FileCloud on AWS - User Deployment Guide

Introduction

Use AWS infrastructure (EC2, EBS, S3) to jumpstart your own branded file storage solution in a few minutes.

Use Cases

  • File Sharing Portal - Use FileCloud to create your own branded file sharing, sync and mobile access solution for your employees, customers and partners.
  • File Sync - Use FileCloud for effortless file synchronization across users' computers, smart phones and tablets, so everyone can work together anywhere from any device.
  • Client Document Portal - Use FileCloud to create a client document portal on AWS infrastructure to serve your clients, customers and partners.
  • Endpoint Backup and DLP - Use FileCloud to securely back up your endpoint computing devices (PCs, Mobile Phones and Servers).
  • Enterprise Data Protection and DLP - Use FileCloud's unique data leak prevention (monitor, prevent and fix) capabilities to protect your enterprise data across all your users' devices (Computers, Mobile Phones/Tablets).
  • File Server Enablement - Use FileCloud's ServerSync to sync/back up your branch office Windows file servers to FileCloud running on AWS to get low latency LAN access as well as remote access from anywhere.
  • White Label Content Platform - Use the white label FileCloud Platform as part of your own product line to manage digital assets.

Overview of Typical Customer Deployment

FileCloud AMI's are available on the latest versions of Ubuntu and Windows. Depending on your requirements and familiarity, you can choose any operating system supported by FileCloud. FileCloud stores the file, user and share metadata in MongoDB (pre-installed in the AMI), and actual files can be stored on a disk, AWS Elastic File System or AWS S3. For smaller deployments, disk is sufficient for file storage. For medium and large deployments, our recommendation is to use AWS S3 for file storage. The FileCloud AMI is also pre-configured for document preview and document indexing for full text search. It takes less than 30 minutes to configure the FileCloud AMI and get it running for production workload.

Prerequisites and Requirements

FileCloud AMI's are completely self-contained. You don't need to install any additional software. Basic AWS skills are sufficient to deploy FileCloud on AWS. Simple deployments involve just EC2 and Disk (OR) EC2 and AWS S3. FileCloud AMI's are available under a BYOL model. You need to register in our customer portal to get the trial license. Once you get the trial license, you need to upload it to your running EC2 instance. Since FileCloud AMI's are available on Ubuntu and Windows Server OS, you can choose the OS you are familiar with.

Architecture Diagrams




To access FileCloud, you only need port 80 (http) or 443 (https). We strongly recommend using 443 and allowing only SSL access. Depending on the underlying OS, you may need to open up port 22 (SSH access) and 3389 (Remote Desktop) for managing the FileCloud instance. Our recommended security practice is to specify the IP range for SSH and Remote Desktop instead of opening them for access from anywhere.
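One way to check a security group against the port guidance above, as an added example (not FileCloud's or AWS's own code). The rules are constructed sample data in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function names and the `max_mgmt_addresses` threshold are assumptions.

```python
import ipaddress

# Management ports the guide says to restrict to a known IP range.
MGMT_PORTS = {22: "SSH", 3389: "Remote Desktop"}
PLAIN_HTTP = 80  # the guide recommends 443 with SSL-only access


def covers(rule, port):
    """True if one IpPermissions entry allows the given TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sources(rule):
    """IPv4 and IPv6 source ranges of a rule as ip_network objects."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def audit_ingress(ip_permissions, max_mgmt_addresses=256):
    """Report rules that go against the guide's port recommendations.

    max_mgmt_addresses is an assumed threshold: a source range for SSH or
    Remote Desktop with more addresses than this is reported as too broad.
    """
    findings = []
    for rule in ip_permissions:
        for net in sources(rule):
            for port, name in MGMT_PORTS.items():
                if covers(rule, port) and net.num_addresses > max_mgmt_addresses:
                    findings.append(f"{name} ({port}) open to {net}")
            if covers(rule, PLAIN_HTTP):
                findings.append(f"HTTP (80) open to {net}; prefer 443 only")
    return findings


# Constructed sample rules (not from a real account); 203.0.113.0/28 is a
# documentation range standing in for an office network.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/28"}]},
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print(finding)
```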

FileCloud secrets and keys are protected and managed in the FileCloud database. FileCloud supports encryption at rest. To initialize encryption, the administrator may supply an optional master password and start the initialization process. Once the initialization process is started, the following steps happen as part of the process:

  1. An asymmetric key pair (private/public) known as "Master" key is generated with the optional master password.
  2. A symmetric key known as "Plain File" key is generated.
  3. The File key created in step 2 is encrypted using the Master private key resulting in an "Encrypted File" key.
  4. All the existing unencrypted files (if they exist) in the FileCloud storage will be encrypted before the system is ready for use. See the next section for more information on file encryption.

Warning On Master Password

If an optional master password was specified, the administrator has to retain the password for future use. Without this password, the encryption module cannot encrypt/decrypt files in the FileCloud storage.


Additional details on the keys:

Master public/private key pair
  • Key Details: Asymmetric, 4096 bits, RSA, sha512 digest
  • User Input: Password (optional)
  • Persistence: Both private and public keys are persisted.
  • Remarks: It is important to save the password (if one was provided).

Plain File Key
  • Key Details: Symmetric, AES, 128 bits
  • User Input: None
  • Persistence: Not persisted
  • Remarks: Plain file key will be used to encrypt/decrypt all files using symmetric encryption. This key will not be persisted but will be cached for performance. The cache will be valid for the lifetime of the FileCloud server process.

Encrypted File Key
  • Key Details: Encrypted using master public key
  • User Input: None
  • Persistence: Encrypted file key is persisted
  • Remarks: Decryption of the encrypted file key results in the plain file key. Decryption of the encrypted file key will be done using the master private key and optional master password. The encrypted file key is decrypted every time the FileCloud server is started. The plain key that results from the decryption process is cached for the lifetime of the FileCloud server process. Restarting the server will need a fresh decryption.

If you are going to use S3 for Managed File storage, please see the security section below to understand the file encryption options available.

Planning Guidance

Security

When you deploy FileCloud, you can use EBS for managed file storage or you can choose S3. If you choose S3, please use the following instructions to set up S3 for FileCloud.

Setting up Amazon S3 Credentials

  1. Log into Administration Portal
  2. Navigate to Settings 
  3. Select "Storage" tab
  4. Enter the S3 config information. Refer to the following table for more information about each setting
  5. Click on Save S3 setting
Field: Description
  • S3 Key: This is your Amazon authentication key (to get your access key, visit the Amazon security portal). For an IAM user, it requires the IAM Policy for S3 Access given below.
  • S3 Secret: This is your Amazon authentication secret (to get your access key, visit the Amazon security portal). For an IAM user, it requires the IAM Policy for S3 Access given below.
  • S3 Bucket Name: Provide a bucket name. The bucket should be new (in some circumstances, a bucket previously used in FileCloud could be used). It is very important that the S3 bucket is never modified outside of the FileCloud subsystem.
  • S3 Storage Folder: Optional: All files will be stored inside this root storage folder (will be created automatically).
  • S3 Region: Optional: Provide the region string. If the region is not provided, then the US Standard region will be used. If you are planning to have your bucket in a different region (say Europe, South East), provide the correct region string. The strings should match the region string published by Amazon. Note: For GovCloud installs, you must use region string: us-gov-west-1
  • S3 End Point URL: Optional: This is the S3 endpoint. Use this if you are planning to use your own S3 endpoint (typically S3 compatible storage) or if it is an unpublished region. If you use an AWS endpoint, it must be one of the published AWS endpoints.

Note: The Amazon S3 Bucket should NEVER be modified outside of FileCloud subsystem
Do not add/edit/modify files directly using Amazon tools. Doing so will destabilize your FileCloud installation.

IAM Policy for S3 Access

If you are going to use S3 for file storage, FileCloud requires S3 access in order to create the bucket and manage it. The IAM user used to manage it must have the following permissions. The policy below grants access to all buckets in your S3 console. You can restrict it to a specific bucket using the appropriate resource ARN, something like arn:aws:s3:::bucket_name


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
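The bucket restriction mentioned above, as an added example (not FileCloud's own tooling): it rewrites the wildcard policy so that bucket-level actions apply to the bucket ARN and object-level actions apply to the objects under it. The bucket name `example-filecloud-bucket` and the function names are assumptions.

```python
import json

# The policy from this guide: every action is allowed on every bucket.
WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:GetObject",
                   "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::*"],
    }],
}

# Bucket-level actions are checked against the bucket ARN, object-level
# actions against object ARNs (bucket_name/key).
BUCKET_LEVEL = {"s3:CreateBucket", "s3:ListBucket"}
OBJECT_LEVEL = {"s3:DeleteObject", "s3:GetObject", "s3:PutObject"}


def as_list(value):
    """IAM allows a single string where a list is expected."""
    return [value] if isinstance(value, str) else list(value)


def scope_to_bucket(policy, bucket):
    """Return a copy of the policy limited to one bucket and its objects."""
    arn = f"arn:aws:s3:::{bucket}"
    statements = []
    for stmt in policy["Statement"]:
        actions = as_list(stmt["Action"])
        unknown = set(actions) - BUCKET_LEVEL - OBJECT_LEVEL
        if unknown:  # refuse to guess the resource type of other actions
            raise ValueError(f"unclassified actions: {sorted(unknown)}")
        for level, resource in ((BUCKET_LEVEL, arn), (OBJECT_LEVEL, arn + "/*")):
            chosen = [a for a in actions if a in level]
            if chosen:
                statements.append({"Effect": stmt["Effect"],
                                   "Action": chosen, "Resource": [resource]})
    return {"Version": policy["Version"], "Statement": statements}


def wildcard_resources(policy):
    """Resources in Allow statements that still span every bucket."""
    return [r for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for r in as_list(stmt["Resource"])
            if r in ("*", "arn:aws:s3:::*")]


if __name__ == "__main__":
    scoped = scope_to_bucket(WIDE_POLICY, "example-filecloud-bucket")
    print(json.dumps(scoped, indent=2))
```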


Setting up S3 Encryption for FileCloud Managed Storage

S3 Managed Storage Encryption support to protect data at rest is available in FileCloud. Communication between FileCloud and AWS uses SSL encryption, resulting in complete protection for data in transit. Once S3 is set up correctly, a new field "S3 Encryption" will be available under Amazon S3 Storage Settings.

FileCloud supports the following Server Side Encryption:

Encryption Type: Notes
  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): All data is encrypted at rest using AES256 bit encryption. The data can only be accessed using the supplied key/secret credentials. The data will be accessible via S3 Console (which should NOT be done for FileCloud Managed storage data).
  • Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS): Similar to SSE-S3, but the key itself is managed using Amazon's KMS service. This allows management of specific keys and their permissions for encrypting the data. The data is still encrypted at rest and is accessible via S3 Console with appropriate credentials.
  • Server-Side Encryption with Customer-Provided Keys (SSE-C): This is new support available from FileCloud v15 onwards. The data will be encrypted using a customer supplied 32 bit encryption key. This option will have SLOWER performance due to restrictions on how this data can be decrypted (the Amazon server will NOT be able to decrypt the data, and the data has to be first downloaded to the FileCloud server and decrypted). The data will also NOT be accessible via S3 console.

To manage S3 encryption,

  1. Log into Administration Portal
  2. Navigate to Settings 
  3. Select "Storage" tab
  4. Click on "Manage" button in the S3 Encryption option

Depending on the status of encryption, you will see "Enable encryption" or "Disable encryption" button. 


Enabling encryption will attempt to encrypt all available data in the bucket, and all new data will be encrypted as well. This can take some time depending on the amount of existing data in the bucket. Please modify the encryption setting when there is minimal activity in FileCloud.

Although changing encryption can be done at any time, we recommend using off-peak hours to avoid any unexpected access issues.



For Windows, if your xampp is installed in a location other than c:\xampp, then add the following key in <your xampp folder>\htdocs\config\cloudconfig.php
For example, if your xampp is in D:\xampp, then in the file D:\xampp\htdocs\config\cloudconfig.php, add the following string (at any location before the bottom "?>" line)

define("PHPBIN_PATH","D:\\xampp\\php\\php.exe");







Costs

A T2.Medium or T3.Medium is sufficient to run FileCloud for 100 users. File storage cost depends on the storage method you choose (EBS, EFS or S3), the amount of files you will be storing and the access pattern. Typical cost for 100 users and 10 TB storage comes to around $2800-3250 per year.

Sizing

A T3.medium (Unlimited) can handle approximately 30-40 FileCloud calls per second, which equates to approximately 100-200 users using FileCloud. Depending on the number of users and their access pattern, you can scale your deployment vertically (choose a bigger instance) or horizontally (add more instances).

Deployment Guidance

Deployment Assets

FileCloud pre-built AMI's (Amazon Machine Image) are currently available in Amazon AWS Marketplace. We have pre-built images for both Linux (Ubuntu) and Windows Server OS.  You can choose the base OS  as per your preference.

Steps to Launch FileCloud AMI

1. Log in to the AWS management console and click EC2 (Virtual Servers in the Cloud)


2. Click Launch Instance


3. Search FileCloud AMI in AWS marketplace. Choose the latest version.
The version details in the screen shot is for reference purposes only. The latest version details may be different from the information shown.



4. Choose the desired Amazon EC2 Instance type. We recommend at least t2.medium or t3.medium. However, for best performance, the "m" series is better, for example m3.medium. If you choose the t2 or t3 series, please enable T2/T3 unlimited when you configure the instance.

5.  Configure the security group to open up the port 80/443 for web access.

Note: You might need to open other ports such as 443 (HTTPS), depending on your business requirements.

6. Complete the Final Review and launch the instance.

7. You can now see your FileCloud running in your AWS dashboard. Please note the Public DNS name to access your FileCloud.

Instance started with a public IP

8. Type 'http://<public_dns_name>/ui/admin/index.html' in your browser to access the FileCloud admin portal.   If the Webpage fails to load, please verify port 80 is open as mentioned above in Step 5.

Default Admin: admin
Default Password: Your amazon instance ID
Note: Please change the admin password upon first login.


9. Once you have logged in to the admin portal, please install the FileCloud License.
Please register at our license management portal (https://portal.getfilecloud.com/ui/user/index.html?mode=register) to get trial licenses.

 


  1. The user name for the underlying Ubuntu OS is 'ubuntu'. Before launching the instance, you will be required to create a key pair, or you can use your existing key pair.
  2. If you go to 'http://<public_dns_name>/install', the page will show all the installed packages in this instance. Check the page and familiarize yourself with the FileCloud components. Before going to production, move the install folder somewhere else.
  3. We recommend that you use S3 for file storage instead of EBS. Please check the following section (Enabling Amazon S3 Storage) to learn how to set up S3 for FileCloud file storage.
  4. The default FileCloud instance uses our SMTP servers and accounts to send emails. Please change this to your SMTP server for security purposes.
  5. Please change the admin email to your organization email address. This email address is used in all the emails that are sent out from the FileCloud system.

Enabling Amazon S3 Storage


Warning

Do not change this once the installation is set up and data is already stored. This should only be set up for fresh installs.
When changing the storage type from local to amazons3, the file(s)/folder(s) that have already been stored in the local storage will not be automatically moved to AWS S3 storage.
In this case, the administrator has to manually export file(s)/folder(s) from local storage before changing the storage type and manually import them after changing the storage type.
Be very careful when changing the storage path. If done improperly, it could lead to data loss.


To enable Amazon s3 storage as the backend,

Step 1:

Edit the file "WWWROOT/config/cloudconfig.php" and change the line

define("TONIDOCLOUD_STORAGE_IMPLEMENTATION", "local");

to read as

define("TONIDOCLOUD_STORAGE_IMPLEMENTATION", "amazons3");

Step 2:

Rename file "WWWROOT/config/amazons3storageconfig-sample.php" to "WWWROOT/config/amazons3storageconfig.php"

Nothing needs to be added or edited in amazons3storageconfig.php


In Windows WWWROOT is typically c:\xampp\htdocs and in Linux it is /var/www/html


Once you have configured the FileCloud storage, please follow the site setup instructions to set up the FileCloud site according to your requirements.

Operational Guidance

Health Checkup

AWS offers excellent system and instance status checks and CloudWatch monitoring. Pay attention to CPU utilization, Network In/Out and Network Packet In/Out of your EC2 instance. Using CloudWatch monitoring scripts, you can also monitor memory, swap, and disk space utilization of your EC2 instance.

Apart from the standard AWS monitoring metrics, FileCloud also offers system alerts. FileCloud Alerts are available in FileCloud's Admin portal.


This page tracks all unhandled exceptions and system error messages generated in the FileCloud server. The number of alerts is shown in the Dashboard, and the Alerts page shows detailed information about the various errors encountered.


Depending on the error, you might need to take steps to correct the problem. For example, if alerts indicate that system is frequently running out of memory, then system memory may need to be increased.


To view alerts:


  1. Log into the Administration portal.
  2. On the left navigation panel, click Alerts.


The following view shows errors detected by FileCloud.  The alerts are categorized as Informational, Warning, Critical and Fatal. Always pay attention to critical and fatal errors. FileCloud administrators also get periodic Administrator Summary emails that will show the number of alerts.






Backup and Recovery

FileCloud supports unlimited file versioning and a recycle bin. You can configure these options by logging in to the FileCloud admin portal. This provides protection from accidental deletes by users.

In addition, please take periodic snapshots of your running instance for disaster recovery and as an additional backup for the FileCloud database and app. If you are not taking snapshots of your running instance, at least make sure you are backing up the mongodb database to a disk or S3 using the AWS CLI. As long as we have the FileCloud database, we can recover the FileCloud application from instance/service failure.

The following instructions will back up mongodb to a designated S3 bucket (you can also set this up as a cron job so that it runs periodically):

cd /var/lib/mongodb
aws s3 sync . s3://my-bucket/fileclouddbbackup/


In case of instance failure, please start a new FileCloud AMI and follow the instructions below to bring the instance up and running.

1. Before making any changes, stop the mongodb service

service mongod stop

2. Copy the backup database files back to /var/lib/mongodb from the s3 bucket

cd /var/lib/mongodb
aws s3 sync s3://my-bucket/fileclouddbbackup/ .

3. Finally, start the mongodb service using the following command.

service mongod start


Routine Maintenance

We release 2 or 3 major releases every year. Routine maintenance requires you keep your FileCloud system updated to the latest version.

Generally, new FileCloud release availability will be notified in two ways:

  1. By subscribing to the FileCloud Mailing List
  2. By seeing the version update available in the FileCloud Admin Dashboard.


FileCloud offers in-place system updates. Please follow the instructions to update FileCloud from the admin portal.


  1. Log in to the admin UI. Select "Upgrade" from the left-side navigation panel.


  2. In the upgrade screen, click on "Click here to upgrade" button. 

  3. If there are no new updates available, no additional actions required.

  4. If there are any new updates available, a popup will be shown with new update information. 



  5. Click on the "Click here to Upgrade" button to start the upgrade process.

  6. The upgrade process will check for and perform the upgrade, and a report will be generated after the update process is completed.


  7. Once the upgrade is completed, you will be redirected to the install verification page at http://site/install

  8. Once it is verified that the checks are complete, refresh the browser UI (Ctrl + F5) to get the latest updated User Interface.

Emergency Maintenance

If the EC2 instance where you are running FileCloud is degraded, you have two options:

  1. Take a snapshot of the EBS disk and start an instance from the snapshot.
    (or)
  2. If option 1 is not feasible, please start a new FileCloud AMI and copy the backed up FileCloud Database files to /var/lib/mongodb  (Linux) or c:\xampp\mongodb\bin\data (Windows). Then start the mongod service.


Support

Please send an email to support@filecloud.com to receive technical support. 

  • We answer all support questions within one business day and most within a couple of hours
  • If your question or issue cannot be resolved via email, our support team will connect remotely via screen sharing software to troubleshoot and fix the problem on your server

Support Costs

Your annual FileCloud subscription includes a basic support plan, software updates, and security updates. For pricing of advanced support plans, please contact our sales team.


Accessibility


Reference Materials

FileCloud Site Setup Guide - FileCloud Site Setup Guide

FileCloud End User Guide - FileCloud End User Guides

FileCloud API Getting Started Guide - FileCloud Developer Guide