Groove Relay Public Infrastructure Info before deployment of SharePoint Workspace
-
Wednesday, March 7, 2012 17:10
Hi,
We are testing SharePoint Workspace before considering a full deployment.
I have searched over the internet for any information regarding Microsoft public relay infrastructure, but did not find much information.
Except that relay servers have URL of *.groove.microsoft.com, does anyone have any info about security, performance (hosted in which datacenters...), approx number of relay servers...
Thanks in advance
Guelnoji
All replies
-
Friday, March 9, 2012 20:20 Moderator
We do not release information on where Groove servers are located or how many there are, but there is lots of information about data security available. The key points are these:
- Groove Relay servers forward data for Groove workspaces and Shared Folders when a direct connection between sender and recipient is not possible.
- This data is encrypted in transit and on the server. (Groove workspace data is also encrypted on the local drive.)
- Groove Relay servers do not retain data once the recipient has successfully received it.
- Groove Relay servers are not used by SharePoint workspaces.
For more information, see the following resources:
- 939806 How Groove 2007 and SharePoint 2010 use Groove servers http://support.microsoft.com/kb/939806
- How Groove maintains the security of a workspace and helps protect data that is sent over a non-secure network http://support.microsoft.com/kb/916359
- http://blogs.technet.com/b/weeklygroove/archive/2008/09/23/more-details-on-groove-servers-mostly-relay.aspx
I hope this helps!
- Marked as answer by guelno Sunday, March 11, 2012 14:03
-
Monday, May 28, 2012 07:10
Hi Frances!
I did a Groove 2010 implementation (Groove manager server, Groove Relay Server, SQL Server).
I need supporting documents on how it can be published online, to enable the users to connect to Groove server and to work on workspaces from outside the internal network (from internet).
Please, your fast response is highly appreciated!
Imad El-Qasem
-
Tuesday, May 29, 2012 15:02 Moderator
Hi Imad,
Groove workspaces (and Shared Folders) work across networks by design, usually without modification, if the server is installed as documented. If users outside your network are having problems, your network might be blocking incoming HTTP (port 80) and SSL (port 443) connections. For more details, see this article:
How to use Groove through a firewall
http://support.microsoft.com/kb/907740
Also, here is the corresponding section of the server documentation:
Plan port configurations for Groove Server
http://technet.microsoft.com/en-us/library/ee681763
You'll notice that the first article applies to "Office Groove 2007 and earlier versions" and also to "Groove workspaces in Microsoft SharePoint Workspace 2010." SharePoint workspaces do not use the Groove Relay server. They connect directly to the SharePoint server, which would have to be configured to support external access.
Let me know if you have more questions,
Frances
-
Wednesday, May 30, 2012 08:36
Thank you Frances,
I used this topology: (Groove manager server, Groove Relay Server, SQL Server) integrated with Active Directory, and SharePoint workspaces as client application on the users' machines - no SharePoint Server in this topology.
All of these servers are in internal network.
The question is:
- How can it be accessible, or the users to work from home (external access) to my internal Groove implementation?
- Can it be published? Should I put one of the servers in DMZ? Should I use TMG or ISA?
BTW: I did the implementation as Microsoft says.
-
Wednesday, May 30, 2012 18:51 Moderator
Hi Imad,
This is a very broad topic. If you have installed and configured according to the documentation, and have opened the ports listed in the sources I cited above, nothing further should be needed to enable external access. As part of creating and configuring accounts on Groove Manager, each account is provisioned to a Relay server pool (http://technet.microsoft.com/en-us/library/ee681784). The account obtains that information from Manager automatically.
If you look at the "Best Practices" section of the Deployment guide (http://technet.microsoft.com/en-us/library/ee681768) you will see that we do recommend that both servers be placed in a perimeter network, which is the same as a "DMZ". Keep in mind, however, that no workspace data resides on the Relay. Changes sent to the Relay server are encrypted on the network and on disk, and are deleted from the server once the endpoint has received them. You should follow reasonable practices for network security, but you are not protecting a document repository.
-
Thursday, May 31, 2012 06:19
Thank you Frances :)
I need to ask this because I'm facing security issues with the customer.
1- If we keep the Relay server in DMZ and the Groove Manager server in internal network, what are the port requirements to internal network from DMZ and from internet to DMZ?
2- Should the relay server be part of Active Directory Domain?
Many thanks for the fast response!
-
Friday, June 1, 2012 17:09 Moderator
Briefly, both servers need to be available to external clients via FQDN. Manager needs to be available at port 80, and Relay at minimum at port 80, but ideally on 80, 443, and 2492. You will see better performance if clients can communicate with the Relay over port 2492 (incoming on the Relay).
Groove Manager needs to be able to open a connection to the Relay (via FQDN) on port 8009.
The Relay administrator needs to be able to open a connection to the Relay on port 8010.
A table listing required inbound and outbound ports for each server, with detailed explanation of what each is used for, is available here:
Plan port configurations for Groove Server
The Relay server does not need to be domain joined.
I regret that I have to keep referring you to the documentation, but as you point out, these configurations affect security as well as efficiency. If I generalize to a list, even a notated one, as above, I am leaving out information. Also, network configuration involves choices that are affected by more than server software. If you need more help with this, I recommend that you open an advisory support case, so someone can go through it with you individually.
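Added example, not part of the original post or of Microsoft's documentation: a small audit that compares a perimeter firewall's allow rules with the port list given in the reply above. The rule syntax, the zone labels (`internet`, `manager`, `relay`, `admin`) and the sample rules are constructed for illustration; the full port table in the linked documentation remains the reference.

```python
import re

# Flows named in the reply above: (source, destination role, TCP port).
REQUIRED = {
    ("internet", "manager", 80),   # clients -> Groove Manager
    ("internet", "relay", 80),     # clients -> Relay (minimum)
    ("manager", "relay", 8009),    # Groove Manager -> Relay
    ("admin", "relay", 8010),      # Relay administrator -> Relay
}
RECOMMENDED = {
    ("internet", "relay", 443),
    ("internet", "relay", 2492),   # better performance per the reply
}

# Constructed rule syntax for this example: "allow <src> -> <dst> tcp/<port>"
RULE_RE = re.compile(r"^allow\s+(\w+)\s*->\s*(\w+)\s+tcp/(\d+)$")

def parse_rules(text):
    """Return the set of (src, dst, port) flows allowed by the rule text."""
    flows = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        flows.add((m.group(1), m.group(2), int(m.group(3))))
    return flows

def audit(text):
    """Compare allowed flows with the ports listed in the reply."""
    allowed = parse_rules(text)
    return {
        "missing_required": sorted(REQUIRED - allowed),
        "missing_recommended": sorted(RECOMMENDED - allowed),
        # Not in the reply's summary; check against the full port table.
        "unlisted": sorted(allowed - REQUIRED - RECOMMENDED),
    }

# Constructed sample rule set (not from the thread).
SAMPLE_RULES = """
allow internet -> manager tcp/80
allow internet -> relay tcp/80
allow internet -> relay tcp/443
allow internet -> relay tcp/8010   # admin port reachable from outside
allow manager -> relay tcp/8009
"""

if __name__ == "__main__":
    for key, flows in audit(SAMPLE_RULES).items():
        print(key, flows)
```

On the sample rules the audit reports the administration port 8010 open from the internet zone instead of from the administrator's network, and port 2492 not yet opened to the Relay.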
-
Tuesday, July 3, 2012 07:29
Hi Frances, there is a question: when I provision users from AD to the Groove Manager, it takes a long time for them to appear on the Groove Manager console. Any idea what could be causing this?
And one more question:
If I did the installation of the Groove Relay and the Manager in internal network (NOT in DMZ), can I publish it through ISA to make it available for external users? How?
Thanks in advance :)
- Edited by Imad El-Qasem Tuesday, July 3, 2012 07:45
-
Friday, July 6, 2012 20:17 Moderator
If there are not network problems, you should see new users within 30 minutes. See "You do not immediately see the changes in Groove Manager after you change a user record in Active Directory in Groove Server 2010" at http://support.microsoft.com/kb/982770/EN-US.
You would need a route relationship to the internal network for the external users to connect to the Groove Servers. Because the clients have configuration that is based on the domain names of their assigned servers, they cannot access the servers via a NAT. (See "Groove Server Manager URL" in http://technet.microsoft.com/en-us/library/ee681746.aspx for an explanation of this in Groove Manager.)

