Server Setup Guide
The MyWorkDrive Server services provide web based access to existing Windows file sharing folders that support our Web File Manager, Mapped Drive Client and Mobile Apps. The MyWorkDrive Server services should be installed on a stand-alone Windows physical or virtual server that is located on the same LAN and domain as the Windows file shares and run within IIS. Setup will install the IIS services automatically. In addition to making the file shares available over a web browser, the MyWorkDrive server enables our API for securely mapping drives using our Mapped Drive, Office 365 & Mobile Clients. For additional details, read the Technical Overview Support Doc and the MyWorkDrive security overview.
View the setup video here:
Before you begin, ensure you have regular and complete backups of your file server(s). In addition, we recommend volume shadow copy be enabled with hourly snapshots on all file share drives.
Step 1: Server Prerequisites
- Domain-joined, fully patched server running Windows 2016 – 2019 Server.
- .Net 4.6.1
- Minimum 4 GB ram, 2 virtual cpu’s if installed as a virtual machine – for larger enterprises please review our Server Sizing Guide.
- Direct Internet access on the server running MyWorkDrive (no proxy services) to activate and initialize the software with outgoing firewall access to ports 443, 7844. For additional details on outbound ports for locked down environments review our firewall settings guide.
- Antivirus software products installed on the MWD server can interfere with MyWorkDrive processes. Review our Antivirus Settings Article.
- Incoming port 443 (if you will be using your own domain name & SSL certificate).
- Server must be part of a Windows Active Directory domain, ideally a member server.
- The server where MyWorkDrive is installed should be on the same LAN or very fast connection as the Windows File Shares for best performance.
- We do not support installing MyWorkDrive on a server that is running Small Business Server, Microsoft Exchange, other IIS sites or any software that includes IIS .net components.
- If shares are accessed through DFS, ADFS or SAML is used for authentication it is necessary to enable delegation so that the MWD Server trusts these servers – see support article here.
- Additional client requirements and limitations are located in our support article here.
Step 2: Verify & Run the MyWorkDrive Server Setup
- Logon to the server as a domain user with admin rights on the member server.
- Run MyWorkDrive-Setup.exe,
- When setup completes restart the server to complete the installation.
- Open the MyWorkDrive Control Panel (shortcut on the Desktop) in Chrome browser at http://127.0.0.1:8358
- The post setup wizard will launch with basic setup questions including shares, Office 365 editing and optional myworkdrive.net relay usage
- Once at least 1 share is setup and the server is made public (using myworkdrive.net domain or your own host name(see below) you may begin using MyWorkDrive.
- You will receive an email when your site is ready if using *.myworkdrive.net domain – this takes about 15 minutes.
Step 3: Post Setup: Login into the Admin Portal to Setup Shares
- Open the MyWorkDrive Admin page at http://127.0.0.1:8358 on the MyWorkDrive Server
- Login using an Active Directory Domain Account with local administrator rights on the MyWorkDrive server and permissions to read network file shares. For example the domain admin credentials ( mycompany\administrator or [email protected] ). Be careful to only login using a domain account, do not login using a local machine account.
- If you have trouble viewing the admin page in your server’s browser adjust your screen size and disable Internet Explorer Enhanced Security Configuration (IE ESC) for administrators or use our recommended browser – Chrome.
Step 4: Setup Shares
If no shares are already setup (new installs) The MyWorkDrive Admin Panel will start with the Add Shares section already open, otherwise click Add to setup shares. Enter a Name (share name) and the Path which points to the network share using host name and share name on the same LAN as the MyWorkDrive Server (eg: \\server1\project ).
Import existing Users and Groups permissions to begin choosing what users/groups should be able to see the share in MyWorkDrive or manually search and Add Groups and/or Users you wish to permit access to the shares in MyWorkDrive. Note we only import existing permissions to help you select which users/groups that already have NTFS permissions to access the share using MyWorkDrive. Note future user/group changes need to be added/removed from MyWorkDrive shares so ideally use Active Directory Groups to limit updates.
For MyWorkDrive servers starting with version 6 or higher, administrators my limit access by user or group to specific client types; Web Client, Mapped Drive or Mobile.
Please also note that the sharing of subfolders of a share is possible. IE, your path might be \\server\share\subfolder. However, if you do that, they will not appear that way on the simulated smb mountpoint for the Windows Map Drive Client. Due to a limtation in the file system driver we use to simulate the SMB mount point, shares which include a subfolder will be simulated as \\server\subfolder on the Windows Map Drive Client. The shares will work normally in all regards in the GUI on the Windows map drive, as well as on the Web client and Mobile client, however their simulated SMB mount point will not match a traditional SMB Share.
Verify Home Drive Settings on the Settings tab – enabled by default – this information is pulled from Active Directory automatically for each user on their profile tab.
Set the file size limit for transfers ( this will depend on your internet upload/download speed ), we recommend limiting to 30 MB or less on slower connections.
MyWorkDrive also supports entering %username% variables – for example: \\servername\project\%username% in the folder path. If the user has a folder only their folder will appear under the share. Starting in Server 5.3 in addition to username variable a new variable %upnname% can be used which pulls username from UPN (user principal name).
** Note existing file share permissions on your file server should be everyone full control and only utilize NTFS to limit user file permissions (where users should only be given Modify and not Full NTFS permissions so as to prevent file ownership issues) – As a security precaution, MyWorkDrive passes through authentication and can limit permissions further but not grant NTFS permissions to any shares. , Users must already have NTFS and share permissions to the files prior to adding to MyWorkDrive. To prevent users from seeing files they don’t have rights to, enable Access Based Enumeration on the share. For more information on cleaning up ownership and NTFS permissions, see our Windows File Sharing Article.
*** For very large organizations with 100’s of shares, MyWorkDrive supports importing shares from a csv file share list. Contact Support for additional details.
You can limit who can login to the MyWorkDrive site by restricting user groups on the MyWorkDrive shares – only the users or groups who are added to at least 1 share in MyWorkDrive will be able to login (even if they have underlying NTFS permissions they will still be denied login to MyWorkDrive). If desired set to require at least 1 share under home drive settings.
Step 5: Proceed to accessing the client file web access site to verify functionality
- Access the local site for basic testing of the site at http://127.0.0.1:8357 or over port 80 at http://127.0.0.1 beginning with Server Version 4.2 (Chrome browser is best)
- Login using various users to test web file access, shares and home drive access (if allowed) on the Server.
Step 6: Publish to the cloud
When you have completed the setup, you can make your files available remotely (in the cloud) by utilizing 1 of these 2 methods:
a. Cloud Connector: https://YourCompany.MyWorkDrive.net
If you would like to use our Cloud Web Connector to make your server available to user’s for testing or light usage using our relay at YourCompany.MyWorkDrive.net, access the settings page at http://127.0.0.1:8358 on your server and enter your host name on myworkdrive.net. A tunnel will be created for you on Cloudflare with a 100 MB file size limit. For fastest speeds and larger file access we recommend you setup direct access using step b below.
b. Publish your own domain by adding an SSL certificate
For fastest speeds, mapped drive client use and enterprises, use your own hostname, SSL Certificate and open port 443 from your firewall. Steps: Setup a host-name on your domain:eg: share.mycompany.com, Install and purchase an SSL certificate, Bind the “WebClient” site in IIS to port 443 and finally expose your site over port 443 through your firewall. For security we do not recommend opening up your site to port 80 (http) unless redirected to port 443 (https) – See Require SSL setting. For additional instructions see our support guide on how to setup and install your own SSL Certificate/Hostname to your MyWorkDrive server.
Optimization Tip: We recommend using internal DNS to force any site traffic as local – So for example internally share.yourcompany.com should resolve to the internal ip address. This speeds up internal access and bypasses any firewall issues. This is standard practice for any internally hosted website – for example Exchange Outlook Web Access and ADFS.
Security Tip: We recommend reviewing our guide on how to harden your IIS Server and disable unneeded IIS SSL Ciphers: Read the SSL Lock Down Guide Here.
Standard Features & Settings
Office 365 Online/Office Online Server File Editing: Knowledge Base Article
MyWorkDrive Server supports online editing of documents stored on local file shares in Office 365 Online or using a Local Office Online Server in our Web Browser client and in iOS Office apps. MyWorkDrive is the only solution that allows users to edit Office Documents in Office 365 Online but store them on-premise.
An Office 365 Business account is required to edit Office documents online (View does not require an Office 365 Business Account).
Enable Office 365 Editing using the setting tab in the MyWorkDrive Server Admin Site on your MyWorkDrive Server.
Email Domain Lookup: The Email Domain lookup feature saves users who are logging in on the Desktop or Mobile clients a step when using their email address as their user name. The client will automatically lookup the server URL based on their email domain and pre-populate it in the client.
It is also used to assist mobile users when using Office Mobile Apps if your domain user’s email address can also be used to sign-in to active directory. If enabled, when a user adds MyWorkDrive as a place in iOS or Android mobile office apps they can sign-in with just an email address and password and will not be prompted to enter their MyWorkDrive server URL.
Office Local Web Edit: By Enabling this feature users can choose edit from the menu in the Web Browser client and office documents will open directly from the browser in local office. For security an additional security prompt will be presented. If DUO Two Factor Authentication is enabled it will be requested as well. The administrator can optionally disable password saving for this additional pop up – which means the user will be prompted for username password every time a document is opened for edit from the browser in local office.(default:enabled).
Office Double Click Action: This feature allows the administrator to control the action when an office file is double clicked in the web client – Open Online, Open Locally or Download (default:open online).
Require SSL: By enabling this option any http port 80 connections to the MyWorkDrive client site are automatically redirected to https (http port 80 and https port 443 must already be bound to the webclient site in IIS and Windows Firewall on the server must be set to allow ports 80 and 443 to public addresses) (default:disabled).
Require Email Username Format: Enabling this option will require users to login using email address. This is helpful in larger companies with multiple domains and also lessens the impact of entering a bad password lockout since only the 1 username is checked (default:disabled).
Enable Mapper Client: By disabling this option users will be unable to login using the desktop mapped drive client (default:enabled) in addition the administrator can restrict password saving or file types (requires version 5 of the mapped drive client).
Enable Mobile Client: By disabling this option users will be unable to login using the desktop mobile client (default:enabled).
Enable WebDAV: By disabling this option user will be unable to use WebDAV to login to MyWorkDrive (note disabling is recommended when Two Factor Authentication is used) (default:enabled).
Enable OneDrive Sharing: By disabling One Drive Sharing users will not be able to share files externally using OneDrive (default:enabled).
Enable Outlook Sharing: By disabling Outook Sharing users will not be able to share files externally using Outlook Online (default:enabled). The maximum attachment size can also be set – default is 10 MB. If company policy requires MFA to authenticate users to Office 365 additional steps are required before enabling this feature – Outlook Sharing Article.
Enable Favorites: By enabling favorites users will see a new option in the web file manager browser client to create and delete favorites to folder paths. By default favorites are saved to the local MWD Server. In clustered environments favorites may also be saved to a shared hidden share on the network (each MyWorkDrive server computer account will need NTFS permissions to create and modify favorites in this share).
Web Client Text Editor: Version 5.4.3 introduces a new inline light text editor option. This will allow users to edit .txt files in the web client, as well as other file types defined by the administrator – such as .log, .xml, etc.
The text editor can be enabled in Settings, and an entry area to specify the file extensions to permit editing will display when enabled.
Note that, when enabled, txt files bypass DLP restrictions and can be edited with clipboard access.
Outbound Proxy: An outgoing proxy server may be specified for the MyWorkDrive server to communicate outbound to our licensing services in the format of http://hostname or IP Address and optional port number. For example http://10.10.10.10 or http://10.10.10.10:8888.
Home Drives: By default home drives are enabled and available to users when they login. MyWorkDrive will display the UNC path as specified for that user in AD Users & Computers. The file server should be located ideally on the same LAN as the MyWorkDrive server ( or on a very fast connection ) and will need to be able to resolve the server by the host name as entered in AD Users & Computers. Optionally require users have access to at least one MyWorkDrive share to restrict user logins to the MyWorkDrive server.
Search: MyWorkDrive integrates with the the Windows Search Service. Due to Windows limitations, Windows Search integration is only appropriate for up to 2 TB maximum. Windows File Server Search Guide. For Enterprises with larger file server volumes or NAS devices MyWorkDrive integrates with dTSearch. dtSearch Setup Guide.
File Lock Manager (beta) – Available as of version 5.4.3, a hidden page in Server Administration provides a list of open file locks by MyWorkDrive users. It can be accessed on the server console by visiting http://127.0.0.1:8358/locks Please review our File Lock guide for details on usage and troubleshooting
Session Timeout: In Settings it is possible to edit the default settings for user session timeouts. As of version 5.4.1 user timeouts are absolute; in previous versions they were idle timeouts.
When a timeout is reached, the user is prompted to log back in using the server’s configured login process – username/email/mfa/sso/etc. Any exsiting operations such as document open/save/copy will complete prior to the login being required.
Private computer – a user’s time logged in to the Web Client on a Private computer (as marked on the login screen).
Public computer – a user’s time logged in to the Web Client on a Public computer (as marked on the login screen).
The default times are 8 hours for Public computer and 5 days for private computer (these match Microsoft Office 365 defaults).
Mapper Client – a user’s time logged in to the PC and macOS Map Drive client.
Mobile Client – user’s time logged in on the iOS or Android client.
Admin Panel – the administrator’s timeout session for the admin panel on the server desktop. Note that updating this will reset the existing login when changed.
Search Query – the timeout length of the search query when search is configured for the Web Client. A longer timeout will allow a query to consume server resources for a longer time scanning a given directory. It may be desireable to keep a more modest timeout and encourage the users to search deeper in the directory tree.
Zip File Download – the timeout length the zipping process will run preparing zip files in the web client. An increased timeout length will permit larger files or a larger count of files to be zipped, but will consume additional server resources. How many files or how large a file set may be will depend on enviornmental variables. It may be desireable to keep a modest timeout and encourage the users to create smaller zip files.
Adjust these timeouts to meet your companies security requirements. For additional security enable Duo Two Factor Authentication.
Enterprise Features & Settings
Two Factor: MyWorkDrive supports Duo Two Factor Authentication for enhanced security. Configuration details are located in our Two Factor Authentication Support Article. Two Factor Authentication requires an Enterprise or Partner License.
ADFS/SAML SSO: ADFS integration allows users to access MyWorkDrive using ADFS for a Single Sign On (SSO) Experience without requiring re-entering of credentials. ADFS Support Article Note: MyWorkDrive users can already sign-in with their Active Directory accounts, ADFS or SAML adds additional integration options for enterprises. MyWorkDrive supports SAML integration with easy integration for popular providers such as Microsoft Office 365/Azure AD, OKTA and OneLogin. SAML Support Article. Optionally require users to access the MyWorkDrive Web Browser client using ADFS or SAML by enabling “Require ADFS/SSO Login in browsers”. To enable logging out of ADFS or SAML when signing out of MyWorkDrive “Enable single logout”.
Azure AD B2B Guest User File/Folder Collaboration: Customer’s who utilize MyWorkDrive Azure AD integration for authentication can now easily invite external guest users to collaborate on Windows File Shares. With this feature, external users are invited to Azure AD as Guest Users who can fully collaborate with internal users on files and folders without managing internal Active Directory accounts. Review the setup article here for additional details.
Clustering/Load Balancing: MyWorkDrive supports clustering multiple servers for fail-over and load balancing. See our support article for additional details.
Branding: Enterprise licensees can customize the powered by, help page URL, background and toolbar colors and user locked out and password expired messages.
Data Leak Prevention (DLP): Review the support article for DLP. Data Loss/Leak Prevention requires an Enterprise or Partner License
Previous Versions MyWorkDrive connects to Windows Volume Shadow Copy Snapshots (VSS) services to enable previous versions restores from our Web Client. Review the support article for Previous Versions
With MyWorkDrive server version 5.2, you are now able to configure alerts via email about user actions on the server – excess file downloads, deletes, etc. The settings are housed in a new menu item in Server Admin titled Alerts.
Depending on the volume of activity at your organization, the alerts themselves, the count of events and timeframe are adjustable to match your organization. Enable the ones you need and set the count of events and timeframe as appropriate.
Note that you cannot have a Server Alert Frequency greater than the shortest minutes/activity interval. You also cannot set a frequency less than 5 minutes for any of the alerts.
The outbound email uses your SMTP settings.
You’ll receive an email notifying you the threshold was exceeded.
The details can be seen in the Logs menu item including who took the action, what the action was and what file(s) are impacted.
Backup MyWorkDrive Settings
The MyWorkDrive server files are located under c:\wanpath. Include this folder in any backup strategies to ensure MyWorkDrive settings can be restored in the event of a server failure. Note that no user data files are stored by MyWorkDrive – only settings, user favorites (version 5.2) and license information.
A backup of c:\wanpath should only be used to restore an instance in case of recovery and cannot be used to migrate to a new server, create a disaster recovery standby or create additional instances for clustering. Attempting to use the files in c:\wanpath on multiple machines simultaneously will result in license conflicts, and attempting to restore to a different version of MyWorkDrive server or new hardware is not recommended or supported.
With MyWorkDrive server version 5.2, you are now able to export and import your MyWorkDrive settings. This makes it easier to save your settings, maintain a DR site or migrate installations of MWD. At the bottom of the Settings section of Server Admin you will find buttons for export and import.
Export will create a zip settings file and initiate a download. The download will include your MyWorkDrive server configuration, user favorites and SMTP configuration.
Import will take that zip and setup your new server. In order to avoid a license conflict in situations of Disaster Recovery standby or Clustering, some settings which must remain unique like Cloud Wed Connector URL and license key are not imported. Please have your license key handy during setup of a new server.
Import also does not adjust any settings outside of the MyWorkDriver such as the SSL settings of IIS, NTFS Permissions, NTFS Shares, Delegation, etc. Those settings will need to be made/adjusted as appropriate.