1. Introduction
This primer is intended for use by the individual(s) who will be responsible for deploying Trillian Server within their organization. It covers the basic hardware and software requirements for Trillian Server, explains some of the prerequisites for a successful deployment, and outlines a basic topology example to give implementors an idea of how Trillian Server will fit within their existing infrastructure.
Deploying a Trillian Server is like deploying an email or web server - you will be installing and configuring a machine whose purpose will be communicating with users within your internal network and users outside of it (mobile phones, roaming employee laptops, etc). Accordingly, decisions need to be made about how to facilitate access to the machine itself within the scope of your existing security policies. While we've strived to make the deployment process as painless as possible, there are a few important steps to consider before you begin:
- Preparing the server hardware itself (or the virtual equivalent if using a VM) according to the specifications below.
- Opening the necessary ports on your firewall to reach the Trillian Server: 443 (for HTTPS) and 3158 (for IMPP).
- Preparing the necessary DNS records, which let Trillian clients find your server instead of connecting to ours.
- Obtaining or preparing a TLS certificate or deciding to generate a self-signed certificate.
- Deciding on using internal storage or Amazon S3 storage. If you use S3, data is encrypted locally before transmission using AES-256.
- Deciding on using a local user directory or one populated by Active Directory.
2. Hardware Requirements
Trillian Server requires 64-bit hardware. The specific hardware used can vary depending on the size of your deployment, but the following guidelines can be used for deployments below 5,000 users:
Hardware component | Recommended
---|---
CPU | 64-bit processor, 2.0 GHz or higher, dual-core or higher
Memory | 8GB
Disk | Local storage with at least 72GB free on a 10,000 RPM+ drive
Network | 1 network adapter, 1 Gbps or higher
3. Software Requirements
Trillian Server requires a 64-bit version of Windows Server 2008 R2 or above. We recommend installing Trillian Server on a dedicated machine to avoid performance issues. Trillian Server listens on TCP ports 443 and 3158; if you deploy Trillian Server to a machine running other services, you must ensure these ports are available before installation.
4. Planning Primer
4.1. DNS
To deploy Trillian Server, you must create DNS records that enable the discovery of your Trillian Server by Trillian clients. We recommend that the IM domain name you select for Trillian Server matches your organization's email domain name. For example, if your email address is smw@ceruleanstudios.com, configure Trillian Server to use the ceruleanstudios.com domain and publish the necessary DNS records there. Three service (SRV) records are required, plus one A record for the host they point to (the "Target" value below); for example, for the ceruleanstudios.com domain:
Record | Service | Protocol | Name | Priority | Weight | Port | Target
---|---|---|---|---|---|---|---
_impp._tcp.ceruleanstudios.com | _impp | _tcp | ceruleanstudios.com | 10 | 0 | 3158 | impp.ceruleanstudios.com
_impp-media._tcp.ceruleanstudios.com | _impp-media | _tcp | ceruleanstudios.com | 10 | 0 | 443 | impp.ceruleanstudios.com
_impp-https._tcp.ceruleanstudios.com | _impp-https | _tcp | ceruleanstudios.com | 10 | 0 | 443 | impp.ceruleanstudios.com
You can use the same hostname for all three service records because they all point to the same machine. Remember that the fully-qualified domain name (FQDN) of the Trillian Server will later be used when obtaining a TLS certificate, so choose the name with that in mind. If your organization already owns a wildcard certificate for its domain, you can pick any names you want here or even three different names (such as impp.ceruleanstudios.com, impp-media.ceruleanstudios.com, etc). If you expect to have to purchase a certificate, remember that it will be bound to the FQDN you're publishing through DNS.
4.1.1. Split-Brain DNS
If your organization hosts DNS for your IM domain name both internally and externally, we consider this "split-brain" DNS. For example, this would mean that you run a DNS server for ceruleanstudios.com internally as well as externally; how your external DNS is serviced is not important, whether you host it yourself or have a third-party service provider do it for you. Split-brain DNS environments allow you to configure the necessary SRV and A records internally to point to internal IP addresses (for example, 192.168.x.x) and externally to point to external IP addresses (internet-routable).
4.1.2. Pinpoint DNS
If your organization does NOT host DNS for your IM domain name internally, another option is to publish what is known as a "pinpoint" DNS zone specifically for the DNS records required by Trillian Server. Unfortunately, Microsoft's DNS manager doesn't support the creation of pinpoint zones through its user interface, but you can run the dnscmd tool at a command prompt to create the necessary zones. The perk of this solution is that you are emulating a true split-brain environment without actually having to host your DNS internally as well. For example, if our Trillian Server resides internally at 192.168.1.100, we would run the following commands to create the pinpoint zones and populate them with the necessary SRV and A records, replacing 'ceruleanstudios.com' with your chosen IM domain name:
```
dnscmd . /zoneadd _impp._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd _impp-media._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd _impp-https._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd impp.ceruleanstudios.com. /dsprimary
dnscmd . /recordadd _impp._tcp.ceruleanstudios.com. @ SRV 10 0 3158 impp.ceruleanstudios.com.
dnscmd . /recordadd _impp-media._tcp.ceruleanstudios.com. @ SRV 10 0 443 impp.ceruleanstudios.com.
dnscmd . /recordadd _impp-https._tcp.ceruleanstudios.com. @ SRV 10 0 443 impp.ceruleanstudios.com.
dnscmd . /recordadd impp.ceruleanstudios.com. @ A 192.168.1.100
```
Note that /dsprimary creates Active Directory-integrated zones, so these commands must be run on a DNS server that is also a domain controller (the "." argument means the local server). Because the pinpoint zone for impp.ceruleanstudios.com shadows that name for every internal client, remember to update its A record if the server's internal address ever changes.
4.1.3. NAT Hairpinning
Finally, if your organization does NOT host DNS for your IM domain name internally and you'd prefer not to create pinpoint DNS zones, this normally means Trillian clients behind your firewall will receive an external IP address when attempting to locate your Trillian Server. If your NAT environment allows what is known as "hairpinning" - meaning a client machine at 192.168.1.200 can reach Trillian Server at 192.168.1.100 by way of its external IP address 4.4.4.4 - then you only have to publish DNS records externally.
4.2. TLS
All connections to Trillian Server are encrypted with TLS. Accordingly, you will need to provide a TLS certificate during installation. The name on the certificate must match the FQDN that your SRV records point to (the A record target), not the IM domain name itself. Wildcard certificates are also supported. For example, if your SRV records point to an A record of "impp.ceruleanstudios.com", your TLS certificate should be for "impp.ceruleanstudios.com" or for "*.ceruleanstudios.com". Bear in mind that a wildcard covers only a single label: "*.ceruleanstudios.com" matches "impp.ceruleanstudios.com" but neither "ceruleanstudios.com" itself nor "a.impp.ceruleanstudios.com". This is why, unless you have a wildcard certificate, it's useful (and cheaper) to assign the same FQDN as the target of all three SRV records.
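The naming rules in 4.1 and 4.2 are easy to get subtly wrong (a media record published on the IMPP port, a target with no A record, a certificate for the bare domain instead of the SRV target). The following pre-flight checker is an added example written for this page; it is not part of Trillian Server or its documentation. It operates on record sets you pass in, here constructed to mirror the ceruleanstudios.com example above; in practice you would fill them from your resolver's output (for instance `Resolve-DnsName -Type SRV _impp._tcp.<domain>` on Windows). The REQUIRED_SRV table, the Srv dataclass and the problem messages are this example's own.

```python
"""Pre-flight check for the DNS and TLS naming decisions described in sections 4.1 and 4.2.

Added example, not part of Trillian Server. The record sets below are constructed to
mirror the page's ceruleanstudios.com example; replace them with real resolver output.
"""
from dataclasses import dataclass

# Required SRV services and the port each must advertise (section 4.1).
REQUIRED_SRV = {
    "_impp._tcp": 3158,
    "_impp-media._tcp": 443,
    "_impp-https._tcp": 443,
}


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def normalize(name):
    """Compare DNS names ignoring the trailing dot and case."""
    return name.rstrip(".").lower()


def cert_covers(cert_names, fqdn):
    """True if one of the certificate's DNS names (CN or subjectAltName) covers fqdn.

    Wildcard rule as TLS clients apply it: '*.example.com' matches exactly one label,
    so it covers 'impp.example.com' but neither 'example.com' nor 'a.impp.example.com'.
    """
    fqdn = normalize(fqdn)
    for name in cert_names:
        name = normalize(name)
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            prefix = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == fqdn:
            return True
    return False


def check_deployment(im_domain, srv_records, a_records, cert_names):
    """Validate the record set for im_domain; returns a list of problems (empty = OK).

    srv_records: {"_impp._tcp.example.com": [Srv(...), ...], ...}
    a_records:   {"impp.example.com": ["192.168.1.100"], ...}
    cert_names:  DNS names on the TLS certificate (CN plus subjectAltName entries).
    """
    im_domain = normalize(im_domain)
    srv = {normalize(k): v for k, v in srv_records.items()}
    a = {normalize(k): v for k, v in a_records.items()}
    problems = []
    targets = set()
    for service, port in REQUIRED_SRV.items():
        owner = f"{service}.{im_domain}"
        records = srv.get(owner, [])
        if not records:
            problems.append(f"missing SRV record {owner}")
            continue
        for rec in records:
            if rec.port != port:
                problems.append(f"{owner} advertises port {rec.port}, expected {port}")
            targets.add(normalize(rec.target))
    # Every distinct target needs an A record and must be a name the certificate covers.
    for target in sorted(targets):
        if not a.get(target):
            problems.append(f"SRV target {target} has no A record")
        if not cert_covers(cert_names, target):
            problems.append(f"certificate names {list(cert_names)} do not cover SRV target {target}")
    return problems


# Constructed sample mirroring the page's example; not live DNS output.
SAMPLE_SRV = {
    "_impp._tcp.ceruleanstudios.com": [Srv(10, 0, 3158, "impp.ceruleanstudios.com.")],
    "_impp-media._tcp.ceruleanstudios.com": [Srv(10, 0, 443, "impp.ceruleanstudios.com.")],
    "_impp-https._tcp.ceruleanstudios.com": [Srv(10, 0, 443, "impp.ceruleanstudios.com.")],
}
SAMPLE_A = {"impp.ceruleanstudios.com": ["192.168.1.100"]}

if __name__ == "__main__":
    print(check_deployment("ceruleanstudios.com", SAMPLE_SRV, SAMPLE_A, ["impp.ceruleanstudios.com"]))
    # A common mistake: media record on the IMPP port and a certificate for the bare domain.
    wrong = dict(SAMPLE_SRV)
    wrong["_impp-media._tcp.ceruleanstudios.com"] = [Srv(10, 0, 3158, "impp.ceruleanstudios.com")]
    print(check_deployment("ceruleanstudios.com", wrong, SAMPLE_A, ["ceruleanstudios.com"]))
```

Run it once against the internal view of DNS and once against the external view (section 4.1.1); both should come back empty before you order a certificate, since the certificate will be bound to whatever target names the checker reports.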
4.3. Storage
Trillian Server supports optional integration with Amazon's S3 cloud storage service. As your users share files and images and grow their chat history logs over time, it can be desirable to avoid worrying about local disk space requirements and constantly maintaining local storage. If you choose to utilize S3, all data sent to Amazon is first encrypted locally using AES-256. The encryption key is generated with a cryptographically secure pseudorandom number generator and stored locally on your Trillian Server. In addition, an HMAC-SHA-256 tag is computed over the ciphertext using a second key (encrypt-then-MAC), so any modification of your data after it leaves your server is detected. Making a secure backup of your encryption and HMAC ("signing") keys is vitally important to your ability to recover data on S3 in the event of a catastrophic system crash: without the keys, the objects on S3 are unrecoverable ciphertext.
Note: Encryption and signing keys are stored in the 'trillianserver.conf' file, normally located in 'C:\ProgramData\Trillian Server\config\'.
Note: Even if you use local storage, data is still encrypted due to the architecture of Trillian Server, so backing the key up is always a good idea!
4.4. Active Directory
Trillian Server supports optional integration with Active Directory. If you hook Trillian Server into Active Directory, your users and groups will be imported from Active Directory. Passwords will remain on the AD side only, and users will authenticate with their existing AD passwords. This is desirable to prevent users from having to learn and maintain a new set of credentials.
4.5. Reference Topology
5. Deploying Trillian Server
5.1. Installation
The first step of deploying Trillian Server is to install the server software itself. Download and double click the installer to get started; all required dependencies should be installed automatically and you will be prompted to launch the server manager after a successful install. In the event that your machine needs to be rebooted after the install, reboot and launch server manager by hand.
5.2. Configuration
After installation, you're greeted with a welcome page where you can provide your full company name to get started. The company name is purely for aesthetics, so make it neat!
5.2.1. Media
The first step is determining whether you want to store your data locally or using a combination of local and cloud storage powered by Amazon S3. If you choose to utilize Amazon S3, you will gain the benefit of encrypted cloud backups and don't have to worry about disk space utilization as users grow their chat histories and share files and images. All data stored on S3 is first encrypted locally using AES-256.
5.2.2. DNS
The DNS step is where you select your IM domain name. Trillian Server will attempt to resolve the necessary DNS records to determine that they are present; in the event that they are not, you will be given the option to fix the DNS records or skip validation if you wish to perform this task at a later point in time.
Field | Notes
---|---
Servers | Because Trillian Server normally sits behind your firewall, the DNS preview you see here only reflects the internal side of your DNS configuration in a split-brain scenario. You can verify external DNS records at a later point in time using your tool of choice.
IM Domain Name | Your IM domain name should be a domain under your control with both internal and external DNS services available.
5.2.3. TLS
If your organization already has a TLS certificate, you can provide it here by pointing to the file's location on your server. Trillian Server currently accepts TLS certificates in the PFX and PEM formats. If you are trialing Trillian Server, the easiest option is to generate a self-signed certificate for now and replace it at a later point in time. Trillian clients will show a warning when connecting to a server with a self-signed certificate, but will otherwise function normally. Treat this as a trial-only arrangement: a warning that users are told to click through is indistinguishable to them from one caused by someone interposing on the connection, so replace the self-signed certificate before going into production.
5.2.4. User Directory
The next step is to determine where Trillian Server should source your users from. You can add them by hand using the "internal" directory option or connect to an Active Directory server to import users and groups. When importing from Active Directory, you can provide both a users distinguished name (DN) and a groups DN. The users DN is where Trillian Server will look for user objects to import; the groups DN is where it will look for group objects to import. Note that when looking for users, Trillian Server crawls all the children of the DN you provide, including OUs and actual group objects. The value of these DNs will depend entirely on your particular Active Directory layout, but Trillian Server will suggest a default to try if you're unsure. Consult with the team responsible for your AD layout if you're in doubt about what values to provide here.
Field | Notes
---|---
Login Username | Any user with access to crawl AD will work. Use a dedicated read-only account rather than a domain administrator; the account only needs to read the users and groups DNs.
Users DN | Where should Trillian Server look for user objects?
Groups DN | Where should Trillian Server look for group objects?
5.2.5. User Preview
After importing users from Active Directory, a preview screen will appear showing you the users and groups Trillian Server has found. You should take the opportunity to review your users and groups here; if things look incorrect, simply press the back button and provide new DNs to try again. You can also disable users and modify user groups on this screen as well as control whether or not Trillian Server should use the UPN or email address from AD for the import.
Field | Notes
---|---
Users | Right click to disable users or groups. You can also choose a different group for users who exist in more than one group on the AD side.
5.2.6. User Import
During this step, Trillian Server is performing the actual import of your users into its internal databases. If all goes well, you will be moved to the dashboard.
5.3. Backups
5.3.1. On-site Backups
By default, Trillian Server performs daily backups of its internal database. Backups are kept in a day-of-the-week rotation ("Mon", "Tue", "Wed", etc), so each day's backup is overwritten by the same weekday's backup 7 days later. Backups are stored in 'C:\ProgramData\Trillian Server\config\plugins\sqlite\db\backups'.
Note: In addition to on-site backups of your databases, we recommend you make a backup of your trillianserver.conf file. This file contains important information relating to your Trillian Server installation that cannot be otherwise recovered, and is also not a part of the standard on-site backup!
5.3.2. Off-site Backups
When using Amazon S3 storage, Trillian Server automatically sends encrypted backups to S3 once per week. When using local storage, no off-site backups are performed by Trillian Server. You should use the backup strategy of your choice to copy your on-site backups to an off-site location.
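Two things in 5.3 are easy to lose track of when running local storage: the conf file is outside the on-site backup, and a daily job that stops running is silent until the seventh day overwrites the last good copy. The script below is an added example written for this page, not part of Trillian Server; it mirrors the backup directory and trillianserver.conf to an off-site location and reports when the newest backup is older than a day. The default paths are the ones named in 5.3; the 25-hour threshold, the dated folder layout and the throwaway tree built by build_sample are this example's own choices, and the conf placeholder it writes is constructed, not a real configuration.

```python
"""Off-site copy of Trillian Server's on-site backups plus trillianserver.conf, with a
freshness check so a silently failing daily backup is noticed.

Added example, not part of Trillian Server. Default paths are those named in section 5.3;
the threshold, folder layout and sample tree are this example's own.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

DEFAULT_BACKUP_DIR = r"C:\ProgramData\Trillian Server\config\plugins\sqlite\db\backups"
DEFAULT_CONF = r"C:\ProgramData\Trillian Server\config\trillianserver.conf"


def newest_mtime(directory):
    """Modification time of the most recently written entry in directory, or None."""
    directory = Path(directory)
    if not directory.is_dir():
        return None
    return max((p.stat().st_mtime for p in directory.iterdir()), default=None)


def check_and_copy(backup_dir, conf_path, offsite_dir, now=None, max_age_hours=25):
    """Verify the daily backup ran, then mirror backups and the conf file to offsite_dir.

    Returns a list of problems (empty means healthy). Copying still happens when a
    problem is found so that whatever does exist is preserved. A 25-hour threshold
    for a daily job leaves an hour of slack for a late run.
    """
    now = time.time() if now is None else now
    problems = []
    newest = newest_mtime(backup_dir)
    if newest is None:
        problems.append("no backups found")
    elif now - newest > max_age_hours * 3600:
        problems.append(f"newest backup is {(now - newest) / 3600:.1f}h old")
    conf = Path(conf_path)
    if not conf.is_file():
        problems.append("trillianserver.conf missing")

    # One dated folder per run. The conf file holds the S3 encryption and signing keys
    # (section 4.3), so the off-site location must be access-controlled like the server itself.
    dest = Path(offsite_dir) / time.strftime("%Y%m%d", time.gmtime(now))
    dest.mkdir(parents=True, exist_ok=True)
    if Path(backup_dir).is_dir():
        shutil.copytree(backup_dir, dest / "db", dirs_exist_ok=True)
    if conf.is_file():
        shutil.copy2(conf, dest / conf.name)
    return problems


def build_sample(age_hours):
    """Constructed fixture (not real data): a throwaway tree with one backup age_hours old."""
    root = Path(tempfile.mkdtemp(prefix="trillian-demo-"))
    backups = root / "backups"
    backups.mkdir()
    snapshot = backups / "Mon"
    snapshot.write_bytes(b"constructed sqlite backup")
    stamp = time.time() - age_hours * 3600
    os.utime(snapshot, (stamp, stamp))
    conf = root / "trillianserver.conf"
    conf.write_text("# constructed placeholder, not a real trillianserver.conf\n")
    return backups, conf, root / "offsite"


if __name__ == "__main__":
    for age in (2, 72):
        problems = check_and_copy(*build_sample(age))
        print(f"backup {age}h old:", problems or "healthy")
```

Schedule check_and_copy with the real paths (DEFAULT_BACKUP_DIR, DEFAULT_CONF and a network or removable destination) to run after the daily backup, and route a non-empty problems list to whatever alerting you already use; a missing conf file is the finding to act on first, since nothing else on the page can recover it.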
Last updated: August 12, 2014