Remote Access Policy
Written authorization from the Customer is required prior to any remote access session conducted by NetXposure. All remote access sessions will be logged by NetXposure, including details of logon/logoff times, systems accessed, and specific tasks performed by Technician (NetXposure sysadmin). The Customer is responsible for securing credentials for all service accounts (including database accounts) that the Technician has knowledge of during installation/configuration. NetXposure is not liable for security incidents involving Customer’s credentials or network access configurations. Please note that if the Customer decides to change any service account passwords after installation, reconfiguration of application components may be required for the application to function properly. Please contact NetXposure support for proper guidelines before attempting service/database account password changes.
- The Technician will need remote access to the Customer’s Local Area Network, preferably via Remote Desktop/VPN connection.
- The Technician must be provided credentials for each machine involved in the installation (SSH, Windows admin with RDP permissions, etc.). These credentials should be unique to NetXposure and separate from any internal administrative login credentials that are regularly used by the Customer. It is the Customer’s responsibility to maintain secure procedures for credentials, such as password complexity, expiration, connection timeout, and available logon times.
- The Technician must be allowed to copy files over to the server via the VPN/network share or download installation materials from the internet; this includes changing browser security settings, if necessary.
- Technician must be provided administrative access to each machine on which the installation needs to occur. This includes any remote servers running MediaRich, InDesign Server, or FlipFactory, unless installed by the Customer. These credentials should be unique to NetXposure and separate from any internal administrative login credentials that are regularly used by the Customer. It is the Customer’s responsibility to maintain secure procedures for such credentials, such as password complexity, expiration, connection timeout, and available logon times.
- NetXposure is not responsible for data loss or service interruption incurred during Remote Access; it’s the Customer’s responsibility to back up all systems before remote access sessions are commenced.
Server Configuration and Specification
- Regardless of database type, an empty, initial database must be created before installation begins unless arrangements have been otherwise made. NetX will not install or configure the database software.
- Technician must be provided a username/password to access the database. If the database is Microsoft SQL Server, Windows authentication or SQL authentication must be specified, along with IP address, database name, instance name, and port number.
- NetXposure recommends that a unique account (separate from Root or SA accounts) be used for NetX authentication for the database. This database user account must have read/write, create table, index, and alter table permissions. Basically, it must have full permission to the NetX database.
- The database software must be configured to allow TCP/IP connections.
- NetXposure is not responsible for backups, maintenance, or any other administrative tasks involving the database.
The Customer must provide the information listed below:
- Where is the repository located? If it is a UNC path, an associated service account with read/write privileges is required to access the network share. Credentials for this account must be provided or an administrator must configure the NetX Core service to use them. NetXposure recommends that a unique service account be created for access, if necessary.
- Where are the thumbnails, preview, zoom files, versions, and constituents? If they are on a UNC path, it must have the same access permissions as the service account allocated for the repository (it must be the same account).
- Where are the logs going to be located? (See requirements for appFiles)
NOTE: All of the above paths must be completely separate (one cannot be the parent directory of another).
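One way to check the path-separation NOTE above before handing the locations to the Technician, as an added example that is not NetX or NetXposure code. The labels (`repository`, `appFiles`, `logs`) and the sample paths are constructed assumptions; UNC and drive-letter paths are compared with Windows (case-insensitive) rules, everything else with POSIX rules.

```python
from itertools import combinations
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample input: appFiles is nested under the repository (and differs
# only in case), while the logs path merely shares a string prefix with it.
SAMPLE = {
    "repository": r"\\fileserver\netx\repository",
    "appFiles": r"\\FILESERVER\netx\repository\appFiles",
    "logs": r"\\fileserver\netx\repository-logs",
}

def _normalize(raw):
    """Parse UNC (\\\\server\\share) and drive-letter paths as Windows paths."""
    is_windows = raw.startswith("\\\\") or (len(raw) > 1 and raw[1] == ":")
    return PureWindowsPath(raw) if is_windows else PurePosixPath(raw)

def _contains(outer, inner):
    """True if inner is the same directory as outer or lies beneath it."""
    if type(outer) is not type(inner):
        return False  # a Windows path and a POSIX path cannot nest
    return outer == inner or outer in inner.parents

def find_overlaps(paths):
    """paths maps label -> path string; returns [(outer_label, inner_label)]."""
    norm = {label: _normalize(p) for label, p in paths.items()}
    overlaps = []
    for (a, pa), (b, pb) in combinations(norm.items(), 2):
        if _contains(pa, pb):
            overlaps.append((a, b))
        elif _contains(pb, pa):
            overlaps.append((b, a))
    return overlaps

if __name__ == "__main__":
    for outer, inner in find_overlaps(SAMPLE):
        print(f"{inner} is inside {outer}; choose separate locations")
```

The comparison is purely lexical: it does not resolve symlinks, junctions, or two share names that map to the same directory on the file server.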
Prerequisite and Supplementary Software
- The latest available version of the Oracle Java JDK 1.8 SE unless discussed otherwise.
- An appropriate JDBC driver is needed:
  - MySQL JDBC driver
  - Microsoft SQL Server (Microsoft JDBC driver is recommended)
  - Oracle JDBC driver
- Any third party imaging engines that NetX does not distribute.
  - Commercial (Adobe InDesign Server, MediaRich, FlipFactory)
  - Free/Open Source (ffmpeg, Ghostscript, ImageMagick must be obtained by the customer prior to installation)
- Any available Engines will be configured by NetX technician.
- To use email features, SMTP server IP address and credentials are required.
- The following email addresses must be provided:
  - Generic Admin email address to be used by NetX for sent email
  - Email address to send logged error messages from NetX.
  - Email address for the initial administrator account provided to the customer after installation.
  - Any other email addresses specific to special features or workflow (can always be configured at a later time if needed).
NetX Configuration and Testing
- Technician must be given access to browser (or if over VPN, must be able to access HTTP port of server through VPN connection). This is required for the configuration stage.
- It is recommended that a test dataset of assets representing the types of files to be used in the application be provided by the customer. The technician will run tests to determine if the files will work with the imaging engines and verify the installation. The technician will upload these into a "Format Test" folder.
- The technician may create a "netxsupport" Administrator account local to the NetX application; this is for testing and post-installation configuration and can be removed by the Customer after configuration is complete.
- Firewalls must not block port 80 or any other port that must be accessed for functionality of the NetX application. Additionally, software such as IIS or Apache HTTP server that may conflict on port 80 or other ports is not directly supported and must be correctly configured or removed by the customer prior to installation unless otherwise arranged by NetXposure.
- Firewalls must be open for communication with other services such as transcoding engines, email servers, etc.
- Firewall must be open for communication with the database server.
- All firewall configuration is the responsibility of the Customer.
- NetX does not support access to the application via proxy or web filter of any kind. It is recommended that any NetX URLs or IP addresses are whitelisted and bypassed by web proxies/filters.
Antivirus and Security Software
- All antivirus and other security software must be disabled during the installation. We strongly recommend that security applications be disabled on servers that run NetX, or that NetX application folders and processes be excluded from scanning.
LDAP or SAML Integration (if applicable)
- Customer must provide complete details of the LDAP or SAML setup as outlined by their respective configuration worksheets (NetX will provide on request). Any special mappings and configuration options must be provided to the NetX technician. If a customer wants to use the LDAP integration on their SaaS NetX instance, they need to follow the instructions listed here: Active Directory (LDAPS) Integration to SaaS Sites.
- If there are any issues during LDAP configuration, it is recommended that the Customer test using an LDAP client with the same settings on the same server that NetX resides on to ensure that there are no issues with the information provided.
Customer assumes responsibility for creating DNS entries for the application(s); these must be provided to the technician for the configuration process.
Multiple NetX application servers (if applicable)
- DNS names of each node must be provided.
- If nodes are to be behind a load balancer, IP address and DNS name of the balancer must be provided. Correct installation and configuration of the load balancer is the Customer’s responsibility.
- Each application must have access to the repository at the same exact path for both instances. On Windows, a network share such as \\server\share\repository that is identically accessible to both applications is recommended. On Unix, a permanent mount point such as /path/to/repository that is identical on all servers in the cluster is also acceptable.
- Similar to above, all nodes must have access to the appFiles directory (location of thumbnails, etc.). This will be shared between nodes.
- Each node must have proper access to the same database.