Planning and Architecture for Office Groove Server 2007

Microsoft Corporation
Published: June 2007
Author: Office IT and Servers User Assistance (o12ITdx@microsoft.com)
Editor: Office IT and Servers User Assistance (o12ITdx@microsoft.com)

Abstract

This book describes Groove Server capabilities, summarizes the architecture of the Groove client-server system, and provides the basis for planning a Groove deployment in an enterprise environment. The audience for this book includes IT professionals, infrastructure specialists, and business decision makers responsible for designing and implementing software-based collaboration systems.

The content in this book is a copy of selected content in the Office Groove Server Technical Library (http://go.microsoft.com/fwlink/?LinkId=93923) as of the publication date above. For the most current content, see the technical library on the Web.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction to Planning and Architecture for Office Groove Server 2007
I. Overview of the Office Groove System
    The Groove Solution
    Groove Client and Server Functionality
        Groove Client Functionality
        Groove Server Manager Functionality
        Groove Audit Functionality
        Groove Server Relay Functionality
            Device Presence Detection
        Groove Server Data Bridge Functionality
    Server Backup
    Identity Management
II. Groove Server 2007 Architecture
    Groove Client Architecture
    Groove Server Manager Architecture
        Website Component of Groove Manager
        Database Component of Groove Manager
        Corporate Directory Integration
        Groove Audit Service
        Groove Manager Communications Protocols
    Groove Server Relay Architecture
        Message Queue Databases
        Database Management Utilities
        Groove Relay Configuration Control Panel Applet
        Groove Relay Administrative Web Interface
        Groove Relay Communications Protocols
    Groove Server Data Bridge Architecture
        Groove Data Bridge Application
        Groove Data Bridge Account
        Managed Groove Data Bridge Identities
        Web Services API
        Groove Data Bridge Protocol Support
III. Groove Protocol Support
IV. Summary of Groove Port Configurations
    Public Internet to Perimeter Network
    Perimeter Network to Public Internet
    Perimeter Network to Perimeter Network
    Private Intranet to Perimeter Network
    Private Intranet to Public Internet
V. Groove Site Planning Conditions and Requirements
    Network Planning for Groove
        Network Topology for Groove
        Network Requirements for Groove
        Groove Bandwidth Usage
        Network-Level Security
    Capacity Planning for Groove
        Groove User Base Planning
        Groove Manager Capacity
        Groove Relay Capacity
    Failure Contingencies and Disaster Recovery for Groove
        Groove Manager Site Planning
        Groove Relay Site Planning
        Groove Data Bridge Site Planning

Introduction to Planning and Architecture for Office Groove Server 2007

Understanding system capabilities and architecture is an essential prerequisite to any enterprise-wide system deployment. This book provides important background and baseline information on the key server and client components that comprise a Groove collaboration system, laying a foundation for deployment planning. It also discusses capacity planning, network topology, and failure contingencies. Server-specific sections cover these issues in the context of the Manager, Relay, and optional Data Bridge components of a Groove installation.

I. Overview of the Office Groove System

Microsoft® Office Groove® Server 2007 is a Windows-based software package that provides comprehensive services for managing Microsoft Office Groove. Office Groove Server 2007 contains three components: Groove Server Manager, Groove Server Relay, and Groove Server Data Bridge, any of which can be installed on Windows servers in a corporate network.

Microsoft® Office Groove®, in its simplest form, allows two or more people to share and synchronize data on their PCs using a variety of productivity tools. Using a Groove workspace on their PCs, information workers can collaborate in real time. Members of a workspace may work interactively to assemble information, discuss plans, schedule meetings, track results, jointly produce reports, store files, and converse through online chat or instant messages. Additionally, team members may perform tasks offline and then synchronize the results with others when they go back online. When a project is finished, they can archive their work by linking to an Office SharePoint site.
To sustain communications in the dynamic and increasingly diverse conditions of today's networks, Groove Relay servers are employed to provide data store-and-forward, message fanout, device presence detection, and other services that enable timely information exchange regardless of corporate firewalls, weak communications links, internet traffic conditions, or client online/offline status. In a managed Groove environment, enterprises can obtain dedicated relay support by installing Groove Server 2007 onsite, or they can employ Groove Enterprise Services to avoid the burden of server administration and maintenance.

Groove Server 2007 supplies organizations with onsite Groove Server Manager and Groove Server Relay functionality, providing Groove management and relay services, respectively. It also offers the optional Groove Server Data Bridge to integrate Groove workspace backup service into your system.

The Groove Server Manager (Groove Manager henceforth) component of Office Groove Server enables administrative control of Groove clients. Groove administrators and clients communicate with Groove Manager via its Web site, which provides both an administrative interface and a base for client contact. The site's administrative Web interface allows for server management, and allows domain administrators to govern Groove usage via the distribution of policies and relay server assignments.

This section describes how Groove addresses the challenges of remote collaboration, providing conceptual information about Groove client-server operation which can then be used as a foundation for planning a deployment.
Designed for IT professionals responsible for managing collaboration software, this document set also presents important considerations for deployment so that, upon completion, readers should have a sufficient understanding of the Office Groove environment to develop an optimal deployment plan for their organization, as described in Deployment for Office Groove Server 2007.

In this section:
The Groove Solution
Groove Client and Server Functionality

The Groove Solution

The full capability of Groove tools and components can be exercised on just two user machines directly connected over a local area network (LAN). Figure 1-1 illustrates this simple Groove setup.

Figure 1-1. Peer-to-Peer Groove

But outside a LAN, other factors disrupt the real-time flow of information between users. Corporate firewalls may block transmissions, data can be unaccountably lost, slow internet connections can hinder transmissions, external events can cause outages, and users in different time zones may be online at different times. As more people collaborate, the impact of external conditions becomes more apparent. Each user's context and the environmental conditions affecting the internet as a whole challenge the effectiveness of direct peer-to-peer interaction.

To sustain successful communications among peers in this dynamic environment, Groove employs relay servers that enable timely information exchange regardless of corporate firewalls, weak communications links, internet traffic conditions, or client online/offline status. In a managed Groove environment, enterprises can obtain dedicated relay support by installing Groove Relay and Groove Manager servers onsite, or they can employ Groove Enterprise Services to avoid the burden of server administration and maintenance. The Groove clients and supporting servers employ a suite of proprietary and public protocols to enable PC communications in a wide range of network settings.
While Groove software is designed to allow individual users to securely collaborate over the Internet, businesses require a higher level of control and management over software use. IT departments in an organization must meet corporate productivity objectives while working within the constraints of budgets and policies that affect numerous aspects of software usage, including network bandwidth availability, data integrity, and the security of corporate resources. The Groove Manager, installed onsite at an enterprise or procured via Groove Enterprise Services, addresses this level of management.

The Groove Manager or Enterprise Services allows administrators to oversee Groove operation. Using a browser-accessed interface, they can define Groove usage and security policies in accordance with organizational requirements, provision users with dedicated relay support, and monitor Groove activity.

For large organizations with a substantial software infrastructure already in place, Groove can be integrated with other corporate applications and servers via the Groove Server Data Bridge. The Groove Data Bridge is an enhanced, server-level version of the Groove client that accepts Web services calls from other applications on behalf of managed Groove clients.

The following table summarizes the capabilities offered by Groove's enterprise servers and services:

Servers and Services / Functionality

Groove Server Manager: Enables in-house administrators to configure and monitor Groove Manager servers that host Groove management domains. Administrators populate domains with Groove user information, register onsite Groove Relay servers, set Groove usage policies, schedule user account backups, and oversee user activity via Groove Manager administrative Web pages. Onsite installations of Groove Manager also support the following:
- Integration with onsite LDAP directory servers, including Active Directory, enabling import of user information from an in-house database to Groove Manager.
- Automatic Groove account configuration.
- Groove client auditing, enabled by a separate Groove Manager installation configured for client auditing.

Groove Server Relay: Enables enterprise administrators to configure and monitor onsite Groove Relay servers in conjunction with onsite Groove Manager servers. Onsite relay servers provide the same cross-firewall navigation, store and forward, device discovery, and transmission fanout support as hosted relays, but in an in-house managed environment. Administrators control relay security and availability; for instance, locating relays within a private network if necessary, and installing redundant servers to provide failover.

Groove Enterprise Services: Provides Manager and Relay services that allow administrators to set Groove usage policies, schedule account backups, and oversee Groove user activity, without the overhead of server maintenance. Note that LDAP integration, automatic account configuration, and Groove Auditing are not available via Groove Enterprise Services.

Groove Data Bridge: Enables administrators to integrate legacy systems into Groove via specific Groove Web Services.

Figure 1-2 shows the basic layout of Groove clients and servers.

Figure 1-2. Groove Installation with Supporting Servers

See Also: Overview of the Office Groove System

Groove Client and Server Functionality

The combined functionality of Groove clients and servers provides a comprehensive set of capabilities and tools for establishing and managing collaboration in an enterprise.
Groove clients and relay servers enable virtual peer communication, while the Groove Manager provides for Groove administration and monitoring, as discussed in the following sections.

In this section:
Groove Client Functionality
Groove Server Manager Functionality
Groove Audit Functionality
Groove Server Relay Functionality
Groove Server Data Bridge Functionality

Groove Client Functionality

The Microsoft Office Groove client application provides all the functionality that supports peer-to-peer collaboration when peers are directly connected. In order to collaborate, Groove users invite each other to workspaces, virtual meeting rooms where they can jointly assemble information, discuss plans, share files, write reports, design forms, manage meetings, schedule events, exchange messages, and perform other tasks as a team.

Groove is installed either as part of a Microsoft Office installation or as a standalone Office application. Users enter a standard product key and, in a managed environment, an account configuration code, to start the installation process and create an account.

Collaboration begins when one Groove user sends a workspace invitation to another. To do this, a Groove user must first find the intended peer on the network. In an enterprise, a Groove user can perform a contact search of the enterprise directory, local area network, or public directory until Groove returns a match. Finding peers outside the local network usually involves exchanging initial Groove contact information via e-mail or a Groove invitation directed to an e-mail address. When a Groove user receives and accepts a Groove workspace invitation, the workspace is sent to the user's PC. Once the workspace arrives, the recipient simply opens it to see other workspace members, be seen by them, and use workspace tools. A Groove user can be active (logged into Groove) at any time in any Groove workspace of which the user is a member.
Groove allows both online and offline use, synchronizing data dynamically while collaborators are online and synchronizing whenever an offline user comes back online. When an offline user reconnects, Groove automatically adds offline updates and additions to the workspace. For example, while flying home from a meeting, a user might add responses to several discussion entries. When the user next connects to the Internet, all the offline responses are automatically added and shared with all other members of the Groove workspace. Similarly, all updates added to the workspace by other members since the user went offline are added to the user's copy of the workspace as soon as the user connects.

Key features of Microsoft Office Groove include:

- Online collaboration workspaces - Groove workspaces contain tool sets that allow invited users to jointly plan, schedule, design, and execute all phases of a project. The number of members that can work productively in a Groove workspace is limited primarily by site hardware, network setup, and usage patterns and practices. Typically, Groove workspaces accommodate teams of up to 100 users.

- Instant messaging - Instant voice or text messages, and invitations to Groove workspaces, provide direct access to Groove contacts. In addition, text messaging via Office Communicator or Microsoft Network (MSN) Messenger is supported for any Groove contact who is also running Communicator or Messenger.

- Integration with Microsoft SharePoint - The Groove SharePoint Files Tool is an enhanced version of the Groove Files Tool; it allows users to interact with and synchronize content between Groove and SharePoint document libraries.

- File sharing - Secure environment for sharing files among fellow collaborators. Groove file sharing supports the following:
  - Immediate access to latest file versions
  - Offline file editing
  - Bandwidth optimization (only changes to files are exchanged)

- Rich standard tools - Standard workspace tools allow users to accomplish common desktop tasks related to sharing content of all types and to work together on ad hoc tasks, ongoing projects, and meetings. Standard workspace tools include Files, Discussion, Calendar, Notepad, Sketchpad, Pictures, and Meetings.

- Customizable tools - The Groove Forms and Groove InfoPath Forms tools provide a tool development interface for designing and deploying Groove custom tools. With the Forms tool, application developers work entirely within Groove to create and lay out all design objects such as forms, fields, and views. With the InfoPath Forms tool, application developers use Microsoft InfoPath templates as the basis of their tool designs, import these templates into Groove, and then enhance the tool design in Groove. Developers can use the Groove application program interface (API) to build scripted features into custom tools created with the Groove Forms tool, and can use Web Services in custom tools created with the Groove Forms or Groove InfoPath Forms tools.

- Built-in security - Groove avoids storing user data on remote servers that may be insecure and over which administrators have no control. Instead, user data is transmitted directly to workspace members and stored on member PCs. Groove automatically and securely distributes and saves data that group members produce during their interactions. All communications are private, as they take place only among workspace members. The content of all Groove messages is encrypted.

See Also:
Groove Client and Server Functionality
Overview of the Office Groove System

Groove Server Manager Functionality

The Microsoft® Office Groove® Server 2007 Manager is a Web-based application for managing Microsoft Office Groove.
The Office Groove Server 2007 Manager runs on servers installed at an enterprise site. Enterprises can also procure comparable functionality via Microsoft Office Groove Enterprise Services.

Groove clients and administrators communicate with the Groove Server Manager Web site via respective interfaces. The client interface allows the Groove application to access policies and designated relay servers, and to report Groove usage statistics. Managed Groove clients poll the management server periodically (generally, every 5 hours) for updates to member identity information, policies, and relay provisioning, and to report statistics. This periodic contact is the primary mechanism by which all information is transferred between Groove Manager servers and the Groove client software. Groove Manager servers do not initiate client communications. However, Groove Manager servers do contact relay servers to convey managed user relay assignments.

The administrative interface, secured by its underlying IIS configuration, allows administrators to perform the following tasks for a defined management domain:

- Assemble Groove users (utilizing onsite corporate directories if integrated with an onsite Groove Manager).
- Define Groove usage and security policies, including account backup scheduling.
- Provision Groove users with Groove Relays (the Groove Relay component of an onsite Office Groove Server or comparable functionality accessed via Groove Enterprise Services).
- View Groove event reports.
- Audit Groove client activities (if the Groove Manager, with the Audit option, is installed onsite).

In addition, by publishing user information to an enterprise Groove directory, Groove Manager enables authorized Groove users to find each other easily and safely.
By comparison, in an unmanaged environment, once Groove is installed and an account created, private users are free to publish their contact information, choose passwords, and communicate with whomever they choose, unhindered by centralized usage policies and other corporate security measures. Public Groove relay servers handle cross-firewall communication, offline work, and message distribution for these users.

With the Groove Manager application installed onsite, administrators can manage the server as well as Groove users and devices enrolled in management domains. With Microsoft-hosted Groove Enterprise Services, enterprise administrators manage only Groove users and devices within a management domain.

Groove Manager server-level administration involves the following tasks, performed from the Groove Manager administrative Web interface.

Server-Level Tasks / Description

Defining administrator roles: As a recommended added security level, administrators can enable Role Based Access Control (RBAC) for the Groove Manager, limiting Groove Manager administrative rights to specific administrators defined on the system.

Defining management domains: The Groove Manager supplies an initial domain; server administrators can create additional domains. Once the management server is configured with management domains, domain administrators can add users to the domain and provision them.

Monitoring Groove Manager server events, via the audit log: The Groove Manager logs server events (such as the addition of a new administrator) to an audit log report, accessible from the server-level Reports tab of the administrative Web interface.

Integrating LDAP directories with an onsite Groove Manager: The Groove Manager administrative interface allows server administrators to import user information from directory server organizational units (OUs) into the Groove Manager, automating the process of adding Groove identities to a management domain.
Administrators can depend on the Groove Manager to accomplish major tasks essential to managing Groove use on a corporate scale, as described in the following section.

In this article:
Groove Administration
Server Administration
Domain Group Management
Policy Distribution
Relay Provisioning
Groove User Management
LDAP Directory Integration
Groove Device Management
Groove Account Backup
User Verification
Password Reset and Data Recovery
Groove Usage Monitoring

Groove Administration

In an enterprise where IT administrators manage software distribution and use, Groove operations are most effectively managed via onsite Groove Servers or Microsoft-hosted Groove Enterprise Services. Groove Server Manager and Relay, or Enterprise Services, help IT administrators standardize Groove deployment and maintain reliable ongoing Groove communications across their workforce network and beyond to remote associates and contributors.

The basic unit of Groove management is a management domain, a named organizational unit, such as Contoso Corporation, where an administrator assembles Groove users, policies, and relay servers. A domain configured on an onsite server or accessed through Groove Enterprise Services allows designated administrators to manage and monitor Groove user activities within the domain.

An onsite Groove Manager provides for two basic levels of administration: server administration and domain administration. Both levels of administrators can conduct their respective tasks through the Groove Manager administrative Web interface. The primary server administrator defines administrative roles and domains, and configures any corporate directory servers, laying the foundation for domain management. Groove Enterprise Services allows immediate administrative access to a Groove Manager domain, which can be managed without the added overhead of server management.
Server Administration

When Groove servers are installed onsite at an organization, administrators can access server-level pages on the Groove Manager administrative Web site, where they can set initial administrative roles, create management domains, integrate an onsite LDAP directory with Groove Manager, and monitor server activity, as follows:

- Administrator role-setting – The server Roles pages allow organizations to entrust high-level server and domain administration only to selected individuals. Once the initiating administrator has enabled role-based access control (RBAC) for the Groove Manager administrative Web site, qualified server administrators and domain-level administrators can be assigned as needed. Roles defined for each administrator determine which administrators are responsible for which server-level or domain-level tasks.

- Domain creation – An initial Groove management domain is created during initial Groove Manager setup, after which the server administrator can create additional domains for different Groove collaboration teams. Once a domain is configured, it houses Groove user groups, policy templates, and relay server sets, as defined by domain administrators.

- Directory integration – If an LDAP-compatible directory server of user information is available in-house, server administrators can integrate an LDAP directory with Groove Manager to efficiently import user information into Groove Manager domains. If Active Directory databases are used, LDAP integration also gives access to the automatic Groove account configuration feature that facilitates Groove client deployment.

- Server monitoring – Server Reports pages display a log of server-level activity (such as creation of a new domain or addition of a new relay server set) within a defined date range.

Domain Group Management

Domains are defined at the server level and then may be assigned to individual domain administrators.
The domain administrator defines the Groove users, policy templates, and relay server sets that will comprise a given domain. Administrators can also divide a domain into subgroups of Groove users. Specific Groove policy templates and relay sets can then be applied to specific domain groups and subgroups, as an organization's management practices require. In smaller organizations, creating subgroups in a domain can be a practical alternative to creating multiple domains on a server to reflect an organization's structure.

Policy Distribution

Administrators configure a domain or domain group for user management by defining policies that affect all users in a management domain group. Identity-based policies apply to managed member identities, regardless of what device the identity is running on. Identity policies control how domain members interact with Groove, including:

- Scheduling of account backups
- Publication of user information
- Relations with non-domain users

Device-based policies, such as access password rules and the allowance of multiple accounts, apply to all identities on the managed device.

Relay Provisioning

Groove Relay servers must be registered with Groove Manager. Administrators register onsite relay servers with a domain via the Groove Manager administrative Web site. If multiple relay servers are installed onsite, administrators can provision managed users with a sequence of relay servers, to provide relay redundancy and fallback. For information about Groove Relay server management and operation, see the Groove Relay Administrator's Guide that accompanies the Groove Server Relay application. For information about Groove Relay provisioning, see the online Help that accompanies the Groove Server Manager application. Groove Enterprise Services handles relay registration and provisioning, so administration of relay servers is not required.
Groove User Management

Administrators populate management domain groups with user identity information by entering the information manually, uploading it from an .xml or .csv file, or importing it from an onsite LDAP directory that has been integrated with Groove Manager, as described in LDAP Directory Integration. Once members are defined in the domain, configuration codes are distributed to each of them, for entry into Groove. Configuration codes enable users to configure their managed Groove accounts and identities. Managed identities are Groove Manager domain members. As such, they gain access to domain relay servers and are subject to identity policies that control Groove account backups, vCard publication, identity verification, and other identity-based aspects of Groove operation.

LDAP Directory Integration

The integration of an onsite LDAP directory with an onsite Groove Manager enables the automatic association of enterprise users with Groove Manager domain members and the import of user information to a Groove Manager domain. In addition, if Groove Manager is integrated with an Active Directory database and configured to utilize automatic account configuration, once Groove is installed on user machines, all Groove users can set up their accounts by simply starting Groove and setting a log-in password; no entry of a configuration code is required.

Note that directory integration is not available for Groove Enterprise Services.

Groove Device Management

Managing devices allows the distribution of client and security policies to devices via the management domain of which the device user is a member. These policies control password creation, Messenger integration, and other device-dependent aspects of Groove operation. Devices running Groove must be registered with a domain on the management server in order to be managed and subject to device policies.
Domain administrators can set an identity policy that automatically registers user devices with a domain when a user configures a Groove account or logs into Groove, or they can register user devices explicitly by setting device management registry values via a downloaded device registry key that is available from the Groove Manager Device Policy template pages.

Groove Account Backup

Administrators can schedule automatic Groove account backup for members of a selected domain by setting a domain identity policy. Backed-up information includes user contacts, the user's Groove workspace list, identities and contact information, and domain management settings.

User Verification

A project team often involves a diverse assembly of project leaders, in-house contributors, and external partners and consultants. When access to confidential information by unauthorized personnel is a concern, administrators can set identity policies that govern the interaction of managed users with others outside their organization. Restrictive policies can be used in conjunction with a domain property that enables cross-certification between domains, allowing external users in the cross-certified domains to participate in workspaces along with internal domain members.

Password Reset and Data Recovery

If a managed user forgets a Groove password or is removed from a management domain, domain administrators may need to reset the user's password or access the user's Groove data. To prepare for this eventuality, domain administrators can set identity policies for resetting unknown or forgotten user passwords.

Groove Usage Monitoring

When a managed identity exists on a Groove client, the Groove software periodically reports statistics on Groove usage to the Groove Manager, providing information about managed user activities, workspaces, and Groove tools being used. Administrators can view domain reports via the Groove Manager administrative Web site.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System

Groove Audit Functionality

Groove client auditing is an option available with an onsite Groove Manager. Installed on a separate, dedicated server, the Groove Audit feature enables administrators to oversee Groove activities on client devices. Auditable activities include workspace events (such as member additions) and tool events (such as file creation and deletion). Groove auditing is not available with Groove Enterprise Services.

See Also:
Groove Client and Server Functionality
Overview of the Office Groove System

Groove Server Relay Functionality

Whenever possible, Groove transmits data directly from peer to peer, sending out individual packets of data from one Microsoft Office Groove user to another. However, when firewalls and proxy devices block this direct communication, Groove Relay servers provide a way for peer transmissions to navigate these obstacles and reach their destinations. When data is addressed to a peer that cannot be reached directly (because the user is offline, for example), the relay’s store and forward service enables otherwise inaccessible peers to receive timely data. When conditions call for a relatively large amount of data to be sent to a number of Groove users, Groove Relay fans out data transmission, reducing the amount of data an individual user sends across the network.

Any of the data types transmitted by Groove clients can be transported or stored by the Groove Relay, including:
- Workspace and contact information, addressed to a specific device, identity, and workspace (device-targeted messages).
- Instant messages and workspace invitations, addressed to a specific identity (identity-targeted messages).

The Groove Relay only accepts Groove client and Groove Manager server transmissions; it does not initiate them. Groove clients and Groove Manager servers connect to Groove Relay servers to deposit and receive messages and data.
The Office Groove Server 2007 Relay application runs as a Windows service on a Windows server machine. Administrators manage Groove Relay servers via the Groove Relay configuration control panel applet, the administrative Web interface, and the Groove Manager server with which the Groove Relay cooperates.

Microsoft hosts relay servers for Groove users around the world. For managed enterprise installations of Groove, organizations can install their own Groove servers to run Manager and Relay operations in-house, or they can engage Groove Enterprise Services, which provide Groove management and relay infrastructure without the overhead of maintaining Groove servers.

The following section discusses key aspects of relay functionality.

In this article:
Message Flow
Firewall Transparency
Disconnected Operation
Device Presence Detection
Fanout
Relay Client Provisioning via Groove Manager
Groove Client Support
Multi-Relay Installation

Message Flow

Relay servers operate between Groove clients, enabling peer communications even when security devices, network conditions, and system down time impede successful information exchange. Relay servers enable message transmission under these conditions in three stages: accepting messages from Groove clients, storing messages temporarily, then dispatching messages when their target clients contact the Groove Relay for updates. Messages are dispatched to recipients over the same client port used for the initial relay contact, and the relay enlists whatever protocols are necessary to allow messages through the ports that are open on the recipient’s network. Each Groove user has an assigned Groove Relay server or sequence of Groove Relay servers, which is noted in the user’s identity (contact or vCard) information.
Groove Relay registration occurs when users log in to Microsoft Office Groove for the first time, or, in the case of managed users, when they become members of a domain defined on the Groove Manager to point to specific Groove Relay servers. When a Groove user sends a message across the Internet to a Groove contact that cannot be accessed directly, the Groove client software seeks the Groove Relay specified in the intended recipient’s contact information. It then contacts the target relay and deposits the message in a queue associated with the recipient. When the intended recipient next contacts the assigned Groove Relay server for updates, it retrieves the message from the queue.

The following process occurs every time a Groove user (UserA) sends a message or workspace update to a peer (UserB) via the Groove Relay:
1. Groove UserA sends an instant message or a workspace update to a Groove Relay server associated with UserB.
2. The Groove Relay queues the message for UserB.
3. UserB contacts the Groove Relay to collect any messages.
4. The Groove Relay authenticates UserB and returns UserA’s instant message or workspace update to UserB. If the message is an instant message or workspace invitation, it is deposited on the first device found that UserB is logged into. If the message is a workspace update, it is deposited on the device specified in the relay queue entry.

Figure 1 presents a basic Groove Relay setup for an enterprise with Groove users located at two sites.

Figure 1. Basic Groove Relay Server Configuration

Firewall Transparency

Ideally, Groove communicates via its preferred and most efficient protocol, Simple Symmetric Transfer Protocol (SSTP) over port 2492. To support the transmission of Groove messages across firewalls that block port 2492 but allow HTTP traffic over port 80, Groove Relay encapsulates SSTP commands and messages within an HTTP data stream.
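The queue-and-collect sequence of steps 1 to 4 in the Message Flow section above, as an added example (not Groove code): a relay that only ever responds to client contact, authenticates the collecting client against the key stored at first contact, hands identity-targeted messages to whichever of the recipient's devices asks first and device-targeted messages only to the named device. The key check, the tick-based retention window and all names are constructed for illustration.

```python
"""Store-and-forward relay queue modelled on the four-step Groove Relay message
flow. Constructed example: the credential check, clock and retention policy are
stand-ins for whatever the real relay implements."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    sender: str
    recipient: str                       # target identity, e.g. "UserB"
    body: str
    target_device: Optional[str] = None  # set for workspace updates (device-targeted)
    deposited_at: int = 0                # relay clock tick at which it was queued

    @property
    def device_targeted(self) -> bool:
        # Instant messages and invitations are identity-targeted; workspace
        # updates carry the device named in the relay queue entry.
        return self.target_device is not None


class Relay:
    """One queue per recipient identity. The relay never initiates delivery;
    messages leave the queue only when the recipient's device contacts it."""

    def __init__(self, retention_ticks: int = 100) -> None:
        self.retention_ticks = retention_ticks      # hypothetical retention setting
        self.queues: Dict[str, List[Message]] = {}
        self.client_keys: Dict[str, str] = {}       # identity -> key from first contact
        self.clock = 0

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def register(self, identity: str, key: str) -> None:
        """First contact: the client's key is recorded so later collections can
        be authenticated. Constructed stand-in for the real key exchange."""
        self.client_keys.setdefault(identity, key)

    def deposit(self, msg: Message) -> None:
        """Steps 1 and 2: the sender reaches the recipient's relay, which queues
        the message under the recipient identity."""
        msg.deposited_at = self.clock
        self.queues.setdefault(msg.recipient, []).append(msg)

    def purge_expired(self) -> int:
        """Drop queued messages older than the retention window; returns the count."""
        removed = 0
        for identity, queue in self.queues.items():
            keep = [m for m in queue if self.clock - m.deposited_at <= self.retention_ticks]
            removed += len(queue) - len(keep)
            self.queues[identity] = keep
        return removed

    def collect(self, identity: str, device: str, key: str) -> List[Message]:
        """Steps 3 and 4: a device of `identity` contacts the relay. The relay
        authenticates it, then releases identity-targeted messages to this (first)
        device and device-targeted messages only if this is the named device."""
        if self.client_keys.get(identity) != key:
            raise PermissionError(f"{identity}: authentication failed")
        self.purge_expired()
        delivered: List[Message] = []
        remaining: List[Message] = []
        for m in self.queues.get(identity, []):
            if not m.device_targeted or m.target_device == device:
                delivered.append(m)
            else:
                remaining.append(m)   # stays queued for the named device
        self.queues[identity] = remaining
        return delivered


if __name__ == "__main__":
    relay = Relay(retention_ticks=10)
    relay.register("UserB", "key-B")                      # constructed key
    relay.deposit(Message("UserA", "UserB", "hello"))     # instant message
    relay.deposit(Message("UserA", "UserB", "ws-delta", target_device="laptop"))
    print([m.body for m in relay.collect("UserB", "desktop", "key-B")])  # ['hello']
    print([m.body for m in relay.collect("UserB", "laptop", "key-B")])   # ['ws-delta']
```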
Encapsulating SSTP involves wrapping each SSTP transmission, along with additional header information, in the body of an HTTP message. The additional header information allows compliance with SSTP delivery semantics. In this way, SSTP messages reach the target client over port 80. Similarly, if firewalls block these ports but allow traffic over port 443, Groove Relay can transmit SSTP messages using the HTTP Connect method to enable communications over port 443.

Figure 2 shows how the Groove Relay enables LAN endpoints behind firewalls to communicate over the Internet. Normally, the LAN IP addresses and protected locations of these endpoints would prevent them from recognizing each other. The Groove Relay overcomes this condition by acting as an intermediary.

Figure 2. Device Discovery

Disconnected Operation

The Groove Relay provides store-and-forward services to collect and forward messages for Groove clients regardless of their connection state. Messages are held in queues until the relay is contacted by the Groove clients to whom the messages are targeted. This asynchronous communication enables continued operations among Groove collaborators even when some peers are offline.

Device Presence Detection

Groove Relay uses WAN Device Presence Protocol (DPP) to determine a device’s online status and the list of active Internet Protocol (IP) addresses for that device. This device presence (or ‘awareness’) service uses a publish-and-subscribe approach to making Groove users aware of the online/offline presence of other users.

Fanout

Groove expedites communications when transmitting large amounts of data, or when transmitting over a slow network link, by employing the relay’s fanout capability.
Fanout is a process for conveying a stream of data from a Groove client to the Groove Relay for replication and distribution to recipients, applicable when a Groove user adds a file to a workspace, sends a workspace invitation, or updates a workspace with multiple members.

The fanout process spans Groove clients and Groove Relay servers. The Groove client begins the process by grouping messages according to the target relay of the various recipients. It then determines if fanout should be applied, based on a complex algorithm that involves the fanout capability of the sender’s device, the number of recipients, the amount of data being sent, and the sender’s line speed, among other factors. If fanout is merited, the client sends a single copy to each of the identified Groove Relay servers. Groove Relay servers function like multi-cast routers, distributing copies of the message to each of the recipients. This process helps maximize the efficiency of communications links and minimizes bandwidth usage. This basic functionality, known as multi-drop fanout, is shown in Figure 3 below.

Single-hop fanout extends the multi-drop functionality to encompass multiple Groove Relay servers. When Groove resolves the fanout algorithm in favor of fanout, Groove sends a single copy of a message to the local home Groove Relay server, which then groups copies of the message by recipient relay and distributes message copies to target users’ Groove Relay servers. This process, known as single-hop fanout, is shown in Figure 4 below.

Note that single-hop fanout messages are not queued on the sender’s home Groove Relay server; they are sent to and stored on the target Groove Relay, or, if the target Groove Relay is down, fanout messages are stored on the sending client device.
When fanout is not in effect, Groove sends a single message addressed to multiple recipients just as it would send multiple messages to multiple recipients, issuing separate transmissions for each copy of the message, whether a Groove Relay server is called for or not, as shown in Figure 5 below.

Figure 3. Multi-Drop Fanout

Figure 4. Single-Hop Fanout

Figure 5. Groove Relay Transmission without Fanout

Relay Client Provisioning Via Groove Manager

The Groove Manager, installed on a separate server device at your site, provides an administrative interface for provisioning Groove users to specific Groove Relay servers. From the Groove Manager server, the following administrative actions can be performed on Groove Relay servers:
- Registering a Groove Relay server, or series of Groove Relay servers, with the Groove Manager.
- Assigning Groove clients to a Groove Relay server or a series of Groove Relay servers via their domain membership.
- Setting relay message retention time.
- Purging individual user message queues.

The Groove Manager communicates with the Groove Relay via the Simple Object Access Protocol (SOAP). The Groove Manager always initiates communication with the Groove Relay (the Groove Relay does not initiate communication with the Groove Manager).

For information about managing your onsite (managed) Groove Relay via the Groove Manager, see the online Help that accompanies the Groove Manager component of the Groove Server.

Groove Client Support

Groove clients must have access to a Groove Relay server in order to fully utilize Groove. By default, unmanaged users are automatically assigned to a publicly hosted relay server when they install Groove and create an identity. Managed users, defined by an onsite Groove Manager, gain their Groove Relay assignments from their management domain.
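The sender-side part of the Fanout section above, as an added example (not Groove code): the client groups recipients by their assigned relay, decides whether fanout is worthwhile, and lays out the transmissions each of the three modes in Figures 3 to 5 would produce, so the reduction in what the sender itself puts on the wire can be compared. The text does not spell out the real decision algorithm; the rule and threshold in should_fanout and all names are constructed for illustration.

```python
"""Fanout planning for a Groove-style client: no fanout (Figure 5), multi-drop
fanout (Figure 3) and single-hop fanout (Figure 4). Constructed example; the
decision rule is a stand-in for the unpublished algorithm."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (source, destination, bytes) for one transmission on one link
Transmission = Tuple[str, str, int]


@dataclass
class Sender:
    name: str
    home_relay: str        # the sender's own assigned relay
    fanout_capable: bool   # whether the sending device supports fanout
    line_speed_bps: int    # sender's uplink speed


def should_fanout(sender: Sender, n_recipients: int, payload_bytes: int,
                  max_direct_seconds: float = 5.0) -> bool:
    """Constructed rule using the factors the text names: device capability,
    recipient count, payload size and line speed. Fan out when the device can,
    there is more than one recipient, and sending every copy itself would take
    longer than the (hypothetical) threshold."""
    if not sender.fanout_capable or n_recipients < 2:
        return False
    direct_seconds = n_recipients * payload_bytes * 8 / sender.line_speed_bps
    return direct_seconds > max_direct_seconds


def group_by_relay(recipients: Dict[str, str]) -> Dict[str, List[str]]:
    """First client step: group recipients by the relay noted in their contact info."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, relay in recipients.items():
        groups[relay].append(user)
    return dict(groups)


def plan(sender: Sender, recipients: Dict[str, str], payload_bytes: int,
         mode: str) -> List[Transmission]:
    """Transmissions issued for one message to `recipients` (user -> relay)."""
    groups = group_by_relay(recipients)
    relay_legs = [(relay, user, payload_bytes)
                  for relay, users in groups.items() for user in users]
    if mode == "none":
        # Figure 5: one separate copy from the sender per recipient.
        return [(sender.name, relay, payload_bytes)
                for relay in recipients.values()] + relay_legs
    if mode == "multi-drop":
        # Figure 3: one copy per distinct target relay; relays replicate.
        return [(sender.name, relay, payload_bytes) for relay in groups] + relay_legs
    if mode == "single-hop":
        # Figure 4: one copy to the home relay, which forwards one copy per
        # other target relay; copies are stored on the target relays, not queued
        # on the home relay.
        forwards = [(sender.home_relay, relay, payload_bytes)
                    for relay in groups if relay != sender.home_relay]
        return [(sender.name, sender.home_relay, payload_bytes)] + forwards + relay_legs
    raise ValueError(f"unknown mode: {mode}")


def sender_bytes(sender: Sender, txs: List[Transmission]) -> int:
    """Bytes the sending client itself puts on its uplink."""
    return sum(size for src, _, size in txs if src == sender.name)


if __name__ == "__main__":
    # Constructed scenario: four recipients spread over three relays.
    user_a = Sender("UserA", "relay-home", True, 1_000_000)
    team = {"UserB": "relay-1", "UserC": "relay-1",
            "UserD": "relay-2", "UserE": "relay-home"}
    size = 2_000_000
    print("fanout?", should_fanout(user_a, len(team), size))
    for mode in ("none", "multi-drop", "single-hop"):
        txs = plan(user_a, team, size, mode)
        print(f"{mode:11s} transmissions={len(txs):2d} sender_bytes={sender_bytes(user_a, txs)}")
```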
When a client device contacts the assigned Groove Relay server for the first time, a key exchange occurs between the client device and the Groove Relay, providing initial user authentication. The client has then registered with that Groove Relay server. Client keys are stored in a database located on the Groove Relay. Groove clients are always assigned to specific relays; they are never directed to Groove Relay servers at random. A key exchange is always involved. In an enterprise environment, administrators assign users to Groove Relay servers using the Groove Manager, located on a separate server machine from the relays.

Multi-Relay Installation

Multi-relay installations enable more scalable relay support for a large client base and provide redundancy in case of equipment failure. Using the Groove Manager Web interface, administrators can assign multiple Groove Relay servers to a domain and prioritize them for use by domain members. When a Groove client sends data to a domain member that has access to multiple relay servers, the client attempts delivery to the first relay in the series, and if the server is down, it attempts delivery to the next Groove Relay server in the series, and so on.

See Also:
Groove Client and Server Functionality
Overview of the Office Groove System

Groove Server Data Bridge Functionality

The Groove Data Bridge facilitates integration between Groove clients and third-party applications used by an organization. This is accomplished through the use of administrator-defined Data Bridge identities that integrate third-party software, located anywhere on the network, with information contained in Groove workspaces. These specialized identities merge seamlessly into service-oriented architectures (SOAs). Groove Data Bridge-based operations gain access to Groove workspaces via the specialized identities, which can be invited to workspaces. Workspaces that contain a Groove Data Bridge identity are then present on the Groove Data Bridge device.
Once resident on a Groove Data Bridge server, a Groove workspace inherits a rich set of platform Web services that process XML-based calls from external applications in the data center. In this way, the Groove Data Bridge functions as a data access tier, moderating data and process integration between Groove workspaces and other applications and processes.

The following section describes the operation and main administrative capabilities of the Groove Data Bridge.

In this article:
Operation
Server Management
Server Backup
Identity Management
Workspace Management
Workspace Archiving
Message Tracking
Event Monitoring

Operation

The Groove Data Bridge runs on a computer at a company site, from which it hosts identities that server administrators define and manage through the Data Bridge administrative interface. A Groove Data Bridge identity exposes a set of Web Services that allow data and process integration between Groove workspaces and other software and systems in an enterprise IT network. Groove Web Services APIs support CRUD (create, read, update, delete) operations. By programming to Groove Web Services on the Data Bridge server, developers can build applications that integrate Groove workspaces with an organization’s external databases and applications, such as SharePoint sites, BizTalk®, SQL databases, Windows Workflow Foundation, and other Web services, including custom Windows .NET services. Data flow between the external software and Groove Data Bridge can be uni-directional or bi-directional.

Building a Groove Data Bridge system to moderate data exchange between Groove users and other enterprise applications involves three high-level tasks:
- Writing a Web services program to direct data interchange from an external database or other application.
- Creating a structure of Groove Files, Forms, and Calendar tools (the three Web services-enabled tools) that will handle the transfer of Groove workspace data.
- Creating one or more Groove Data Bridge identities to field Web services calls from an external program on behalf of Groove users who participate in a designated workspace.

Like user identities, Groove Data Bridge identities appear in workspaces of which they are members and in user contact lists, and they have associated contact (vCard) properties. Groove users can invite a Data Bridge identity into a workspace or join a space of which a Data Bridge identity is a member.

Performing integration operations through a Groove Data Bridge identity originating from a Data Bridge server has the following advantages over the option of direct client-side integration:
- Groove Data Bridge identities provide always-available, scalable, single-point integration. Single-point integration, as opposed to multi-point integration where transactions from multiple Groove client devices are exchanged with central servers, is an advantage if a task requires resources that are not available to all devices and if a single point for coordinating Groove with an external database or application is desirable. Figure 1 below illustrates the difference between a single-point Groove Data Bridge configuration and a multi-point configuration.
- Integration tasks can run automatically without requiring user action.
- Integration tasks can be optimized to efficiently handle large amounts of data or serve many Groove workspaces.

Figure 1. Single Point and Multi-point Integration

Server Management

Server management options are available from the Groove Data Bridge administrative interface. The main server window displays the current online/offline status of the server and Web services and allows administrators to manage a server contact list. Using menu options, administrators can perform other server-based tasks, such as changing the Groove Data Bridge password, backing up the server account, or closing the password-protected administrative window to allow the server to run in the background.
The Groove Data Bridge reports events to the Windows Event Log and Performance Monitor, allowing administrators to use these tools to monitor server health.

Server Backup

The Groove Data Bridge backup option allows server administrators to schedule automatic backup of Groove Data Bridge server account data. Backed up data consists of core account data, including server configuration details and a list of workspaces on the server; it does not include workspace data (which is recoverable by using Groove’s inherent workspace fetch capability). Administrators can then use the Data Bridge installer to restore the backed-up account if necessary.

Identity Management

Server administrators can create Groove Data Bridge identities via the administrative interface. An identity performs tasks in a Groove workspace, guided by a set of Web services. The identity may be invited to a workspace or may be programmatically driven to create its own workspace to which users may be invited. You can create a single identity to handle a rich set of Web services, or you can create separate identities with specific objects. Identity management options are available from the Groove Data Bridge administrative interface, where an administrator can edit identity contact properties, configure invitation processing, and add Groove identities to the server contacts list.

Workspace Management

The Groove Data Bridge administrative interface enables you to view the list of workspaces of which a Groove Data Bridge identity is a member, along with the identity’s role and status in each workspace. This information is maintained and reported separately for each Groove Data Bridge identity.

Workspace Archiving

Enabling the workspace archiving feature for an identity allows administrators to schedule data archiving for all workspaces of which the identity is a member. Archived workspaces are static copies of the data in the original workspaces.
Administrators can use the archived copy of the data to restore workspace data by downloading a specific .gsa file from its stored location to a client device, then using Groove’s built-in workspace fetching capability to complete the space restoration process. This type of workspace restoration is particularly useful when an identity is the sole workspace member and the workspace is lost, or when a file or other data is damaged or lost and a previous workspace version containing the correct data is needed.

Message Tracking

Groove Instant Messages and invitations, received or sent by Groove Data Bridge identities, are listed in the Groove Data Bridge administrative interface. All invitations, processed and unprocessed, are included in the message list with their status indicated. If a Data Bridge identity is configured for manual invitation acceptance, administrators can accept invitations from the message list.

Event Monitoring

Administrators can monitor Groove Data Bridge server activity using the Windows Event Viewer. Reported events include server shut downs and restarts, as well as identity-level events, such as new identity creation. Windows Performance monitoring tools provide server performance statistics, tracing, and other server information.

See Also:
Groove Client and Server Functionality
Overview of the Office Groove System

II. Groove Server 2007 Architecture

All Groove components and tools reside on the Groove client computer, making end users and their devices the mainstay of Groove communications. Groove relay servers are also integral components of the Groove system, sustaining connectivity when direct client connection is not possible or feasible. In organizations that require centralized administration to help secure, facilitate, and monitor collaboration software, Groove Manager servers play an overriding role in the system. This section introduces the main components of Groove client-server architecture.
In this section:
Groove Client Architecture
Groove Server Manager Architecture
Groove Server Relay Architecture
Groove Server Data Bridge Architecture

Groove Client Architecture

From a high level, Groove consists of a workspace manager with a set of tools, a contacts manager, a message manager, and a communications manager. All Groove's components and tools, user account information, and user data reside on client PCs. Groove’s preferred protocol for client-to-client and client-to-relay communication is its native Simple Symmetric Transmission Protocol (SSTP), though HTTP is also supported.

For detailed information about Groove client architecture, see the Groove Platform Overview in the Developer's Reference Guide available at: http://www.microsoft.com/downloads/details.aspx?FamilyID=BAA487E9-E1B9-4A10-BEEA-1FD906B77F92&displaylang=en

Groove Server Manager Architecture

Groove Manager is a server application that provides a centralized environment for managing Groove client usage in an enterprise. It is part of the Office Groove Server product that includes two interdependent applications: Groove Manager and Groove Relay, as well as the optional Groove Data Bridge. Each Groove Manager installation involves at least one Internet Information Service (IIS) front end, which supports the Web-accessed administrative interface and client SOAP interface, and a SQL Server back end, which stores most of the data. These servers may be installed and operated by an enterprise, or equivalent management and relay services can be engaged through Microsoft-hosted Groove Enterprise Services. Figure 1, below, shows the relationships between management (IIS and SQL) servers, supporting relay servers, and Groove clients.

Organizations that maintain corporate directories of employee information can integrate these directories with Groove Manager, adding another component to the system.
In addition, some enterprises may want to install the Groove auditing application for closer monitoring of Groove activities. This section provides more information about the required and optional components of a Groove management system.

In this section:
Website Component of Groove Manager
Database Component of Groove Manager
Corporate Directory Integration
Groove Audit Service
Groove Manager Communications Protocols

Website Component of Groove Manager

The interactive portion of the Groove Manager is its Web site, built on a Windows IIS server. The IIS login procedures in place at an enterprise secure the site. The Web site can be accessed by one of the following two interfaces:
Administrative Interface
Client Interface

Administrative Interface

The administrative Web interface, created during Groove Manager installation on the IIS server, enables server administrators to manage Groove Manager operation and Groove usage in their organizations. While this interface relies on the underlying security configured in IIS by the site administrator, a built-in role-based access control system offers an additional level of security. From the administrative Web interface, secured by its underlying IIS configuration, administrators can perform the following server-level tasks:
- Create management domains.
- Define administrative roles.
- Monitor server events.
- Integrate an onsite LDAP directory server with an onsite Groove Manager.

Note: Microsoft Office Groove Enterprise Services provides an alternative to an onsite Groove Manager installation, enabling the same domain-level administration as that provided by an onsite Groove Manager, without the added overhead of maintaining the Groove Manager servers.

The Groove Manager server administration interface consists of the following major elements:
- Management Domains - Collections of Groove users, policy templates, and relay server sets.
- Administrative roles - Administrative roles and permissions, defined by Groove Manager administrators as part of the Groove Manager Role Based Access Control (RBAC) system. When RBAC is enabled, administrators determine who can access which parts of the Groove Manager administrative Web interface.
- Reports - Server-wide audit log of Groove Manager events.
- Corporate directory support - Corporate directory server definitions for integrating user information with the Groove Manager, if an LDAP server directory is installed onsite at an enterprise. Directory integration requires an onsite Groove Manager server; it does not apply to Groove Enterprise Services.

Once management domains are configured in the Groove Manager, administrators can access domain Web pages, as well as directory integration pages (to use enterprise directories for adding user information to a domain), role-setting pages, and Groove Manager event reports. Domain pages allow administrators to manage Groove users and devices, provisioning them with Groove Relay servers and enforcing Groove usage policies. Management domain administration does not require server-level permissions and is usually assigned to domain administrators. The Groove Enterprise Services package presents only this domain portion of the Groove Manager interface. For detailed information about the domain management portion of the administrative interface, see the Groove Manager Domain Administration portion of the Help.

Client Interface

The Groove Manager’s SOAP-based client interface allows the Groove client application to access the Groove Manager server for identity and device policies and relay assignments, and to report Groove-related events. Groove clients access the Groove Manager via an Internet-accessible Simple Object Access Protocol (SOAP) interface on the Groove Manager. The Groove Manager does not initiate communications with Groove clients, but responds to requests from client devices.
Clients contact the Groove Manager at periodic intervals (generally every five hours) for the latest policies and relay server assignments. This periodic contact is the primary mechanism by which all information is exchanged between the Groove Manager and the Groove client software.

Groove Relay servers facilitate Groove peer communications at various levels, including storing and forwarding messages, enabling firewall navigation, and overcoming network discontinuities. As part of a managed Groove environment, specific Groove Relay servers (installed onsite as part of the Groove Server or procured through Groove Enterprise Services) must be registered with the Groove Manager. For more information about the role of Groove Relay servers in a managed Groove installation, see the Groove Relay Administrator’s Guide, included with the Groove Relay component of the Groove Server.

See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture

Database Component of Groove Manager

Groove Manager stores all data, including user account and device information, in a Microsoft SQL Server database. The local IIS/Groove Manager server is not used for data storage. Server administrators can use SQL-compatible reporting tools to create customized Groove usage reports from the Groove Manager information stored in SQL views. If the Groove client auditing option is part of the installation, the same SQL server can support Groove auditing as well as other Groove Manager activities.

See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture

Corporate Directory Integration

An existing corporate directory server of employee information can automate the process of adding Groove identities to a Groove Manager domain by allowing administrators to import existing data instead of re-entering it manually.
Administrators of onsite Groove Manager servers can use the Groove Manager user interface to integrate with a corporate Lightweight Directory Access Protocol (LDAP) server of employee information and import users directly from the organizational unit (OU) containers on the directory server into Groove Manager. Once a corporate directory has been defined on Groove Manager, administrators can also take advantage of automated Groove account configuration and domain migration features that depend on a Groove Manager-LDAP directory connection.

See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture

Groove Audit Service

The Groove Audit service is an optional feature installation, provided with Groove Manager. This service, installed on a dedicated machine, is the audit data collection point for Groove tool and member events that take place on Groove clients registered with a management domain. Like its parent Groove Manager, it relies on SQL databases for storage. Domain administrators use a device policy defined in Groove Manager to schedule client audits and select the type of events to be audited.

Groove Auditing consists of four parts:
- A Groove client-side audit log which securely collects Groove user events into an encrypted file.
- The Groove client-side Audit Service which secures the audit log for upload to the Audit Server.
- The Audit Server software which collects and decrypts the log data, then stores it in a SQL Server database.
- A Groove Manager device policy that defines what data should be audited on devices within a management domain.

Groove audit logs are encrypted on clients as soon as each event is created, and are decrypted only after arrival at the audit server, so the log contents are not readable on the client device or in transit. In addition, NTFS permissions restrict access to the logs and to the Audit Service so that ordinary users cannot tamper with them. NTFS permissions do not constrain an account that holds local administrator rights on the client, so the integrity of client-side audit data also depends on limiting who holds that right.
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture

Groove Manager Communications Protocols

Groove Manager is a Web application and utilizes various Web-compatible protocols, primarily Hypertext Transfer Protocol (HTTP), to process Groove administrative input and client requests through its Web site. Administrators interact with the Groove Manager using a browser to access its administrative Web site. Groove clients communicate with the Groove Manager by sending XML-based Simple Object Access Protocol (SOAP) requests over HTTP to which the Groove Manager responds. The Groove Manager never initiates connections with Groove clients.

The Groove Manager also uses SOAP to communicate with any Groove Relay servers that it is managing. SOAP exchanges with Groove Relay servers are always initiated by the Groove Manager.

To communicate with the SQL server which stores all Groove Manager data, the Groove Manager uses Microsoft's OLE DB data access specification. To communicate with any LDAP-based directory servers that the Groove Manager is configured to support, the Groove Manager uses Lightweight Directory Access Protocol (LDAP).

The following table summarizes Groove Manager protocols:

| Groove Server and Client Protocols | Listening Ports Used | Purpose |
|---|---|---|
| SSTP over Hypertext Transfer Protocol (HTTP) | Port 80 | Used by Groove clients and Groove Relay servers. Supports HTTP encapsulation of SSTP. |
| Simple Object Access Protocol (SOAP) | Port 80 | Used by Groove Manager to listen to client SOAP requests and to communicate with Groove Relay servers. |
| Open Database Connectivity (ODBC) | Port 1433 (typically). Inbound on SQL database server; outbound from Groove Manager to SQL database server port 1433 (typically). | Used by Groove Manager to contact the SQL database server. |
| LDAP | Port 389 (typically) | Used by Groove Manager to integrate with optional LDAP-based directory server. |
| Simple Mail Transfer Protocol (SMTP) | Port 25 | Used by a Groove API, called by the Groove Manager, to forward e-mail containing Groove account configuration codes to a mail host for sending to Groove clients. |

See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture

Groove Server Relay Architecture

Relay servers are vital components of a Groove environment, enabling communications even when direct peer exchanges are impeded by firewalls, offline devices, network failures, and slow connections. The Groove Relay server application, available with Office Groove Server or through Groove Enterprise Services, is an enterprise-ready version of the public relays. Like its publicly accessed counterpart, Groove Relay provides message handling software to sustain collaboration regardless of client online status and data transport conditions.

In managed environments, Groove Relay servers are registered with a Groove Manager server and added to management domains by domain administrators. If multiple Groove Relay servers are installed onsite, administrators can define secondary relays to back up the primary servers associated with the domain. Multiple Groove Relays offer a level of redundancy and fault tolerance.

The relay's message handling software provides a large part of relay functionality, enabling message store services and optimizing data transmissions across the network. Groove clients contact relays to collect stored messages, executing the last step of the 'store and forward' functionality enabled by the relay. Other important Groove Relay constituents are as follows:
- Transactional database system that stores basic user information, including authentication keys and identity information, queues of Groove device-targeted messages (updates to Groove workspaces), and queues of identity-targeted messages (instant messages and invitations).
- Set of utilities that facilitates management and cleanup tasks.
  For example, administrators can use one of these utilities to rebuild queues in the event of a disk failure.
- Specialized Windows control panel applet that allows administrators to configure Groove Relay servers installed onsite. This is where administrators define the Groove Relay name, and the public and private keys used to authenticate communications with Groove clients.
- Web-based administrative interface that provides access to relay server statistics and aids for monitoring and maintaining relay database queues.

The Groove Relay 2007 runs on a Windows Server 2003 (or later) machine, and supports x64 (64-bit) architecture. The following sections discuss the key elements of Groove Relay software architecture.

In this section:
Message Queue Databases
Database Management Utilities
Groove Relay Configuration Control Panel Applet
Groove Relay Administrative Web Interface
Groove Relay Communications Protocols

Message Queue Databases

The Groove Relay utilizes a transactional database system that stores basic user information (including authentication keys and identity information), queues of Groove device-targeted messages (updates to Groove workspaces), and queues of identity-targeted messages (instant messages and invitations). The size of these queues changes continuously as Groove clients deposit (enqueue) and retrieve (dequeue) messages.

All Groove message queues reside in a series of database files in the Data subdirectories of the Groove Relay installation directory. User identity information, authentication keys, and other 'metadata' reside in another set of database files also under the Data directory. The Groove Relay creates these databases at startup, if they are not already present. It also preallocates a number of Data files (Extents). The database system also creates transaction log files that are used to maintain the integrity of the Groove Relay databases in the event of system failure.
The Groove Relay depends on these log files to recover message queues and other related databases when restarting after an outage.

See Also:
Groove Server 2007 Architecture

Database Management Utilities

The Groove Relay clears transaction logs and purges old message queues automatically. In addition, it provides utilities that enable Groove Relay administrators to manually perform other relay queue management tasks. These utilities include the following:
- RQExport/RQImport - Allows server administrators to save and restore databases when necessary.
- FFQBackup - Allows server administrators to 'mirror' all or selected queued data to another disk volume or another system.
- FFQRebuild - Allows server administrators to rebuild queued data after a catastrophic failure, such as disk failure.

In addition, the Groove Relay administrative interface enables administrators to start queue purge and compress cycles, as well as to generate detailed queue report files.

See Also:
Groove Server 2007 Architecture

Groove Relay Configuration Control Panel Applet

The Groove Relay server, which is installed as a Windows service, provides a control panel applet for configuring the Groove Relay. Changes to configuration settings take effect when the Groove Relay is next restarted. From the applet's configuration windows, administrators can configure various relay parameters, including the following:
- Defining Groove Relay public and private keys for enabling communications with Groove clients.
- Defining SOAP keys for enabling communications with the Groove Manager.
- Limiting SSTP message sizes.
- Enabling/disabling the logging of diagnostic information collected to enhance the reliability of the Groove Relay over time.

See Also:
Groove Server 2007 Architecture

Groove Relay Administrative Web Interface

The Groove Relay provides an administrative interface accessible by browser whenever the Groove Relay is running.
From the site, administrators can do the following:
- View statistics that help monitor Groove Relay health.
- Examine device, identity, and queue information.
- Generate reports.
- Manually purge and compress data queues, as necessary. (The Groove Relay clears transaction logs and purges old message queues automatically.)

See Also:
Groove Server 2007 Architecture

Groove Relay Communications Protocols

The Groove Relay is implemented as a multi-protocol server platform. Among the supported protocols, Groove's native Simple Symmetric Transmission Protocol (SSTP) across a TCP (port 2492) connection is the preferred protocol for Groove client-to-relay connections. If port 2492 is blocked by a firewall, Groove clients can also establish SSTP connections to a Groove Relay server over port 443, the port normally used for Secure Sockets Layer (SSL) traffic. If port 443 is also blocked, Groove clients can encapsulate SSTP within HTTP, and connect to Groove Relay servers over port 80. However, these port 80 connections are less efficient, as the encapsulation and connection management of the HTTP connections result in significant overhead. Groove clients can also communicate with Groove Relay servers across proxies using port 443 or HTTP port 80. To detect client online and offline status, relays also support Groove's WAN Device Presence Protocol (DPP).

Like the Groove client, Groove Relay depends on SSTP for processing Groove messages, including Groove instant messages, workspace invitations, and workspace updates. SSTP is designed to augment standard transport protocols, such as TCP and UDP, with features such as multiplexed messaging to multiple devices over a single connection, efficient streaming of large messages, and application detection of connection outages. SSTP operates over TCP on the Internet Assigned Numbers Authority (IANA)-assigned port 2492. It supports bi-directional application-level connections between two machines.
All Groove workspace updates, instant messages, and presence notifications involve Groove application-level protocols and are sent as SSTP messages. The following table describes how the Groove Relay utilizes various protocols:

| Relay Protocols | Usage |
|---|---|
| Simple Symmetric Transport Protocol (SSTP) via TCP over port 2492; WAN Device Presence Protocol (DPP) over SSTP | Used to transport Groove messages. Inbound port 2492 supports: Groove message queues for identity- and device-targeted messages; fanout of SSTP message streams to multiple identities on the same Groove Relay server; device and user authentication for dequeuing SSTP messages; WAN device presence detection (WAN DPP). Outbound port 2492 supports: single-hop fanout. |
| SSTP over port 443 | Used to transport messages when SSTP transmissions over port 2492 are blocked by firewalls, or for transmissions from Groove clients via proxies that support the HTTP Connect method. Inbound port 443 supports: HTTP Connect handshake for SSTP messages from Groove clients; firewall transparency (via HTTP Connect method). |
| SSTP over Hypertext Transfer Protocol (HTTP) port 80 | Used to transport messages when direct SSTP transmissions are blocked by firewalls. Inbound port 80 supports: HTTP encapsulation of SSTP messages from Groove clients; firewall transparency (via HTTP). |
| HTTP over administrative port 8010 | Used to access Groove Relay administrative Web pages. Inbound port 8010 supports: Groove Relay administrative Web pages. |
| Simple Object Access Protocol (SOAP) over port 8009 | Used to transmit Groove Relay administrative settings from the Groove Manager to the Groove Relay. Inbound port 8009 supports: Groove Relay administration from the Web-based Groove Manager. |

See Also:
Groove Server 2007 Architecture

Groove Server Data Bridge Architecture

Groove Data Bridge is a server application that facilitates interaction between Groove clients and external databases or other applications.
Groove Data Bridge hosts administrator-defined identities that enable Groove to field XML calls from external applications or processes, allowing data exchange and integration between Groove and other systems, such as SharePoint sites and SQL databases. Groove Web Services mediates these exchanges. Groove Data Bridge includes a built-in Groove workspace backup system and provides a Windows-based administrative interface for configuring and monitoring data bridge integration services.

As a component of the Microsoft Office Groove Server, the Groove Data Bridge is a robust mechanism for spanning application environments, and integrating Groove data and processes with those of other applications, such as SharePoint sites. This section briefly describes its architecture.

In this section:
Groove Data Bridge Application
Managed Groove Data Bridge Identities
Web Services API
Groove Data Bridge Protocol Support

Groove Data Bridge Application

The Data Bridge server application shares many of the qualities of a Groove client. It relies on an underlying Microsoft Office Groove application, communicates with Groove peers using the same Groove peer protocols, and hosts identities that participate in workspaces.

Groove Web Services enable the development and deployment of integration solutions that take advantage of services-oriented architectures (SOAs). The integration logic resides outside of Groove Data Bridge processes. For example, an external archiving program may retrieve data from a Groove Files tool for storage in a library maintained on a SharePoint site. The Data Bridge identity processes Web services calls from the custom retrieval program and mediates data exchange between the SharePoint site and Groove workspaces of which it is a member. The custom integration program resides on the retrieval application server. Figure 1, below, shows the key components of a Groove Data Bridge-guided system:

Figure 1. Groove Data Bridge Identity Mediating Between Workspace and External Applications

See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture

Groove Data Bridge Account

The Groove Data Bridge runs on a dedicated Windows server. Each Data Bridge server hosts at least one identity - comparable to a Groove user identity - that facilitates interaction between Groove workspaces and external applications through a services-oriented architecture. A Groove Data Bridge account is a special Groove account that covers all the integration identities that the server hosts. Unlike a Groove account, a Data Bridge account cannot be active on more than one device at a time. The server administrator creates an account after launching Groove Data Bridge for the first time.

See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture

Managed Groove Data Bridge Identities

A Groove Data Bridge identity is a server-based equivalent to a user identity, acquiring Groove workspace membership via Groove client invitations or programmatically. Groove Data Bridge identities are defined by Groove Data Bridge server administrators and, unlike other member identities, are not associated with users on client devices. Instead, these identities reside on Data Bridge servers, where they are driven by Web services calls from external programs to perform specific data integration tasks on behalf of Groove clients. As such, a Data Bridge identity mediates data exchange between other applications, such as SharePoint sites or SQL databases, and Groove client workspaces that contain Web services-ready tools (currently the Files, Forms, and Calendar tools).

See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture

Web Services API

Integration tasks are defined in external programs that utilize the Groove Web Services Application Programming Interface (API) enabled on the Data Bridge server.
Through a Groove Data Bridge identity, the program exposes a set of Web services that involve data integration between Groove workspaces and other applications. In this way, Groove Data Bridge is an always-available data access tier that enables integration access to Groove workspaces through Groove Web Services.

See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture

Groove Data Bridge Protocol Support

Like the Groove client, Groove Data Bridge utilizes both Simple Symmetric Transmission Protocol (SSTP) and Hypertext Transfer Protocol (HTTP). Ports 2492 and 80 support SSTP and HTTP, respectively. The following table describes the use of these protocols.

| Protocols | Descriptions | Default Inbound Ports |
|---|---|---|
| Simple Symmetric Transmission Protocol (SSTP) | A Groove protocol, used by Groove clients and the Groove Data Bridge for communication. This protocol allows for the fastest message transmission. | 2492/TCP (IANA-assigned) |
| Hypertext Transfer Protocol (HTTP) | A broadly used protocol used by many applications, including Groove clients and Groove Relay servers when direct SSTP transmission is blocked by firewalls. | 80/TCP |
| Local Area Network Device Presence Protocol (LAN DPP) | A Groove protocol (based on the User Datagram Protocol, UDP) used by Groove clients on a Local Area Network (LAN). Supports Groove device presence detection, enabling clients on a LAN to find each other via globally unique identifiers (GUIDs) associated with each device's dynamic Internet Protocol (IP) address. | 1211/UDP |
| Standard XML-based protocols, such as Simple Object Access Protocol (SOAP) | Protocols used by external applications to communicate with Groove Data Bridge. | Incoming SOAP over HTTP, port 9080/TCP |

See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture

III. Groove Protocol Support

Groove clients and servers utilize several transport and application-layer protocols to sustain communications under a wide range of network conditions.
This chapter provides a high-level description of how the leading protocols are used.

Groove's Simple Symmetric Transmission Protocol (SSTP) is the primary protocol of client-to-client and client-to-server communication. But if SSTP port 2492/TCP is unavailable, Groove clients can establish SSTP connections in other ways. For example, if a firewall blocks 2492/TCP outbound connections, Groove clients can establish SSTP connections to relay servers over port 443/TCP. If a firewall also blocks port 443/TCP, SSTP can be encapsulated within standard HTTP over port 80/TCP. Connections across HTTP, however, are less efficient because of the increased overhead of encapsulation and HTTP connections.

Groove Manager, as a Web application, processes Hypertext Transfer Protocol (HTTP) requests from Groove clients and from an administrative browser interface. Groove clients communicate with the Groove Manager server by sending Simple Object Access Protocol (SOAP) requests over HTTP to which the Groove Manager responds. Groove Manager also uses SOAP to communicate with any relay servers that are registered with it. SOAP exchanges with the relay server are always initiated by the Groove Manager. Neither the Groove Manager nor the Groove Relay initiates connections with Groove clients.

Groove Relay supports multiple protocols to maintain communications among Groove users when client devices cannot contact each other directly. Foremost is Groove's native SSTP over port 2492/TCP, which relay servers use for processing Groove messages, including instant messages, Groove workspace invitations, and workspace updates. However, Groove Relay employs other ports and HTTP to allow messages to traverse firewalls when a Groove user is behind a firewall that blocks native SSTP communications.

Like Groove clients, Groove Data Bridge uses SSTP to communicate with directly-connected Groove clients. Its transactions with external applications utilize SOAP.
Figure 3-1 introduces firewalls to the simple client-to-client topology shown in The Groove Solution, and, to represent an enterprise deployment, includes Groove Manager and Data Bridge servers.

Figure 3-1. Groove Installation with Supporting Servers and Firewalls

Under some conditions, Groove clients connect to relay servers across proxy servers. As with browser connections across proxies, various ports can be specified for the local client-to-proxy connection. When communicating across a proxy, Groove clients can use SSTP over port 443/TCP using the HTTP Connect method. Alternatively, HTTP-encapsulated SSTP may be transacted as standard HTTP long-lived, HTTP keep-alive, or HTTP polling connections over port 80/TCP, if supported by the proxy server.

Groove clients also depend on the LAN and WAN Device Presence Protocol (DPP). LAN DPP is a Groove application-layer protocol carried by User Datagram Protocol (UDP). LAN DPP allows clients to find each other on a LAN subnet by publishing their presence information and monitoring device presence information for identities in their contact lists. WAN DPP is an application-layer protocol supported by Groove Relay and carried by Groove's SSTP. WAN DPP allows clients to find each other across the wide area network by publishing and subscribing to device presence information maintained on relay servers.

The protocols supported by the Groove client and servers are summarized in the following table:

| Groove Server and Client Protocols | Functions | Listening Ports Used |
|---|---|---|
| Simple Symmetric Transport Protocol (SSTP) | Used by Groove clients and relay servers to transport Groove messages. Supports: message queues for user identity- and device-targeted messages; fanout of SSTP message streams to multiple identities and multiple Groove Relays; device and user authentication for dequeueing SSTP messages; Wide Area Network Device Presence Protocol (WAN DPP). | Port 2492/TCP: inbound on Groove Relay; inbound on Groove clients; outbound from Groove clients to Groove Relay and clients; outbound from Groove Relay to Groove Relay. |
| SSTP over Hypertext Transfer Protocol (HTTP) port 80 | Used by Groove clients and Groove Relay to transport messages when direct SSTP is blocked by firewalls. Supports: firewall transparency through HTTP encapsulation of SSTP datagrams. | Port 80/TCP: inbound on Groove Relay; outbound from Groove clients to Groove Relay. |
| SSTP over port 443 | Used by Groove clients and Groove Relay to transport messages when native SSTP transmissions are blocked by firewalls and for proxies that support the HTTP Connect method. | Port 443/TCP: inbound on Groove Relay; outbound from Groove clients to Groove Relay. |
| Simple Object Access Protocol (SOAP) over port 80 | Used by Groove clients to communicate with Groove Manager. | Port 80/TCP: inbound on Groove Manager; outbound from Groove client to Groove Manager; outbound from Groove Data Bridge to Groove Manager. |
| SOAP over port 8009 | Used by Groove Manager to contact Groove Relay. | Port 8009/TCP: inbound on Groove Relay; outbound from Groove Manager to Groove Relay. |
| SOAP over port 9080 | Used by Groove Data Bridge to receive XML calls from external applications. | Port 9080/TCP: inbound on Groove Data Bridge to receive requests from external applications. |
| HTTP over port 8010 | Supports Groove Relay administrative Web pages. | Port 8010/TCP: inbound on Groove Relay. |
| MS-SQL Tabular Data Stream (TDS) encapsulated in TCP | Used by Groove Manager front-end IIS server to contact back-end SQL server. | Port 1433/TCP (typically): inbound on SQL database server; outbound from Groove Manager IIS server to SQL server. |
| Lightweight Directory Access Protocol (LDAP) | Used by Groove Manager to integrate with optional LDAP-based directory server. | Port 389/TCP (typically): inbound on LDAP directory server; outbound from Groove Manager IIS server to LDAP directory server. |
| Local Area Network Device Presence Protocol (LAN DPP) | Used by Groove clients on a LAN subnet. Supports Groove device presence detection, enabling clients on a LAN to find each other. | Port 1211/UDP: inbound on Groove clients; outbound from Groove client to Groove client. |
| Wide Area Network Device Presence Protocol (WAN DPP) | Used by Groove clients and relay servers for WAN device presence detection. Groove application-layer protocol over SSTP. | Carried over SSTP. |
| Rendezvous Protocol (RVP) | Used by Groove clients to support user presence information. Groove application-layer protocol over SSTP. | Carried over SSTP. |
| IM protocol | Used by Groove clients to support instant messaging. Groove application-layer protocol over SSTP. | Carried over SSTP. |
| Workspace protocol | Used by Groove clients to support data synchronization. Groove application-layer protocol over SSTP. | Carried over SSTP. |
| Simple Mail Transfer Protocol (SMTP) | Used by a Microsoft virtual SMTP server, called by Groove Manager, to send e-mail containing account configuration codes or account backup files to a mail host for delivery to Groove users. | Port 25/TCP: inbound on mail host; outbound from Groove Manager IIS front-end servers. |

Figure 3-2 illustrates the interaction between Groove Manager and Groove Relay servers, and Groove clients. See Summary of Groove Port Configurations for a table of port configurations in the context of various protocols.

Figure 3-2. Interaction of Groove Servers and Clients

IV. Summary of Groove Port Configurations

The following tables present sample port configurations to support Groove systems in the presence of firewalls. The IP addresses and hostnames used are for example only.
In this section:
Public Internet to Perimeter Network
Perimeter Network to Public Internet
Perimeter Network to Perimeter Network
Private Intranet to Perimeter Network
Private Intranet to Public Internet

Public Internet to Perimeter Network

| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol – port | Purpose |
|---|---|---|---|---|---|---|---|
| Internet | * | * | Perimeter Network | mn10 | 167.10.159.20 | HTTP – 80/TCP | Groove Manager HTTP/SOAP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |

Perimeter Network to Public Internet

| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol – port | Purpose |
|---|---|---|---|---|---|---|---|
| Perimeter Network | rn8 | 167.10.159.18 | Internet | * | * | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Perimeter Network | rn9 | 167.10.159.19 | Internet | * | * | SSTP – 2492/TCP | Groove Relay SSTP communications |

Perimeter Network to Perimeter Network

| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol – port | Purpose |
|---|---|---|---|---|---|---|---|
| Perimeter Network A | mn10 | 167.10.159.20 | Perimeter Network A | rly10 | 167.10.159.25 | HTTP – 8009/TCP | Groove Relay HTTP/SOAP communications |
| Perimeter Network A | mn10 | 167.10.159.20 | Perimeter Network A | rly11 | 167.10.159.26 | HTTP – 8009/TCP | Groove Relay HTTP/SOAP communications |
| Perimeter Network A | mn10 | 167.10.159.20 | Perimeter Network B | mail | 167.11.159.50 | SMTP – 25/TCP | E-mail SMTP communications |

Private Intranet to Perimeter Network

| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol – port | Purpose |
|---|---|---|---|---|---|---|---|
| Intranet | * | * | Perimeter Network | mn10 | 167.10.159.20 | HTTP – 80/TCP | Groove Manager HTTP/SOAP communications |
| Intranet | * | * | Perimeter Network | mn10 | 167.10.159.20 | RDP – 3389/TCP | Microsoft Remote Desktop communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 8010/TCP | Groove Relay Admin HTTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | RDP – 3389/TCP | Microsoft Remote Desktop communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 8010/TCP | Groove Relay Admin HTTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | RDP – 3389/TCP | Microsoft Remote Desktop communications |

Private Intranet to Public Internet

| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol – port | Purpose |
|---|---|---|---|---|---|---|---|
| Intranet | * | * | Internet | * | * | SSTP – 2492/TCP | Groove SSTP communications |
| Intranet | * | * | Internet | * | * | SSTP – 443/TCP | Groove SSTP communications |
| Intranet | * | * | Internet | * | * | HTTP – 80/TCP | Groove HTTP encapsulated SSTP communications; Groove Manager HTTP/SOAP communications |
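The client-to-relay fallback order described in chapter III (native SSTP on 2492/TCP, then SSTP on 443/TCP, then HTTP-encapsulated SSTP on 80/TCP) and the sample port matrix above can be checked against each other mechanically. The following Python script is an added example, not part of Office Groove Server 2007 or of any Microsoft tooling. It encodes the sample rules using the book's example zones, hosts and addresses (mn10, rn8, rn9, rly10, rly11 and mail), answers which relay transport a client in a given zone would end up using, flags management and back-end ports (8009, 8010, 3389, 1433, 389) reachable from the Internet zone, and reports which required flows a candidate rule set is missing. The Rule record, the zone labels, the management-port list and the helper functions are this example's own assumptions; the evaluation is a model of the behaviour the text describes, not Groove's implementation.

```python
"""Model of the sample Groove firewall port matrix and the client fallback
order it produces.  Added example, not part of Office Groove Server 2007.
Zone, host and address names follow the book's sample tables; the Rule
record and the helper functions are this example's own assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # host name from the sample tables, "*" for any host
    proto: str      # "TCP" or "UDP"
    port: int
    purpose: str


# Example addresses from the book's tables (perimeter networks A and B).
SAMPLE_HOSTS = {
    "mn10": "167.10.159.20",   # Groove Manager
    "rn8": "167.10.159.18",    # Groove Relay
    "rn9": "167.10.159.19",    # Groove Relay
    "rly10": "167.10.159.25",  # Groove Relay managed over SOAP 8009
    "rly11": "167.10.159.26",  # Groove Relay managed over SOAP 8009
    "mail": "167.11.159.50",   # SMTP host in perimeter network B
}


def relay_rules(src_zone: str, host: str, admin: bool) -> List[Rule]:
    """The three client-to-relay transports, plus the admin ports the
    sample tables open only from the trusted Intranet zone."""
    rules = [
        Rule(src_zone, "Perimeter", host, "TCP", 2492, "Groove Relay SSTP"),
        Rule(src_zone, "Perimeter", host, "TCP", 443, "Groove Relay SSTP over 443"),
        Rule(src_zone, "Perimeter", host, "TCP", 80, "Groove Relay HTTP-encapsulated SSTP"),
    ]
    if admin:
        rules += [
            Rule(src_zone, "Perimeter", host, "TCP", 8010, "Groove Relay admin Web pages"),
            Rule(src_zone, "Perimeter", host, "TCP", 3389, "Remote Desktop"),
        ]
    return rules


# The sample matrix from chapter IV as one flat rule list.
SAMPLE_RULES: List[Rule] = (
    [Rule("Internet", "Perimeter", "mn10", "TCP", 80, "Groove Manager HTTP/SOAP")]
    + relay_rules("Internet", "rn8", admin=False)
    + relay_rules("Internet", "rn9", admin=False)
    + [Rule("Intranet", "Perimeter", "mn10", "TCP", 80, "Groove Manager HTTP/SOAP"),
       Rule("Intranet", "Perimeter", "mn10", "TCP", 3389, "Remote Desktop")]
    + relay_rules("Intranet", "rn8", admin=True)
    + relay_rules("Intranet", "rn9", admin=True)
    + [Rule("Perimeter", "Perimeter", "rly10", "TCP", 8009, "Groove Manager to Relay SOAP"),
       Rule("Perimeter", "Perimeter", "rly11", "TCP", 8009, "Groove Manager to Relay SOAP"),
       Rule("Perimeter", "PerimeterB", "mail", "TCP", 25, "SMTP to mail host")]
)

# Client-to-relay fallback order from chapter III, most to least efficient.
FALLBACK = [(2492, "SSTP/2492"), (443, "SSTP over 443"), (80, "SSTP in HTTP/80")]

# Ports that carry administration or back-end traffic.  None of them appears
# in the book's Internet-to-perimeter rows; the check below keeps it that way.
MANAGEMENT_PORTS = {8009, 8010, 3389, 1433, 389}


def allowed(rules: Iterable[Rule], src_zone: str, dst_zone: str,
            dst_host: str, proto: str, port: int) -> bool:
    """True if some rule permits the flow (a '*' host matches any host)."""
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.dst_host in ("*", dst_host)
               and r.proto == proto and r.port == port
               for r in rules)


def relay_transport(rules: Iterable[Rule], src_zone: str, relay_host: str,
                    dst_zone: str = "Perimeter") -> Optional[str]:
    """Walk the fallback order and return the first transport the rules
    permit, or None if the client cannot reach the relay at all."""
    rules = list(rules)
    for port, name in FALLBACK:
        if allowed(rules, src_zone, dst_zone, relay_host, "TCP", port):
            return name
    return None


def internet_exposed_management(rules: Iterable[Rule]) -> List[Rule]:
    """Rules that let the Internet zone reach a management or back-end port."""
    return [r for r in rules if r.src_zone == "Internet" and r.port in MANAGEMENT_PORTS]


def missing_rules(configured: Iterable[Rule], required: Iterable[Rule]) -> List[Rule]:
    """Required flows that the configured rule set does not permit."""
    configured = list(configured)
    return [r for r in required
            if not allowed(configured, r.src_zone, r.dst_zone, r.dst_host, r.proto, r.port)]


if __name__ == "__main__":
    for zone in ("Internet", "Intranet"):
        print(zone, "-> rn8:", relay_transport(SAMPLE_RULES, zone, "rn8"))
    # A firewall that passes only port 80 from the Internet forces the
    # HTTP-encapsulated path, which the book notes is the least efficient.
    web_only = [r for r in SAMPLE_RULES if not (r.src_zone == "Internet" and r.port != 80)]
    print("Internet (port 80 only) -> rn8:", relay_transport(web_only, "Internet", "rn8"))
    print("Exposed management ports:", internet_exposed_management(SAMPLE_RULES))
    print("Flows missing from web_only:", len(missing_rules(web_only, SAMPLE_RULES)))
```

Two points the script makes concrete: a relay reachable from the Internet on 80/TCP alone still works, but every client outside the perimeter then pays the HTTP encapsulation overhead the text warns about, so a "port 80 is open anyway" firewall change silently degrades the whole user population; and the management ports (8009 SOAP from Groove Manager, 8010 relay administration, 3389, 1433, 389) should only ever appear in rows whose source is the perimeter or the intranet, which internet_exposed_management verifies against any rule list you feed it.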
V. Groove Site Planning Conditions and Requirements

The issues discussed in this chapter are intended to help you determine how to best deploy Groove software at your site so you can meet your current and foreseeable collaboration needs. Some of the topics addressed are especially relevant if you are considering incorporating onsite Groove servers into your managed Groove environment. Others, such as Network Planning and Capacity Planning, provide applicable information regardless of your Groove management context.

Successful deployment involves understanding basic Groove requirements and assessing the network management requirements of your site. Key questions to consider include:
- How does Groove affect your network? How does Groove interact with proxies, firewalls, and other similar devices on your network, what network port requirements does Groove have, and how does Groove affect network bandwidth? See Network Planning for Groove for some answers.
- How many Groove users do you need to support and what hardware will you need to manage them? See Capacity Planning for Groove for a discussion of these issues.
- What emergency outages can you anticipate and prepare for? What system failover measures are already in place? See Failure Contingencies and Disaster Recovery for Groove for a discussion of emergency preparedness.

Each company contends with unique administrative, technical, and environmental issues in setting up and maintaining its communications network, but the general conditions discussed here are likely to arise at any site. This section addresses important decision points.

In this section:
Network Planning for Groove
Capacity Planning for Groove
Failure Contingencies and Disaster Recovery for Groove
Groove Manager Site Planning
Groove Relay Site Planning
Groove Data Bridge Site Planning

Network Planning for Groove

This section discusses how a Groove deployment fits within existing network topologies and cites specific requirements.
In this section:
- Network Topology for Groove
- Network Requirements for Groove
- Groove Bandwidth Usage

Network Topology for Groove

One of the biggest IT challenges is setting up network devices and configurations that enable efficient information exchange without jeopardizing the security of corporate data. Often conflicts arise that upset any hard-won balance. Groove mitigates these problems. Aware of other devices and configurations on the network, Groove is designed to work within any communication constraints they present while maintaining the security of its transactions. For example, when firewall configurations block the preferred SSTP communications, Groove clients attempt to reach relay servers over HTTP instead. In addition, Groove maintains "business as usual" alongside a wide range of communications tools and features. For example, despite the various bandwidth rates and latencies that characterize Internet traffic, Groove attempts to optimize communications and maintain timely delivery of information. Table 1-1, below, summarizes Groove's responses to various network and browser configurations. Table 1-2, below, lists some of the tools and features with which Groove cooperates seamlessly.

Table 1-1. Impact of Network and Browser Configurations on Groove

Network and Browser Configurations | Groove Responses
TCP port restrictions | Direct Groove client communication depends on Groove's TCP-based Simple Symmetric Transfer Protocol (SSTP) over port 2492/TCP. When native SSTP ports are not available, Groove encapsulates SSTP messages in HTTP, and client communications occur via Groove relay servers over HTTP port 80.
Proxy configurations | In a proxy environment, when SSTP ports are not available, Groove clients can communicate via HTTP proxies over any port specified in the browser, including ports other than 80/TCP.
HTTP proxy caching | HTTP proxy settings can place additional limits on communications. For example, proxies generally cache data before transmitting. Although optimal Groove communication is based on real-time transmission, Groove is resilient to this caching.
Auto-detection configuration | When auto-detection is enabled for browsers in a proxy environment, the associated Dynamic Host Configuration Protocol (DHCP) configuration includes URLs for scripts that contain information about intranet hosts and proxies. Groove clients can read the information in these scripts to locate appropriate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients.
Auto-configuration scripts | Web browser configurations often include URLs for JavaScript files that include information about conditional proxy selection. Groove clients can read the information in these scripts to locate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients.
Proxy authentication (Basic Authentication, NT LAN Manager) | Proxy devices often use authentication protocols that require login information when clients attempt to connect. Groove clients support Basic Authentication and NTLM proxy authentication by displaying a dialog box requesting authentication information at connection time, thereby enabling communication through the proxy.
Firewall settings, including Network Address Translation (NAT) | When firewall configurations block SSTP communications, Groove clients attempt to access relay servers using HTTP.
Domain Name System (DNS) | Publicly resolvable, registered DNS names are used for Groove Manager and Groove Relay servers.
Virtual Private Networks (VPN) | Groove operates across VPNs, provided that relay servers are accessible over the VPNs.

Table 1-2. Real-World Tools and Features with which Groove Cooperates

Communications Tools and Features | Groove Responses
Dial-on-demand routers | Groove requires a persistent connection, which on-demand routers do not normally provide. Therefore, Groove may force the router to stay dialed up as long as Groove is running.
Dial-up, pay-to-use services (such as in hotels and airports), and Network Interface Card (NIC) insertions/removals | These services acquire a temporary (transient) IP address while the connection is up. Groove supports such configurations.
Sociable communications | Groove runs in the background as an icon in the system tray along with other Windows applications sharing the network resources. When sharing bandwidth with other applications, Groove attempts to optimize its bandwidth use.
Suspend/resume | Most laptops support a sleep mode, for example when the lid is closed. Groove resumes after suspension without requiring a system shutdown.
Various bandwidth rates and latencies | Groove is designed to accommodate differences in bandwidth rates and high latencies. Though affected by these conditions, it attempts to optimize communications.
Communications errors | Groove is designed to accommodate communications errors (short breaks in service caused by storms or network events).
Virtual Private Network (VPN) and Virtual Network Connection (VNC) communications | Groove co-exists with these links but does not depend on them.

See Also:
- Network Planning for Groove

Network Requirements for Groove

This table describes general network interface requirements for a Groove installation.

Device | Ports Open

Groove client
  - Inbound/Outbound port 2492/TCP – Allows real-time client-to-client communications via Groove's Simple Symmetric Transfer Protocol (SSTP) and client-to-relay-to-client communications via Groove Relay servers.
  - Inbound/Outbound port 1211/UDP – Allows real-time client-to-client communications via Groove's Local Area Network Device Presence Protocol (LAN DPP).
  - Outbound port 80/TCP – Allows client-to-relay-to-client communications via Groove Relay servers. Also allows SOAP communications with Groove Manager.
  - Outbound port 443/TCP – Allows client-to-relay-to-client communications via Groove Relay servers.

Groove Manager
  - Inbound port 80/TCP – Receives Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP.
  - Outbound port 8009/TCP – Sends SOAP messages to Groove Relay.
  - Outbound port 25/TCP – For sending SMTP e-mail containing account configuration codes to Groove users.
  - Outbound port 389/TCP – For importing and synchronizing member identities with an LDAP directory.

Groove Relay
  - Inbound ports 80/TCP, 443/TCP, or 2492/TCP – Receives messages from Groove clients via HTTP or Groove's SSTP.
  - Outbound port 2492/TCP – For relay-to-relay single-hop fanout.
  - Inbound port 8009/TCP – Receives SOAP requests from Groove Manager.
  - Inbound port 8010/TCP – Supports browser requests for administrative statistics.

Corresponding ports on firewalls and related devices must allow communications across the above ports for transmissions to (and from) Groove Relay servers.

See Also:
- Network Planning for Groove

Groove Bandwidth Usage

When installed as recommended, a Groove system of clients and servers does not measurably disrupt network performance and compares with most currently available browser- or platform-based communications products in terms of bandwidth consumption. This section discusses Groove's bandwidth usage patterns, and subsequent sections discuss the hardware and configuration recommendations that best support it. Understanding how Groove uses bandwidth will help you anticipate any network adjustments that may be necessary.
Groove bandwidth usage depends on several variables, including network configuration and the amount and type of data being transmitted over the wire. While these factors vary among sites, the bandwidth usage results from Microsoft experience and testing provide a useful baseline. For example, bandwidth usage has been monitored under conditions where Groove is being used heavily in a workspace with fifty members and each member of the workspace sends, on average, approximately 350 bytes/second over the network during a typical workday. Results from this level of Groove activity show that Groove bandwidth utilization increases linearly as the number of members in Groove workspaces increases (assuming a user-to-device ratio of approximately 1:2).

Whenever possible, Groove transmits data directly from client to client, sending individual packets of data to each workspace member. When data is addressed to a client that cannot be reached directly (because the user is offline, behind a firewall, or on a weak Internet link, for example), Groove sends data via relay servers, and via fanout as needed for more efficient distribution. Whether data is transferred through relay servers or not, bandwidth utilization relative to the number of users in a workspace remains linear (see Figure 1, below), which makes it easier to predict Groove bandwidth use once the application is online. Note that because relay servers are designed for efficient bandwidth use, total bandwidth use under conditions of high traffic is often less when relay servers assist in message transmission.

Figure 1. Groove Client/Relay Bandwidth Usage

See Also:
- Network Planning for Groove

Network-Level Security

A basic form of security for Internet transmissions is the blocking or filtering of data from unknown or suspect sources. One way to accomplish this is by restricting the number of open communications ports on the server, limiting inbound transmissions to the protocols supported by the few open ports. Firewalls are often used to implement these restrictions. For example, you could locate a Groove Manager server in a perimeter network (sometimes called a perimeter security zone), behind a firewall that allows only inbound TCP traffic over port 80; this would limit inbound transmissions to HTTP traffic only. This would allow Groove client-to-Groove Manager and other HTTP communications while blocking other transmissions that use non-HTTP protocols. How you implement security measures at your site depends largely on your company's specific security requirements, the software you use, and your existing network topology. See 'Recommended Best Practices' in Groove Site Preparation for important guidance.

See Also:
- Network Planning for Groove
- Groove Site Planning Conditions and Requirements

Capacity Planning for Groove

To anticipate and plan for any large-scale software deployment, you need to know the size and location of your intended user population, as well as anticipated bandwidth consumption. The range of Groove enterprise services and servers that you engage depends largely on these factors. The section below discusses Groove client and server capacities.

In this section:
- Groove User Base Planning
- Groove Manager Capacity
- Groove Relay Capacity

Groove User Base Planning

Knowing the current and projected size of your Groove client base, along with the estimated daily bandwidth usage per user, is essential for planning an enterprise-wide Groove installation that will operate smoothly from the start and over the long term. Larger enterprises will have additional planning considerations.
In small businesses (of fewer than 100 users), minimal planning is involved, mostly centering on establishing the number and usage level of target Groove users, as discussed in the server capacity sections below. The network and security configurations already in place at your site to support Internet access and e-mail should generally be sufficient for Groove, regardless of whether users collaborate under the same roof or across the globe.

When hundreds or thousands of users require collaboration support, and when corporate consultants, partners, or customers are involved as well as employees, close consideration of how you intend to manage such collaboration is necessary. An effective management framework should allow you to accomplish the following:

- Centrally configure Groove accounts.
- Set Groove password entry requirements.
- Manage Groove activity at both the user and device level.
- Identify trusted collaborators outside a domain.
- Integrate Groove user information with corporate directories.
- Schedule automatic backup of Groove user accounts.
- Provision users with relay services that help ensure uninterrupted collaboration.
- Monitor user activity and project work to ensure productive use of Groove.
- Audit Groove client events to help ensure proper use.
- Integrate corporate applications and data with Groove.
- Back up Groove workspaces.

The following Groove server applications and services can help you achieve these ends with maximum ease, as summarized in the following table:

Office Groove Server and Groove Enterprise Services | Capabilities
Groove Server 2007 Manager, installed onsite (requires separate Groove Server Relay installation)* | Enables and facilitates centralized administrative control over Groove use, including: automatically configuring Groove on client devices; setting password creation rules; enforcing managed Groove use; establishing trusted users across management domains; scheduling automatic Groove account backup; enabling Groove password and data recovery; integrating corporate user directories with Groove user identity information; monitoring Groove use; auditing Groove client activity.
Groove Server 2007 Relay, installed onsite (requires separate Groove Server Manager installation)* | Enables relay server provisioning to managed users, providing the following communication services: data storage and forwarding, to support online/offline collaboration; wide-area network (WAN) presence detection; data fanout to expedite message delivery in conditions of high network traffic; cross-firewall communications.
Groove Server 2007 Data Bridge | Integrates Groove with Microsoft SQL databases and other corporate applications via Groove Web services; includes a built-in mechanism for backing up managed Groove user workspaces.

* Also available as Groove Enterprise Services, which includes Manager and Relay hosted by a Microsoft data center.

See Also:
- Capacity Planning for Groove

Groove Manager Capacity

Office Groove Server 2007 Manager enables comprehensive oversight of Groove usage. In planning how to incorporate Groove Manager into your network, consider your company's usage statistics, bandwidth requirements, and what hardware/software is necessary to support those conditions. The number of users that Groove Manager can support largely depends on the hardware configuration of the Internet Information Services (IIS) and SQL servers that make up a Groove Manager installation. Monitor Groove and Groove Manager performance to consider if and when additional hardware or software may be necessary.
For the SQL server back end, plan on 6 MB of storage per managed Groove user, including space for account backup. Typically, one Groove Manager/IIS front end server can support approximately 20,000 users when installed according to product instructions. Additional Groove Manager front ends are necessary to support a larger user population. Larger-scale implementations can leverage the scalability of the underlying IIS and SQL platforms. In most cases, multiple load-balanced IIS front-end servers can share a common SQL back end.

The following specifications are based on an average deployment in a mid-sized company and can provide a reference point for planning your Groove Manager deployment.

Projected Load
- 12,000 Groove users online
- 36,000 Groove user identities configured

Hardware/Software
- Hardware Load Balancer – 1 each
- IIS Front End – 2 each (for redundancy): dual 64-bit processors, 2.4 GHz, 4 GB RAM; single disk controller, NICs, and write-caching hardware RAID; 36 GB RAID disk array; Windows Server 2003 x64
- SQL Back End – 1 each: dual 64-bit processors, 2.4 GHz, 4 GB RAM; multiple disk controllers, NICs, and write-caching hardware RAID; 800 GB RAID disk array; Windows Server 2003 x64; SQL Server 2005

If Groove Manager is deployed with the Audit option enabled, allow at least one dedicated SQL server for every 1,500 users. Additional server support is necessary if the option to audit files is in place.

The following table provides estimates for the number of Groove Manager servers necessary to support a given number of Groove users:

Groove Users | Minimum Groove Manager Front End/IIS Servers | Groove Manager Back End/SQL Servers
1,000 | 1 | 1
2,000 | 1 | 1
5,000 | 1 | 1
10,000 | 1 | 1
20,000 | 1 | 1
40,000 | 2 | 1
60,000 | 3 | 1

See Also:
- Capacity Planning for Groove

Groove Relay Capacity

Installing Office Groove Server 2007 Relay at your site ensures relay availability to your Groove users and places all relay management within the control of your server administrators. If you decide to secure and manage dedicated relays, plan on supporting no more than 18,000 Groove users on a single relay server. However, actual limitations on relay capacity may vary, and you should monitor Groove client and relay performance to determine when additional server hardware or software may be necessary.

If your organization supports a global network of users, locate your relay servers in close proximity to your main communities of users to maximize the performance of your relay equipment. The increased network "hop" count necessary to support data transmissions from Groove clients to distant relays degrades network performance.

The following specifications are based on an average deployment in a mid-sized company and can provide a reference point for planning a Groove Relay deployment.
Projected Load for Community of 36,000 Groove Users
- 12,000 users provisioned to a Groove Relay server and online
- 30,000 connected Groove devices
- Maximum bandwidth of 8 MB/concurrent user/day

Hardware/Software
- Dual 64-bit processors, 2.4 GHz, 8 GB RAM
- Multiple disk controllers (one dedicated controller for the relay's data volume and zero-to-one additional controller for operating system volumes)
- Multiple NICs, and write-caching hardware RAID
- 450-GB RAID disk array for relay data
- Windows Server 2003 x64

The table above describes an organization with a community of 36,000 Groove users. In this scenario, all 36,000 users are provisioned to the relay server, with the assumption that no more than 33% of the provisioned users will be online at any time. About 12,000 provisioned users are online and connected concurrently. The 30,000 connected devices include the devices of users provisioned to this relay server and online, as well as the devices of other collaborating users provisioned to other relays. Note that the ratio of online Groove users to devices connected to the relay server varies depending on usage patterns. Typically, clients provisioned to other relays connect to a Groove Relay server in order to enqueue data for clients that are provisioned to that relay. The connected devices of non-provisioned users consume some relay resources, although substantially fewer than a provisioned and online user does. Therefore, the number of provisioned and online users connecting to a relay server is usually substantially less than the total number of connecting devices. The ratio of provisioned online users to connected devices is typically between 1:2 and 1:5, but can be as high as 1:20 or more. The ratio also depends on secondary relay server assignments: each secondary relay assignment also constitutes a connection to the secondary relay. Keep this in mind when planning relay capacity.

Each Groove Relay may support up to approximately 15,000 provisioned and online users. The total number of provisioned users, online and offline, is typically greater, depending on the ratio of online to offline users. Additional relay servers are needed to support larger user populations or to meet redundancy requirements. This section presents specific aspects of relay capacity planning.

In this article:
- Relay Bandwidth Usage
- Relay RAM
- Relay CPU
- Relay Disk Space
- Relay Hard Disk Controller

Relay Bandwidth Usage

Approximately 8 megabytes (MB) of data may pass through the relay server per user per day, based on average-use tests. Therefore, an environment of 15,000 provisioned and online Groove users would generate about 120 gigabytes (GB) of traffic per day, or about 1.4 MB/second. The amount of data directed to a Groove Relay server depends on the amount of data being sent in each transmission, communications speed, whether clients are behind firewalls, and the state of client connections.

Relay RAM

Tests on a standard configuration show that a Groove Relay server uses about 1.5 gigabytes of memory to support approximately 12,000 connected devices. In the case of a mid-sized company (described above), with 30,000 connected devices, 8 GB of memory would be required. At least 2 GB of memory should be reserved for the file system cache for proper operation of the relay.

Relay CPU

Groove Relay is optimized for a dual 64-bit processor configuration with 2.4 GHz speed or greater. Dual-core dual-processor configurations are also supported.

Relay Disk Space

The disk space required to support a client population varies, depending on Groove client usage patterns. Client populations that are routinely offline for days or weeks at a time require more relay disk space because data must be stored while clients are offline. In a typical mixed client population, a client may use up to approximately 10 MB of disk space per day, assuming a 30-day purge interval. The total necessary disk space will vary with the configured purge interval. Therefore, a community of about 36,000 Groove users will consume at least 360 GB of disk storage on the data drive.

Relay Hard Disk Controller

Groove Relays place a high demand on disk input/output (I/O). Write caching is critical to supporting the high I/O demand of a Groove Relay. The Groove Relay installation kit includes a utility called DBWriteTest.exe that can be run to assess the performance viability of a disk subsystem. DBWriteTest exercises the relay server's controller and drive subsystems. A relay server configured for 12,000 online users requires DBWriteTest results of approximately 2 MB/second or greater. In addition, your hardware RAID should be configured to enable the system to survive catastrophic failure of a disk drive with minimal downtime and data loss.

The rate at which the hard-disk controller transfers data from the processor to the hard disk depends on the type of controller. Microsoft average-use tests show that adding 100 Groove users to the system typically increases the amount of data written to or read from the relay server hard disk by about 50,000 bytes/second. This suggests that 12,000 users online would best be supported by a Groove Relay with a write-caching hardware RAID controller and a minimum raw disk I/O capacity of 6 MB/second. Typically, this requires a high-performance controller with 10,000-to-15,000-rpm drives.

See Also:
- Capacity Planning for Groove

Failure Contingencies and Disaster Recovery for Groove

As with any server installation, total system failure is a possible scenario that should be addressed at the outset during deployment planning. Possible causes and anticipated effects should both be assessed during the site design phase so that disaster avoidance and recovery can be built into site topology and operating practices.
Since Groove is designed to run in a wide range of environmental and network settings, the possible context of system failure depends largely on conditions unique to a given site and is, therefore, beyond the scope of this guide. But a recovery path can be recommended. IT departments charged with providing comprehensive full-function Groove services to a large corporation can best establish a recovery path by setting up multiple data centers with procedures and standby servers slated for immediate promotion into operation in the event of failure. Minimally, protect your data and the server operating system from the effects of component failure, and prepare Groove Server installations for failure recovery, as follows:

- Groove Manager – Groove Manager IIS and SQL server machines should be equipped with reliable, fault-tolerant hardware and redundant hard drives, or other fault-tolerant technology, such as clustering, multiple IIS front ends, and fault-tolerant network load balancing. Schedule frequent backups of the Groove Manager database on the SQL back-end server.
- Groove Relay – Groove Relay servers should be equipped with reliable, fault-tolerant hardware and redundant hardware. A redundant multi-relay installation can further reduce the risk of interrupted or slowed communications within your Groove network. Using Groove Manager, administrators can provision redundant Groove Relay servers to members of a management domain. If the primary relay server is inaccessible for a provisioned member, the Groove client will use the next relay server in the list. In the event of disk failure, you can use the Groove Relay's FFQBackup and FFQRebuild utilities and procedures to reconstruct the relay server databases.
- Groove Data Bridge – Groove Data Bridge servers should be equipped with fault-tolerant hardware and redundant hard drives.

See Also:
- Groove Site Planning Conditions and Requirements

Groove Manager Site Planning

The Groove Server Manager is a Web-based application for managing Groove clients. As a component of Microsoft Office Groove Server 2007 installed on your corporate network, the Groove Server Manager (subsequently called Groove Manager) enables server control, as well as administrative oversight of Groove user and device activity. As an alternative, you can access Groove Manager functionality by engaging Microsoft Office Groove Enterprise Services, which allows you to manage Groove users and devices without the overhead of managing the server. This section summarizes site planning issues and best practices to consider when setting up the Groove Manager server application at your site.

In this section:
- Network Requirements for Groove Manager
- Capacity Planning for Groove Manager
- Recommended Best Practices for Groove Manager
- Failure Contingencies for Groove Manager

Network Requirements for Groove Manager

Inbound port 2492 must be open on all Groove client devices in order to enable peer-to-peer communications. The Groove Manager has the following network interface requirements:

- Inbound TCP port 80 must be open in order to receive Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP.
- Inbound SSL port 443 must be open to support Secure Sockets Layer protection of the Groove Manager administrative Web pages.
- Outbound TCP ports must be open in order to send messages to the Groove Relay TCP port 8009 (for version 3.1 or earlier Groove Relay servers).
- Outbound SMTP port (TCP port 25) to the defined smart host must be open in order to send e-mail with account configuration and account restoration codes to Groove users.
See Also:
- Groove Manager Site Planning
- Groove Site Planning Conditions and Requirements

Capacity Planning for Groove Manager

One Groove Manager device typically supports up to 10,000 Groove users, with the hardware configuration recommended for a standard installation. A second Groove Manager is generally recommended to support a larger user base. Larger-scale implementations, with additional RAM and disk storage capacity, can leverage the scalability of the underlying IIS and SQL platforms.

When Groove is being used heavily in a workspace with fifty members, each member of the workspace sends, on average, approximately 350 bytes/second over the network during a typical workday.

The number of users that your system can support largely depends on the hardware configuration of the Internet Information Services (IIS) and SQL servers that make up the Groove Manager installation. Monitor Groove and Groove Manager performance to consider if and when additional hardware or software may be necessary. For the SQL server, in an environment of approximately 5 transactions per user per hour, plan on 6 MB of storage per managed Groove user, including space for account backup.

See Also:
- Groove Manager Site Planning
- Groove Site Planning Conditions and Requirements

Recommended Best Practices for Groove Manager

The location of specific Groove Manager and Relay devices at your site is largely governed by the performance and security objectives of your organization, as well as by the location and distribution of users with respect to your network topology. Work with your Microsoft Office Groove representative to determine how to implement a Groove Manager configuration that accommodates the Groove user base at your site.

In administering a Groove Manager, follow the best practices generally recommended for hosting an Internet server. For helpful information on this topic, review the Microsoft security Web site. The following basic measures can help promote a reliable and secure installation:

- Control network access to the Groove Manager Web pages, as described in Controlling Network Access to the Groove Manager Web Site.
- Install the management software on a clean, stand-alone Windows 2003 machine. Do not try to install a Groove Manager on a domain controller or on a machine where Groove is running; doing so will cause the install process to fail.
- To protect the operating system and data from damage or loss as a result of hardware component failure, make sure to install the Groove Manager on a machine with redundant hard-drive capability, typically a hardware RAID (software RAIDs protect data only, not the operating system).
- Consider installing the latest Critical Update Package and Security Rollup on all servers. Review available information about any Windows server security vulnerabilities, and address them as needed at your site. For information about Windows security, see the Microsoft Windows Security Web pages and the Microsoft TechNet Security site.
- Proxy or firewall devices may be used to control transmissions and allow access only to those ports necessary for Groove transmissions.
- Locate the Groove Manager in a perimeter network (also known as a screened subnet) to afford relative security while allowing managed external Groove users to access the Groove Manager from the Internet. Similarly, locate any Groove Relay devices in a perimeter network for security and to allow other Groove users to contact your managed users. Figure 2 shows an example of a typical Groove Manager setup.
- If your site plan includes multiple Groove Manager devices, install the administrative portion of the Web site on a secure server, separate from the server supporting the client-accessible portion of the site. The SQL server is typically shared by multiple Groove Manager devices. Consult a Microsoft Office Groove technician for information about multiple-server installations.
- Further secure the Groove Manager administrative Web pages by enabling Secure Sockets Layer (SSL) encryption and setting the server SSL port to 443. For more information about SSL, refer to the Microsoft MSDN Web site.
- Further protect the Groove Manager administrative Web pages with Windows or other login authentication. If using Basic Authentication, where passwords are transmitted over the network without encryption, make sure to enable SSL.
- To help secure distribution of Groove account configuration codes to your users, use one of the following methods:
  - Use the Groove Manager's automatic account configuration option.
  - Use an existing secure communication channel to distribute codes (employing security-enhanced e-mail or e-mail over a trusted local area network, for instance).
  - Manually distribute account configuration codes.
- Make sure to keep labeled copies of any certificates, private keys, and passwords you use in a known secure location, such as on disk in a locked cabinet or in a directory on a secure private network. You may need access to these old certificates or private keys in the future, for example, if you need to recover client data but the client has an older version of the data recovery certificate.
- Establish administrative roles that govern physical access to Groove Manager machines, access to server-level controls, and access to management domain controls.
- To allow for Groove account restoration when needed (to replace a damaged account, for example), ensure that the identity policy that schedules Groove account backups is enabled.

See Also:
  Groove Manager Site Planning
  Groove Site Planning Conditions and Requirements

Failure Contingencies for Groove Manager

To protect your data and the server operating system from the effects of component failure, the Groove Manager IIS and SQL server machines should be equipped with reliable redundant hard-drive capability or other fault-tolerant technology, such as clustering. As with any server installation, the possibility of total server failure is also a concern. To address this risk, consider an additional Groove Manager to provide backup in the event that your initial installation fails.

See Also:
  Groove Manager Site Planning
  Groove Site Planning Conditions and Requirements

Groove Relay Site Planning

Many factors affect where and how you should position Groove Relay servers at your site. How many Groove users you intend to support, where your users are located geographically, your company's security policies, how a Groove Relay server will interact with other nodes on your system, and your existing network topology are some of the issues you should address before bringing the Groove Relay and its supporting Groove Manager online in your organization. While the guidelines and best practices cited in this guide are recommended for optimizing the effectiveness of your installation, the specific conditions at your site will drive most of the decisions about Groove Relay server placement on your network. You must install a Groove Manager at your site in order to manage your onsite Groove Relay servers. See the Help that accompanies the Groove Manager component of the Microsoft Office Groove Server for specific information about Groove Manager site planning.

In this section:
  Network Requirements for Groove Relay
  Capacity Planning for Groove Relay
  Best Practices for Groove Relay
  Groove Relay Server Failover

See Also:
  Groove Site Planning Conditions and Requirements

Network Requirements for Groove Relay

The Groove Relay requires specific inbound ports to be open for client and Groove Manager transmissions. Required or recommended ports on the Groove Relay server are:
  Inbound port 2492 must be open for SSTP transmissions from Groove clients.
  Inbound port 80 must be open for SSTP over HTTP transmissions from Groove clients.
  Inbound port 443 must be open for SSTP transmissions from clients via proxies that support the HTTP CONNECT method (and for SSTP transmissions from clients that can reach the Groove Relay directly on SSL port 443 but not on port 2492).
  Inbound port 8009 must be open on the interfaces that the Groove Manager uses to send transactions to the Groove Relay. The Groove Manager server sends these transactions using the Simple Object Access Protocol (SOAP).
  Outbound port 2492 must be open for single-hop transmissions between Groove Relay servers.
  Optionally, if the Groove Relay is behind a firewall, the firewall's outbound port 80 may be opened for HTTP traffic so that the Groove Relay can report status information to Microsoft as part of the Customer Experience Improvement Program (CEIP).
The corresponding ports on firewalls and related devices must allow communications across these ports for transmissions to and from Groove Relay servers. In addition, Domain Name Service (DNS) lookup traffic must be allowed: the server uses DNS to locate other Groove Relay servers and to communicate with Groove Manager servers.

See Also:
  Groove Relay Site Planning
  Groove Site Planning Conditions and Requirements

Capacity Planning for Groove Relay

Approximately 8 megabytes (MB) of data may pass through the Groove Relay server per user per day, based on average usage tests.
In this case, 15,000 concurrent Groove users would generate about 120 gigabytes (GB) of data per day. The amount of data directed to the Groove Relay depends on the amount of data being sent in each transmission, communications speed, whether clients are behind firewalls, and the state of client connections. Plan on supporting a community of no more than 12,000 to 18,000 Groove users on a single Groove Relay server. However, actual relay capacity may be lower, and you should monitor Groove client and relay performance to determine when additional hardware or software may be necessary. Work with your Microsoft Support representative to determine how to implement a relay configuration that accommodates Groove client traffic at your site.

See Also:
  Groove Relay Site Planning
  Groove Site Planning Conditions and Requirements

Best Practices for Groove Relay

The location of specific Groove Relay servers at your site is largely governed by your security constraints. How you address these requirements ultimately depends on your network setup and objectives. As a general guideline, the objective is to locate the Groove Relay logically on your network so that the minimum number of Internet protocols is let through while user demand is still met. Figure 6 shows a network configuration that is suitable in typical corporate environments.

Figure 6. Typical Groove Relay Setup in a Perimeter Zone

The following basic measures can help ensure a reliable and secure installation:
  Locate the Groove Relay in a perimeter network (also known as a screened subnet), or on an internal/external network boundary, to provide basic relay security.
  When configuring a proxy server in a Groove Relay environment, place TCP/443 and TCP/80 near the top of the protocol list if the order affects the efficiency of the proxy server. The Groove client tries these ports in this order: 2492, 443, 80.
  Configure your external network interface cards to filter all but inbound TCP/IP traffic on ports 2492, 443, and 80.
  Port 8009 should be open for transmissions from the Groove Manager, but assigned to a network interface card connected to a private internal network. Consider blocking inbound port 8009 on the Groove Relay external interface unless your Groove Manager is configured to access the Groove Relay over an external interface (on the Groove Relay server).
  Port 8010, used for browser access to the Groove Relay administrative pages, is restricted to localhost by default, so remote administrative access is prohibited by default. Because the Groove Relay currently supports Basic authentication (Base64 encoding) but not Secure Sockets Layer (SSL) encryption, retaining this default configuration is recommended.
  Disable Windows Active Directory and other Windows services, as these impact relay performance. The Groove Relay uses the services of the Groove Manager instead of Active Directory services; the Groove Manager provides integration with Active Directory.
  As a general guideline, install the operating system platform and Groove Relay software on a clean machine. Do not try to install a Groove Relay on a domain controller, on a Web server such as IIS, or on a machine with any client/server application. Do not install the Groove Relay on a machine where Groove is running.
  To protect the operating system and data from damage or loss as a result of hardware component failure, install the Groove Relay on a machine with redundant hard-drive capability, typically a hardware RAID configuration. Also, provide backup power via an uninterruptible power supply (UPS).
  Installing anti-virus software on the Groove Relay machine can significantly impede relay performance. When installing and configuring anti-virus software, disable real-time protection on the Data directories.
  Configure your firewall and proxy ports to support your Groove client and Groove Relay installations. Groove operates with the security infrastructure of many WAN configurations, and within the constraints of firewalls, while assuring secure peer communications via the Groove Relay. Where firewalls prevent direct peer-to-peer network communications between devices, the Groove Relay creates a virtual peer-to-peer communications path between the devices. The following are some sample scenarios.

Figure 7 shows a scenario where devices A and B are on different networks, each protected by a firewall. Both firewalls are configured to allow outbound connections over ports 2492, 80, and 443, while blocking all inbound connections. In this scenario, devices A and B cannot establish peer-to-peer connections to each other because of the firewall policies. They can, however, establish port 2492 connections to a Groove Relay server. The result is that Groove communication occurs via the Groove Relay; clients connect to the Groove Relay over SSTP on port 2492.

Another firewall configuration, with a more restrictive setup than shown in Figure 7, demonstrates the Groove Relay's protocol encapsulation scheme. Company networks often include firewalls that allow outbound connectivity to port 80 only. When SSTP outbound connections fail over ports 2492 and 443, the Groove client encapsulates SSTP within HTTP and reattempts the connection over port 80.

See Also:
  Groove Relay Site Planning
  Groove Site Planning Conditions and Requirements

Groove Relay Server Failover

In the unlikely event of Groove Relay failure, a multi-relay installation can reduce the risk of interrupted or slowed communications within your Groove network. Using the Groove Manager, administrators can prioritize the Groove Relay servers assigned to a management domain. Managed Groove identities in the domain are then directed to a series of Groove Relays.
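The transport fallback described in the firewall scenarios above (2492, then 443, then SSTP encapsulated in HTTP on port 80) together with the walk down the domain's relay priority list on failover, as an added Python example that is not part of the original document. The function names, the probe interface and the relay host names are assumptions of this script, not Groove APIs; the offline firewall model is constructed for illustration.

```python
"""Model of how a Groove client reaches a Groove Relay through restrictive firewalls.

Added example. The attempt order and the HTTP encapsulation on port 80 follow
the planning text; everything else (names, probe interface) is assumed.
"""
import socket

# Ports a Groove client tries, in order, before giving up on one relay.
SSTP_ATTEMPT_ORDER = (
    (2492, "SSTP direct"),
    (443, "SSTP via SSL port / proxy CONNECT"),
    (80, "SSTP encapsulated in HTTP"),
)


def tcp_probe(host, port, timeout=3.0):
    """Real probe for use from a client network: True if host:port accepts a TCP
    connection within `timeout` seconds. Used only when no other probe is given."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_transport(relay, probe=tcp_probe):
    """Return (port, description) of the first transport that reaches `relay`,
    or None if the egress policy blocks all three."""
    for port, description in SSTP_ATTEMPT_ORDER:
        if probe(relay, port):
            return port, description
    return None


def select_relay(relay_priority_list, probe=tcp_probe):
    """Walk the management domain's ordered relay list the way a client does on
    failover: the first relay reachable by any transport is where the message is
    queued. Returns (relay, port, description), or None if no relay is reachable."""
    for relay in relay_priority_list:
        choice = choose_transport(relay, probe)
        if choice is not None:
            return (relay, *choice)
    return None


def firewall_probe(allowed_outbound, unreachable_relays=frozenset()):
    """Constructed offline probe modelling an egress firewall: `allowed_outbound`
    is the set of destination ports permitted, `unreachable_relays` the relay
    hosts that are down. Replaces tcp_probe so the model runs without a network."""
    def probe(host, port):
        return host not in unreachable_relays and port in allowed_outbound
    return probe


if __name__ == "__main__":
    # Constructed relay names (assumed); "port 80 only" policy from the text.
    relays = ["relay1.example.com", "relay2.example.com"]
    http_only = firewall_probe({80})
    print(select_relay(relays, http_only))
    # -> ('relay1.example.com', 80, 'SSTP encapsulated in HTTP')

    # Figure 7 policy (2492, 80, 443 outbound) with the first relay down.
    figure7 = firewall_probe({2492, 80, 443}, unreachable_relays={"relay1.example.com"})
    print(select_relay(relays, figure7))
    # -> ('relay2.example.com', 2492, 'SSTP direct')
```

Pass `tcp_probe` (the default) with real relay names to check from a client subnet which transport the firewall actually leaves open; the constructed `firewall_probe` only models the policy.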
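An audit of a relay host's listening sockets against the placement rules in the best-practices list above (external interfaces pass only 2492, 443 and 80; port 8009 on the internal interface only; port 8010 on localhost only), as an added Python example that is not part of the original document. The netstat sample and the interface addresses are constructed.

```python
"""Audit a Groove Relay host's TCP listeners against the recommended layout.

Added example, not the product's own tooling. Input is the text of `netstat -an`
(Windows format); the sample below is constructed. Findings are raised for:
  - port 8010 (relay admin pages) bound to anything but 127.0.0.1
  - port 8009 (Groove Manager SOAP) reachable on an external interface
  - any other listener reachable on an external interface besides 2492, 443, 80
"""
import re

CLIENT_PORTS = {2492, 443, 80}   # the only ports external NICs should pass
MANAGER_PORT = 8009              # internal interface only
ADMIN_PORT = 8010                # localhost only (Basic auth, no SSL)

# One "TCP  <addr>:<port>  <foreign>  LISTENING" line per listening socket.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)

# Constructed sample: every service bound to all interfaces (0.0.0.0).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2492           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8010           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:2492      198.51.100.7:51022     ESTABLISHED
"""


def parse_listeners(netstat_text):
    """Return [(bind_address, port), ...] for every TCP socket in LISTENING state."""
    return [(addr, int(port)) for addr, port in LISTEN_RE.findall(netstat_text)]


def audit_relay_listeners(netstat_text, external_ips):
    """Return a list of finding strings; an empty list means the host matches the
    recommended layout. A 0.0.0.0 bind counts as reachable on every interface,
    including the external ones listed in `external_ips`."""
    findings = []
    for addr, port in parse_listeners(netstat_text):
        on_external = addr == "0.0.0.0" or addr in external_ips
        if port == ADMIN_PORT and addr != "127.0.0.1":
            findings.append(f"port {ADMIN_PORT} (admin pages) bound to {addr}; "
                            "restrict to localhost, it offers Basic auth without SSL")
        elif port == MANAGER_PORT and on_external:
            findings.append(f"port {MANAGER_PORT} (Groove Manager SOAP) reachable on "
                            f"external interface via {addr}; bind to the internal NIC")
        elif port not in CLIENT_PORTS | {MANAGER_PORT, ADMIN_PORT} and on_external:
            findings.append(f"port {port} exposed on external interface via {addr}; "
                            "external NICs should pass only 2492, 443 and 80")
    return findings


if __name__ == "__main__":
    # 203.0.113.10 is the constructed external (perimeter) address of the relay.
    for finding in audit_relay_listeners(SAMPLE_NETSTAT, {"203.0.113.10"}):
        print("FINDING:", finding)
```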
If one relay is inaccessible for handling a message from a managed identity in the domain, the Groove client contacts the next relay in the list and attempts to queue the message on that relay. In the event of disk failure, you can use the Groove Relay's FFQBackup and FFQRebuild utilities to reconstruct databases, as described in the book 'Operations for Groove Server Relay'. In addition, to protect your data and the server operating system from the effects of component failure, the relay and Groove Manager machines should be equipped with reliable redundant hard-drive capability or other fault-tolerant technology.

See Also:
  Groove Relay Site Planning
  Groove Site Planning Conditions and Requirements

Groove Data Bridge Site Planning

While site planning issues depend largely on your company's specific performance and security requirements, attention to certain basic issues at the outset can help you determine how best to incorporate Microsoft Office Groove Data Bridge at your site now and in the future. In order to set up your network to gain the most from onsite Groove Data Bridge servers, you should address the following basic questions:
  How many Groove users and workspaces do you need to support with Groove Data Bridge? This question affects what hardware is necessary to support a Groove Data Bridge server with the necessary bandwidth at an acceptable performance level.
  What are your security requirements? For example, do you want to limit external access to HTTP only? These questions affect where you locate Groove Data Bridge servers on your network and what protocols you need to support.
  What are your disaster recovery requirements? For example, what system outages can you anticipate, and what are your acceptable limits for system outage or downtime?
The following sections address these questions and related issues.

In this section:
  Network Requirements for Groove Data Bridge
  Capacity Planning for Groove Data Bridge
  Recommended Best Practices for Groove Data Bridge
  Failure Contingencies for Groove Data Bridge

Network Requirements for Groove Data Bridge

Before installing a Groove Data Bridge server, you must prepare your site to support the Groove Data Bridge identities that will reside on the Data Bridge server and participate in Groove workspaces. Since Groove Data Bridge is part of the Microsoft Office Groove Server offering, you will also need to consider its position in the interconnected environment of Groove Manager servers, Groove Relay servers, and Groove clients. However, the scope of this Help specifically addresses the Groove Data Bridge. Groove Data Bridge servers have the following minimum network requirements:
  Inbound port 2492 should be open for Simple Symmetric Transfer Protocol (SSTP) inbound transmissions from Microsoft Office Groove clients.
  Inbound port 9080 should be open for external applications making XML/SOAP-based calls to Groove Data Bridge.
  The outbound SSTP port should be open for SSTP transmissions to Microsoft Office Groove clients.
  The outbound HTTP port must be open for communications with Groove Relay servers.
The corresponding ports on firewalls and related devices must also be available for transmissions to the Data Bridge server. Other factors, while they may have some impact on Groove Data Bridge operation, are primarily driven by your company's existing network setup and requirements. For example, you should consider bandwidth availability within your company's network as well as your security requirements in order to determine how many Groove users the Data Bridge servers will support, and where to locate Groove Data Bridge servers at your site. How you address these requirements ultimately depends on your specific network capacity and objectives.

See Also:
  Groove Data Bridge Site Planning
  Groove Site Planning Conditions and Requirements

Capacity Planning for Groove Data Bridge

The Groove Data Bridge has as its core the Microsoft Office Groove client platform. Therefore, the bandwidth usage and capacity characteristics of Groove clients in an enterprise can provide a foundation for planning your Groove Data Bridge installation. Groove bandwidth utilization increases linearly as the number of members in a workspace increases. Whenever possible, Groove transmits data directly from peer to peer, sending individual packets of data to each space member. When data is addressed to a peer that cannot be reached directly (because the user is offline, behind a firewall, or on a weak Internet link, for example), Groove sends the data to Groove Relay servers for replication and distribution, or fan-out. Whether data is transferred through Groove Relay servers or not, bandwidth utilization relative to the number of users in a workspace remains linear, but fan-out reduces actual bandwidth usage. In planning how to incorporate Groove Data Bridge into your network, you should consider how many Data Bridge servers you need to regulate the workload. Discuss your company's usage scenario (for example, how many users you anticipate supporting with an onsite server and how many bytes of data they typically transmit per day) with your Microsoft Groove representative to determine how best to allocate your Groove Data Bridge server setup and when to consider expansion.

See Also:
  Groove Data Bridge Site Planning
  Groove Site Planning Conditions and Requirements

Recommended Best Practices for Groove Data Bridge

In managing Groove Data Bridge, follow all the best practices generally recommended for hosting an Internet server.
The following is a useful URL: http://www.microsoft.com/technet/security/default.mspx

In addition, make sure to consider the following:
  To facilitate system setup in a managed environment, install your Groove Data Bridge and client devices after installing the Groove Manager.
  To help secure your Groove Data Bridge setup, observe the following guidelines:
    Locate the Data Bridge server and any external applications that integrate with Groove Data Bridge through Groove Web Services on a private network or in a perimeter network (also known as a screened subnet).
    Install the Data Bridge server as an auto-start Windows service with the Remember password option selected, reducing exposure by minimizing server logins. If you do not run Groove Data Bridge as an auto-start Windows service, disable the Remember password option.
    Install the Groove Data Bridge software on a clean machine. Do not try to install Groove Data Bridge on a domain controller, a Web server (such as IIS), or a machine where Groove is or has ever been installed.
    To protect the operating system and data from damage or loss as a result of hardware component failure, install Groove Data Bridge on a machine with redundant hard-drive capability, typically a hardware RAID 1 or greater (software RAIDs protect data only, not the operating system).
    Install the Groove Data Bridge server in a private network. See Figure 3 for a suggested basic setup.

See Also:
  Groove Data Bridge Site Planning
  Groove Site Planning Conditions and Requirements

Failure Contingencies for Groove Data Bridge

Groove Data Bridge 2007 provides tools that can help you recover from unplanned outages that may result in data loss. Using the Data Bridge administrative interface, you can schedule backups of your Groove Data Bridge account, allowing you to save the identities, the workspace list, and the properties associated with the server account.
In the event of account damage or loss, you can then use the Groove Data Bridge Install Wizard to restore your account, choosing from a succession of accounts retained on the server. Once your account is recovered, you can fetch workspaces onto the server from other workspace members.

One of the most important and simplest precautions you can take to avoid data loss or other consequences of component failure is to back up the Groove Data Bridge Data directory regularly (daily, or at least weekly), using a third-party backup tool. You can then restore the server from the backup in the event of severe failure. Back up the Data directory only when the Groove Data Bridge server is NOT running: data captured by an external backup facility during operation can be incomplete or inconsistent, and restoring it may not produce a functioning server. Note that any data generated after the last full backup is lost unless workspaces can be fetched from other members who were not affected by the failure.

To protect your data and the server operating system from the effects of component failure, the Groove Data Bridge machine should be equipped with reliable redundant hard-drive capability. As with any server installation, you are probably also concerned about total server failure. Ideally, to address this risk, you would operate Groove Data Bridge in a cluster environment where additional servers could be installed to provide failover support. Since Groove Data Bridge server clustering is not yet available, the only comparable alternative is a resource-intensive one: to invest in a separate Data Bridge server unit that can be set up to take over Groove Data Bridge services if the primary machine fails.

See Also:
  Groove Data Bridge Site Planning
  Groove Site Planning Conditions and Requirements