Work Folders: Accessing Shared Files on the LAN as well as the Internet

Work Folders is one of the technologies in Microsoft's BYOD strategy. By allowing workgroup machines, domain-joined machines, and popular tablet devices (in the future) to connect to Work Folders, we can give users the ability to work with their files wherever they are. At the same time we retain central control over the service (and therefore the files), so we can secure them, audit them and back them up.

Work Folders is a file synchronization technology introduced with Windows Server 2012 R2. It is designed to give your users access to a folder locally that synchronizes with a Sync Share on the network. Users can subscribe several devices to their Work Folder, and when a document is added to the local Work Folder on one device it will be synchronised with each device the user has subscribed. We can compare Work Folders with the older Offline Files feature, but there are several distinct differences between the two.

Offline Files synchronizes documents from a network share to a PC, whereas Work Folders synchronizes files with PCs and devices (the release date for the device app is yet to be announced). Offline Files requires that the user connect to the network directly or over a VPN / DirectAccess type connection in order to sync the files. Work Folders uses a web service, which allows files to be synchronized both inside the network and outside the network on the internet.

Before installing the Work Folders feature there are a couple of things to consider. Firstly, Work Folders needs to be secure: we have to authenticate the server we are connecting to and secure the sync traffic travelling between our sync folders and the machines that we have subscribed to Work Folders. To do this we use a digital certificate. We will need a certificate for each Work Folders server, and if we are publishing Work Folders to the outside (through a reverse proxy, for example) we will need a certificate for that as well. As an alternative to purchasing several digital certificates you can purchase a single SAN certificate and use subject alternative names.

If we have a single Work Folders server named Server1.FB.Com and we are going to publish it through a reverse proxy, then our certificate will need two names attached. The first should be WorkFolders@yourdomain; for me that would be a name of [email protected]. This is the name that the Work Folders auto discover service will use to locate your Work Folders servers. The second name on the certificate would be yourserver.yourdomain, so for me that would be Server1.FB.Com, as that is the name of my Work Folders server.

Also worth considering is where you get your Work Folders certificates from. You can issue a certificate from an internal certificate authority, but this authority will not be trusted by all machines. If you use a certificate from an internal authority you must also distribute the root CA certificate to the trusted root authority store on all PCs and devices; if you don't, machines will not be able to connect to your Work Folders servers. If you buy a certificate from an online certificate authority then it will be trusted by all devices and it will simplify your deployment. If you are publishing your Work Folders to the outside then use a certificate from a trusted online authority.

As a final note on certs, it is possible by editing the registry to change the behaviour of Work Folders so that it doesn't require a certificate. This is not recommended, because the certificate is what authenticates the server and secures the sync traffic.

The next thing to do before installing the Work Folders feature is to make sure both the Work Folders server name (in my case Server1.fb.com) and the autodiscover name (in my case Workfolders.FB.COM) are added to DNS so that the names can be resolved to IP addresses.

Installing Work Folders

On your Work Folders server use Server Manager to add a new role and feature. In the Server Roles section under File and Storage Services, select File and iSCSI Services, then scroll down and tick the box next to Work Folders. Work Folders requires IIS services but it does not require the full IIS role. Once you tick the box next to Work Folders, a required features box should appear saying that the IIS Hostable Web Core feature is required and will be installed; this feature provides IIS services without the need to install the full IIS role. Click Next, click Next again on the Features page, click to confirm and then wait for the feature to install.

One thing you can think about while waiting for the Add Roles and Features Wizard to complete is who you would like to use the Work Folders feature. During the configuration you will be asked to create a list of users and groups who can use the Work Folders feature. I have created a group called “Sync Share Users” and added to it all the users whom I wish to use Work Folders.

Once the wizard has finished, open File and Storage Services and select Work Folders. You should see a screen similar to the one here. In the main window, select the option to create a sync share for Work Folders to start the New Sync Share Wizard.

When the wizard starts, click Next on the Before You Begin page to reach the Server and Path page.

Here you should see your server (in my example Server1), and you should be able to click Browse and choose a folder (or create a new folder) for your sync share. It is in this folder that Work Folders will be created for each user who subscribes to Work Folders. It is worth noting that you can use existing shares, including home folders, as Sync Folders. Once you have selected a server and path, click Next:

You are now on the User Folder Structure page. Here you can select how the user folders will be named. You can name the folders based on the user alias, which may be useful in a single-domain environment, or you can base the folder name on user alias@domain, which is the best option to avoid alias conflicts if you have multiple domains. The final option here, Sync only the following subfolder, allows you to specify a specific folder to sync, such as Documents. I chose user alias@domain. Click Next once done:

On the Sync Share Name page choose a share name for your sync share. Although the Sync Folder is shared out, it will not appear on browse lists by default.

On the Sync Access page you now have the opportunity to choose which users and groups can use this sync share. Click Add and choose the users and groups that you would like to use this sync share; I have added my Sync Share Users group. The tick box Disable inherited permissions is at the bottom of the screen. If you tick this box it will grant the users exclusive rights to their Work Folders, denying access even to the administrator. If you need to gain access to the Work Folders in the future you will have to take ownership of them. Click Next once you have selected your users and groups.

The final page is the Device Policy page. Users syncing with this share will have to agree to the device policy before being allowed to access the share. We have two options here: the first forces the Work Folders to be encrypted, and the second forces a screen lock and password on the machines using Work Folders. Make your selection and click Next, review the confirmation screen and then click Create. It should only take a minute to create our new Sync Folder.

We should now see our new Sync Folder through Server Manager and a list of users that have access to it.
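The same installation and Sync Share setup can be scripted. The PowerShell below is an added example, not part of the original walkthrough; the folder path, the share name and the FB\ domain prefix are assumptions, and the last command lists any Sync Share that does not enforce both device policy options.

```powershell
# Added example: scripted equivalent of the wizard steps described above.
# Assumed values: folder path, share name, and the NetBIOS domain name "FB".
$shareName = 'SyncShare01'
$sharePath = 'D:\SyncShares\SyncShare01'
$syncGroup = 'FB\Sync Share Users'      # the group created earlier in the post

# Installs the Work Folders role service (pulls in IIS Hostable Web Core).
Install-WindowsFeature -Name FS-SyncShareService

# Create the folder that will hold one subfolder per subscribed user.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Wizard pages mapped to parameters:
#   User Folder Structure -> -UserFolderName ('[user]' or '[user]@[domain]')
#   Sync Access           -> -User, -InheritParentSecurityToUserFolder
#   Device Policy         -> -RequireEncryption, -RequirePasswordAutoLock
New-SyncShare -Name $shareName -Path $sharePath -User $syncGroup `
    -UserFolderName '[user]@[domain]' `
    -InheritParentSecurityToUserFolder $false `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Review what was created.
Get-SyncShare -Name $shareName |
    Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock

# Audit: report every Sync Share on this server that is missing a device policy option.
Get-SyncShare |
    Where-Object { -not $_.RequireEncryption -or -not $_.RequirePasswordAutoLock } |
    Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
```

Setting -InheritParentSecurityToUserFolder to $false corresponds to ticking Disable inherited permissions, so an administrator must take ownership to read a user's folder.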

Remember the certificate with the WorkFolders.FB.Com and Server1.FB.Com names? Now that you have installed the Work Folders feature and configured a Sync Share, don’t forget to change the IIS bindings of the Default Web Site to include an HTTPS binding using your digital certificate.

For those of you not familiar with how to do this, please leave a comment and I can provide the details in a later post.
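Once the HTTPS binding is in place, the certificate can be checked from a client before anyone subscribes. The script below is an added example, not part of the original post: it connects to both names, retrieves the certificate the server presents and reports whether this machine trusts it for that name, which shows up a missing internal root CA or a missing SAN entry. The host names are the lab names used in this post.

```powershell
# Added example: run on a client PC. Host names are the lab names from this post.
$names = 'WorkFolders.FB.Com', 'Server1.FB.Com'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected;
        # trust is evaluated separately with Test-Certificate below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

foreach ($name in $names) {
    $cert = Get-PresentedCertificate -HostName $name

    # Builds the chain against this machine's trusted root store and checks
    # that the certificate is valid for the DNS name the client will use.
    $trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $name `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

    [pscustomobject]@{
        Name           = $name
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Thumbprint     = $cert.Thumbprint
        NamesOnCert    = ($cert.DnsNameList.Unicode -join ', ')
        TrustedForName = [bool]$trusted
    }
}
```

A TrustedForName value of False with an internal issuer usually means the root CA certificate has not yet been added to the client's trusted root store.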

Subscribing a Windows 8.1 computer to Work Folders

I have a client computer running Windows 8.1 called WKS2, which is in a workgroup. I have installed the certificate from my internal CA into the trusted root store of the PC (not required if you have purchased your certificate from an online authority), and I have logged on as a user called BOB.

From Control Panel, System and Security, choose Work Folders.

Here you can select Set up Work Folders:

Here we can choose how we are going to connect to Work Folders: either provide an email address or enter the Work Folders URL. Either way, a DNS lookup will be done to try to find the WORKFOLDERS DNS entry. This A record must exist and its IP address needs to be the address of your Work Folders server. If you have published Work Folders to the outside using a reverse proxy, then the WORKFOLDERS external DNS entry will point at the reverse proxy IP address, while on the internal DNS servers the WORKFOLDERS DNS A record should point at the internal IP of the Work Folders server.

If things are working well you should be shown a dialogue box like the one below:

Before being asked to login:

Provide your domain credentials to authenticate. If that works you should see a screen introducing you to Work Folders and asking if you want to change the default location of Work Folders. Click Next once you have read the details on this screen.

The next screen asks you to agree to the Work Folders policy that has been defined; then select Set up Work Folders.

You should be able to see a Work Folders folder in Explorer and you can begin saving files there to be synced with the Sync Share.

Back in Control Panel you can see some options for managing Work Folders, including a Sync now option. Once you have synced one workstation, try syncing another to demonstrate the technology.

 
