- 02 Feb 2023
- 8 Minutes to read
Planning and General Requirements
- Updated on 02 Feb 2023
- 8 Minutes to read
Planning Your Installation
A CTERA Portal installation comprises a cluster of one or more VMs (servers). Each server can host any combination of the following services:
- Main database. Only one server can host the main database. The server that hosts the main database is called the primary server.
- Application service. This service accepts connections and handles requests from Web and CTTP clients.
- Database replication server. A passive database service set to replicate an active database server. During server installation, you can turn on the replication service and select the database server from which to replicate.
- Document preview server. This service is in charge of processing document preview requests. It is mandatory to launch a dedicated document preview server. The document preview service supports high availability. You can install one or more servers, in order to ensure uninterrupted document preview generation and redundancy in the event of a server failure.
By default, the first installed server is the primary database server, hosting the main database and application server. In the simplest topology, there are two servers: one server that includes a main database and application service, and a second server that provides document preview services. You can install any number of additional servers, for Scalability, Sizing, and Load Balancing and for Data Replication and Failover.
Scalability, Sizing, and Load Balancing
CTERA Portal is horizontally scalable. Additional servers can be added:
- As application servers, to increase client handling capacity. Any servers that are enabled as application servers automatically balance the connected clients between them, allowing for maximized capacity and availability. The number of application servers deployed depends on the use case:
- ROBO (remote office, branch office) use case – The users connect to the local CTERA Edge Filers, each edge filer connection to a virtual portal is one connection, even if there are thousands of users connected to each edge filer. You require one application server for every 100 edge filers.
- FSS (file sync and share) use case – The users connect directly to a virtual portal. You require one application server for every 10,000 users and a minimum of one virtual portal for every 100,000 users.
- As document preview servers.
Data Replication and Failover
The main database is stateful and contains critical data. You must replicate all such servers to maintain the availability of critical data. The application service is stateless, and therefore, any dedicated application servers do not require replication or backup. Failover between application servers is automatic.
Replicating the database is described as part of the installation for a CTERA Portal.
CTERA Portal includes a built-in replication function for achieving higher level of availability. Replication can be achieved using other platform dependent replication methods (such as SAN or VMWare-level replication).
All internal communication between CTERA Portal servers is authenticated to prevent unauthorized access. Nevertheless, to follow the defense in-depth security philosophy, the primary database server, which stores sensitive data, should be placed in its own firewalled, isolated network, and only the application servers should be allowed to face the Internet.
CTERA Portal is deployed as a 64-bit virtual machine or as an instance on a cloud provider. The following hypervisors are supported:
- Nutanix AHV
The following cloud providers are supported:
- GCP (Google Cloud)
- IBM Cloud
To install, you need the CTERA Portal virtual machine image for your platform, obtainable from CTERA support.
The following requirements apply to all platforms. For specific platform requirements, refer to the installation guide for the platform.
- Web browser: The latest two releases of Apple Safari, Google Chrome, Microsoft Edge, and Mozilla Firefox.
- SSH and SCP clients. For example, the freeware PuTTY.
Production Deployment Blueprint
A minimal production installation of CTERA Portal comprises of four 64-bit virtual machines: Two database servers (primary and secondary) and two application servers. The minimum two application servers are required for high availability and load balancing.
If the CTERA Messaging service is deployed, the minimal production installation comprises of five 64-bit virtual machines: Two database servers (primary and secondary), and three application servers that also function as messaging servers.
For more details about the CTERA Messaging service, see Managing the Messaging Service.
Additional application servers may be deployed for further load balancing.
Three, and only three application servers function as messaging servers. Any additional servers function purely as application servers for load balancing.
Optionally, one or more preview servers can be deployed for document previews.
The following table details the requirements per CTERA Portal Server in a production environment.
|Primary Database Server||8 vCPU, 32GB RAM, 100GB data pool (SSD), 200GB archive pool (Magnetic)||The data pool should have at least 2000 IOPS and should be sized around 1% of the expected global filesystem size.|
The archive pool size should be at least double that of the data pool.
|Secondary, Replication, Database||The replication database server must have the same configuration as the primary database server.||–|
|Application Server||4 vCPU, 16GB RAM, 100GB data pool (Magnetic) or, with the CTERA Messaging service:|
4 vCPU, 32GB RAM, 250GB data pool (Magnetic)
|An application server can handle up 10,000 clients. When the number of expected clients will be near 10,000, 8 vCPUs and an additional 16GB is recommended (32GB without the CTERA Messaging service and 48GB with the CTERA Messaging service).|
|Preview Server||4 vCPU, 16GB RAM, 60GB data pool (SSD)||–|
All resources allocated to a server must be dedicated to that server and not shared with other servers. You must not run non-CTERA applications on any of the CTERA Portal servers.
CTERA recommends seeking guidance from CTERA support for a more accurate estimation of the required sizing.
Test Deployment Blueprint
The following table details the minimal requirements in a test configuration, with a single 64-bit virtual machine deployment.
Do not use this setup for production.
If the CTERA Messaging service will not be part of the test deployment:
- Single server, 2 vCPU, 8GB RAM, 100GB SSD storage
If the CTERA Messaging service will be part of the test deployment:
- Single server, 2 vCPU, 24GB RAM, 250GB SSD storage
- Access from the virtual machine to a Storage Area Network (SAN) or directly attached hard drive.
- The ports listed in Port Considerations are open.
- A DNS name for the CTERA Portal installation. This can be changed after the installation.
- An ICAP Server and license if the antivirus feature will be used.
- An SMTP mail server address and port for sending notifications, such as Amazon Simple Email Service (SES).
To allow access to and from the Internet on the firewall on each machine that will operate as an application server or database server, ensure the following network ports are open:
|22||TCP||Inbound and Outbound||SSH. CTERA recommends limiting SSH access to specific IP addresses that may require access to the CTERA application servers, for example to perform scheduled maintenance and support related work.|
|53||UDP||Inbound and Outbound||DNS|
|80||TCP||Inbound and Outbound||HTTP|
|443||TCP||Inbound and Outbound||HTTPS|
|995||TCP||Inbound||CTTP. Communications with CTERA Edge Filers and agents.|
|8443||TCP||Inbound||Communications with CTERA Edge Filers and agents for log collection.|
|xx (Use the port number that is used at your site for SMTP. The default port for SMTP is 25.)||TCP||Outbound||SMTP|
The following ports must be opened towards storage nodes:
|80 or 443 (for HTTPS)||TCP||Outbound||Object Storage (When Direct Mode is set for the storage node, HTTPS is set as and cannot be changed, requiring port 443.)|
|1191||TCP||Outbound||GPFS. Required for accessing GPFS nodes.|
If you are running a separated environment that consists of multiple CTERA servers residing on separate firewalled network segments (such as different AWS security groups), open the following additional ports between the CTERA servers. These ports should not be accessible from the Internet:
|443||TCP||Server to server messages.|
|4646||TCP||Nomad to Nomad communication.|
|4647||TCP||Nomad to Nomad communication.|
|4648||TCP||Nomad to Nomad communication.|
|4648||UDP||Nomad to Nomad communication.|
|5432||TCP||PostgreSQL. Only required for the primary database server and secondary, replication, servers.|
|8300||TCP||Consul to Consul communication.|
|8301||TCP||Consul to Consul communication.|
|8301||UDP||Consul to Consul communication.|
|8500||TCP||Consul to Consul communication.|
|8600||TCP||Consul to DNS server.|
|8600||UDP||Consul to DNS server.|
|18682||TCP||Only required for document preview servers.|
If CTERA Portal will be connected to Active Directory, open the following ports towards the Active Directory servers
|88||TCP/UDP||Outbound||If Kerberos is used|
|389||TCP/UDP||Outbound||LDAP/LDAP GC (Global Catalog)|
|3268||TCP||Outbound||LDAP/LDAP GC (Global Catalog)|
|636, 3269||TCP||Outbound||LDAP and LDAP GC with SSL (CTERA recommends using LDAP and LDAP GC with SSL instead of LDAP and LDAP GC.)|
CTERA Portal requires the following port open for RSync for database replication between the main and secondary databases. This port does not need to be accessible from the Internet:
CTERA Portal requires the following port open for antivirus scanning. This port does not need to be accessible from the Internet:
CTERA Portal requires the following ports open communication between CTERA Messaging Servers. These ports should not be accessible from the Internet:
CTERA Portal requires the following ports open for monitoring with Varonis. The Varonis Data Security Platform secures data from unauthorized access and cyber-threats, The following ports must be opened on all servers:
|3095||TCP||Inbound and Outbound||–|
|8443||TCP||Inbound and Outbound||–|
CTERA Portal operates behind a firewall, and it is important to leave all other ports closed.