
System Administration II

Training Reference Guide


January 2017

© 2017 Laserfiche
Laserfiche is a division of Compulink Management Center, Inc. Laserfiche®, Run Smarter® and Compulink® are registered
trademarks of Compulink Management Center, Inc. All other trademarks are properties of their respective companies. Due to
continuing product development, product specifications and capabilities are subject to change without notice.
About this Training Reference Guide

Purpose

This Training Reference Guide is intended to be used as a reference when taking the
System Administration II online course.

This guide provides an outline of key points and is intended to complement the
online course and to aid in note taking. In addition, links to helpful resources are
provided for learners who would like more information about a particular topic.

In this Document

This document contains the following topics.

1. Introduction
2. Volume Configuration and Security
3. Indexing and Search Engine Configuration
4. Backing Up Laserfiche Rio and Avante
5. Monitoring and Improving Performance
6. Managing Laserfiche Rio Installations
7. Security Considerations for Laserfiche Installations

System Administration II Page 2


1. Introduction

Course Description

This course is for system administrators who intend to use advanced features to
secure, back up, and monitor Laserfiche repositories.

This course focuses on optimizing a Laserfiche installation, rather than outlining
specific procedures for implementation. For this reason, we recommend
administrators take the System Administrator I course first.

Overview

By the end of this course, you will be able to:

• Manage and secure volumes of all sizes.
• Optimize search engine settings.
• Back up Laserfiche repositories and settings.
• Monitor and improve performance of Laserfiche installations.
• Identify important system and web-based security configuration settings.



2. Volume Configuration and Security

Introduction

This lesson provides an overview of volumes: what they are, how you can use them
to help manage a growing repository, and how to address information requirements.
In addition, this lesson discusses how to transfer information between repositories
and how to back up information.

Volume Definition and Terminology

Your Laserfiche repository contains two types of information:

• Metadata about your documents, which is stored in the database.
• The document files themselves, which are stored in the volumes.

Volumes contain pages from scanned documents, what most people think of as the
‘contents’. These include:

• TIFF images
• Thumbnails
• Location files
• Electronic files such as Microsoft Word documents
• PDFs

Volumes exist on the hard drive of one or more computers, and, as your repository
grows, can be distributed across multiple computers. When a user scans or imports
a document, or adds new pages to an existing document, that document’s pages and
electronic file will be saved in a particular volume.

For more information on volumes, see the Laserfiche Help Files – What are
Volumes?

Physical and Logical Volumes

There are two types of volumes:

• A physical volume is a set of folders that contain your documents on a
computer’s hard drive.
• A logical volume is a collection of physical volumes which share the same
name.

To make sure that you don’t run out of space on your hard drive, the physical
volumes within a logical volume will generally have a size limit. Once they reach
the limit, they will roll over, creating a new physical volume.

Logical volumes allow an administrator to control the size of physical volumes, and
distribute them across multiple computers. At the same time, users can just keep
scanning into the same volume without needing to change their workflow.

For more information on logical volumes and rollover, see the Laserfiche Help
Files – Logical Volumes and Volume Rollover.



Best Practices

When you create a new repository, it will include a starting volume. Unless you
specify a different name, this volume will be named DEFAULT. It is a logical
volume that rolls over when it reaches 20 GB in size.

In general, we recommend keeping the number of logical volumes in your
repository as small as possible. Since the physical volumes within a logical volume
can be distributed to multiple computers, you do not need to create new logical
volumes for space considerations. In general, you will only need to create new
volumes in the following situations:

• If you need to secure the contents of one or more volumes in a particular
way that is specific to that volume.
• If one or more of the volumes has different backup needs.
• If one or more of the volumes has different file retention needs.
• If you must keep certain files on a specific file server or at a specific
physical location.

If none of these is the case, you can simply make sure that the Default volume has a
rollover size that makes sense for your organization.

If you want to change the logical volume size limit, be aware that it will only affect
the new physical volumes created within that logical volume, not the existing
volumes. If you want to re-size existing physical volumes, the best way to do it is to
migrate the contents of the logical volume into a new logical volume with the correct
size limit.

Remember to distribute logical volumes so that you don’t run out of hard drive
space on a particular computer. This can be done by modifying the logical volume’s
path.

For more information on best practices for volume administration, see the
Laserfiche Help Files – Best Practices for Volume Administration.



Volume Security

Since volumes contain the contents of your documents, it’s important to ensure that
they are secured properly.

• Windows Security: You can use Windows security to lock down your
volumes. We recommend allowing access only to the account that the
Laserfiche Server service runs as.

• Laserfiche Security: Laserfiche security restricts who can see the parts of
a document stored in a volume, such as its pages or electronic file. It
doesn’t restrict access to other parts of the document, such as its metadata.
If you want to restrict access to the entire document, you should use Entry
Access Rights instead.

If you do need to restrict access to volume contents on a volume-by-volume
basis, you can do so by modifying the volume’s rights in the Administration
Console.

• Volume Checksums: Volume checksums automatically monitor when
changes have been made to a document outside of Laserfiche. Enabling
checksums should not be used in place of security—a checksum report can
reveal where an unauthorized change has been made after the fact, but
cannot prevent it. It is still important to secure your documents. For more
information on volume checksums, see the Laserfiche Help Files – Volume
Checksums and Validating Volume Content.

Exporting and Attaching Volumes

If you want to move a volume from one repository to another, you can do so by
exporting or detaching the volume.

Detaching or exporting a volume is different than simply copying the volume’s
folders on the hard drive, because it also includes information about the folder
structure and metadata of the entries. Note that some information, most notably
security, is not included when exporting or detaching a volume.

• Exporting a volume creates a copy of the volume, leaving the original
volume intact and still attached to the original repository. For more
information on exporting volumes, see the Laserfiche Help Files –
Exporting a Volume.

• Detaching a volume removes the volume from the original repository
entirely. For more information on detaching volumes, see the Laserfiche
Help Files – Detaching a Volume.

In most cases, we recommend exporting a volume rather than detaching it, even if
you intend to remove it from its original repository. This allows you to test the
volume in its new repository before deleting it.



3. Indexing and Search Engine Configuration

Introduction

This lesson introduces the component that handles most of the searching in your
repository: the Laserfiche Full-Text Search Engine.

Text Generation, Indexing, and Searching

Most searches are performed by the Laserfiche Indexing and Search Engine or your
repository’s database engine. There are two steps that must be performed before
these searches will return results:

• Text Generation: Text must be generated from the document. This is done
by performing OCR or by generating text directly from electronic
documents. For more information on text generation, see the Laserfiche
Help Files – Search Engine Text Extraction.
• Indexing: The document must be indexed by the search engine. When the
search engine indexes a document, it tracks the location of each word
within the document and stores that information in the search catalog. For
more information on indexing, see the Laserfiche Help Files – Indexing
Repository Content.

If the document is indexed, but has no text generated, then there is nothing to search
for. If the document has text generated but is not indexed, the search engine doesn’t
know where to find the text. We recommend enabling automatic text generation and
indexing for your repository to ensure that documents remain searchable.

Search Architecture and Best Practices

To ensure that searches are performed as efficiently as possible, the Laserfiche
Indexing and Search Engine optimizes its search catalog files periodically. The
search engine monitors the repository for off-peak hours and schedules this
optimization for those hours to reduce the impact on general repository performance.

While we recommend indexing new documents immediately to ensure that every
document becomes searchable, you can also pause indexing during high traffic
periods to reduce the performance impact.

For more information on scheduling indexing, see the Laserfiche Help Files –
Scheduled Indexing Overview and Examples.



Search Engine Security and Backup

It is a good idea to use Windows security to secure the location of your search
catalog files. The search catalog contains lists of all the words in your repository,
which may include sensitive information such as names and social security
numbers.

Unlike your repository’s database and volumes, it isn’t strictly necessary to back up
your search catalog files, because they can be regenerated from the documents
themselves.

For more information on managing the search catalog, see the Laserfiche Help Files
– Managing the Search Catalog.



4. Backing Up Laserfiche Rio and Laserfiche Avante

Introduction

This lesson describes how to back up your repository. You will learn the basic
principles and best practices of backup and recovery, and what files and
components in Laserfiche need to be backed up.

Backup Principles

Backups are vital in managing your repository. Without frequent, well-tested
backups, important data may be permanently lost in the event of hardware failure,
user error, natural disasters, or other issues.

Back up your data often. Remember that any information that is added or changed
in Laserfiche since your last backup is vulnerable to being lost if you run into an
issue. The more frequently you back up, the less likely that you will need to redo
work (or, worse, lose data permanently).

Automated systems are especially good for ensuring that information is backed up
frequently, since they don’t require you to remember to manually perform a backup.

Differential backups, in which only the files that have changed since the last full
backup are backed up, can be helpful in backing up frequently. Since only changes
are backed up, rather than the full repository, they are much quicker and less likely
to cause performance issues.

For additional information on backup principles, see the Laserfiche Help Files –
Backup Principles.

Components to Back Up

The Laserfiche repository, hosted by the Laserfiche Server, consists of four major
components that should be backed up:

• The database, hosted by Microsoft SQL Server or Oracle.
• The volumes, which may be distributed across multiple folders on multiple
hard drives.
• The named user licensing database, found in the Laserfiche Server
installation directory.
• The search index files, found in the SEARCH folder at the location you
specified during search engine configuration.

For more information on backing up major components, see the Laserfiche Help
Files – Backup Scope.

In addition to these components you should consider what other Laserfiche products
you’re using:

Audit Trail: If you are using Laserfiche Audit Trail, it’s important to back up your
binary audit log files, since auditing data is not stored elsewhere and can’t be
recreated. By default, these logs are stored in the AUDIT folder of the repository
directory. For more information on backing up Audit Trail, see the Laserfiche Help
Files – Backing Up Audit Data.



Workflow: Workflow information is stored in four places:

• The Workflow database is hosted by Microsoft SQL Server or Oracle. Back
up the database that you specified when you configured Workflow.
• The Workflow configuration files are hosted in the Workflow installation
directories on the Workflow Server and Workflow Subscriber computers.
• The Workflow volume is saved by default on the Workflow Server
machine. If you chose to store it elsewhere when configuring the Workflow
Server, you can review it in the File System Path section of the Workflow
Configuration Utility.
• Workflow custom activities are stored at C:\Program Files\Common
Files\Laserfiche\WF\Activities if you are using a 32-bit version of
Windows, or at C:\Program Files (x86)\Common Files\WF\Activities if you
are using a 64-bit version of Windows. This folder only needs to be backed
up if you have added custom Workflow activities.

For more information on backing up Workflow, see the Laserfiche Help Files –
Backing Up Workflow.

Web Client: Web Client configuration files are stored in the Web Access
installation directory, under Web Files. Back up the web.config file stored in this
folder, and then back up the Config folder.

Laserfiche Discussions: Laserfiche Discussions stores its information in a database
hosted by Microsoft SQL Server. Back up the database that you specified when you
configured Discussions.

Laserfiche Directory Server: Laserfiche Directory Server also stores its
information in a database hosted by Microsoft SQL Server. Back up the database
that you specified when creating a licensing site.



5. Monitoring and Improving Performance

Introduction

This lesson describes how to monitor and improve the performance of your
Laserfiche system. It discusses ways of monitoring your repository’s performance,
best practices for improving it, and Laserfiche tools that you can use to make your
system perform more efficiently.

Monitoring Performance

To keep better tabs on your Laserfiche system’s performance, you can use
Windows Performance Monitor, a tool included with Windows that allows you to
monitor activity in real time, or save a log of it for later review.

Performance Counters: Used to track specific information in real time. Laserfiche
includes a number of performance counters for Workflow, the Laserfiche Indexing
and Search Engine, and the Laserfiche Server.

Data Collector Sets: Used to log activity for later review.

Detailed information on Performance Monitor is available on the Microsoft
TechNet website.

Performance Best Practices

There are several best practices to help identify potential bottlenecks and improve
system performance:

• Deploy SQL Server and the search engine on different servers. This means
that they will each have their own dedicated resources.

• Distribute other system components to different servers. It is a good
practice to make sure that Laserfiche components and applications all have
their own dedicated resources.

• Use performance metrics to determine times of heavy load, and find ways
to adjust this process to distribute them more evenly throughout the day.



Laserfiche Tools

There are also a number of Laserfiche tools and components that can help you
manage performance:

• Import Agent allows you to schedule document import and indexing—two
high-load activities—for off-peak hours. For more information on Import
Agent, see the Laserfiche Help Files – Overview & Quick Start.

• Quick Fields Agent, like Import Agent, allows you to bring documents
into Laserfiche on a schedule, with the added benefit of the powerful
document processing of Quick Fields. For more information on Quick
Fields Agent, see the Laserfiche Help Files – Quick Fields Agent.

• Web Accelerator can improve performance when displaying document
images if using Laserfiche Web Client with Laserfiche Rio. For more
information on Web Accelerator, see the Laserfiche Help Files – Laserfiche
Web Accelerator.

• Settings Lockdown can ensure that your users don’t modify their options
in a way that will slow down their Laserfiche experience. For more
information on Settings Lockdown, see the Laserfiche Help Files – Settings
Lockdown.

• Schedule Indexing for Off-Peak Hours to reduce the load on your search
engine. For more information on Index Scheduling, see the Laserfiche Help
Files – Scheduled Indexing Overview and Examples.



6. Managing Laserfiche Rio Installations with Laserfiche

Introduction

This lesson explores how to use Laserfiche Directory Server to manage your
Laserfiche Rio installations. It discusses what Laserfiche Directory Server is and
what it’s used for; user types, groups, and organizations; user license allocation;
application registration; and public portal licenses for WebLink.

What is Laserfiche Directory Server?

Laserfiche Directory Server is a web application that allows you to manage your
Laserfiche Rio installation, including users and applications.

With Directory Server, you can perform the following tasks:

• Create Laserfiche users, add directory users, and grant user licenses.

• Configure Active Directory synchronization to automatically update your
named user list.

• Create organizations to help you reserve licenses appropriately.

• Register named devices.

• Review application registrations, and allocate new application licenses.

Note that Laserfiche Directory Server is only used with Laserfiche Rio, not with
Laserfiche Avante.

For more information on Laserfiche Directory Server, see the Laserfiche Help Files
– Welcome to Laserfiche Directory Server.

Users and User License Allocation

Users who log into Laserfiche Rio must have an account and a license. There are
three types of users:

• Directory Users: Can be either Windows accounts or LDAP accounts, and
are managed in Laserfiche Directory Server.

• Laserfiche Users: Created and configured in Laserfiche Directory Server.

• Repository Users: Created and configured in the Laserfiche
Administration Console, and are not managed in Laserfiche Directory
Server.

Any type of user can be allocated a named user license. However, unlike directory
and Laserfiche users, repository users are specific to a particular repository, and
cannot be granted access to other repositories.

Organizations are subsets of your Laserfiche Rio installation, which you can use to
reserve licenses and to organize your users.



Groups are collections of users or other groups. Groups are usually used for
granting access to repositories and setting security.

Named devices are computers that have been granted licenses. Any user who logs
into one of these computers can access Laserfiche, even without their own license.
Named devices are often used as scan stations. You cannot access Laserfiche web
applications from or grant retrieval licenses to a named device.

Active Directory synchronization can automatically grant licenses to members of
specific Windows groups. This makes it easier to ensure that the correct users have
licenses.

For more information on managing accounts with Laserfiche Directory Server, see
the Laserfiche Help Files – Managing Accounts.

Application Licenses

You can also use Laserfiche Directory Server to manage your application licenses.

In most cases, you can automatically allocate a license to an application during
installation. To do so, when installing a product, select “Activate using the
Laserfiche Rio License Manager” and follow the specified steps.

You can view your allocated application licenses, and allocate new application
licenses manually, in Laserfiche Directory Server.

Directory Server will show you the version for the product, all your allocated
licenses, how many licenses you have remaining (if the installations aren’t
unlimited), and, for the Laserfiche Server, how many repository named user
licenses and public portal licenses you have allocated.

For more information on managing application licenses with Laserfiche Directory
Server, see the Laserfiche Help Files – Managing Applications.



Public Portal Licenses

Public portal licenses are a special kind of license used with Laserfiche WebLink.
Although they are associated with WebLink, public portal licenses are allocated by
the Laserfiche Server.

If you have two Laserfiche Servers that you want to be accessible via WebLink, you
will need two public portal licenses. In addition, public portal licenses are
categorized by number of processors on your Laserfiche Server. A dual-processor
Laserfiche Server must have a dual-processor public portal license, and a
multiprocessor Laserfiche Server must have a multiprocessor public portal license.

Any user who has been marked as read-only in the Laserfiche Administration
Console can log in to WebLink using the public portal license. If a user is not a
read-only user, they must have a license of their own. Access to Laserfiche via
WebLink is always read-only, no matter what type of license the user has.

For more information on public portal licenses, see the Laserfiche Help Files –
Public Portal Licenses.



7. Security Considerations for Laserfiche Administrators

Introduction

This lesson highlights security considerations for Laserfiche Administrators. We’ll
list out mechanisms that serve as a baseline checklist of common security
configurations.

Encryption

When securing data using encryption, it is important to do so consistently, and
recognize the states of digital data. For example:

• Data at rest represents data currently stored on a drive or volume. This
data should be encrypted at the local level, to prevent unauthorized access
when other types of security fail.

• Data in transit represents data being moved or transmitted between
locations. Security protocols such as SSL/TLS secure data as it moves
between secure locations.

• Data at endpoint represents data stored on a client machine. Like data at
rest, this data should be encrypted locally, but as this might not be
guaranteed, network security should be an additional consideration.

SSL/TLS

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are
protocols used to secure web connections and are the default model for securing
data in transit.

SSL/TLS provides a secure channel where data is encrypted in transit between
Laserfiche and client endpoints.

With a secure channel, data in transit cannot be easily read by someone who
intercepts that data.

For additional information on how to configure SSL/TLS within Laserfiche, please
see the Laserfiche Help Files – Using SSL/TLS with Laserfiche.

Windows System Security

Laserfiche provides robust security tools for controlling access to data within the
Laserfiche repository. However, you also have to ensure that Laserfiche resources
themselves are properly secured outside of Laserfiche.

The Laserfiche SQL database and all volume files stored on disk must be properly
secured outside of Laserfiche.

If this data is not properly secured at the file system layer, users without access to a
document within Laserfiche may be able to bypass those security measures, by
accessing the data directly from the local machine.
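
One way to check this recommendation, together with the earlier advice to restrict volumes to the Laserfiche Server service account and to secure the search catalog location, is to list every NTFS "Allow" entry on those folders that belongs to an unexpected identity. This is an added example, not Laserfiche tooling; the service name, folder paths and the extra allowed identities are assumptions to replace with your own values.

```powershell
# Added example: read-only audit of NTFS permissions on Laserfiche data folders.
# The service name, folder paths and allow-list are assumptions; replace them.
param(
    [string]   $ServiceName = '<Laserfiche Server service name>',                 # placeholder
    [string[]] $DataPaths   = @('D:\LF\Volumes', 'D:\LF\SEARCH', 'D:\LF\AUDIT'),  # hypothetical
    [string[]] $AlsoAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # site policy
)

$SidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Account) {
    # Win32_Service can report "LocalSystem" or ".\user"; normalize before translating.
    if ($Account -eq 'LocalSystem') { $Account = 'NT AUTHORITY\SYSTEM' }
    if ($Account.StartsWith('.\'))  { $Account = $env:COMPUTERNAME + '\' + $Account.Substring(2) }
    ([System.Security.Principal.NTAccount]$Account).Translate($SidType).Value
}

# The account the service runs as is the only identity the guide says needs access.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found. Pass -ServiceName." }

# Compare by SID so that name aliases and localized names cannot hide a grant.
$allowed = @((@($svc.StartName) + $AlsoAllowed) | ForEach-Object { Resolve-Sid $_ })

$findings = foreach ($root in $DataPaths) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Missing path: $root"; continue }
    $rootItem = Get-Item -LiteralPath $root
    # Include subfolders: one with inheritance broken can carry its own, looser ACL.
    $dirs = @($rootItem) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($allowed -contains $ace.IdentityReference.Value) { continue }
            # Report inherited entries once, at the root, instead of on every subfolder.
            if ($ace.IsInherited -and $dir.FullName -ne $rootItem.FullName) { continue }
            $name = try {
                $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { '(unresolved SID)' }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $name
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Path | Format-Table -AutoSize -Wrap }
else           { Write-Output 'No unexpected Allow entries on the audited folders.' }
```

The script changes nothing; each row it prints is a grant to review and, where it is not needed, remove through the folder's security settings.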



Firewalls

In the most basic sense, firewalls act as a barrier between a secure network (usually
a local area network, or LAN) and an insecure network (usually the internet itself).

Exceptions can be made to the firewall by allowing certain ports to be open, usually
on an application-by-application basis.

Ensure that appropriate communication channels are open for Laserfiche and its
related services when crossing firewall boundaries, while still maintaining a secure
environment.

For additional information on how to configure firewalls for use with Laserfiche,
please see the Laserfiche Help Files – Firewalls.

Kerberos

Kerberos is a protocol used to authenticate connections over the web.

In certain network configurations, Kerberos authentication may be required for
Windows authentication to Laserfiche.

Through authentication, Kerberos makes connections more secure (the user’s
identity is verified) and more convenient, as a user can use their verified credentials
across the server.

For additional information on how to configure Kerberos within Laserfiche, please
see the Laserfiche Help Files – Configuring Kerberos.

Audit Trail

Laserfiche Audit Trail logs actions that occur within a repository.

Any action categorized for tracking through Audit Trail is saved to a log file as an
event, to be viewed by authorized users and administrators. These events may
include actions such as printing, searching, modifying documents, or altering a
user’s account.

While Audit Trail records changes, it does not prevent them from happening. In
addition, actions taken outside of Laserfiche (such as taking a screenshot using print
screen) are not tracked by Audit Trail.

For these reasons, it is recommended to use Audit Trail as a complement to other
security measures rather than a replacement for them.

For more information on Audit Trail, see the Laserfiche Help Files – Laserfiche
Audit Trail.
