Posted

Hello all you wonderful Forum people,

I have Server Advanced. We have 8 licensed Users (WinXP), FM7v3, Windows 2000(3?) and a dedicated host system running Developer 7. I admit I've reached this point with absolutely no time to research the process. I have never used any FM Server version before. I haven't even read the book that comes with Server Advanced. My FM focus is process analysis and user-friendly design. I don't even know if Server Advanced gets installed on our Web Server, our Network Server or our dedicated Host!!!!shocked.gif

My question is this: Is this going to be a simple matter of installing the software, setting a few privileges and going home? Would you anticipate this will take a few hours ... or a few days!!!! I have committed to having this functional Monday morning.

Can someone tell me whether I may hope for (at least) a partial Thanksgiving holiday weekend ... or should I plan on digging in for a major pain. Can you point out some stumbling blocks to the process - things I should particularly watch for? Or give me a clue on how long this will take? smile.gif

LaRetta

Posted

LaRetta,

It shouldn't take days. Hours yes, but not days.

You may want to have an IT guy standing by to help out if networking is not your area of expertise. Have you determined whether you will be doing just FileMaker authentication or Windows authentication too? If you are doing Windows authentication then you will need to set up AD security groups and that may be beyond what you can do unless you are a domain admin.

Honestly, read the manual that comes with FMS. It's not as bad as it looks. The setup is kind of "wizard" like in that it leads you through a series of questions much of the time.

One thing, be sure to back up EVERYTHING before you get started in case the upgrade goes south. If the old system is gone on Monday and v7 doesn't work either you may wish you were gone too.

Good Luck!

Posted

The basic setup (just installing FMS, moving the files over, get them up and running) will take an hour or two max.

You do need to install FMS on its own machine for best performance, stability and security.

Move the files into the FMS database folder. Delete any and all stray copies of the file on the network. Make sure there is no OS file sharing on the FMS database folder (so that users can not navigate to them through their Explorer).

With FMS installed, launch the Server Admin Tool, connect to FMS. Right-click on the server entry and choose properties. This will give you access to all the settings in one nice tabbed dialog.

To get you going, you don't need to change much. Increase the cache flush interval. It is set to 1 minute or so by default and that is too short (keeps the server machine way too busy). Set the # of allowed files and users to what is good for your deployment. Enable a remote admin pw.

Create at least one backup schedule smile.gif

If you need web access then things get more complicated of course and you'd better schedule at least half a day if you've never done it before. Let me know if you need more help there.
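The advice above to keep OS file sharing off the FMS database folder has one catch: a share on any parent folder exposes the database files just as well. The following is an added example, not part of the original post, that flags every share overlapping a database folder; the folder path and the share table are constructed sample values (on a real machine the table would come from the output of `net share`).

```python
from pathlib import PureWindowsPath

# Hypothetical location of the FMS database folder (assumption, not from the thread).
DB_FOLDER = r"D:\FMS\Databases"

# Constructed sample share table: share name -> local path.
SAMPLE_SHARES = {
    "C$": "C:\\",
    "D$": "D:\\",
    "IPC$": "",                              # no path, nothing to compare
    "Office": r"d:\fms",                     # parent folder, different case
    "Backups": r"D:\FMS\Databases\Backups",  # subfolder of the database folder
    "Scans": r"D:\Scans",                    # unrelated folder
}


def relation(share_path, db_folder):
    """Describe how a shared path overlaps the database folder, or return None."""
    share = PureWindowsPath(share_path)
    db = PureWindowsPath(db_folder)
    # PureWindowsPath compares case-insensitively, as Windows itself does.
    if share == db:
        return "database folder itself"
    if share in db.parents:
        return "parent of database folder"
    if db in share.parents:
        return "subfolder of database folder"
    return None


def shares_exposing(db_folder, shares):
    """Return sorted (name, relation, hidden) tuples for shares that reach the folder."""
    findings = []
    for name, path in shares.items():
        if not path:
            continue
        rel = relation(path, db_folder)
        if rel is not None:
            # A trailing $ only hides the share from browsing; it is still a share.
            findings.append((name, rel, name.endswith("$")))
    return sorted(findings)


if __name__ == "__main__":
    for name, rel, hidden in shares_exposing(DB_FOLDER, SAMPLE_SHARES):
        print(f"{name}: {rel}{' (hidden share)' if hidden else ''}")
```

In the sample data, the `Office` share is the one a check of the database folder alone would miss.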

Posted

Hi Ted,

"Have you determined whether you will be doing just FileMaker authentication or Windows authentication too? "

Is it bigger than a breakbox? blush.gif

I have no idea what that means. We have no IT person. Company has used a Consultant a few times. I will see if I can line one up. This holiday weekend may not be the best time to find one but I wanted to have several days to be sure it's functioning before Monday and this four-day weekend seemed perfect for it.

"If the old system is gone on Monday and v7 doesn't work either you may wish you were gone too."

I already do. crazy.gif

Thanks for wishing me luck. I'll need all the help I can get. smile.gif

LaRetta

Posted

Oh Wim, so much appreciated!

This actually sounds like something I can do! What terrifies me is the responsibility of our entire business being down ... or up, because of what I do.

It's one thing to stay up all night fixing a glitch and then uploading our file again so they can work the next day ... it's another to take on something I've never done - knowing the steep consequences of it. It makes me want to drink!! shocked.gif

But now I feel I can pull it off. If you say it takes just a few hours ... and I have four days, then I should be able to guarantee success. How do I know if I need FM authentication AND Windows authentication? Or do I just let FM do its thing and trust that it'll all work out?

I can't thank you both enough for responding. grin.gif

LaRetta

Posted

LaRetta, I'm not an IT person either. I recently installed Server Advanced (just on my own machine, the el cheapo "use it just for testing" version they'll send you for $10 if you own Developer; which was a very fine gesture on FileMaker's part).

It was quite painless. About the only trouble I had at all was having to reset the Mac OS permissions on the database files I wanted to serve; and you won't have to do that on Windows. You just put the database files in the correct folder (you can also specify another folder).

The "daemon" (Mac) or "service?" (Windows), which is always running in the background, is installed so that it loads itself at startup of the machine. Then you just launch the FileMaker Server Admin application to start or stop the actual serving of the files. There are a few panels for configuration. Of course, my being the only user, and not setting up backups yet, I had nothing to do there.

Also, I had the Apache Web Server pre-installed and running on port 80, so the Web Publishing hooked up with that. Yours would hook up with IIS. I don't know if you're even going to install the Web Publishing part, though you did say Server Advanced.

Does anyone have more info for her on the Web Publishing part, for Windows?

The "authentication" question is whether to hand off the login business over to an "external" authority, of the OS. If you're not doing that already (and it doesn't sound like you are), then just leave it as FileMaker, which is the default, and it'll work as usual.

Posted

Hello there Fenton! smile.gif

Thank you!!

"The "authentication" question is whether to hand off the login business over to an "external" authority, of the OS. If you're not doing that already (and it doesn't sound like you are), then just leave it as FileMaker, which is the default, and it'll work as usual. "

Hmmm, well since I have no idea if we're handing off to an 'external' authority of the OS, I guess I'm safe to assume we're not? How would I tell (since I have no idea what that means)?

As for web publishing ... nah, not going there yet. We purchased Advanced so we CAN pull that piece in eventually. I have indicated to owner that it will be another 3 months before I attempt the web publishing piece. I may be insane for taking on too much, but I'm not crazy!!

Monday, we also step over to all invoicing and GL in the new solution. After I'm sure that it is running smoothly, I'm taking a week's vacation!!! 8 months of 16/7's has taken its toll. crazy.gif

Thanks again for all the support and assistance I've received on this. My panic has dropped to extreme concern and THAT ... I can handle. yep.gif

LaRetta

Posted

Hi LaRetta,

With FileMaker authentication each user has an account and belongs to a security group (privilege set). FileMaker manages the passwords and prompts the user to login.

With external authentication (Windows authentication), each user does not have their own FileMaker account. Instead, they have their own Windows domain account and FileMaker server uses the domain account to authenticate. The network administrator would normally create a set of Windows security groups for your FileMaker deployment and you would tell him or her which users belong to which groups. One of the plusses is that users are not prompted for any password when opening a protected file yet they can only get into the areas that you decide.

Reading the thread it sounds like you are not going to do Windows authentication.

Posted

"Hmmm, well since I have no idea if we're handing off to an 'external' authority of the OS, I guess I'm safe to assume we're not?"

Yes, and that's probably how you want to keep things.

In simple terms, FM Server 7 gives you the option of having users log into FM with their Windows network username and password. If you have a lot of users, it can be very convenient, since they only have one username and password to remember, but for a small workgroup, the effort involved in setting it up probably isn't worth it. And there are possible security concerns as well.

If you decide you do want it, you can always do it later. Definitely not something I'd worry about during a crunch.

Posted

Hi Ted, thanks for helping. smile.gif

Well, Owner requires each User to enter login (Windows) and password to access their computers. Originally, the login name was the computer number. But when I networked us, I created FM accounts for each person (they each have different extended privileges also). This caused us problems because when user logged onto computer, it default entered the computer number and they had to delete it to enter their own name. So I had Owner change each computer name to the person's name so it matched their FM accounts. crazy.gif

Problem was ... When one person left and another took that computer, they would just delete the other person's name and type theirs. But I have a field in FM called gUserAccount and FM would insert it as: OldUserName/NewUserName. I had to reinstall FM on that computer to change it. Geez. I'd rather not have to do that each time someone leaves.

It would be nice if they didn't have to log into both places but our computers need to be protected and require login. Is this what you are talking about? Can FM grab and use that information so they don't have to log into FM at all when they click the Opener file? I have relogin buttons available (in FM solution) so I'm not concerned about that part.

In fact, will I need an Opener file at all? If not, how do Users call the file? Will Server Advanced change my User opener process or will I keep my opener? All Opener does is call external subscript in the host file and then close itself. It error traps so that if file isn't available it just closes also. User account and password is again required when the main file opens on host. I'd really like to understand this process and set it up right this weekend while I have all systems to myself.

Oh. This will probably all become clear when I get into it and if you think that's the case, don't bother answering. I really hate taking everyone's time. But it'll be a holiday weekend and getting assistance might be difficult. I hate the thought that something silly (and obvious to everyone but me), like my trying to use an opener when not required, will keep this from being ready on Monday morning. smile.gif Any additional words of advice will be most appreciated.

And, although it sounds like a personal problem, I'm taking the manual to bed with me tonight. biglaff.gif

LaRetta

Posted

Thanks Barbecue!

"FM Server 7 gives you the option of having users log into FM with their Windows network username and password. "

It sounds like I've already got this in place! It seems easier for our Users this way, although a pain for me (but that's an acceptable trade-off). Am I *getting* the concept here? What is the security risk you mention? If both Account Name and Password are required on Windows login - and if FM just uses those, what's the security risk?

I have relogin buttons in my FM solution. It seems that the same problem would exist if someone walked over to another's computer and started working. My FM solution would indicate the wrong User changed data but, other than that, is there more to consider here? wink.gif

LaRetta

Posted

Not all of us are in North America (anymore...) so feel free to post or email when you run into trouble.

From what you describe you've been trying to roll your own Windows authentication scheme. The way the FMS scheme works is different and a whole lot simpler and does not rely at all on computer names or what's stored in FileMaker's UserName preference. But it does require you to have a Windows domain controller running Active Directory. That's what you need to find out first.

Posted

I can't believe all the time I'm taking. Thank you all so much for helping me through this.

Wim, I'm excited to hear that this authentication can be more cohesive using FMS. I look forward to solidifying this process. I will contact Owner as respectfully early as possible. I will find out if we have Windows domain controller running Active Directory. He will probably ask me what that means. I will admit I have no clue; but neither will he. But he can contact someone (his Consultant friend) and find out.

"... you've been trying to roll your own ..."

Ummm, errr well, it tends to be my style. blush.gif Good night. I have a date with a Server Advanced manual. Thanks again!! wink.gif

LaRetta

Posted

"If both Account Name and Password are required on Windows login - and if FM just uses those, what's the security risk?"

It's not necessarily a risk, it really depends on your situation. It creates a single point of failure, so if someone grabs your network password, they've automatically got access to your FM data as well.

My users often use each others' computers, don't lock their workstations when leaving for lunch, etc., and locking the workstations after a short time is politically infeasible. By having separate usernames/passwords for the database, I have an additional layer of security. I can also give database security control over to the paranoid guy, who can then lock me out of his database if he wants to.

"...My FM solution would indicate the wrong User changed data but, other than that, is there more to consider here? wink.gif"

In my case, that would be a Very Bad Thing. shocked.gif

But if you're comfortable with that possibility, then by all means enjoy the convenience of single sign on. smile.gif

Posted

Hi Barbecue, thanks for the comments.

All staff are REQUIRED to take 10 minute breaks and a minimum of 15-minute lunch, so they are required to log out and then back in when they do. My logout/login is tied directly to their timecards. It has taken a bit of 'harping' but that first pay period, when those employees were called into Management meeting to have the importance of adhering to labor laws stressed, seems to have eliminated any forgetfulness. smile.gif

Staff are not allowed to use each other's computer. An employee has access to their own payroll, benefits and other sensitive information. And, because they don't WANT anyone else to see their commissions, they even turn their screens off if they walk to the copier. Our extended privileges are complex and user-specific and everyone knows it. They wouldn't want someone else doing something under 'their' name since all actions are logged and tracked, and then reviewed by me for data-normalization issues and by Owner for work habits.

"It creates a single point of failure, so if someone grabs your network password ..."

Supposedly, we have three layers of firewall (?) in place to protect from outside access. Is this what you mean? So our only real current protections from accessing our FM (or computers) is that one User password which Owner keeps on a list (not in the office). Do we sound safe enough? I would really prefer Users only have one login to remember. wink.gif

LaRetta

Posted

"Supposedly, we have three layers of firewall (?) in place to protect from outside access. Is this what you mean?"

Actually, unless you're a high-profile organization, I'd be more worried about an insider sniffing passwords or running something like L0phtCrack against your domain. Despite all the media emphasis on cyber-terrorism and evil teenagers, the vast majority of so-called "hacking" is actually done by insiders. From a business perspective, strong policies and NDAs with teeth are more effective than technology-based solutions here, because they actually give you legal recourse to recover losses if a security breach does occur.

All that said, it sounds to me like you've got good policies in place and good monitoring (better than mine, for sure : ) The biggest thing you probably need to worry about is the quality of your users' passwords. Requiring strong passwords (8+ characters with mixed case and non-alpha characters) helps, but you'll still have the person who uses "Pa55w0rd" as a password and honestly thinks nobody would ever guess that.

Here's a link to SANS' recommended password policies (PDF file).

http://www.sans.org/resources/policies/Password_Policy.pdf

The aforementioned L0phtCrack is an excellent auditing tool, though too expensive for casual use. You can probably hire a consultant to audit your passwords.

http://www.atstake.com
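The point above about "Pa55w0rd" passing a complexity rule can be shown with a check run when a password is set. This is an added example, not part of the original post: the word list, substitution table and account names are constructed, and a real audit would use a much larger list of common passwords.

```python
import re

# Constructed denylist of base words (assumption for this example).
COMMON_WORDS = {"password", "welcome", "letmein", "filemaker", "qwerty", "admin"}

# Common character substitutions, undone before the denylist lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(pw):
    """The rule from the post: 8+ characters, mixed case, a non-alpha character."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(not c.isalpha() for c in pw))


def candidates(pw):
    """Forms of the password with case and substitutions undone.

    Two forms are produced: the whole string with substitutions reversed, and
    the same after trimming digits/symbols stuck on the front or back
    (so "Password1!" reduces to "password").
    """
    low = pw.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low.translate(LEET), trimmed.translate(LEET)}


def audit(account, pw):
    """Return a list of findings; an empty list means no objection."""
    findings = []
    if not meets_complexity(pw):
        findings.append("fails complexity rule")
    forms = candidates(pw)
    if forms & COMMON_WORDS:
        findings.append("common word behind substitutions")
    if account and any(account.lower() in form for form in forms):
        findings.append("contains account name")
    return findings


if __name__ == "__main__":
    # Constructed accounts and passwords.
    samples = [("jsmith", "Pa55w0rd"), ("jsmith", "JSmith#2024"),
               ("mlee", "Password1!"), ("mlee", "correct-Horse-battery-7")]
    for account, pw in samples:
        print(f"{account:8} {pw:26} {audit(account, pw) or 'ok'}")
```

"Pa55w0rd" satisfies the complexity rule and is rejected only by the denylist step, which is why the two checks belong together.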

Posted

Thank you for the password information, Barbecue. I will certainly use it! wink.gif

Wim, I just received word from Owner. The Consultant said ... "We are running a Windows 2000 server as a domain controller running active directory."

We have one additional issue: Both Owner and I need to access the computers at night from home so 1) He doesn't want to turn them off and 2) Owner said file sharing must be on for us to access host at night!? I go to a website mycomputer.com and log into his computer; and then navigate to the host files. I download every night and upload again. I can't be without this ability. It is the only time I can design. crazy.gif

Maybe I can copy them to another computer that DOES have file sharing on and grab them from there? Zip first, right?

Today I made sure all FM files (except host directory) no longer exist anywhere on our network. I'm unsure whether to attack the authentication (and active directory) issues at this stage. Recommendations would be greatly appreciated. I'm going to install tomorrow. I'm terribly excited about Server Advanced. yep.gif

LaRetta

Posted

LaRetta, I just noticed your questions, so if you've already resolved this ignore me.

There are several ways you could do this without having to enable file sharing on the host workstation.

You could enable a web or FTP server on the host computer, which would let you download and upload files directly. You could use a utility like PCAnywhere. Or you could simply open the database on the host computer and share it directly over the internet.

All of these options support use of encryption for security, and none require Windows file sharing. The only thing you'd need to worry about would be configuring any firewalls to allow traffic through on the required ports.

To do these things you'd need either a static public IP on the host computer or some form of dynamic DNS to automatically update a changing IP address with a static domain name. This works remarkably well, and can be done free of charge.

Posted

Hi there Barbecue wink.gif

Well, I admit I put off installing Server Advanced because of my concerns with nightly access and you make it sound so easy. But you might as well have been talking in German for all the sense it made to me. I will make the time to figure out exactly what you mean however, because running Server Advanced is important!

I admit that, already working 16/7's and things running very well, I hate to risk change because I simply don't have enough hours (or energy) left to handle any problems that may arise out of it. crazy.gif

But then again ... it is positive stress. And that excites me! I'll get right on it and thank you for the great information. smile.gif

LaRetta

Posted

Well let's see if I can make it less obtuse.

If your FileMaker server (or workstation) has a known Internet IP address, you can run FileMaker on your home machine, click Hosts, Specify Host, and then specify the IP address of your server and connect right up. The advantage of this approach is you don't need any special software on your home computer, (and can access the database from any machine that has FileMaker installed.) The main disadvantage is it's very slow if you're manipulating lots of data (searching, sorting, etc).

Another option is to use remote control software like PCAnywhere or VNC, which basically lets you take control of a remote computer at the office. You actually see the remote computer's screen. The advantage to this approach is searching, sorting, etc happens as quickly as it would at work. The disadvantage is the user interface is slow, mouse and keyboard commands are jerky, etc. Also, you must have the special software installed on both the server and your home computer.

If you need to do data processing, run reports, etc, you should use the remote control method. For doing design work (layouts, scripting, etc) use the direct connection method. If your home connection is slow (like dial-up) then the remote control is really the only practical option.

Now for another complication...

I wanted to access my database from my home computer. The problem was, the server didn't have its own dedicated IP address, but used a shared IP address provided by what's called a NAT router. That meant the server's IP address could change at any time.

To get around this, I signed up with DynDNS.org, a free service that will assign a permanent domain name to a temporary IP address. I registered Bob.dyndns.org or something like that.

You install a special program on your server that monitors your IP address, and every time the address changes, the program sends a notice to the DynDNS.org servers telling them basically "Hi, this is Bob again, now I'm using THIS address." It's sort of like requiring your kids to call you whenever they leave one place to go to another.

Dynamic DNS means the IP address my name points to can change quickly and easily automatically, and I don't have to call anyone.

If your ISP can give you a static IP address for your FM Server, you eliminate the need for all the Dynamic DNS stuff, but static IP addresses are not always easy to get.

Here's a link to DynDNS...

http://www.dyndns.org/

No matter which approach you take, the trickiest part of the whole thing is probably setting up your firewall to allow you into the network from home.

One option to consider is Port Forwarding. Basically, that's where you tell your firewall or router that any incoming traffic it sees for a specific port should always be forwarded to a specific computer. You can also do other tricks, like having the server initiate the connection to your home computer at a certain time, setting up a VPN, and various other things I know about but can't actually do myself.

Your local networking guru should be able to tell you what's the best approach for the network you're using.

Good luck!

Posted

Wow, Barbecue. I did not anticipate the depth of your additional assistance. Certainly not obtuse; it makes sense (mostly) even to me. I will devour this thread until I understand it all. Thoroughly.

"Your local networking guru should be able to tell you what's the best approach for the network you're using."

Uh. Well. I guess that will be me (Lord help us). The only 'consultant' is off in the mountains on two-month vacation. Besides, he only helped us a few times when first setting up the network (before my time). Oh, double-Lord help us. Okay, no problem. We have a three-day Christmas holiday coming up. Guess what I'll be doing. crazy.gifgrin.gif

I am determined to have Server Advanced running before the first of the year. Everything through invoicing and GL are up and functioning and I want my baby under Server's umbrella. I can't thank you enough for your assistance. wink.gif

LaRetta
