Concordance Desktop server security


The Concordance Desktop server uses a variety of security methods to ensure data integrity, security, and high performance. Please read this section carefully, prior to implementing security for the computer you will be using as your Concordance Desktop server.

Concordance Server Connections

An installation of Concordance Desktop connects to the computer registered as the Concordance Desktop server over an SSL-encrypted connection. This connection is fully compatible with firewalls that monitor and verify SSL traffic. Unlike a standard Web server connection, the Concordance Desktop server connection is kept open for the entire session, for both efficiency and functionality: it is used to send progress messages, to update interactive search results and progress meters, and to perform other operations that would not be possible with repeated, unnecessary connections and disconnections.

Encryption

Data passed between the Concordance Desktop server and clients is both compressed and SSL encrypted, for speed and security. Concordance Desktop uses RSA public and private key encryption. All data is transmitted using RSA 128-bit encryption, and the initial handshake conversation is encrypted using 1024 bits. This is the same SSL encryption used by web servers for tasks such as online banking. We recommend installing the server on SSL port 443, as the server is fully SSL compliant.

Ports

Administrators log on to the Concordance Desktop Admin Console using an administrator user name and password. Firewalls are not required, but they can be used to maintain security when exposing the Concordance Desktop server to public IP ranges: the firewall determines which IP ranges are allowed to reach the Concordance Desktop server.

Setting Port Addresses:

End-user traffic for shortcut (.fyi) files via the Concordance Desktop server – Default Port is 443

Administration traffic on the Concordance Desktop server via the Admin Console – Default Port is 10001

We recommend that you periodically check your ports to ensure they are open to inbound/outbound traffic.

For more information about modifying port addresses, see Adjusting port settings.
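The following is an added example, not part of the Concordance Desktop documentation, showing one way to enforce the port and IP-range restrictions described above with Windows Defender Firewall and then to check that both default ports still answer. The host name and the subnets are placeholders; the NetSecurity module (built into supported Windows Server releases) is assumed.

```powershell
# Added example (not from the Concordance Desktop documentation): restrict the two
# server ports with Windows Defender Firewall and verify that they answer.
# Assumptions: the server runs Windows with the NetSecurity module; the host name and
# subnets below are placeholders for your reviewer and administrator IP ranges.

$ReviewerRanges = @('10.10.0.0/16', '192.168.50.0/24')   # placeholder: clients opening .fyi shortcuts
$AdminRange     = '10.10.5.0/24'                          # placeholder: workstations allowed to use the Admin Console
$ServerName     = 'concordance-srv.example.local'         # placeholder server host name

# End-user traffic (.fyi shortcuts) on the default SSL port 443, limited to the reviewer ranges
New-NetFirewallRule -DisplayName 'Concordance Desktop clients (443)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $ReviewerRanges -Action Allow -Profile Domain,Private

# Admin Console traffic on the default port 10001, limited to the administrator subnet only
New-NetFirewallRule -DisplayName 'Concordance Desktop Admin Console (10001)' `
    -Direction Inbound -Protocol TCP -LocalPort 10001 `
    -RemoteAddress $AdminRange -Action Allow -Profile Domain

# Periodic check: confirm that both ports accept a TCP connection from this host.
foreach ($Port in 443, 10001) {
    $Result = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    if ($Result.TcpTestSucceeded) {
        Write-Output "Port $Port on $ServerName is open"
    } else {
        Write-Warning "Port $Port on $ServerName is NOT reachable; check the firewall rule and the service"
    }
}
```

Run the check from a workstation inside each allowed range and from one outside it; the second run should fail on port 10001.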

DMZ or LAN?

The Concordance Desktop server can reside on your LAN or in your DMZ as your data security policy dictates.

If you are using external authentication, user log-ons and passwords in Concordance Desktop must be identical to those used in the DMZ so that reviewers can access databases on the computer registered as the Concordance Desktop server.

If you are only applying Concordance Desktop user management, we recommend that you register the server license on a computer on your LAN because the DMZ generally requires opening a connection from the server to the LAN, which can create a security risk.

We also recommend using NAT (Network Address Translation) to open an inbound port to the server, and setting the server to use SSL Port 443, as it is fully SSL compliant.

Authentication Types

Microsoft Windows NT, Microsoft Active Directory, and PDC secure login can be used by Concordance Desktop, making user administration easy and fully integrated with your existing network policies. Concordance Desktop uses NT, PDC, and Active Directory authentication, passing all logins and passwords to your existing domain server for verification and for enforcement of password policies, including expiration, length, mix of alphanumerics, and all other policy restrictions used by your organization.

Concordance Desktop with Active Directory, Windows NT, or PDC can be used to verify users' credentials. Logins are checked with the Windows Security Controller. Setting this up helps ensure conformance with your password policies.

Supported Authentication Types

Internal Types

Concordance Desktop - Uses the .sec file to authenticate users. We highly recommend always requiring a user login and password to connect.

External Types

External by Domain - Allows authentication against an NT Domain Controller (without Active Directory).

External by NT Server - Allows authentication against a stand-alone server (Member server).

External by Active Directory LDAP - Uses Microsoft Windows Active Directory to authenticate users; authentication is by Lightweight Directory Access Protocol (Active Directory).

For more information about external authentication and how it relates to users, see About setting up user authentication.

Using Microsoft Active Directory

If you are using external authentication, you will need to first set up users in Active Directory and then add each user's name in the Security Console of the Concordance Desktop database, before specifying Concordance Desktop .FYI users in the Concordance Desktop Admin Console. When using external authentication, it is important that user names match between Active Directory and the Concordance Desktop database.

We also recommend registering databases in the Concordance Desktop Admin Console as a means of adding users to the Concordance Desktop Server. User accounts are enabled in the Concordance Desktop Admin Console on the Management tab.

For more information about setting up users in the Active Directory refer to Microsoft's web site and search on "active directory."
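As an added example (not from the Concordance Desktop documentation), the script below checks a list of Concordance Desktop user names against Active Directory before the accounts are enabled in the Admin Console, so that name mismatches are caught up front. The user names are constructed placeholders, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (not from the Concordance Desktop documentation): confirm that every
# Concordance Desktop user name also exists in Active Directory before enabling the
# accounts in the Admin Console. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

# Constructed list of user names as entered in the database Security Console (placeholder values)
$ConcordanceUsers = @('jsmith', 'mgarcia', 'reviewer01')

$Missing = foreach ($Name in $ConcordanceUsers) {
    # -Filter returns nothing for an unknown account instead of throwing, unlike -Identity
    $AdUser = Get-ADUser -Filter "SamAccountName -eq '$Name'" -Properties Enabled
    if (-not $AdUser) {
        $Name                                   # no matching AD account: collect the name
    } elseif (-not $AdUser.Enabled) {
        Write-Warning "$Name exists in Active Directory but is disabled"
    }
}

if ($Missing) {
    Write-Warning "No Active Directory account for: $($Missing -join ', ')"
} else {
    Write-Output 'All Concordance Desktop user names match Active Directory accounts'
}
```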

File Storage Considerations

File size and storage considerations are additional planning elements when setting up the Concordance Desktop Server.

You need to ensure the following:

The server hosting Concordance Desktop databases can access other servers easily

That the Concordance Desktop server can access files easily

Databases and images are local to the Concordance Desktop server

There are no latency issues arising from databases or image files that are too big

You can choose to store databases and images in two ways:

LAN - For this setup, we recommend you store databases and images on the same server/computer that you have registered as the Concordance Desktop server, to reduce any latency issues in accessing files.

Network Accessible Storage - You can choose to store databases on one network device and images on another, and have the Concordance Desktop server point to these locations to access them. Latency differences are minor if database size is kept small and all images are processed as single TIFs.

For more information about database design, see Preparing for Concordance Desktop.