Metalogix Replicator 7.4 - Secure Replication

Replicator Services

The Replicator service runs under the SharePoint Central Administration (SP CA) application pool account. This is a fixed requirement: the service cannot be configured to run under any other account. To limit what any single account can reach, you can still create a separate application pool account for each content web application, so that the content web applications run under accounts different from the SP CA application pool account. This configuration works provided you follow the Access Requirements section of the Metalogix Replicator Advanced Installation Guide.
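A quick way to confirm that separation is in place is to compare the account behind the Central Administration application pool with the account behind every content web application. The following is an added check written for this page, not code from Metalogix; it assumes the SharePoint Management Shell on a farm server and uses only the standard SharePoint cmdlets and object properties:

```powershell
# Added check (not from the Metalogix documentation): list the application pool
# account behind Central Administration and behind every content web application,
# and flag any content web application that shares the SP CA account.
# Run from the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApps   = Get-SPWebApplication -IncludeCentralAdministration
$ca        = $webApps | Where-Object { $_.IsAdministrationWebApplication }
$caAccount = $ca.ApplicationPool.Username   # the account the Replicator service runs under

"Central Administration app pool account: $caAccount"

$webApps |
    Where-Object { -not $_.IsAdministrationWebApplication } |
    ForEach-Object {
        $acct = $_.ApplicationPool.Username
        [pscustomobject]@{
            WebApplication  = $_.DisplayName
            Url             = $_.Url
            AppPool         = $_.ApplicationPool.Name
            Account         = $acct
            SharesCAAccount = ($acct -eq $caAccount)   # True means no separation for this web application
        }
    } | Format-Table -AutoSize
```

Any row with SharesCAAccount set to True is a content web application whose pool runs as the SP CA account; move it to its own managed account and application pool, then confirm the Access Requirements in the Advanced Installation Guide are still met for the new account.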


Replicator Data Folders

During the initial Replicator setup, a file share is created to store inbound and outbound replication packages. The permissions on both the share and the underlying folder should be tightened so that only the SharePoint access account and authorized administrators can reach it. To reduce exposure further, you can remove the SharePoint access account from the share altogether and use a dedicated storage access account instead. This account is specified at the Configure Web Application level, under Replicator Data Folders.


In the diagram at the beginning of this document, this setting is applied to both the source and target web applications, so the creation of replication packages is protected on both ends. Note that the data folders are commonly located on network storage such as a SAN, in which case the share and folder permissions live on the storage host rather than on the SharePoint servers.
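The hardening described above, as an added PowerShell example that is not part of the Metalogix documentation: it strips the inherited and default entries from the data folder and its SMB share and leaves only a dedicated storage access account and the local Administrators group. The folder path, share name and account names are assumptions, and the script must run on the server that owns the folder (the file server, if the data folders live on network storage):

```powershell
# Added example (not part of the Metalogix documentation): restrict the Replicator
# data folder and its SMB share to a dedicated storage access account plus the
# local Administrators group. Path, share name and account names are assumptions;
# run this on the server that owns the folder.
$FolderPath     = 'D:\ReplicatorData'                   # assumed physical path of the data folder
$ShareName      = 'ReplicatorData'                      # assumed share name chosen during setup
$StorageAccount = 'CONTOSO\svc-replicator-storage'      # assumed dedicated storage access account
$Admins         = 'BUILTIN\Administrators'

if (-not (Test-Path $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}

# --- NTFS permissions on the physical folder -----------------------------
$acl = Get-Acl -Path $FolderPath
# Stop inheriting from the parent; the second argument ($false) discards the
# inherited entries (for example BUILTIN\Users: Read) instead of copying them.
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit entries already present so that only ours remain.
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$storageRule = New-Object System.Security.AccessControl.FileSystemAccessRule($StorageAccount, 'Modify', $inherit, $propagate, 'Allow')
$adminRule   = New-Object System.Security.AccessControl.FileSystemAccessRule($Admins, 'FullControl', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($storageRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path $FolderPath -AclObject $acl

# --- SMB share permissions ------------------------------------------------
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Creating the share with explicit grants avoids the default 'Everyone: Read'.
    New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess $Admins -ChangeAccess $StorageAccount | Out-Null
} else {
    # Existing share (for example one created by Replicator setup): revoke every principal
    # other than the two we want, including the SharePoint access account, then grant ours.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -notin @($StorageAccount, $Admins) } |
        ForEach-Object { Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force | Out-Null }
    Grant-SmbShareAccess -Name $ShareName -AccountName $StorageAccount -AccessRight Change -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName $Admins -AccessRight Full -Force | Out-Null
}

# --- Verify the result: nothing but the two principals should appear ------
(Get-Acl -Path $FolderPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

The storage account is given Modify rather than Full Control because writing, reading and deleting packages is all it needs; it should not be able to change the ACL it is constrained by. If you keep the SharePoint access account on the share instead of a separate storage account, add it in place of the storage account above, and in either case enter the account you chose under Configure Web Application, Replicator Data Folders so that Replicator uses it.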

Connections

Replication requires that each web application in a pair has a connection to the other. Without a connection in each direction there is no data access. The diagram above shows this: two web applications joined by two connections, one in each direction, so that each side can both send and receive packages. Replicator also lets you secure connections with a passphrase, which is set at the Web Application Configuration level and applied in the security settings at the Connection Configuration level.

The exception to this rule is connections set up in firewalled mode. Because the server outside the firewall cannot initiate a connection to the server inside the firewall, Replicator requires only a single connection in this case. You must set a passphrase on the web application outside the firewall and supply it when creating the connection on the web application inside the firewall. The passphrase confirms that the farm administrator creating the connection has been authorized by a farm administrator of the other farm.

1. Set a passphrase at the web application level, under Advanced Settings.


2. Apply the passphrase when creating a firewalled connection, under Target Web Application.

3. Finally, the account specified on the connection configuration page is the only account permitted to download packages from the target web application. This ensures that packages can be downloaded only by the designated account and by no one else.

Offline Replication

When a connection is configured to transport in offline mode, Replicator restricts replication to a specific target using an ID field. This ensures that once replication is brought back online, only the specified target can receive the packages during the import procedure.

