Planning and General Requirements
  • 8 Minutes to read
  • Dark
    Light
  • PDF

Planning and General Requirements

  • Dark
    Light
  • PDF

Article summary

Planning Your Installation

A CTERA Portal installation comprises a cluster of one or more VMs (servers). Each server can host any combination of the following services:

  • Main database. Only one server can host the main database. The server that hosts the main database is called the primary server.
  • Application service. This service accepts connections and handles requests from Web and CTTP clients.
  • Database replication server. A passive database service set to replicate an active database server. During server installation, you can turn on the replication service and select the database server from which to replicate.
  • Document preview server. This service is in charge of processing document preview requests. It is mandatory to launch a dedicated document preview server. The document preview service supports high availability. You can install one or more servers, in order to ensure uninterrupted document preview generation and redundancy in the event of a server failure.

By default, the first installed server is the primary database server, hosting the main database and application server. In the simplest topology, there are two servers: one server that includes a main database and application service, and a second server that provides document preview services. You can install any number of additional servers, for Scalability, Sizing, and Load Balancing and for Data Replication and Failover.

Scalability, Sizing, and Load Balancing

CTERA Portal is horizontally scalable. Additional servers can be added:

  • As application servers, to increase client handling capacity. Any servers that are enabled as application servers automatically balance the connected clients between them, allowing for maximized capacity and availability. The number of application servers deployed depends on the use case:
    • ROBO (remote office, branch office) use case – The users connect to the local CTERA Edge Filers, each edge filer connection to a virtual portal is one connection, even if there are thousands of users connected to each edge filer. You require one application server for every 100 edge filers.
    • FSS (file sync and share) use case – The users connect directly to a virtual portal. You require one application server for every 10,000 users and a minimum of one virtual portal for every 100,000 users.
  • As document preview servers.

Data Replication and Failover

The main database is stateful and contains critical data. You must replicate all such servers to maintain the availability of critical data. The application service is stateless, and therefore, any dedicated application servers do not require replication or backup. Failover between application servers is automatic.

Replicating the database is described as part of the installation for a CTERA Portal.

CTERA Portal includes a built-in replication function for achieving higher level of availability. Replication can be achieved using other platform dependent replication methods (such as SAN or VMWare-level replication).

Security

All internal communication between CTERA Portal servers is authenticated to prevent unauthorized access. Nevertheless, to follow the defense in-depth security philosophy, the primary database server, which stores sensitive data, should be placed in its own firewalled, isolated network, and only the application servers should be allowed to face the Internet.

Requirements

CTERA Portal is deployed as a 64-bit virtual machine or as an instance on a cloud provider. The following hypervisors are supported:

  • Hyper-V
  • Nutanix AHV
  • OpenStack/KVM
  • ESXi.

The following cloud providers are supported:

  • AWS
  • Azure
  • GCP (Google Cloud)
  • IBM Cloud

To install, you need the CTERA Portal virtual machine image for your platform, obtainable from CTERA support.

General Requirements

The following requirements apply to all platforms. For specific platform requirements, refer to the installation guide for the platform.

  • Web browser: The latest two releases of Apple Safari, Google Chrome, Microsoft Edge, and Mozilla Firefox.
  • SSH and SCP clients. For example, the freeware PuTTY.

Production Deployment Blueprint

A minimal production installation of CTERA Portal comprises of four 64-bit virtual machines: Two database servers (primary and secondary) and two application servers. The minimum two application servers are required for high availability and load balancing.

If the CTERA Messaging service is deployed, the minimal production installation comprises of five 64-bit virtual machines: Two database servers (primary and secondary), and three application servers that also function as messaging servers.

For more details about the CTERA Messaging service, see Managing the Messaging Service.

Additional application servers may be deployed for further load balancing.

Note

Three, and only three application servers function as messaging servers. Any additional servers function purely as application servers for load balancing.

Optionally, one or more preview servers can be deployed for document previews.

The following table details the requirements per CTERA Portal Server in a production environment.

ServerMinimum RequirementsNotes
Primary Database Server8 vCPU, 32GB RAM, 100GB data pool (SSD), 200GB archive pool (Magnetic)The data pool should have at least 2000 IOPS and should be sized around 1% of the expected global filesystem size.
The archive pool size should be at least double that of the data pool.
Secondary, Replication, DatabaseThe replication database server must have the same configuration as the primary database server.
Application Server4 vCPU, 16GB RAM, 100GB data pool (Magnetic) or, with the CTERA Messaging service:
4 vCPU, 32GB RAM, 250GB data pool (Magnetic)
An application server can handle up 10,000 clients. When the number of expected clients will be near 10,000, 8 vCPUs and an additional 16GB is recommended (32GB without the CTERA Messaging service and 48GB with the CTERA Messaging service).
Preview Server4 vCPU, 16GB RAM, 60GB data pool (SSD)
Notes

All resources allocated to a server must be dedicated to that server and not shared with other servers. You must not run non-CTERA applications on any of the CTERA Portal servers.

CTERA recommends seeking guidance from CTERA support for a more accurate estimation of the required sizing.

Test Deployment Blueprint

The following table details the minimal requirements in a test configuration, with a single 64-bit virtual machine deployment.

Do not use this setup for production.

If the CTERA Messaging service will not be part of the test deployment:

  • Single server, 2 vCPU, 8GB RAM, 100GB SSD storage

If the CTERA Messaging service will be part of the test deployment:

  • Single server, 2 vCPU, 24GB RAM, 250GB SSD storage

Other requirements

  • Access from the virtual machine to a Storage Area Network (SAN) or directly attached hard drive.
  • The ports listed in Port Considerations are open.
  • A DNS name for the CTERA Portal installation. This can be changed after the installation.
  • An ICAP Server and license if the antivirus feature will be used.
  • An SMTP mail server address and port for sending notifications, such as Amazon Simple Email Service (SES).

Port Considerations

To allow access to and from the Internet on the firewall on each machine that will operate as an application server or database server, ensure the following network ports are open:

PortProtocolDirectionNotes
22TCPInbound and OutboundSSH. CTERA recommends limiting SSH access to specific IP addresses that may require access to the CTERA application servers, for example to perform scheduled maintenance and support related work.
53UDPInbound and OutboundDNS
80TCPInbound and OutboundHTTP
123UDPOutboundNTP
443TCPInbound and OutboundHTTPS
995TCPInboundCTTP. Communications with CTERA Edge Filers and agents.
8443TCPInboundCommunications with CTERA Edge Filers and agents for log collection.
xx (Use the port number that is used at your site for SMTP. The default port for SMTP is 25.)TCPOutboundSMTP

The following ports must be opened towards storage nodes:

PortProtocolDirectionNotes
80 or 443 (for HTTPS)TCPOutboundObject Storage (When Direct Mode is set for the storage node, HTTPS is set as and cannot be changed, requiring port 443.)
111, 2049TCPOutboundNFS
1191TCPOutboundGPFS. Required for accessing GPFS nodes.

If you are running a separated environment that consists of multiple CTERA servers residing on separate firewalled network segments (such as different AWS security groups), open the following additional ports between the CTERA servers. These ports should not be accessible from the Internet:

PortProtocolNotes
22TCPSSH
443TCPServer to server messages.
4646TCPNomad to Nomad communication.
4647TCPNomad to Nomad communication.
4648TCPNomad to Nomad communication.
4648UDPNomad to Nomad communication.
5432TCPPostgreSQL. Only required for the primary database server and secondary, replication, servers.
8300TCPConsul to Consul communication.
8301TCPConsul to Consul communication.
8301UDPConsul to Consul communication.
8500TCPConsul to Consul communication.
8600TCPConsul to DNS server.
8600UDPConsul to DNS server.
18682TCPOnly required for document preview servers.

If CTERA Portal will be connected to Active Directory, open the following ports towards the Active Directory servers

PortProtocolDirectionNotes
53TCP/UDPOutboundDNS
88TCP/UDPOutboundIf Kerberos is used
389TCP/UDPOutboundLDAP/LDAP GC (Global Catalog)
3268TCPOutboundLDAP/LDAP GC (Global Catalog)
636, 3269TCPOutboundLDAP and LDAP GC with SSL (CTERA recommends using LDAP and LDAP GC with SSL instead of LDAP and LDAP GC.)

CTERA Portal requires the following port open for RSync for database replication between the main and secondary databases. This port does not need to be accessible from the Internet:

PortProtocolDirectionNotes
873TCPInbound

CTERA Portal requires the following port open for antivirus scanning. This port does not need to be accessible from the Internet:

PortProtocolDirectionNotes
1344TCPOutbound

CTERA Portal requires the following ports open communication between CTERA Messaging Servers. These ports should not be accessible from the Internet:

PortProtocolNotes
2888TCP
3888TCP
5044TCP
8443TCP
12181TCP
18081TCP
18083TCP
19092TCP
38081TCP
38083TCP
39092TCP

CTERA Portal requires the following ports open for monitoring with Varonis. The Varonis Data Security Platform secures data from unauthorized access and cyber-threats, The following ports must be opened on all servers:

PortProtocolDirectionNotes
3095TCPInbound and Outbound
8443TCPInbound and Outbound
Warning

CTERA Portal operates behind a firewall, and it is important to leave all other ports closed.


Was this article helpful?

What's Next