System Architecture and Technical Specifications

1.0 System Architecture

The FileFlex Zero Trust Data Access (ZTDA) solution has been built from the ground up to facilitate ultra-secure access to both local and remote workstations for data resource management. The solution comprises 3 main components that work in unison to provide Zero Trust access to an organization's data, down to the file and folder level.

The 3 components are:

  1. FileFlex Policy Server
  2. FileFlex Connector Agent
  3. FileFlex Client App

All 3 components of FileFlex utilize AES256 symmetric encryption in various ways to completely secure and protect the data that it facilitates, along with tokens and communication channels. The use of encryption coupled with architectural design and process flow ensures privacy, security and authorized access to content.

2.0 System Components

FileFlex Policy Server

This is a public facing server that is accessible from the Internet to authenticate, validate and ultimately provide access to the secure data access services. It manages access rights and permissions to the service by validating and authenticating all transactions and acts as a relay service between the authenticated users and the content sources that they have the rights to access. This server does not hold any user content data and only manages and enforces the rights and permissions of authorized users of the system. All external server communications are performed using encrypted channels to and from this public facing server, and it communicates exclusively with FileFlex Connector Agents & the Client App. All connections are made over HTTPS and using the following dedicated ports for communications with both FileFlex Connector Agents and FileFlex Client Apps:

  • Ports 443, 9443, 80 are used to communicate with Client Apps
  • Ports 4010, 4011 are used to communicate with Connector Agents
  • All these ports must be open inbound to Server and open as bi-directional

FileFlex Connector Agent

The FileFlex connector agent is a software only component that runs on a device located on the corporate infrastructure behind the corporate Firewall. The connector agent can access any device or storage located on the same infrastructure on behalf of the user using the local permissions of the user. The main purpose of the Connector Agent is to perform requested tasks (access, relay and manipulate data) located on the same infrastructure on behalf of a user as if the user were physically present on that infrastructure. The connector agent is also responsible for encryption and decryption functions for all data transmission as well as managing revisioning and aspects of collaboration functions.

There exist multiple flavors of the Connector Agent for all types of devices, OS & architecture.
OS: Windows, Mac, Linux
CPU: ARM, Intel
Devices: NAS, Routers, Servers, Desktops, Laptops

All external communications from Connector Agents to the FileFlex policy server are performed on encrypted channels. Connections are made using HTTPS. The Connector Agent is designed to only communicate with the FileFlex Server by establishing an outbound connection using a number of secure measures to ensure that connections are only to designated FileFlex servers. By establishing outbound connections, this ensures that no new ports need to be open on the corporate Firewall thus eliminating the risk of external access to Connector Agents inside the corporate infrastructure. The Connector Agent uses the following ports to communicate with the FileFlex Server:

  • Ports 4010, 4011 are used to communicate with FileFlex Server
  • All these ports must be open outbound only and open as bidirectional
  • No inbound ports are required to be open to the FileFlex Connector Agents

FileFlex Client App

The FileFlex client App provides a mechanism for the user to access, browse, manipulate and share any content from a single dashboard. It works in conjunction with the FileFlex Policy Server to allow the user to perform these actions securely with assigned privileges and enforce permission activities such as share, download, view-only, copy, paste, move and edit.

All external communications are performed over encrypted channels, using HTTPS connections. The Client App is designed to communicate exclusively with its FileFlex Policy Server on outbound bidirectional communication channels.

The Client App uses the following ports to communicate with the FileFlex Policy Server:

  • Ports 443, 80, (9443 Admin only) are used to communicate with FileFlex Policy Server
  • All these ports must be open outbound only and open as bidirectional
  • Port 9443 is used for administration console access to FileFlex Server.
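
The port rules listed for the three components can be checked against an exported firewall policy. The following is an added example, not FileFlex code: the rule format (`dir`, `port`, `peer`), the sample rules and the `server_nets` / `admin_nets` parameters are constructed for illustration, and limiting port 9443 to administrator source ranges is an assumed least-privilege policy rather than a stated product requirement.

```python
from ipaddress import ip_network

# Port matrix as stated on this page, keyed by (component, direction).
MATRIX = {
    ("policy_server", "in"): {443, 9443, 80, 4010, 4011},
    ("connector", "out"): {4010, 4011},
    ("connector", "in"): set(),      # page: no inbound ports required
    ("client", "out"): {443, 80, 9443},
}
ADMIN_PORT = 9443                    # page: administration console access

def _within(peer, nets):
    """True if the CIDR `peer` lies inside one of the CIDRs in `nets`."""
    p = ip_network(peer)
    return any(p.version == n.version and p.subnet_of(n)
               for n in map(ip_network, nets))

def audit(role, rules, server_nets=(), admin_nets=()):
    """Return findings for one host's rules, in rule order."""
    findings = []
    for r in rules:
        key = (role, r["dir"])
        if key not in MATRIX:
            continue                 # direction not documented on the page
        port, peer = r["port"], r["peer"]
        if port not in MATRIX[key]:
            findings.append(f"{r['dir']} {port}: not in documented port list")
        elif role == "connector" and not _within(peer, server_nets):
            # Connector should only reach designated FileFlex servers.
            findings.append(f"out {port}: peer {peer} is not a designated server")
        elif (role == "policy_server" and port == ADMIN_PORT
              and not _within(peer, admin_nets)):
            findings.append(f"in {port}: admin console reachable from {peer}")
    return findings

# Constructed sample rules (documentation address ranges, not real hosts).
SAMPLE_CONNECTOR = [
    {"dir": "out", "port": 4010, "peer": "203.0.113.10/32"},
    {"dir": "out", "port": 4011, "peer": "0.0.0.0/0"},
    {"dir": "in", "port": 4010, "peer": "0.0.0.0/0"},
]
SAMPLE_SERVER = [
    {"dir": "in", "port": 443, "peer": "0.0.0.0/0"},
    {"dir": "in", "port": 9443, "peer": "0.0.0.0/0"},
    {"dir": "in", "port": 9443, "peer": "10.20.0.0/24"},
    {"dir": "in", "port": 22, "peer": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(audit("connector", SAMPLE_CONNECTOR, server_nets=["203.0.113.10/32"]))
    print(audit("policy_server", SAMPLE_SERVER, admin_nets=["10.20.0.0/16"]))
```
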

3.0 Hardware Requirements

Server Hardware Requirements

The FileFlex Enterprise system is a complex set of modules, and is therefore deployed as a virtual machine to greatly simplify deployment.

Supported Virtualization Platforms:

VMware Workstation 16.1
VMware Workstation 16
VMware Workstation 15.5.7
VMware ESXi 7.0 (vSphere)
VMware ESXi 6.7 (vSphere)
VMware ESXi 6.5 (vSphere)
Oracle VirtualBox 6.1
Hyper-V VM (OVA to VHD Conversion needed)

FileFlex Enterprise may be deployed on a variety of hardware configurations, with an underlying requirement of Intel x64 CPU architecture. When discussing deployment hardware, it is specifically with respect to the VM’s allocation of hardware resources to the VM, rather than the total capacity of the underlying host machine.

This document is focused on single-machine/VM deployments rather than a clustered deployment.

View-Only Conversions

The advanced panel of the server administration contains a configurable property “Maximum concurrent view-only conversions”. This defines the maximum number of view-only conversions that may execute at the same time. When a user chooses to view an office document within the application, a conversion is necessary. The number of conversions that can happen at the same time is directly connected to the amount of CPU and RAM allocated to the server. Each “concurrent view-only conversion” requires 1 dedicated CPU core, and 1gb of RAM. We recommend adding 1 CPU core and 1gb of RAM for each additional 1,000 users added to the system, depending on the frequency with which they are viewing documents within the application, and the size of the documents they are viewing.

Effect of RAM

The most important fundamental resource is RAM because several running processes are launched for data accumulation, proxying, data encryption, etc. A minimum of 4gb is required to run all needed services adequately. The maximum activations introduce a persistent RAM requirement, so a higher RAM total allows for more total activations/users. Simultaneous transfers also require more RAM. A larger cache allows for a larger number of “active users”. View-Only conversion is by far the largest consumer of RAM, and allocation must be made as indicated above.

Effect of Disk IO

The server is not critically bound to drive IO, so most typical well-functioning NAS drive deployments will be adequate. The connector, however, which is responsible for fetching files from the local device, is tied to the IO performance of the device – especially the seek time. SSD caching schemes will greatly improve its ability to deliver high numbers of files concurrently without overly slowing down the NAS’s performance. The exception is view-only conversions. If your use-cases involve a great deal of document viewing, then IO limitations may come into play and the deployment of an SSD-backed high performance data-storage solution is recommended.

Effect of CPU

The CPU is highly utilized for encoding/decoding of requests, so is directly related to the number of active users. It is also directly related to the number of high-speed transfers due to the active encryption. The CPU becomes especially important when dealing with 10GbE connections with clients located on the same high-performance network. View-Only conversion is a large consumer of CPU, and allocation must be made as indicated above.

Effect of Network

The network is very important when dealing with a large number of concurrent transfers if one wants to maintain consistent local-network level performance. For the reasons described above, it’s important to correlate the CPU with the network speed.

Clustering

When capacity becomes saturated, it is possible to deploy FileFlex in a clustered configuration. Supporting a clustered configuration requires dual networks, so it’s important that such deployments have at least two network adapters. In a highly de-centralized deployment, the CPU and RAM become less important as the load is spread across several machines.

4.0 Verified Platforms and Operating Systems

The following software and OS/browser combinations have been tested and approved by Qnext.

FileFlex Connector

Windows Operating Systems:

-Windows 8/8.1 32/64 bit
-Windows 10/11 32/64 bit
-Windows Server 2016 64 bit
-Windows Server 2019 64 bit

Macintosh OS
-Mac OS Mojave 10.14.6
-Mac OS Catalina
-Mac OS Big Sur 11.0

Red Hat Linux Enterprise
-RHEL 8.3 64 bit
-RHEL 8.2 64 bit
-RHEL 7.9 64 bit
-RHEL 7.8 64 bit

CentOS Linux Enterprise
-CentOS v7 64 bit
-CentOS v8 64 bit

Ubuntu LTS Enterprise Server
-Long Term Support (LTS) Ubuntu 19.04 64 bit
-Long Term Support (LTS) Ubuntu 18.04 64 bit

Debian Linux Enterprise
-Debian 10 (buster) 64 bit
-Debian 9 (stretch) 64 bit
-Debian 8 (jessie) 64 bit LTS

Ubuntu Linux Desktop
-Ubuntu 20.04 LTS (Focal Fossa) 64 bit
-Ubuntu 20.10 (Groovy Gorilla) 64 bit
-Ubuntu 19.10 (Eoan Ermine) 64 bit
-Ubuntu 19.04 (Disco Dingo) 64 bit
-Ubuntu 18.10 (Cosmic Cuttlefish) 64 bit

Fedora Linux Desktop
-Fedora V31 64 bit
-Fedora V32 64 bit
-Fedora V34 64 bit

Mint Linux Desktop
-Mint 19.3 Tricia 64 bit
-Mint 20 Ulyana 64 bit
-Mint 20.1 Ulyssa 64 bit

OpenSUSE Linux Desktop
-OpenSUSE 15.1 (48) 64 bit
-OpenSUSE 15.2 (50) 64 bit

FileFlex Client

Android Operating Systems
-Android 10
-Android 11


iOS Operating Systems
-iOS 12.5.1
-iOS 14.4


Windows Operating Systems
-Windows 10


OSX
-macOS 10.15 Catalina 64-bit
-macOS 11 Big Sur 64 bit

FileFlex Web Client

PC – Windows
-IE 11 and up
-Firefox 85.0 and up
-Chrome 88.0 and up
-Opera 63 and up

PC – OSX
-Firefox 85.0 and up
-Chrome 88.0 and up
-Safari 14.0 and up
-Opera 63 and up

PC – Linux
-Firefox 85.0 and up
-Chrome 88.0 and up
-Safari 14.0 and up
-Konqueror 20 and up

Mobile – Windows Phone
-Pocket Internet Explorer 11.0

Mobile – BlackBerry
-BB Browser 10.3.3.3216

Mobile – Android
-Firefox 79.0 and up
-Chrome 88.0 and up
-Puffin 9.0 and up

Mobile – iOS
-Firefox 85.0 and up
-Chrome 84.0 and up
-Safari 13.0 and up
-Puffin 4.2 and up
