Cluster Administration
The Basics
To access your Cluster Administration features, log in to the Web Portal on the server. The description in this guide assumes that you are logged in as the Master Administrator (also known as the Cluster Administrator). Some of the options listed may not be available if you are logged in with other privileges. In this document, Triofox is also referred to simply as the Cluster Server.
Tip
The Web Portal URL is the DNS name of the server, the IP address, or the local host (http://localhost) when you are in the server console.
Note
At the bottom of the login screen, you will find version information that tells you which version you have installed.
Login and Manage
After you log in to the web portal as a Cluster Administrator, you are in the dashboard.
As a Cluster Administrator, you can also see the total number of normal users in the system, the total number of guest users, the number of groups, assigned licenses, devices, and created roles.
Published Shares
In this section you can browse your published shares. Click Manage to view details of published shares.
Content
Here you can find files and folders within the published shares.
Access Control
Allowed Users
You can add users and groups in the Allowed Users section.
External Sharing
With this setting you can see which folders and files have been shared and control access to them.
Folder Permission
You can browse to different subfolders and set the folder permission. The folder permissions defined here represent the Cluster Server side of the permission.
If you are using the native Active Directory/NTFS permission of a file server, you do not need to define permissions here.
Note
You can think of the permissions as two different gates that control access to files and folders. The first gate is defined here as "Cluster Server Folder Permission". After this permission check, there is another check at the file server level (the NTFS permission). In practice, permissions are usually managed at one gate or the other. If you have chosen to use NTFS natively, you can leave the permission settings here blank and undefined.
Settings
Here you can change the settings for your published shares.
Protection & Disaster Recovery
Versioning
In-place versioning can be enabled here.
Advanced Security Controls
Here you can find some settings for advanced security controls. You can disable external sharing, disable offline access, or hide folders for which users do not have permission.
Access Policy
On this tab you can enable an access policy.
Client Access Policies
Define custom access policies to restrict or allow access based on the location of the device. For example, a company may want to allow access from the Internet only for Windows clients and Web clients. IT can configure policies to allow or deny client access from the following locations:
- Access from the internet
- Access from local network
- Access from anywhere
- Access from customer-defined networks
- Deny access from customer-defined networks
The above policies for allowing and denying client access can be configured for the following clients:
web client, web management, windows client, mac client, mobile client.
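The following sketch models how a location-based client access policy of this kind can be evaluated. It is an added example, not Triofox code or its actual evaluation logic. The rule keys (`allow`, `allow_networks`, `deny_networks`), the deny-first ordering, the default deny for unlisted clients, and all network ranges are assumptions made for illustration.

```python
import ipaddress

# Assumption: "local network" means the RFC 1918 ranges; replace with the real LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed policy mirroring the example above: only the Windows client and
# the web client may connect from the internet.
POLICY = {
    "web client":     {"allow": ["anywhere"]},
    "windows client": {"allow": ["anywhere"], "deny_networks": ["203.0.113.0/24"]},
    "mac client":     {"allow": ["local"]},
    "mobile client":  {"allow": ["local"]},
    "web management": {"allow_networks": ["10.20.30.0/24"]},
}


def _in_networks(ip, cidrs):
    """True if the address falls inside any of the given CIDR strings."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def is_allowed(policy, client, source_ip):
    """Decide whether `client` may connect from `source_ip` under `policy`."""
    rule = policy.get(client)
    if rule is None:
        return False  # assumption: a client type with no rule is denied
    ip = ipaddress.ip_address(source_ip)
    # Assumption: "deny from customer-defined networks" overrides every allow.
    if _in_networks(ip, rule.get("deny_networks", [])):
        return False
    if _in_networks(ip, rule.get("allow_networks", [])):
        return True
    local = any(ip in net for net in LOCAL_NETS)
    allowed = set(rule.get("allow", []))
    return ("anywhere" in allowed
            or ("local" in allowed and local)
            or ("internet" in allowed and not local))
```

Running a planned policy through a model like this against a list of known office, VPN, and public addresses helps confirm that management access stays restricted before the policy is enabled.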
Share Access Policy
IT can also prevent data loss and data leakage from important confidential company shares by configuring "Share Access Policies" for external users who are not employees of the company. Again, IT can configure share access policies that allow or deny access from the following locations:
- Access from the internet
- Access from local network
- Access from anywhere
- Access from customer-defined networks
- Deny access from customer-defined networks
The above allow and deny share access policies can be configured with the following conditions:
- Visible
- Permissions to list files
- Permissions to read files
- Permissions to create or update files and folders
- Permissions to delete files and folders
- Secure data room
Activities
Here you can see activities for shares.
Disaster Recovery
You can restore the team folder to a previous date by "Local Versioning", or restore files from a "Cloud Backup".
File Servers
Connect Your File Server
Depending on where your file server is located, there are several ways to connect it.
The file server may be on the same local area network (LAN) as the Triofox server. In this case, the direct network share connection is the best. This is usually combined with setting up a direct LDAP connection to Active Directory.
The file server can also be remote, away from the Triofox server and at the customer's premise. In this case, it is recommended to use a file server agent. The file server agent is installed on the file server and is able to connect to the customer's Active Directory and synchronize both folder contents and Active Directory over HTTPS. In this case, the user interface displays "Proxied AD User" to indicate that the Active Directory user or group originated from the file server agent.
The best way to start using a file server agent is to add a file server via the web portal.
Devices
The cluster administrator can view the devices on which the client agent software is installed and connected for a specific user.
Here you can find the settings for the device management.
Requiring approval for device access
Disabled by default. When a user attempts to log in from a new device via native client applications, the connection will be rejected until the cluster admin approves the new device. Approval can be done via the "Client Device Manager".
Enable auto-install of Outlook Plugin
Disabled by default. The Cluster Server Windows desktop client comes with an Outlook plug-in. If this option is enabled, the Outlook plugin will be enabled upon client startup.
Create a shortcut in the documents library
Enabled by default. This convenience feature adds a link to the cloud drive in the documents library.
Create shortcut on desktop
Enabled by default. Same as above but the shortcut is on the desktop.
Users
Normal User
Normal users can be added here:
If you have Active Directory, these are normally the users in Active Directory.
Native User
- These are the users that are manually created with an email.
AD User
- These are the users that are imported from Active Directory via LDAP.
Proxied AD User
- These are the users that are imported from Server Agent, where the file server agent is remote and away from the Cluster Server at the customer's site. The customer's Active Directory domain is also remote, and the file server itself (where server agent is installed) is in the remote Active Directory.
An admin can view a user's file and folder list.
Guest Users
Guest users are users who do not have a home directory. The only folder they have is "Files Shared with Me". So, they rely on other "Normal User" to share files and folders with them before they can do anything. If no one shares anything with a guest user, the guest user will not have any read/write permissions to any folder.
The main reason for the existence of guest users is to provide a secure way for external users to collaborate and edit documents.
Group Manager
If you have Active Directory integration, you will use the Active Directory group instead of using Group Manager here. This group manager allows you to easily create a group of users. It's not as complicated as Active Directory (such as supporting nested groups), but it makes it easy for non-Active Directory users. This is the native Cluster group. In the product, you can also see the AD group in the user selection interface and the Proxied AD group in the user-related interface. The AD group and the Proxied AD group are not the same as the group mentioned here.
You can add new groups by clicking the Groups tab.
Click "Create New Group" icon at the top to create a new group, then set the "Group Name", click the icons at the top right to add users, and then click "Apply" to finish.
Role Manager
The Role Manager is used for role-based management. For example, you can assign read-only permissions to some users. You can also set specific group policies for certain groups of users. More and more policy elements are added to the Role Manager, so that the Role Manager can be used not only to manage user roles, but also to define policy elements for users.
There are 3 different sections when creating a role:
- Sharing
- Policies
- Assigned Users/Groups
Create New Role
You can define areas in the Role Manager and assign them to a role.
Policies
Additional policies for the role.
Assigned Users/Groups
After the content of the role is all set, users and groups can be assigned to a role.
Reports
Upload Report
The Upload Report tab shows you graphs for all uploads that have occurred in the last sixty minutes, 24 hours, 30 days, and a full week.
Storage Statistics
Storage Statistics gives you a quick overview of the overall storage statistics, the file type distribution pie charts, and the users who have used the most storage so far.
Active Users
Active Users show the activity of users on the web portal. The Active Users report does not include users from the Windows client or other native clients, as these users are more persistent (always there). To access this report, click the Active Users section in the panel near the top of the screen.
Guest Users
Other reports are also available, such as Guest Users, which are users who do not have their own directory, but are invited to participate in some shared folders and files.
Node Performance
You can use the Node Performance to check out the worker node health and the database health.
Last Reported
You should see that this field contains small numbers like 6 seconds or 10 seconds. If you see a number like "3 hours ago", it means that the node is not reporting the health.
Total Requests Processed
This number should be as large as possible. This number is a cumulative number since the last restart of the service. The larger the number, the more stable the service is. If you have multiple worker nodes, you should see the total number of requests evenly distributed among the worker nodes.
Request Executing
You want to keep this number as small as possible. This refers to the number of requests that are concurrently executing on the server. In general, a number less than 100 is normal. Greater than 100 is abnormal. Anything greater than 20 needs to be investigated.
Last Request Time
You should keep this number as small as possible. It is the number of milliseconds for the last request. In general, numbers smaller than 3000 or 5000 are normal, i.e. less than 3-5 seconds.
Pending Change Notification
For files and folders that are changed, a change notification is written to the database. In general, the queue for pending changes should be kept as short as possible.
Active Node Request
These are the clients that contact the server. Normally they are for reporting purposes only.
Pending Change Polling
These are the clients out there polling to see whether there are files and folders that have been changed. As a rule, the smaller the better.
Active Clients
For reporting purposes.
Pending Dir Request(H)
The pending directory listing calls from the remote clients to the Cluster Server. This is the high priority queue.
Pending Dir Request(L)
The pending directory listing calls from the remote clients to the Cluster Server. This is the low priority queue.
Note
If you do not see the Node Performance report, check the Internal URL setting of each worker node.
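The thresholds described above can be applied to values read off the Node Performance report as in the following added example, which is not part of the product. The field names, the 60-second staleness cutoff, and the 50% skew tolerance are assumptions; the 20, 100, and 5000 ms limits come from the descriptions above, and the sample rows are constructed.

```python
from statistics import mean

STALE_AFTER_S = 60          # assumption: the guide only says "6 seconds or 10 seconds"
INVESTIGATE_EXECUTING = 20  # from the guide: above this needs investigation
ABNORMAL_EXECUTING = 100    # from the guide: above this is abnormal
SLOW_REQUEST_MS = 5000      # from the guide: upper bound of a normal last request
SKEW_TOLERANCE = 0.5        # assumption: allowed deviation from the mean request count

# Constructed sample rows, as an administrator might copy them from the report.
NODES = [
    {"node": "worker1", "last_reported_s": 6, "total_requests": 120000,
     "request_executing": 4, "last_request_ms": 180},
    {"node": "worker2", "last_reported_s": 10800, "total_requests": 20000,
     "request_executing": 35, "last_request_ms": 7200},
    {"node": "worker3", "last_reported_s": 10, "total_requests": 130000,
     "request_executing": 140, "last_request_ms": 2900},
]


def triage(nodes):
    """Return {node name: [findings]} for each worker node row."""
    avg_total = mean(n["total_requests"] for n in nodes)
    findings = {}
    for n in nodes:
        issues = []
        if n["last_reported_s"] > STALE_AFTER_S:
            issues.append("not reporting health")
        if n["request_executing"] > ABNORMAL_EXECUTING:
            issues.append("abnormal concurrency")
        elif n["request_executing"] > INVESTIGATE_EXECUTING:
            issues.append("investigate concurrency")
        if n["last_request_ms"] > SLOW_REQUEST_MS:
            issues.append("slow last request")
        # Requests should be spread evenly across worker nodes.
        if avg_total and abs(n["total_requests"] - avg_total) / avg_total > SKEW_TOLERANCE:
            issues.append("uneven request distribution")
        findings[n["node"]] = issues
    return findings
```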
Under Reports, you can view the upload graphs and storage statistics.
Bandwidth Usage
This shows the overall bandwidth usage statistics as well as more granular tenant and user level statistics.
System Diagnostic Report
Click the "Start System Scan To Generate Report" button to generate system diagnostic report.
An example of a system diagnostic report is shown below.
Audit Trace
This is an example of an audit trace.
Settings
In the Settings, the administrator can enable or disable features such as Active Directory, 2-Step Verification (MFA), Single Sign-On, and Ransomware Protection. Many other options can also be configured.
Active Directory
If the Active Directory is in the local area network (LAN), LDAP can be used to connect to the Active Directory. There are several cases here:
- Sometimes you want the user account to be automatically provisioned so that it is easy for the administrator.
- Sometimes you want the user account to be limited to a specific AD group, but still automatically provision the user's account when the users are in the AD group.
- Sometimes you want the user account to be limited to a specific Organization Unit.
AD account auto provision
This option can be found in Settings -> Active Directory.
As long as the “Don't allow user auto-creation” option is unchecked, Active Directory users will be allowed to go to the web portal and log in. The first time the user logs in, the Triofox account will be automatically provisioned.
AD account auto provision, limiting to Organization Unit
The organization unit field can be used to further restrict the Active Directory user account to be provisioned automatically.
The format of the organization unit is the OU's distinguishedName minus the DC suffix.
For example, the following OU's property is: distinguishedName => DC=tsys,DC=gladinet,DC=com
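The rule "distinguishedName minus the DC suffix" can be applied mechanically, as in the following added example, which is not part of the product. The function names and the sample distinguished names (under a constructed corp.example.com domain) are assumptions; the parser honors backslash-escaped commas so that OU names containing a comma are not split.

```python
def split_rdns(dn):
    """Split a distinguishedName on unescaped commas (backslash escapes kept)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).lstrip())
    return [p for p in parts if p]


def ou_field_from_dn(dn):
    """Return the DN with its trailing DC=... components removed."""
    rdns = split_rdns(dn)
    end = len(rdns)
    # Walk back from the end while the attribute type is DC (case-insensitive).
    while end > 0 and rdns[end - 1].split("=", 1)[0].strip().upper() == "DC":
        end -= 1
    if end == len(rdns):
        raise ValueError("no DC suffix found; not a full distinguishedName")
    if end == 0:
        raise ValueError("DN is the domain root; there is no OU part to enter")
    return ",".join(rdns[:end])


# Constructed sample: prints OU=Finance,OU=Departments
if __name__ == "__main__":
    print(ou_field_from_dn("OU=Finance,OU=Departments,DC=corp,DC=example,DC=com"))
```

Because this field limits which Active Directory accounts are provisioned automatically, check the resulting value against the intended OU before saving it.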
AD account auto provision, limiting to a specific AD group
From the user manager, you can import the AD group and the users in the AD group will be able to get the account automatically provisioned.
Single Sign-on
Single Sign-On via SAML is a per-cluster setting.
File Locking
File Locking is another critical component to ensure that users' changes are not overwritten by each other. Here you can enable or disable all file locking options.
Notifications
Notifications is a critical component to ensure that users have control over what they can do with their notifications.
SharePoint Online Integration
Under "SharePoint Online Integration" you can integrate your SharePoint Online with Triofox.
User Account & Security
Under "User Account & Security" you can control the security of the Tenant Administrators, the User Accounts, and the Password Policy. Next to that you can see the settings for Access Control, Security, Home Directory, and Azure AD integration.
2-Step Verification
Enforcing 2-step verification forces users to set up 2-step verification via Google Authenticator, Microsoft Authenticator, Amazon MFA, or any other app that supports the same 2-step verification algorithm.
Ransomware Protection
Triofox adds ransomware protection and an automatic alert mechanism to your file servers. It continuously monitors all Triofox clients for unusual activity and automatically shuts them down if it detects a possible attack.
You can enable ransomware protection by clicking Settings.
Data Leak Protection
Under "Data Leak Protection" you can control the Client Access Policy, Sharing, Watermarks, Shared Objects, and DLP Events.
Personal Home Drive
Under "Personal Home Drive", you can enable access to your own personal drive aside from Triofox.
Clients & Applications
Under "Clients & Applications" you can integrate Office 365, change the Default Document Viewer settings, Client Settings, Web Portal Settings, and Native Client Settings.
Folder & Storage
In the "Folders & Storage" section, you can change all the settings for your storage and folders. For example, Retention Policy and Folder Permissions.
Files and Folder Permission
If your files and folders are located on a file server on the same local area network (LAN) as the Triofox server, it is best to delegate 100% of the file and folder permission to the NTFS permission.
If you are not using native NTFS permission, for example if you use cloud storage services such as Amazon S3 or OpenStack Swift, you can use the Triofox folder permission.
Client Downloads
In this section you can find all Clients for download.