Introduction

Access Connect has traditionally only included the ability to share files and folders located on the Windows server where Access Connect is installed, or on storage that is directly attached to that server. A folder within this local storage can be selected as an Access Connect volume and made available to Macintosh users as a standard Mac AFP file share.

With the introduction of “Network Reshare” in version 8.0, Access Connect now includes the ability to create file share volumes that point to folders located on other servers and NAS devices on your network. Macintosh clients continue to connect to Access Connect using the standard AFP file sharing protocol, while Access Connect utilizes the SMB/CIFS file sharing protocol to access files that are requested by Mac users from remote servers and NAS systems. By doing so, Mac users retain all the benefits of AFP file sharing while gaining access to resources that have traditionally only been available through SMB/Windows file sharing.

Access Connect Network Reshare allows access to both standard SMB/CIFS file shares, as well as Distributed File System (DFS) file shares. More details on Network Reshare of DFS resources can be found in the Knowledge base article here.

A common use case: AFP access to NAS storage

A common real world Network Reshare use case involves Mac access to NAS storage, such as NetApp NAS systems. Most NAS systems do not include the ability to host AFP file shares. Mac users are left with no choice but to connect to NAS file shares using the native OS X SMB client. This typically results in suboptimal file browsing, transfer, and search performance, along with frequent Mac application incompatibilities, file name issues, file corruptions, etc.

Using Network Reshare, file shares on NAS systems can be made available to Macs through a Windows server running Access Connect.
Macs connect to Access Connect AFP file shares and Access Connect interfaces with the NAS system through the NAS’s existing SMB/CIFS file shares. In this way, incompatibilities and issues on the Mac side are addressed by allowing native AFP access and Access Connect uses Windows server-side SMB access to NAS storage, which provides improved performance and throughput compared to Mac SMB client access. As a result, the performance of Mac AFP file share access through Access Connect to NAS storage is most often better than that same Mac accessing the same NAS files directly over SMB.

Requirements

Windows 2003 Server, Windows 2008 Server (including R2 versions) or Windows 2012 (including R2 versions) Server. Note: If using Windows 2008 R2, make sure to install this MS hotfix.

Access Connect Server 8.0 or later.

Access Connect trial license or Enterprise License Program (ELP) license.

The Network Reshare capability allows a single Access Connect server to give AFP file access to many additional file servers or NAS systems. This feature is only enabled in Access Connect trials and on Access Connect Enterprise License Program (ELP) annual subscription licenses. This licensing option allows Access Connect to be installed on an unlimited number of servers in your enterprise, as well as to create Network Reshare volumes.

Recommendations

Access Connect Server Network Interface Card Performance

Network Reshare routes all communication between your Mac clients and your file server or NAS storage through the Windows server where Access Connect is installed. Installing Access Connect on a server with the fastest available NICs, and ideally one or more dedicated NICs for communicating with the servers or NAS being reshared, will result in the highest level of performance.

Windows 2008 and SMB v2

While Network Reshare is compatible with Windows 2003 and 2008, the SMB v2 protocol supported by Windows 2008 consistently demonstrates higher levels of performance.
Installing Access Connect on a Windows 2008 server and using remote storage that is running Windows 2008, or a NAS operating system that supports the SMB v2 protocol, will result in the best file sharing throughput for Mac users.

Kerberos for Access Connect Network Reshare

In order to support Kerberos logins you will need to configure Active Directory to “Trust this computer for delegation”.

Limitations

To support real-time indexed filename search, Access Connect requires file system notifications provided by Windows in order to keep its search index up to date when files change. These notifications are not available over the SMB connection Access Connect uses to access file servers and NAS systems being reshared. For this reason, traditional index-based filename search is disabled on Network Reshare volumes. Access Connect 9.0 introduces a new Acronis Content Indexing option. This indexing is performed based on a defined schedule, rather than tracking real-time changes. With this option enabled, users can take advantage of fast indexed filename searches.

To support full content Network Spotlight search, Access Connect utilizes either the Windows Search index maintained by the Windows Search service on the server Access Connect is installed on, or the Acronis Content Indexing service. Windows Search can be configured to index remote shares that are hosted on a Windows Server that has Windows Search installed and indexing. Acronis Content Indexing can be configured to index any remote shares, even those residing on a non-Windows server or NAS. If Network Spotlight search, either using Windows Search or Acronis Content Indexing, is not enabled, Macs searching Access Connect Network Reshare volumes will receive search results based on filename, but searches will take additional time to complete compared to searching indexed local volumes.

Finder color labels may be removed when saving/overwriting a file on an Access Connect Windows 2003 Network Reshare volume.
If Access Connect server is installed on Windows 2003, opening and then saving an existing file that exists in a Network Reshare volume may result in the Finder color label on that file being removed.

Initial Network Reshare configuration

Access Connect runs as a standard Windows service on the Windows server it is installed on. By default, the Access Connect service runs in the context of the Windows local SYSTEM account. By acting as this account, Access Connect has access to the files and folders in Access Connect volumes that are located directly on the server’s storage.

When Access Connect is configured with Network Reshare volumes, it also needs access to the files and folders on the remote file servers and NAS devices that are being reshared. In order for Access Connect to be allowed access to these files, the Access Connect service must be reconfigured to run in the context of an Active Directory (AD) user account that has Administrator access to the local Windows server and Full Control access to any necessary file shares that exist on remote servers or NAS systems being reshared.

Note: On the machine running the Access Connect service, you must not have a local account with the same name and password as the Active Directory account used by the Access Connect service.

If you’re using Windows 2008 R2, ensure you’ve installed this Microsoft hotfix. It addresses an issue that is directly related to Windows functionality used by Access Connect Network Reshare.

To configure Network Reshare:

1. Ensure you’ve upgraded to Access Connect version 8.0 or later and have launched the Access Connect Administrator application at least once and allowed the Access Connect service to start up.
2. Configuring the Active Directory account which will handle authentication for Access Connect:
   a. In Active Directory: Create or identify an AD user account that will handle authentication for Access Connect.
      Ensure the AD account used is dedicated to this Access Connect server, has a fixed password, is not subject to group policies for password expiration and is subject to any domain group policy necessary to grant the rights to "Act as part of the operating system" and "Log on as a service".
   b. On the Access Connect Server: Add the dedicated Access Connect user account to the local Windows server Administrators group. This user needs Full Control permissions to the C:\Program Files (x86)\Group Logic\Access Connect folder and to any locally shared volumes.
   c. On remote shares: The dedicated Access Connect account needs Full Control access to the remote shared volumes as defined in NTFS or NAS device permissions. On the EMC Isilon, true 'Full Control' requires granting the service account the Isilon right "Run as root".
3. Add the selected user to the Windows server’s local security policy:
   a. From Administrative Tools on the Start menu, open Local Security Policy. This policy is found under Security Settings -> Local Policies -> User Rights Assignment section.
   b. Double-click Act as part of the operating system and add the chosen user. You may have to reboot Windows for this setting to take effect.
4. Open the Services control panel.
5. Open the Acronis Files Connect File and Print Server for Macintosh service’s properties by right clicking on the service from the Services control panel.
   a. Select the Log On tab and choose the This account radio button.
   b. Configure the service to log on as the same AD service account used in step 3.
   Keep the Services control panel open. You will need it in step 7.
6. Turn on Network Reshare support
   a. Start the Access Connect Administrator application.
   b. Click the Settings button.
   c. Open the File Server tab.
   d. Select the Enable Network Reshare support checkbox.
   e. Click OK.
   f. Press the Close button to close the Access Connect Administrator.
7. In the Services control panel restart the Access Connect File and Print Server for Macintosh service.
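
The configuration above grants the service account "Act as part of the operating system" (SeTcbPrivilege) and "Log on as a service" (SeServiceLogonRight). The following is an added example, not vendor code, that lists who holds those rights from a `secedit` user-rights export so you can confirm the dedicated account is the only addition; the function names, sample lines and SIDs are constructed for illustration.

```powershell
# Added example (not vendor code). Parses the [Privilege Rights] entries that
# 'secedit /export /areas USER_RIGHTS' writes and lists the holders of the
# two rights this procedure grants.
function Get-UserRightHolder {
    param(
        [string[]]$InfLines,                          # lines of the exported .inf
        [string[]]$Right = @('SeTcbPrivilege',        # Act as part of the operating system
                             'SeServiceLogonRight')   # Log on as a service
    )
    foreach ($line in $InfLines) {
        # Entries look like: SeTcbPrivilege = *S-1-5-21-...,*S-1-5-21-...
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Right -contains $Matches[1]) {
            $name = $Matches[1]
            foreach ($holder in ($Matches[2] -split ',')) {
                $h = $holder.Trim().TrimStart('*')
                if ($h) { [pscustomobject]@{ Right = $name; Holder = $h } }
            }
        }
    }
}

# Returns SeTcbPrivilege holders that are not on the expected list.
function Find-UnexpectedTcbHolder {
    param([string[]]$InfLines, [string[]]$ExpectedHolder)
    Get-UserRightHolder -InfLines $InfLines -Right 'SeTcbPrivilege' |
        Where-Object { $ExpectedHolder -notcontains $_.Holder }
}

# Constructed sample export; the domain SIDs are made up.
$sample = @(
    '[Privilege Rights]'
    'SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1601'
    'SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1601,*S-1-5-21-1111111111-2222222222-3333333333-1742'
)
$svcSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'   # assumed SID of the dedicated account

Get-UserRightHolder -InfLines $sample
Find-UnexpectedTcbHolder -InfLines $sample -ExpectedHolder $svcSid   # reports the ...-1742 entry

# On the Access Connect server, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Find-UnexpectedTcbHolder -InfLines (Get-Content "$env:TEMP\rights.inf") -ExpectedHolder $svcSid
```
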
Network Reshare and Kerberos authentication

In order for Mac users using Kerberos to access SMB/CIFS reshares through Access Connect, delegation must be enabled in Active Directory. If your environment requires Kerberos authentication, you will need to update the Active Directory computer object for any Windows servers that are running Access Connect. The Access Connect server must be given permission to present delegated credentials to the SMB server on behalf of your users.

To enable Kerberos authentication:

1. Open Active Directory Users and Computers and locate the Windows server that you have Access Connect installed on. It is commonly found in the Computers folder.
2. Right-click on the Access Connect server and select Properties.
3. Open the Delegation tab.
4. Select Trust this computer for delegation to specified services only.
5. Select Use any authentication protocol; this is required for negotiation with the SMB server.
6. You must now add any Windows servers or NAS devices that you would like your users to be able to access through reshare. Click Add… to search for these Windows computers in AD and add them.
7. Select only the “CIFS” service type.
8. Repeat these steps for all Access Connect servers for which you want to enable Kerberos authentication.

Note: It may take 15 to 20 minutes for these changes to propagate through the Active Directory forest.

Configurations for the Access Connect dedicated AD account:

Configuring the permissions:

1. Open Active Directory Users and Computers and locate the Access Connect dedicated account object.
2. Right-click on it and select Properties.
3. Open the Security tab and press Advanced.
   Note: The Security tab may not appear until Active Directory Users and Computers > View > Advanced Features is enabled.
4. Enter the name of the Access Connect dedicated account object and press OK.
5. Press Add and enter the name of the dedicated account object again and press OK.
6. On the Permissions Entry For window, select This object only for the Apply to field.
7. Select the Allow box for Write All properties and press OK.
8. Close all open dialogs by pressing OK.
9. Restart the Access Connect File and Print Server service.

Configuring the delegation:

1. Open Active Directory Users and Computers and locate the Access Connect dedicated account.
2. Right-click on it and select Properties.
3. Open the Delegation tab.
4. Select the Trust this user for delegation to specified services only radio button and the Use any authentication button.
5. Press Add and enter the name of the machine where Access Connect is installed.
6. Select CIFS and press OK.
7. Press Apply and close all remaining dialogs.

Network Reshare volume configuration

1. Launch the Access Connect Administrator application.
2. Click the Volumes button and then click Create.
3. Click On another server. If you are not shown an option to choose On another server, you may be running a standard Access Connect retail license rather than the required Enterprise License Program (ELP) license.
4. Enter the UNC path of the SMB/CIFS file share that you would like to reshare as an Access Connect volume, then click OK. This UNC path is in the typical \\servername\sharename format. An example is: \\nas.mycompany.com\myshare
   Distributed File System (DFS) UNC paths can also be entered for Network Reshare volumes. All DFS target resolution occurs in the SMB reshare layer, and Macs will be able to seamlessly browse and access the reshared DFS resource. For more details on DFS with Network Reshare, see our Accessing DFS files using Access Connect Network Reshare article.
5. In the Volume Properties dialog, modify the Volume Name if desired and click OK.

Note: If you receive an error stating that “The specified path is not available.” you may have entered an invalid UNC path, or the user account you selected in the Initial Network Reshare configuration steps above may not have Full Control access to this file share at this UNC path.
If this is a Windows file share, ensure this user account has both “Sharing” and “Security” permissions to the file share.
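
The delegation settings in "Network Reshare and Kerberos authentication" can be reviewed after the fact with the check below. It is an added example, not vendor code: it takes an AD computer or user object and reports anything beyond constrained delegation to CIFS on the hosts you meant to reshare. The function name, `ACSERVER01`, `nas01` and the sample SPNs are constructed for illustration.

```powershell
# Added example (not vendor code). Compares one AD object's delegation
# settings with what the article describes: "specified services only",
# "Use any authentication protocol", and CIFS as the only service type.
function Test-ReshareDelegation {
    param(
        [Parameter(Mandatory)] $AdObject,     # output of Get-ADComputer / Get-ADUser
        [string[]] $ApprovedHost = @()        # short names of hosts you intend to reshare (assumption)
    )
    $findings = @()
    if ($AdObject.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; the article calls for "specified services only".'
    }
    foreach ($spn in @($AdObject.'msDS-AllowedToDelegateTo')) {
        if (-not $spn) { continue }
        $class, $target = $spn -split '/', 2
        # Compare on the first DNS label so cifs/nas01 and cifs/nas01.corp.example both match 'nas01'.
        $shortName = ($target -split '[.:/]')[0]
        if ($class -ne 'cifs') {
            $findings += "Non-CIFS service in delegation list: $spn"
        }
        if ($ApprovedHost.Count -gt 0 -and $ApprovedHost -notcontains $shortName) {
            $findings += "Delegation target not on the approved list: $spn"
        }
    }
    [pscustomobject]@{
        Name               = $AdObject.Name
        ProtocolTransition = [bool]$AdObject.TrustedToAuthForDelegation   # "Use any authentication protocol"
        Findings           = $findings
    }
}

# Constructed sample standing in for:
#   Get-ADComputer ACSERVER01 -Properties TrustedForDelegation,
#       TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$sample = [pscustomobject]@{
    Name = 'ACSERVER01'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('cifs/nas01.corp.example', 'cifs/nas01', 'ldap/dc01.corp.example')
}
$result = Test-ReshareDelegation -AdObject $sample -ApprovedHost 'nas01'
$result.Findings    # two findings, both for the ldap/dc01 entry
```

Run it against both the Access Connect server's computer object and the dedicated account (via `Get-ADUser` with the same `-Properties` list), since the article configures delegation on each.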