Here is the link to Isilon OneFS 8.2.2 CLI Administration Guide & if you look on page 215 it explains a little more how the restrictions work at the different levels. https://dell.to/37ZutGi
Please let us know if you have any other questions.
I agree that the document is factually correct, I just think that it is perhaps missing a couple of warnings. It describes the available settings accurately but it doesn't say anything about the effects.
In the section 'Enforce SMBv3 encryption' it could be clearer that unless --reject-unencrypted-access is set to Yes on the Access Zone, then access to a share may or may not use encryption, regardless of the settings of --support-smb3-encryption.
It could also make clearer that setting --reject-unecrypted-access globally to Yes is not effective in an Access Zone unless the setting for the Access Zone is also changed from the default 'No' to 'Yes', as the Access Zone setting (whether explicit or defaulted) overrides the global setting.
2.4.1 Feature introduction OneFS 8.1.1 and above provide SMB encryption to secure access to data over untrusted networks by providing over the wire encryption between the client and PowerScale cluster. It is an on-wire data encryption which prevents an attacker from tampering with any data packet in transit without needing an extra infrastructure.
SMB encryption can be used by any clients which support SMB3 encryption from Windows Server 2012, 2012R2, 2016, Windows Client 8, and Windows 10 and does not require any extra infrastructure management. PowerScale can also be configured to allow accepting or rejecting the old clients that lack the SMB encryption support access.
DELL-Sam L
Moderator
•
7.8K Posts
0
February 4th, 2020 13:00
Hello William,
Here is the link to Isilon OneFS 8.2.2 CLI Administration Guide & if you look on page 215 it explains a little more how the restrictions work at the different levels. https://dell.to/37ZutGi
Please let us know if you have any other questions.
WilliamDLB
1 Rookie
•
11 Posts
0
February 10th, 2020 09:00
I agree that the document is factually correct, I just think that it is perhaps missing a couple of warnings. It describes the available settings accurately but it doesn't say anything about the effects.
In the section 'Enforce SMBv3 encryption' it could be clearer that unless --reject-unencrypted-access is set to Yes on the Access Zone, then access to a share may or may not use encryption, regardless of the settings of --support-smb3-encryption.
It could also make clearer that setting --reject-unecrypted-access globally to Yes is not effective in an Access Zone unless the setting for the Access Zone is also changed from the default 'No' to 'Yes', as the Access Zone setting (whether explicit or defaulted) overrides the global setting.
Phil.Lam
3 Apprentice
•
631 Posts
0
July 2nd, 2020 09:00
@WilliamDLB
NL400 can only go to OneFS 8.1.2 and it has SMB3 encryption support.
https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h17463-wp-dell-emc-isilon-design-and-considerations-for-smb.pdf page 37.
2.4 SMB encryption
2.4.1 Feature introduction
OneFS 8.1.1 and above provide SMB encryption to secure access to data over untrusted networks by
providing over the wire encryption between the client and PowerScale cluster. It is an on-wire data encryption
which prevents an attacker from tampering with any data packet in transit without needing an extra
infrastructure.
SMB encryption can be used by any clients which support SMB3 encryption from Windows Server 2012,
2012R2, 2016, Windows Client 8, and Windows 10 and does not require any extra infrastructure
management. PowerScale can also be configured to allow accepting or rejecting the old clients that lack the
SMB encryption support access.