Administrator s Guide

Transcription

1 Administrator s Guide Version 4.0 August 2010 Biscom, Inc. 321 Billerica Rd. Chelmsford, MA tel fax

2 Copyright 2010 Biscom, Inc. All rights reserved worldwide. Reproduction or translation of this publication (in part or whole, in any form or by any means) is forbidden without the express written permission of Biscom, Inc.

3 Notice Information furnished by BISCOM, Inc. is believed to be accurate and reliable. However, no responsibility is assumed by BISCOM, Inc. for its use, or any infringement of patents or other rights of third parties, which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of BISCOM. BISCOM reserves the right to change hardware and software at any time without notice. Information provided in this manual is subject to change without notice.

4 Table of Contents Section 1: Introduction... 9 Topics... 9 Conventions... 9 Section 2: Hardware and Software Requirements Server Hardware Operating System Server Software Database Software Linux-Specific Requirements Mail Server Client Software Installing, Uninstalling, and Upgrading Biscom Delivery Server Installing Biscom Delivery Server Installing the Web services interface Installing the Active Directory Connector Configuring the Active Directory Connector Uninstalling Biscom Delivery Server Upgrading an existing Biscom Delivery Server instance Using IIS as your Web Server on Windows Using SSL Installing SSL on IIS for Windows Installing SSL on Apache 2 for Windows Installing SSL on Apache 2 for Linux Troubleshooting SSL: Section 3: System and Application Configuration System Configuration through fds.properties Server Configuration through the Application Section 4: Encryption Module Encryption and Decryption Keys and Key Management Encryption Utility Section 5: Licenses Licenses Section 6: Starting and Stopping the Application Starting the Application Stopping the Application v

5 Section 7: Signing In for the First Time First Sign In Section 8: System and User Administration Server Information Server Configuration Server Configuration and Notification Settings Microsoft Outlook Add-in Settings (OPTIONAL) Delivery Settings Limited Sender Settings Package Settings User Settings Contact and Group Settings Sign In and Password User Registration User Interface recaptcha Image Verification Settings Manage Users Creating a New User Modifying an Existing User Inclusion and Exclusion Lists Deleting a User Importing Users Manage Users with LDAP or Active Directory Enabling Authentication Using LDAP Defining an Active Directory Authentication Source Configuring the BDS Active Directory Connector (ADC) Defining an LDAP Authentication Source The Field Mapping section is used to map the LDAP attributes to BDS. The only required field is the address.assigning Roles using Groups Viewing an Authentication Source User Registration Pending Registration Requests Completing User Activation Completing User Registration for Pre-Registered Users Section 9: Viewing Reports Users Pending delivery notifications System activity report vi

6 Monitor System Activity Sorting Reports Section 10: Compliance Compliance Role View Packages View Deliveries View Users View System Activity Section 11: Microsoft Outlook Add-in Installing the Microsoft Outlook Add-in Uninstalling the Microsoft Outlook Add-in Upgrading the Microsoft Outlook Add-in Section 12: Managing Processes Contact Synchronization Delivery Notification SMTP Input Handler System Cleanup Section 13: Application Customization Customizing Look and Feel Using your own CSS file Changing the Logo Customizing Text Labels Editing Static Messages Editing Dynamic Messages Customizing Online Help Error Pages Section 14: Backing up the Application Data Directories and Files to Back Up Restoring from a Backup Section 15: Scalability and Server Tiers Scalability Server Tiers Section 16: API Development Extending Biscom Delivery Server Section 17: Support and Troubleshooting Logs Frequently Asked Questions Appendix A: User Import File Format Import Format vii

7 User Import Appendix B: Compression Default list of compressed file extensions viii

8 Section 1: Introduction Topics This Installation Guide is written for system administrators who will be installing, configuring, and maintaining the Biscom Delivery Server application and servers. This guide is for both Windows and Linux versions; places where Windows or Linux specific information differs are noted. This guide will cover the following topics: Hardware and software requirements Installing, configuring, and customizing the application Licenses Starting and stopping the application User management Backing up the application data API development Support and troubleshooting Biscom Delivery Server (BDS) has three types of administrators: Super User, System Administrator, and User Administrator. The primary administrator, who is often the person or persons installing and setting up the system, is typically the Super User. User Administrators have the lowest level of administration, and can create and manage users. System Administrators can modify the system configuration, and Super Users control compliance users and encryption options. Conventions The following conventions are used in this guide: Italic is used for file, variable, and function names. It is also occasionally used for emphasis or to highlight key terms when they are first used or introduced. Fixed width font is used for code examples, file names, and other operating system text or commands. If punctuation and other symbols are used with this style, enter them exactly as shown. Fixed<variable> is used to show a string that contains both fixed and variable text. The variable text is usually left as a placeholder to indicate an area that the user 9

9 or administrator may customize, such as the directory location in which an application is installed. $ <command> [ param1 param2 param3 ] is used in Linux environments to indicate that a command or script should be run from a terminal window. Square brackets indicate that a parameter or additional value should be entered the vertical bar indicates that one parameter or value should be chosen. This document uses Windows file system conventions, e.g. backslashes denote directory separators. If you are using Linux, you should replace backslashes with forward slashes as appropriate. If there are significant differences in the Windows and Linux information, it will be described separately. For the purposes of this document, <BDS HOME> will be used as the location on the server where Biscom Delivery Server was installed. For example, this directory may be: Windows: C:\Program Files\Biscom Delivery Server Linux: /home/admin/bds 10

10 Section 2: Hardware and Software Requirements Server Hardware space. Biscom Delivery Server runs on Microsoft Windows Servers, and certain Linux operating systems. Minimum hardware requirements for BDS are: a machine with a Pentium 4 or higher CPU, 2 GB of RAM, and 50 GB of disk Biscom Delivery Server consists of multiple tiers that run different aspects of the application, including the Web tier, application server tier, and the back-end tier (database and file system). Each tier may be run on separate machines that may be physically located in separate areas of the network for security reasons. The Web tier must reside on a machine that is network accessible to end users who use Biscom Delivery Server through a Web browser, including those who may be external to your network. We recommend having a dedicated machine or machines for use with Biscom Delivery Server. We do not recommend installing Biscom Delivery Server on existing servers that are currently used for other applications. Operating System BDS can be installed on Microsoft Windows Server 2003, Windows Server 2008, RedHat Enterprise Linux 5, and Ubuntu VMware is also supported when running one of the operating systems listed above. Server Software You must be an administrator of the server to install Biscom Delivery Server. The BDS installer package ships with several components, including the Java Development Kit, the Apache Web server, Jakarta Tomcat Java application server, PostgreSQL database, and JK Connector. If you are performing a typical/standard installation, these components will be installed for you. The Web services interface requires a separate binary called axis2.war that needs to be installed in the web applications folder in the Java application server (Tomcat). This is required when deploying the BDS Outlook add-in, or other automation utilities that require Web services. If you enable back-end file encryption, a BDS Super User administrator must run the enctool.bat (Windows) or enctool.sh (Linux). Enctool is the encryption tool that administrators use to enable and disable encryption, and manage encryption keys. A VMware appliance is also available that has the BDS components pre-installed and configured. Database Software BDS uses a SQL database to store information about the software configuration, users, and package meta-data. Files are not stored in the database however. BDS is compatible with several database packages, including PostgreSQL 8.3, Microsoft SQL 11

11 Server 2005, and MySQL 4.1. This documentation focuses on PostgreSQL, which is the default database installed with BDS. Linux-Specific Requirements Mail Server The Linux installation script uses RPM (RedHat Package Management) to install the components make sure your Linux distribution supports RPM before starting the installation. Other distributions that are not RPM-compatible may be installed manually. Please contact Biscom technical support for further information and assistance. The JK Connector bridges the Web server and application server. Because of the differences in Linux operating systems, the connector is compiled from source for each Linux distribution. The compilation requires additional packages that are not included in the BDS distribution. The additional RPMs needed prior to installation: - gcc (for compilation requirements) - apr-devel - apr-util-devel - httpd-devel Please make sure your system has the necessary packages installed for your distribution before starting the BDS installer. BDS uses your existing mail server for notifications sent to delivery recipients as well as access notification to senders when a recipient has viewed a delivery. In order to send these notifications, BDS must have a mail server configured to send these messages. After installing BDS, you can configure the mail server on the Server Configuration page in the Web application. See the section on server configuration later in this manual for detailed instructions. Client Software Biscom Delivery Server client software includes a web browser and the Outlook Addin. The Outlook Add-in integrates with Microsoft Outlook seamlessly. Application and operating system requirements for the modules: Web client: IE 7+, Firefox 2+, and Safari 3+ browsers are supported. If you enable the Java Applet for more robust file uploads and downloads, checkpoint restart, and drag and drop support, the client desktop must have JRE 6 or higher installed. Note: Java 6 Update 20 or higher is the recommended version of JRE for clients. Note: If the user s desktop does not have the proper version of JRE installed, the user will be alerted to this on pages where the Java applet is enabled. Outlook Add-in: Microsoft Office Outlook 2003, 2007, and 2010.NET Framework

12 Installing, Uninstalling, and Upgrading Biscom Delivery Server Before you install, uninstall, or upgrade your server, make sure you are an Administrator of the system with permissions to install and run applications. Note that you should not use the installer for upgrading an existing installation. Installation may destroy data in an existing installation. See the upgrade instructions below if you are upgrading an existing installation and want to preserve any existing data. Installing Biscom Delivery Server Windows: 1. Shut down IIS or any other web servers that are currently running. Note: The Windows installer automatically installs the Apache web server. If you would like to use IIS, see the section on replacing Apache with IIS (p. 22). 2. Install the application. a. Open the directory where the installer is located, either on a CD or the download location. b. Double-click the Biscom Delivery Server installer named: bds-full-<version>.exe and click the Next button to get started. 13

13 c. Accept the Biscom Software End User License Agreement to proceed. d. Enter the directory under which to install Biscom Delivery Server. e. Select Typical or Custom configuration. i. For Typical installation: 1. Enter the values for the following: a. Application name b. Domain name c. Administrator s address 14

14 ii. For Custom installation: 1. Select the components to install (all components are selected by default). 2. Enter the values for the following (same as typical installation step): a. Application name b. Domain name c. Administrator s address 15

15 3. Enter the Web server (Apache) port if different from the default port 80. f. Click the Install button to start installing the components and the Biscom Delivery Server application. Linux: Note: Unlike the Windows installer, the Linux installer does not include a Web server. Most Linux systems already have a Web server installed. If your system does not to have a Web server pre-installed, install one before installing BDS. Apache 2.0.x compiles JK connector 1.2 to link Apache and Tomcat. Apache version 2.2 and higher can use the mod_proxy.so module to perform the redirect that the JK connector would normally handle. 1. Before starting, make sure the following are set up: a. There is a user named admin b. You have root privileges on the system you re installing to, as the installer must be run as root. 16

16 2. Obtain the file named: bds-install-<version>.tar.gz 3. Untar and unzip the file using the following command: $ tar xvfz bds-install<version>.tar.gz 4. Change directories to the newly created directory: $ cd bds-installer-<version> 5. Make sure the user you are logged in as has privileges to install software on your system. This is typically an administrator or root. 6. Run the install script: $./install.sh 7. Biscom Delivery Server will be installed to the following directories: a. Application Server: /usr/local/tomcat b. BDS HOME: /<home directory of installation user>/bds Installing the Web services interface To support the Outlook add-in and desktop client, you must install the Web services interface, axis2.war. Deploying this is as simple as copying the axis2.war file to the default web applications folder in the Java application server. For the default application server Tomcat, copy axis2.war to: Windows: <BDS installation directory>\components\tomcat- 5.5\webapps Linux: /usr/local/tomcat/webapps To test the successful deployment, from the server on which you installed BDS, start up the application server and point your browser to to ensure the Web services application is running. You should see the Apache Software Foundation logo and text indicating the axis2 application has been successfully deployed. 17

17 Installing the Active Directory Connector BDS uses a client application called the Active Directory Connector (ADC) to enable user authentication using Microsoft Active Directory. Note: The AD connector is used only when authenticating to an Active Directory server. It is not required to authenticate against an LDAP server. ADC should be installed on a Windows-based machine by a user who has the proper permissions to install a Windows service, and the service should have appropriate rights or permissions to your AD server. Typically, the ADC can be installed on the same machine on which you ve installed BDS (e.g. the application server), but it can also be installed on a machine that has the ability to connect to both the BDS machine as well as the AD server. If you are experiencing issues connecting to your AD server with the built-in connector, follow the steps below to install the ADC on your Windows machine. 1. Download the BDS AD Connector installer to the machine on which you will be installing the software. 2. Verify that this machine has access to the AD server. 3. Double-click the installer and follow the prompts. The installer will create a new service called BDSADConnector. 4. Verify that the service is installed and it has been started. If the service is stopped, start the service up. We recommend you set the Startup type to Automatic to start when the machine starts up. 5. From the machine on which you installed BDS, verify that you can connect to the AD Connector service. The default port for the AD Connector is To configure the connection, follow the instructions in the section Manage Users with LDAP or Active Directory. Configuring the Active Directory Connector The AD Connector configuration file is located in the application data folder for the user associated with running Windows services. To find the exact location of the configuration file, open the Windows Event Viewer, and look for events with BDSADConnector as the Source. Double-click to open an event and look in the description field for the directory path where the BDS AD Connector is located (it may not exist in every event, so if you do not see the directory path, open another event until you find it). Go to the Application Data directory and edit the ADConnector.conf file. If GC support is required, you must modify the ADConnector.conf file with the following: 18

18 ############ AD Connector Configuration ############ port = groupmembershipinfomode = querymode gclookupxml = <gclookup>\ < pattern= *@biscom.com >\ <extauthsrcdomain>biscom.com</extauthsrcdomain>\ <gc>biscom.com</gc>\ <galdomain>biscom</galdomain>\ </ >\ </gclookup> Note: The backslashes used in the gclookupxml property are used to denote continuation of the value on multiple lines. If you enter the value of the property on a single line, the backslashes are not needed. gclookupxml: o o o Any addresses that match the pattern specified here will use the global catalog to look up the username. The pattern supports wildcard symbols. Multiple s can be specified, and must be separated by commas. extauthsrcdomain: This must match the Authentication source name defined in the Server Configuration page in BDS. galdomain: This value must match the Domain name (short) value specified in the Manage Exchange Server connections configuration located in the Contact and Group Settings section of the Server Configuration page. Uninstalling Biscom Delivery Server Note: Uninstalling Biscom Delivery Server will remove all user data, including all packages and deliveries. Windows: Linux: 1. From the Start menu, go to the Biscom Delivery Server program group, and open the Uninstall Biscom Delivery Server application. 2. Select the components to uninstall (all components are selected by default). 3. Click the Uninstall button. The components will be shut down (if they are currently running) and uninstalled. 4. After uninstalling the application, you may be asked to reboot the system. 1. Log on as the user who installed Biscom Delivery Server initially (e.g. a user with administrator or root privileges who can add/remove software). 2. Change directories to the location you extracted the tar.gz installer. 19

19 3. Run the command: $./uninstall.sh Upgrading an existing Biscom Delivery Server instance Upgrading BDS is a non-destructive process. All data will be preserved during the upgrade, but we recommend that you perform a full backup before starting the upgrade. Upgrading BDS involves the following files and an upgrade script: bds.war: the application biscom-ds.jar: a BDS library biscom-shared.jar: a shared library axis2.war: Web services interface upgrade.bat (Windows) or upgrade.sh (Linux): a script to perform the upgrade The upgrade script is able to upgrade from any previous version to the latest version automatically. Follow the instructions below for your operating system. Note: You should back up your data before performing an upgrade, including the data directory, recycle bin directory, configuration files, custom style sheets and logos, and log files. You should also export and back up all database data. See the section below on backing up your data. Windows: 1. From your CD or from the download location, find the upgrade files. The files required for upgrading are: a. bds.war b. biscom-ds.jar c. biscom-shared.jar d. axis2.war 2. Shut down the application server (e.g. Apache Tomcat) through the Manage Services screen. Note that the Web server does not need to be shut down. 3. Delete any cached versions in the following folders under Tomcat (including the folder itself): 20

20 a. <BDS HOME>/components/tomcat-5.5/webapps/bds b. <BDS HOME>/components/tomcat-5.5/webapps/axis2 c. <BDS HOME>/components/tomcat-5.5/work/Catalina 4. In the existing installation, back up all files in the lib directory (<BDS HOME>/lib). 5. Copy the biscom-ds.jar, biscom-shared.jar, bds.war, and axi2.war to the lib directory. 6. Open a command window and go to the <BDS HOME>/tools directory. 7. Run upgrade.bat. 8. In the Manage Services screen, restart the application server. 9. Log on to the Web application and go to the System and User Administration > Server Information page and verify the version number. Linux: 1. Log on as the administrative user who initially installed the application. 2. From your CD or from the download location, find the upgrade files. The files required for upgrading are: a. bds.war b. biscom-ds.jar c. biscom-shared.jar d. axis2.war 3. Shut down the application server (e.g. Apache Tomcat): $ su <- must be logged in as root $ /etc/init.d/tomcat stop $ ps waux grep java <- check until the Tomcat process is no longer running $ exit <- exit back into the admin user which installed the application 4. Delete any cached versions in the following folders under Tomcat (including the folder itself):: $ rm -r /usr/local/tomcat/webapps/bds* $ rm -r /usr/local/tomcat/webapps/axis2* $ rm -r /usr/local/tomcat/work/catalina 5. In the existing installation, back up all files in the lib directory (<BDS HOME>/lib). 21

21 6. Copy the biscom-shared.jar and biscom-fm.jar upgrade files to the lib directory. 7. Copy the application bds.war and axis2.war to the webapps directory in Tomcat: $ cp bds.war /usr/local/tomcat/webapps $ cp axis2.war /usr/local/tomcat/webapps 8. Go to the tools directory and run the upgrade script: $ cd ~/bds/tools $./upgrade.sh 9. Restart the application server: $ su <- must be logged in as root $ /etc/init.d/tomcat start Using IIS as your Web Server on Windows On Windows servers, IIS can be used instead of Apache. Apache does not need to be uninstalled, but Apache should be shut down through the Computer Management console and startup should be set to manual so it does not start automatically when Windows starts. IIS requires a DLL that will redirect requests from the Web server to the application server. 1. Ensure that IIS is installed and running. From the web server machine, open a web browser and go to the URL and verify that the default IIS page comes up. 2. Ensure that BDS is installed and running by accessing BDS through the application server directly. Visit and verify BDS is running. Tomcat runs on port Verify that you have the following files saved in the application server configuration directory (e.g. C:\Program Files\Biscom Delivery Server\components\tomcat-5.5\conf): a. workers.properties b. uriworkermap.properties c. isapi_redirect.properties d. isapi_redirect.dll Note: The isapi_redirect.dll binary file is different for 32 and 64-bit platforms. The latest binaries can be found here: 4. Open isapi_redirect.properties and update the properties to match your local configuration (e.g. if you selected an installation directory different than the default directory, you will need to update the property values accordingly). Sample file: 22

22 # Configuration file for the Jakarta ISAPI Redirector # The path to the ISAPI Redirector Extension, # relative to the website # This must be in a virtual directory with execute # privileges extension_uri=/tomcat/isapi_redirect.dll # Full path to the log file for the ISAPI Redirector log_file=c:\program Files\Biscom Delivery Server\components\tomcat- 5.5\logs\isapi_redirect.log # Log level (debug, info, warn, error or trace) log_level=debug # Full path to the workers.properties file worker_file=c:\program Files\Biscom Delivery Server\components\tomcat- 5.5\conf\workers.properties # Full path to the uriworkermap.properties file worker_mount_file=c:\program Files\Biscom Delivery Server\components\tomcat- 5.5\conf\uriworkermap.properties 5. Open the IIS management program: Control Panel -> Administrative Tools - > Internet Information Services. Expand local computer -> Web Sites -> Default Web Site. 6. Create a virtual directory for the default web site: a. Right click the Default Web Site. b. Select New -> Virtual Directory. c. Click Next, enter tomcat as the alias. d. Click Next, browse to the Tomcat conf directory (that contains the isapi_redirect.dll file), click OK. e. Click Next, check the Execute checkbox. f. Click Next and finally click Finish. 7. Add an ISAPI filter for the default web site: a. Right click the Default Web Site. b. Select Properties. c. Click on the ISAPI Filters tab. d. Click Add... e. Specify tomcat as the Filter Name f. Browse and select isapi_redirect.dll in the Tomcat conf directory as the Executable g. Click OK. 23

23 h. Click OK again to close the properties. 8. Verify Directory Security settings by opening the properties for the web site: a. Select Directory Security -> Edit Authentication and Access Control. b. Make sure that anonymous access is checked, and all authenticated access checkboxes are unchecked. 9. On Windows 2003 Server, IIS has a Web Service Extensions folder. Select this folder and open the Add a new Web service extension from the rightclick menu or from the links to the left of the list of extensions. 10. Name the extension (e.g. "Tomcat"). a. Add the file isapi_redirect.dll. b. Check the Set extension status to Allowed checkbox. c. Click OK to add the extension. 11. Ensure IIS and Tomcat are running. Open a browser window and enter the URL: If everything is set correctly, the BDS sign in page should come up. 12. To troubleshoot, refer to the ISAPI log file specified in the isapi_redirect.properties file. Using SSL Biscom Delivery Server supports the use of SSL (Secure Sockets Layer) to encrypt all transmissions between the client Web browser and the Web server. When Biscom Delivery Server is installed, SSL is not installed by default. SSL must be installed and configured after Biscom Delivery Server is installed. We recommend all users to log on to Biscom Delivery Server using SSL to ensure the highest level of security. SSL installation is independent of the Biscom Delivery Server application. Refer to your Web server documentation or Certificate Authority documentation for information on obtaining and installing an SSL certificate on your Web server. The documentation reviews the steps for creating a certificate request or certificate signing request, but you must submit the request to your Certificate Authority yourself. Different CAs may have different procedures for generating a SSL certificate. Once you have received the SSL certificate, you can continue following the instructions below to install the certificate on your server. Installing SSL on IIS for Windows 1. Right click on the Web site that you are setting up to use an SSL Certificate, and select Properties. 24

24 2. Click on the Directory Security tab, then the Server Certificate button. 3. Select Create a new certificate radio button and click Next. 4. Select Prepare the request now, but send it later and click Next. 5. Enter a name for the certificate, this can be any name that is easy for you to refer to and remember. Leave the Bit length as 1024 and make sure Select cryptographic service provider (CSP) for this certificate is unchecked. 25

25 6. Enter your company s name and organizational unit, then click Next. 7. Enter the common name of the server, this will need to be the exact host name that will be assigned to the server and it will have to match the URL that is entered to visit the site (e.g. for the URL the common name is 26

26 download.biscom.com). 8. Enter the correct geographical information, then click Next. 9. The Certificate Request file will be saved to C:\certreq.txt by default. This file must be sent to a certificate authority for signing. They will send 27

27 back a file with the extension.cer. 10. After obtaining the signed.cer file from the Certificate Authority, go back to IIS on the server and right click on the Web site and click properties. 11. Click on the Directory Security tab and then the Server Certificate button. 12. Click Next. 13. Select Process the pending request and install the certificate. 14. Enter the path to the.cer file that was sent to you from the Certificate Authority. 15. Click Next. The SSL certificate should now be installed on the Web site and ready for use. If you want to strictly use the SSL protocol and not allow standard HTTP connections, in the properties of the Web site in the Directory Security tab, under Secure Communications, click the Edit button, check off Require secure channel (SSL), and then click OK. Installing SSL on Apache 2 for Windows 1. Make sure Apache is running and working on port 80 (http). 2. Update the Apache configuration file located here: <BDS HOME>/ /components/apache-2.0/conf/ssl.conf. 3. Start the Apache server and test the 443 port is working by going to the URL -- it won't be encrypted but it should show a valid web page. 4. Get OpenSSL v.1.0 or higher and generate a certificate signing request (CSR). a. Get OpenSSL here: 28

28 Go to the download section and find the appropriate version of the Win32_OpenSSL installer (e.g. 32- or 64-bit). Our example will use Apache and OpenSSL version 1.0.0a. b. Copy: bin\openssl.exe to a working directory c. Update ServerName and DocumentRoot d. Copy: openssl.cnf to the same working directory 5. Create a test certificate. a. Open a cmd window and navigate to the working directory that contains openssl.exe b. Enter command to create the CSR: openssl req -config openssl.cnf -new -out server.csr When asked for "Common Name (e.g., your website s domain name)", give the exact domain name of your web server c. Enter command to remove the passphrase: openssl rsa -in privkey.pem -out server.key d. Enter command to generate a certificate: openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365 e. Create directories: i. <BDS HOME>/components/Apache-2.0/conf/ssl.crt ii. <BDS HOME>/components/Apache-2.0/conf/ssl.key f. Copy: server.cert to the ssl.crt folder g. Copy: server.key to the ssl.key directory 6. Configure Apache and mod_ssl. a. Copy: mod_ssl.so to <BDS HOME>/components/Apache- 2.0/modules b. Ensure httpd.conf has the line uncommented: LoadModule ssl_module modules/mod_ssl.so c. Edit ssl.conf i. Enter path to the certificate for: SSLCertificateFile conf/ssl/server.crt ii. Enter path to the key for: SSLCertificateKeyFile conf/ssl/server.key iii. Copy the jkmount directives from http.conf to ssl.conf so that users can be redirected to the application properly when using HTTPS. Make sure that these jkmount directives go into inside the <VirtualHost _default_:443> element. 7. To generate a valid certificate for use in your production site, you must contact a Certification Authority (CA) such as Verisign, GeoTrust, Comodo, GoDaddy, etc., and provide your CSR. 29

29 Installing SSL on Apache 2 for Linux Note: These instructions are to be used as a guide only, as actual instructions and procedures may vary slightly depending on your Linux distributions. 1. Make sure Apache is running and working on port 80 (http). 2. Update the Apache configuration file located here: /etc/httpd/conf/httpd.conf. a. Update: ServerName <your server domain name> 3. Start the Apache server and test the 443 port is working by going to the URL -- it won't be encrypted but it should show a valid web page. 4. Make sure OpenSSL is installed and in your PATH. 5. Create a RSA private key called server.key: $ openssl genrsa -out server.key Create a Certificate Signing Request (CSR) with the server key (output will be PEM formatted). You will need information such as your company name, location, and hostname for the server on which you will be installing the SSL certificate: $ openssl req new key server.key out server.csr 7. Use the server.csr file to generate a certificate for use in your production site. You can submit your CSR file to a Certification Authority (CA) such as Verisign, GeoTrust, Comodo, GoDaddy, etc., and provide your CSR. Follow the instructions on their site for proper submission. Once the CSR is signed, you will receive a signed certificate server.crt. 8. Place the returned, certified server.crt file and the previously generated server.key file into the directories referenced by /etc/httpd/conf.d/ssl.conf (with the SSLCertificateFile and SSLCertificateKeyFile directives). 9. Ensure mod_ssl.so exists in the /etc/httpd/modules directory: LoadModule ssl_module modules/mod_ssl.so Include /etc/httpd/conf.d/ssl.conf 10. Restart Apache with: $ service httpd restart 11. You can verify SSL is functioning correctly a number of ways: $ openssl s_client connect localhost:443 state debug $ curl $ curl Troubleshooting SSL: - Look at the following tutorials: If Apache doesn't start from the Service, look at the Application Log under Event Viewer/Application for useful debugging information. 30

30 Section 3: System and Application Configuration Biscom Delivery Server uses a properties file named fds.properties to configure several server settings. Other Biscom Delivery Server configuration is handled through the Web application. The configuration file is located in the config directory under the location that Biscom Delivery Server was installed, e.g. <BDS HOME>\config\fds.properties. System Configuration through fds.properties Any time the configuration file is updated, you will need to restart the application server. See the section below on starting and stopping the application. The configuration file has the following format: ################ Server Configuration ################ domainname = secure.my-server.com appname = bds docroot = c:\\apps\\bds\\data protectedrecyclebindir = c:\\apps\\bds\\recyclebin licensefile = c:\\apps\\bds\\license\\license.xml ldapconffilename = c:\\apps\\bds\\config\\ldap.conf ldapdefaultdomain = biscom.com ldapdefaulttimeout = 5 upnauthuserlist = *@corp.my-company.com, *@corp2.mycompany.com upnauthgaldomain = Biscom compressionextexclusionlist = zip, rar, jpg compressionextinclusionlist = asp, aspx Note: The backslash used to separate directory names in Windows must be escaped by using another backslash. Any directory locations using backslashes must be escaped in the properties files. For Linux, the double backslashes should be replaced with a single forward slash. These properties can be updated to meet the specific needs of your organization: domainname: The hostname of the machine that Biscom Delivery Server has been installed on. By default, this value is set to localhost. appname: The application name. This appears in the URL after the domain name, e.g. docroot: The location of the user data files (note that this is not the Web server document root). 31

31 protectedrecylebindir: The location where the system places deleted files (e.g. when a user deletes a package). The system permanently deletes these files periodically using the cleanup process (described later). licensefile: The location in which the license file resides. See the section on Licenses for more information. ldapconffilename: This points to the LDAP configuration file. This is an internal property and should not be changed by the administrator. ldapdefaultdomain: The default domain to use if no domain is specified when a user signs into the application. If this is defined, administrators may want to hide the domain field in the sign in page to reduce potential confusion for the user. ldapdefaulttimeout: The default timeout for LDAP queries. upnauthuserlist: A comma separated list of users who can use their User Principal Name (UPN) to authenticate against their AD or LDAP server. This value can include patterns using wildcard symbols. When this optional property is defined, matching users can use their UPN to sign in, typically their addresses, and their AD or LDAP password. upnauthgaldomain: To enable users authenticating with their UPN to access the global address list, this property must be defined. The value of this property is the Domain name (short) value specified in the Exchange Server connection. compressionextexclusionlist: When the applet is used for file upload and download, you can define a comma-separated list of extensions for which compression will not apply. For example, you can specify zip, rar, and jpg as file extension. If these file extensions are seen in a filename, the file will not be compressed. Typically, this is for files for which compression will not significantly reduce file size, so the additional computing power used is not efficient. Note: compression is only used when the applet is enabled and used by the client. Compression is applied to files within the client, and is transparent to the end user. compressionextinclusionlist: You can specify a comma-separated list of extensions that should be compressed that are not covered by the default list of extensions. Server Configuration through the Application Several aspects of server configuration are handled through the application s interface. Most of the configuration is application-specific rather than server-specific. This is covered in the System and User Administration section. Changes to the application configuration do not require a system restart. 32

32 Section 4: Encryption Module BDS supports back-end encryption for files that are stored in the file system. BDS uses Advanced Encryption Standard (AES), a symmetric key encryption algorithm that is the current NIST-approved encryption algorithm, to encrypt files. Encryption is an optional module and can be enabled or disabled using a command line utility. Key management is also performed using the command line utility. Encryption and Decryption When you enable encryption, files that are uploaded and saved in packages are encrypted automatically. When an encrypted file is downloaded, BDS automatically decrypts the file and sends the unencrypted file to the requester. Keys and Key Management AES is a symmetric encryption algorithm that uses secret keys to perform the encryption. Managing these keys is an important aspect of encryption, and includes tasks such as key generation, selection, storage, and backup. The secret keys used to encrypt files are also stored on the file system in an encrypted format. BDS internally manages the encryption of the secret keys. The encrypted keys are stored by default in the <BDS HOME>/kr directory. This location can be changed using the utility. When you enable encryption for the first time, a secret key is generated. The generated key will be selected as the default secret key for BDS. You can generate additional keys later, and change the default key to one of the newly generated keys. Additional key management features, such as removing keys, can be found in the utility s Advanced Options. Encryption Utility The encryption utility is a command line tool that is accessible only to BDS users with the Administrator role. The utility is available in the <BDS HOME>/tools directory, and can be started by running enctool.bat on Windows, and enctool.sh on Linux. Note: Before starting the encryption utility, all BDS components should be shut down. C:\BDS\tools>enctool.bat NOTE: All BDS components must be shut down before using this tool. Please verify that all BDS components have been shut down. Then enter C to continue or X to exit. Continue/exit (C/X)? C 33

33 Username: admin1 Password: ****** If sign in succeeds, the user will see the current encryption setting and the main menu: Encryption is not enabled. Main menu: 1. Enable/Disable encryption 2. Encrypt file system 3. Decrypt file system 4. List keys 5. Create a new key 6. Change key storage location 7. Change the default key 8. Advanced options 9. Exit Option: Enable/Disable encryption This menu item will be Enable encryption if the current system is not encrypted. If the system is already encrypted, then the menu will be Disable encryption. If encryption is enabled, all files uploaded from that point forward will be encrypted. Existing files stored in unencrypted form will not be encrypted automatically. If encryption is disabled, all files uploaded from that point forward, will not be encrypted. Existing files that are encrypted will not be automatically decrypted. Because this option can be toggled at any time, it is possible that some files in the system may be encrypted while others will not. The system handles both encrypted and unencrypted files automatically and no input or maintenance is needed by an administrator. Encrypt file system If encryption is enabled, then selecting this option will encrypt all unencrypted files in the file system. This is a potentially lengthy operation, and time considerations should be factored in before selecting this option. Example: Are you sure you want to encrypt all unencrypted files (Y/N)? Y 34

34 Processing file 386 of 4828 (8% complete); Time remaining: 1 hr 29 min When all files have been processed, the following should be displayed: Encrypted 4828 files. Total time: 1 hr 20 min. Press any key to continue... Decrypt file system Decrypting the entire file system will decrypt all encrypted files in the file system. Like the encryption option, this is potentially a lengthy operation and should be considered before proceeding. Example: Are you sure you want to decrypt all encrypted files (Y/N)? Y Processing file 3476 of 4828 (72% complete). Time remaining: 23 min When all files have been processed, the following should be displayed: Decrypted 4828 files. Total time: 41 min. Press any key to continue... Listing keys This option lists all existing keys used in the system. The current key used for encryption will be highlighted. Example: 1. k1 07/04/07 2. k25 12/26/07 3. k /01/08 default Press any key to continue... Creating a new key This option is used to add a key to the system. Keys are generated automatically by the system and no input is required from the user. Example: Key k generated successfully. 35

35 Press any key to continue... Changing key storage location The default storage location is <BDS_HOME>/kr. Use this option to change the location. Example: Current directory for keys: C:\BDS Are you sure you want to change the directory (Y/N)? Y Please enter new directory: D:\SecretKeyLoc Directory for storing keys updated successfully. Press any key to continue... Changing the default key To change the default key used to encrypt files, select the key from the list of keys. When the default key is changed, all files moving forward will be encrypted using the new default key. Existing files will not be re-encrypted. To change all existing files to use the new default encryption key, set the default key here, and then encrypt the entire file system using the Advanced Options menu (see below). Example: List of keys: 1. k1 07/04/07 2. k /26/07 3. k /01/08 default Are you sure you want to change the default key (Y/N)? Y Please enter the number of the key you want to select as default: 2 Default key changed to k successfully. Press any key to continue... Advanced options: encrypt full file system The encryption option in Advanced Options provides the ability to change the encryption of all files, including existing files encrypted using different keys. (The standard encryption option, described above, only encrypts unencrypted files, and leaves encrypted files alone.) Example: Are you sure you want to encrypt all files (Y/N)? Y 36

36 Processing file 3882 of (12% complete); Time remaining: 9 hr 20 min When all files have been processed, the following should be displayed: Encrypted files. Total time: 10 hr 29 min. Press any key to continue... Advanced options: remove a key Removing keys from the system requires all files encrypted using the key to be decrypted first. If encryption is currently set to enabled, the files must also be reencrypted using the default encryption key. Once all files have been decrypted, the selected key is removed from the system. Example: List of keys: 1. k /26/07 3. k /01/08 default Are you sure you want to remove a key (Y/N)? Y Please enter the number of the key you want to remove: 1 Are you sure you want to remove key k (Y/N)? Y Processing file 3781 of 8795 (43% complete) encrypted using key k120234; Time remaining: 2 hr 23 min When all files have been processed, the following should be displayed: Processed all files encrypted using key k Key k has been removed. Press any key to continue... 37

37 Section 5: Licenses Licenses Biscom Delivery Server installs a 15-day trial license by default, which supports ten Senders and unlimited recipients. Biscom Delivery Server licenses are XML files that contain information on product features and licensed modules. The license requires a valid license key and serial number. These are used in conjunction to verify the validity of the license. Modifying these values (e.g. the product, module, expiration date, maximum senders, or other features) will invalidate the license. A license will have the following structure: <?xml version="1.0" encoding="utf-8"?> <bds-licenses> <license key="001242w120fd87q1a7d110650d3003lep90"> <product>bds</product> <module>base</module> <serial-number>trial</serial-number> <expiration>d30</expiration> </license> </bds-licenses> To install a new license, obtain the license XML file and place it in the license directory (as specified in the fds.properties configuration file). Open the fds.properties file and update the value for the licensefile property by specifying the name and directory location of the license file. See the section on System and Application Configuration for more information on the fds.properties file. After copying the license to the proper license location, stop and restart the application server to enable the new license. 38

38 Section 6: Starting and Stopping the Application Starting the Application The installation scripts normally start up the applications upon completion or after a server reboot. But in cases where the application is not running, use the following steps to start the application. Windows: 1. Log on to the computer with a user that has privileges to start and stop Windows services. 2. Open the Windows Services manager by going to Start Menu > Control Panel. Double-click the Administrative Tools icon, and then double-click the Services icon. 3. Start up the services in the following order if not already started: a. Database (PostgreSQL by default). b. Web server (Apache2 by default). c. Application server (Apache Tomcat by default). Biscom Delivery Server should now be running and accessible. Linux: 1. Log on to the computer as a user that has privileges to start and stop the application server, web server and database server (often an administrator or root). 2. Ensure the Web server is running. This will vary from system to system use the command you are most comfortable with. For example, the following command may be used: $ /etc/init.d/httpd [ start restart ] 3. Ensure the database is running. This will vary from system to system use the command you are most comfortable with. For PostgreSQL, the following command may be used: $ /etc/init.d/postgresql [ start restart ] 39

39 4. Start up the application server. For Apache Tomcat the following command may be used: $ /etc/init.d/tomcat [ start restart] Biscom Delivery Server should now be running and accessible. Stopping the Application To stop the application, simply shut down the application server. Some changes to the configuration will require a restart of the application server. The Web server and database server usually do not need to be shut down and restarted for configuration updates. Windows: 1. Log on to the computer with a user that has privileges to start and stop Windows services (usually an Administrator of the system). 2. Open the Services manager by going to Start Menu > Control Panel. Double-click the Administrative Tools icon, and then double-click the Services icon. 3. Find the application server (e.g. Apache Tomcat) service and click the Stop button. 4. Optionally stop the PostgreSQL and Apache2 services if desired. Linux: 1. Log on to the computer as a user that has privileges to start and stop the application server, web server and database server. 2. To stop the application server: $ /etc/init.d/tomcat stop 3. To stop the Web server: $ /etc/init.d/httpd stop 4. To stop the database server: $ /etc/init.d/postgresql stop 40

40 Section 7: Signing In for the First Time First Sign In Now that you ve completed the initial installation and started up the application, you re ready to sign in for the first time. Fresh installs of Biscom Delivery Server have a single user preconfigured who has been assigned the Administrator role. The username is admin and the password is admin. This is a temporary password which should be changed as soon as possible. One of the first tasks is to configure the application to work in your environment setting default behavior, customizing the look and feel, and setting default parameters. Once the system is configured properly, the next task is to create users, including other Administrators who can manage the system and users. You can create as many users with Administrator, Report, and Recipient roles. However, you are limited to creating only up to the licensed number of Senders you have purchased. The steps to get the server prepared for users to start sending files: 1. Specify an SMTP mail server to use to send delivery and access notifications. This is performed in the Server Configuration section and is described in more detail below. 2. Customize the application with your organization s messages, logo, etc. The common customization done are: a. Company name and system b. Logo c. Text in the sign in page d. Delivery notification message e. Footer text in delivery notifications f. User registration behavior g. Package settings and restrictions 3. Create users manually (one at a time) or import them from an XML or CSVcompatible spreadsheet. Also, if you are using LDAP or Active Directory, assign users and roles using security groups. 4. Sign in as a Sender and create a package and deliver it. 41

41 Section 8: System and User Administration Administrators have access to system configuration and user management. From the Home page, click the System and User Administration icon or click the System and User Administration link. Server Information Server information contains configuration settings and system statistics including license serial number and key, number of Senders supported by the license, users and roles currently active, pending, and disabled, and the number, size, and status of all packages and deliveries. Server Configuration The primary application configuration happens in the Server Configuration 42

42 page. This page contains multiple sections ranging from delivery and package settings, to user registration, user interface, and authentication. Configuration updates are reflected immediately in the application without requiring an application server restart. Any user with the System Administrator or Super User role can update the system configuration by going to System and User Administration > Server Configuration Server Configuration Company name: Name of your company. System name: The system name that is used when a system generated or other notification is sent to a user. This is used, for example, when a user resets his or her password the system will notify the user via , and the will be signed using the system name. Administrator One or more addresses of administrators who will receive s from the system for various notifications. Time zone: Specify the time zone in which the server resides. Locale language: The language used for the locale. Currently, en is the only supported language. Locale country: Currently, US and GB are the only countries supported. and Notification Settings BDS sends notifications to recipients of deliveries, as well as to senders when a recipient has viewed a delivery. BDS leverages your existing mail server when sending notifications and you must specify your mail server to enable notification. The mail server configuration is found by signing into the Web application as an Administrator and opening the System and User Administration > Server Configuration page. Enter the mail server information and if required, any authentication information in the Notification Settings section. 43

43 Notification mail server: Enter the SMTP server to use for sending out delivery and access notifications. Notification mail server username: If the mail server used to deliver notifications requires authentication, enter the username for authentication - otherwise, leave this property blank. Notification mail server password: If mail server authentication is required, use this property to enter the password for authentication - otherwise, leave this property blank. Confirm notification mail server password: Re-enter the password to confirm. Notification sender: Sets the notification address that sends the notification. Set this property to SENDER to use the address of the user who has sent the delivery. Notification link protocol: This specifies the protocol used for the delivery URL in the notification sent to recipients. Set to http by default. Can be set to https if an SSL certificate has been installed on the Web server. Notify user when password reset by an administrator: Whether to send an to the user when an administrator resets the user s password. Notify user when password reset by user: Whether to send a confirmation to the user when the user resets his or her own password. System notification sender: This sets the address from which system notifications are delivered. For example, this is the address that Senders receive when a recipient views a delivery. If no value is entered for this property, the address will be notify@<domain name>. Populate username for delivery notification links: If set to Yes, the application will populate the username field automatically when recipients click on the delivery link. 44

44 Microsoft Outlook Add-in Settings (OPTIONAL) These settings are used for the optional SMTP API module only. If purchased, the SMTP API enables applications to send an SMTP message along with commands to create and send deliveries. Allow SMTP Input (API): Set this to Yes if your server supports the SMTP API. This is an optional module. Outlook server: The IP address or host name of your mail server used with the SMTP API. Outlook mail server username: The username to log onto the mail server to retrieve messages sent to the SMTP API. Outlook mail server password: The password to log onto the mail server to retrieve messages sent from the Outlook Add-in. Confirm Outlook mail server password: Re-enter the password to confirm. Note: This is a deprecated configuration for an earlier version of the BDS Outlook add-in. The later versions of the BDS Outlook addin do not use this API. To configure the newer BDS Outlook add-in, click on the Configure Outlook add-in policies link. The configuration is described in detail in the section on the BDS Outlook add-in. For Outlook add-in policies and configuration, see the section on Microsoft Outlook Add-in below. 45

45 Delivery Settings Default secure message: If text is entered for this property, it will be the default secure message used when creating deliveries. Note: This secure message does not apply to deliveries created with the Outlook Add-in; the add-in only uses the text entered in the original message. Default delivery notification message: If text is entered for this property, it will be the default message used for delivery notifications. This message can be change or deleted by senders before sending the delivery out. Delivery notification footer: If text is entered for this property, it will be appended to the bottom of all notification messages. This message is always sent with the notification message and cannot be deleted by the sender. For example, a privacy policy or confidentiality statement may be entered here. 46

46 List files in delivery notification message: If checked, the notification message will contain a list of all files sent through BDS. Unchecking this will suppress the file listing. Delivery expires after (in days): If a number is entered for this property, it is used to calculate and enter a default delivery expiration date when a delivery or express delivery is created. A sender can delete this expiration date before sending the delivery. Always require recipients to sign in: This setting allows administrators to remove the Require recipients to sign in checkbox as one of the delivery parameters. If set to Yes, senders cannot create no sign-in deliveries, and any existing deliveries that did not require sign in will immediately require users to sign in. Require recipients to sign in by default: This is the value used in checkboxes for deliveries. For Outlook add-in deliveries, because the sender does not have the option to choose the sign in requirement, this value will be used. For example, if this is set to Yes, then any Outlook add-in deliveries will require sign in; if set to No, the Outlook add-in deliveries will not require sign in. Enable secure reply: The secure reply feature may be enabled or disabled. When disabled, recipients of deliveries cannot send messages or files back to the sender. When enabled, administrators have the option of showing or hiding the secure reply section. When hidden, the user must click the reply button to open the reply section. If this feature is disabled, all existing deliveries will no longer have the reply option. However, any existing replies will still exist and are accessible by users. Express Delivery: Show options/hide Options: You can simplify the express delivery page to show only the most critical sections of the form. You can decide whether to show all delivery options, or hide the delivery options, minimizing the information requested. If delivery options are hidden, users can easily unhide them by clicking a Show options link. Configure limited sender settings: Click this link to go to the limited sender configuration page and define delivery settings for users who do not have the Sender role assigned. If you click this link before updating the configuration, any changes you made will be lost. Limited Sender Settings View and update the limited sender settings on this page, including enabling and disabling this feature. Limited sender can be configured to give external users the ability to send files into an organization, but restricts various features that full senders can access. Some of the limitations of a limited sender compared to a full sender: 100MB file size upload limit Standard file upload, no access to Java applet for drag and drop, checkpoint restart 47

47 Three files maximum can be uploaded per delivery No notification to the limited sender when a delivery is viewed by recipients Recipients cannot securely reply to a limited sender No access to detailed delivery reports Deliveries created by limited senders can be viewed in the Deliveries Sent page, but cannot be edited. Other restrictions may apply, based on the settings defined in this section by an administrator. Enable limited senders: To enable limited sending for non-senders, set this value to Yes. This will provide a delivery page with the restrictions settings defined below. Require sender to sign in: If this is checked, only authenticated users will have the ability to create limited deliveries. If unchecked, the limited delivery capability is available even without signing into the application. This enables administrators to provide the limited delivery form outside the application. Senders using this form will be required to enter their address before a delivery can be created. Note: If you do not require senders to sign in, users can potentially create deliveries and spoof the sender s address. Recipient settings 48

48 o o Allow user to type in: Select this to permit users to freely enter any address in the recipient field. Administrators can restrict the recipients to certain domains or even individual addresses by entering patterns and addresses in the Restrict recipients to text box. Use default value: Select this to automatically send deliveries to a specific address. The recipient can be displayed to the sender (if the Visible checkbox is checked) or hidden. Message settings: You can show or hide the subject field or message field to the sender. If the subject field is hidden, a default subject message is used. If the message field is hidden, the default secure message defined in the system configuration is used. File upload settings: You can select the number of file upload slots to display, from zero to three slots. You can also limit the size of the files a limited sender can upload. Maximum size specified applies to each individual file. Delivery settings: Limited senders do not have the ability to change the delivery options like full senders. Delivery options are pre-defined by the administrator. The delivery options you can configure are: sending an notification to recipients, requiring recipients to sign into the application to retrieve their delivery, and automatic package deletion (if this is set to 0, then the package will never be deleted). Package Settings 49

49 File upload slots per page: This sets the number of file upload slots per page when creating deliveries (both normal deliveries of an existing package as well as express deliveries). Valid values are between 1 and 10. Notify user when added as a package owner or sender: If set to yes, a notification will be sent to users who are added as an owner or a sender of a package. This informs people if they are given access to edit and/or deliver a package. Allow users to delete multiple packages: If set to yes, Senders can select and delete multiple packages from the Manage Package list. Senders can only delete packages that they own. Because this can be a potentially dangerous operation that can quickly delete many packages and all associated deliveries, this feature can be disabled by an administrator. Package deletes after (in days): Define the number of days newly created packages will be valid before being deleted by the system. Reminder before package deletion (in days): System sends an reminder to all package owners and senders whose packages will be deleted shortly. Hide auto-deletion fields if not editable: For users who cannot override the auto-deletion values, the auto-delete fields are displayed but grayed out and uneditable. If this is an uneditable field, some administrators will choose to hide it from the sender. List of owners who can override deletion: Enter a specific user or user pattern (using wildcards like? and *) who can override the deletion dates. These users can change the dates for deletion and reminders, as well as completely override the deletion by deleting the date entirely. Multiple addresses or patterns should be separated by commas. Note: Package deletion is permanent and will delete all files, deliveries, replies, and files uploaded through replies. Recipients will no longer see deliveries in their Received Deliveries list for deleted packages, and any delivery notifications links in will no longer be valid. Unrestricted senders: If defined, this is the list of Senders that are not subject to the inclusion and exclusion lists. So, if this list contains *@biscom.com, then all Senders who have an address are exempt from the inclusion/exclusion rules. A Sender with address mary@externalcompany.com will be subject to the inclusion/exclusion rules. If a user has an inclusion or exclusion list defined at the user level (not at this system level), then that takes precedence over their inclusion on this unrestricted senders list, and they will be subject to the inclusion/exclusion restrictions defined for their specific user account. Default recipient inclusion list: If defined, this is a list of recipients or recipient patterns that are acceptable recipients for all Senders. An Administrator may override this on a per user basis. If any delivery recipient matches any or patterns specified in this list, they will be allowed as 50

50 recipients. Pattern matching is supported through the asterisk (*) and the question mark (?), which specify 0 or more occurrences, or 0 or 1 occurrences of character, respectively. For example, for the list specified as follows: sales@telemarketingcompany.com, *@xxx.com, tom?@xyz.com The single addresses from sales@telemarketingcompany.com will match, any and will match, and tom@xyz.com, tom1@xyz.com, and tomz@xyz.com will all match. However, jane@telemarketingcompany.com, bob@xxxx.com, and tom10@xyz.com will not match. If this list is not defined, or a single asterisk is used, all recipients are allowed. Default recipient exclusion list: If defined, this is a list of recipients s or patterns that are not acceptable recipients for all Senders. An Administrator may override this on a per user basis. Similar to the recipientinclusionlist, this defines the set of addresses that will be rejected by Biscom Delivery Server if added as recipients to a delivery. File type restrictions: If defined, this comma-separated list defines the list of files that are restricted from being uploaded to the system and downloaded from the system. Pattern matching is supported through the asterisk (*) and the question mark (?), which specify 0 or more occurrences, or 0 or 1 occurrences of character, respectively. Allow unrestricted senders to bypass file type restrictions: When checked, this enables the list of unrestricted users to upload files that are blocked by the file type restrictions values. Allow applet for upload and download: A Java applet is available for users to upload and download files. Senders can take advantage of the applet when creating an express delivery or creating or editing packages to upload multiple files by simply dragging and dropping them onto the applet. Recipients can use the applet to download multiple files simultaneously. If you do not want to provide the applet functionality, set this radio button to No, and file uploads will be handled through the standard Web file upload component. For downloads, the files will be saved individually by clicking on the file name. Default value for overwrite files checkbox: When using the applet to download multiple files, you can configure the default behavior on download to overwrite by default (checked) or not (unchecked). File upload and download with applet allowed for: If you do enable the applet, you can still restrict the users who can use the applet s functionality. Enter a list of users or wildcard pattern that specifies who can use the applet. For example, to allow everyone in the Biscom.com domain to use the applet, the value for this property would be *@biscom.com. 51

51 Enable collaboration: This setting provides senders the ability to designate a package for easier sharing of files. With this enabled, senders will see an additional checkbox in the delivery options section: Allow collaboration. When a recipient or owner of a package uses the secure reply feature, an additional button is available. The new button enables the user to Reply securely to all, which creates a threaded discussion viewable by all recipients and owners (everyone) of the delivery. Files uploaded to everyone can be viewed and downloaded, and the user replying has the option to save the file to the files in the package. Note: files saved to the package from this thread can potentially overwrite an existing file in the package if the filenames match. User Settings Enable compliance role: The compliance role can be enabled or disabled. When the role is enabled, it will be available for assignment (by Super users only). Enforce user quota: If enabled, user quotas are tracked and when exceeded, will prevent users from uploading additional files. o o Maximum quota allowed: The maximum quota any user can be assigned. Quota per user: The default quota assigned to any new user if quota when quota is enabled. Individual user quota can be by changed by editing the user and changing his or her quota. The maximum quota limit, however, is defined by the maximum quota value above, and may be higher than the default quota specified. 52

52 Users who are at 95% of their quota will see a warning message in the main menu page. Users can click the Manage quota usage link and selectively remove packages. Note that user quotas are affected if another sender assigns ownership (owner or sender attribute) of a package to him or her. Users have the option to unassign ownership of packages or delete their own packages thorugh the Manage Quota Usage page. Enable user expiration: If enabled, users can be expired. Automatic expiration applies to recipients, limited senders, and senders. Users who have the report, administrator, or compliance roles are not affected by the expiration policy. o o o o Expire users if inactive for (in days): Number of days of inactivity before a user expires. - Users expire based on a period of inactivity. If a user does not sign into the application within the specified time period, their account will expire, and the user will no longer be able to sign into the application. - Deliveries sent by expired users are no longer available to recipients. - If the user has the sender role, that role is freed up and can be assigned to another user. If an expired user with the sender role is reactivated, and a sender license is available, the reactivated user will be re-assigned the sender role. Send first/final warning message: You can specify up to two warning messages to go out to users whose accounts are expiring. Expiration exclusion list: Define patterns or individual addresses that are exempt from expiration. Delete expired users after (in days): Users can be automatically deleted from the system after expiration. 53

53 o Explicit user expiration date: Administrators can set a specific expiration date for users when creating a new user, or when editing a user in the Manage Users page. This expiration applies regardless of user activity. If you specify a date in the past, the user will expire immediately. Contact and Group Settings Administrators can define a Microsoft Exchange Server connection to access the global address list (GAL) from the Web interface when delivering files or creating packages. Senders can automatically pull contacts from the GAL to use as delivery recipients and package owners and senders. The synchronization process can be managed (started and stopped) in the Manage Server Processes page. 54

54 When entering Active Directory information, specify a username/password for a user that has the ability to access the system. This can be an existing user or you may create a special user for this purpose. Sign In and Password Session timeout (in minutes): The timeout in minutes for all users who log on. If not set, the default timeout is 15 minutes. Show domain field on sign in page (for LDAP/AD only): If you have configured your server to use LDAP/AD to authenticate users, you have the option to show a domain field below the username and password fields. For organizations that have users authenticate with their domain as part of their username (e.g. corp-domain\john smith), the domain field may be hidden. Turn auto-complete on: Enables or disables the auto-complete attribute in the sign in page. Require re-authentication for viewing each delivery: If set to yes, recipients who click on notification links will always need to re-authenticate to view a delivery. If this is set to no and a recipient is already logged in, then clicking on a delivery link will open the delivery without forcing the user to go through the authentication step. 55

55 Maximum sign in attempts before locking user account: This determines the number of attempts a user may try logging on before having their account locked. Only an administrator can unlock a user s account. Auto-unlock after (in minutes): After a user has locked his or her account after reaching the maximum number of attempts with an invalid password, the account is locked. If a value is entered in this field, the account will automatically unlock and the user is able to reattempt signing in. User auto-unlock limit: When auto-unlock is enabled, administrators can specify the number of cycles that the user s account is unlocked. E.g. if this value is set to 2, can lock their account twice. If the final cycle of attempts at signing in fails, the account is locked permanently, and can only be unlocked by an administrator. The manage users report will show a red key icon to indicate a permanently locked user (blue key shows a temporarily locked user), and an will be sent to BDS administrators notifying them of the account locked out (see figure below). Automatically expire user password: Set to yes to enable password expiration. When this is enabled, enter the number of days that the password remains valid (if set to 0, passwords never expire). A warning message will be displayed in the main menu page the number of days specified before the user s password expires (if set to 0, no warning will be displayed). This message is displayed at every logon until the user changes his or her password. If the user s password has already expired, the user will be prompted to change his or her password before being allowed to enter the application. Require users to change password after admin update: This specifies the default value to use when an administrator resets a user s password or when creating a new user. Previously created users and users whose passwords were already reset are not affected by this setting. 56

56 Allow old user password to be reused as new password: If set to Yes, users are allowed to use the same password after their current password expires. Some administrators may set this to no to force users to choose a different password for increased security. Password length: Enter a minimum and maximum length for user passwords. By default, this is between 1 and 50. You cannot set the maximum above 50. Required characters for password: You can specify what characters are required to be part of a user s password: uppercase, lowercase, numbers, and non-alphanumeric characters. Enable external authentication source Set to Yes to integrate with an external authentication source such as LDAP or Active Directory. When set to Yes, BDS will scan through all configured and active authentication sources. External authentication source configuration You may select and delete one or more authentication sources from the list of sources. To view the list of authentication sources, click on the name of the authentication source. See the section Defining an Active Directory Authentication Source for more information on the AD connector. 57

57 User Registration Allow self-registration: When set to Yes, any user can register. When set to Yes, for delivery recipients only, self-registration is available only for the recipients of a BDS delivery. A user who has never been sent a secure delivery will not be able to register. When set to No, the registration page is disabled. If the Require administrator approval checkbox is checked, users can register and activate their accounts, but an administrator must manually approve each registration (see administrator approval section for more details). Note: If you turn off user registration, you should also modify the Custom sign in text in the User Interface section so that no registration link appears on the sign in page. Require activation: If checked, new registrants will automatically receive an with an embedded link. Clicking the embedded link is a required stop to complete and activate the registration. If this is not checked, a user can register and immediately sign into the application. activation helps associate the registrant with the address supplied during the registration process. 58

58 Registration not allowed message: If registration is disabled, you can display a message informing users that they are not allowed to register. Self-registration not allowed for: If self-registration is allowed, you can still restrict registration by not allowing registration for certain user addresses, or address patterns. For example use *@hotmail.com, *@yahoo.com to not allow users to register from these domains. The registration page will still be available to these users, but when they submit the registration request, they will be denied. Confirmation for self-registration: If set to Yes, users who register themselves and complete activation (if required), will receive a confirmation verifying the registration. Assign roles for self-registered users: Select the roles to assign to users who self-register. Most administrators choose only the recipient role with this role assigned to new registrants, they are restricted from sending files through BDS unless replying to a valid delivery from a registered sender. Allow Outlook add-in for new registrations: When set to Yes, selfregistered users will be able to use the Outlook add-in client. If set to No, users can still install the Outlook add-in, but any deliveries created using the add-in will fail. This setting does not apply to LDAP or AD users. Require terms of service: If this property is set to Yes, registrants are shown the text that is in the Terms of service text area. To register, users must agree to the terms by checking the checkbox next to the I accept the terms of service text. Require password reset question: You may want users to select (or enter) a password reset question. If set to Yes, users must fill out the password reset question and answer. If set to No, and no password reset question/answer are provided by the user, then the user will not be able to reset his or her password automatically and must request this from an Administrator. Maximum password reset attempts: Limits the number of times a user may attempt to reset their password before locking his or her account. Once locked, only an Administrator can unlock a user s account. predefinedpasswordquestion1-5: If at least one question is defined, then users can select one of these questions to answer. If predefined questions are not used, then users can enter their own freeform question. If you only want to provide three pre-defined questions, only enter three questions and question codes. predefinedquestioncode1-5: For each defined question, specify a unique code for the question. This is used by the application to match up the question that the user selected with the questions configured. This also allows administrators to make slight alterations to a question without breaking how user questions are looked up by the application as long as the code is not changed. 59

59 User Interface The Biscom Delivery Server user interface can be altered by using a custom Cascading Style Sheet and a custom logo. You can specify the location of the style sheet and logo in this section. The style sheet can be used to change font faces, font sizes, colors, etc. Browser window title tag: If this field contains a value, then all title tags will be changed to use the text entered. If this is left blank, then the title tags defined in the text resource file are used. Note that each page s title tag can be individually changed through the text resource file. See the section below on Application Customization for more information. CSS style sheet location: Specifies the location on the file system of the custom style sheet. This can be any valid URL. Logo location: Specifies the location on the file system of the logo. This can also be a valid URL. If a logo or URL is specified here, the logo width and logo height fields must be entered. Logo links to (optional): This is the URL to link to when the logo is clicked. If this property is not set, the logo will link to the Logon page (if a user is not currently logged on), or the main application page (if a user is currently logged on). Logo width: The width of the logo in pixels. Logo height: The height of the logo in pixels. Custom sign in text (top): This field enables administrators to modify or customize the area above the sign in text box (username/password fields). 60

60 Administrators can use HTML and styles from the internal CSS style sheet or from an externally defined style sheet. Click the Reset to original value link to reset the content to the original content (when the server was initially installed). Custom sign in text (right): This field enables administrators to modify or customize the area to the right of the sign in text box (username/password fields). Administrators can use HTML and styles from the internal CSS style sheet or from an externally defined style sheet. Click the Reset to original value link to reset the content to the original content (when the server was initially installed). Custom web page footer: This field enables administrators to modify or customize the bottom (footer) of every page in the web application. Administrators can use HTML and styles from the internal CSS style sheet or from an externally defined style sheet. Click the Reset to original value link to reset the content to the original content (when the server was initially installed). Custom help URL: The help icon in the main menu will link to the internal help page (an abbreviated help section for users). You can define and link to your own help file by entering the URL for a customized help file in this field. 61

61 recaptcha Image Verification Settings BDS supports recaptcha to prevent abuse by automated bots and other scripts that attempt to register users automatically. recaptcha is a free CAPTCHA service provided by Google, and displays distorted text as an image that is hard to read by machines (e.g. by OCR), but fairly easy to ready by humans. To use recaptcha for user registration, you must have a Google account in order to create a public/private key pair. Go to the following URL: Navigate to the My Account page (you may be asked to log in), enter the domain name of your BDS application, and press the Create Key button. Manage Users Google will create both a public and private key for the site. Go back to the recaptha section on the BDS Server Configuration page, enable recaptcha, and enter the public and private keys. When users go to the BDS registration page, they must successfully enter the recaptcha text in order to register. The Manage Users tool allows Administrators to create, update, and delete users. Click the Manage Users icon or click the Manage Users link to display the list of users on the system. You can continue to retrieve all users, or you can use the search feature and enter keywords to reduce the number of users to retrieve, and specify filters to narrow your listings based on roles and statuses. In the Manage Users list, text for active users is shown in blue; expired users in light blue; disabled users are shown grayed out; pending users are shown in 62

62 green. Usernames are hyperlinked and when clicked, you can view and edit user settings. 63

63 Creating a New User 1. From the User Manager page, click the Add link to create a new user. 2. An address and password are required fields. One or more roles must also be assigned to the user at this time as well. 3. Display as is used when displaying the user in the application. If this field is not populated, the first and last names are used. If they are also not populated, the address is used. 4. If you are assigning the Sender role to the user, the Inclusion and Exclusion list text boxes will become editable. See the section on Inclusion and Exclusion lists for information on how to use this feature. Also, the Allow Outlook add-in checkbox will become editable. This feature only applies for systems that have the Outlook module. 64

64 5. Optionally set a quota the user this quota will override the default quota assigned, but cannot exceed the maximum quota allowed. 6. In addition to the global user expiration setting, you can define a specific expiration date for an individual user. However, a user may expire prior to this date if they exceed the period of inactivity for expiration. 7. Click the Create button to create the user. Modifying an Existing User Administrators can modify existing users to change the user s name, password, or roles. The address used as the user name cannot be modified. 1. Select the user to update or modify by clicking on the user s address. Use the search box to search for users based on address and first, last, and middle names. 2. The user update form is shown below: a. You cannot change the address field for a user once created. You can update the user s name, company, roles, and other user settings. 65

65 b. If the user has the Sender role assigned, the inclusion and exclusion lists can be updated. See the section on Inclusion and Exclusion lists for information on how to use this feature. c. If quota is enabled in the system configuration, the quota section will be visible and can be changed per user; default quota is defined in the system configuration, and can be adjusted higher or lower, but quota cannot exceed the maximum value defined in the system configuration. d. Users expire, if expiration is enabled, based on a period of inactivity. However, users can have explicitly defined user expiration dates that will cause users to expire regardless of activity. e. The user s status can be change to Active or Disabled. Disabled users will be prevented from logging onto the Biscom Delivery Server application to retrieve deliveries, send packages, view reports, or administer the system. All packages and deliveries belonging to a disabled user are no longer accessible by recipients. f. An Administrator may lock user accounts or a user may lock his or her account by entering an incorrect password too many times. Once a user s account is locked, the user will no longer be able to log on until an administrator unlocks the account. Users who are locked out can still use the Outlook add-in to create deliveries, and can still view no sign-in deliveries. User accounts are locked to prevent unauthorized access to the web application. g. User statistics (not shown) are provided for quick information on the user, including the number of packages the user owns, how much storage space is being used by all files in the user s packages, and number of deliveries received and sent. More detailed information can be viewed through the User Activity reports. h. Click the Update button to save the changes you have made. 3. To reset the user s password, click the Click here to reset user password link. Note: Clicking this link will bring you to a new page. Any changes you may have made on the Update User page will be lost unless you have already clicked the Update button. 66

66 a. Enter a new password and retype the password to confirm it. b. Click the Update button to save the new password. c. Click the Back button when you are satisfied with your changes. Inclusion and Exclusion Lists Inclusion and exclusion lists are used to restrict Senders from delivering packages to certain recipients. Your system administrator may have configured the system with global inclusion and exclusion lists. However, these global settings may be overridden on a per user basis by entering values into the text boxes. For example, if the global inclusion list is *@biscom.com but you want to override this to allow the user to send to any address, you would enter an asterisk (*). Individual addresses as well as patterns may be specified in these lists. Patterns use the asterisk (*) and the question mark (?) for pattern matching. * will match 0 or more occurrences of characters.? will match 0 or 1 occurrences of a character. For example: Inclusion List Exclusion List robert??@somecompany.com will match Robert@somecompany.com, robertf@somecompnay.com, and robert23@somecompany.com; robertson@somecompany.com will not match however. *@anothercompany.com will match lisa@anothercompany.com and steve@anothercompany.com. This defines the list of recipients to whom the Sender can deliver packages. This defines the list of recipients to whom the Sender cannot deliver packages. If a recipient matches the pattern or address on both the inclusion and exclusion list, the exclusion list match will take precedence and the Sender will not be able to deliver packages to that recipient. 67

67 Deleting a User Administrators can delete users from the system. When deleting a user, all packages that are owned only by the user and deliveries associated with the user will no longer be valid. Any recipients who have received deliveries from a deleted user will no longer have access to those packages. Any deliveries of a package owned by a deleted user will also be inaccessible even though the sender is currently an active user. Note: This is a function that should be used with caution as it permanently removes the user from the system the user cannot be restored. 1. From the Manage Users list, select the checkbox to the left of the address and click the Delete button. A confirmation page will display the selected users. 2. Click the Delete Users button to permanently delete the selected users. Importing Users Administrators can import users from an XML or a CSV file to quickly create and register a large number of users. 1. From the Home page, click the System and User Administration icon or click the System and User Administration link. 2. Click the Manage Users icon or click the Manage Users link. 3. Click the Import link. 4. Select a file to import. The file must be formatted in XML or as a tab-delimited file. For import format details, see Appendix A: User Import File Format. 68

68 Standard tab delimited files have one tab between each column. Some files have columns separated by more than one tab in order to visually align the data under the column headings. If your text file uses multiple tabs between column data, select the checkbox to treat consecutive tabs as a single tab. This feature only works if all import fields contain text. If any field is not entered (left empty), the import will fail. 5. Enter a password (and confirm the password) for users in the import file who do not have an assigned password. Since passwords are required for all users, this field cannot be blank when importing and registering users. 6. Click the Import button to import the users. The results of the import are displayed, with a summary of the import results, and the result of each individual user: a. : The user was imported successfully b. : The user was imported, but with a warning. The typical warning is when a user is imported with the Sender role designated, but the system s maximum number of Senders has been reached. The user is imported, but the user will not have the Sender role. c. : Imported user already exists in the system and was not imported. d. : User was not imported because the user information provided was invalid (e.g. an invalid address) Manage Users with LDAP or Active Directory For organizations that use directory services such as LDAP or Microsoft Active Directory (we will use LDAP as the general term for LDAP and Active Directory), administrators can perform user management through their primary directory services management software. BDS uses security groups to assign roles to users, and users can sign in to the application using their network username and password. Because BDS accesses the directory service directly rather than through a synchronization process, any changes to a user in the directory 69

69 immediately is reflected in BDS. Changing a user s password in the directory immediately changes the BDS password. Enabling Authentication Using LDAP To enable support for LDAP, administrators must set the Enable external authentication source to Yes under the Sign In and Password section of the System and User Administration page. Enabling this will display a link to the External authentication source configuration page. A list of external authentication will be shown. Click the Create AD Authentication Source for Active Directory servers, or Create LDAP Authentication Source for OpenLDAP, SunONE, or other LDAP servers. This will create a new authentication source. Click on the name of an existing source to view the authentication source details, or click the edit icon to change an existing authentication source. Defining an Active Directory Authentication Source When creating or editing an existing authentication source, you are shown a page with three main sections: the source meta data (e.g. name and type of source), the role mappings, and any pre-windows 2000 mappings you may need to add. You can add multiple authentication sources. When a user signs in using their network credentials, each source is searched in the order in which they are listed. Or, if you installed the BDS AD Connector, enter information in the Active Directory connector settings. 70

70 The meta data includes the authentication source name, type of source (LDAP or Active Directory), status, realm (usually the same as the domain), authentication method (Simple or Kerberos), protocol (ldap or ldaps), and port (389 by default). Authentication source name: Specify a name for your authentication source. This is for your information only, and is not used in the authentication process. Description: Enter any description or label for the authentication source. Status: Active or inactive. You can define an authentication source, but choose to not enable it by marking it as inactive. Realm: Enter the realm, typically the Active Directory domain name. Authentication method: Select simple or Kerberos. Most AD methods are Kerberos. Protocol and Port: Can be ldap or ldaps. Default port for ldap is 389, and ldaps is 636. Search base: You can define the starting point for searches in the directory tree instead of searching the entire tree. For example, to query a specific organizational unit (OU) in the directory, you might enter OU=users, dc=biscom, dc=com which specifies the user organizational unit in the biscom.com domain. Configuring the BDS Active Directory Connector (ADC) When using Active Directory, the AD connector must be installed on a machine that can access both the BDS server as well as the AD server (see section on installing the ADC). To use the ADC, make sure the Use Active Directory connector checkbox is selected, and enter the host name where the connector is installed, and connector port. The default connector port is

71 For machines that require a proxy to access AD, you can define the proxy within the fds.properties configuration file. Add or edit the lines in fds.properties, using your proxy host name and proxy port number: adcproxyserverhost=<proxy host name> adcproxyserverport=<proxy port> Defining an LDAP Authentication Source BDS also supports Lightweight Directory Access Protocol (LDAP) for user authentication and role assignment. Many settings are similar to the AD configuration, but a few notable differences exist. From the Manage External Authentication Sources page, click the Create LDAP Authentication Source link. Type: BDS supports OpenLDAP and SunONE LDAP. Other LDAP servers may be compatible. If you are not running OpenLDAP or SunONE, select OtherLDAP Server. Authentication source name: Specify a name for your authentication source. This is for your information only, and is not used in the authentication process. Description: Enter any description or label for the authentication source. 72

72 Status: Active or inactive. You can define an authentication source, but choose to not enable it by marking it as inactive. LDAP Server: Enter the LDAP server name. LDAP Port: Enter the LDAP port, set to 389 by default. Protocol: Can be ldap or ldaps. Default port for ldap is 389, and ldaps is 636. Authentication method: Select Simple or Kerberos. Base DNs: You can define the starting point for searches in the directory tree instead of searching the entire tree. Typically, the base DN is the top level of the LDAP direcotyr tree. Example: cn=users,dc=ldap1. Username attribute: Map the attribute that is used to specify the username, e.g. uid. Group membership attribute: Enter the attribute type that defines the users of a group. The Field Mapping section is used to map the LDAP attributes to BDS. The only required field is the address.assigning Roles using Groups The next section of the page shows the security groups that are assigned to roles. Both the Active Directory and LDAP configuration use the same role assignment scheme. Groups can contain nested groups. You can enter one group name per line or multiple group names on a single line separated by semicolons. Spaces and commas are valid characters within groups and you should not use these characters to separate multiple groups. 73

73 For domains that were created on pre-windows 2000 servers (i.e. NT domains) can be entered here to map to a standard domain. Viewing an Authentication Source The authentication viewing page shows the list of roles and the mappings defined for each role. Roles can be mapped to multiple groups. To delete the entire authentication source, click the Delete AD Authentication Source or Delete LDAP Authentication Source link. 74

74 User Registration If you enable user registration, recipients and others can create an account on their own. When a user registers, they must enter a minimum amount of information, including a username ( address) and a password. A password reset question is optional, but system administrators can require this for registration. Based on the settings defined in User Registration section of the Server Configuration page, self-registering users are assigned one or more roles, and may need to go through an activation process to verify their address. 75

75 If activation is required, the user who is registering will receive an activation in his or her inbox. 76

76 Users must click the activation link or visit the activation page and manually enter their username and activation code. Pending Registration Requests If BDS is configured to require administrator approval (see the section on User Registration on the Server configuration page), newly registered users must be manually approved before they are allowed access to the BDS application. Administrators can select one or more pending requests and approve or deny registration. Completing User Activation Some users have started the user registration, but have not completed the user activation step. If user activation is required, new registrants will receive a confirmation message to the address they specified as his or her username. To complete activation, the registrant must click the link to confirm his or her address. Some users will never complete the activation because they have not received the confirmation , it was blocked by a SPAM filter, or they have accidentally deleted it. If the activation link does not work, users can also manually activate their account by visiting the activation page. Alternatively, an administrator can activate an account by navigating to the Manage Users page and editing the user. Once in Update User page, click the Activate user account link to complete activation, allowing the user to sign into the BDS application. 77

77 Completing User Registration for Pre-Registered Users A recipient who has been added to a delivery by a sender but is new to the BDS system, has a status of pending registration and will need to go through the user registration process in order to view his or her delivery. In these cases, the recipient has not yet gone through the first step of user registration yet. In these cases, an administrator can edit the user s account, and complete the registration for them. To complete the registration, the administrator must assign a password and can require the user to change the password when he or she first signs in. 78

78 Section 9: Viewing Reports Biscom Delivery Server records the transactions that occur in the application and can generate reports on Delivery activities, Package activity, User activity, and System information. Most reports offer filtering capability to show specific date ranges and search terms, and can be exported to CSV format. Role Reports Available Description Sender Deliveries I ve sent List of the current user s deliveries sorted by delivery access date. Packages activity List of packages for which you are a sender or owner. Report System report Summary information for usage covering a date range. This includes reports on users, deliveries, packages, and files. User administrator Users activity List of all registered users, whether active, disabled, or with pending registration. Includes deleted users. System administrator and Super user Users expiring Pending deliveries notification System activity report Displays a list of users whose accounts are expiring in the next 14 days. List of deliveries that are pending. This may include any deliveries created while the delivery process is stopped, or deliveries created with an availability date in the future. Listing of all transactions occurring in the system. Users To view reports, click the View Reports icon from the home page. You will see all available reports based on your roles. Sender reports include delivery and package activity. Details of these reports can be found in the User s Guide. Administrators have access to the following reports: users activity, users expiring, pending deliveries notification, system activity report The Users activity report is available to all administrators. The Users activity report displays all registered users, sorted by the last time they logged onto the system. 79

79 Also shown are the status and space used for each user (users exceeding their quota have their space used highlighted). Users may be Active, Disabled (grayed out), or Pending Registration (green). Check the checkbox Include deleted items to view deleted users. Note: Since a user may be deleted and another user created with the same address, each deleted user s address is followed by a unique string. This can help differentiate deleted users with the same address. Note: You can click the edit icon to go directly to the Update User form. This is not available for deleted users. To view a detailed user activity report, click a user s address. You will see the User Activity report with the transactions sorted by transaction date. User activity reports can be filtered by date. 80

80 The Users expiring report lists all users who will expire in the next 14 days. Click the username to update the selected user, where you are able to change the expiration date. Pending delivery notifications This report is available to users assigned the System administrator or Super user roles. The report displays delivery notifications that have not been sent out. This includes any notifications that have not been sent because the delivery notification process has been stopped, or deliveries that have an availability date in the future. 81

81 System activity report This report is available to users assigned the System administrator or Super user roles. The report displays all transactions that have occurred in the system in reverse chronological order. Filters can be applied, such as viewing transactions from specific clients (i.e. Web, Outlook, desktop client). Monitor System Activity System administrators and Super users have the option to open a pop-up window with near-real time transaction monitoring. The link to open the window is under the System Administration icon on the main menu. 82

82 You can change the popup settings by clicking the settings link to display the refresh interval and the number of transactions to show in the window. This window will automatically refresh itself according to the refresh interval setting. To view the full report, go to the System Activity Report. Sorting Reports Columns headings that are highlighted can be sorted. Click the column heading to sort by that column s attribute. Clicking a column that is the currently selected sort will reverse the sort order. Names that are too long to fit in the list are truncated and followed by to indicate that there is more text. 83

83 Section 10: Compliance Compliance Role The compliance role is a powerful role intended for compliance officers and auditors. Compliance users have the ability to view packages and deliveries of other users without the users knowledge. All compliance transactions are tracked, but transactions that relate to a specific user s package or delivery, such as viewing a package or downloading a file, are not visible in activity reports available to the package owner. View Packages Compliance users have access to all packages in the system, regardless of owner. When viewing the list of packages, compliance users can click the package icon to the left of the package name to view a preview of the package details. Clicking the history icon to the right of the package name will display the package activity report, including all compliance transactions. Clicking the package name will open the package details page, and compliance users can download files, view history, and access package deliveries. 84

84 View Deliveries Compliance users can view deliveries by first opening the package that contains the deliveries, or going to a listing of all deliveries. Viewing all deliveries, compliance users can click on the envelope icon to the left of the delivery name to preview the delivery details, or click the delivery name to view the full delivery details page. Clicking on the report icon to the right of the delivery will display the delivery history with compliance transactions included in the report. Compliance users can view the full delivery details, including the recipients, subject, and secure and notification messages. Compliance users can also download the files that are part of the associated package. 85

85 View Users This report shows users in the system and associated compliance transactions. Compliance activity can be previewed for each user by clicking on the icon to the left of the username. 86

86 Clicking on the username or address will show the detailed compliance transactions for that user. View System Activity Viewing all system activity. 87

87 88

88 Section 11: Microsoft Outlook Add-in Installing the Microsoft Outlook Add-in If you have the optional Outlook Add-in module installed, your users can take advantage of the Biscom Delivery Server Microsoft Outlook Add-in, which enables users to create express deliveries from within their environment. To use the add-in, the following conditions must be met: An account on the mail server must be created and configured to be the recipient of message stubs. When a secure message is sent through BDS by any sender, a small message is also created and sent to this address, and contains the notification message, secure message, and list of files attached (administrators can configure BDS to suppress the file listing). This account should not be used for anything other than receiving Biscom Delivery Server messages. Each user who wants to use the Outlook Add-in must be running Microsoft Outlook 2003, Outlook 2007, or Outlook 2010 on Windows XP, Windows Vista, or Windows 7. Each user who wants to use the Outlook Add-in must have the Outlook Addin client installed on their machine with the proper configuration (mail server and account properly defined). Each user who wants to use the Outlook Add-in must have the Sender role assigned, and have the Allow Outlook Add-in checkbox checked in the Update User page (by default, this is not checked). If using LDAP or Active Directory, any user who wishes to use the Outlook Add-in should be a member of a group that is assigned the Outlook Add-in role in the external source authentication definition. Note: LDAP/AD group setting takes precedence over the Allow Outlook Add-in checkbox in the user management page. How it works: 1. When a user clicks the New Message button (or the New Secure Message button if enabled see below for instructions on enabling this feature), a normal mail message form will open. 89

89 Senders can add recipients as they would normally, enter a subject, and type in text in the memo field. To attach files, users can use the menu item Insert > File, or users can simply drag and drop files from their desktop onto the memo field. 2. Based on the settings in the server configuration, the different aspects may trigger the message to go out through BDS. For example, if the total size of the attachments exceeds the size limit defined in BDS, or a keyword matches the list of keywords defined, then the message will be delivered through BDS. Otherwise, the message will go out normally through the mail server. 3. Users can change the delivery method in the BDS section of the main ribbon. A drop down menu called Send via BDS has three selectable values: Use policy, Yes, and No. The Use policy value (which is the default setting for users) will follow the policies defined by the BDS administrator. The Yes value will force sending the message securely through BDS. The No value will force the message to go through the regular mail server. If the sender clicked the New Secure Message button, the Send via BDS drop down menu will automatically be set to Yes. This can later be changed by the user. 90

90 Note: The No value can be disabled by the administrator, so senders only have the choice of using the default settings or to force the message to go out securely. 4. If the message meets the criteria for delivery through BDS or the user forces the message to go through BDS, a stub message is sent to the mailbox defined by the administrator, containing the message in the memo field, and the names of the files delivered. Based on user settings (below), the file attachment may or may not be attached to the sent mail. A separate process will upload the files to the BDS server and create a delivery to be sent to the recipients listed in the message. Users can view the status of the file upload by going to the Sent folder, right clicking on the message and selecting the Status menu option. If the upload is still in progress, the user will see the progress meter of each file upload. Enabling Users on the BDS Server You must enable your users to utilize the add-in. This is done differently for your LDAP/AD users and your non-ldap/ad users. 1. For non-ldap/ad users, go to the Manage Users page under System and User Administration. When creating a new user, select the checkbox for Allow Outlook add-in. When updating an existing user, select the user from the Manage Users list, and select the Allow Outlook add-in checkbox. Note that the user must have the sender role assigned. 91

91 92

92 For LDAP/AD users, you enable the BDS add-in by adding the security groups that the user belongs to. So, if you have a group called domain senders who have the sender role assigned to them and will be using the add-in, simply add this group to the role mapping field Outlook Add-in. In the following screenshot, internal senders is the group that can use the Outlook add-in. This typically matches the groups that are assigned the Sender role. Setting up Users with the Client End users can install the BDS Outlook add-in by simply double-clicking the Setup.exe file. The add-in can also be pushed out through Microsoft Group Policy if you are running Active Directory. Please contact Biscom technical support if you are interested in using Group Policy to distribute the BDS Outlook add-in. To install the add-in on a user s desktop directly: 1. Make sure the user s Outlook client has been shut down. 2. Double-click the Setup.exe file and follow the setup instructions. The first step is to install the Microsoft Office Primary Interop Assemblies as a requirement to run the BDS add-in. 93

93 3. You will be prompted to start the installation of the BDS software. Click Next to start the installation. 4. Select the installation directory. 94

94 5. Click Nex to perform the installation. 95

95 6. Once installation is complete, you can close the installer. 7. When a user first starts up Outlook, a BDS configuration form will be displayed. This configuration can also be viewed at any time afterwards by going to the Tools menu and selecting BDS Configuration. Each user must enter their username and password. If the other fields were not pre-populated, then the user must also enter the domain, server name, and SSL setting. For LDAP/AD users, in addition to the username and password fields, the proper domain must be entered. Non- LDAP/AD users will leave the domain field blank. 8. The add-in supports a direct internet connection or proxy server. The user can also try to have the add-in automatically detect the proxy settings. 96

96 Configuring Policies for the Add-in To configure the add-in behavior and policies, BDS administrators should open the Outlook Add-in Configuration page in Server Configuration and click the Configure Outlook add-in policies link. 1. Enable Outlook add-in: Must be set to Yes to use the add-in. 2. Server address: The mailbox on the mail server that receives the stub messages from each user. 3. Policy synchronization interval (in minutes): How often the add-in communicates with the BDS server to retrieve the policies. The default value is 60 minutes. 4. Enable Secure Message button: When checked, Outlook 2003 and 2007 clients will have a Send Securely button next to their New button on the Outlook ribbon. When pressed, a new Outlook message is created, and the delivery will automatically be routed through BDS, whether or not any policies apply. Note: Outlook 2010 does not allow add-ins to modify the main message ribbon, even if this property is checked, the Secure Message button will not appear. All BDS buttons and options will appear in the Add-in ribbon. 97

97 5. Policies a. Keywords (Subject line): One keyword or keyword phrase per line. If a phrase is used, it will be matched exactly, for example social security. This is not case sensitive. If a user enters a keyword or keyword phrase that is defined by an administrator, the message will be sent through BDS. Note, the body and any attachments are not scanned for keywords. Keywords are also matched optimistically so, if the keyword is secure, then the words secure and securely will match. But security will not match. b. Total attachment size (KB): Define the maximum attachment size limit that will trigger a secure delivery. c. Attachment name patterns: Enter the extensions that you want to trigger the add-in to re-route through BDS. Wildcards are supported, e.g. to specify all files with an.exe extension, you would enter *.exe in this field. d. Allow users to bypass policy: If set to Yes, senders can force a message that matches a BDS policy to be sent through the mail server. If set to No, senders will not see the option to disable sending through BDS in the Outlook client. 98

98 6. Attachment retention: If checked, this feature will keep attachments with the sent mail message up to the designated file size. It is important to match the file size with any Exchange file size limits so you are not trying to keep attachments that exceed the maximum file size allowed by Exchange. Any files that exceed this limit will not be retained. If a file exceeds the Exchange file size limit, the sent message will list the file and display a message that the file was not retained. This feature is useful for systems that use archiving to store attachments along with all sent message. 7. Delivery Settings a. body as: The main body of the message can be configured to be the secure message (viewable only by recipients who sign into the BDS application) or the notification message. When configured as the secure message, the notification message can be entered by opening the options dialog. Conversely, when the main body is configured as the notification message (sent as clear text to the recipients), the secure message can be entered by opening the options dialog. b. Notify when recipients access this delivery: Select whether to be notified the first time each recipient opens the secure delivery, or every time a recipient opens the delivery. c. addresses to notify: Specify one or more recipients to notify when a secure delivery is opened. Or, use the reserved word SENDER, to have notifications sent back to the original sender of the delivery. Uninstalling the Microsoft Outlook Add-in To prevent a user from using the Outlook add-in, you can disable outlook by deselecting the Allow Outlook add-in checkbox when updating the user or removing the user from the LDAP/AD group mapped to the Outlook Add-in. To fully remove the add-in from a user s Outlook client, follow these steps: 99

99 1. Shut down the user s Outlook client and confirm that no Outlook processes remain. 2. Go to the Control Panel and open Add/Remove Programs (Windows XP) or Programs and Features (Windows Vista) and uninstall the add-in. Upgrading the Microsoft Outlook Add-in Simply run the new Setup.exe file and the new add-in will upgrade the existing addin. All user values will be saved and will not have to be re-entered. 100

100 Section 12: Managing Processes Biscom Delivery Server has three processes that perform various system functions: delivering notifications, retrieving SMTP messages, and cleaning up the system. Administrators can start or stop each process individually from within the application. From the System and User Administration menu, click the Manage Server Processes icon or link. To start a process, click the green Start icon. To stop a process, click the red Stop icon. If a process is currently running, the Start icon will be disabled and grayed out and the Stop icon will be enabled. If a process is currently stopped, the Stop icon will be disabled and grayed out, and the Start icon will be enabled. The process status will visually show that the process is in the middle of starting or stopping. Contact Synchronization For organizations that use Microsoft Active Directory, this process synchronizes BDS with the Global Address List. Synchronization interval is defined in the Manage Exchange Connection section in the Server Configuration page, with synchronization as often as every 15 minutes. Delivery Notification The delivery notification process sends notifications out when a Sender creates a normal or express delivery. If this process is stopped, no delivery notifications will go out. Once the process is restarted, all notifications that had been queued up will be delivered. This does not prevent users from receiving deliveries they will still be able to see any packages a sender delivers to them immediately, but they will not be notified via that their delivery is available. SMTP Input Handler The Outlook Add-in and the API require the SMTP input handler process to be running in order to process incoming with delivery instructions. BDS uses an account on the organization s server to retrieve and process Biscom Delivery Server API commands embedded in an message. System Cleanup The system cleanup process runs every twelve hours and deletes any files associated with deleted packages. When a package is deleted, the files are put into the recycle bin directory. When the system cleanup process runs, it permanently deletes the files from the system. To force the process to run immediately, stop and restart the process. 101