Step-by-step deployment guide

1. Ensuring your files are accessible to the gateway

The Elimity Insights gateway for NTFS scans from the container's local filesystem. This means you have to explicitly mount all the files you want to target. Refer to the sections below for additional details.

Local directories

Let's assume you deploy the gateway on a plain Windows Server VM and want to scan some directories on the local filesystem: C:\dir1\subdir and D:\dir2. The following Docker Compose specification would be a good starting point:

services:
  ntfs-gateway:
    image: europe-west1-docker.pkg.dev/elimity-general/docker/ntfs-gateway:<tag>
    restart: always
    ports:
      - 8080:80
    volumes:
      - .\config:C:\app\config
      - C:\dir1\subdir:C:\target1
      - D:\dir2:C:\target2

In this case you would typically configure the built-in connector to target C:\target1 and C:\target2. Note that you can freely choose the destination paths for these mounts.

SMB shares via host mount

Scanning permissions for SMB shares is very similar to scanning permissions for local directories, we just need one extra preliminary step to mount the shares into the local filesystem. Microsoft provides explicit support for making SMB share mounts available to containers, the official documentation contains detailed instructions about setting this up. In short: to mount a directory dir in share \\host\share to local drive D:, run the following PowerShell command:

You can now mount the D: drive into the NTFS gateway container using a Docker Compose specification based on the following snippet:

SMB shares via container mount

The NTFS gateway also supports mounting SMB shares directly from within the container. In this case you don't need to mount them from the host. Instead use the connection configuration option to provide SMB share addresses and credentials to the gateway. After mounting the shares you can use their UNC paths in the built-in connector's target configuration. Refer to the dedicated section on this page for additional information. Note that this approach is especially suitable for serverless deployments on e.g. Azure App Service.

2. Configuring the gateway

To configure your gateway, mount a JSON configuration file at /app/config/config.json with the properties listed below. Alternatively you can also fill the NTFS_GATEWAY_CONFIG_JSON environment variable with the contents of this file. Refer to the following attachment for a starting point:

Edit the following properties in this file to configure the gateway to your needs:

JWT validation

We highly recommend requiring JWT validation to secure your gateway. Please read our official documentation about the following topics to understand how Elimity Insights authenticates to gateways via OAuth2:

• Gateway-based imports

• OAuth2 endpoint parameters for gateway authentication

Our SaaS customers can simply set the jwtValidationBaseUrl, jwtValidationGatewayUrl and jwtValidationSourceId configuration options, which provides the following security guarantees:

• Only requests coming from the configured Elimity Insights tenant are allowed

• Only requests targeting the configured gateway URL are allowed

• Only requests for importing the configured source are allowed

On-premise customers should additionally set the jwtValidationAudiences, jwtValidationIssuer and jwtValidationExpr configuration options. Alternatively you can also set jwtValidationOptional to true and perform authentication in a proxy instead.

3. Deploying the gateway

Having configured the gateway we can now deploy it so the built-in connector can start importing. Since we distribute the gateway as a Docker image, our recommendation for deployment is to use a CaaS solution like Azure App Service. If that's not an option, you can also manually deploy the image on e.g. Windows Server. Refer to our documentation about gateways and import agents for additional details.