the figure below.
- The e-mail servers hosting the various recipients’ mailboxes are Exchange Servers that also host their own journals. There will then be multiple copies of the original e-mail, one in each journal on the recipient mailbox servers, plus one in the journal on the sender’s mailbox server. Policy is applied to each of these instances.

To avoid either of the above, we recommend that you install server agents on all server machines in the Orchestria APM enterprise.

[Figure: Multiple notification messages.
1: A user sends an e-mail and it transits through the e-mail server (1a), undetected. The recipients’ mailboxes (2b and 3b) are on two separate Exchange servers (2a and 3a).
2 and 3: An instance of the e-mail arrives at each e-mail server. Each instance is detected by an e-mail server agent (2c and 3c) and triggers a warning notification.
4: Each e-mail server agent then sends a warning message to the sender.
5: The user receives multiple notification messages in response to a single e-mail.]


Event Import

Imported e-mail timestamps are truncated

When importing e-mails using Outlook 2003 in Cached Exchange mode, Microsoft truncates the timestamps for e-mail events. That is, the timestamps are rounded down to the nearest minute. Orchestria APM then uses this timestamp to record when the event was captured, as shown in the table below:

Actual time sent           Capture date
2005-05-27 16:29:09.201    2005-05-27 16:29:00
2005-05-27 16:29:30.413    2005-05-27 16:29:00
2005-05-27 16:29:51.952    2005-05-27 16:29:00

As you can see in the example above, each e-mail was actually sent at a different time, but the capture date for each event is identical. The inaccuracy of this data could have an impact on other Orchestria APM features, such as filtering by capture date.

Cannot access an Exchange mailbox

When importing from an Exchange mailbox, the import operation may occasionally fail and report a ‘no user identifier available’ error. This is because the user account that the Orchestria APM Event Import service is logging on as does not have access to the mailbox. To check whether this user has the necessary permissions to open the mailbox:

1. Log on to Microsoft Outlook using the same user account as currently used by the Event Import service.
2. In Outlook, try to open the mailbox you want to import.
3. If this is unsuccessful, you may need to either:
   - Assign the necessary permissions to the current user.
   - Change the logon user that the service is using to be the same user account as the mailbox.
4. If step 2 is successful, then the access rights of the current user are not the problem in this case.


Cannot import unparented e-mails from a Notes database

When importing e-mails from Lotus Notes NSF files, be aware that the ‘source folder’ import parameters will fail to detect ‘unparented’ e-mails. These are e-mails which are not contained in a folder within a Notes database (that is, an NSF file). This normally only occurs if the e-mails are stored in a database that is not based on the standard e-mail template.

The import parameters that require the source e-mails to be contained in folders are:

- NSF.FolderName
- NSF.FailedMessageFolder

See pages 392 to 393 for details. In practice, this mainly affects e-mails that have been moved to the ‘failure’ folder following an unsuccessful import attempt (where the failure folder is defined by the NSF.FailedMessageFolder parameter). It could also affect e-mails in an NSF file with a flat folder structure. For example, this could apply to a subset of e-mails that have moved to a different NSF file for reporting or administrative purposes.

You can still import unparented e-mails, but the parameters specified above will not work. Instead, you can only use the NSF.DominoFileName parameter (see page 390) to locate the source e-mails.

NSF import and ‘End MIME to CD Conversion’ messages

Before using wgnimp.exe from a command line to import .NSF files, you need to adjust the logging level for the local Notes client. Failure to do so can cause multiple redundant ‘End MIME to CD Conversion’ messages to be output to screen when you run the import operation. To adjust the Notes logging level, add the following line to notes.ini on the Event Import host server:

converter_log_level=10

After adding this line, you will need to restart any local Notes application and any local .NSF Event Import operations.


IM Import

Bloomberg IM dump files are in US ASCII format

Bloomberg IM dump files are in US ASCII format, but can contain data captured from terminals in other languages such as German and Japanese. In these cases, archived IM conversations cannot be restored to their original language because no code page information is available to IMFrontEnd.exe.

Identifying conversation participants

If IM Import detects inconsistent formatting in Bloomberg IM dump files, it attempts to handle these inconsistencies but inevitably some minor anomalous formatting can occur. For example, Event Import may be unable to identify the full list of participants and so fail to create conversation events for these users.

Timestamps in IB Unified dump files are in EST

All events in the CMS database are stored in UTC time, but IB Unified dump files record events in EST. However, IMFrontEnd.exe is unable to reliably and universally convert EST times to UTC because the dump file data does not contain time zone information to enable it to calculate daylight saving adjustments. Instead, IMFrontEnd.exe assumes that it is running in the same time zone as the Bloomberg server that generated the IB Unified dump file and converts EST times to UTC on this basis.

Format requirement for imported attachments

The specification for the IB Unified format does not explicitly refer to attachments, but our analysis has determined that attachments are referenced by an 'Attachment:' entry in the message header. IM Import uses this header entry to import attachments. However, because this header entry is undocumented, it could change in the future, possibly preventing attachment files from being imported into Orchestria APM.

Increase size of .CNV cache to improve import performance

For certain IM dump files, IMFrontEnd.exe performance can be significantly improved by increasing the size of the .CNV file cache. To do this, you need to raise the value of the MaxFiles parameter (see page 425).

As IMFrontEnd.exe processes a dump file, it needs to continually open and write to the relevant .CNV file. But for certain dump file formats, especially MindAlign, the internal structure of the dump file requires that individual .CNV files need to be continually reopened and updated, rather than being generated and closed in a single operation. For these dump file formats, the comments that collectively make up an individual IM conversation, and which must be written to a single .CNV file, are not aggregated but occur throughout the dump file. This means that as IMFrontEnd.exe sequentially processes the dump file, it needs to continually open and close the relevant .CNV files. These file operations account for a high proportion of the total dump file processing time, so increasing the number of cached .CNV files can substantially reduce the processing overhead.

‘More recipients’ entries are ignored

Some messages include the text 'Note: More recipients' in their header. These entries are undefined in the format specification and currently disregarded by IM Import. Therefore, they do not appear in imported IM conversations.

Anomalous Join and Leave chat room actions

When reviewing an IM conversation in the Data Management console, participants may occasionally appear to join (or leave) chat rooms twice with no intervening 'leave' (or 'join') action. This is caused by inconsistent handling of these participant actions in Instant Bloomberg dump files.

Mismatch between participants information

When display names in the 'Join' and 'Says' actions do not match exactly, the name variant that cannot be mapped to an Orchestria APM user is included in the participants list, but no IM event is created for that user.

Quarantine Manager

Encrypted e-mails decrypted when released from quarantine

Applies only to encrypted e-mails captured by the Outlook or Notes client agents. Be aware that if an Orchestria APM client agent intercepts and quarantines an encrypted e-mail, when the e-mail is released from quarantine by a reviewer it will be forwarded unencrypted to the intended recipient(s). This is because Orchestria APM always stores copies of e-mails in clear text (that is, unencrypted).

Do not quarantine encrypted e-mails captured by server agents

We strongly recommend that you do not configure policy to quarantine encrypted e-mails detected by the Exchange or Domino server agents. This is because these encrypted e-mails are not decrypted by Orchestria APM. This means they cannot be read by a reviewer if quarantined, and may not be readable by the recipients if released from quarantine.


Windows XP and 2003

RDM, EAS and Windows 2003

This is a test you can run to confirm that Orchestria APM console users can retrieve e-mails archived in the Zantaz Exchange Archive Solution (EAS).

1. On the Remote Data Manager (RDM) server, ensure that you are logged on to Windows with the same logon account as that used by the Orchestria APM infrastructure service (wgninfra.exe).
2. Open Internet Explorer and use the following URL to browse to EAS:

   http:///EAS_APP/easweb.dll?ServerGetMsg&msgid=&serverID=&compressed=0

   where:
   - The host after http:// is the name or IP address of the EAS IIS server.
   - The msgid value is the numerical EAS message ID to be retrieved.
   - The serverID value is the numerical ID of the EAS server containing that message.

If Internet Explorer can retrieve a .MSG file from EAS in this way without being prompted for Windows credentials, then it will also be possible for RDM to do so.

Firewall configuration on Windows XP SP2 and 2003 SP1

Turn off ‘Don’t allow exceptions’

For Windows XP SP2 and Windows 2003 SP1, if the Windows Firewall is turned on, the Orchestria APM installation wizard automatically registers the Orchestria APM infrastructure as a firewall exception. This enables data to replicate unhindered through the firewall between Orchestria APM machines. However, this automatic configuration requires the firewall setting ‘Don’t allow exceptions’ to be turned off on the target machine; see the warning below.

Note: By default, the firewall is turned on for Windows XP SP2 and off for Windows 2003 SP1.

Warning: If ‘Don’t allow exceptions’ is on, the Windows Firewall allows no firewall exceptions, including the Orchestria APM infrastructure. This means that the client machine will be unable to contact its parent server. As a consequence, the client machine will be unable to receive any user or machine policies. This effectively paralyzes any Orchestria APM agents on the client machine so they are unable to monitor, capture or control users’ e-mail or Web activity.


iConsole

HTTP 404 error when browsing to the iConsole URL

If users get an HTTP 404 error (‘page cannot be found’) when trying to browse to iConsole, you need to check that the required IIS Web Service extensions are registered and allowed:

- Orchestria iConsole
- ASP.NET v1.1.4322

If either has been prohibited, you must set its status to ‘Allowed’ to enable users to browse to the iConsole.

Support for .NET Framework 2.0

The iConsole front-end Web server and application server both require .NET Framework 1.1 SP1, but they support .NET Framework 2.0 too if it is also running on the host machine. (Note that .NET Framework 1.1 SP1 and 2.0 are designed to co-exist.)

Warning: If only .NET Framework 2.0 is installed on the host machine, the iConsole installation wizard will detect this and stop the installation.

The iConsole installation wizard detects when both .NET Framework 1.1 SP1 and 2.0 are running on the host server and configures IIS accordingly. However, if IIS has been reconfigured, you may need to amend the properties of the iConsole virtual directories after installing an iConsole server. Specifically, if .NET Framework 2.0 or 3.0 have been set to be the default ASP.NET provider for all virtual directories, you must reset .NET Framework 1.1 to be the provider for the Orchestria and WgnWebService virtual directories. (This can happen if, for example, the .NET Framework 2.0 or 3.0 automatic update has been installed.)

To do this, reinstall Web.msi (the iConsole installation source image) and choose Repair. This will automatically reconfigure the Orchestria and WgnWebService virtual directories. To verify this change, go to the ASP.NET tab and confirm that the ASP.NET version is 1.1.4322 (this tab is only shown when multiple versions of .NET Framework are installed).

Note: These requirements apply to IIS 6.x only. The iConsole may support .NET Framework 2.0 with IIS 5.x, but this has not been tested.

Unable to download or forward original .msg file

Applies to Microsoft IIS 5.x only. If the iConsole application server uses IIS 5.x, attempts by reviewers to download e-mails can result in errors:

- When using the Download E-mail feature to download an event’s original .msg file, the user gets an ‘Unable to retrieve mail message’ error.
- When trying to send an audit e-mail with the original message attached, the user gets an ‘Unable to send mail’ error.

The reason for both error messages is the same. In order for IIS 5.x to use MAPI services on the application server, the local IWAM_ user must have local administrator rights. To assign these rights:

1. Open the Computer Management applet. This is available from the My Computer applet.
2. Browse to Local Users and Groups:
   2.1 Open the Groups folder, right-click Administrator and choose Properties.
   2.2 In the Properties dialog, add the user IWAM_ to the Administrator group.
3. Restart the IIS service.


Unable to send audit e-mails

Applies to Microsoft IIS 5.x only. If the iConsole application server uses IIS 5.x, users can encounter the following error messages when trying to send audit e-mails.

- SMTP server not running / Connection not configured correctly; The transport failed to connect to the server.
- Relay not configured correctly; The server rejected one or more recipient addresses. The server response was: 550 5.7.1. Unable to relay for [email protected].

These errors occur if the SMTP server is not running or the connection is not configured correctly.

Typically, an audit e-mail contains the original .msg file as an attachment. If this is the case, and the e-mail failed to send, users will encounter the following error message on trying to resend the same e-mail:

System.Reflection.TargetInvocationException:

This is because when the iConsole sends an e-mail with an attachment, it creates a temporary file for the attachment which is then deleted when the e-mail is sent. If the SMTP server is not running or the connection is not configured correctly, the temporary file is not deleted and the e-mail cannot be sent.

To enable the iConsole to send audit e-mails with or without the original .msg file, you must first ensure that the SMTP server is correctly configured and running and then restart IIS. For SMTP configuration details, see page 79.

Problem with multiple iConsoles on the same client machine

A configuration setting in Internet Explorer can cause unexpected behavior if multiple iConsole instances are running simultaneously on the same client machine. Specifically, a local registry value can cause all iConsole instances to share the same browser session. For example, if you have two iConsoles open in separate windows on the same machine, each connecting to a different CMS, this problem can inadvertently cause the second iConsole to reconnect to the CMS specified in the first iConsole.

If an iConsole user experiences this sort of problem, we recommend that you check the registry on the relevant host machine:

1. Locate the following registry key on the iConsole host machine (that is, the browser host machine; see page 78):

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

2. Within this \BrowseNewProcess subkey, you need to edit the following value:

   BrowseNewProcess

   You must ensure this registry value is set to Yes for correct iConsole operation.

Note: By default, this registry value is not present in the registry, but its operation defaults to Yes. Therefore you do not need to add this value if it is absent; you only need to set it to Yes if it is present and already set to No.

Index

Index A B C D E F G H

I

0—9 404 error, iConsole, 529 64-bit machines, 517 8.3 file names, disabling, 30

J K L M N O P Q R S T U V W X Y Z address mask, for iConsole audit emails, 93

archive acknowledgements, for XML metadata extractor, 472

Administration console client installation feature, 54 server installation wizard, 32

archive integration, 287 integration models, 289 EMC EmailXtender, 330 IBM DB2 CommonStore for Domino, 314 for Exchange, 305 ingestion methods, 292 Iron Mountain, 332 supported versions, 288 Symantec Enterprise Vault, 295 ZANTAZ Digital Safe, 323 ZANTAZ EAS, 293

/a parameter, for msiexec.exe, 489

administrative installation and Group Policy, 59 performing, 485

abandoned events Event Import, 356

administrative privileges selecting, 49

Account Import, 123 command files format notes, 148 machines, 152 users, 145 command line import, 134 Secure Sockets Layer, 135 data files, 125 e-mail address synchronization, 123 import methods, 124 import sources, 124 LDAP, importing from, 124 log files, 125 parameter files, 136 required privileges, 125 wizard, 126

Adminquiet.mst transform applying, 65

A

advertisements and SMS, 64 allow bulk session management, administrative privilege, 179 annotation, in imported command files See comments anonymous access, for iConsole, 100 API details, for External Agent, 342 API registry values, for External Agent, 345 Application Integration, 54 EnableAppmon.mst transform, 488 application server, for iConsole, 71, 530 connect to multiple CMSs, 82 requirements, 74

Active Directory Account Import source, 124 iConsole audit e-mails, 93

application, for iConsole, 529

address mapping See e-mail address mapping

A B C D E F G H

I

attachments for Bloomberg messages, importing, 368 audit e-mails for iConsole address mask, 93 configuring, 91 excluding from policy, 91 setting up SMTP e-mail, 79 audit feature in iConsole setting up, 91 authentication certificates Digital Safe integration, 324 Iron Mountain integration, 333 secure private tunnel, 118 iConsole, anonymous access, 100 slow iConsole authentication, 99 SQL Server accounts, 36

Orchestria Active Policy Management Deployment guide

B

tested configuration, 70 Client File System Agent, 278 deployment overview, 280 flow chart, 279 machine policy, 280 settings, machine policy, 281 user policy, 282

backups, CMS, 481 baseline image, for snapshot deployment, 67 BB2email.exe, 435 architecture diagram, 432 extracting attachments, 436 installing, 435 parameters, 439

Client File System Agent Integration, 54 client integration, 54

BBMAIL import operations attachment archives, 368 parameters, 396

client machines, 53 disk space, 25 features, available for installation, 54 importing, 53 installation command line deployment, 57 Group Policy, 59 manual deployment, 55 SMS operations, 63 snapshot operations, 66 Msiexec.exe, 57 operating system, 25 requirements, 25 types of installation, 55

before you start See postdeployment tasks Bloomberg messages converting to EML e-mails, 435 importing, 368 browser integration, 24, 25, 27 bulk session management, administrative privilege, 179

C cache, for replication failures, 514 Cached Exchange mode, Outlook 2003, 524

Client Print System Agent, 283 deployment, 285 flow chart, 284 registry changes, 286 user policy, 285

Centera integration, 160 policy settings, 163, 170 setting up, 163 centralized applications, integrating with, 70

Client Print System Agent Integration, 54

certificates Digital Safe integration, 324 Iron Mountain integration, 333 installing, 334 secure private tunnel, 118

Client.msi command line operations, 57 GPO installation package, 60 SMS distribution package, 63 ClientLockDown.mst transform command line installations, 57 GPO installations, 61 SMS installations, 63

CFSA See Client File System Agent Chinese characters See Unicode characters Citrix integrating with centralized applications, 70

ClientLockDown.vbs script, 487 clock synchronization, 47

cloning, See snapshot deployment clustered Exchange servers, 244 clustered iConsole servers, 97 CMS backing up, 481 disk space, 24 installing, 33 manual operations, 33 name resolution, 30 policy, configuring, 44 profiles exporting, 500 importing, 500 resetting, 500 requirements, 24 storage connectors, 31 temporary object store, 159 unattended installations, 39 CNV files cache size, 526 generating, 417 Cnv2email.exe, 433 architecture diagram, 432 parameters, 439 code, installation, 43 command files Account Import format notes, 148 machines, 152 users, 145 machines, importing example file, 153 users, importing example file 1, 150 example file 2, 151 command line deployment client machines, 57 CMSs, 39 Msiexec.exe options, 489 Setup.ini, and client machines, 58 comments

Index

in Event Import configuration files, 369 in imported command files machine accounts, 152 user accounts, 147 common client policy, 47 common gateway policy, 47 CommonStore See IBM DB2 CommonStore Complete installations, 55 compliance release mailbox creating for interactive warnings, 228 configuration file, for Event Import example, 369 predefined templates, 368 Connectivity screen, 55 consoles administration console client machines, 54 CMS, 32 console-only installations, 41 iConsole, 71 preventing installation, 487

Data ONTAP, 170

conversion expressions IM participant IDs, 428 LDAP attributes, importing, 154

deadlock detection, on policy engines, 182

counters (performance), for policy engines and hubs, 186, 201, 230

content agents, 448

D

FAST-based, 449, 450 deployment log entries, 456 document processors, 456 installation, 451 multi node deployment, 452 services, assigning to nodes, 452 single-node deployment, 453 uninstalling, 459 wigan collection, 456 host server requirements, 27 installation overview, 448 installation wizards content.msi, FAST-based, 457 server.msi, 458 post-deployment tasks, 460 silos, 461 testing the indexer, 460 uninstalling manual uninstallation, 498 content.msi, FAST-based, 457

copying policies, 507

contact details, 23 content database definition, 448 purge parameters, 463 purging, 463

CPSA See Client Print System Agent

content indexer utility, 448 changing job filter settings, 460 service logon account, 459 testing, 460

CreateParentNameTransform.vbs script, 486

CreateParentName.mst transform command line installations, 57 generating from a VBS script, 486

Data At Rest triggers, 256 data files, Account Import, 125 Data folder backing up, 481 CMS, 34 Data Management console client installation feature, 54 server installation wizard, 32 Data Source settings, 63 database accounts, 35 databases backing up and restoring, 481 Database Type screen installing gateways, 34 supported versions, 24 date synchronization, 47 dead messages, and Domino server agent, 244

default group See default user group Default Policy for Files setting, 183 FSA scanned files, 250 default user group Account Import, specifying, 145 configuring policy for, 48 default.pingports setting, 503 default.rmiports setting, 503 default.serverports setting, 504

Content Manager, IBM DB2 integration, 165 setting up, 167 content proxy server, 448

credentials account, setting, 497 database infrastructure account, 35 LDAP, importing from, 126 policy engines, 179

DHCP warning, 407

content purge, 448

Custom installation, 55

dial-up connections, 520

device lists, for Client File System Agent, 281 diagnostic registry values, for email server agents, 222 Digital Safe adapter configuring, 328 host server, 325

content searches, 447 content services, 447

installing, 326

configuration, 214 dead messages, 244 deployment, 191, 213 diagnostic registry values, 222 installing, 192, 214 log files, 186, 202, 230 Notes client agent, using with, 243 registry values, 217 created automatically, 218 created manually, 222 requirements, 26, 191, 213 troubleshooting, 522 turn on e-mail integration, 225 uninstalling, 202, 231

Digital Safe integration, 323 configuring, 327 deployment procedure, 325 Digital Safe adapter, 324 installing, 325 wgnzds.dll, 324 direct mode, Import Policy, 206 DisableAutostart.vbs script, 486 disk space free space calculation, 46 free space management, 46 requirements, 24 disk-imaging, See snapshot deployment

downloaded e-mails for iConsole setting file format, 95

distribution lists, and Event Import, 389 hidden membership, 522

dump files Bloomberg messages, importing, 368 replication holding cache, 514

Distribution Points, 64 DNS CMS name resolution, 30 multiple domains, and e-mail server agents, 243

E

document processor guidelines, for FAST content services, 456

e folder, backing up CMS, 482 EAS import parameters, 397 integration, 293 RDM setup, 351

documentation, 32 DoD deletion, 251 domain user for Exchange or Domino integration, 179 for Quarantine Manager, 110

eFaxes, detecting, 438 e-mail address mapping Event Import, 356 FAQs, 480 features using it, 479 overview, 477 policy engines, configuring, 177

domains, and e-mail server agents, 243 Domino importing user details from, 124 integration with, 212 MIME configuration, 215

e-mail archive integration, 287 supported versions, 288

Domino integration PE domain user, 179

e-mail distribution lists, and Event Import, 389 hidden membership, 522

Domino server agent architecture diagram, 176

e-mail integration, 25

enable on Exchange or Domino server, 225 server side versus client side, 212 e-mail notifications, for iConsole, 79 e-mail triggers disabling for Import Policy, 203 EmailClientOptions.mst transform registry values, 487 EmailXtender integration, 330 embedded IM events, 421, 437 EMC Centera integration, 160 policy settings, 163, 170 setting up, 163 EMC EmailXtender integration, 330 RDM setup, 351 EML e-mails architecture diagram, 432 converted from Bloomberg e-mails, 435 CNV files, 433 detecting embedded IM and Bloomberg data, 437 EML import parameters, 395 EnableAppmon.mst transform command line installations, 57 generating from a VBS script, 488 GPO installations, 61 SMS installations, 63 encryption do not install to encrypted folders, 520 iConsole clusters, 98 Quarantine Manager, 527 End MIME to CD Conversion messages, and NSF import, 525 enterprise mode, installation option, 55 Enterprise Server, installing CMS and gateways, 31 Enterprise Vault integration, 295 configuring, 299

deployment procedure, 297 installing, 297 RDM, 304 turning on, 304

requirements, 26, 359 running import operations, 361 service, 362 multiple instances, 364 startup type, 362 troubleshooting, 524

envelope journaling, support for, 358 error level, for free disk space, 46

event metadata, extracting, 472

EV integration See Enterprise Vault

event queues, on policy engine hub, 188

EV server agent, 295 registering with Enterprise Vault, 298

events, purging, 45

event display, for iConsole, 85

EVL files, and RCI failures, 367

Event Import configuring for Import Policy, 210

Exchange Archive Server See EAS

event timeouts, for iConsole, 84

Exchange mailboxes cannot access, 524

Event Import utility abandoned events, 356 account synchronization, 356, 480 configuration file example, 369 parameters, 370 predefined templates, 368 distribution lists, e-mail sent to, 389 hidden membership, 522 Exchange mailboxes cannot access, 524 importing from, 358 filtering import operations, 357 identifying e-mail owners, 356 ignored e-mails, 356 import failures, 366 import types, 365 installation feature, 31 installing, 361 log files, 366 logon requirements CMS, 360 wgnimp.exe, 360 wgnimpsv.exe, 360 overview, 359 network diagram, 355 parameters, 370–415

Exchange Server clustered servers, 244 Exchange Server 2007, 212 64-bit machines, 517 import failures, 367 import parameters, 386 integration with, 212 Exchange server agent 64-bit machines, 517 architecture diagram, 176 clustered servers, integration with, 244 configuration, 214 deployment, 191, 213 diagnostic registry values, 222 installing, 192, 214 interactive warnings, 226 log files, 202, 230 monitoring, 230 Outlook client agent, using with, 243 registry values, 217 created automatically, 218 created manually, 222 for interactive warnings, 221 requirements, 26, 191, 213

setting up interactive warnings, 228 troubleshooting, 522 turn on e-mail integration, 225 uninstalling, 202, 231 Executive console client installation feature, 54 server installation wizard, 32 exporting CMS profiles, 500 policies, 507 expressions See conversion expressions External Agent API, 342 deployment diagram, 293, 330 disable 8.3 file names, 342 EAS integration requirements, 343 EMC EmailXtender integration requirements, 343 host machine requirements, 342 installing, 343 overview, 342 registry values, 345 manual values, 346 Socket API, installing, 343 External Sender policy setting, 182 ExternalSender user account, 38 extraction jobs, for Universal Extractor, 469

F failure to import events, 366 failure to replicate events, 514 Far Eastern characters computer names, 521 displaying, 521 installation paths, 521 FAST-based content services, See content services features

purging the scanned file database, 265 requirements, 253 scanning jobs, 263 smart tags, 250 triggers, 256 uninstalling, 276

client installation features, 54 server installation features, 31 file handling import parameters, 383 file hashes, 251 file import parameters, 404 file names, 8.3 format, 30 File Scanning Agent See FSA filtering event import operations, 357

G gateway servers, 30 importing, 30 requirements, 24

firewall configuration, 504 policy engines, 528 Windows 2003 SP1, 528 Windows XP SP2, 528

ghosting or ghost imaging, See snapshot deployment

follow-up snapshots, 68

global preferences in iConsole setting up, 103

logon method, iConsole, 101 formats, for IM Import dump files, 419

global sender, for iConsole audit emails, 92

free disk space calculation of, 46 management of, 46

GPO, installation package, 60 Group Policy deployment instructions, 60 Group Policy Object See GPO overview, 59

front-end Web server, for iConsole, 71 non-default TCP port, 90 requirements, 74 virtual directory, renaming, 85

groups, importing, 123

H

FSA, 247, 248 architecture, 252 associating files with users, 250 configuration, 257 deployment, 253 Microsoft SharePoint, 261 example job file, 266 Exchange Public Folders, 249 FAQs, 275 FSA domain user, 254 installing, 255 job syntax, 268 log files, 265 Microsoft SharePoint, 249, 262 NIST database, installing, 254 policy applied to scanned files, 249

hashes, 251 hidden membership distribution lists, 522 HideConsole.mst transform, 487 holding cache, for replication failures, 514 hub mode, Import Policy, 207 hub See policy engine hub under "p"

I /i parameter, 489 IBM DB2 CommonStore

for Exchange configuration, 308, 317 deployment tasks, 306, 315 installation, 306, 315 IBM DB2 CommonStore integration for Domino, 314 for Exchange, 305 IBM DB2 Content Manager integration, 165 setting up, 167 logging, 169 iConsole, 71 anonymous access, 100 application server, 71, 530 connect to multiple CMSs, 82 IIS 5.x, 529 architecture diagram, 72 audit e-mails configuring sender, 91 excluding from policy, 91 audit feature, setting up, 91 authentication and anonymous access, 100 authentication problems, 99 backing up search files, 105 connects to wrong CMS, 530 downloaded e-mails setting file format, 95 event display, configuring, 85 event timeouts, 84 front-end Web server, 71 front-end Web server TCP port, 90 global preferences setting up, 103 HTTP 404 error, 529 improving performance, 99 installing, 80 Kerberos authentication, 77 LDAP directory, 93 logging registry values, 96 logon credentials, hiding, 101 mask, for e-mail addresses, 93

IM networks, assigning, 420 EML e-mails, 437 IMFrontEnd.exe, 417 See also IM Import IMlogic dump files, configuring, 429 import failures, 367 Import Policy, 203 architecture diagrams, 205 direct mode, 206 disabling triggers, 203 Event Import parameter, 377 hub mode, 207 parameters and registry values, 210 requirements, 26

IE See Microsoft Internet Explorer ignored e-mails, in import operations, 356

import.ini configuring for Import Policy, 210 continuous event import, 362 example file, 369

IIS iConsole, 90 IIS 5.x, 529 iConsole, special requirements, 75, 530 policy engine hub, stopping, 200 RDM requirements, 349

importing client machines, 53 CMS profiles, 500 e-mails into the CMS, 359 events from remote CMS, 408 failures, Event Import, 366 files, 404

IM conversations embedded in EML e-mails, 437 importing, 417

IM Import, 418 CNV files, 417 converting to EML e-mails, 433 configuring, 417 embedded IM events, 421 IM network, assigning, 420 IMlogic dump files, configuring, 429 installing, 422 parameters Event Import, 398 IMFrontEnd.ini, 423 participant IDs, 420 requirements, 422 supported formats, 419 troubleshooting, 526

multiple browsers open on same machine, 530 multiple CMSs, connecting to, 82 .NET Framework 1.1 SP1, 75 .NET Framework 2.0, 529 Network Load Balancing, 97 participant display, configuring, 86 post-deployment tasks, 81 pre-authentication, 99 registry values, 73 requirements, 27, 74 search results, configuring, 88 searches, backing up, 105 searches, installing custom searches, 104 default searches, 82 searches, setting up, 105 security, 90 security, and anonymous access, 100 session timeouts, 83 setting up SMTP e-mail, 79 setting up SQL search support, 105 starting up, 103 troubleshooting, 529 virtual directories, 85 Web Service timeouts, 84

gateways, 30 import types, Event Import, 365 machines, 152 policies, 507 type of import operation, 373 users and groups, 123 infrastructure installation feature, 54 stopping and restarting, 488, 519 wgninfra, usage, 519 wgninfra.exe, usage, 488 ingestion methods, for archive integration, 292 install.sh, Milter MTA agent, 236 installation code, 43 installation features client machines, 54 servers, 31 installation package, GPO, 60 installation types, for clients, 55 installation wizard client machines, 55 CMS, gateways or utility machines, 33 e-mail server agents, 192, 214 FSA, 255 INSTALLDIR variable, 490 instances, of Event Import service, 364 integration applications, 54 client agents, 54 Client File System Agent, 54 Client Print System Agent, 54 e-mail archives, 287 EMC Centera, 160 policy settings, 163, 170 setting up, 163 EMC EmailXtender, 330 Enterprise Vault, 295

J

IBM DB2 CommonStore for Domino, 314 for Exchange, 305 IBM DB2 Content Manager, 165 setting up, 167 ingestion methods, 292 Internet Explorer, 54 Iron Mountain, 332 Lotus Notes, 54 models, 289 NetApp SnapLock, 170 Outlook, 54 Postfix, 232 Sendmail, 232 third party archives, versions of, 288 Windows Explorer, 54 ZANTAZ Digital Safe, 323 ZANTAZ EAS, 293

iConsole, 96 write entries to Windows log, 516 policy engine hub, 186, 202, 230 Quarantine Manager, 112 Windows log, writing to, 516

Japanese characters See Unicode characters Jet Database Engine standalone installations, 505

K Kerberos, requirements for iConsole, 77 known issues, 519 Korean characters See Unicode characters

L l, 186 laptop users dial-up connections, 520 firewall configuration, 504

interactive warnings Exchange Server, 226 setting up on Exchange server, 228

LDAP directory, 124 cached logon credentials, 134 iConsole audit e-mails, 93 importing from, 123 modifying imported values, 154 multiple value attributes, importing, 144 writing multiple LDAP values to a single user attribute, 144

Internal E-mail Address Pattern policy setting, 183 Internet Explorer See Microsoft Internet Explorer iQ.Suite integration, 288 Iron Mountain adapter configuring, 339 host server, 337 installing, 337

legacy data, and multiple object stores, 159 license files, after installing, 43

Iron Mountain integration, 332 configuring, 338 deployment procedure, 336 installing, 337 Iron Mountain adapter, 333 wgnirm.dll, 333

Linux requirements, Milter MTA agent, 234 log files Account Import, 125 Domino server agent, 186, 202, 230 Event Import, 366 Exchange server agent, 202, 230 FSA, 265 IBM DB2 Content Manager, 169

IIS SMTP agent, 245

logon credentials, hiding in iConsole, 101 logon requirements for Event Import CMS, 360 wgnimp.exe, 360 wgnimpsv.exe, 360 Lotus Notes centralized applications, integrating with, 70 importing from, 359 integration feature, 54 NSF import parameters, 390 troubleshooting, 525 requirements, 25

M machine policy configuring CFSA, 280 CMS, 44 common policies, 47 event purging, 45 free disk space, 46 policy engines, 181 machines, importing, 152 mailboxes, cannot access, 524 maintaining policy engines, 186 management console client machines, 54 CMS, 32 console-only installations, 41 management groups assigning, 49

import operations, 146 manual deployment to client machines, 55 manuals See documentation mapping See e-mail address mapping

Milter MTA agent, 232 architecture, 233 configuring, 238 enabling and disabling, 242 installing, 236 Milter user, creating, 234 policy limitations, 232 requirements, 234 stopping and starting, 242 uninstalling, 242 wgnmilter.conf file, 238

mask See address mask master encryption key backing up, 482 restoring, 483 memory, for client machines, 25 Microsoft Exchange, 212 envelope journaling, 358 importing e-mails from, 358 PE domain user, 179 required user accounts, 179 server agent See Exchange server agent under "E" Exchange 2007, 212 64-bit machines, 517 Internet Explorer dial-up settings, 520 integration feature, 54 known issue with multiple iConsoles, 530 requirements client machines, 25, 27 servers, 24 Internet Information Services See IIS under "I" Outlook Cached Exchange mode in Outlook 2003, 524 EmailClientOptions.mst transform, 487 integration feature, 54 requirements, 25 turning off browser integration, 491 Systems Management Server See SMS

Windows Explorer integration, 54 turning off browser integration, 491 Microsoft SharePoint Connector installing, 261

Mandatory Assignment, SMS, 65

MIME configuration, for Domino servers, 215 minimum retention period, for imported events, 376 mobile client machines, firewall configuration, 504 models, of archive integration, 289 push from archive, 289 push to archive (direct), 290 push to archive (via mailbox), 291 Msicu.exe and Msicuu.exe, for manual uninstallations, 499 Msiexec.exe administrative installation, 485 client machines, 57 command line options, 489 database variables, 492 general variables, 490 SMS, 63

multiple domains, and e-mail server agents, 243 multiple instances, of Event Import service, 364

N NAS device CMS data folder, 34 NBA, import parameter, 406 .NET Framework, for iConsole requires 1.1 SP1, 75 support for 2.0, 529 NetApp SnapLock integration, 170 Network Boundary Agent See NBA Network Load Balancing, for iConsole, 97 network, impact on, 28 network-attached storage CMS data folder, 34 new client machines importing, 152 gateways, importing, 152 groups importing, 123 importing in command files, 145 users importing, 123 importing in command files, 145 NIST database, 251 installing, 254 Notes See Lotus Notes notes.ini logging level, adjusting, 525

Msizap.exe, for manual uninstallations, 499

notification e-mails See audit emails

multiple CMSs, connecting iConsoles to, 82

NSF import parameters, 390 suppressing log messages, 525

importing from a CSV file, 146

unparented e-mails, 525 NtfsDisable8dot3NameCreation registry value, 30

parameter, 489 paths for groups, in CSV files for Account Import wizard, 149

O

PE connector See Remote PE Connector

object storage multiple object stores, 159 temporary, 171 data location, 173 third party solutions, 159

PE domain user, 179 Import Policy, used by, 208 Log on as Batch Job privilege, 193 policy engine hub service, 192

operating systems client machines, 25 CMS and gateways, 24 content services machines, 27 External Agent API machines, 27

perfmon counters See performance counters performance counters policy, 518 policy engines and hubs, 186, 201, 230

Oracle privileges for UE, 469 service identifier (SID), 34 supported versions, 24

policies copying, 507 exporting, 507 importing, 507 version checking with wgnpol.exe, 507

Organizational Unit See OU OU removing clients, 61 selecting, 60 Outlook See Microsoft Outlook

policy engine hub 64-bit machines, installing on, 517 architecture diagram, 176, 188 configuration, 193 deployment, 191, 213 flow chart, 190 installing, 192, 214 log files, 186, 202, 230 monitoring, 186, 201, 230 registry values, 193, 194 requirements hardware and software, 26 PE domain user, 191, 213 specifying queues, 189 stopping, 200 uninstalling, 202, 231

P package, SMS, 63 parameter file, Account Import example, 143 parameters Account Import, 136–143 Event Import, 370–415 IMFrontEnd.ini, 423 Milter MTA agent, 238 Msiexec.exe, 489 XML metadata extractor, 473 participant display, for iConsole, 86 participant IDs, and IM Import, 420 conversion parameters, 428 passwords

policy engine proxy, performance counter, 201 policy engines architecture diagram, 176 configuring, 181 deployment, 177 firewall configuration, 528 hub See policy engine hub under "p" installation feature, 31 installing, 180 machine policy settings, 181 maintaining, 186 monitoring, 186, 201, 230 registry values, 184 requirements, 26, 178 service logon properties, 180 standby and active, 177 uninstalling, 186 upgrade issue, 520 user accounts, 179 Policy on Print See Client Print System Agent Policy on Save See Client File System Agent port numbers allocating, 502 iConsole clusters, 98 post-deployment tasks, 43 content services, 460 iConsole, 81 Postfix integration, 232 configuring, 234 installing, 236 turning on, 238, 242 pre-authentication iConsole, 99 primary administrator, 37, 43 Primary User database account, 35 privileges Account Import requirements, 125

PST import parameters, 394 purging events, 45 WgnFDSPurge examples, 466

registry values Domino server agent, 217 created automatically, 218 created manually, 222 EmailClientOptions.mst transform, 487 Exchange server agent, 217 created automatically, 218 created manually, 222 for interactive warnings, 221 External Agent API, 345 iConsole, 73 audit e-mails excluding from policy, 91 senders, 91 downloaded e-mails file format, 95 event display, 85 event timeout, 84 logging, 96 participant display, 86 results handling, 88 session timeout, 83 Web Service timeout, 84 policy engine hub, 193, 194 flow chart, 190 policy engines, 184 Quarantine Manager, 113 Socket API, 347

purging indexed events, 463 command line parameters, 463 purging the FSA scanned file database, 265 "push from archive" integration model, 289 "push to archive (direct)" integration model, 290 "push to archive (via mailbox)" integration model, 291

Q /qn and /qb, Msiexec.exe silent operations, 489 QM domain user, 110 Quarantine Manager, 107 architecture diagram, 108 configuring, 112 e-mail release procedure, 115 encrypted e-mails, 527 installing, 112 log files, 112 QM domain user, 110 registry values, 113 server installation wizard, 31 timed-out e-mails, 115 troubleshooting, 527

relay, IIS SMTP, 245 remote CMS import import failures, 367 parameters, 408 scheduling import jobs, 363

queues, on policy engine hub, 188

R

remote data folders, specifying, 33

RAM, for client machines, 25

Remote Data Manager See RDM

RCI See remote CMS import

Remote PE Connector

RDM

configuration, 352 deployment diagram, 293, 330 installation, 349 installation feature, 31 multiple RDM support, 352 post-installation tasks, 351

selecting, 49 product code command line uninstallations, 58 SMS uninstallations, 64

configuration, 209 installation feature, 31 replication holding cache, 514 requirements (hardware and software) client machines, 25 CMS, 24 databases, 24 Domino server agent, 26 Enterprise Vault integration, 27 Event Import machines, 26, 359 Exchange server agent, 26 External Agent API host machine, 342 FAST-based content services, 27, 450 FSA, 253 gateway servers, 24 iConsole, 27, 74 Import Policy, 26 Iron Mountain integration, 27 policy engine hub, 26 policy engines, 26 silos, for FAST content services, 461 UE, 469 utility machines, 24 reset the replication holding cache, 515 restoring CMS, 483 results cache, for iConsole, 88 retention period, for imported events, 376 RIP files, See snapshot deployment router configuration, 504

S scanned file database, 251 scanning jobs, FSA, 263 example job file, 266

excluded files, 248 FAQs, 275 job syntax, 268 purging, 265 scheduling, 265

server.msi content services, 458

SMTP Relay agent See IIS SMTP agent

server-side warnings, 226

SnapLock integration, 170

service desk URL, 23

snapshot deployment, 66 considerations, 69 follow-up installations, 68

session timeouts, for iConsole, 83

scheduled deployment, SMS, 65 scheduled silo creation, 462

SetParentName.mst transform GPO installations, 60

scheduling import jobs, 363

Setup Type screen, 55

Schema Owner database account, 35

Setup.exe, and command line deployment, 58

search index, 448 migrating documents to silos, 461 purging, 463

Setup.ini file command line deployment, 58 snapshot deployment, 66

Search User database account, 35

SEV integration See Enterprise Vault

searches, for iConsole backing up, 105 custom searches, 104 default searches, 82 event display configuration, 85 participant display configuration, 86 results cache configuration, 88 setting up, 105

short file names, disabling, 30 silent operations Msiexec.exe options /qn and /qb, 489 SMS uninstallation, 65 silos, for FAST nodes, 461 creating, 465 creating and removing, 462

secure private tunnel, 117 certificate management, 118 configuring, 118, 121 example startup.properties files, 122

single node deployments, FAST, 451 single sign-on, 105 size bands, for event queues, 188 smart tags, 296 registry keys, 301 registry subkeys, 303

Secure Sockets Layer Account Import command line import, 135 sender, iConsole audit e-mails, 92

SMS deployment instructions, 63 distribution package, 63 mandatory assignment, 65 overview, 62 program, 63

Sendmail integration, 232 configuring, 235 installing, 236 policy limitations, 232 requirements, 234 sendmail.mc file, 235 socket connection, specifying, 235 turning on, 238, 242 uninstalling, 242

SMSQuietUninstall.mst transform generating from a VBS script, 488 silent uninstallations, 65 SMTP e-mail, setting up for iConsole, 79

Socket API configuring, 347 installing, 180, 343 Sendmail and Postfix integration, 234 source image See administrative installation SPT See secure private tunnel SQL Server database name, default CMS installations, 35 multiple instances CMS installations, 35, 255 supported version, 24 SQL Server authentication, 36 SSL authentication Digital Safe, 324 iConsole, 90 Iron Mountain, 333 SSL certificates Digital Safe integration, 324 Iron Mountain integration, 333 SSO See single sign-on SSW See server-side warnings standalone installations, 505 disallowing, 506 Jet database, 505 standalone mode, 55 standby policy engines, 177 startup.properties file UDP and TCP ports, 502 UTF-8 character encoding, 50 sticky sessions See Network Load Balancing subnets, multiple, 53

Sun ONE Directory Server, 124

time synchronization, 47

suspended machines, and exceeded holding cache, 514 automatically resume, 515

timeouts, for iConsole events, 84 results cache, 88 sessions, 83 Web Service, 84

Symantec Enterprise Vault See Enterprise Vault syntax administrative installation, 485 client machines installation, 57 uninstallation, 58 CMS installations, unattended, 39 FSA scanning jobs, 268 master encryption key exporting, 482 re-importing, 483 Msiexec.exe operations, 489 stopping and restarting the infrastructure, 488

timestamps, 524 transform files, 486 ClientLockDown.mst, 487 command line installations, 57 GPO installations, 61 SMS installations, 63 CreateParentName.mst, 486 command line installations, 57 DisableAutostart.mst, 486 EmailClientOptions.mst, 487 EnableAppmon.mst, 488 command line installations, 57 GPO installations, 61 SMS installations, 63 HideConsole.mst, 487 SetParentName.mst GPO installations, 60 SMSQuietUninstall.mst, 488 SMS installations, 63 SMS uninstallations, 65 TRANSFORMS variable, 490 with setup.ini, 66

system logs, needed when contacting the service desk, 23

T tablespace, for database accounts, 36 TCP/IP ports, allocating customizing, 502 iConsole, 90

troubleshooting See known issues trusted applications, for Client File System Agent, 281

Templates, Event Import installation feature, 31

tunnel, secure private, 118

temporary object store, 171 data location, 173

type parameter, for Event Import, 373

Terminal Services centralized applications, integrating with, 70 Lotus Notes, 70 utility machine installations, 38

Typical installations, 55

time stamping for events, 47 truncated times, 524

UE See Universal Extractor


U

UDP ports, allocating, 502
unattended installations
  CMSs, 39


Unicode characters computer names, 521 displaying, 521 general configuration, 50 installation paths, 521 uninstallation client machines, 56 command line, 58 Group Policy, 61 manually, 498 SMS, 65 CMS, 40 manually, 498 content services FAST-based, 459 manual uninstallation, 498 Domino server agent, 202, 231 Exchange server agent, 202, 231 FSA, 276 gateway servers, 40 manually, 498 manual (if Windows Installer fails to uninstall), 498 policy engine hub, 202, 231 policy engines, 186 Universal Adapter Digital Safe integration configuring, 327 installation, 326 IBM DB2 CommonStore integration installing, 306, 315 Iron Mountain integration configuring, 338 installing, 337 Universal Extractor, 469 example job definition, 471 parameters for XML metadata extractor, 473 requirements, 469 XML metadata extractor, 472 XML schema for job definitions, 470


Orchestria Active Policy Management Deployment guide


Unknown Internal Sender policy setting, 182

version numbers, of policies checking with wgnpol.exe, 507

WGNDISALLOWSTANDALONE variable, 506

unknown users LDAP import operations, 133 policy engine handling, 38

ViewState encryption, for iConsole clusters, 98

WgnFDSPurge.exe, 463

virtual directories, for iConsole, 85 anonymous access, 100

UnknownInternalSender user account, 38 unparented Notes e-mails, 525

W

upgrading, 28 policy engines, known issue, 520

W2K3 machines See Windows 2003 machines

USB devices, for Client File System Agent, 281

warning level, for free disk space, 46

user accounts Account Import, 123 for policy engines, 179

Web console See iConsole Web farms See Network Load Balancing

User Filter machine policy setting, 357

Web Service timeouts, for iConsole, 84

user groups, default policy, 48

WGNADMINPASSWORD variable, 490

user import operations See Account Import

WGNADMINUSERNAME variable, 490 wgncheck.exe, 78

user policy configuring CFSA, 282 CPSA, 285 users, importing, 123

wgncred.exe, 497 WGNDATA variable, 493 WGNDATABASEIPPORT variable, 493

wgnimp.exe overview, 359 running, 361 wgnimpsv.exe startup type, 362 wgninfra service, 519 wgninfra.exe, usage, 488 wgninfra.out logfile, needed when contacting the service desk, 23 wgnirm.dll, 333 wgnmgmt.exe master encryption key restoring, 483 wgnmgmt.exe (Windows) master encryption key backing up, 482 wgnmilter.conf parameters, 238 WGNNOEXPLORER variable, 491 WGNNOOUTLOOKBROWSER variable, 491

UTF-8 character encoding client machines, 50

WGNDATABASEPASSWORD variable, 494

utility machines, 30 before installing, 30 requirements, 24 Terminal Services installations, 38

WGNPARENTSERVERNAME variable summary, 490 with msiexec.exe, 57 with setup.ini, 58

WGNDATABASESERVER variable, 493

wgnpol.exe, 507

WGNDATABASESERVICENAME variable, 493

Wgnrdi.dll, 342

V

WGNDBSEARCHUSERNAME variable, 494

WGNDATABASENAME variable, 493

WGNDATABASETYPE variable, 493 WGNDATABASEUSERNAME variable, 493

variables LDAP attribute conversion expressions, 155 Msiexec.exe database, 492 general, 490 Version check utility, 78


WGNDEFAULTUSERGROUPPATH variable before you start, 48 description, 491 WGNDELETEDATABASE variable, 490


Wgnrdm.dll, 349, 351, 352 WGNSERVERTYPE variable, 490 wgnsev.dll overview, 295 WgnTask.exe utility, 469 wgnzds.dll, 324 Windows 2003 machines SP1 firewall, 528 Windows Event Viewer, and iConsole log entries, 516 Windows Explorer integration, 54


turning off browser integration, 491 Windows Installer Cleanup utilities, 499 removing, 499 version requirement client machines, 25 CMS and gateways, 24 Windows XP and 2003 troubleshooting, 528 Windows XP machines SP2 firewall, 528 WINS, and CMS name resolution, 30 wraps or wrappers, See snapshot deployment

X

/x parameter, Msiexec.exe, 489
x-headers
  Domino configuration, 215
  EML e-mails, 437
XML dump files, for Bloomberg messages, 368
XML metadata extractor (UE module), 472
XML schema for UE job definitions, 470
XP machines See Windows XP machines

Z

ZANTAZ
  Digital Safe, 323
  EAS, 293

