
Prerequisites

This guide is intended for use by the individual(s) who will be responsible for deploying Trillian Server within their organization. It covers the basic hardware and software requirements for Trillian Server, explains some of the prerequisites for a successful deployment, and outlines a basic topology example to give deployers an idea of how Trillian Server will fit within their existing infrastructure.

Deploying a Trillian Server is like deploying an email or web server - you will be installing and configuring software on a machine whose purpose will be communicating with users within your internal network and users outside of it (mobile phones, roaming employee laptops, etc). Accordingly, decisions need to be made about how to facilitate access to the machine itself within the scope of your existing security policies. While we've strived to make the process as painless as possible, there are a few important steps to consider before you begin:

  1. Preparing the server hardware itself (or the virtual equivalent if using a VM) according to the specifications below.
  2. Opening the necessary ports on your firewall to reach the Trillian Server: 443 (for HTTPS), 3158 (for IMPP), and 5269 (for XMPP; optional).
  3. Preparing the necessary DNS records, which let Trillian clients find your server instead of ours.
  4. Obtaining or preparing a TLS certificate or deciding to use a self-signed certificate, which Trillian Server will generate for you.
  5. Deciding on using internal storage or Amazon S3 storage. All data sent to S3 is first encrypted locally using AES-256.
  6. Deciding on using a local user directory or one populated by Active Directory or OpenLDAP.

Hardware Requirements

Trillian Server requires 64-bit hardware. The specific hardware used can vary depending on the size of your deployment, but the following guidelines can be used for deployments below 5,000 users:

Hardware component   Recommended
CPU                  64-bit processor, 2.0 GHz or higher, dual-core or higher
Memory               8GB
Disk                 Local storage with at least 72GB free on a 10,000 RPM+ drive
Network              1 network adapter, 1 Gbps or higher

Software Requirements

Trillian Server requires a 64-bit version of Windows Server 2008 R2 or above. We recommend installing Trillian Server on a dedicated machine to avoid performance issues. Trillian Server listens on TCP ports 443 and 3158; if you deploy Trillian Server to a machine running other services, you must ensure these ports are available before installation. In addition, Trillian Server supports XMPP federation for optional server-to-server communication. If you choose to utilize XMPP federation, TCP port 5269 is also used.


DNS

To deploy Trillian Server, you must create DNS records that let Trillian clients discover your server. We recommend that the IM domain name you select for Trillian Server match your organization's email domain name. For example, if your email address is smw@ceruleanstudios.com, configure Trillian Server to use the ceruleanstudios.com domain and publish the necessary DNS records there. Three service (SRV) records and one A record (the "target" that the SRV records point at) are required; for example, for the ceruleanstudios.com domain:

The examples below assume your domain is ceruleanstudios.com. Replace ceruleanstudios.com with your actual domain before publishing any DNS records.

_impp._tcp.ceruleanstudios.com
  Service:  _impp
  Protocol: _tcp
  Name:     ceruleanstudios.com
  Priority: 10
  Weight:   0
  Port:     3158
  Target:   impp.ceruleanstudios.com

_impp-media._tcp.ceruleanstudios.com
  Service:  _impp-media
  Protocol: _tcp
  Name:     ceruleanstudios.com
  Priority: 10
  Weight:   0
  Port:     443
  Target:   impp.ceruleanstudios.com

_impp-https._tcp.ceruleanstudios.com
  Service:  _impp-https
  Protocol: _tcp
  Name:     ceruleanstudios.com
  Priority: 10
  Weight:   0
  Port:     443
  Target:   impp.ceruleanstudios.com

You can use the same hostname for all three service records because they all point to the same machine. Remember that the fully-qualified domain name (FQDN) of the Trillian Server will later be used when obtaining a TLS certificate, so choose the name with that in mind. If your organization already owns a wildcard certificate for its domain, you can pick any names you want here or even three different names (such as impp.ceruleanstudios.com, impp-media.ceruleanstudios.com, etc). If you expect to have to purchase a certificate, remember that it will be bound to the FQDN you're publishing through DNS.

XMPP Federation

If you want your Trillian Server to be available to other XMPP-enabled servers for purposes of server-to-server federation, you need to publish an additional SRV record to let XMPP servers know how to reach your server. Note that we are re-using the same "target" value below, but you could decide to create a new A record "xmpp.ceruleanstudios.com" pointing to the same machine if you so desire. Feel free to skip this step entirely until you decide on utilizing federation.

_xmpp-server._tcp.ceruleanstudios.com
  Service:  _xmpp-server
  Protocol: _tcp
  Name:     ceruleanstudios.com
  Priority: 10
  Weight:   0
  Port:     5269
  Target:   impp.ceruleanstudios.com

Split-Brain DNS

If your organization hosts DNS for your IM domain name both internally and externally, this is considered "split-brain" DNS. For example, this would mean that you run a DNS server for ceruleanstudios.com behind the firewall as well as outside it (hosted by you or a third-party ISP). Split-brain DNS environments allow you to configure the necessary SRV and A records internally to point to internal IP addresses (for example, 192.168.x.x) and externally to point to external, internet-routable IP addresses.

Pinpoint DNS

If your organization does not host DNS for your IM domain name internally, another option is to publish what is known as a "pinpoint" DNS zone specifically for the DNS records required by Trillian Server. Unfortunately, Microsoft's DNS manager doesn't support the creation of pinpoint zones through its user interface, but you can run the dnscmd tool from a command prompt to create the necessary zones. The perk of this solution is that you are emulating a true split-brain environment without actually having to host your DNS internally as well. For example, if your Trillian Server resides internally at 192.168.1.100, you would run the following commands to create the pinpoint zones and populate them with the necessary SRV and A records, replacing "ceruleanstudios.com" with your chosen IM domain name:

dnscmd . /zoneadd _impp._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd _impp-media._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd _impp-https._tcp.ceruleanstudios.com. /dsprimary
dnscmd . /zoneadd impp.ceruleanstudios.com. /dsprimary

dnscmd . /recordadd _impp._tcp.ceruleanstudios.com. @ SRV 10 0 3158 impp.ceruleanstudios.com.
dnscmd . /recordadd _impp-media._tcp.ceruleanstudios.com. @ SRV 10 0 443 impp.ceruleanstudios.com.
dnscmd . /recordadd _impp-https._tcp.ceruleanstudios.com. @ SRV 10 0 443 impp.ceruleanstudios.com.
dnscmd . /recordadd impp.ceruleanstudios.com. @ A 192.168.1.100

NAT Hairpinning

If your organization does not host DNS for your IM domain name internally and you'd prefer not to create pinpoint DNS zones, this normally means Trillian clients behind your firewall will receive an external IP address when attempting to locate your Trillian Server. If your NAT environment allows what is known as "hairpinning" - meaning a client machine at 192.168.1.200 can reach the Trillian Server at 192.168.1.100 by way of its external IP address 4.4.4.4 - then you only have to publish DNS records externally.


TLS

All connections to Trillian Server are encrypted with TLS. Accordingly, you will need to provide a TLS certificate that corresponds to your domain. The name on the TLS certificate must match the DNS name of the Trillian Server itself. Wildcard certificates are also supported. For example, if your SRV records point to an A record of "impp.ceruleanstudios.com", your TLS certificate should be for "*.ceruleanstudios.com" or "impp.ceruleanstudios.com". This is why, unless you have a wildcard certificate, it's useful (and cheaper) to assign the same FQDN to all three SRV records.
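The following PowerShell script is an added example, not part of this guide or of Trillian Server. It is a pre-flight check for the DNS and TLS sections above that you can run from an internal client or from the server itself: it looks up the three SRV records (and, with -Xmpp, the federation record), compares each advertised port with the tables above, resolves the target's A record, tests TCP reachability, and performs a TLS handshake on port 443 to confirm that the certificate's CN or SAN names match the target name and whether the chain is trusted. Passing -DnsServer lets you compare answers from an internal server (split-brain or pinpoint zones) with those from public DNS. The domain name, the assumption that the port 443 listener presents the server certificate, and the English "DNS Name=" wording in the SAN dump are assumptions of the example.

```powershell
# Added example, not part of the Trillian Server documentation or product: a pre-flight check
# that the SRV and A records resolve as intended and that the TLS certificate on the target
# matches the name the SRV records publish. Assumes Windows 8/Server 2012 or later
# (Resolve-DnsName, Test-NetConnection) and that the port 443 listener presents the server certificate.
param(
    [string]$ImDomain  = 'ceruleanstudios.com',   # replace with your IM domain
    [string]$DnsServer = '',                      # e.g. an internal DNS server, to compare split-brain/pinpoint answers with public ones
    [switch]$Xmpp                                 # also check the federation record
)

# SRV name prefix -> port it should advertise (from the tables above)
$expected = @{ '_impp._tcp' = 3158; '_impp-media._tcp' = 443; '_impp-https._tcp' = 443 }
if ($Xmpp) { $expected['_xmpp-server._tcp'] = 5269 }
$resolve = @{ ErrorAction = 'Stop' }
if ($DnsServer) { $resolve['Server'] = $DnsServer }

function Test-CertName([string]$Pattern, [string]$HostName) {
    # Exact match, or a wildcard that covers exactly one left-most label (RFC 6125)
    $p = $Pattern.ToLower(); $h = $HostName.ToLower()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    $suffix = $p.Substring(1)                               # ".ceruleanstudios.com"
    if (-not $h.EndsWith($suffix)) { return $false }
    $left = $h.Substring(0, $h.Length - $suffix.Length)
    return ($left.Length -gt 0) -and ($left -notmatch '\.')
}

$targets = @{}
foreach ($svc in $expected.Keys) {
    $name = "$svc.$ImDomain"
    try   { $srv = Resolve-DnsName -Name $name -Type SRV @resolve | Where-Object { $_.Type -eq 'SRV' } }
    catch { Write-Warning "$name : no SRV record ($($_.Exception.Message))"; continue }
    foreach ($r in $srv) {
        $flag = if ($r.Port -eq $expected[$svc]) { 'OK ' } else { 'BAD' }
        "{0} {1} -> {2}:{3} (priority {4}, weight {5})" -f $flag, $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        $targets[$r.NameTarget] = $true
    }
}

foreach ($target in $targets.Keys) {
    try   { $a = Resolve-DnsName -Name $target -Type A @resolve | Where-Object { $_.Type -eq 'A' } }
    catch { Write-Warning "$target : no A record"; continue }
    "A   {0} -> {1}" -f $target, (@($a | ForEach-Object { $_.IPAddress }) -join ', ')

    foreach ($port in ($expected.Values | Sort-Object -Unique)) {
        $ok = (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "TCP {0}:{1} reachable={2}" -f $target, $port, $ok
    }

    # TLS handshake on 443; accept any certificate in the callback so it can be inspected here
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($target, 443)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($target)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {   # Format() output is localized; 'DNS Name=' is the English form
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
        $match   = @($names | Where-Object { Test-CertName $_ $target }).Count -gt 0
        $trusted = $cert.Verify()        # chain builds to a trusted root; false for the generated self-signed cert
        "TLS {0}:443 names=[{1}] nameMatch={2} chainTrusted={3} expires={4:yyyy-MM-dd}" -f $target, ($names -join ' '), $match, $trusted, $cert.NotAfter
        $ssl.Close()
    }
    catch   { Write-Warning ("TLS {0}:443 failed: {1}" -f $target, $_.Exception.Message) }
    finally { $client.Close() }
}
```

Save it under any name (for instance Check-TrillianDns.ps1, a name chosen for this example) and run it once against public DNS and once with -DnsServer pointed at your internal resolver; in a split-brain or pinpoint setup the A answers should differ while the SRV ports and targets stay identical. A nameMatch of False means the certificate you install later will be rejected by clients even if chainTrusted is True.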


Storage

Trillian Server supports optional integration with Amazon's S3 cloud storage service. As your users share files and images and grow their chat history logs over time, it can be desirable to avoid worrying about local disk space requirements and constantly maintaining local storage supply. If you choose to utilize S3, all data sent to Amazon is first encrypted locally using AES-256. The encryption key is generated with a cryptographically secure pseudorandom number generator and stored locally on your Trillian Server. In addition, all ciphertext is authenticated with an HMAC-SHA-256 tag computed under a second key (the "signing" key), so that data modified after it leaves your server is detected rather than decrypted. Note that HMAC is a message authentication code rather than a digital signature: anyone holding the signing key can produce valid tags, so it needs the same protection as the encryption key. Because both keys exist only on your server, making a secure backup of your encryption and signing keys is vitally important to ensuring your ability to recover data on S3 in the event of a catastrophic system crash!

Encryption and signing keys are stored in the "crypto.conf" file, normally located in "C:\ProgramData\Trillian Server\config\".

Even if you use local storage, data is still encrypted due to the architecture of Trillian Server, so backups of crypto.conf are still important!
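As an added illustration (not Trillian Server's own code, and not the real crypto.conf format, which this guide does not document), the following PowerShell shows the scheme the Storage section describes: two keys drawn from a CSPRNG, AES-256 encryption, an HMAC-SHA-256 tag under the second key over the ciphertext, and verification of that tag before any decryption is attempted. The key-file name and JSON layout, the use of AES in CBC mode with a random IV, and the sample record are assumptions of the example.

```powershell
# Added example, not Trillian Server's own code: illustrates the encrypt-then-MAC scheme the
# Storage section describes (AES-256, HMAC-SHA-256 under a second key, both keys from a CSPRNG).
# The real crypto.conf format is not documented here; this writes a constructed JSON key file.

function New-StorageKeys([string]$Path) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $enc = New-Object byte[] 32; $rng.GetBytes($enc)      # 256-bit AES key
    $mac = New-Object byte[] 32; $rng.GetBytes($mac)      # separate 256-bit HMAC key
    @{ EncryptionKey = [Convert]::ToBase64String($enc); SigningKey = [Convert]::ToBase64String($mac) } |
        ConvertTo-Json | Set-Content -Path $Path -Encoding ASCII
}

function Get-StorageKeys([string]$Path) {
    $k = Get-Content -Path $Path -Raw | ConvertFrom-Json
    return @{ Enc = [Convert]::FromBase64String($k.EncryptionKey); Mac = [Convert]::FromBase64String($k.SigningKey) }
}

function Protect-Blob([byte[]]$Plaintext, [hashtable]$Keys) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Keys.Enc; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateIV()                                      # fresh random IV per blob
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $body = [byte[]]($aes.IV + $ct)                        # IV || ciphertext
    $hmac = New-Object System.Security.Cryptography.HMACSHA256; $hmac.Key = $Keys.Mac
    return [byte[]]($body + $hmac.ComputeHash($body))      # IV || ciphertext || tag (encrypt-then-MAC)
}

function Unprotect-Blob([byte[]]$Blob, [hashtable]$Keys) {
    if ($Blob.Length -lt 64) { throw 'blob too short to contain IV, ciphertext and tag' }
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $hmac = New-Object System.Security.Cryptography.HMACSHA256; $hmac.Key = $Keys.Mac
    $expected = $hmac.ComputeHash($body)
    $diff = 0                                              # compare every byte; no early exit on mismatch
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'HMAC verification failed: data was modified or the signing key is wrong' }
    $aes = [System.Security.Cryptography.Aes]::Create()    # only decrypt after the tag verifies
    $aes.Key = $Keys.Enc; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.IV = [byte[]]$body[0..15]
    $ct = [byte[]]$body[16..($body.Length - 1)]
    return [byte[]]$aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

# Demo with a constructed key file (not the real crypto.conf) and a constructed record
$keyFile = Join-Path $env:TEMP 'crypto-example.conf'
New-StorageKeys $keyFile
$keys = Get-StorageKeys $keyFile
$blob = Protect-Blob ([Text.Encoding]::UTF8.GetBytes('chat history: hello from the test')) $keys
[Text.Encoding]::UTF8.GetString([byte[]](Unprotect-Blob $blob $keys))     # round-trips

$tampered = [byte[]]$blob.Clone(); $tampered[20] = $tampered[20] -bxor 1  # flip one ciphertext bit
try { Unprotect-Blob $tampered $keys } catch { Write-Warning $_.Exception.Message }

# Lose the key file and every blob is unrecoverable, which is why backing it up matters.
Remove-Item $keyFile
```

The order matters: the tag is checked over IV and ciphertext before the decryptor ever sees the data, so a tampered blob fails with the HMAC error instead of producing garbage or a padding error, and the tampering demo above exercises exactly that path.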

LDAP

Trillian Server supports optional integration with Active Directory or OpenLDAP for user import. In this mode, users will authenticate with their existing LDAP passwords and Trillian Server will not store passwords internally. This setup can be desirable to shield users from having to learn and maintain a new set of credentials.


Reference Topology


Deploying

The first step of deploying Trillian Server is to install the server software itself. Download and double click the installer to get started; all required dependencies should be installed automatically and you will be prompted to launch the server manager after a successful install. In the event that your machine needs to be rebooted after the install, reboot and launch server manager by hand.


Welcome

After installation, you're greeted with a welcome page where you can provide your full company name to get started. The company name is purely for aesthetics, so make it neat!


Encryption at Rest

Trillian Server can optionally encrypt all of your data at rest. Encryption at rest will require you to provide a passphrase or recovery key each time you start Trillian Server! If both of these values are lost, Trillian Server will have to be re-initialized and all data will be lost. Store the recovery key somewhere other than the server and its backups, and only proceed with encryption at rest if your organization is comfortable managing a secure passphrase.

Media

The media step is where you decide whether you want to store your data locally or using a combination of local and cloud storage powered by Amazon S3. If you choose to utilize Amazon S3, you will gain the benefit of encrypted cloud backups and don't have to worry about disk space utilization as users grow their chat histories and share files and images. All data stored on S3 is first encrypted locally using AES-256.


DNS

The DNS step is where you select your IM domain name. Trillian Server will automatically generate a self-signed TLS certificate to match the domain name you choose. You will have the opportunity to provide a CA-signed certificate after the installation process.


User Directory

The user directory step is where you determine where Trillian Server should source your users from. You can either add them by hand using the internal directory option or connect Trillian Server to an Active Directory or OpenLDAP environment and import your users from there. When importing, you must provide the distinguished name (DN) of the container you want Trillian Server to source users from. Note that when Trillian Server looks for users, it attempts to crawl all the children of the DN you provide, including OUs and actual group objects. The value of this DN will depend entirely on your particular layout, but Trillian Server will suggest a default to try if you're unsure.


Users Preview

If you've opted to import users from Active Directory or OpenLDAP, the users preview step will then show you the users Trillian Server has found. Take the opportunity to review your users; if things look incorrect, simply press the back button in the upper left and try again.

If Trillian Server finds valid email addresses for your users, the option to switch between UPN and email will be presented to you here.
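The following PowerShell is an added example, not part of Trillian Server, covering both the User Directory and Users Preview steps: it runs the same kind of subtree search under a container DN, lists the enabled accounts with their UPN and mail attributes, and flags users who have no mail attribute or whose mail is outside the IM domain, so you can see in advance whether the email identifier option will be usable. The DN, domain name, LDAP filter and server name are placeholders; the filter targets Active Directory, and an OpenLDAP directory would need its own object class filter.

```powershell
# Added example, not part of Trillian Server: previews what a subtree search under the
# container DN will pick up before you run the User Directory step. Uses System.DirectoryServices
# against Active Directory; the DN, domain and server names below are placeholders.
param(
    [string]$SearchBase = 'OU=Staff,DC=ceruleanstudios,DC=com',   # hypothetical container DN
    [string]$ImDomain   = 'ceruleanstudios.com',                  # the IM domain you intend to use
    [string]$Server     = ''                                      # optional domain controller name
)

function Get-Attr([System.DirectoryServices.SearchResult]$Result, [string]$Name) {
    # An attribute may be absent entirely, so never index into an empty value collection
    $v = $Result.Properties[$Name]
    if ($v -and $v.Count -gt 0) { return [string]$v[0] } else { return '' }
}

$path     = if ($Server) { "LDAP://$Server/$SearchBase" } else { "LDAP://$SearchBase" }
$entry    = New-Object System.DirectoryServices.DirectoryEntry($path)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.SearchScope = 'Subtree'           # crawl every child: nested OUs, groups, users
# Enabled user accounts only: person/user objects whose userAccountControl lacks ACCOUNTDISABLE (0x2).
# For OpenLDAP substitute something like '(objectClass=inetOrgPerson)'.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 500                    # paged search so large containers are not truncated
foreach ($attr in 'samaccountname', 'userprincipalname', 'mail', 'distinguishedname') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
$users = @(foreach ($r in $results) {
    [pscustomobject]@{
        Account = (Get-Attr $r 'samaccountname')
        UPN     = (Get-Attr $r 'userprincipalname')
        Mail    = (Get-Attr $r 'mail')
        DN      = (Get-Attr $r 'distinguishedname')
    }
})
$results.Dispose()

$noMail    = @($users | Where-Object { -not $_.Mail })
$otherMail = @($users | Where-Object { $_.Mail -and -not $_.Mail.ToLower().EndsWith('@' + $ImDomain.ToLower()) })
"{0} enabled users under {1}" -f $users.Count, $SearchBase
"{0} have no mail attribute (UPN will be their only identifier); {1} have mail outside @{2}" -f $noMail.Count, $otherMail.Count, $ImDomain
$users | Sort-Object Account | Format-Table Account, UPN, Mail -AutoSize
```

If the count is far larger than you expected, the DN is too high in the tree and the subtree search is sweeping in service accounts and other OUs; narrow the SearchBase before importing rather than cleaning up afterwards.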


Import

During this step, Trillian Server is performing the actual import of your users into its internal database. If all goes well, you will be moved to the dashboard and can begin testing clients and tweaking settings!