Planning
Use this section to plan your installation and set up the service accounts used by the application. You must prepare this information before installing the application.
Administrative access for installation
Nuix Discover installation requires Administrator access on all servers. Roles that include the appropriate access are either a local administrator account or a domain account added to a local administrator group. Additionally, installation requires SYSADMIN server role privileges for the SQL Server databases.
Service account
To install the application, you must:
Create service accounts.
Review password character restrictions.
Add permissions required on Nuix Discover servers.
Set up Active Directory groups for File Repository access control.
Review the following sections to learn how to plan for service accounts.
Create service accounts
To install the application, create several accounts in Active Directory and SQL Server, as described in the following table.
| Role | Type | Example Account Names | Description | Constraints |
| --- | --- | --- | --- | --- |
| Nuix Discover Service Account | Active Directory domain (service) account | NuixDiscoverSvc, ndSvc | An Active Directory user account for internal application authentication. This will also be the first “System Administrator” user in Nuix Discover that is used to configure system resources and import other users. The user is also used on the Nuix Discover “Set Service Account” page. | The password cannot be expired or changed. Must be a member of the local administrators group and have “log on as a service” for some of the servers (see “Permissions required on Nuix Discover servers”). This account must be created before software installation. Password character restrictions apply.* Group Managed Service Accounts (gMSA) cannot be used. |
| Nuix Discover SQL Admin | SQL Authentication | DiscoverSA, NuixDiscoverSQLAdmin, ndSQLAdmin | A SQL Server account with elevated permissions used by the application for new case (database) creation and decommissioning. This account must be created before software installation. | The password cannot be expired or changed. Member of the SysAdmin server role. This account must be created before software installation. Password character restrictions apply.* |
| Nuix Discover SQL web user | SQL Authentication | Webuser, ndWebuser, DiscoverUser | A SQL Server account used by the application services to connect to the database and for routine database activities. | The password cannot be expired or changed. This account is created at the time of software installation or created before installation. Password character restrictions apply.* |
*Passwords can only contain certain special characters and must begin with an alpha character. The special characters that can be used in passwords are described in the following table.
| Character | Description | SQL Password | Active Directory Password |
| --- | --- | --- | --- |
| ! | Exclamation mark | Yes | Yes |
| @ | At sign | Yes | Yes |
| % | Percent sign | Yes | Yes |
| ^ | Caret | Yes | Yes |
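Because these passwords cannot expire or be changed and the special-character set is small, length has to carry the strength. The following is an added example, not Nuix code: it validates a candidate against the restrictions above and generates a compliant password from a cryptographic random source. The function names are hypothetical, and treating letters and digits as allowed characters is an assumption.

```powershell
# Added example (not vendor code). Allowed specials come from the table above;
# treating A-Z, a-z and 0-9 as allowed is an assumption.
$NdSpecials = '!@%^'

function Test-NdPasswordCharset {
    param([Parameter(Mandatory)] [string] $Password)
    # Must begin with a letter; after that only letters, digits and the listed specials.
    return $Password -cmatch '^[A-Za-z][A-Za-z0-9!@%^]*$'
}

function Get-NdRandomChar {
    param([string] $Alphabet, [System.Security.Cryptography.RandomNumberGenerator] $Rng)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Alphabet.Length)      # rejection sampling avoids modulo bias
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $Alphabet[$buf[0] % $Alphabet.Length]
}

function New-NdServicePassword {
    param([ValidateRange(16, 128)] [int] $Length = 32)
    $letters = -join ([char[]](65..90) + [char[]](97..122))
    $all     = $letters + '0123456789' + $NdSpecials
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            # First character is always alphabetic, as the restriction requires.
            $chars = @(Get-NdRandomChar -Alphabet $letters -Rng $rng)
            for ($i = 1; $i -lt $Length; $i++) {
                $chars += Get-NdRandomChar -Alphabet $all -Rng $rng
            }
            $candidate = -join $chars
            # Regenerate until upper, lower, digit and special are all present.
        } while ($candidate -cnotmatch '[A-Z]' -or $candidate -cnotmatch '[a-z]' -or
                 $candidate -cnotmatch '[0-9]' -or $candidate -cnotmatch '[!@%^]')
        return $candidate
    }
    finally { $rng.Dispose() }
}

# Constructed usage:
# $pw = New-NdServicePassword -Length 32
# Test-NdPasswordCharset -Password $pw      # True
# Test-NdPasswordCharset -Password '9abc#'  # False: leading digit, '#' not listed
```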
Permissions required on Nuix Discover servers
Nuix Discover servers require certain permissions for installation and for ongoing application operation, as described in the following table.

| Server | Local Administrator for Installation | Local Administrator for Operation | Log on as a Service for Nuix Discover Service Account |
| --- | --- | --- | --- |
| Discover Web | Yes | No | No |
| SQL database | Yes | No | No |
| SQL Server Analysis Services | Yes | No | No |
| Search service | Yes | Yes | No |
| User Audit service | Yes | No | Yes |
| RPF Coordinator | Yes | Yes | No |
| RPF Supervisor | Yes | Yes | Yes |
| Discover Login Service | Yes | No | No |
| Office Online | Yes | No | No |
Set up AD Groups for File Repository Access Controls
Nuix Discover uses one or more SMB (CIFS) network shares as “File Repositories” where the application stores and processes data.
Note: The Server Message Block (SMB) protocol is a network file sharing protocol. The Common Internet File System (CIFS) protocol is a dialect of SMB.
As a best practice, we recommend using an Active Directory group to secure the File Repository share. We recommend using two groups to provide direct access to shares, as described in the following table.
| Group Role | Description | Example Group Names | Members |
| --- | --- | --- | --- |
| System and Portal Administrators privileged access | An AD group that contains all Nuix Discover Administrators, the Nuix Discover Service Account, and the SQL Server Service Account. This security group will be used to secure the Nuix Discover File Repository share and NTFS permissions. | NuixDiscover_SysAdmins, ndSysAdmins | Administrators; Nuix Discover Service Account; SQL Server Service Account |
| Case Administrators | An AD group that contains all Nuix Discover Power Users or Case Administrators who need to stage, import, and export data. | NuixDiscover_CaseAdmins, ndCaseAdmins | Litigation support power users; Case Administrators |
Document server host names and application role
In the following table, record the host names of the Nuix Discover servers by their server role. Be sure to include all servers, including each node if your SQL Server is clustered. Confirm you have Administrator access, which can be either a local administrator account or a domain account added to a local administrator group, and System Administrator access to SQL Server.
| Server role | Host name(s) |
| --- | --- |
| SQL Server database server(s) | |
| SQL Server Analysis Service server(s) | |
| Web server(s) | |
| Content search service and Hit highlight service server(s) | |
| Office Online servers | |
| RPF coordinator server(s) | |
| RPF supervisor server(s) | |
| Elasticsearch server(s) | |
| Login Service | |
Document URLs
Before installing the application, determine the virtual directories that will host the Nuix Discover application(s), and then record the URL information in the following table. You must have this information to install the application.
Always use the same URL format and note whether the URL is http or https. The URLs must be in one of the following formats:
http://servername/ OR https://servername/
http://IPAddress/ OR https://IPAddress/
http://DNS alias OR https://DNS alias
This document references URLs as http(s)://<address>/. You must replace this with a proper URL, using one of the above formats.
If you are using Domain Name System (DNS) redirection, before installing the application, configure and provide DNS details for the application to use during the installation. You must specify the URLs shown in the following table during the installation.
| Web site | URL |
| --- | --- |
| Nuix Discover | /Ringtail |
| Nuix Discover STS | /RingtailSTS |
| UIStatic | /UIStatic |
| Online help | /RingtailHelp |
| RPF coordinator | /Coordinator |
| Content search service | /Content-Search |
| Connect API | /Portal-API |
| Hit highlight service | /Hit-Highlight |
Define File Repositories
A File Repository is one or more network storage locations used to store data that is accessed by Nuix Discover. The File Repositories contain case files, images, indexes, archives, ESI source data, load files to import, and exports. Nuix Discover accesses a File Repository via a UNC path and uses the Nuix Discover Service Account to access the files.
Nuix Discover supports four types of File Repositories, as described in the following table.
| Type | Purpose |
| --- | --- |
| Image/Index | Location of image, native, and text files stored for each case. Also includes the location of dtSearch indices for each case. |
| File Transfer | Location of data transferring in and out of Nuix Discover (for example, Upload, Import, Ingestions, and Export). |
| Archive | Location of the files archived in a case and case decommission archives (for example, database backup, Elasticsearch snapshot, and the case images/index/file transfer folders). |
| External | Amazon S3 bucket used for Promote to Discover in the Nuix Workstation. |
Nuix Discover can be configured to use a single file share to host images, index, file transfer, and archive File Repositories.
Nuix Discover supports more than one image, index, file transfer, and archive file share. Each of these File Repository types can be hosted on unique file shares. This is beneficial for performance, segregating data that requires logical or physical separation, configuring different retention requirements, or scaling out.
File shares should be configured in advance of installation. The File Repository is configured in Nuix Discover after the application is installed.
File shares and permissions should have the following configuration:
The share name should be as short as possible such as NDDATA or NDDATA$.
The share permissions are configured to allow FULL CONTROL to EVERYONE.
NTFS permissions are restricted to MODIFY access to only the Nuix Discover System/Portal Administrators Group. This share should be expandable as case volumes grow.
There are multiple file types, as described in the following table.
| Type | Share Path (UNC) | Share Permissions | NTFS Permissions |
| --- | --- | --- | --- |
| Image / Index / File Transfer | or \\servername\NDDATA$ | Everyone (Full Control) | Nuix Discover System/Portal Administrators Group (Modify) |
| File Transfer (if setting up as a unique file share) | or \\servername\NDTransfer$ | Everyone (Full Control) | Nuix Discover System/Portal Administrators Group (Modify); Nuix Discover Case Administrators Group (Modify) |
| Archive | or \\servername\NDArchive$ | Everyone (Full Control) | Nuix Discover System/Portal Administrators Group (Modify) |
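With Everyone (Full Control) at the share level, the NTFS ACL is the only control that limits who can reach repository data, so it is worth verifying after setup. The following is an added example, not Nuix code: it audits one share against the layout in the table above. The function name, the placeholder domain, and the choice to ignore SYSTEM and the built-in Administrators group are assumptions.

```powershell
# Added example (not vendor code). Run on the file server that hosts the share.
# Group names and the ignored built-in principals are assumptions for illustration.
function Test-NdRepositoryAcl {
    param(
        [Parameter(Mandatory)] [string]   $ShareName,       # e.g. 'NDDATA$'
        [Parameter(Mandatory)] [string[]] $ExpectedGroups,  # e.g. 'EXAMPLE\NuixDiscover_SysAdmins'
        [string[]] $IgnoredPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $findings = @()
    $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share level: the table expects Everyone (Full Control).
    $everyoneFull = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccessRight)" -eq 'Full'
    }
    if (-not $everyoneFull) { $findings += 'Share: Everyone (Full Control) entry not found' }

    # NTFS level: this is the effective gate, so every allow entry must be accounted for.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $seen   = @()
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $id = $ace.IdentityReference.Value
        if ("$($ace.AccessControlType)" -ne 'Allow' -or $IgnoredPrincipals -contains $id) { continue }
        if ($ExpectedGroups -notcontains $id) {
            $findings += "NTFS: unexpected principal '$id' holds $($ace.FileSystemRights)"
        }
        elseif (($ace.FileSystemRights -band $modify) -eq $modify) {
            $seen += $id
            if (($ace.FileSystemRights -band $full) -eq $full) {
                $findings += "NTFS: '$id' holds Full Control; the table calls for Modify"
            }
        }
    }
    foreach ($group in $ExpectedGroups) {
        if ($seen -notcontains $group) { $findings += "NTFS: '$group' has no Modify entry" }
    }
    return $findings   # no output means the share matches the documented layout
}

# Constructed usage; EXAMPLE is a placeholder domain:
# Test-NdRepositoryAcl -ShareName 'NDTransfer$' `
#     -ExpectedGroups 'EXAMPLE\NuixDiscover_SysAdmins', 'EXAMPLE\NuixDiscover_CaseAdmins'
```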
Define User Authentication Method
Nuix Discover can be configured to use one of two components for user authentication. Only one type can be configured per environment at a time. The following sections describe the two components.
RingtailSTS
Historically, Ringtail used the RingtailSTS (Secure Token Service) web application to authenticate users. This was part of the standard Ringtail Web components. At the time of installation of a Ringtail Website, you can choose if RingtailSTS will authenticate against Active Directory or against Ringtail authentication.
Discover Login Service
With the introduction of the separate login service, each administrator can define multiple Identity Providers and assign users to them. Each user can be assigned to a single identity provider. Using the Login Service, Discover can support multiple authentication methods and multifactor authentication.
Configuration
Only one technique can be used. If you enable the Discover Login Service, all authentications must happen via the Login Service.
Authentication Method Matrix
The authentication method for RingtailSTS and the Discover Login Service varies per authentication source or identity provider, as described in the following table.
| Authentication source / Identity Provider | Authentication component: RingtailSTS | Authentication component: Discover Login Service |
| --- | --- | --- |
| Ringtail Authentication | Yes | Yes |
| Active Directory (single domain) | Yes | Yes |
| Active Directory (multiple domains) | Only via trusts | Yes |
| Active Directory Federation Services | No | Yes |
| Active Directory Passthrough Authentication | Yes | No |
| Duo two factor authentication | No | Yes |
| OKTA (via SAML2) | No | Yes |
| Azure AD (via SAML2) | No | Yes |
| Single Sign-On (SSO) | AD Passthrough only | IdP Initiated (SAML) |
| Other SAML2 Identity Providers | No | Not tested but should work. |
| Mix of any or all of the above | No | Yes |