RelativityOne technical overview
Welcome to RelativityOne. Before you can set up your Relativity instance for case workflow, you will want to configure your organization's infrastructure and network access, and implement necessary security, in addition to reviewing the following system-level tools RelativityOne provides.
If you're an IT or network admin who is charged with preparing your organization for RelativityOne, review the following system-level technical overview.
RelativityOne government (FedRAMP)
The following functionality is not currently available for FedRAMP customers / government entities:
- Utility server
- Customer-managed keys (CMK)
- Sandbox environments
- Preview environment
As a security measure, Relativity blocks all outbound connections to the internet for FedRAMP government entities by default. This may prevent the loading of linked images or interfere with the functionality of custom applications that require internet access. FedRAMP customers can request that these outbound internet connections be allowed by reaching out to firstname.lastname@example.org.
Across your organization you should assess workstations to ensure that they meet Relativity minimum system requirements and have all required software installed.
- Check your browser compatibility.
- Perform workstation configuration.
The following diagram depicts the RelativityOne network in a RelativityOne instance with regard to the UDP and TCP ports that must be allowed by your business firewall.
Refer to the following sections for further description of the considerations for network access:
Ensure your port settings are configured correctly for the following:
The following ports must be opened on user machines and/or firewalls for the
| Port | Protocol | Description |
|---|---|---|
| 443 | TCP | Used for communication between GlobalProtect agents and portals, or GlobalProtect agents and gateways and for SSL tunnel connections. GlobalProtect gateways also use this port to collect host information from GlobalProtect agents and perform host information profile (HIP) checks. |
| 4501 | UDP | Used for IPSec tunnel connections between GlobalProtect agents and gateways. |
Windows does not support multiple active connections on the same UDP port. Therefore, your firewall must allow a range of UDP ports to reach the Aspera server. Incoming client connections automatically increment to use the next available port in the range. Open these ports on any user machine that stages any data to RelativityOne. This includes ports on your network, as well as local machine firewalls. You must make the following firewall changes to ensure concurrent transfers can occur:
- Allow outbound connections to the server on the TCP port 33001.
- Allow outbound connections to the server on the UDP ports 33001 - 33050.
Opening the required ports in the Windows firewall is typically handled on the end user's machine. However, if you use any third-party firewalls, you must manually open the ports referenced above. Improperly configured ports and/or a lack of UDP port ranges result in transfer failures.
For more information, contact Relativity Support at email@example.com.
You can test the TCP port connection by running the following command in Windows PowerShell:
- Test-NetConnection -ComputerName [FQDN] -Port 33001
For more information on FQDN, refer to the list of FQDN in the
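A scripted version of the firewall changes and TCP test described above, as an added example rather than a script supplied by Relativity. It scopes the outbound rules to the transfer server instead of opening the ports to any destination; the rule names and the parameters `AsperaFqdn` and `AsperaRange` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Relativity's own script. Rule names and parameter names
# are assumptions chosen for illustration.
param(
    # Aspera transfer FQDN for your region (fta-[regional domain].relativity.one).
    [Parameter(Mandatory)]
    [string]$AsperaFqdn,

    # Optional: the published primary IP range for your region, in CIDR form.
    # When omitted, the rules are pinned to the addresses the FQDN resolves to now.
    [string]$AsperaRange
)

$ErrorActionPreference = 'Stop'

# Scope the rules to the transfer server only, so that TCP 33001 and
# UDP 33001-33050 are not allowed outbound to arbitrary hosts.
if ($AsperaRange) {
    $remote = @($AsperaRange)
} else {
    $remote = @(Resolve-DnsName -Name $AsperaFqdn -Type A |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress -Unique)
}
if ($remote.Count -eq 0) { throw "No IPv4 address found for $AsperaFqdn" }

$rules = @(
    @{ Name = 'RelativityOne Aspera TCP 33001 out';       Protocol = 'TCP'; Port = '33001' }
    @{ Name = 'RelativityOne Aspera UDP 33001-33050 out'; Protocol = 'UDP'; Port = '33001-33050' }
)

foreach ($rule in $rules) {
    # Recreate the rule on every run so a changed server address does not
    # leave a stale allow entry behind.
    Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $rule.Name -Direction Outbound -Action Allow `
        -Protocol $rule.Protocol -RemotePort $rule.Port -RemoteAddress $remote |
        Out-Null
}

# Test-NetConnection only exercises TCP. The UDP range cannot be probed this way;
# confirm it with a test transfer after the perimeter firewall has been updated.
$tcp = Test-NetConnection -ComputerName $AsperaFqdn -Port 33001 -WarningAction SilentlyContinue
$udpRule = Get-NetFirewallRule -DisplayName $rules[1].Name

[pscustomobject]@{
    Server         = $AsperaFqdn
    RemoteScope    = $remote -join ', '
    Tcp33001Open   = $tcp.TcpTestSucceeded
    UdpRuleEnabled = ($udpRule.Enabled -eq 'True')
}
```

These local rules only matter on machines whose Windows firewall blocks outbound traffic by default; the same TCP port and UDP range still have to be allowed on any network firewall between the workstation and the server.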
You will need to allow the following:
You will need to allow connections to the following:
All VPN portal URLs are formatted as vpn.[regional domain].relativity.one
Note: VPN portal URLs are only accessed when connecting to your Utility Server or Direct SQL via the VPN. See Accessing the RelativityOne backend (custom reporting, application dev, data manipulation).
Primary Azure data center IP address ranges for Aspera data transfer and VPN portal URLs:
| Primary Azure region | Primary IP Range | VPN Portal URL |
|---|---|---|
| Germany-West Central (DECT) | 184.108.40.206/27 | vpn.dect.relativity.one |
| Switzerland North (CHNO) | 220.127.116.11/27 | vpn.chno.relativity.one |
| Southeast Asia (SEAS) | 18.104.22.168/27 | vpn.seas.relativity.one |
** For Sandboxes, you may continue to use the FQDN listed in the dropdown below
All FQDNs are formatted as fta-[regional domain].relativity.one
All VPN portal URLs are formatted as vpn.[regional domain].relativity.one
Note: VPN portal URLs are only accessed when connecting to your Utility Server or Direct SQL via the VPN.
|Azure Region||FQDN for Aspera data transfer||VPN Portal URL|
You should also allow connections to the following URL:
- If your firewall restricts all internet traffic, you may need to specifically whitelist the WebAPI URL (i.e., https://[customername].relativity.one/relativitywebapi).
To access RelativityOne backend resources, you must first connect to your VPN, and then connect to your desired resource (e.g., Utility Server or Direct SQL).
- Step 1 – Connecting to your VPN network
- Step 2a – Connecting to Utility Server
- Step 2b – Connecting to Direct SQL
The first step in accessing the RelativityOne data directly is connecting to RelativityOne via your GlobalProtect VPN connection. Your GlobalProtect VPN is used to access backend components of your RelativityOne environment.
Your VPN enables a secure connection between your computer and resources on your Relativity instance's network. The following resources are available when you connect to the GlobalProtect VPN client:
For Sandbox environments, you can access the following back end resources via the VPN:
For more information on how to connect to your VPN client, see GlobalProtect VPN client.
Note: This functionality is not currently available for FedRAMP customers / government entities.
The Utility Server is a virtual machine that can optionally be connected to your RelativityOne instance. It contains additional support tools to help you work with data in your RelativityOne staging area before editing and loading it into your RelativityOne instance. You access your Utility server through a remote desktop connection, using an issued set of credentials and a custom IP address.
Once you are connected to your Utility Server, you can perform the following actions:
- Access a mapped drive for the file share (TenantUser accounts) - access your uploaded files to edit in the staging area before you add them to your RelativityOne workspaces or save them to a RelativityOne file storage location. You can also access and verify any production sets before you download them locally.
- Install applications - if you have TenantAdmin access, you can install applications.
- Manage user administration - if you have TenantAdmin access and have Terminal Services licensed on the computer you can manage user administration yourself.
Note: It's not recommended to store files on your Utility Server. If your Utility Server becomes inaccessible, you will lose the files you stored.
Note: Direct SQL Access on the Utility Server is not supported.
Complete the following actions to connect:
- If you haven't already, connect to the GlobalProtect VPN using the credentials that you have been provided.
- After you have connected to the VPN client, open the ZIP file you downloaded, and then open the Credentials text file to view your provided Utility Server credentials.
- Launch the Windows Remote Desktop Connection tool.
- When the Windows Remote Desktop Connection window appears, enter the IP address provided via the Credentials file in the Computer field.
- Click Connect.
- Enter the Username and Password (provided in the Credentials text file) when prompted, and then click OK.
- When prompted again, enter your TenantUser, TenantUser2, or TenantAdmin (by request only) Utility Server credentials, and then click OK.
You have successfully logged into the RelativityOne Utility Server.
The Utility Server comes pre-loaded with the following tools:
- AZCopy - to create copies of files you want to move from your local machine to use with the Microsoft Azure Drive Shipping service or to move files from one Azure subscription to another.
For more information, see Get started with AZCopy.
- Relativity Desktop Client - to import and export native files, images, metadata, and productions to or from Relativity.
For more information, see Relativity Desktop Client.
- Notepad++ - to correct any errors in load files or other data editing needs.
- You can install Microsoft Office using your own license to correct any errors in load files or other, more robust data editing needs.
- Other minor third-party tools can be added to perform file manipulations. If your Utility Server becomes inaccessible, we will issue you a new Utility Server.
- AZCopy can be connected to blob storage.
For more information, see Moving data to and from Azure Storage on Microsoft's website.
Note: Relativity does not install any third-party or custom applications on customer utility servers. You must re-install any custom applications if you're issued a new Utility Server.
See Utility Server for more information.
Note: Direct SQL access is not included automatically with your RelativityOne subscription, and must be requested by contacting your customer success manager or implementation specialist.
In addition to querying and manipulating data through Relativity's suite of APIs, administrators and developers can extend the power of the Platform even further by directly querying the SQL database. This is an important aspect of the Platform that you may be accustomed to using in your Relativity Server deployment, and something you can also take advantage of in RelativityOne. You can run Relativity Scripts in your RelativityOne instance, and you can also run SQL scripts in SQL Server Management Studio (SSMS) directly against your Relativity databases. Direct SQL can be used for situations that require running custom reports, Relativity scripts, or running commands directly in SQL Server Management Studio against your RelativityOne database.
You will be provided with one TenantAdmin account that you can use to create additional accounts with the limited permissions that you specify.
Note: You do not receive access to the physical server; you are only able to access SQL via SQL Server Management Studio. No additional infrastructure components (certificates, etc.) are required for the access - only the VPN connection and SQL Server Management Studio.
To connect to Direct SQL using SQL Server Management Studio:
- Download SQL Server Management Studio to the local machine or server that has the VPN connection.
- Connect to the GlobalProtect VPN.
- Use the server name and credentials received from Support or Customer Experience to connect to the primary SQL server using SQL Server Management Studio from your local machine. To access RelativityOne databases, refer to the SQL server coding considerations section in the RelativityOne developer considerations page on the Platform site. This page contains information on the following:
- Access to SQL servers and databases
- SQL Server query resiliency
- Direct SQL access and location considerations including how to return a list of SQL instances and instance values
Note: You are required to change the password on the first connection and must manage these passwords internally. See SQL tenant admin operations overview on the Platform site.
See Direct SQL access.
The advantage to RelativityOne is that we maintain and upgrade your software to ensure that your business operations in RelativityOne run smoothly and that you always have access to the latest features and defect fixes. Regular downtime windows are required to do this (typically during non-business hours).
Please refer to RelativityOne maintenance downtime windows for more information on this schedule.
RelativityOne resource scaling
Scaling in terms of software products refers to increasing server infrastructure resources or re-prioritizing system processes to increase a system's workload capacity on demand. Increasing a system's workload capacity either entails finishing one unit of work in a smaller amount of time (i.e., speed) or finishing more units of work in the same time interval (i.e., concurrency). Scaling is typically used for large batch operations or when there is a large volume of jobs that may take a long time.
One of the benefits of using RelativityOne is that customers do not need to perform resource scaling themselves by purchasing and configuring new infrastructure, as they would in Relativity Server, or think about system scaling at all, because it happens in the background.
However, we want customers to notify the RelativityOne team proactively when they know they will be bringing a large matter into the instance so that RelativityOne can be at its most powerful when handling large amounts of information ingestion and processing such as with Imaging, OCR, Branding, and Productions.
Automated RelativityOne resource scaling
RelativityOne monitors system activity and automatically makes decisions about the following:
- System resource scaling - increasing workers and server resources
- Resource prioritization - which processes should receive resources given jobs that are competing for the same resources
System resource scaling
Automatic scaling in RelativityOne detects large jobs and automatically increases system resources to a higher performance capacity. Currently, RelativityOne automatically scales resources in the following product areas:
- Processing (i.e., Ingestion, Imaging)
- Mass PDF
- Indexing (i.e., Analytics)
- Processing note - if a Processing job (i.e., Processing, Native imaging) is running for 10 minutes, and if workers detect more jobs in the queue, a scaling event is initiated. It takes 30-45 minutes to scale up. Customers can contact Support if they do not see worker scaling happening after 30-45 minutes. See Scaling workers.
- OCR, Branding, Mass PDF, and Production note - when the size of a job or jobs in the queue requires 2 hours or more of execution (based on known performance thresholds and job parameters) a scaling event is triggered. The number of agents added depends on the size of the job. Customers can contact Support if they do not see worker scaling happening after 2 hours.
Increasing system resources does not help in situations where a large Processing image job is running and someone sends a small Processing job containing 100 documents for imaging that needs to be done right away. The smaller job might only take 15 minutes to run on its own, but if a large job is running at the same time, this same small imaging job will take 3x longer because it has to wait for system resources to free up.
The following tools currently enable better resource prioritization in RelativityOne:
- WorkerIQ - The Worker IQ agent enables smarter resource allocation and prioritization within Processing.
Customer-initiated scaling (proactive scaling)
If you know that you will require additional system resources in RelativityOne for upcoming work, you have the following options to proactively scale resources:
- Scaling Analysis Requests - Customers can submit requests for specific anticipated spikes in activity. This can include ARM / Application Installation Manager / File Validation Manager, large dtSearch builds, large Analytics operations, and large Legal Hold projects. See RelativityOne Resource Requests in the Relativity Community.
- Processing (Scale to max button) - A scaling event is initiated when Scale to Max is pressed. It takes 30-45 minutes for workers to scale up once the button is pressed. See Scaling workers.
At Relativity, no topic is more important than security. With preventative defense, automated processes, and transparent operations, we keep our customers’ most sensitive data protected.
Security white paper
RelativityOne runs on Microsoft Azure and is built on Microsoft’s foundational investment in security technology, operational processes, and expertise. Relativity Security utilizes logs, telemetry, and configuration data generated from the Relativity Application, underlying infrastructure, and Azure to monitor and secure the environment. No customer data or Personal Identification Information (PII) leaves the environment for this purpose.
Refer to the Security white paper for comprehensive information regarding the security built into RelativityOne.
RelativityOne Security Center
As organizations' workforces are increasingly dispersed, you want to be sure you’re keeping your data secure. Security Center provides a single-threaded view into the most pressing areas of concern for securing your data.
These areas include:
- User 2-factor Authentication - 2-factor authentication (2FA) provides an additional layer of protection in the event that passwords are compromised. In Security Center, admins have the ability to track two-factor authentication usage and send users notifications to enable 2FA to make sure user endpoints are secure.
- User Activity - Security Center provides insight into the status of inactive users and allows you to disable or delete them to ensure your data is secure.
- Lockbox access - transparency and trust are two core tenets of the security program at Relativity. Lockbox in RelativityOne ensures that Relativity support staff only have access to your workspaces when you give it to them. In Security Center, you can do real-time access audits of Lockbox/Relativity support and revoke access if needed.
Note: Only RelativityOne System Administrators have access to the Security Center dashboard.
The client domains feature enables Relativity to deliver more powerful managed service offerings for enterprise customers in a single Relativity
Using client domains, system admins can empower a user group that is not part of the System Administrator group (client domain admins) to perform common administrative tasks within their own client domain while limiting their visibility into the Relativity environment as a whole. The client domain admins can customize the permission settings to various objects according to their preferences within their own domain, but cannot access any permissions outside of that. This resource isolation functionality grants your enterprise clients more administrative control over their own portions of the environment while preventing back-end visibility and unauthorized changes to your Relativity
Note: Client Domains are targeted for the above use case only and it is important to consider all the limitations outlined in
Implementing client domains requires an additional license from Relativity ODA LLC. Each client domain license is unique, and client domains can have different terms encoded on their license keys. The license for a client domain is unrelated to any other license for Relativity (e.g., number of seats). Client domain licenses are not transferable from one client to another. Contact your Customer Success Manager or CSM@relativity.com to learn more about activating client domains.
See Client domains.
The customer lockbox feature in RelativityOne prevents Relativity support or operations teams from seeing customer data even when granted administrative privileges necessary to provide responsive, high-touch support. When this feature is enabled (default), the customer lockbox prevents any system administrator (Relativity teams included) from seeing workspace data unless explicitly granted access.
Consider the following:
- Lockbox is enabled by default.
- System administrators must also belong to a group within a workspace to access that workspace or to administer security within that workspace.
- With this feature enabled, members of Relativity's Customer Support team will not be able to access customer workspaces. If troubleshooting an issue requires workspace access, the customer will be prompted to add the Relativity Support technician to a workspace group in order to troubleshoot issues within that workspace.
- You will see Relativity Support team users on the security permissions page (along with their specific permissions) unless you lock us out.
Note: Since Relativity will not change customer data, you will have access to report scripts via the
Note: Customer Lockbox is not a full lock-out feature. System administrators can grant themselves access to these workspaces, but this action is audited.
When you contact Relativity Support for troubleshooting, the following high-level steps are performed if access to customer workspace is required to resolve an issue:
- Support is requested through the usual means.
- The Relativity Customer Support technician will request that you add a RelativityOne Support group to the workspace in question.
- The Relativity Customer Support technician will troubleshoot your case per standard protocol.
- Upon resolution, the Relativity Customer Support technician will advise you that the issue is resolved.
- You should then remove the RelativityOne Support group from the workspace you added them to.
See Customer lockbox.
Customer-managed keys (CMK)
Note: This functionality is not currently available for FedRAMP customers / government entities.
Customer Managed Keys (CMK) give you control over the keys that encrypt data at rest in RelativityOne by enabling you to own and control your own keys through third-party key management solutions for persistent data in RelativityOne.
The scope of the feature covers RelativityOne services that retain persistent data, which includes:
- Secret Store
Note: If you have any issues, please contact firstname.lastname@example.org with “R1 – CMK – ” in the subject.
See Customer-managed keys (CMK) for more details.
- Password – a method that includes a username (the user's email address) and a password.
- Client Certificate – an external method requiring a smart card and PIN. This method validates from an IIS server. It may also be referred to as smart card authentication.
- OpenID Connect – a method that authenticates against an external identity provider using the OpenID Connect protocol. OpenID Connect is a modern authentication protocol that can be used to connect to providers such as Azure Active Directory. See OpenID Connect for more information.
- SAML 2.0 – a method that authenticates against an external identity provider using the SAML 2.0 protocol. SAML 2.0 is an older authentication protocol that is still in widespread use. See SAML 2.0 for more information.
- When implementing single sign-on (SSO) across Relativity instances, the following scenarios are supported:
- Identity Provider-initiated SSO using SAML 2.0
- ID provider and service provider-initiated SSO with OpenID Connect
In addition to the above protocols, Relativity has the following additional authentication features:
- Two-factor Authentication – when logging in with the Password method, you can require the user to pass an additional two-factor check based on an email or message sent to the user's phone (through a mobile email gateway).
- Mode - Always required or require only for non-trusted IPs
- Method - Authenticator App or email. For more information, see the authenticator app's documentation.
- Trusted IP Range – limit access to the Relativity application based on the user's source IP address.
Relativity initially issues the credentials for the items below. However, after credentials are sent, you will directly manage the following access credentials:
- VPN - password is active for 90 days. When it expires, you must reset it as the customer; you will need your original password in order to complete the password reset (or you will need to contact Support for a new temporary password).
- Direct SQL - does not expire
- Utility Server - does not expire
Note: When someone leaves your organization who has been issued one of these access credentials, you should open a Support ticket to have that person's user access removed. We recommend that you track who in your organization has access to these credentials, and make submitting a Support ticket part of the employee exit process.
Setting up a hybrid environment (Relativity Server and RelativityOne)
With the introduction of RelativityOne, hybrid environments (combining cloud and on-premises instances) are becoming a common deployment scenario. The Relativity hybrid model provides a compelling alternative to on-premises hosting of cases.
Hybrid environment business scenarios:
- Your organization decided to start migrating older cases to RelativityOne
- Your firm’s IT department then no longer has to provision more hardware for new cases
- Simply migrate old cases to RelativityOne to free up infrastructure in your local data center
The Relativity hybrid model allows you to start new cases in the RelativityOne instance with benefits such as:
- Avoiding the hassle of provisioning hardware to support those cases
- Viewing/accessing cases in a different instance
- Single sign-on across instances (when using OpenID Connect protocol)
Despite the benefits of this hybrid model, RelativityOne is a separate instance with a separate user store and separate credentials. You must manage user credentials across two different systems - a task that can be time consuming and prone to errors.
Refer to the following topics for more information:
Consider the following regarding personalization in RelativityOne:
- Custom logo - Customers can request a custom logo from their Relativity implementation specialist or customer success manager. The logo displays on the login screen and optionally in the upper right corner of the instance next to the "Hi, User!" drop-down. The logo submitted should be a maximum height of 50 pixels; width may vary depending on the style of the logo.
- Custom URL - Relativity does not provide unique URLs for customers. Your RelativityOne URL will always be formatted as: https://<organization name>.relativity.one.
If you have questions on personalization, contact Support.
Relativity now supports the modification of the default regional date format setting for customer Relativity instances (e.g., setting the regional date format to DD/MM/YYYY for an instance in Australia vs. the current default US date format MM/DD/YYYY). When completing your RelativityOne onboarding questionnaire, discuss considerations for changing regional date setting in your instance with your Relativity Implementation Specialist. If you are already a customer and want to make this change, please contact your CSM.
Once this change is made by Relativity for your instance, the following will be true:
- Email regional date considerations:
- Emails processed prior to a regional date format change will have a different date format in the header text than those processed after the change. For email chains with different date formats in the email (e.g., emails sent from other regions) the extracted text does not change and it’s retained simply as extracted text.
- Email threading dates will still be impacted if the Use Email header fields setting is set to No.
- Imaging / Save as PDF regional date considerations:
- Images created before a regional date format change will have a different date format than images after the change.
- DATE fields used for branding images (with designations) will always be in US date format.
- When imaging a document, if you select “replace field codes” (which replaces auto-filled dates), and you choose a DATE field in Relativity, it will always replace the date in US format.
- When branding during a Save As PDF action, if you select a DATE field, it will always be in US date format.
Note: Consideration should be given when importing workspaces from instances with different regional date settings, as there may be inconsistent date formats with Processing or when using Save as PDF / Imaging features. Additionally, prior to the Foxglove RelativityOne release, deduplication output will be inconsistent if different regional date formats were used. The hashing algorithm changed in the Foxglove RelativityOne release to ensure deduplication is not impacted when a workspace with non-US date format is restored; however, manual corrective steps (including executing a script) will be required before additional data can be processed into the workspace. Please reach out to Support for information on these manual steps.
RelativityOne platform API
The RelativityOne platform provides a rich set of APIs that enable you to enhance the functionality of the Relativity system by creating customized applications that meet the specific e-discovery needs of your business.
RelativityOne Sandbox refers to reusable RelativityOne environments that allow you to test SQL scripts, event handlers, API based applications, custom pages, and custom agents for both the current and Early Access (EA) release of Relativity.
Note: Sandbox is a service that you must subscribe to. Please contact your Account Manager for more details. (Sandboxes are free with 10TB and up subscriptions. Subscriptions less than 10 TB can opt to purchase Sandboxes.)
Note: This functionality is not currently available for FedRAMP customers / government entities.
Preview refers to a free RelativityOne instance that gives you early access one month ahead of your RelativityOne upgrade. This enables you to identify feature changes that impact your workflows and adjust accordingly. The Relativity Preview feature lets you try out the new version of Relativity prior to release in an environment that has the same security and feature functionality of a RelativityOne instance.
Relativity Preview offers you the following benefits:
- The ability to preview workflow changes in the UI prior to a production release.
- Seamless integration with RelativityOne production instance via User Sync and Federated Instances.
- Preview is pre-loaded with dummy data that effectively demonstrates new Relativity features.
System logging in RelativityOne
RelativityOne does not provide external access to logs except in Sandbox test environments; if a log is needed, we encourage you to contact Support in order to troubleshoot these sorts of issues.
RelativityOne activity dashboard
You can use the RelativityOne Activity Dashboard to obtain a high-level view of the health of your instances and users.
- The RelativityOne Activity Dashboard will not display data from Relativity Server instances.
Customers have access to an SMTP server that will send password reset / invitation emails, and other system notifications such as job notifications. These settings are not configurable in RelativityOne and the email will come from a generic relativity.one address.