

WatchDox Virtual Appliance

Deployment Overview

March 2013

WatchDox Deployment Overview White Paper

WatchDox delivers an advanced solution to control, track, and protect your
organization's documents - wherever they go, on any device. By utilizing
virtualization technologies, such as VMware, WatchDox offers a virtual appliance
as an on-premise solution that provides the same functionality as the WatchDox
cloud-based deployment.
Key functionality includes:

- Sharing of documents while maintaining control throughout the document's
  lifecycle and allowing or restricting download, copy, print, and forward or
  even revoking access altogether.
- Individualized, customizable document watermarks, Spotlight (patent-pending
  technology from WatchDox), and other embedded security features.
- Ability to dynamically modify document permissions at any time, or wipe out
  documents even after they have been downloaded.
- Granular audit trail of all interactions with shared documents including who has
  accessed them, when, and where.
- Secure viewing and editing of documents on a variety of platforms including
  popular mobile devices such as iPhone, iPad, BlackBerry, and Android.
- APIs enabling integration into third-party enterprise systems, such as content
  management (SharePoint and others), CRM systems, proprietary systems, and
  web portals.

The WatchDox architecture supports vertical and horizontal scalability, High
Availability (HA) clustering, and Disaster Recovery (DR) through synchronization
with another WatchDox virtual appliance deployed in a remote site.
This document provides a short overview of the elements required for deployment
of the WatchDox on-premise deployment solution. For more details, consult the
WatchDox Solution Site Readiness document.



The WatchDox virtual appliance is a composite system made up of multiple
virtual machines (VMs). These virtual machines run the system's front-end web
and management interface, document converters, encryption tools, search and
indexing, database, and other components.

Figure 1: WatchDox Components

The WatchDox virtual appliance VMs run hardened Red Hat Enterprise Linux
(RHEL) and one or more instances of Microsoft Windows Server.
The virtual appliance integrates with enterprise systems, such as Active Directory,
multi-factor authentication/SSO systems, Hardware Security Modules (HSM) and
SIEM systems. It also supports a set of connectors to enterprise systems such as
Outlook, SharePoint, and Additionally, RESTful APIs provide
connectivity to virtually any enterprise system.



The WatchDox virtual appliance is a multi-tier application with strict separation
between the web application serving the users, the database holding the system
meta-data, and a secure file system holding the encrypted documents.

WatchDox web applications employ a Role-Based Access Control security
methodology. The security layer of the software restricts the user according to
security permissions, with no ability to move across unauthorized boundaries. Using
compartmentalized software architecture, the WatchDox server components are
protected against outside intrusion.

WatchDox uses the industry-standard Advanced Encryption Standard (AES), used
by businesses and governments to protect sensitive information. All user data
transmissions over the Internet to and from the WatchDox servers are sent using
HTTPS (Secure HTTP connection), and are encrypted via SSL (Secure Sockets
Layer) employing strong keys (128-256 bit, depending on the browser capabilities;
a 256-bit minimum can be set).

All key data fields that contain data from user input, registration, content, and
policies are encrypted. Storing the documents and meta-data in encrypted
form ensures that even if intruders obtain the actual physical disks on which they
reside, they will not be able to read or modify them.

Each document is stored encrypted using its own unique cryptographic key. Thus,
gaining access to one key does not invalidate the security of the rest of the
documents in the system. The keys are stored in a secure keystore. An additional
hardware security module (HSM) may be connected to the WatchDox virtual
appliance, storing the system's keys externally, with the highest level of security.

Secure Document Boundaries
The WatchDox web application is further separated into components that handle
meta-data and components that handle users' documents. These components each
reside in their own security context with a strict interface and communicate amongst
themselves over SSL utilizing APIs. This architecture ensures the protection and
separation of users' documents, even in the face of a maliciously crafted document.
Encrypted documents are stored in a manner that prevents association between the
document itself and meta-data information such as the document's owner, its
recipients, or its original file name.

The Appliance can be configured to report events that can be captured by various
SIEM solutions.



WatchDox runs on a VMware ESX/ESXi server, version 4.1 and above. See Sizing
for additional details on hardware requirements. vCenter is required for installation
of the WatchDox vApp image. The installation process extracts several discrete
virtual machines from the vApp .ovf file and installs them on the target machine.

NAS/SAN Drives
File storage for the virtual appliance installation requires a NAS/SAN deployed by
the customer. This component stores the encrypted customer files and the
permissions database. The file system can be set for root crunching. This storage
is configured as additional VMDKs.

SMTP Server
The WatchDox server uses email as part of its standard operation, sending out
various alerts to users. Therefore, the WatchDox server must connect to an SMTP

Mobile Devices
WatchDox provides mobile apps for iOS, Android, and BlackBerry devices. These
apps allow accessing, syncing, annotating, and editing documents, while
maintaining the WatchDox controls and tracking capabilities. Users may install
these apps from the global App Store, or alternatively these apps may be deployed
by the organization.

Windows Plug-in
The Windows Plug-in performs automatic document synchronization and enforces
document controls inside of Microsoft Office and Adobe PDF. It also allows the
revocation of documents residing on the device at any time.

Microsoft SharePoint or other ECM Systems

WatchDox can connect to Microsoft SharePoint and other ECM systems as its data
sources. This allows the automatic export of data residing on those systems into
WatchDox, which can then protect it and allow it to be shared with mobile and/or
external subscribers.


Active Directory/LDAP
In addition to supporting email-based identities, WatchDox can connect to
AD/LDAP to leverage existing AD groups for user management purposes.

SSO/Authentication Solution
Customers may deploy an SSO or authentication solution, such as CA SiteMinder,
IBM Tivoli Identity Manager, and others. WatchDox can integrate with these
solutions (see user authentication).

Reverse Proxy or Web Application Firewall (WAF)

Many times, WatchDox is deployed on the internal network, connected behind a
reverse proxy or WAF residing in the DMZ (see network configuration section).
Many customers choose to deploy advanced web application firewalls that
terminate the SSL traffic, scan it, and then send it over to the WatchDox server.
Some of these proxies may also provide authentication capabilities. WatchDox can
utilize such authentication functionality if desired. Note: If authentication
functionality is not used, make sure HTTP headers are not modified by the proxy
prior to being sent over to the WatchDox server.
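
One way to check the note above is to send a test request through the proxy and compare the headers the client sent with the headers the backend logged. The following is an added example, not WatchDox code; the header names, values, and the list of headers the proxy is permitted to add are constructed assumptions.

```python
# Hop-by-hop headers (RFC 7230, section 6.1) legitimately change at each hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding",
              "upgrade"}
# Assumption: headers this deployment accepts the proxy adding.
ALLOWED_PROXY_ADDED = {"x-forwarded-for", "x-forwarded-proto", "via"}


def _normalize(headers):
    """Map lowercase name -> list of values, skipping hop-by-hop headers."""
    skip = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            # Headers listed in Connection are hop-by-hop for this message.
            skip.update(tok.strip().lower() for tok in value.split(","))
    out = {}
    for name, value in headers:
        if name.lower() not in skip:
            out.setdefault(name.lower(), []).append(value.strip())
    return out


def diff_headers(sent, received, allowed_added=ALLOWED_PROXY_ADDED):
    """Report end-to-end headers the proxy dropped, modified, or added."""
    s, r = _normalize(sent), _normalize(received)
    return {
        "dropped": sorted(k for k in s if k not in r),
        "modified": sorted(k for k in s if k in r and s[k] != r[k]),
        "added": sorted(k for k in r if k not in s and k not in allowed_added),
    }


# Constructed sample data: headers a test client sent through the proxy, and
# the headers the backend logged for the same request.
SENT = [
    ("Host", "docs.example.internal"),
    ("Authorization", "Bearer SAMPLE-TOKEN"),
    ("Accept-Language", "en-US"),
    ("Connection", "keep-alive"),
]
RECEIVED = [
    ("host", "10.0.0.5"),
    ("accept-language", "en-US"),
    ("x-forwarded-for", "203.0.113.7"),
    ("x-waf-score", "0"),
]

print(diff_headers(SENT, RECEIVED))
```

Any entry under "dropped" or "modified" points to a proxy rule that rewrites end-to-end headers and should be reviewed before the proxy is placed in front of the appliance.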

Hardware Security Module (HSM)

For additional security, WatchDox can store its encryption keys inside a
tamper-proof HSM. In such a case, the master keys are stored on the HSM, and the
WatchDox server requests individual file encryption keys from the HSM whenever
encryption or decryption is required.

SIEM System
WatchDox can export or send its audit trail events to a SIEM system for archiving,
anomaly detection, or forensic purposes.

Other Systems
WatchDox provides RESTful APIs, allowing the integration of WatchDox into other
data sources, document workflows, or web portals.


WatchDox recommends deploying the virtual appliance on a sub-segment of the
internal network (see diagram below). A reverse proxy or WAF is often placed in
the DMZ between the external network and the virtual appliance. Additionally, the
storage and SMTP server need to be configured and connected to the appliance.
Optionally, a Hardware Security Module (HSM) can be connected as well.

Figure 2: Sample network configuration

Below is a listing of the recommended firewall configuration:

Port number

WatchDox Server | Client access
WatchDox Server | SMTP Server | Email notifications
WatchDox Server | DNS Server | DNS resolution
WatchDox Server | NTP Server | Time synchronization
WatchDox VMs | WatchDox VMs | Internal load balancing

Service (opened on-demand)

Redirect to port 443
Service person | WatchDox Server | Remote service
Service person | WatchDox Server | Activation and mgmt
Service person | WatchDox Server | Load balancer mgmt.
WatchDox Server | Global monitoring



To address ever-growing regulation and to fit into any sort of authentication
scheme, WatchDox is architected to flexibly support the variety of enterprise-level
methods for authenticating users: password-based, multi-factor authentication, or
single-sign-on (SSO). These can be integrated with WatchDox using the OAuth 2.0
Additionally, WatchDox offers out-of-the-box authentication schemes, such as
username/password and email-answerback for fast and simple authentication.

Below are some sample recommended hardware requirements:
WatchDox Virtual Appliance | 3 VM config | 9 VM config
 | VMware ESX/ESXi 4.1 and up | VMware ESX/ESXi 4.1 and up
Max # of Contributors*
Max # of Readers**
Min # of processors | 3xQuad Core | 9xQuad Core
Recommended Memory | Main VM: 12GB; Conversion VM (Win): 8GB; Conversion VM2 (RHEL): 4GB | Main VM: 16GB; Application Server: 16GB each; Conversion VM (Win): 8GB each; Conversion VM2 (RHEL): 4GB each
Supported Storage
Supported Protocols
Online DB Replication
High Availability

* Users allowed to upload and grant permissions to documents

** Users allowed to access and read documents
Numbers may vary depending on customer usage patterns.

The number of server blades and VMs can be scaled out to fit larger organizations
or more demanding processing requirements.



Since the WatchDox virtual appliance makes use of standard VMDKs, it is
straightforward to incorporate these volumes into the standard enterprise backup
and/or data replication strategies. Since the WatchDox system is stateless, a
backup or a replicated DR volume provides all the necessary snapshot information
to perform a full system recovery. WatchDox can support multiple DNS
mechanisms to facilitate active-passive failover.

The WatchDox virtual appliance supports High Availability through a cluster
configuration with a backup virtual appliance running on different hardware. The
two systems synchronize database states, and failover is controlled through
VRRP (Virtual Router Redundancy Protocol). Depending on the configuration, the
backup system can access either the same NAS as the primary system or a
backup NAS.

Figure 3: High Availability configuration with redundant Appliance


WatchDox provides quarterly updates to the virtual appliance image and to its
various client components. WatchDox offers remote installation assistance in
upgrading a customer's system.