File and Print Services
From Wiki@Commgate
Flexshare
Overview
| Flexshare | Information |
|---|---|
| Description | A file collaboration utility. |
| Package Name | cc-flexshare |
| Configuration Page | Software > File Services > Flexshare |
A Flexshare is a flexible and secure collaboration utility which integrates four of the most common methods of accessing files or content:
- Web (HTTP/HTTPS)
- FTP (FTP/FTPS)
- File Shares (Samba)
- E-mail (SMTP/MIME/SMIME)
It is an extremely powerful and versatile tool that has many uses. The example below (a hypothetical engineering consulting firm Eng-123 and its client OEM-XYZ) describes a Flexshare and a typical working environment.
A Flexshare might be defined on a server owned by Eng-123 after successfully bidding on an engineering project for OEM-XYZ. CAD files (engineering drawings) associated with the project's design are centrally located on the server and should be accessed only by the users included in Eng-123's engineering group. The file-sharing (Samba) Flexshare definition is used to allow restricted access to this directory from the Local Area Network (LAN) or over Virtual Private Network (VPN) tunnels in the event engineers work remotely.
By adding Flexshare's FTPS (secure FTP) access, configured to require a username/password for read-only permission, the project manager of OEM-XYZ can have access to the drawings at any time from anywhere on the Internet. The increase in productivity from real-time access to the CAD drawings keeps the project on track and removes the need to e-mail CAD files, which are often large and not ideal for e-mail transfers.
In the event Eng-123 and OEM-XYZ want to track schedule 'snapshots' of an OpenOffice Calc document or notes on the design phase in PDF format, Eng-123's administrator configures Flexshare's email upload access. Both companies can now send signed/encrypted emails to a single email address where the attachment (a .ods or .pdf file extension in this case) is automatically stripped from the email and stored on the server. These same files can then be accessed by web, FTP or file share, which provides the added benefit of a historical view of the entire project.
Nearing the completion of the project, OEM-XYZ's sales/marketing team makes a request to have an assortment of images created by the CAD software's rendering engine from 3D wire-frame. Flexshare's web access, set up with unrestricted access, gives the sales team the images they need to begin pre-selling, with just a browser and a URL provided.
The above illustrates just one possible use of Flexshares. Much simpler Flexshares can be created for everyday tasks common to any small business such as hosting and updating a website, creating user-restricted file shares or using e-mail as a simple file transfer utility.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
You will also need to install one or more of the following modules to enable functionality for the following services:
- Web access - cc-httpd
- FTP access - cc-proftpd
- File access - cc-smbd
- E-mail upload - cc-postfix, cc-cyrus
Configuration
Share Overview
Once the system user has been updated with the password provided, you will be presented with the Flexshare Overview.
The first table lists the shares you have currently defined, allowing you to quickly view which access methods are enabled in addition to the overall Flexshare status (either enabled or disabled). You can Edit, Delete and Toggle the status of each Flexshare using the Action links in the right-hand column. If no Flexshares are defined, the Action links will not be visible.
The second table allows you to define (create) a new Flexshare. See Creating a New Flexshare below.
Creating a New Flexshare
To define a new Flexshare, fill out the Name and Description fields and select a Unix group to represent the share owner in the Add a new Flexshare form. A Flexshare template will be created (with no access and disabled by default). The Editing a Flexshare form will be displayed, allowing you to customize the share options and enable access options.
Editing a Flexshare
You can make edits/changes to any defined Flexshare at any time. A newly created Flexshare will have no access points enabled, so you will want to configure at least one service (Web, FTP, Filesharing or E-mail) to take advantage of the share you have created.
To begin editing a Flexshare, you'll need to select which access point you want to modify.
Select the appropriate tab and use the help sections below to guide you through each type of access point and the options that are available.
Warning! Changes will take place immediately upon clicking the Update button if the share is enabled.
Web
Configuring Flexshare's Web access enables anyone (or authorized users only) to use a web-browser to navigate to a website in order to view content, interact with a dynamic web page (for example - a PHP or CGI enabled online store) or download files from an index listing.
One of the most common uses of Web access is to configure a Flexshare to define settings for a company website.
The rest of this section will describe the different settings that will modify the behaviour of a Web accessible Flexshare.
Enabled
Indicates the current status of the Web Access for a Flexshare. Note, even though the Web Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the Web Flexshare configuration.
Server Name
The server name (domain name) that will be used to access this Flexshare. If the default ports are being used (ie. 80 for HTTP or 443 for HTTPS), this parameter is locked to the Server Name field defined in the Web Server configuration. If custom ports are used, you can set this parameter to take advantage of Apache's Virtual Host capability.
Server URL
This field (actually a hyperlink for convenience) indicates the URL which will be used to access the share.
Accessibility
Accessibility allows you to restrict which interfaces incoming requests to the share are accepted from. Setting this field to LAN Only makes your Flexshare accessible from your Intranet only.
Firewall Configuration: If set to All, make sure you have added the appropriate incoming firewall rule if the server is the gateway, or forwarded the appropriate port on your firewall.
Show Index
If Show Index is set to Yes, browsers will display a listing of all files if there is no index page (ie. index.html, index.php etc.). This is normally only desirable if using the Flexshare as a file access service (similar to FTP). If you are running a website, this option should definitely be set to No.
Follow Symbolic Links
If Follow Symbolic Links is set to Yes, symbolic links leading to directories outside the document root will be followed.
Allow Server Side Includes (SSI)
If Allow Server Side Includes is set to Yes, standard includes will be allowed. By default, execution of code on a SSI will not occur for security reasons. To override this behavior, please see the Flexshare API.
Allow .htaccess Override
If Allow .htaccess Override is set to Yes, the presence of a file named .htaccess will permit users to change specific options inside the web directory. The default and recommended setting for this parameter is No, unless you have advanced knowledge of this Apache directive.
Require SSL (HTTPS)
Determines the protocol to use - HTTP or HTTPS. If you have enabled authentication, you are advised to set this to Yes (use HTTPS) since users will be required to provide their username/passwords to authenticate to the server. Using HTTPS ensures this sensitive data is encrypted.
Override Default Port
In some cases (for example, an ISP that blocks port 80), you may want to run the server on a non-standard port. In this case, set this field to Yes and supply a valid port for the service to bind to.
Require Authentication
If set to Yes, upon first connecting to the server, a user (ie. web client) will be prompted with a login dialog pop-up where they will enter their username/password. Before gaining access to the Flexshare, the username/password will be confirmed as a valid account on the server. In addition, the user must belong to at least one group that has been given access to the share as defined in the Group Access field (see below).
Typical dialog box pop-up requiring username/password authentication
Web Domain (Realm)
Indicates to the person logging in what realm they are attempting to access. The only time the value of this field is displayed is during the authentication process. In the screenshot above, the text "Sales Team Secure Flexshare" is the Web Domain (Realm) entry.
Group Access
Displays a list of all user-defined groups on the system (note, not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order to gain access to the share.
Enable PHP
Enables the execution of PHP script on the server. Any file with a .php/php4/php5 extension will be parsed by the PHP engine rather than by Apache directly.
Enable CGI
Similar to the PHP field above, but pertaining to CGI script. CGI script, however, is isolated to the /cgi-bin sub-directory (ie. http://beaker.lan/flexshare/sales/cgi-bin/store).
FTP
Configuring Flexshare's FTP access enables anonymous or authorized users only (or both) to use an FTP-client to connect via File Transfer Protocol in order to upload and/or download files to the server. The FTP protocol, while outdated, is still a prominent service today and is particularly useful for handling large files.
One of the downsides of the FTP protocol is that it uses separate ports to control dataflow and transmit payload data which causes conflicts with firewalls (both server and client side).
Enabled
Indicates the current status of the FTP Access for a Flexshare. Note, even though the FTP Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the FTP Flexshare configuration.
Server URL
The FTP URL (or domain name) used to access the service. This parameter defaults to the Server Name field defined in the ProFTP Server configuration. If you are having difficulty accessing the Flexshare, see the "FTP Access Going to Home Directory Instead of Flexshare" troubleshooting guide.
Require SSL (FTPS)
Determines the protocol to use - FTP or FTPS. If you have enabled authentication, you are advised to set this to Yes (use FTPS) since users will be required to provide their username/passwords to authenticate to the server. Using FTPS ensures this sensitive data is encrypted.
Override Default Port
Flexshare FTP/FTPS uses port 2121/2120 and 2123/2122 as the default ports (see bubble below for an explanation). You can override these standard ports by setting this parameter to Yes and entering the custom ports in the fields that will appear upon changing the override drop-down.
Virtual Hosts: Unlike the Apache web-server, the ProFTP FTP-server lacks true virtual host capability, restricting the server domain to a single entry. As a result, the ProFTP server default ports for FTP and FTPS have been set to 2121 and 2123 respectively to allow users/administrators to continue to use the default configuration file for FTP for their own custom use (ie. users' home directories etc.).
Allow Passive (PASV)
Allowing passive connections can improve the experience/usability of FTP access to clients accessing the service outside the local network. However, care must be taken to open or forward appropriate ports to your network for the port range you designate for passive exchange. For more information on Active vs. Passive connections, see the Links section below.
Require Authentication
If set to Yes, non-anonymous authentication is required. Before gaining access to the FTP Flexshare, the username/password will be confirmed as a valid account on the server. In addition, the user must belong to the group that owns the share.
Group Greeting
A greeting that is displayed once when a user authenticates and has access to the FTP Flexshare.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order to gain access to the share.
Group Permissions
Deprecated in 4.2 and above
Files uploaded via FTP to the server require two constraints:
- Ownership (user and group)
- Permissions (user, group and world)
For authenticated connections, the first constraint is satisfied by using the username of the user logged in and the default system group flexshare. This allows tracking who originally uploaded the folder, yet the generic flexshare group allows anyone who has access to the share to be able to read (and possibly overwrite) the file.
The second constraint is dealt with by setting FTP's UMASK directive. This setting is handled by the Group Upload Attributes parameter.
Group Upload Attributes
Deprecated in 4.2 and above
Allows you to set FTP's UMASK directive, which sets the file permissions on upload. This field consists of three drop-down boxes, each with the same permissions options.
- List 1 - User permissions
- List 2 - Group permissions
- List 3 - World permissions
The options contained in each drop-down box contain three characters. The characters are defined as:
- Hyphen - No permissions
- r - Read
- w - Write
- x - Execute
Allow Anonymous
Allows anonymous FTP access. Users only have to provide the username anonymous and (usually) their e-mail address to gain access to the share. Use anonymous when you are not providing access to restricted files and you do not want/need to create individual accounts on your server to authenticate against.
Anonymous Greeting
Same as Group Greeting except applied to the anonymous login.
Anonymous Permissions
Same as Group Permissions except applied to the anonymous login.
Anonymous Upload Attributes
Deprecated in 4.2 and above
Same as Group Upload Attributes except applied to the anonymous login.
File
Configuring Flexshare's File access (SAMBA) enables public or authorized users only (or both) to connect via file sharing in order to move files from desktop to the server and vice-versa.
Enabled
Indicates the current status of the File Access for a Flexshare. Note, even though the File Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Last Modified
A timestamp indicating the last time a change was made to the File Flexshare configuration.
Comment
Allows a comment or description of the fileshare to be displayed to other computer clients accessing the share.
Public Access
Set Public Access field to Yes if you want to allow anyone on the Local Area Network (LAN) access to the Flexshare.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user requiring authentication must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order to gain access to the share.
Permissions
The Permissions field determines what type of access group members (or the public, if set) have to files on the share.
File Write Attributes
If users have write permission to this flexshare, setting this field will set all files copied to the server with the appropriate permissions. See Group Upload Attributes for information on these settings.
E-mail
Configuring Flexshare's E-mail access allows the uploading of files to the server. This is accomplished by simply attaching one or more files to an e-mail and sending it to the corresponding Flexshare e-mail address. To place restrictions on who can upload files, mandatory digital signatures combined with group lists and a separate Access Control List (ACL) are imposed.
Enabled
Indicates the current status of the E-Mail Access for a Flexshare. Note, even though the E-Mail Access point is enabled, the overall Flexshare must also be Enabled in order to work.
Use the Enabled/Disabled link at the bottom of the form to toggle the status.
Warning! If disabled, all email sent to the Flexshare will automatically be deleted, regardless of the Save Attachments setting.
Last Modified
A timestamp indicating the last time a change was made to the E-mail Flexshare configuration.
Email Address
The e-mail address that users will use to upload files to the Flexshare.
Save Attachment Path
Possible options are:
- Root Directory - files will be saved to /var/flexshare/shares/FLEXSHARE_NAME
- Mail Sub-Directory - files will be saved to the /mail sub-directory off the root directory
- Specify in Subject Heading - A user can specify the path they would like the file(s) uploaded to by using the format Dir = PATH in their subject, where PATH is the directory path to use
Write Policy
Allows you to control overwrites if a file already exists.
Save Attachments
Setting this field to Require Confirmation keeps messages (and their attachments) in the queue. Any file attachments will only be saved when confirmed.
Set this field to Automatically poll at 5 minute intervals to have the server initiate a check for new messages and save the attachments automatically to the server. These files will then be immediately accessible by the other Flexshare access methods.
Notify on Receive (e-mail)
If the Save Attachments field is set to Require Confirmation, use the Notify on Receive (e-mail) field to enter a valid e-mail address to send an alert to upon receiving new e-mails containing file attachments.
Restrict Access
Set this to Yes to match an address to a system user or the ACL.
Security Alert: It is highly recommended that the Restrict Access feature is enabled to prevent anonymous file uploads from occurring.
Group Access
Deprecated in 4.2 and above
Displays a list of all user-defined groups on the system (note, not system groups). A user sending an e-mail with attachment(s) to the Flexshare address must belong to at least one group that is enabled to access the Flexshare (checkbox in a checked state) in order for the file(s) to be saved. If it is determined the e-mail sender does not have access to upload files, the e-mail will be deleted.
E-mail ACL
Add e-mails to the E-mail ACL (Access Control List) to allow non-system accounts access to upload files to the server via e-mail.
Require Signature
Signing e-mail using digital signatures is the only way to verify e-mail is originating from the address it claims to be sent from. Enabling this feature will discard any e-mails and the associated attachments which are not signed.
Spoofing Return Address: It is a trivial task to spoof the From Address contained in an e-mail header. Take advantage of 4.0's SSL Certificate Manager and use signed certificates to validate the sender's address.
File Write Attributes
Saved files to the server originating from e-mail attachments will use the permissions set in this field. See Group Upload Attributes for information on these settings.
Deleting a Flexshare
Deleting a Flexshare that is currently defined can be done from the Overview page. Click on the Delete link next to the share you wish to delete. A form similar to the one shown below will be displayed requesting you to confirm your intention to delete the share.
Checking the Delete all files and remove share directory option will do exactly that - make sure you no longer need any files in the share directory and all sub-directories, or have backups located elsewhere.
Use the Disable share function instead of Delete in the event you want to remove share access temporarily but not lose all your configuration settings.
Advanced Configuration
Custom Paths
In some cases, it is desirable to host a Flexshare in a location other than the default path (/var/flexshare/shares/SHARENAME). For example, a mounted USB Mass Storage Device or an encrypted filesystem. In this case, edit the file /etc/flexshare.conf using an editor or a utility like SCP. The parameter key is named FlexshareDirCustom. The format of the value is name:path. For multiple entries, each definition is separated by the pipe (|) character. The following is a valid entry example:
FlexshareDirCustom=Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb
The above would provide two additional paths to the dropdown list of any Flexshare. The first (Iomega) is an Iomega REV drive with an encrypted filesystem mounted at the path /mnt/dmcrypt/Iomega. The second is an example of a mounted USB drive at /mnt/usb.
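A pre-flight check for custom paths, added here as an example and not part of the original page or of Flexshare itself: it parses a FlexshareDirCustom value (name:path entries separated by pipes) and flags entries whose path is not absolute, not normalized, or not currently a mount point. The last case matters for removable or encrypted volumes, because an unmounted path is just an ordinary directory on the parent filesystem. The function names and the injectable is_mount parameter are assumptions of this example.

```python
import os
import posixpath

# Constructed sample: the value part of the entry shown above.
SAMPLE_VALUE = "Iomega:/mnt/dmcrypt/Iomega|USB:/mnt/usb"


def parse_custom_dirs(value):
    """Split a FlexshareDirCustom value into an ordered list of (name, path)."""
    entries, seen = [], set()
    for raw in value.split("|"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a stray leading or trailing pipe
        # Only the first colon separates name from path.
        name, sep, path = raw.partition(":")
        name, path = name.strip(), path.strip()
        if not sep or not name or not path:
            raise ValueError(f"malformed entry {raw!r}, expected name:path")
        if name in seen:
            raise ValueError(f"duplicate name {name!r}")
        seen.add(name)
        entries.append((name, path))
    return entries


def audit_custom_dirs(value, is_mount=os.path.ismount):
    """Return (name, path, problem) tuples for entries that need attention.

    is_mount is injectable (hypothetical parameter) so the check can be
    exercised without real mounts; by default it asks the running system.
    """
    findings = []
    for name, path in parse_custom_dirs(value):
        if not posixpath.isabs(path):
            findings.append((name, path, "path is not absolute"))
            continue
        if posixpath.normpath(path) != (path.rstrip("/") or "/"):
            findings.append((name, path, "path is not normalized ('.', '..' or '//')"))
            continue
        if not is_mount(path):
            # e.g. the dm-crypt volume or USB drive is not mounted right now
            findings.append((name, path,
                             "not a mount point: files would be written to "
                             "the parent filesystem"))
    return findings


if __name__ == "__main__":
    for name, path, problem in audit_custom_dirs(SAMPLE_VALUE):
        print(f"{name} ({path}): {problem}")
```

Run it on the server before enabling a share that uses a custom path, and again after a reboot, when removable or encrypted volumes may not have been remounted.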
Troubleshooting
Firewall
Remember to open up appropriate ports on your firewall if your intention is to allow access from outside your network. Some common ports for Flexshare access services are listed below.
FTP Access Going to Home Directory Instead of Flexshare
If you have enabled FTP access and require authentication and you find that users are being sent to their home directories instead of the defined Flexshare, the solution is quite simple - the cause quite complex.
The problem stems from the fact that ProFTP does not support virtual domains and is attempting to resolve the system hostname in order to determine which configuration to use. If you have an entry in your /etc/hosts file mapping your system hostname to your internal IP, users logging in from outside the network will experience the problem described above. To fix the problem, use Webconfig and navigate to "Network > Hosts and DNS Server". Remove the entry that maps your server hostname to the internal address (ie. 127.x.x.x or 192.168.x.x or 10.x.x.x). Once you have done this, go to the ProFTP configuration and stop and then restart the service.
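A check for the condition described above, added here as an example and not part of the original page: it scans hosts-file text for lines that map the system hostname (or its short form) to a loopback or internal address. The function name, the constructed sample file and the inclusion of 172.16.0.0/12 alongside the ranges the page lists are assumptions of this example.

```python
import ipaddress
import socket

# Ranges named on the page (127.x, 192.168.x, 10.x) plus 172.16.0.0/12,
# which is added here as an assumption to cover all of RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample /etc/hosts content; names and addresses are placeholders.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1      localhost.localdomain localhost",
    "192.168.1.1    gateway.example.lan gateway   # LAN address",
    "203.0.113.10   www.example.com",
    "# 10.0.0.5     gateway.example.lan (commented out)",
])


def internal_hostname_entries(hosts_text, hostname):
    """Return (line_number, address) for every hosts entry that maps
    `hostname`, or its short form, to a loopback or internal address."""
    fqdn = hostname.lower().rstrip(".")
    wanted = {fqdn, fqdn.split(".", 1)[0]}
    hits = []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address line
        names = {n.lower().rstrip(".") for n in fields[1:]}
        if names & wanted and any(addr in net for net in INTERNAL_NETS):
            hits.append((lineno, str(addr)))
    return hits


if __name__ == "__main__":
    with open("/etc/hosts", encoding="utf-8") as fh:
        for lineno, addr in internal_hostname_entries(fh.read(), socket.gethostname()):
            print(f"/etc/hosts line {lineno}: hostname mapped to {addr}")
```

An empty result means no such mapping exists; any line it reports is a candidate for the removal step above.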
Access
Not all access methods have the same capabilities because of the protocol/design of individual services. The table below illustrates the capabilities of the four access services available to the Flexshares you have created.
| Access Method | View | Upload | Download | Default Port(s) |
|---|---|---|---|---|
| Web | | | | 80 (HTTP), 443 (HTTPS) |
| FTP | | | | 2121/2120 (FTP), 2123/2122 (FTPS) |
| File | | | | N/A |
| E-mail | | | | 25 (SMTP) |
Links
FTP Server
Overview
| FTP Server | Information |
|---|---|
| Description | A full-featured FTP server. |
| Package Name | cc-proftpd |
| Configuration Page | Software > FTP > FTP Server |
Configuration
The default configuration for the CommGate system allows read-only anonymous FTP to the /var/ftp directory and full access to valid user accounts. Advanced configuration of the FTP server can be done in one of two ways:
- Creating and configuring a Flexshare (Version 4.0 and up only)
- Editing the /etc/proftpd.conf configuration file. See the links section below for details.
Links
Print Server
Overview
| Print Server | Information |
|---|---|
| Description | A print server. |
| Package Name | cc-cups |
| Configuration Page | Software > Printing > Print Server |
The CommGate Server includes Cups (the Common Unix Printing System) as well as a large set of printer drivers.
Configuration
Configuration of the printing system is done using the Cups web interface. You can access this interface via the CommGate web-based interface.
Warning! As a security precaution, the Cups web interface is only accessible on a trusted (LAN) network. You cannot access the web interface from a remote Internet connection.
Supported Printers
Not all printers are compatible with Linux. The best resource is the Linux Printing Database. You can find whether or not your printer is supported. If so, then follow the link from the web-based administration tool to add your printer.
Cups and Samba
When you configure a new printer with Cups, it will appear as a shared printer in Windows Network Neighborhood (if Samba is installed). However, you will need to restart the Samba service after adding a new printer.
Links
Windows File Sharing
Overview
| File Sharing / Samba | Information |
|---|---|
| Description | Samba file sharing system for Windows. |
| Package Name | cc-samba |
| Configuration Page | Software > File Services > Windows File Sharing |
Your CommGate system provides file serving capabilities for a Windows network. Among other tasks, you can use the software for backup file storage, and sharing printers.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
Basic Configuration
The basic configuration for the Windows/Samba file server is straightforward -- at the very least, you will want to change the Name, Workgroup and Comment. If you are using Windows PCs, you will be able to see your CommGate Server through your Network Neighborhood.
Name
The name of the system as it appears on Windows Networks.
Workgroup
The Windows Network workgroup. If you are configuring your system as the primary domain controller (PDC) then this is also the name of the domain.
Comment
The comment is a short description for the system.
WINS Server / WINS Support
If you plan on using VPN or have more than two local networks, we strongly recommend that you enable a WINS server on your network. If you already have a WINS server, you can enter the IP address of the server in the WINS Server field. Alternatively, the CommGate Server can be configured as a WINS server on your network. Enable the WINS Support option. More information on WINS is available in this Howto.
PDC - Primary Domain Controller
If you would like your CommGate Server to act as a primary domain controller (PDC), you can configure the settings.
Status
Toggle this field to enable/disable PDC mode.
Administrator
Select a user account for PDC administration. This account will be used to add computer systems to the domain.
Logon Fields
Review the Samba documentation for configuring the Logon fields.
Common File Shares
- The homes folder contains private user folders.
- The printers icon will appear if you configure a shared printer.
- The shared folder is for public file sharing.
- The website folder contains the files for your web site.
- The ftpsite folder contains the files for your web site.
Custom File Shares
To add custom file shares, use the Flexshare groupware tool (Enterprise and Community Edition only).
Advanced Configuration
For some installations, you may need to fine tune the Windows/Samba file sharing software. Please review the Samba documentation before changing these settings.
Security Type
If you are using the CommGate Server as a PDC, this should be set to Domain, otherwise it should be set to User. If you want to disable user authentication, you can set this option to Share (not recommended).
Domain Master
If you do not have a Windows server running on your network, you may want the CommGate Server to act as the Domain Master (in other words, the "boss" of the Windows Network). You should also set the OS Level to 50 or higher.
Local Master
In most cases, this should be set to Automatic.
OS Level
See the Domain Master section.
Troubleshooting
Due to a feature in Microsoft networking, you may not see the CommGate Server in Network Neighborhood right away; sometimes it takes several minutes to appear. A quick way around this "feature" is to use the Find Computer tool and type the IP address of the system.













