Planning and Architecture for Office Groove Server 2007
Microsoft Corporation
Published: June 2007
Author: Office IT and Servers User Assistance (o12ITdx@microsoft.com)
Editor: Office IT and Servers User Assistance (o12ITdx@microsoft.com)
Abstract
This book describes Groove Server capabilities, summarizes the architecture of the Groove
client-server system, and provides the basis for planning a Groove deployment in an enterprise
environment. The audience for this book includes IT professionals, infrastructure specialists, and
business decision makers responsible for designing and implementing software-based
collaboration systems.
The content in this book is a copy of selected content in the Office Groove Server Technical
Library (http://go.microsoft.com/fwlink/?LinkId=93923) as of the publication date above. For
the most current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced
into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, email address, logo, person, place
or event is intended or should be inferred.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook,
PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Introduction to Planning and Architecture for Office Groove Server 2007
I. Overview of the Office Groove System
The Groove Solution
Groove Client and Server Functionality
Groove Client Functionality
Groove Server Manager Functionality
Groove Audit Functionality
Groove Server Relay Functionality
Device Presence Detection
Groove Server Data Bridge Functionality
Server Backup
Identity Management
II. Groove Server 2007 Architecture
Groove Client Architecture
Groove Server Manager Architecture
Website Component of Groove Manager
Database Component of Groove Manager
Corporate Directory Integration
Groove Audit Service
Groove Manager Communications Protocols
Groove Server Relay Architecture
Message Queue Databases
Database Management Utilities
Groove Relay Configuration Control Panel Applet
Groove Relay Administrative Web Interface
Groove Relay Communications Protocols
Groove Server Data Bridge Architecture
Groove Data Bridge Application
Groove Data Bridge Account
Managed Groove Data Bridge Identities
Web Services API
Groove Data Bridge Protocol Support
III. Groove Protocol Support
IV. Summary of Groove Port Configurations
Public Internet to Perimeter Network
Perimeter Network to Public Internet
Perimeter Network to Perimeter Network
Private Intranet to Perimeter Network
Private Intranet to Public Internet
V. Groove Site Planning Conditions and Requirements
Network Planning for Groove
Network Topology for Groove
Network Requirements for Groove
Groove Bandwidth Usage
Network-Level Security
Capacity Planning for Groove
Groove User Base Planning
Groove Manager Capacity
Groove Relay Capacity
Failure Contingencies and Disaster Recovery for Groove
Groove Manager Site Planning
Groove Relay Site Planning
Groove Data Bridge Site Planning
Introduction to Planning and Architecture for Office Groove Server 2007
Understanding system capabilities and architecture is an essential prerequisite to any
enterprise-wide system deployment. This book provides important background and baseline
information on the key server and client components that comprise a Groove collaboration
system, laying a foundation for deployment planning. It also discusses capacity planning,
network topology, and failure contingencies. Server-specific sections cover these issues in
the context of the Manager, Relay, and optional Data Bridge components of a Groove
installation.
I. Overview of the Office Groove System
Microsoft® Office Groove® Server 2007 is a Windows-based software package that provides
comprehensive services for managing Microsoft Office Groove. Office Groove Server 2007
contains three components: Groove Server Manager, Groove Server Relay, and Groove Server
Data Bridge, any of which can be installed on Windows servers in a corporate network.
Microsoft® Office Groove®, in its simplest form, allows two or more people to share and
synchronize data on their PCs using a variety of productivity tools. Using a Groove workspace on
their PCs, information workers can collaborate in real time. Members of a workspace may work
interactively to assemble information, discuss plans, schedule meetings, track results, jointly
produce reports, store files, and converse through online chat or instant messages. Additionally,
team members may perform tasks offline and then synchronize the results with others when
they go back online. When a project is finished, they can archive their work by linking to an
Office SharePoint site.
To sustain communications in the dynamic and increasingly diverse conditions of today's
networks, Groove employs relay servers that provide data store-and-forward,
message fanout, device presence detection, and other services that enable timely information
exchange regardless of corporate firewalls, weak communications links, internet traffic
conditions, or client online/offline status. In a managed Groove environment, enterprises can
obtain dedicated relay support by installing Groove Server 2007 onsite, or they can employ
Groove Enterprise Services to avoid the burden of server administration and maintenance.
Groove Server 2007 supplies organizations with onsite Groove Server Manager and Groove
Server Relay functionality, providing Groove management and relay services, respectively. It also
offers the optional Groove Server Data Bridge to integrate Groove workspace backup service
into your system.
The Groove Server Manager (henceforth Groove Manager) component of Office Groove Server
enables administrative control of Groove clients. Groove administrators and clients
communicate with Groove Manager via its Web site, which provides both an administrative
interface and a base for client contact. The site’s administrative Web interface allows for server
management, and allows domain administrators to govern Groove usage via the distribution of
policies and relay server assignments.
This section describes how Groove addresses the challenges of remote collaboration, providing
conceptual information about Groove client-server operation which can then be used as a
foundation for planning a deployment. Designed for IT professionals responsible for managing
collaboration software, this document set also presents important considerations for
deployment so that, upon completion, readers should have a sufficient understanding of the
Office Groove environment to develop an optimal deployment plan for their organization, as
described in Deployment for Office Groove Server 2007.
In this section:
The Groove Solution
Groove Client and Server Functionality
The Groove Solution
The full capability of Groove tools and components can be exercised on just two user machines
directly connected over a local area network (LAN). Figure 1-1 illustrates this simple Groove
setup.
Figure 1-1. Peer-to-Peer Groove
But outside a LAN, other factors disrupt the real-time flow of information between users.
Corporate firewalls may block transmissions, data can be unaccountably lost, slow internet
connections can hinder transmissions, external events can cause outages, and users in different
time zones may be online at different times. As more people collaborate, the impact of external
conditions becomes more apparent. Each user's context and the environmental conditions
affecting the internet as a whole challenge the effectiveness of direct peer-to-peer interaction.
To sustain successful communications among peers in this dynamic environment, Groove
employs relay servers that enable timely information exchange regardless of corporate firewalls,
weak communications links, internet traffic conditions, or client online/offline status. In a
managed Groove environment, enterprises can obtain dedicated relay support by installing
Groove Relay and Groove Manager servers onsite, or they can employ Groove Enterprise
Services to avoid the burden of server administration and maintenance. The Groove clients and
supporting servers employ a suite of proprietary and public protocols to enable PC
communications in a wide range of network settings.
While Groove software is designed to allow individual users to securely collaborate over the
Internet, businesses require a higher level of control and management over software use. IT
departments in an organization must meet corporate productivity objectives while working
within the constraints of budgets and policies that affect numerous aspects of software usage,
including network bandwidth availability, data integrity, and the security of corporate resources.
The Groove Manager installed onsite at an enterprise or procured via Groove Enterprise
Services addresses this level of management. The Groove Manager or Enterprise Services allows
administrators to oversee Groove operation. Using a browser-accessed interface, they can
define Groove usage and security policies in accordance with organizational requirements,
provision users with dedicated relay support, and monitor Groove activity.
For large organizations with a substantial software infrastructure already in place, Groove can
be integrated with other corporate applications and servers, via the Groove Server Data Bridge.
The Groove Data Bridge is an enhanced, server-level version of the Groove client that accepts
Web services calls from other applications on behalf of managed Groove clients.
The following table summarizes the capabilities offered by Groove's enterprise servers and
services:
Servers and Services: Functionality

Groove Server Manager: Enables in-house administrators to configure and monitor Groove
Manager servers that host Groove management domains. Administrators populate domains with
Groove user information, register onsite Groove Relay servers, set Groove usage policies,
schedule user account backups, and oversee user activity via Groove Manager administrative
Web pages. Onsite installations of Groove Manager also support the following:
• Integration with onsite LDAP directory servers, including Active Directory, enabling import
of user information from an in-house database to Groove Manager.
• Automatic Groove account configuration.
• Groove client auditing, enabled by a separate Groove Manager installation, configured for
client auditing.

Groove Server Relay: Enables enterprise administrators to configure and monitor onsite Groove
Relay servers in conjunction with onsite Groove Manager servers. Onsite relay servers provide
the same cross-firewall navigation, store and forward, device discovery, and transmission
fanout support as hosted relays, but in an in-house managed environment. Administrators
control relay security and availability; for instance, locating relays within a private network
if necessary, and installing redundant servers to provide failover.

Groove Enterprise Services: Provides Manager and Relay services that allow administrators to
set Groove usage policies, schedule account backups, and oversee Groove user activity, without
the overhead of server maintenance. Note that LDAP integration, automatic account
configuration, and Groove Auditing are not available via Groove Enterprise Services.

Groove Data Bridge: Enables administrators to integrate legacy systems into Groove via
specific Groove Web Services.

Figure 1-2 shows the basic layout of Groove clients and servers.
Figure 1-2 Groove Installation with Supporting Servers
See Also:
Overview of the Office Groove System
Groove Client and Server Functionality
The combined functionality of Groove clients and servers provides a comprehensive set of
capabilities and tools for establishing and managing collaboration in an enterprise. Groove client
and relay servers enable virtual peer communication, while the Groove Manager provides for
Groove administration and monitoring, as discussed in the following section.
In this section:
Groove Client Functionality
Groove Server Manager Functionality
Groove Audit Functionality
Groove Server Relay Functionality
Groove Server Data Bridge Functionality
Groove Client Functionality
The Microsoft Office Groove client application provides all the functionality that supports
peer-to-peer collaboration when peers are directly connected. In order to collaborate, Groove users
invite each other to workspaces - virtual meeting rooms where they can jointly assemble
information, discuss plans, share files, write reports, design forms, manage meetings, schedule
events, exchange messages, and perform other tasks as a team.
Groove is installed either as part of a Microsoft Office installation or as a standalone Office
application. Users enter a standard product key and, in a managed environment, an account
configuration code, to start the installation process and create an account. Collaboration begins
when one Groove user sends a workspace invitation to another. To do this, a Groove user must
first find the intended peer on the network. In an enterprise, a Groove user can perform a
contact search of the enterprise directory, local area network, or public directory until Groove
returns a match. Finding peers outside the local network usually involves exchanging initial
Groove contact information via e-mail or a Groove invitation directed to an e-mail address.
When a Groove user receives and accepts a Groove workspace invitation, the workspace is sent
to the user’s PC. Once the workspace arrives, the recipient simply opens it to see other
workspace members, be seen by them, and use workspace tools.
A Groove user can be active (logged into Groove) at any time in any Groove workspace of which
the user is a member. Groove allows both online and offline use, synchronizing data dynamically
while collaborators are online and synchronizing whenever an offline user comes back online.
When an offline user reconnects, Groove automatically adds offline updates and additions to
the workspace. For example, while flying home from a meeting, a user might add responses to
several discussion entries. When the user next connects to the Internet, all the offline responses
are automatically added and shared with all other members of the Groove workspace. Similarly,
all updates added to the workspace by other members since the user went offline are added to
the user’s copy of the workspace as soon as the user connects.
Key features of Microsoft Office Groove include:
• Online collaboration workspaces - Groove workspaces contain tool sets that allow invited
users to jointly plan, schedule, design, and execute all phases of a project. The number of
members that can work productively in a Groove workspace is limited primarily by site
hardware, network setup, and usage patterns and practices. Typically, Groove workspaces
accommodate teams of up to 100 users.
• Instant messaging - Instant voice or text messages, and invitations to Groove workspaces
provide direct access to Groove contacts. In addition, text messaging via Office
Communicator or Microsoft Network (MSN) Messenger is supported for any Groove contact
who is also running Communicator or Messenger.
• Integration with Microsoft SharePoint – Groove SharePoint Files Tool is an enhanced version
of Groove Files Tool; it allows users to interact with and synchronize content between
Groove and SharePoint document libraries.
• File sharing - Secure environment for sharing files among fellow collaborators. Groove file
sharing supports the following:
  • Immediate access to latest file versions
  • Offline file editing
  • Bandwidth optimization (only changes to files are exchanged)
• Rich standard tools - Standard workspace tools allow users to accomplish common desktop
tasks related to sharing content of all types and work together on ad hoc tasks, ongoing
projects and meetings. Standard workspace tools include Files, Discussion, Calendar,
Notepad, Sketchpad, Pictures, and Meetings.
• Customizable tools - Groove Forms and Groove InfoPath Forms tools provide a tool
development interface for designing and deploying Groove custom tools. With the Forms
tool, application developers work entirely within Groove to create and lay out all design
objects such as forms, fields and views. With the InfoPath Forms tool, application
developers use Microsoft InfoPath templates as the basis of their tool designs, import these
templates into Groove, and then enhance the tool design in Groove. Developers can use the
Groove application program interface (API) to build scripted features into custom tools created
with the Groove Forms tool, and can use Web Services in custom tools created with the
Groove Forms or Groove InfoPath Forms tools.
• Built-in security - Groove avoids storing user data on remote servers that may be insecure
and over which administrators have no control. Instead, user data is transmitted directly to
workspace members and stored on member PCs. Groove automatically and securely
distributes and saves data that group members produce during their interactions. All
communications are private, as they take place only among workspace members. The
content of all Groove messages is encrypted.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System
Groove Server Manager Functionality
The Microsoft® Office Groove® Server 2007 Manager is a Web-based application for managing
Microsoft Office Groove. The Office Groove Server 2007 Manager runs on servers installed at an
enterprise site. Enterprises can also procure comparable functionality via Microsoft Office
Groove Enterprise Services.
Groove clients and administrators communicate with the Groove Server Manager Web site via
respective interfaces. The client interface allows the Groove application to access policies and
designated relay servers, and to report Groove usage statistics. Managed Groove clients poll the
management server periodically (generally, every 5 hours) for updates to member identity
information, policies, and relay provisioning, and to report statistics. This periodic contact is the
primary mechanism by which all information is transferred between Groove Manager servers
and the Groove client software. Groove Manager servers do not initiate client communications.
However, Groove Manager servers do contact relay servers to convey managed user relay
assignments.
The administrative interface, secured by its underlying IIS configuration, allows administrators to
perform the following tasks for a defined management domain:
• Assemble Groove users (utilizing onsite corporate directories if integrated with an onsite
Groove Manager).
• Define Groove usage and security policies, including account backup scheduling.
• Provision Groove users with Groove Relays (the Groove Relay component of an onsite Office
Groove Server or comparable functionality accessed via Groove Enterprise Services).
• View Groove event reports.
• Audit Groove client activities (if the Groove Manager, with the Audit option, is installed
onsite).
In addition, by publishing user information to an enterprise Groove directory, Groove Manager
enables authorized Groove users to find each other easily and safely.
By comparison, in an unmanaged environment, once Groove is installed and an account created,
private users are free to publish their contact information, assume passwords, and
communicate with whomever they choose, unhindered by centralized usage policies and other
corporate security measures. Public Groove relay servers handle cross-firewall communication,
offline work, and message distribution for these users.
With the Groove Manager application installed onsite, administrators can manage the server as
well as Groove users and devices enrolled in management domains. With Microsoft-hosted
Groove Enterprise Services, enterprise administrators manage only Groove users and devices
within a management domain.
Groove Manager server-level administration involves the following tasks, performed from the
Groove Manager administrative Web interface.
Server-Level Tasks: Description

Defining administrator roles: As a recommended added security level, administrators can enable
Role-Based Access Control (RBAC) for the Groove Manager, limiting Groove Manager
administrative rights to specific administrators defined on the system.

Defining management domains: The Groove Manager supplies an initial domain, and server
administrators can create additional domains. Once the management server is configured with
management domains, domain administrators can add users to the domain and provision them.

Monitoring Groove Manager server events, via the audit log: The Groove Manager logs server
events (such as the addition of a new administrator) to an audit log report, accessible from
the server-level Reports tab of the administrative Web interface.

Integrating LDAP directories with an onsite Groove Manager: The Groove Manager administrative
interface allows server administrators to import user information from directory server
organizational units (OUs) into the Groove Manager, automating the process of adding Groove
identities to a management domain.

Administrators can depend on the Groove Manager to accomplish major tasks essential to
managing Groove use on a corporate scale, as described in the following section.
In this article:
• Groove Administration
• Server Administration
• Domain Group Management
• Policy Distribution
• Relay Provisioning
• Groove User Management
• LDAP Directory Integration
• Groove Device Management
• Groove Account Backup
• User Verification
• Password Reset and Data Recovery
• Groove Usage Monitoring
Groove Administration
In an enterprise where IT administrators manage software distribution and use, Groove
operations are most effectively managed via onsite Groove Servers or Microsoft-hosted Groove
Enterprise Services. Groove Server Manager and Relay, or Enterprise Services, help IT
administrators standardize Groove deployment and maintain reliable ongoing Groove
communications across their workforce network and beyond to remote associates and
contributors.
The basic unit of Groove management is a management domain, a named organizational unit,
such as Contoso Corporation, where an administrator assembles Groove users, policies, and
relay servers. A domain, configured on an onsite server or accessed through Groove Enterprise
Services, allows designated administrators to manage and monitor Groove user activities within
the domain.
An onsite Groove Manager provides for two basic levels of administration: server administration
and domain administration. Both levels of administrators can conduct their respective tasks
through the Groove Manager administrative Web interface. The primary server administrator
defines administrative roles and domains, and configures any corporate directory servers, laying
the foundation for domain management.
Groove Enterprise Services allows immediate administrative access to a Groove Manager
domain, which can be managed without the added overhead of server management.
Server Administration
When Groove servers are installed onsite at an organization, administrators can access
server-level pages on the Groove Manager administrative Web site, where they can set initial
administrative roles, create management domains, integrate an onsite LDAP directory with
Groove Manager, and monitor server activity, as follows:
• Administrator role-setting – The server Roles pages allow organizations to entrust high-level
server and domain administration only to selected individuals. Once the initiating
administrator has enabled role-based access control (RBAC) for the Groove Manager
administrative Web site, qualified server administrators and domain-level administrators
can be assigned as needed. Roles defined for each administrator determine which
administrators are responsible for which server-level or domain-level tasks.
• Domain creation – An initial Groove management domain is created during initial Groove
Manager setup, after which the server administrator can create additional domains for
different Groove collaboration teams. Once a domain is configured, it houses Groove user
groups, policy templates, and relay server sets, as defined by domain administrators.
• Directory integration – If an LDAP-compatible directory server of user information is
available in-house, server administrators can integrate an LDAP directory with Groove
Manager to efficiently import user information into Groove Manager domains. If Active
Directory databases are used, LDAP integration also gives access to the automatic Groove
account configuration feature that facilitates Groove client deployment.
• Server monitoring – Server Reports pages display a log of server-level activity (such as
creation of a new domain or addition of a new relay server set) within a defined date range.
Domain Group Management
Domains are defined at the server level and then may be assigned to individual domain
administrators. The domain administrator defines the Groove users, policy templates, and relay
server sets that will comprise a given domain. Administrators can also divide a domain into
subgroups of Groove users. Specific Groove policy templates and relay sets can then be applied
to specific domain groups and subgroups, as an organization’s management practices require.
In smaller organizations, creating subgroups in a domain can be a practical alternative to
creating multiple domains on a server to reflect an organization’s structure.
Policy Distribution
Administrators configure a domain or domain group for user management by defining policies
that affect all users in a management domain group. Identity-based policies apply to managed
member identities, regardless of what device the identity is running on. Identity policies control
how domain members interact with Groove, including:
• Scheduling of account backups
• Publication of user information
• Relations with non-domain users
Device-based policies, such as access password rules and the allowance of multiple accounts,
apply to all identities on the managed device.
Relay Provisioning
Groove Relay servers must be registered with Groove Manager. Administrators register onsite
relay servers with a domain via the Groove Manager administrative Web site. If multiple relay
servers are installed onsite, administrators can provision managed users with a sequence of
relay servers, to provide relay redundancy and fallback.
For information about Groove Relay server management and operation, see the Groove Relay
Administrator’s Guide that accompanies the Groove Server Relay application. For information
about Groove Relay provisioning, see the online Help that accompanies the Groove Server
Manager application.
Groove Enterprise Services handles relay registration and provisioning, so administration of
relay servers is not required.
Groove User Management
Administrators populate management domain groups with user identity information by entering
the information manually, uploading it from an .xml or .csv file, or importing it from an onsite
LDAP directory that has been integrated with Groove Manager, as described in LDAP Directory
Integration. Once members are defined in the domain, configuration codes are distributed to
each of them, for entry into Groove. Configuration codes enable users to configure their
managed Groove accounts and identities.
Managed identities are Groove Manager domain members. As such, they gain access to domain
relay servers and are subject to identity policies that control Groove account backups, vCard
publication, identity verification, and other identity-based aspects of Groove operation.
LDAP Directory Integration
The integration of an onsite LDAP directory with an onsite Groove Manager enables the
automatic association of enterprise users with Groove Manager domain members and the
import of user information to a Groove Manager domain. In addition, if Groove Manager is
integrated with an Active Directory database and configured to utilize automatic account
configuration, once Groove is installed on user machines, the full rank of Groove users can set
up their accounts by simply starting Groove and setting a log-in password; no entry of a
configuration code is required.
Note that directory integration is not available for Groove Enterprise Services.
Groove Device Management
Managing devices allows the distribution of client and security policies to devices via the
management domain of which the device user is a member. These policies control password
creation, Messenger integration, and other device-dependent aspects of Groove operation.
Devices running Groove must be registered with a domain on the management server in order
to be managed and subject to device policies. Domain administrators can set an identity policy
that automatically registers user devices with a domain when a user configures a Groove
account or logs into Groove, or they can register user devices explicitly by setting device
management registry values via a downloaded device registry key that is available from the
Groove Manager Device Policy template pages.
Groove Account Backup
Administrators can schedule automatic Groove account backup for members of a selected
domain by setting a domain identity policy. Backed-up information includes user contacts, the
user's Groove workspace list, identities and contact information, and domain management
settings.
User Verification
A project team often involves a diverse assembly of project leaders, in-house contributors, and
external partners and consultants. When access to confidential information by unauthorized
personnel is a concern, administrators can set identity policies that govern the interaction of
managed users with others outside their organization. Restrictive policies can be used in
conjunction with a domain property that enables cross-certification between domains, allowing
external users in the cross-certified domains to participate in workspaces along with internal
domain members.
Password Reset and Data Recovery
If a managed user forgets a Groove password or is removed from a management domain,
domain administrators may need to reset the user's password or access the user's Groove data.
To prepare for this eventuality, domain administrators can set identity policies for resetting
unknown or forgotten user passwords.
Groove Usage Monitoring
When a managed identity exists on a Groove client, the Groove software periodically reports
statistics on Groove usage to the Groove Manager, providing information about managed user
activities, workspaces, and Groove tools being used. Administrators can view domain reports via
the Groove Manager administrative Web site.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System
Groove Audit Functionality
Groove client auditing is an option available with an onsite Groove Manager. Installed on a
separate, dedicated server, the Groove Audit feature enables administrators to oversee Groove
activities on client devices. Auditable activities include workspace events (such as member
additions) and tool events (such as file creation and deletion).
Groove auditing is not available with Groove Enterprise Services.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System
Groove Server Relay Functionality
Whenever possible, Groove transmits data directly from peer to peer, sending out individual
packets of data from one Microsoft Office Groove user to another. However, when firewalls and
proxy devices block this direct communication, Groove Relay servers provide a way for peer
transmissions to navigate these obstacles and reach their destinations. When data is addressed
to a peer that cannot be reached directly (because the user is offline, for example), the relay’s
store and forward service enables otherwise inaccessible peers to receive timely data. When
conditions call for a relatively large amount of data to be sent to a number of Groove users,
Groove Relay fans out data transmission, reducing the amount of data an individual user sends
across the network.
Any of the data types transmitted by Groove clients can be transported or stored by the Groove
Relay, including:
• Workspace and contact information, addressed to a specific device, identity, and workspace
(device-targeted messages).
• Instant messages and workspace invitations, addressed to a specific identity (identity-targeted messages).
The Groove Relay only accepts Groove client and Groove Manager server transmissions; it does
not initiate them. Groove clients and Groove Manager servers connect to Groove Relay servers
to deposit and receive messages and data.
The Office Groove Server 2007 Relay application runs as a Windows service on a Windows
server machine. Administrators manage Groove Relay servers via the Groove Relay
configuration control panel applet, the administrative Web interface, and the Groove Manager
server with which the Groove Relay cooperates.
Microsoft hosts relay servers for Groove users around the world. For managed enterprise
installations of Groove, organizations can install their own Groove servers to run Manager and
Relay operations in-house. Or they can engage Groove Enterprise Services, which provides an
interface to Groove management and relay infrastructure without the overhead of maintaining
Groove servers.
The following section discusses key aspects of relay functionality.
In this article:
• Message Flow
• Firewall Transparency
• Disconnected Operation
• Device Presence Detection
• Fanout
• Relay Client Provisioning via Groove Manager
• Groove Client Support
• Multi-Relay Installation
Message Flow
Relay servers operate between Groove clients, enabling peer communications even when
security devices, network conditions, and system down time impede successful information
exchange. Relay servers enable message transmission under these conditions in three stages,
accepting messages from Groove clients, storing messages temporarily, then dispatching
messages when their target clients contact the Groove Relay for updates. Messages are
dispatched to recipients over the same client port used for the initial relay contact, and the relay
enlists whatever protocols are necessary to allow messages through the ports that are open on
the recipient’s network.
Each Groove user has an assigned Groove Relay server or sequence of Groove Relay servers,
which is noted in the user’s identity (contact or vCard) information. Groove Relay registration
occurs when users log in to Microsoft Office Groove for the first time, or, in the case of managed
users, when they become members of a domain defined on the Groove Manager to point to
specific Groove Relay servers.
When a Groove user sends a message across the Internet to a Groove contact that cannot be
accessed directly, the Groove client software seeks the Groove Relay specified in the intended
recipient’s contact information. It then contacts the target relay and deposits the message in a
queue associated with the recipient. When the intended recipient next contacts the assigned
Groove Relay server for updates, it retrieves the message from the queue.
The following process occurs every time a Groove user (UserA) sends a message or workspace
update to a peer (UserB) via the Groove Relay:
1. Groove UserA sends an instant message or a workspace update to a Groove Relay server
associated with UserB.
2. The Groove Relay queues the message for UserB.
3. UserB contacts the Groove Relay to collect any messages.
4. The Groove Relay authenticates UserB and returns UserA’s instant message or workspace
update to UserB.
If the message is an instant message or workspace invitation, it is deposited on the first
device found that UserB is logged into. If the message is a workspace update, it is deposited
on the device specified in the relay queue entry.
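The following added example (not part of the original document, and not Groove code) models the four-step relay flow above in Python, including the rule for identity-targeted versus device-targeted delivery. The HMAC challenge-response is an assumption standing in for the relay's authentication step, whose mechanism this document does not describe; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    sender: str
    identity: str                 # recipient identity, e.g. "UserB"
    body: str
    device: Optional[str] = None  # set only for device-targeted messages


def client_proof(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key registered at first contact."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Relay:
    """Passive store-and-forward relay: it accepts connections, never initiates them."""

    def __init__(self):
        self.keys = {}                       # (identity, device) -> registered client key
        self.pending = {}                    # (identity, device) -> outstanding nonce
        self.logged_in = defaultdict(list)   # identity -> devices, in login order
        self.queues = defaultdict(deque)     # identity -> messages awaiting pickup

    def register(self, identity, device):
        """First contact: stand-in for the key exchange; the relay stores the key."""
        key = os.urandom(32)
        self.keys[(identity, device)] = key
        return key

    def deposit(self, msg):
        """Steps 1-2: accept a message from the sender and queue it for the recipient."""
        self.queues[msg.identity].append(msg)

    def challenge(self, identity, device):
        """Issue a single-use nonce that the collecting device must answer."""
        nonce = os.urandom(16)
        self.pending[(identity, device)] = nonce
        return nonce

    def collect(self, identity, device, proof):
        """Steps 3-4: authenticate the caller, then return what this device should get."""
        key = self.keys.get((identity, device))
        nonce = self.pending.pop((identity, device), None)  # consumed even on failure
        if key is None or nonce is None:
            raise PermissionError("device not registered or no challenge outstanding")
        if not hmac.compare_digest(client_proof(key, nonce), proof):
            raise PermissionError("authentication failed")
        if device not in self.logged_in[identity]:
            self.logged_in[identity].append(device)
        # Modelling assumption: "first device found" is the earliest authenticated device.
        first_device = self.logged_in[identity][0]
        delivered, kept = [], deque()
        for msg in self.queues[identity]:
            # Identity-targeted messages go to the first logged-in device;
            # device-targeted messages wait for the device named in the queue entry.
            target = msg.device or first_device
            (delivered if target == device else kept).append(msg)
        self.queues[identity] = kept
        return delivered


def demo():
    """Constructed scenario: UserA sends UserB an instant message and a workspace update."""
    relay = Relay()
    laptop_key = relay.register("UserB", "laptop")
    phone_key = relay.register("UserB", "phone")
    relay.deposit(Message("UserA", "UserB", "instant message"))
    relay.deposit(Message("UserA", "UserB", "workspace update", device="phone"))
    nonce = relay.challenge("UserB", "laptop")
    on_laptop = relay.collect("UserB", "laptop", client_proof(laptop_key, nonce))
    nonce = relay.challenge("UserB", "phone")
    on_phone = relay.collect("UserB", "phone", client_proof(phone_key, nonce))
    return [m.body for m in on_laptop], [m.body for m in on_phone]


if __name__ == "__main__":
    print(demo())
```

A failed or replayed proof raises PermissionError and leaves the recipient's queue untouched, so queued messages are released only to a device that holds the registered key.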
Figure 1 presents a basic Groove Relay setup for an enterprise with Groove users located at two
sites.
Figure 1. Basic Groove Relay Server Configuration
Firewall Transparency
Ideally, Groove communicates via its preferred and most efficient protocol - Simple Symmetric
Transfer Protocol (SSTP) over port 2492. To support the transmission of Groove messages across
firewalls that block port 2492 but allow HTTP traffic over port 80, Groove Relay encapsulates
SSTP commands and messages within an HTTP data stream. Encapsulating SSTP involves
wrapping each SSTP transmission, along with additional header information, in the body of an
HTTP message. The additional header information allows compliance with SSTP delivery
semantics. In this way, SSTP messages reach the target client over port 80. Similarly, if firewalls
block these ports but allow traffic over port 443, Groove Relay can transmit SSTP messages
using the HTTP Connect method to enable communications over port 443.
Figure 2 shows how the Groove Relay enables LAN endpoints behind firewalls to communicate
over the Internet. Normally, the LAN IP addresses and protected locations of these endpoints
would prevent them from recognizing each other. The Groove Relay overcomes this condition by
acting as an intermediary.
Figure 2. Device Discovery
Disconnected Operation
The Groove Relay provides store-and-forward services to collect and forward messages for
Groove clients regardless of their connection state. Messages are held in queues until the relay
is contacted by the Groove clients to whom the messages are targeted. This asynchronous
communication enables continued operations among Groove collaborators even when some
peers are offline.
Device Presence Detection
Groove Relay uses WAN Device Presence Protocol (DPP) to determine a device’s online status
and the list of active Internet Protocol (IP) addresses for that device. This device presence (or
‘awareness’) service uses a publish-and-subscribe approach to make Groove users aware
of the online/offline presence of other users.
Fanout
Groove expedites communications when transmitting large amounts of data, or when
transmitting over a slow network link, by employing the relay’s fanout capability. Fanout is a
process for conveying a stream of data from a Groove client to the Groove Relay for replication
and distribution to recipients, applicable when a Groove user adds a file to a workspace, sends a
workspace invitation, or updates a workspace with multiple members.
The fanout process spans Groove clients and Groove Relay servers. The Groove client begins the
process by grouping messages according to the target relay of the various recipients. It then
determines if fanout should be applied, based on a complex algorithm that involves the fanout
capability of the sender’s device, the number of recipients, the amount of data being sent, and
the sender’s line speed, among other factors. If fanout is merited, the client sends a single copy
to each of the identified Groove Relay servers. Groove Relay servers function like multi-cast
routers, distributing copies of the message to each of the recipients. This process helps
maximize the efficiency of communications links and minimizes bandwidth usage. This basic
functionality, known as multi-drop fanout, is shown in Figure 3 below.
Single-hop fanout extends the multi-drop functionality to encompass multiple Groove Relay
servers. When Groove resolves the fanout algorithm in favor of fanout, Groove sends a single
copy of a message to the local home Groove Relay server which then groups copies of the
message by recipient relay and distributes message copies to target users’ Groove Relay servers.
This process, known as single-hop fanout, is shown in Figure 4 below. Note that single-hop
fanout messages are not queued on the sender’s home Groove Relay server; they are sent to
and stored on the target Groove Relay, or if the target Groove Relay is down, fanout messages
are stored on the sending client device.
When fanout is not in effect, Groove sends a single message addressed to multiple recipients
just as it would send multiple messages to multiple recipients, issuing separate transmissions for
each copy of the message, whether a Groove Relay server is called for or not, as shown in Figure
5 below.
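The following added example (not part of the original document, and not Groove code) compares the hops a single message takes under the three transmission modes described above, which is useful when estimating sender uplink load. It does not reproduce Groove's fanout decision algorithm, which this document does not specify; the relay names, recipient list, payload size, and function names are constructed for illustration, and treating recipients on the sender's home relay as needing no relay-to-relay hop is an assumption.

```python
from collections import defaultdict


def group_by_relay(recipients):
    """Group recipient identities by the relay named in their contact information."""
    groups = defaultdict(list)
    for identity, relay in recipients.items():
        groups[relay].append(identity)
    return dict(groups)


def fanout_plan(recipients, mode, home_relay=None):
    """Return the hops one message takes to reach every recipient.

    mode is "none", "multi_drop" or "single_hop"; home_relay is required
    for "single_hop" and names the sender's own relay.
    """
    groups = group_by_relay(recipients)
    plan = {"sender_uploads": [], "relay_to_relay": [], "relay_deliveries": []}

    if mode == "none":
        # Without fanout the sender issues a separate transmission per copy.
        plan["sender_uploads"] = [("sender", identity) for identity in recipients]
        return plan

    if mode == "multi_drop":
        # One copy per target relay; each relay replicates to its own recipients.
        plan["sender_uploads"] = [("sender", relay) for relay in groups]
    elif mode == "single_hop":
        if home_relay is None:
            raise ValueError("single_hop requires the sender's home relay")
        # One copy to the home relay, which forwards one copy per target relay.
        plan["sender_uploads"] = [("sender", home_relay)]
        plan["relay_to_relay"] = [
            (home_relay, relay) for relay in groups if relay != home_relay
        ]
    else:
        raise ValueError(f"unknown mode: {mode}")

    for relay, members in groups.items():
        plan["relay_deliveries"] += [(relay, member) for member in members]
    return plan


def sender_uplink_bytes(plan, payload_bytes):
    """Bytes the sending client pushes onto its own network link."""
    return payload_bytes * len(plan["sender_uploads"])


# Constructed sample: six workspace members spread over three relays.
SAMPLE_RECIPIENTS = {
    "u1": "relay-east", "u2": "relay-east", "u3": "relay-east",
    "u4": "relay-west", "u5": "relay-west",
    "u6": "relay-hq",
}
SAMPLE_PAYLOAD = 5_000_000  # a 5 MB file added to the workspace


def compare_modes():
    """Sender uplink cost of the sample message under each mode."""
    return {
        "none": sender_uplink_bytes(
            fanout_plan(SAMPLE_RECIPIENTS, "none"), SAMPLE_PAYLOAD),
        "multi_drop": sender_uplink_bytes(
            fanout_plan(SAMPLE_RECIPIENTS, "multi_drop"), SAMPLE_PAYLOAD),
        "single_hop": sender_uplink_bytes(
            fanout_plan(SAMPLE_RECIPIENTS, "single_hop", "relay-hq"), SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    print(compare_modes())
```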
Figure 3. Multi-Drop Fanout
Figure 4. Single-Hop Fanout
Figure 5. Groove Relay Transmission without Fanout
Relay Client Provisioning Via Groove Manager
The Groove Manager, installed on a separate server device at your
site, provides an administrative interface for provisioning Groove users to specific Groove Relay
servers. From the Groove Manager server, the following administrative actions can be
performed on Groove Relay servers:
• Registering a Groove Relay server, or series of Groove Relay servers, with the Groove
Manager.
• Assigning Groove clients to a Groove Relay server or a series of Groove Relay servers via
their domain membership.
• Setting relay message retention time.
• Purging individual user message queues.
The Groove Manager communicates with the Groove Relay via the Simple Object Access
Protocol (SOAP). The Groove Manager always initiates communication with the Groove Relay
(the Groove Relay does not initiate communication with the Groove Manager).
For information about managing your onsite (managed) Groove Relay via the Groove Manager,
see the online Help that accompanies the Groove Manager component of the Groove Server.
Groove Client Support
Groove clients must have access to a Groove Relay server in order to fully utilize Groove. By
default, unmanaged users are automatically assigned to a publicly hosted relay server when
they install Groove and create an identity. Managed users, defined by an onsite Groove
Manager, gain their Groove Relay assignments from their management domain.
When a client device contacts the assigned Groove Relay server for the first time, a key
exchange occurs between the client device and the Groove Relay, providing initial user
authentication. The client has then registered with that Groove Relay server. Client keys are
stored in a database located on the Groove Relay. Groove clients are always assigned to specific
relays; they are never directed to Groove Relay servers at random. A key exchange is always
involved. In an enterprise environment, administrators assign users to Groove Relay servers
using the Groove Manager, located on a separate server machine from the relays.
Multi-Relay Installation
Multi-relay installations enable more scalable relay support for a large client base and provide
redundancy in case of equipment failure. Using the Groove Manager Web interface,
administrators can assign multiple Groove Relay servers to a domain and prioritize them for use
by domain members. When a Groove client sends data to a domain member that has access to
multiple relay servers, the client attempts delivery to the first relay in the series, and if the
server is down, it attempts delivery to the next Groove Relay server in the series, and so on.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System
Groove Server Data Bridge Functionality
The Groove Data Bridge facilitates integration between Groove clients and third-party
applications used by an organization. This is accomplished through the use of administrator-defined Data Bridge identities that integrate third-party software, located anywhere on the
network, with information contained in Groove workspaces. These specialized identities merge
seamlessly into service-oriented architectures (SOAs).
Groove Data Bridge-based operations gain access to Groove workspaces via the specialized
identities which can be invited to workspaces. Workspaces that contain a Groove Data Bridge
identity are then present on the Groove Data Bridge device. Once resident on a Groove Data
Bridge server, a Groove workspace inherits a rich set of platform Web services that process
XML-based calls from external applications in the data center. In this way, the Groove Data
Bridge functions as a data access tier, moderating data and process integration between Groove
workspaces and other applications and processes.
The following section describes the operation and main administrative capabilities of the Groove
Data Bridge.
In this article:
• Operation
• Server Management
• Server Backup
• Identity Management
• Workspace Management
• Workspace Archiving
• Message Tracking
• Event Monitoring
Operation
The Groove Data Bridge runs on a computer at a company site, from which it hosts identities
that server administrators define and manage through the Data Bridge administrative interface.
A Groove Data Bridge identity exposes a set of Web Services that allow data and process
integration between Groove workspaces and other software and systems in an enterprise IT
network. Groove Web Services APIs support CRUD (create, read, update, delete) operations. By
programming to Groove Web Services on the Data Bridge server, developers can build
applications that integrate Groove workspaces with an organization’s external databases and
applications, such as SharePoint sites, BizTalk®, SQL databases, Windows Workflow Foundation,
and other Web services, including custom Windows .NET services. Data flow between the
external software and Groove Data Bridge can be uni-directional or bi-directional.
Building a Groove Data Bridge system to moderate data exchange between Groove users and
other enterprise applications involves three high-level tasks:
• Writing a Web services program to direct data interchange from an external database or
other application.
• Creating a structure of Groove Files, Forms, and Calendar tools (the three Web services-enabled tools) that will handle the transfer of Groove workspace data.
• Creating one or more Groove Data Bridge identities to field Web services calls from an
external program on behalf of Groove users who participate in a designated workspace.
Like user identities, Groove Data Bridge identities appear in workspaces of which they are
members and in user contact lists, and they have associated contact (vCard) properties. Groove
users can invite a Data Bridge identity into a workspace or join a space of which a Data Bridge
identity is a member. Performing integration operations through a Groove Data Bridge identity
originating from a Data Bridge server has the following advantages over the option of direct
client-side integration:
• Groove Data Bridge identities provide always-available, scalable, single-point integration.
Single-point integration, as opposed to multi-point integration where transactions from
multiple Groove client devices are exchanged with central servers, is an advantage if a task
requires resources that are not available to all devices and if a single point for coordinating
Groove with an external database or application is desirable. Figure 1 below illustrates
the difference between a single-point Groove Data Bridge configuration and a multi-point
configuration.
• Integration tasks can run automatically without requiring user action.
• Integration tasks can be optimized to efficiently handle large amounts of data or serve many
Groove workspaces.
Figure 1. Single Point and Multi-point Integration
Server Management
Server management options are available from the Groove Data Bridge administrative interface.
The main server window displays the current online/offline status of the server and Web
services and allows administrators to manage a server contact list. Using menu options,
administrators can perform other server-based tasks, such as changing the Groove Data Bridge
password, backing up the server account, or closing the password-protected administrative
window to allow the server to run in the background.
The Groove Data Bridge reports events to the Windows Event Log and Performance Monitor,
allowing administrators to use these tools to monitor server health.
Server Backup
The Groove Data Bridge backup option allows server administrators to schedule automatic
backup of Groove Data Bridge server account data. Backed up data consists of core account
data, including server configuration details and a list of workspaces on the server; it does not
include workspace data (which is recoverable by using Groove’s inherent workspace fetch
capability). Administrators can then use the Data Bridge installer to restore the backed-up
account if necessary.
Identity Management
Server administrators can create Groove Data Bridge identities via the administrative interface.
An identity performs tasks in a Groove workspace, guided by a set of Web services. The identity
may be invited to a workspace or may be programmatically driven to create its own workspace
to which users may be invited. You can create a single identity to handle a rich set of Web
services, or you can create separate identities with specific objects.
Identity management options are available from the Groove Data Bridge administrative
interface, where an administrator can edit identity contact properties, configure invitation
processing, and add Groove identities to the server contacts list.
Workspace Management
The Groove Data Bridge administrative interface enables you to view the list of workspaces of
which a Groove Data Bridge identity is a member, along with the identity’s role and status in
each workspace. This information is maintained and reported separately for each Groove Data
Bridge identity.
Workspace Archiving
Enabling the workspace archiving feature for an identity allows administrators to schedule data
archiving for all workspaces of which the identity is a member. Archived workspaces are static
copies of the data in the original workspaces. Administrators can use the archived copy of the
data to restore workspace data by downloading a specific .gsa file from its stored location to a
client device, then using Groove’s built-in workspace fetching capability to complete the
space restoration process. This type of workspace restoration is particularly useful when an
identity is the sole workspace member and the workspace is lost, or when a file or other data is
damaged or lost and a previous workspace version containing the correct data is needed.
Message Tracking
Groove Instant Messages and invitations, received or sent by Groove Data Bridge identities, are
listed in the Groove Data Bridge administrative interface. All invitations, processed and
unprocessed, are included in the message list with their status indicated. If a Data Bridge
identity is configured for manual invitation acceptance, administrators can accept invitations
from the message list.
Event Monitoring
Administrators can monitor Groove Data Bridge server activity using the Windows Event Viewer.
Reported events include server shut downs and restarts, as well as identity-level events, such as
new identity creation. Windows Performance monitoring tools provide server performance
statistics, tracing, and other server information.
See Also:
Groove Client and Server Functionality
Overview of the Office Groove System
II. Groove Server 2007 Architecture
All Groove components and tools reside on the Groove client computer, making end users and
their devices the mainstay of Groove communications. Groove relay servers are also integral
components of the Groove system, sustaining connectivity when direct client connection is not
possible or feasible. In organizations that require centralized administration to help secure,
facilitate, and monitor collaboration software, Groove Manager servers play an overriding role
in the system.
This section introduces the main components of Groove client-server architecture.
In this section:
Groove Client Architecture
Groove Server Manager Architecture
Groove Server Relay Architecture
Groove Server Data Bridge Architecture
Groove Client Architecture
From a high level, Groove consists of a workspace manager with a set of tools, a contacts
manager, a message manager, and a communications manager. All Groove's components and
tools, user account information and user data reside on client PCs. Groove’s preferred protocol
for client-to-client and client-to-relay communication is its native Simple Symmetric
Transmission Protocol (SSTP), though HTTP is also supported.
For detailed information about Groove client architecture, see the Groove Platform Overview in
the Developer's Reference Guide available at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=BAA487E9-E1B9-4A10-BEEA-1FD906B77F92&displaylang=en
Groove Server Manager Architecture
Groove Manager is a server application that provides a centralized environment for managing
Groove client usage in an enterprise. It is part of the Office Groove Server product that includes
two interdependent applications: Groove Manager and Groove Relay, as well as the optional
Groove Data Bridge.
Each Groove Manager installation involves at least one Internet Information Service (IIS) front
end which supports the Web-accessed administrative interface and client SOAP interface, and a
SQL Server back end which stores most of the data. These servers may be installed and operated
by an enterprise, or equivalent management and relay services can be engaged through
Microsoft-hosted Groove Enterprise Services.
Figure 1, below, shows the relationships between management (IIS and SQL) servers, supporting
relay servers, and Groove clients.
Organizations that maintain corporate directories of employee information can integrate these
directories with Groove Manager, adding another component to the system. In addition, some
enterprises may want to install the Groove auditing application for closer monitoring of Groove
activities. This section provides more information about the required and optional components
of a Groove management system.
In this section:
Website Component of Groove Manager
Database Component of Groove Manager
Corporate Directory Integration
Groove Audit Service
Groove Manager Communications Protocols
Website Component of Groove Manager
The interactive portion of the Groove Manager is its Web site, built on a Windows IIS server. The
IIS login procedures in place at an enterprise secure the site. The Web site can be accessed by
one of the following two interfaces:
• Administrative Interface
• Client Interface
Administrative Interface
The administrative Web interface, created during Groove Manager installation on the IIS server,
enables server administrators to manage Groove Manager operation and Groove usage in their
organizations. While this interface relies on the underlying security configured in IIS by the site
administrator, a built-in role-based access control system offers an additional level of security.
From the administrative Web interface, secured by its underlying IIS configuration,
administrators can perform the following server-level tasks:
• Create management domains.
• Define administrative roles.
• Monitor server events.
• Integrate an onsite LDAP directory server with an onsite Groove Manager.
Note: Microsoft Office Groove Enterprise Services provides an alternative to an onsite Groove
Manager installation, enabling the same domain-level administration as that provided by an
onsite Groove Manager, without the added overhead of maintaining the Groove Manager
servers.
The Groove Manager server administration interface consists of the following major elements:
• Management Domains - Collections of Groove users, policy templates, and relay server sets.
• Administrative roles - Administrative roles and permissions, defined by Groove Manager
administrators as part of the Groove Manager Role Based Access Control (RBAC) system.
When RBAC is enabled, administrators determine who can access which parts of the Groove
Manager administrative Web interface.
• Reports - Server-wide audit log of Groove Manager events.
• Corporate directory support - Corporate directory server definitions for integrating user
information with the Groove Manager, if an LDAP server directory is installed onsite at an
enterprise. Directory integration requires an onsite Groove Manager server; it does not
apply to Groove Enterprise Services.
Once management domains are configured in the Groove Manager, administrators can access
domain Web pages, as well as directory integration pages (to use enterprise directories for
adding user information to a domain), role-setting pages, and Groove Manager event reports.
Domain pages allow administrators to manage Groove users and devices, provisioning them
with Groove Relay servers and enforcing Groove usage policies.
Management domain administration does not require server-level permissions and is usually
assigned to domain administrators. The Groove Enterprise Services package presents only this
domain portion of the Groove Manager interface. For detailed information about the domain
management portion of the administrative interface, see the Groove Manager Domain
Administration portion of the Help.
Client Interface
The Groove Manager’s SOAP-based client interface allows the Groove client application to
access the Groove Manager server for identity and device policies and relay assignments, and to
report Groove-related events. Groove clients access the Groove Manager via an Internet-accessible Simple Object Access Protocol (SOAP) interface on the Groove Manager. The Groove
Manager does not initiate communications with Groove clients, but responds to requests from
client devices.
Clients contact the Groove Manager at periodic intervals (generally every five hours) for the
latest policies and relay server assignments. This periodic contact is the primary mechanism by
which all information is exchanged between the Groove Manager and the Groove client
software.
Groove Relay servers facilitate Groove peer communications at various levels, including storing
and forwarding messages, enabling firewall navigation, and overcoming network discontinuities.
As part of a managed Groove environment, specific Groove Relay servers - installed onsite as
part of the Groove Server or procured through Groove Enterprise Services - must be registered
with the Groove Manager. For more information about the role of Groove Relay servers in a
managed Groove installation, see the Groove Relay Administrator’s Guide, included with the
Groove Relay component of the Groove Server.
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture
Database Component of Groove Manager
Groove Manager stores all data, including user account and device information, in a Microsoft
SQL Server database. The local IIS/Groove Manager server is not used for data storage. Server
administrators can use SQL-compatible reporting tools to create customized Groove usage
reports from the Groove Manager information stored in SQL views. If the Groove client auditing
option is part of the installation, the same SQL server can support Groove auditing as well as
other Groove Manager activities.
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture
Corporate Directory Integration
An existing corporate directory server of employee information can automate the process of
adding Groove identities to a Groove Manager domain by allowing administrators to import
existing data instead of re-entering it manually. Administrators of onsite Groove Manager
servers can use the Groove Manager user interface to integrate with a corporate Lightweight
Directory Access Protocol (LDAP) server of employee information and import users directly from
the organizational unit (OU) containers on the directory server into Groove Manager. Once a
corporate directory has been defined on Groove Manager, administrators can also take
advantage of automated Groove account configuration and domain migration features that
depend on a Groove Manager-LDAP directory connection.
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture
Groove Audit Service
The Groove Audit service is an optional feature installation, provided with Groove Manager. This
service, installed on a dedicated machine, is the audit data collection point for Groove tool and
member events that take place on Groove clients registered with a management domain. Like
its parent Groove Manager, it relies on SQL databases for storage. Domain administrators use a
device policy defined in Groove Manager to schedule client audits and select the type of events
to be audited.
Groove Auditing consists of four parts:
 A Groove client-side audit log which securely collects Groove user events into an encrypted
file.
 The Groove client-side Audit Service which secures the audit log for upload to the Audit
Server.
 The Audit Server software which collects and decrypts the log data, then stores it in a SQL
server database.
 A Groove Manager device policy that defines what data should be audited on devices within
a management domain.
Groove audit logs are immediately encrypted on clients upon event creation, and are decrypted
only after arrival at the audit server, affording a highly secure auditing environment. In addition,
NTFS permissions are used to prevent tampering with the logs and the Audit Service by
unauthorized personnel.
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture
Groove Manager Communications Protocols
Groove Manager is a Web application and utilizes various Web-compatible protocols, primarily
HyperText Transfer Protocol (HTTP), to process Groove administrative input and client requests
through its Web site. Administrators interact with the Groove Manager using a browser to
access its administrative Web site. Groove clients communicate with the Groove Manager by
sending XML-based Simple Object Access Protocol (SOAP) requests over HTTP to which the
Groove Manager responds. The Groove Manager never initiates connections with Groove
clients.
The Groove Manager also uses SOAP to communicate with any Groove Relay servers that it is
managing. SOAP exchanges with Groove Relay servers are always initiated by the Groove
Manager.
To communicate with the SQL server which stores all Groove Manager data, the Groove
Manager uses Microsoft’s OLE DB data access specification. To communicate with any LDAP-based directory servers that the Groove Manager is configured to support, the Groove Manager
uses Lightweight Directory Access Protocol (LDAP).
The following table summarizes Groove Manager protocols:
| Groove Server and Client Protocols | Listening Ports Used | Purpose |
|---|---|---|
| SSTP over Hypertext Transfer Protocol (HTTP) | Port 80 | Used by Groove clients and Groove Relay servers. Supports HTTP encapsulation of SSTP. |
| Simple Object Access Protocol (SOAP) | Port 80 | Used by Groove Manager to listen to client SOAP requests and to communicate with Groove Relay servers. |
| Open Database Connectivity (ODBC) | Port 1433 (typically). Inbound on SQL database server. Outbound from Groove Manager to SQL database server port 1433 (typically). | Used by Groove Manager to contact the SQL database server. |
| LDAP | Port 389 (typically) | Used by Groove Manager to integrate with optional LDAP-based directory server. |
| Simple Mail Transfer Protocol (SMTP) | Port 25 | Used by a Groove API, called by the Groove Manager, to forward e-mail containing Groove account configuration codes to a mail host for sending to Groove clients. |
See Also:
Groove Server Manager Architecture
Groove Server 2007 Architecture
Groove Server Relay Architecture
Relay servers are vital components of a Groove environment, enabling communications even
when direct peer exchanges are impeded by firewalls, offline devices, network failures, and slow
connections. The Groove Relay server application, available with Office Groove Server or
through Groove Enterprise Services, is an enterprise-ready version of the public relays. Like its
publicly accessed counterpart, Groove Relay provides message handling software to sustain
collaboration regardless of client online status and data transport conditions.
In managed environments, Groove Relay servers are registered with a Groove Manager server
and added to management domains by domain administrators. If multiple Groove Relay servers
are installed onsite, administrators can define secondary relays to back up primary servers
associated with the domain. Multiple Groove Relays offer a level of redundancy and fault
tolerance.
The relay’s message handling software provides a large part of relay functionality, enabling
message store services and optimizing data transmissions across the network. Groove clients
contact relays to collect stored messages, executing the last step of the 'store and forward'
functionality enabled by the relay.
Other important Groove Relay constituents are as follows:
 Transactional database system that stores basic user information, including authentication
keys and identity information, queues of Groove device-targeted messages (updates to
Groove workspaces), and queues of identity-targeted messages (instant messages and
invitations).
 Set of utilities that facilitates management and cleanup tasks. For example, administrators
can use one of these utilities to rebuild queues in the event of a disk failure.
 Specialized Windows control panel applet that allows administrators to configure Groove
Relay servers installed onsite. This is where administrators define the Groove Relay name,
and public and private keys used to authenticate communications with Groove clients.
 Web-based administrative interface that provides access to relay server statistics and aids
for monitoring and maintaining relay database queues.
The Groove Relay 2007 runs on a Windows Server 2003 (or later) machine, and supports x64
(64-bit) architecture.
The following sections discuss the key elements of Groove Relay software architecture.
In this section:
Message Queue Databases
Database Management Utilities
Groove Relay Configuration Control Panel Applet
Groove Relay Administrative Web Interface
Groove Relay Communications Protocols
Message Queue Databases
The Groove Relay utilizes a transactional database system that stores basic user information
(including authentication keys and identity information), queues of Groove device-targeted
messages (updates to Groove workspaces), and queues of identity-targeted messages (instant
messages and invitations). The size of these queues changes continuously as Groove clients
deposit (enqueue) and retrieve (dequeue) messages.
All Groove message queues reside in a series of database files in the Data subdirectories of the
Groove Relay installation directory. User identity information, authentication keys, and other
‘metadata’ reside in another set of database files also under the Data directory.
The Groove Relay creates these databases at startup, if they are not already present. It also preallocates a number of Data files (Extents). The database system also creates transaction log files
that are used to maintain the integrity of the Groove Relay databases in the event of system
failure. The Groove Relay depends on these log files to recover message queues and other
related databases when restarting after an outage.
See Also:
Groove Server 2007 Architecture
Database Management Utilities
The Groove Relay clears transaction logs and purges old message queues automatically. In
addition, it provides utilities that enable Groove Relay administrators to manually perform other
relay queue management tasks. These utilities include the following:
 RQExport/RQImport - Allows server administrators to save and restore databases when
necessary.
 FFQBackup - Allows server administrators to ‘mirror’ all or selected queued data to another
disk volume or another system.
 FFQRebuild - Allows server administrators to rebuild queued data after a catastrophic
failure, such as disk failure.
In addition, the Groove Relay administrative interface enables administrators to start queue
purge and compress cycles, as well as to generate detailed queue report files.
See Also:
Groove Server 2007 Architecture
Groove Relay Configuration Control Panel Applet
The Groove Relay server, which is installed as a Windows service, provides a control panel
applet for configuring the Groove Relay. Changes to configuration settings take effect when the
Groove Relay is next restarted.
From the applet’s configuration windows, administrators can configure various relay
parameters, including the following:
 Defining Groove Relay public and private keys for enabling communications with Groove
clients.
 Defining SOAP keys for enabling communications with the Groove Manager.
 Limiting SSTP message sizes.
 Enabling/disabling the logging of diagnostic information collected to enhance the reliability
of the Groove Relay over time.
See Also:
Groove Server 2007 Architecture
Groove Relay Administrative Web Interface
The Groove Relay provides an administrative interface accessible by browser whenever the
Groove Relay is running. From the site, administrators can do the following:
 View statistics that help monitor Groove Relay health.
 Examine device, identity, and queue information.
 Generate reports.
 Manually purge and compress data queues, as necessary. (The Groove Relay clears
transaction logs and purges old message queues automatically.)
See Also:
Groove Server 2007 Architecture
Groove Relay Communications Protocols
The Groove Relay is implemented as a multi-protocol server platform. Among the supported
protocols, Groove’s native Simple Symmetric Transmission Protocol (SSTP) across a TCP (port
2492) connection is the preferred protocol for Groove client-to-relay connections. If port 2492 is
blocked by a firewall, Groove clients can also establish SSTP connections to a Groove Relay
server over Secure Socket Layer (SSL) port 443. If port 443 is also blocked, Groove clients can
encapsulate SSTP within HTTP, and connect to Groove Relay servers over port 80. However,
these port 80 connections are less efficient, as the encapsulation and connection management
of the HTTP connections results in significant overhead. Groove clients can also communicate
with Groove Relay servers across proxies using port 443 or HTTP port 80. To detect client online
and offline status, relays also support Groove’s WAN Device Presence Protocol (DPP).
Like the Groove client, Groove Relay depends on SSTP for processing Groove messages, including
Groove instant messages, workspace invitations, and workspace updates. SSTP is designed to
augment standard transport protocols, such as TCP and UDP, with features such as multiplexed
messaging to multiple devices over a single connection, efficient streaming of large messages,
and application detection of connection outages. SSTP operates over TCP on the Internet
Assigned Numbers Authority (IANA)-assigned port 2492. It supports bi-directional application-level connections between two machines. All Groove workspace updates, instant messages, and
presence notifications involve Groove application-level protocols and are sent as SSTP messages.
The following table describes how the Groove Relay utilizes various protocols:
| Relay Protocols | Usage |
|---|---|
| Simple Symmetric Transport Protocol (SSTP) via TCP over port 2492; WAN Device Presence Protocol (DPP) over SSTP | Used to transport Groove messages. Inbound port 2492 supports: Groove message queues for identity and device targeted messages; fanout of SSTP message streams to multiple identities on the same Groove Relay server; device and user authentication for dequeuing SSTP messages; WAN device presence detection (WAN DPP). Outbound port supports: single-hop fanout. |
| SSTP over port 443 | Used to transport messages when SSTP transmissions over port 2492 are blocked by firewalls or for transmissions from Groove clients via proxies that support the HTTP Connect method. Inbound port 443 supports: HTTP Connect handshake for SSTP messages from Groove clients; firewall transparency (via HTTP Connect method). |
| SSTP over Hypertext Transfer Protocol (HTTP) port 80 | Used to transport messages when direct SSTP transmissions are blocked by firewalls. Inbound port 80 supports: HTTP encapsulation of SSTP messages from Groove clients; firewall transparency (via HTTP). |
| HTTP over administrative port 8010 | Used to access Groove Relay administrative Web pages. Inbound port 8010 supports: Groove Relay administrative Web pages. |
| Simple Object Access Protocol (SOAP) over port 8009 | Used to transmit Groove Relay administrative settings from the Groove Manager to the Groove Relay. Inbound port 8009 supports: Groove Relay administration from the Web-based Groove Manager. |
See Also:
Groove Server 2007 Architecture
Groove Server Data Bridge Architecture
Groove Data Bridge is a server application that facilitates interaction between Groove clients
and external databases or other applications. Groove Data Bridge hosts administrator-defined
identities that enable Groove to field XML calls from external applications or processes, allowing
data exchange and integration between Groove and other systems, such as SharePoint® sites
and SQL databases. Groove Web Services mediates these exchanges.
Groove Data Bridge includes a built-in Groove workspace backup system and provides a
Windows-based administrative interface for configuring and monitoring data bridge integration
services.
As a component of the Microsoft Office Groove Server, the Groove Data Bridge is a robust
mechanism for spanning application environments, and integrating Groove data and processes
with those of other applications, such as SharePoint sites. This section briefly describes its
architecture.
In this section:
Groove Data Bridge Application
Managed Groove Data Bridge Identities
Web Services API
Groove Data Bridge Protocol Support
Groove Data Bridge Application
The Data Bridge server application shares many of the qualities of a Groove client. It relies on an
underlying Microsoft Office Groove application, communicates with Groove peers using the
same Groove peer protocols, and hosts identities that participate in workspaces.
Groove Web Services enable the development and deployment of integration solutions that
take advantage of services-oriented architectures (SOAs). The integration logic resides outside
of Groove Data Bridge processes. For example, an external archiving program may retrieve data
from a Groove Files tool for storage in a library maintained on a SharePoint site. The Data Bridge
identity processes Web services calls from the custom retrieval program and mediates data
exchange between the SharePoint site and Groove workspaces of which it is a member. The
custom integration program resides on the retrieval application server. Figure 1, below, shows
the key components of a Groove Data Bridge-guided system:
Figure 1. Groove Data Bridge Identity Mediating Between Workspace and External
Applications
See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture
Groove Data Bridge Account
The Groove Data Bridge runs on a dedicated Windows server. Each Data Bridge server hosts at
least one identity - comparable to a Groove user identity - that facilitates interaction between
Groove workspaces and external applications through a services-oriented architecture.
A Groove Data Bridge account is a special Groove account that covers all the integration
identities that the server hosts. Unlike a Groove account, a Data Bridge account cannot be active
on more than one device at a time. The server administrator creates an account after launching
Groove Data Bridge for the first time.
See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture
Managed Groove Data Bridge Identities
A Groove Data Bridge identity is a server-based equivalent to a user identity, acquiring Groove
workspace membership via Groove client invitations or programmatically. Groove Data Bridge
identities are defined by Groove Data Bridge server administrators and, unlike other member
identities, are not associated with users on client devices. Instead, these identities reside on
Data Bridge servers, where they are driven by Web services calls from external programs to
perform specific data integration tasks on behalf of Groove clients. As such, a Data Bridge
identity mediates data exchange between other applications, such as SharePoint sites or SQL
databases, and Groove client workspaces that contain Web services-ready tools (currently the
Files, Forms, and Calendar tools).
See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture
Web Services API
Integration tasks are defined in external programs that utilize the Groove Web Services
Application Programming Interface (API) enabled on the Data Bridge server. Through a Groove
Data Bridge identity, the program exposes a set of Web services that involve data integration
between Groove workspaces and other applications. In this way, Groove Data Bridge is an
always-available data access tier that enables integration access to Groove workspaces through
Groove Web Services.
See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture
Groove Data Bridge Protocol Support
Like the Groove client, Groove Data Bridge utilizes both Simple Symmetrical Transmission
Protocol (SSTP) and Hyper-Text Transfer Protocol (HTTP). Ports 2492 and 80 support SSTP and
HTTP, respectively. The following table describes the use of these protocols.
| Protocols | Descriptions | Default Inbound Ports |
|---|---|---|
| Simple Symmetrical Transmission Protocol (SSTP) | A Groove protocol, used by Groove clients and the Groove Data Bridge for communication. This protocol allows for the fastest message transmission. | 2492/TCP (registered with IETF) |
| HyperText Transfer Protocol (HTTP) | A broadly used protocol used by many applications, including Groove clients and Groove Relay servers when direct SSTP transmission is blocked by firewalls. | 80 |
| Local Area Network Device Presence Protocol (LAN DPP) | A Groove protocol (based on the User Datagram Protocol, UDP) used by Groove clients on a Local Area Network (LAN). Supports Groove device presence detection, enabling clients on a LAN to find each other via globally unique identifiers (GUIDs) associated with each device’s dynamic Internet Protocol (IP) address. | 1211/UDP |
| Standard XML-based protocols, such as Simple Object Access Protocol (SOAP) | Protocols used by external applications to communicate with Groove Data Bridge. | Incoming SOAP over HTTP port 9080 |
See Also:
Groove Server Data Bridge Architecture
Groove Server 2007 Architecture
III. Groove Protocol Support
Groove clients and servers utilize several transport and application-layer protocols to sustain
communications under a wide range of network conditions. This chapter provides a high-level
description of how the leading protocols are used.
Groove's Simple Symmetric Transmission Protocol (SSTP) is the primary protocol of client-to-client and client-to-server communication. But if SSTP port 2492/TCP is unavailable, Groove
clients can establish SSTP connections in other ways. For example, if a firewall blocks 2492/TCP
outbound connections, Groove clients can establish SSTP connections to relay servers over port
443/TCP. If a firewall also blocks port 443/TCP, SSTP can be encapsulated within standard HTTP
over port 80/TCP. Connections across HTTP, however, are less efficient because of the increased
overhead of encapsulation and HTTP connections.
Groove Manager, as a Web application, processes Hyper Text Transfer Protocol (HTTP) requests
from Groove clients and from an administrative browser interface. Groove clients communicate
with the Groove Manager server by sending Simple Object Access Protocol (SOAP) requests over
HTTP to which the Groove Manager responds. Groove Manager also uses SOAP to communicate
with any relay servers that are registered with it. SOAP exchanges with the relay server are
always initiated by the Groove Manager. Neither the Groove Manager nor the Groove Relay
initiates connections with Groove clients.
Groove Relay supports multiple protocols to maintain communications among Groove users
when client devices cannot contact each other directly. Foremost is Groove’s native SSTP over
port 2492/TCP which relay servers use for processing Groove messages, including instant
messages, Groove workspace invitations, and workspace updates. However, Groove Relay
employs other ports and HTTP to allow messages to traverse firewalls when a Groove user is
behind a firewall that blocks native SSTP communications.
Like Groove clients, Groove Data Bridge uses SSTP to communicate with directly-connected
Groove clients. Its transactions with external applications utilize SOAP.
Figure 3-1 introduces firewalls to the simple client-to-client topology shown in The Groove
Solution, and, to represent an enterprise deployment, includes Groove Manager and Data Bridge
servers.
Figure 3-1. Groove Installation with Supporting Servers and Firewalls
Under some conditions, Groove clients connect to relay servers across proxy servers. As with
browser connections across proxies, various ports can be specified for the local client-to-proxy
connection. When communicating across a proxy, Groove clients can use SSTP over port
443/TCP using the HTTP Connect method. Alternatively, HTTP encapsulated SSTP may be
transacted as standard HTTP Long-lived, HTTP Keep-alive, or HTTP polling over port 80/TCP, if
supported by the proxy server.
Groove clients also depend on the LAN and WAN Device Presence Protocol (DPP). LAN DPP is a
Groove application-layer protocol carried by User Datagram Protocol (UDP). LAN DPP allows
clients to find each other on a LAN subnet by publishing their presence information and monitoring
device presence information for identities in their contact lists. WAN DPP is an application-layer
protocol supported by Groove Relay and carried by Groove’s SSTP. WAN DPP allows clients to
find each other across the wide area network by publishing and subscribing to device presence
information maintained on relay servers.
The protocols supported by Groove clients and servers are summarized in the following table:
| Groove Server and Client Protocols | Functions | Listening Ports Used |
|---|---|---|
| Simple Symmetric Transport Protocol (SSTP) | Used by Groove clients and relay servers to transport Groove messages. Supports: message queues for user identity and device targeted messages; fanout of SSTP message streams to multiple identities and multiple Groove Relays; device and user authentication for dequeueing SSTP messages; Wide Area Network Device Presence Protocol (WAN DPP). | Port 2492/TCP: Inbound on Groove Relay. Inbound on Groove clients. Outbound from Groove clients to Groove Relay and clients. Outbound from Groove Relay to Groove Relay. |
| SSTP over Hypertext Transfer Protocol (HTTP) port 80 | Used by Groove clients and Groove Relay to transport messages when direct SSTP is blocked by firewalls. Supports: firewall transparency through HTTP encapsulation of SSTP datagrams. | Port 80/TCP: Inbound on Groove Relay. Outbound from Groove clients to Groove Relay. |
| SSTP over port 443 | Used by Groove clients and Groove Relay to transport messages when native SSTP transmissions are blocked by firewalls and for proxies that support the HTTP Connect method. | Port 443/TCP: Inbound on Groove Relay. Outbound from Groove clients to Groove Relay. |
| Simple Object Access Protocol (SOAP) over port 80 | Used by Groove clients to communicate with Groove Manager. | Port 80/TCP: Inbound on Groove Manager. Outbound from Groove client to Groove Manager. Outbound from Groove Data Bridge to Groove Manager. |
| SOAP over port 8009 | Used by Groove Manager to contact Groove Relay. | Port 80/TCP: Inbound on Groove Relay. Outbound from Groove Manager to Groove Relay. |
| SOAP over port 9080 | Used by Groove Data Bridge to receive XML calls from external applications. | Port 9080/TCP: Inbound on Groove Data Bridge to receive requests from external applications. |
| HTTP over port 8010 | Supports Groove Relay administrative Web pages. | Port 8010/TCP: Inbound on Groove Relay. |
| MS-SQL Tabular Data Stream (TDS) encapsulated in TCP | Used by Groove Manager front-end IIS server to contact back-end SQL server. | Port 1433/TCP (typically): Inbound on SQL database server. Outbound from Groove Manager IIS server to SQL server. |
| Lightweight Directory Access Protocol (LDAP) | Used by Groove Manager to integrate with optional LDAP-based directory server. | Port 389/TCP (typically): Inbound on LDAP directory server. Outbound from Groove Manager IIS server to LDAP directory server. |
| Local Area Network Device Presence Protocol (LAN DPP) | Used by Groove clients on a LAN subnet. Supports Groove device presence detection, enabling clients on a LAN to find each other. | Port 1211/UDP: Inbound on Groove clients. Outbound from Groove clients to Groove client. |
| Wide Area Network Device Presence Protocol (WAN DPP) | Used by Groove clients and relay servers for WAN device presence detection. | Groove application-layer protocol over SSTP. |
| Rendezvous Protocol (RVP) | Used by Groove clients to support user presence information. | Groove application-layer protocol over SSTP. |
| IM protocol | Used by Groove clients to support instant messaging. | Groove application-layer protocol over SSTP. |
| Workspace protocol | Used by Groove clients to support data synchronization. | Groove application-layer protocol over SSTP. |
| Simple Mail Transfer Protocol (SMTP) | Used by a Microsoft virtual SMTP server and called by Groove Manager, to send e-mail containing account configuration codes or account backup files to a mail host for delivery to Groove users. | Port 25/TCP: Inbound on mail host. Outbound from Groove Manager IIS front-end servers. |
Figure 3-2 illustrates the interaction between Groove Manager and Groove Relay servers, and
Groove clients. See Summary of Groove Port Configurations for a table of port configurations in the
context of various protocols.
Figure 3-2. Interaction of Groove Servers and Clients
IV. Summary of Groove Port Configurations
The following tables present sample port configurations to support Groove systems in the
presence of firewalls. The IP addresses and hostnames used are for example only.
In this section:
 Public Internet to Perimeter Network
 Perimeter Network to Public Internet
 Perimeter Network to Perimeter Network
 Private Intranet to Perimeter Network
 Private Intranet to Public Internet
Public Internet to Perimeter Network
| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol port | Purpose |
|---|---|---|---|---|---|---|---|
| Internet | * | * | Perimeter Network | mn10 | 167.10.159.20 | HTTP – 80/TCP | Groove Manager HTTP/SOAP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Internet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
Perimeter Network to Public Internet
| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol port | Purpose |
|---|---|---|---|---|---|---|---|
| Perimeter Network | mn8 | 167.10.159.18 | Internet | * | * | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Perimeter Network | mn9 | 167.10.159.19 | Internet | * | * | SSTP – 2492/TCP | Groove Relay SSTP communications |
Perimeter Network to Perimeter Network
| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol port | Purpose |
|---|---|---|---|---|---|---|---|
| Perimeter NetworkA | mn10 | 167.10.159.20 | Perimeter NetworkA | rly10 | 167.10.159.25 | HTTP – 8009/TCP | Groove Relay HTTP/SOAP communications |
| Perimeter NetworkA | mn10 | 167.10.159.20 | Perimeter NetworkA | rly11 | 167.10.159.26 | HTTP – 8009/TCP | Groove Relay HTTP/SOAP communications |
| Perimeter NetworkA | mn10 | 167.10.159.20 | Perimeter NetworkB | mail | 167.11.159.50 | SMTP – 25/TCP | E-mail SMTP communications |
Private Intranet to Perimeter Network
| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol port | Purpose |
|---|---|---|---|---|---|---|---|
| Intranet | * | * | Perimeter Network | mn10 | 167.10.159.20 | HTTP – 80/TCP | Groove Manager HTTP/SOAP communications |
| Intranet | * | * | Perimeter Network | mn10 | 167.10.159.20 | RDP-TCP – 3389/TCP | Microsoft Remote Desktop communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | HTTP – 8010/TCP | Groove Relay Admin HTTP communications |
| Intranet | * | * | Perimeter Network | rn8 | 167.10.159.18 | RDP-TCP – 3389/TCP | Microsoft Remote Desktop communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 2492/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | SSTP – 443/TCP | Groove Relay SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 80/TCP | Groove Relay HTTP encapsulated SSTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | HTTP – 8010/TCP | Groove Relay Admin HTTP communications |
| Intranet | * | * | Perimeter Network | rn9 | 167.10.159.19 | RDP-TCP – 3389/TCP | Microsoft Remote Desktop communications |
Private Intranet to Public Internet
| Source Zone | Host | IP | Destination Zone | Host | IP | Protocol port | Purpose |
|---|---|---|---|---|---|---|---|
| Intranet | * | * | Internet | * | * | SSTP – 2492/TCP | Groove SSTP communications |
| Intranet | * | * | Internet | * | * | SSTP – 443/TCP | Groove SSTP communications |
| Intranet | * | * | Internet | * | * | HTTP – 80/TCP | Groove HTTP encapsulated SSTP communications. Groove Manager HTTP/SOAP communications |
V. Groove Site Planning Conditions and Requirements
The issues discussed in this chapter are intended to help you determine how to best deploy
Groove software at your site so you can meet your current and foreseeable collaboration needs.
Some of the topics addressed are especially relevant if you are considering incorporating onsite
Groove servers into your managed Groove environment. Others, such as Network Planning and
Capacity Planning, provide applicable information, regardless of your Groove management
context.
Successful deployment involves understanding basic Groove requirements and assessing the
network management requirements of your site. Key questions to consider include:
• How does Groove affect your network? How does Groove interact with proxies, firewalls,
and other similar devices on your network, what network port requirements does Groove
have, and how does Groove affect network bandwidth? See Network Planning for Groove for
some answers.
• How many Groove users do you need to support and what hardware will you need to
manage them? See Capacity Planning for Groove for a discussion of these issues.
• What emergency outages can you anticipate and prepare for? What system failover
measures are already in place? See Failure Contingencies and Disaster Recovery for Groove for a
discussion of emergency preparedness.
Each company contends with unique administrative, technical, and environmental issues in
setting up and maintaining its communications network, but the general conditions discussed
here are likely to arise at any site. This section addresses important decision points.
In this section:
Network Planning for Groove
Capacity Planning for Groove
Failure Contingencies and Disaster Recovery for Groove
Groove Manager Site Planning
Groove Relay Site Planning
Groove Data Bridge Site Planning
Network Planning for Groove
This section discusses how a Groove deployment fits within existing network topologies and
cites specific requirements.
In this section:
Network Topology for Groove
Network Requirements for Groove
Groove Bandwidth Usage
Network Topology for Groove
One of the biggest IT challenges is setting up network devices and configurations that enable
efficient information exchange without jeopardizing the security of corporate data. Often
conflicts arise that upset any hard-gained balance. Groove mitigates these problems. Aware of
other devices and configurations on the network, Groove is designed to work within any
communication constraints they present while maintaining the security of its transactions. For
example, when firewall configurations block preferred SSTP communications, Groove clients
attempt to access relay servers using HTTP.
In addition, Groove maintains "business as usual" in the context of a wide range of
communications tools and features. For example, despite the various bandwidth rates and
latencies that characterize Internet traffic, Groove attempts to optimize communications and
maintain timely delivery of information.
Table 1-1, below, summarizes Groove's responses to various network and browser
configurations. Table 1-2, below, lists some of the tools and features with which Groove
cooperates seamlessly.
Table 1-1. Impact of Network and Browser Configurations on Groove
| Network and Browser Configurations | Groove Responses |
|---|---|
| TCP port restrictions | Direct Groove client communication depends on Groove's TCP-based Simple Symmetric Transfer Protocol (SSTP) over port 2492/TCP. When native SSTP ports are not available, Groove encapsulates SSTP messages in HTTP and client communications occur via Groove relay servers over HTTP port 80. |
| Proxy configurations | In a proxy environment, when SSTP ports are not available, Groove clients can communicate via HTTP proxies over any port specified in the browser, including ports other than 80/TCP. |
| HTTP proxy caching | HTTP proxy settings can place additional limits on communications. For example, proxies generally cache data before transmitting. Although optimal Groove communications are based on real-time transmissions, Groove is resilient to this caching. |
| Auto-detection configuration | When auto-detection is enabled for browsers in a proxy environment, the associated Dynamic Host Configuration Protocol (DHCP) configuration includes URLs for scripts that contain information about intranet hosts and proxies. Groove clients can read the information in these scripts to locate appropriate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients. |
| Auto-configuration scripts | Web browser configurations often include URLs for JavaScript files that include information about conditional proxy seeking. Groove clients can read the information in these scripts to locate proxies and communicate across them to target relay servers, which then forward client messages to the intended Groove recipients. |
| Proxy authentication (Basic Authentication, NT LAN Manager) | Proxy devices often use authentication protocols that require login information when clients attempt to connect. Groove clients support Basic Authentication and NTLM proxy authentications by displaying a dialog box requesting authentication information at connection time, thereby enabling communication through the proxy. |
| Firewall settings, including Network Address Translation (NAT) | When firewall configurations block SSTP communications, Groove clients attempt to access relay servers using HTTP. |
| Domain Name System (DNS) | Publicly resolvable, registered DNS names are used for Groove Manager and Groove Relay servers. |
| Virtual Private Networks (VPN) | Groove operates across VPNs, provided that relay servers are accessible over the VPNs. |
Table 1-2. Real-World Tools and Features with which Groove Cooperates
| Communications Tools and Features | Groove Responses |
|---|---|
| Dial-on-demand routers | Groove requires a persistent connection, which on-demand routers do not normally provide. Therefore, Groove may force the router to stay dialed-up as long as Groove is running. |
| Dial-up, pay-to-use services (such as in hotels and airports), and Network Interface Card (NIC) insertions/removals | These services acquire a temporary (transient) IP address while the connection is up. Groove supports such configurations. |
| Sociable communications | Groove runs in the background as an icon in the system tray along with other Windows applications sharing the network resources. When sharing bandwidth with other applications, Groove attempts to optimize its bandwidth use. |
| Suspend/resume | Most laptops support a sleep mode, for example when the lid is closed. Groove resumes after suspension, without requiring system shut down. |
| Various bandwidth rates and latencies | Groove is designed to accommodate differences in bandwidth rates and high latencies. Though affected by these conditions, it attempts to optimize communications. |
| Communications errors | Groove is designed to accommodate communications errors (short breaks in service caused by storms or network events). |
| Virtual Private Network (VPN) and Virtual Network Connection (VNC) communications | Groove co-exists with these links but does not depend on them. |
See Also:
Network Planning for Groove
Network Requirements for Groove
This table describes general network interface requirements for a Groove installation.
| Device | Ports Open |
|---|---|
| Groove client | Inbound/Outbound port 2492/TCP – Allows real-time client-to-client communications via Groove's Simple Symmetric Transfer Protocol (SSTP) and client-to-relay-to-client communications via Groove Relay servers. |
| | Inbound/Outbound port 1211/UDP – Allows real-time client-to-client communications via Groove's Local Area Network Device Presence Protocol (LAN DPP). |
| | Outbound ports (80/TCP) – Allows client-to-relay-to-client communications via Groove Relay servers. Also allows SOAP communications with Groove Manager. |
| | Outbound port 443/TCP – Allows client-to-relay-to-client communications via Groove Relay servers. |
| Groove Manager | Inbound port 80/TCP - Receives Simple Object Access Protocol (SOAP) requests from Groove clients over HTTP. |
| | Outbound port 8009/TCP – Sends SOAP messages to Groove Relay. |
| | Outbound port 25/TCP - For sending SMTP e-mail containing account configuration codes to Groove users. |
| | Outbound port 389/TCP – For importing and synchronizing member identities with LDAP directory. |
| Groove Relay | Inbound ports 80/TCP, 443/TCP, or 2492/TCP - Receives messages from Groove clients via HTTP or Groove's SSTP. |
| | Outbound port 2492/TCP – For relay-to-relay single hop fanout. |
| | Inbound port 8009/TCP - Receives SOAP requests from Groove Manager. |
| | Inbound port 8010/TCP - Supports browser requests for administrative statistics. |
| | Corresponding ports on firewalls and related devices must allow communications across the above ports for transmissions to (and from) Groove Relay servers. |
See Also:
Network Planning for Groove
Groove Bandwidth Usage
When installed as recommended, a Groove system of clients and servers does not measurably
disrupt network performance and compares with most currently available browser or platform-based communications products in terms of bandwidth consumption. This section discusses
Groove's bandwidth usage patterns, and subsequent sections discuss the hardware and
configuration recommendations that best support it. Understanding how Groove uses
bandwidth will help you anticipate any network adjustments that may be necessary.
Groove bandwidth usage depends on several variables, including network configuration, and the
amount and type of data being transmitted over the wire. While these factors vary among sites,
the bandwidth usage results from Microsoft experience and testing provide a useful baseline.
For example, bandwidth usage has been monitored under conditions where Groove is being
used heavily in a workspace with fifty members and each member of the workspace sends, on
average, approximately 350 bytes/second over the network during a typical workday. Results
from this level of Groove activity show that Groove bandwidth utilization increases linearly as
the number of members in Groove workspaces increases (assuming a user-to-device ratio of
approximately 1:2).
Whenever possible, Groove transmits data directly from client to client, sending individual
packets of data to each workspace member. When data is addressed to a client that cannot be
reached directly (because the user is offline, behind a firewall, or on a weak internet link, for
example), Groove sends data via relay servers, and via fanout as needed for more efficient
distribution. Whether data is transferred through relay servers or not, bandwidth utilization
relative to the number of users in a workspace remains linear (see Figure 1, below), facilitating
the task of predicting Groove bandwidth use once the application is online. Note that because
relay servers are designed for expedient bandwidth use, total bandwidth use under conditions
of high traffic is often less when relay servers assist in message transmission.
Figure 1. Groove Client/Relay Bandwidth Usage
See Also:
Network Planning for Groove
Network-Level Security
A basic form of security for Internet transmissions is the blocking or filtering of data from
unknown or suspect sources. One way to accomplish this is by restricting the number of open
communications ports on the server, limiting inbound transmissions to those protocols
supported by the few open ports. Firewalls are often used to implement these restrictions. For
example, you could locate a Groove Manager server in a perimeter network (sometimes called a
perimeter security zone), behind a firewall that allows only TCP inbound traffic over port 80; this
would limit inbound transmissions to HTTP traffic only. This would allow Groove client-to-Groove Manager and other HTTP communications while blocking other transmissions using non-HTTP protocols.
How you implement security measures at your site depends largely on your company's specific
security requirements, the software you use, and on your existing network topology. See
'Recommended Best Practices' in Groove Site Preparation, for important guidance.
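One way to check a perimeter firewall's permit rules against the inbound ports this guide lists for Groove Manager and Groove Relay, flagging rules that are wider than documented and documented flows that no rule allows. This is an added example, not Microsoft's code: the zone and role labels, the rule format and the sample rules are constructed for illustration, and the allowed-port matrix is transcribed from this guide's sample firewall tables and the port-80 example above.

```python
"""Audit firewall rules for a Groove perimeter network against a documented port matrix."""
from dataclasses import dataclass

# (source zone, server role) -> inbound TCP ports permitted. Transcribed from this
# guide's sample firewall tables plus its port-80 Groove Manager example; the zone
# and role labels are assumptions of this example. Extend it for your site, e.g.
# 443/TCP to the manager if its administrative pages are protected with SSL.
ALLOWED = {
    ("internet", "relay"): {80, 443, 2492},
    ("internet", "manager"): {80},
    ("intranet", "relay"): {80, 443, 2492, 8010, 3389},
    ("intranet", "manager"): {80, 3389},
    ("perimeter", "relay"): {8009},  # Groove Manager -> Groove Relay SOAP
}

# Ports the guide opens only from inside the organisation.
MANAGEMENT = {
    3389: "Remote Desktop",
    8009: "Manager-to-Relay SOAP",
    8010: "Relay admin HTTP",
}


@dataclass(frozen=True)
class Rule:
    """One permit rule: a source zone, a destination role and a port range."""
    source_zone: str
    role: str
    proto: str
    first_port: int
    last_port: int

    @property
    def ports(self):
        return range(self.first_port, self.last_port + 1)


def audit(rules):
    """Return (rule, kind, message) for each way a rule exceeds the matrix."""
    findings = []
    for rule in rules:
        allowed = ALLOWED.get((rule.source_zone, rule.role), set())
        if rule.proto != "tcp":
            findings.append((rule, "excess",
                             f"{rule.proto.upper()} is not required inbound on a {rule.role}"))
            continue
        extra = [p for p in rule.ports if p not in allowed]
        exposed = [p for p in extra
                   if rule.source_zone == "internet" and p in MANAGEMENT]
        if exposed:
            names = ", ".join(f"{p} ({MANAGEMENT[p]})" for p in exposed)
            findings.append((rule, "exposed",
                             f"management port(s) reachable from the Internet: {names}"))
        other = len(extra) - len(exposed)
        if other:
            findings.append((rule, "excess",
                             f"{other} port(s) outside the documented set"))
    return findings


def missing(rules):
    """Return documented (zone, role, port) flows that no rule permits."""
    covered = {(r.source_zone, r.role, p)
               for r in rules if r.proto == "tcp"
               for p in r.ports
               if p in ALLOWED.get((r.source_zone, r.role), ())}
    wanted = {(zone, role, p)
              for (zone, role), ports in ALLOWED.items() for p in ports}
    return sorted(wanted - covered)


# Constructed sample rule set (not from the guide).
SAMPLE_RULES = [
    Rule("internet", "relay", "tcp", 2492, 2492),
    Rule("internet", "relay", "tcp", 443, 443),
    Rule("internet", "relay", "tcp", 80, 80),
    Rule("internet", "manager", "tcp", 80, 80),
    Rule("internet", "relay", "tcp", 8000, 8100),    # too wide: covers 8009 and 8010
    Rule("internet", "manager", "tcp", 3389, 3389),  # RDP open to the Internet
    Rule("intranet", "relay", "tcp", 80, 80),
    Rule("intranet", "relay", "tcp", 443, 443),
    Rule("intranet", "relay", "tcp", 2492, 2492),
    Rule("intranet", "relay", "tcp", 8010, 8010),
    Rule("intranet", "relay", "tcp", 3389, 3389),
    Rule("intranet", "manager", "tcp", 80, 80),
    Rule("perimeter", "relay", "tcp", 8009, 8009),
    Rule("intranet", "relay", "udp", 1211, 1211),    # LAN DPP is a client port
]

if __name__ == "__main__":
    for rule, kind, message in audit(SAMPLE_RULES):
        print(f"{kind:8} {rule.source_zone}->{rule.role} "
              f"{rule.proto}/{rule.first_port}-{rule.last_port}: {message}")
    for zone, role, port in missing(SAMPLE_RULES):
        print(f"missing  {zone}->{role} tcp/{port}")
```

Port ranges are expanded before comparison, so a single wide rule is reported both for the management ports it exposes and for the count of other undocumented ports it opens.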
See Also:
Network Planning for Groove
Groove Site Planning Conditions and Requirements
Capacity Planning for Groove
To anticipate and plan for any large-scale software deployment, you need to know the size and
location of your intended user population, as well as anticipated bandwidth consumption. The
range of Groove enterprise services and servers that you engage depends largely on these
factors. The section below discusses Groove client and server capacities.
In this section:
Groove User Base Planning
Groove Manager Capacity
Groove Relay Capacity
Groove User Base Planning
Knowing the current and projected size of your Groove client base, along with the estimated
daily bandwidth usage per user, is essential for planning an enterprise-wide Groove installation
that will operate smoothly from the start and over the long term. Larger enterprises will have
additional planning considerations.
In small businesses (of less than 100 users), minimal planning is involved, mostly centering on
establishing the number and usage level of target Groove users, as discussed in the server
capacity sections below. The network and security configurations already in place at your site to
support Internet access and e-mail should generally be sufficient for Groove, regardless of
whether users collaborate under the same roof or across the globe.
When hundreds or thousands of users require collaboration support, and when corporate
consultants, partners, or customers are involved as well as employees, close consideration of
how you intend to manage such collaboration is necessary. An effective management
framework should allow you to accomplish the following:
• Centrally configure Groove accounts.
• Set Groove password entry requirements.
• Manage Groove activity at both the user and device level.
• Identify trusted collaborators outside a domain.
• Integrate Groove user information with corporate directories.
• Schedule automatic backup of Groove user accounts.
• Provision users with relay services that help ensure uninterrupted collaboration.
• Monitor user activity and project work to ensure productive use of Groove.
• Audit Groove client events to help ensure proper use.
• Integrate corporate applications and data with Groove.
• Back up Groove workspaces.
The following Groove server applications and services can help you achieve these ends with
maximum ease, as summarized in the following table:
| Office Groove Server and Groove Enterprise Services | Capabilities |
|---|---|
| Groove Server 2007 Manager, installed onsite (requires separate Groove Server Relay installation). *Also available as Groove Enterprise Services, which includes Manager and Relay hosted by a Microsoft data center. | Enables and facilitates centralized administrative control over Groove use, including: • Automatically configuring Groove on client devices. • Setting password creation rules. • Enforcing managed Groove use. • Establishing trusted users across management domains. • Scheduling automatic Groove account backup. • Enabling Groove password and data recovery. • Integrating corporate user directories with Groove user identity information. • Monitoring Groove use. • Auditing Groove client activity. |
| Groove Server 2007 Relay, installed onsite (requires separate Groove Server Manager installation). *Also available as Groove Enterprise Services, which includes Manager and Relay hosted by a Microsoft data center. | Enables relay server provisioning to managed users, providing the following communication services: • Data storage and forwarding, to support online/offline collaboration. • Wide-area network (WAN) presence detection. • Data fanout to expedite message delivery in conditions of high network traffic. • Cross-firewall communications. |
| Groove Server 2007 Data Bridge | Integrates Groove with Microsoft SQL databases and other corporate applications via Groove Web services; includes built-in mechanism for backing up managed Groove user workspaces. |
See Also:
Capacity Planning for Groove
Groove Manager Capacity
Office Groove Server 2007 Manager enables comprehensive oversight of Groove usage. In
planning how to incorporate Groove Manager into your network, consider your company's
usage statistics, bandwidth requirements, and what hardware/software is necessary to support
those conditions.
The number of users that Groove Manager can support largely depends on the hardware
configuration of the Internet Information Service (IIS) and SQL servers that comprise a Groove
Manager installation. Monitor Groove and Groove Manager performance to consider if and
when additional hardware or software may be necessary. For the SQL server back end, plan on 6
MB of storage per managed Groove user, including space for account backup.
Typically, one Groove Manager/IIS front end server can support approximately 20,000 users,
when installed according to product instructions. Additional Groove Manager front ends are
necessary to support a larger user population. Larger-scale implementations can leverage the
scalability of the underlying IIS and SQL platforms. In most cases, multiple load-balanced IIS
front-end servers can share a common SQL back end.
The following specifications are based on an average deployment in a mid-sized company and
can provide a reference point for planning your Groove Manager deployment.
Hardware/Software:
• Hardware Load Balancer – 1 each
• IIS Front End – 2 each (for redundancy): dual 64-bit processors, 2.4 GHz, 4 GB RAM; single disk controller, NICs, and write-caching hardware RAID; 36 GB RAID disk array; Windows Server 2003 x64
• SQL Back End – 1 each: dual 64-bit processors, 2.4 GHz, 4 GB RAM; multiple disk controllers, NICs, and write-caching hardware RAID; 800 GB RAID disk array; Windows Server 2003 x64; SQL Server 2005
Projected Load:
• 12,000 Groove users online
• 36,000 Groove user identities configured
If Groove Manager is deployed with the Audit option enabled, allow at least one dedicated SQL
server for every 1500 users. Additional server support is necessary if the option to audit files is
in place.
The following table provides estimates for the number of Groove Manager servers necessary to
support a given number of Groove users:
| Groove Users | Minimum Groove Manager Front End/IIS Servers | Groove Manager Back End/SQL Servers |
|---|---|---|
| 1,000 | 1 | 1 |
| 2,000 | 1 | 1 |
| 5,000 | 1 | 1 |
| 10,000 | 1 | 1 |
| 20,000 | 1 | 1 |
| 40,000 | 2 | 1 |
| 60,000 | 3 | 1 |
See Also:
Groove Relay Capacity
Installing Office Groove Server 2007 Relay at your site ensures relay availability to your Groove
users and places all relay management within the control of your server administrators. If you
decide to secure and manage dedicated relays, plan on supporting no more than 18,000 Groove
users on a single relay server. However, actual limitations on relay capacity may vary and you
should monitor Groove client and relay performance to determine when additional server
hardware or software may be necessary.
If your organization supports a global network of users, to maximize the performance of your
relay equipment, try to locate your relay servers in close proximity to your main communities of
users. The increased network "hop" count necessary to support data transmissions from Groove
clients to distant relays degrades network performance.
The following specifications are based on an average deployment in a mid-sized company and
can provide a reference point for planning a Groove Relay deployment.
Hardware/Software:
• Dual 64-bit processors, 2.4 GHz, 8 GB RAM
• Multiple disk controllers (one dedicated controller for the relay's data volume and zero-to-one additional controller for operating system volumes)
• Multiple NICs, and write-caching hardware RAID
• 450-GB RAID disk array for relay data
• Windows Server 2003 x64
Projected Load for Community of 36,000 Groove Users:
• 12,000 users provisioned to a Groove Relay server and online
• 30,000 connected Groove devices
• Maximum bandwidth of 8 MB/concurrent user/day
The chart above describes an organization with a community of 36,000 Groove users. In this
scenario, all 36,000 users are provisioned to the relay server with the assumption that no more
than 33% of the provisioned users will be online at any time. About 12,000 provisioned users are
online and connected concurrently. The 30,000 connected devices include the devices of users
provisioned to this relay server and online, as well as the devices of other collaborating users
provisioned to other Relays.
Note that the ratio of online Groove users to devices connected to the relay server varies
depending on usage patterns. Typically clients provisioned to other relays connect to a Groove
Relay server in order to enqueue data for clients that are provisioned to that relay. The
connected devices for non-provisioned users consume some relay resources, although
substantially fewer resources than for a provisioned and online user. Therefore, the number of
provisioned and online users connecting to a relay server is usually substantially less than the
total number of connecting devices.
The ratio for provisioned online users to connected devices online is typically between 1:2 and
1:5, but can be as high as 1:20 or more. The ratio also depends on secondary relay server
assignments. Each secondary relay assignment also constitutes a connection to the secondary
relay. Keep this in mind when planning relay capacity.
Each Groove Relay may support up to approximately 15,000 provisioned and online users. The
total number of provisioned users - online and offline – is typically greater, depending on the
ratio of online to offline users. Additional relay servers are needed to support larger user
populations or to meet redundancy requirements.
This section presents specific aspects of relay capacity planning.
In this article:
• Relay Bandwidth Usage
• Relay RAM
• Relay CPU
• Relay Disk Space
• Relay Hard Disk Controller
Relay Bandwidth Usage
Approximately 8 megabytes (MB) of data may pass through the relay server per user per day,
based on average-use tests. Therefore, an environment of 15,000 provisioned and online
Groove users would generate about 120 gigabytes (GB) of traffic per day, or about 1.4
MB/second. The amount of data directed to a Groove Relay server depends on the amount of
data being sent in each transmission, communications speed, whether clients are behind
firewalls, and the state of client connections.
Relay RAM
Tests on a standard configuration show that a Groove Relay server uses about 1.5 gigabytes of
memory to support approximately 12,000 connected devices. In the case of a mid-sized
company (described above), with 30,000 connected devices, 8 GB of memory would be
required. At least 2 GB of memory should be reserved for file system cache for proper operation
of the relay.
Relay CPU
Groove Relay is optimized for a dual 64-bit processor configuration with 2.4 GHz speed or
greater. Dual-core dual processor configurations are also supported.
Relay Disk Space
The disk space required to support a client population varies, depending on Groove client usage
patterns. Client populations that are routinely offline for days or weeks at a time require more
relay disk space because data must be stored while clients are offline. In a typical mixed client
population, a client may use up to approximately 10 MB of disk space per day, assuming a 30-day
purge interval. The total necessary disk space will vary with the configured purge interval.
Therefore, a community of about 36,000 Groove users will consume at least 360 GB of disk storage
on the data drive.
Relay Hard Disk Controller
Groove Relays place a high demand on disk input/output (I/O). Write caching is critical to
supporting the high I/O demand of a Groove Relay. The Groove Relay installation kit includes a
utility called DBWriteTest.exe that can be run to assess the performance viability of a disk
subsystem. DBWriteTest exercises the relay server’s controller and drive subsystems. A relay
server configured for 12,000 online users requires DBWriteTest results of approximately 2
MB/second or greater. In addition, your hardware RAID should be configured to enable a system
to survive catastrophic failure of a disk drive with minimal down time and data loss.
The rate at which the hard-disk controller transfers data from the processor to the hard disk
depends on the type of controller. Microsoft average-use tests show that adding 100 Groove
users to the system typically increases the amount of data written to or read from the relay
server hard disk by about 50,000 bytes/second. This suggests that 12,000 users online would
best be supported by a Groove Relay with a write-caching hardware RAID controller and
minimum raw disk I/O capacity of 6 MB/second. Typically, this requires a high-performance
controller with 10,000-to-15,000-rpm drives.
See Also:
Capacity Planning for Groove
Failure Contingencies and Disaster Recovery for Groove
As with any server installation, total system failure is a possible scenario that should be
addressed at the outset during deployment planning. Possible causes and anticipated effects
should both be assessed during the site design phase so that disaster avoidance and recovery
can be built-in to site topology and operating practices.
Since Groove is designed to run in a wide range of environmental and network settings, the
possible context of system failure depends largely on conditions unique to a given site and is,
therefore, beyond the scope of this guide. But a recovery path can be recommended. IT
departments charged with providing comprehensive full-function Groove services to a large
corporation can best establish a recovery path by setting up multiple data centers with
procedures and standby servers slated for immediate promotion into operation in the event of
failure.
Minimally, protect your data and the server operating system from the effects of component
failure, and prepare Groove Server installations for failure recovery, as follows:
• Groove Manager - Groove Manager IIS and SQL server machines should be equipped with
reliable, fault tolerant hardware and redundant hard drives, or other fault-tolerant
technology, such as clustering, multiple IIS front ends, and fault-tolerant network load
balancing. Schedule frequent backups of the Groove Manager database on the SQL backend
server.
• Groove Relay – Groove Relay servers should be equipped with reliable, fault-tolerant
hardware and redundant hardware. A redundant multi-relay installation can further reduce
the risk of interrupted or slowed communications within your Groove network. Using
Groove Manager, administrators can provision redundant Groove Relay servers to members
of a management domain. If the primary relay server is inaccessible for a provisioned
member, the Groove client will use the next relay server in the list. In the event of disk
failure, you can use the Groove Relay’s FFQBackup and FFQRebuild utilities and procedures
to reconstruct the relay server databases.
• Groove Data Bridge - Groove Data Bridge servers should be equipped with fault-tolerant
hardware and redundant hard drives.
See Also:
Groove Site Planning Conditions and Requirements
Groove Manager Site Planning
The Groove Server Manager is a Web-based application for managing Groove clients. As a
component of the Microsoft Office Groove Server 2007 installed on your corporate network, the
Groove Server Manager (subsequently called Groove Manager) enables server control, as well as
administrative oversight of Groove user and device activity. As an alternative, you can access
Groove Manager functionality by engaging Microsoft Office Groove Enterprise Services, which
allows you to manage Groove users and devices without the overhead of managing the server.
This section summarizes site planning issues and best practices to consider when setting up the
Groove Manager server application at your site.
In this section:
Network Requirements for Groove Manager
Capacity Planning for Groove Manager
Recommended Best Practices for Groove Manager
Failure Contingencies for Groove Manager
Network Requirements for Groove Manager
Inbound port 2492 must be open on all Groove client devices in order to enable peer-to-peer
communications.
The Groove Manager has the following network interface requirements:
• Inbound TCP port 80 must be open in order to receive Simple Object Access Protocol (SOAP)
requests from Groove clients over HTTP.
• Inbound SSL port 443 must be open to support Secure Socket Layer protection of the
Groove Manager administrative Web pages.
• Outbound TCP ports must be open in order to send messages to the Groove Relay TCP port
8009 (for version 3.1 or earlier Groove Relay servers).
• Outbound SMTP port to the defined Smart Host must be open in order to send e-mail with
account configuration and account restoration codes to Groove users (TCP port 25).
See Also:
Groove Manager Site Planning
Groove Site Planning Conditions and Requirements
Capacity Planning for Groove Manager
One Groove Manager device typically supports up to 10,000 Groove users, with the hardware
configuration recommended for a standard installation. A second Groove Manager is generally
recommended to support a larger user base. Larger-scale implementations, with additional RAM
and disk storage capacity, can leverage the scalability of the underlying IIS and SQL platforms.
When Groove is being used heavily in a workspace with fifty members, each member of the
workspace sends, on average, approximately 350 bytes/second over the network during a
typical workday. The number of users that your system can support largely depends on the
hardware configuration of the Internet Information Service (IIS) and SQL servers that comprise
the Groove Manager installation. Monitor Groove and Groove Manager performance to
consider if and when additional hardware or software may be necessary. For the SQL server, in
an environment of approximately 5 transactions per user per hour, plan on 6 MB of storage per
managed Groove user, including space for account backup.
See Also:
Groove Manager Site Planning
Groove Site Planning Conditions and Requirements
Recommended Best Practices for Groove Manager
The location of specific Groove Manager and Relay devices at your site is largely governed by
the performance and security objectives at your organization, as well as on the location and
distribution of users with respect to your network topology. Work with your Microsoft Office
Groove representative to determine how to implement a Groove Manager configuration that
accommodates the Groove user base at your site.
In administering a Groove Manager, follow the best practices generally recommended for
hosting an Internet server. For helpful information on this topic, review the Microsoft security
Web site.
The following basic measures can help promote a reliable and secure installation:
 Control network access to the Groove Manager Web pages, as described in Controlling
Network Access to the Groove Manager Web Site.
 Install the management software on a clean stand-alone Windows 2003 machine. Do not try
to install a Groove Manager on a domain controller or a machine where Groove is running.
Doing so will cause the install process to fail.
 To protect the operating system and data from damage or loss as a result of hardware
component failure, make sure to install the Groove Manager on a machine with redundant
hard drive capability, typically a hardware RAID (software RAIDs provide protection for data
only, not the operating system).
 Consider installing the latest Critical Update Package and Security Rollup on all servers.
 Review available information about any Windows server security vulnerabilities, and
address them as needed at your site. For information about Windows security, see the
Microsoft Windows Security Web pages.
 Also see the Microsoft TechNet Security site.
 Proxy or firewall devices may be used to control transmissions and allow access only to
those ports necessary for Groove transmissions.
 Locate the Groove Manager in a perimeter network (also known as screened subnet) to
afford relative security while allowing managed external Groove users to access the Groove
Manager from the internet. Similarly, locate any Groove Relay devices in a perimeter
network for security and to allow other Groove users to contact your managed users. Figure
2 shows an example of a typical Groove Manager setup.
 If your site plan includes multiple Groove Manager devices, install the administrative portion
of the Web site on a secure server, separate from the server supporting the client-accessible
portion of the site. The SQL server is typically shared by multiple Groove Manager devices.
Consult a Microsoft Office Groove technician for information about multiple-server
installations.
 Further secure the Groove Manager administrative Web pages by enabling Secure Sockets
Layer (SSL) encryption and setting the server SSL port to 443. For more information about
SSL, refer to the Microsoft MSDN Web site.
 Further protect the Groove Manager administrative Web pages with Windows or other login
authentication. If using Basic Authentication, where passwords are transmitted over the
network without encryption, make sure to enable SSL.
 To help secure distribution of Groove account configuration codes to your users, use one of
the following methods:
 Utilize the Groove Manager's automatic account configuration option.
 Use an existing secure communication channel to distribute codes (employing
security-enhanced e-mail or e-mail over a trusted local area network, for instance).
 Manually distribute account configuration codes.
 Make sure to keep labeled copies of any certificates, private keys, and passwords you use in
a known secure location, such as on disk in a locked cabinet or in a directory on a secure
private network. You may need access to these old certificates or private keys in the future;
for example, if you need to recover client data but the client has an older version of the data
recovery certificate.
 Establish administrative roles which govern physical access to Groove Manager machines,
access to server-level controls, and access to management domain controls.
 To allow for Groove account restoration when needed (to replace a damaged account, for
example), ensure that the identity policy that schedules Groove account backups is enabled.
See Also:
Groove Manager Site Planning
Groove Site Planning Conditions and Requirements
Failure Contingencies for Groove Manager
To protect your data and the server operating system from the effects of component failure, the
Groove Manager IIS and SQL server machines should be equipped with reliable redundant
hard-drive capability, or other fault-tolerant technology, such as clustering. As with any server
installation, the possibility of total server failure is also a concern. To address this risk, you may
want to consider an additional Groove Manager to provide backup in the event that your initial
installation fails.
See Also:
Groove Manager Site Planning
Groove Site Planning Conditions and Requirements
Groove Relay Site Planning
Many factors affect where and how you should position Groove Relay servers at your site. How
many Groove users you intend to support, where your users are located geographically, your
company’s security policies, how a Groove Relay server will interact with other nodes on your
system, and existing network topology are some of the issues you should address before
bringing the Groove Relay and its supporting Groove Manager online in your organization. While
the guidelines and best practices cited in this guide are recommended for optimizing the
effectiveness of your installation, the specific conditions at your site will drive most of the
decisions about Groove Relay server placement on your network.
You must install a Groove Manager at your site in order to manage your onsite Groove Relay
servers. See the Help that accompanies the Groove Manager component of the Microsoft Office
Groove Server for specific information about Groove Manager site planning.
In this section:
Network Requirements for Groove Relay
Capacity Planning for Groove Relay
Best Practices for Groove Relay
Groove Relay Server Failover
See Also:
Groove Site Planning Conditions and Requirements
Network Requirements for Groove Relay
The Groove Relay requires specific inbound ports to be open for client and Groove Manager
transmissions. Required or recommended ports on the Groove Relay server are:
 Inbound port 2492 must be open for SSTP transmissions from Groove clients.
 Inbound port 80 must be open for SSTP over HTTP transmissions from Groove clients.
 Inbound port 443 must be open for SSTP transmissions from clients via proxies that support
the HTTP Connect method (and for SSTP client transmissions that can directly access the
Groove Relay via SSL port 443 but not 2492).
 Inbound port 8009 must be open on interfaces that the Groove Manager accesses to send
transactions to the Groove Relay. The Groove Manager server sends these transactions
using the Simple Object Access Protocol (SOAP).
 Outbound port 2492 must be open for single-hop transmissions between Groove Relay
servers.
 Optionally, if the Groove Relay is behind a firewall, the firewall’s outbound port 80 may be
open for HTTP traffic, so that the Groove Relay can communicate status information to
Microsoft as part of its Customer Experience Improvement Program (CEIP).
The corresponding ports on firewalls and related devices must allow communications across
these ports for transmissions to and from Groove Relay servers.
In addition, access must be enabled for Domain Name System (DNS) lookup traffic. The
server uses DNS to locate other Groove Relay servers and to communicate with Groove
Manager servers.
See Also:
Groove Relay Site Planning
Groove Site Planning Conditions and Requirements
Capacity Planning for Groove Relay
Approximately 8 megabytes (MB) of data may pass through the Groove Relay server per user
per day, based on average usage tests. In this case, 15,000 concurrent Groove users would
generate about 120 gigabytes (GB) of data per day. The amount of data directed to the Groove
Relay depends on the amount of data being sent in each transmission, communications speed,
whether clients are behind firewalls, and the state of client connections.
Plan on supporting a community of no more than 12,000 to 18,000 Groove users on a single
Groove Relay server. However, actual relay capacity may be lower, and you should monitor
Groove client and relay performance to determine when additional hardware or software may
be necessary. Work with your Microsoft Support representative to determine how to implement
a relay configuration that accommodates Groove client traffic at your site.
See Also:
Groove Relay Site Planning
Groove Site Planning Conditions and Requirements
Best Practices for Groove Relay
The location of specific Groove Relay servers at your site is largely governed by your security
constraints. How you address these requirements ultimately depends on your network setup
and objectives.
As a general guideline, the objective is to logically locate the Groove Relay on your network to
allow the minimum number of Internet protocols through while meeting user demand. Figure 6
shows a network configuration that is suitable in typical corporate environments.
Figure 6. Typical Groove Relay Setup in a Perimeter Zone
The following basic measures can help assure a reliable and secure installation:
 Locate the Groove Relay in a perimeter network (also known as screened subnet), or on an
internal/external network boundary to provide basic relay security.
 When configuring a proxy server in a Groove Relay environment, place TCP/443 and TCP/80
near the top of the protocol list, if the order affects the efficiency of the proxy server. The
Groove client tries these ports in this order: 2492, 443, 80.
 Configure your external network interface cards to filter all but inbound TCP/IP traffic on
ports 2492, 443, and 80.
 Port 8009 should be open for transmissions from the Groove Manager but assigned to a
network interface card connected to a private internal network. Consider blocking inbound
port 8009 on the Groove Relay external interface unless your Groove Manager is configured
to access the Groove Relay over an external interface (on the Groove Relay server).
 Port 8010, used for browser access to Groove Relay administrative pages, is restricted to
localhost by default. Remote administrative access is prohibited by default. Because Groove
Relay currently supports basic authentication (Base64 encoding) but not Secure Sockets
Layer (SSL) encryption, retaining this default configuration is recommended.
 Disable Windows Active Directory and other Windows services, as these impact relay
performance. The Groove Relay utilizes the services of the Groove Manager instead of
Active Directory services; Groove Manager provides integration with Active Directory.
 As a general guideline, install the operating system platform and Groove Relay software on a
clean machine. Do not try to install a Groove Relay on a domain controller, on a Web server
such as IIS, or on a machine with any client server application. Do not install the Groove
Relay on a machine where Groove is running.
 To protect the operating system and data from damage or loss as a result of hardware
component failure, make sure to install the Groove Relay on a machine with redundant hard
drive capability, typically a hardware RAID configuration. Also, provide backup power via an
uninterruptible power supply (UPS).
 Installing anti-virus software on the Groove Relay machine can significantly impede relay
performance. When installing and configuring anti-virus software, disable Real-Time
protection on the Data directories.
 Configure your firewall and proxy ports to support your Groove client and Groove Relay
installations.
Groove operates with the security infrastructure of many WAN configurations, and within
the constraints of firewalls, while assuring secure peer communications via the Groove
Relay. Where firewalls prevent direct peer-to-peer network communications between
devices, the Groove Relay creates a virtual peer-to-peer communications path between the
devices. The following are some sample scenarios.
Figure 7 shows a scenario where devices A and B are on different networks, each protected
by a firewall. Both firewalls are configured to allow outbound connections over ports 2492,
80, and 443, while blocking all inbound connections. In this scenario, devices A and B cannot
establish peer-to-peer connections to each other because of the firewall policies. They can,
however, establish port 2492 connections to a Groove Relay server. The result is that
Groove communication occurs via the Groove Relay; clients will connect to the Groove Relay
over SSTP on port 2492.
Another firewall configuration, with a more restrictive setup than shown in Figure 7,
demonstrates the Groove Relay’s protocol encapsulation scheme. Company networks often
include firewalls that allow outbound connectivity to port 80 only. When SSTP outbound
connections fail over ports 2492 or 443, the Groove client encapsulates SSTP within HTTP and
reattempts the connection over port 80.
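The interface and port rules in this section can be checked mechanically. The following Python sketch is an added example, not part of the original guide or of any Groove tooling: it audits a constructed list of inbound rules for a Groove Relay host against the guidance above and models the client's 2492, 443, 80 fallback. The rule format, the interface labels (`external`, `internal`, `loopback`), and all function names are assumptions made for the illustration.

```python
# Added example: audit a Groove Relay's inbound exposure against this section.
# The rule format and interface labels are assumptions, not a real export format.
from dataclasses import dataclass

CLIENT_PORTS = {2492, 443, 80}  # inbound ports clients need on the external NIC
MANAGER_SOAP_PORT = 8009        # Groove Manager -> Relay transactions (SOAP)
ADMIN_PORT = 8010               # Relay admin pages: basic auth, no SSL


@dataclass(frozen=True)
class InboundRule:
    interface: str  # "external", "internal" or "loopback" (assumed labels)
    port: int
    action: str     # "allow" or "deny"


def audit_relay(rules, manager_uses_external=False):
    """Return a list of findings; an empty list means the rules comply."""
    allowed = {(r.interface, r.port) for r in rules if r.action == "allow"}
    findings = []

    # Clients try 2492, then 443, then 80, so all three should be reachable.
    for port in sorted(CLIENT_PORTS):
        if ("external", port) not in allowed:
            findings.append(f"MISSING external/{port}: client transport blocked")

    # The external interface should pass nothing except the client ports.
    for iface, port in sorted(allowed):
        if iface != "external" or port in CLIENT_PORTS:
            continue
        if port == MANAGER_SOAP_PORT and manager_uses_external:
            continue  # the one exception the guide allows
        if port == ADMIN_PORT:
            findings.append("EXPOSED external/8010: admin pages lack SSL")
        elif port == MANAGER_SOAP_PORT:
            findings.append("EXPOSED external/8009: keep Manager SOAP internal")
        else:
            findings.append(f"EXPOSED external/{port}: not a Groove client port")

    # The Groove Manager must still reach 8009 on the interface it uses.
    manager_iface = "external" if manager_uses_external else "internal"
    if (manager_iface, MANAGER_SOAP_PORT) not in allowed:
        findings.append(f"MISSING {manager_iface}/8009: Manager cannot reach relay")

    # Port 8010 should stay at its localhost-only default.
    if ("internal", ADMIN_PORT) in allowed:
        findings.append("EXPOSED internal/8010: keep admin pages on localhost")
    return findings


def client_transport(egress_ports):
    """Transport a client falls back to, given the outbound ports it may use."""
    order = ((2492, "SSTP"), (443, "SSTP on 443"), (80, "SSTP over HTTP"))
    for port, name in order:
        if port in egress_ports:
            return port, name
    return None, "no path to relay"


# Constructed sample: external/80 is missing and external/8009 is exposed.
SAMPLE_RULES = [
    InboundRule("external", 2492, "allow"),
    InboundRule("external", 443, "allow"),
    InboundRule("external", 8009, "allow"),
    InboundRule("external", 3389, "deny"),
    InboundRule("internal", 8009, "allow"),
    InboundRule("loopback", 8010, "allow"),
]

if __name__ == "__main__":
    for finding in audit_relay(SAMPLE_RULES):
        print(finding)
    print(client_transport({80}))
```

Pass `manager_uses_external=True` only when the Groove Manager is deliberately configured to reach the relay over its external interface, which is the one case where this section permits inbound 8009 there.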
See Also:
Groove Relay Site Planning
Groove Site Planning Conditions and Requirements
Groove Relay Server Failover
In the unlikely event of Groove Relay failure, a multi-relay installation can reduce the risk of
interrupted or slowed communications within your Groove network. Using the Groove Manager,
administrators can prioritize Groove Relay servers assigned to a management domain. Managed
Groove identities in the domain are then directed to a series of Groove Relays. If one relay is
inaccessible for handling a message from a managed identity in the domain, the Groove client
will contact the next relay in the list and attempt to queue the message on that relay.
In the event of disk failure, you can use the Groove Relay’s FFQBackup and FFQRebuild utilities
to reconstruct databases, as described in the book, ‘Operations for Groove Server Relay’.
In addition, to protect your data and the server operating system from the effects of component
failure, the relay and Groove Manager machines should be equipped with reliable redundant
hard-drive capability, or other fault-tolerant technology.
See Also:
Groove Relay Site Planning
Groove Site Planning Conditions and Requirements
Groove Data Bridge Site Planning
While site planning issues depend largely on your company's specific performance and security
requirements, attention to certain basic issues at the outset can help you determine how best to
incorporate Microsoft Office Groove Data Bridge at your site now and in the future. In order to
set up your network to gain the most from onsite Groove Data Bridge servers, you should
address the following basic questions:
 How many Groove users and workspaces do you need to support with Groove Data Bridge?
This question affects what hardware is necessary to support a Groove Data Bridge server
with the necessary bandwidth at an acceptable performance level.
 What are your security requirements? For example, do you want to limit external access to
HTTP only? These questions affect where you locate Groove Data Bridge servers on your
network and what protocols you need to support.
 What are your disaster recovery requirements? For example, what system outages can you
anticipate, and what are your acceptable limits for system outage or downtime?
The following sections address these questions and related issues.
In this section:
Network Requirements for Groove Data Bridge
Capacity Planning for Groove Data Bridge
Recommended Best Practices for Groove Data Bridge
Failure Contingencies for Groove Data Bridge
Network Requirements for Groove Data Bridge
Before installing a Groove Data Bridge server, you must prepare your site to support Groove
Data Bridge identities that will reside on the Data Bridge server and participate in Groove
workspaces. Since Groove Data Bridge is part of the Microsoft Office Groove Server offering, you
will also need to consider its position in the interconnected environment of Groove Manager
servers, Groove Relay servers, and Groove clients. However, the scope of this Help specifically
addresses the Groove Data Bridge.
Groove Data Bridge servers have the following minimum network requirements:
 Inbound port 2492 should be open for Simple Symmetric Transfer Protocol (SSTP) inbound
transmissions from Microsoft Office Groove clients.
 Inbound port 9080 should be open for external applications making XML/SOAP-based calls
to Groove Data Bridge.
 Outbound SSTP port should be open for SSTP transmissions to Microsoft Office Groove
clients.
 Outbound HTTP port must be open for communications with Groove Relay servers.
The corresponding ports on firewalls and related devices must also be available for
transmissions to the Data Bridge server. Other factors, while they may have some impact on
Groove Data Bridge operation, are primarily driven by your company’s existing network setup
and requirements. For example, you should consider bandwidth availability within your
company’s network as well as your security requirements in order to determine how many
Groove users the Data Bridge servers will support, and where to locate Groove Data Bridge
servers at your site. How you address these requirements ultimately depends on your specific
network capacity and objectives.
See Also:
Groove Data Bridge Site Planning
Groove Site Planning Conditions and Requirements
Capacity Planning for Groove Data Bridge
The Groove Data Bridge has as its core the Microsoft Office Groove client platform. Therefore,
the bandwidth usage and capacity characteristics of Groove clients in an enterprise can provide
a foundation for planning your Groove Data Bridge installation.
Groove bandwidth utilization increases linearly as the number of members in a workspace
increases. Whenever possible, Groove transmits data directly from peer to peer, sending out
individual packets of data to each space member. When data is addressed to a peer that cannot
be reached directly (because the user is offline, behind a firewall, or on a weak internet link, for
example), Groove sends data to Groove Relay servers for replication and distribution, or fan-out.
Whether data is transferred through Groove Relay servers or not, bandwidth utilization relative
to the number of users in a workspace remains linear, but fan-out reduces actual bandwidth
usage.
In planning how to incorporate Groove Data Bridge into your network, you should consider how
many Data Bridge servers you need to regulate the work load. Discuss your company’s usage
scenario (for example, how many users you anticipate supporting with an onsite server and how
many bytes of data they typically transmit per day) with your Microsoft Groove representative
to determine how best to allocate your Groove Data Bridge server setup and when to consider
expansion.
See Also:
Groove Data Bridge Site Planning
Groove Site Planning Conditions and Requirements
Recommended Best Practices for Groove Data Bridge
In managing Groove Data Bridge, follow all the best practices generally recommended for
hosting an Internet server. The following is a useful URL:
http://www.microsoft.com/technet/security/default.mspx
In addition, make sure to consider the following:
 To facilitate system setup in a managed environment, install your Groove Data Bridge and
client devices after installing the Groove Manager.
 To help secure your Groove Data Bridge setup, observe the following guidelines:
 Locate the Data Bridge server and any external applications that integrate to Groove
Data Bridge through Groove Web Services on a private network or in a perimeter
network (also known as screened subnet).
 Install the Data Bridge server as an auto-start Windows service with the Remember
password option selected, reducing vulnerability by minimizing server logins. If you do
not run Groove Data Bridge as an auto-start Windows service, disable the Remember
password option.
 Install the Groove Data Bridge software on a clean machine. Do not try to install Groove
Data Bridge on a domain controller, a Web server (such as IIS), or a machine where
Groove is or has ever been installed.
 To protect the operating system and data from damage or loss as a result of hardware
component failure, make sure to install Groove Data Bridge on a machine with redundant
hard drive capability, typically a hardware RAID 1 or greater (software RAIDs provide
protection for data only, not the operating system).
 Install the Groove Data Bridge server in a private network. See Figure 3 for a suggested basic
setup.
See Also:
Groove Data Bridge Site Planning
Groove Site Planning Conditions and Requirements
Failure Contingencies for Groove Data Bridge
Groove Data Bridge 2007 provides tools that can help you recover from unplanned outages that
may result in data loss. Using the Data Bridge administrative interface, you can schedule
backups of your Groove Data Bridge account, allowing you to save identities, the workspace list,
and properties associated with the server account. In the event of account damage or loss, you
can then use the Groove Data Bridge Install Wizard to restore your account, choosing from a
succession of accounts retained on the server. Once your account is recovered, you can fetch
workspaces onto the server from other workspace members.
One of the most important and simplest precautions you can take to avoid data loss or other
consequences of component failure is to back up the Groove Data Bridge Data directory
regularly (daily or at least weekly), using a third-party backup tool. You can then restore the
server from the backup in the event of severe failure. Back up the Data directory only when the
Groove Data Bridge server is NOT running, as data captured by the external backup facility
during operation can be incomplete or inconsistent, and the restored data may not result in a
functioning server. Note that any data generated after the last full backup is lost unless
workspaces can be fetched from other members who were not affected by the failure.
To protect your data and the server operating system from the effects of component failure, the
Groove Data Bridge machine should be equipped with reliable redundant hard-drive capability.
As with any server installation, you are probably also concerned about total server failure.
Ideally, to address this risk, you would operate Groove Data Bridge in a cluster environment
where additional servers could be installed to provide failover support. Since Groove Data
Bridge server clustering is not yet available, the only comparable alternative is a
resource-intensive one: to invest in a separate Data Bridge server unit that can be set up to take over
Groove Data Bridge services if the primary machine fails.
See Also:
Groove Data Bridge Site Planning
Groove Site Planning Conditions and Requirements