Sybase software described herein is furnished under a license agreement. It may be used or copied only in accordance with the terms of that agreement. No part of this publication may be reproduced, transmitted, or translated.
Afaria 7
DOCUMENT ID: DC-7-00-00
LAST REVISED: March 2012
Copyright 2012 by Sybase, Inc. All rights reserved.

This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or technical notes. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be used or copied only in accordance with the terms of that agreement. Upgrades are provided only at regularly scheduled software release dates. No part of this publication may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior written permission of Sybase, Inc. Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and the marks listed are trademarks of Sybase, Inc. A ® indicates registration in the United States of America.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Java and all Java-based marks are trademarks or registered trademarks of Oracle and/or its affiliates in the U.S. and other countries. Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. All other company and product names used herein may be trademarks or registered trademarks of the respective companies with which they are associated. Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS 52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies.

Sybase, Inc., One Sybase Drive, Dublin, CA 94568

Contents

Installation User Assumptions 1
Afaria Technical Support 3
Sybase Social Media Channels 5
Locating Product Documentation 7
Afaria Architecture 9
  Afaria Server 10
  Additional Afaria Components 11
Installation Options 13
  Installing a Standard Environment 13
  Afaria Reinstallation 13
  Afaria Upgrade 14
  Afaria Appliance Installation 14
System Requirements and Release Notes 15
Afaria 7 Upgrade 17
  Eligible Upgrade Path and Environment 17
  Entering or Updating Your License Key 17
  Discontinued Platform Support 18
  Afaria Single Server Upgrade 18
  Afaria Server Farm Upgrade 19
  Automatic Actions 19
    Device IDs 19
    Assigned User Groups 20
    Discontinued Channel Types 20
    Session Manager Channels 21
    iOS Device Configuration Policies 21
    Portal Application Packages 22
Preparing to Install Afaria 23
  Creating a Domain User Account for Operating Afaria 23
    Updating Passwords and Domain User Accounts for Afaria 23
    Syntax Examples for Updating Afaria Server Password 24
  Afaria Database Preparation 24
    Estimating Your Database Size Requirements 24
    Creating an SQL iAnywhere Database and User 25
    Configuring the iAnywhere SQL Anywhere Database for Operations 25
    Creating a SQL Server Database and User 26
    Configuring the SQL Server Database for Operations 27
  Apple Certificates for Managing Afaria Devices 27
    Obtaining Root and Intermediate Certificates 28
    Obtaining an Apple APNS Certificate 28
  Obtaining a Google API Key 33
Installing Afaria Server 35
  Entering or Updating Your License Key 35
  Starting the Setup Program 35
  Defining Server Type and Directory 36
  Selecting Microsoft SQL Server Database 36
  Selecting iAnywhere SQL Anywhere Database 37
  Selecting Authentication Type 37
    Configuring LDAP Information 38
  Completing the Installation 39
  Installing Afaria Server Farm 40
Installing Afaria API Service and Administrator 41
  Verifying Afaria Administrator IIS Settings 42
  Changing the IIS Connection Timeout Value 43
Starting Operations and Server Configuration 45
  Logging In to Afaria Administrator 45
  Logging in as Added User 45
  Starting, Stopping, Restarting the Afaria Server 45
  Verifying Afaria Server Settings for Device Communication 46
  Verifying Afaria Server Settings After Installation 46
Afaria Server Configuration for Installation and Management 47
  User Role Management 48
    Viewing the Server Roles 48
    Adding or Editing a User Role 48
Afaria Server Messaging 51
  Addresses and Routing for Afaria SMS and SMTP Messages 51
  SMS and SMTP Message Address Syntax 51
  SMS Gateway 53
    Installing SMS Gateway 53
    HTTPS Support Certificates 54
    Configuring Afaria Server for SMS Gateway 54
    Setting Up SMS Modem 55
    Setting Up SMPP 56
  Setting Up SMTP 56
Installation and Configuration for Enrollment Components 57
  Installing Enrollment Server - Basic 57
  Configuring Afaria Server for Basic Enrollment Server 58
  Configuring Afaria Server for Enrollment Codes 59
  Configuring Certificate Authority for iOS Devices 60
    Configuring an Enterprise Root Certificate Authority for iOS 60
    Tuning the Certificate Authority for Afaria 62
    Installing the Afaria SCEP Plug-In Module on the CA 62
  Configuring Afaria Server for iOS Certificate Authority 63
  Importing Apple Root and Intermediate Certificates for MDM Management 64
  Configuring Afaria Server for iOS Notifications 64
  Configuring SSL Connections for Enrollment Server 65
  Configuring SSL Connections for iOS CA 66
  Adding iOS MDM Payload Signing for iOS 66
    Importing Apple Root and Intermediate Certificates for MDM Payload Signing 67
    iOS MDM Payload Signing Certificate Requirements 68
    Reinstalling the Enrollment Server for iOS MDM Payload Signing 68
    Configuring Afaria Server for iOS MDM Payload Signing 69
  Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections 69
Package Server 71
  Installing Package Server 71
  Configuring Afaria Server for Package Server 72
  Configuring SSL Connections for Package Server 72
Access Control for Email 75
  Access Control Components 75
  Access Control Configurations for Microsoft Exchange 76
  Access Control Configurations for IBM Lotus Domino 78
  Setting Up Access Control for Email 81
    Configuring the Afaria Filter Listener 81
    Installing the ISAPI Filter Component 82
    Installing the PowerShell Service Component 83
  Files Installed with and Generated by the Afaria Filter 84
Self-Service Portal 87
  Preparing to Install Self-Service Portal 87
  Installing the Self-Service Portal 87
  Afaria Self-Service Portal Address 89
  Configuring Afaria Server for Self-Service Portal Request Timeout 90
  Editing Enrollment Codes for Self-Service Portal 90
Relay Server 91
  Relay Server Executable Components 92
  Setting Up the Relay Server for Basic Operations 92
    Setting Up the Relay Server for Basic Operations with IIS 7.5 92
    Setting Up the Relay Server for Basic Operations with IIS 6.0 100
  Restarting the Relay Server Host 106
  Relay Server Support for Server Components 106
    Relay Server Configuration File Examples 108
    Configuring Relay Server for Afaria Server 109
    Configuring Relay Server for Enrollment Server 112
    Configuring Relay Server for iOS Certificate Authority 113
    Configuring Relay Server for Access Control 114
    Configuring Relay Server for Package Server 115
    Configuring Relay Server for Application Onboarding Certificate Authority 116
  Launching the Relay Server Outbound Enabler 117
    Installing the Relay Server Outbound Enabler as a Windows Service 118
  Relay Server with SSL 118
  Relay-Server-Related Logging 119
Uninstalling Afaria Components 121
  Uninstalling Afaria Server 121
Installation User Assumptions

Afaria installation requires that you have knowledge of Windows servers, Microsoft IIS, database servers, your user directory manager, and the device types you plan to support.

Afaria Technical Support

Sybase provides industry-leading support and a variety of downloads to help you get the most out of your Sybase products and solutions. For information about Sybase Customer Service and Support, visit www.sybase.com/support. If you have a technical support contract, you can locate your local technical support center at www.sybase.com/contactus/support. For Afaria customers with a maintenance agreement, visit METS at http://frontline.sybase.com/support.

Sybase Social Media Channels

Sybase is active on a number of social media channels, such as Twitter, blogs, and YouTube. Visit us online for our social media channels at www.sybase.com/resources/socialmedia.

Locating Product Documentation

Locate documentation for help with installing and using the product. Documentation is on the product installation image.
1. Start the setup program (setup.exe).
2. Click Documentation.
3. Click the item of interest.
- Readme: includes information about finding system requirements and release notes on the technical support site, and information about what is located on the product installation image.
- Installation guide: the English version of the Afaria Installation Guide.
- Documentation folder: opens the \Documentation folder on the installation image.
All product documentation is available in English. Some documents may be available in additional languages.
Afaria Architecture

Afaria uses a distributed architecture that provides complete functionality and enterprise-grade security while managing mobile devices and computers. The Afaria architecture uses the enterprise network behind your firewall for components that require the highest security, uses the DMZ for proxy components, and uses public entities in the Internet for publicly available services, such as commercial application markets.

Figure 1: Afaria Architecture: Internet, DMZ, and Enterprise Network

Internet: Afaria devices and public entities.
- Afaria devices: user devices, such as smartphones and computers, that Afaria manages. Devices either have an Afaria application installed or have a native capability that Afaria uses to interact with the hosting device. Devices connect to Afaria servers or their proxies using HTTP and SSL.
- Public entities and services: entities that support device management and features, such as the Apple Push Notification Service (APNS) for managing iOS devices, or a commercial application market for Afaria application policies.

DMZ: relay or proxy servers, such as a Microsoft Forefront Threat Management Gateway server or a Sybase iAnywhere relay server, to enforce firewall rules and receive device communication before relaying it to an Afaria server in the enterprise network. For Afaria Access Control for Email, an optional feature, the e-mail proxy server hosts the access control filter to allow or block incoming requests based on access control policy information from Afaria. Using relay servers in the DMZ to relay communication is optional, but recommended to increase enterprise network security.

Enterprise network: Afaria component servers and the email network require connectivity to the Afaria server, and sometimes the database. When relay servers are configured for Afaria components, Afaria servers receive incoming communication from the relay servers, rather than directly from the Internet. You can consolidate some or all Afaria server components onto fewer servers, or onto a single server. If Afaria devices are resident within the enterprise network, you can configure them to make direct connections to Afaria servers.

Afaria Server

The Afaria server program is central to Afaria operations. The Afaria server has no user interface; settings and features are available through the Afaria Administrator Web application. The Afaria server can operate as a single, standalone server, or as multiple servers in a server farm. The Afaria server communicates with the Afaria database and additional components or devices as necessary.
- Standalone Afaria server: a single Afaria server operating as the only Afaria server in an Afaria installation. The server has a one-to-one relationship with the Afaria database.
- Afaria server farm: multiple Afaria servers operating together in an Afaria installation. The servers have a many-to-one relationship with the Afaria database. A server farm includes one master Afaria server and one or more farm servers.
See also: Creating a Domain User Account for Operating Afaria on page 23; Afaria Database Preparation on page 24; Additional Afaria Components on page 11.

Additional Afaria Components

The Afaria Administrator, database, and additional server components support the Afaria server for operations. Supporting components:
- Afaria Administrator: the Afaria server interface, a Web console that you can access with any supported Web browser. Afaria uses role-based access policies to control user rights. Rights are associated with functions in the user interface and with individual tenants.
- Afaria Administrator, the console: the Web console that provides an interface for the Afaria server. Use Afaria Administrator to define the server configuration; define roles for Afaria Administrator users; manage Afaria devices, groups, and policies; and monitor system activity.
- Afaria administrator, the individual: the person that installs and operates the Afaria product.
- Afaria database: Sybase's SQL Anywhere or Microsoft SQL database that stores Afaria procedures; configuration properties; device, group, and policy data; and all message and activity logging. For Afaria server components, access to the database is either direct to the database or indirect through the Afaria server.
- Certificate authority: for iOS operations, as defined by Apple to support iOS mobile device management (MDM), Afaria requires a Microsoft certificate authority (CA). The CA uses native Simple Certificate Enrollment Protocol (SCEP) to issue certificates to devices for all inbound MDM communication. The CA also hosts the optional Afaria SCEP plug-in, which further increases security by verifying that devices are in the Afaria database before allowing payload delivery.
- Enrollment server: required for handheld device enrollment and iOS operations. The enrollment server retrieves enrollment policies and starts the enrollment process for devices requesting enrollment. For iOS, the enrollment server also delivers management payloads.
- Self-service portal: lets end users enroll their device in Afaria management, and lets users view their device information and issue commands, such as to reset a password. The portal is optional for enrollment and allows users to install application policies with support from the Package server.
- Relay server: proxy for HTTP and HTTPS connections from the Internet to an Afaria component server, such as the Afaria server or the enrollment server. The relay server is optional, but recommended for increased enterprise network security.
- Package server: for application policies, serves Afaria application packages to devices. For application onboarding, serves certificates and device provisioning data to calling third-party applications. The portal package server does not serve commercial applications to devices.
- Email server: for Afaria Access Control for Email, an optional feature, the server hosts the access control PowerShell service, which polls the Afaria server for current access control policies and delivers that information to the email proxy in the DMZ.

See also: Installing Enrollment Server - Basic on page 57; Configuring Afaria Server for Package Server on page 72; Configuring Relay Server for Access Control on page 114; Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections on page 69.

Installation Options

Install Afaria on a server that does not have the Afaria software installed, or reinstall to a different installation path.

Installing a Standard Environment

Complete a standard installation to install Afaria with a separately installed database, Afaria server, and Afaria Administrator Web console. A standard environment is appropriate for installations with one or multiple Afaria servers.
Prerequisites
Before the installation, create a Windows user account for operations and establish your database environment.

Task
1. On your planned Afaria server, enter your license key and complete the Afaria server installation. If your installation is planned to have only one Afaria server, the server is a standalone server. If your installation is planned for a farm, the first server installed is the master or main server.
2. On your planned administrator server, complete the Afaria API Service and Administrator installation.
3. Complete the procedures for getting started with operations.
4. (Server farm) For each additional server, create a Windows user account for operations, enter your license key, and complete the Afaria server installation. The additional servers in a farm are called farm servers.
5. Install and configure additional components.

Afaria Reinstallation

Reinstallation is re-running an installation on an Afaria server or administrator server that already has the same version of Afaria installed. Reinstalling is appropriate for repairing problems associated with corrupted or deleted files, and for making certain types of changes to your current installation. Reinstall Afaria when changing your database version or type, changing the authentication type, adding newly licensed features or capacity, or repairing Afaria.

Afaria Upgrade

Upgrade is running an installation on an Afaria server or administrator server that has a version of Afaria installed that is on the supported upgrade path. An upgrade is defined as upgrading the complete environment; the devices must upgrade along with the server and administrator components.

Afaria Appliance Installation

Install the Afaria Appliance on a VMware host with minimal interaction, as most of the settings are preconfigured. During the setup, you configure only a few computer-specific and security settings.
Once installed, this Afaria installation supports device enrollment and management. For complete installation and configuration details for the Afaria Appliance, see the Afaria Appliance Installation Guide.

System Requirements and Release Notes

Before you install your Afaria components, ensure that your environment complies with the system requirements. Complying with system requirements and reviewing the information in the release notes helps you to take full advantage of features and operate your system appropriately. Complete system requirements are delivered with your order fulfillment. They are also available in the product release notes on the technical support site. The release notes include information about known product issues.

Note: Using terminal services or comparable means is not a viable method for installation.

Afaria 7 Upgrade

Before beginning an upgrade, validate all prerequisite and system requirements, and create an Afaria system backup. A system backup includes the database, application software, and application data.

Eligible Upgrade Path and Environment

Upgrading to Afaria 7 is supported only for Afaria 6.6 FP1 2011_06 systems on a supported Windows Server 2008 server. The Afaria 7 setup program prevents these environments from upgrading:
- Afaria instances on servers that are not supported for Afaria 7, such as Windows Server 2003.
- Afaria versions earlier than Afaria 6.6 FP1 2011_06.
- Afaria instances integrated with an Oracle database.

Entering or Updating Your License Key

Enter or update your license key, which defines available setup menu options, any time you receive a new key. Perform the update on each Afaria server.
1. Start the setup program (setup.exe).
2. In the Set Up menu, click License Key.
3. Type your license key into the key box, then click Licensing Details to review your licensing information. The maximum number of concurrent sessions supported per server depends on your licensing. The ability to run the maximum number of licensed concurrent sessions depends upon the amount of memory, the speed, and the number of processors on your server.
4. Click Apply to save the license key and return to the setup menu with your licensed options available.
5. On the setup menu, click Install > Install Server and complete the server installation. The reinstallation updates the server as necessary to support the license change.
6. Click Next.

Discontinued Platform Support

Prepare for discontinued support of several device and channel types in Afaria 7. Recommendations for items that have been discontinued in Afaria 7:
- Device type Symbian: delete devices and data prior to upgrading.
- Device type Java: delete devices and data prior to upgrading.
- Data Security Manager for Windows: 1. Unencrypt devices and uninstall the Data Security Manager client. 2. Delete channels.
- Data Security Manager for Handhelds: 1. Unencrypt devices and uninstall the Data Security Manager client. 2. Delete channels.
- Antivirus/Firewall policies: 1. Disable policies in group profiles to remove the Antivirus/Firewall client from devices. 2. Delete policies.
- OMA DM policies: 1. Run a session to remove policies from devices. 2. Disable policies in group profiles. 3. Delete policies.
- Application Control policies: 1. Disable policies in group profiles to remove the Application Control client from devices. 2. Delete policies.
- License Manager: delete License Manager data and settings.
- API object model: plan for discontinued use. Afaria 7 introduces a new API service model.

Afaria Single Server Upgrade

Upgrade an Afaria installation that includes a single Afaria server.
1. Stop Afaria services.
2. Upgrade the server. Do not start the Afaria server service at this time.
3. Upgrade the Afaria Administrator application.
4. Start the Afaria server service.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning server").
6. Connect devices for upgrade.

Afaria Server Farm Upgrade

Upgrade an Afaria installation that includes multiple Afaria servers.
1. Stop all Afaria services on the master (main) server and on all farm servers. Do not start the main server or any farm server until all components are upgraded.
2. Upgrade the main Afaria server. Do not start the Afaria server service at this time.
3. Upgrade the farm servers. Do not start the Afaria server service at this time.
4. Install the Afaria API and upgrade the Afaria Administrator application.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning server"), package server, and self-service portal.
6. Start the Afaria server service on the main server, then start the Afaria server service on the farm server(s).
7. Start the remaining Afaria services on all server(s).
8. Verify that the Afaria Client Service is running on all farm servers and that replication is successful.
9. Connect devices for upgrade.

Automatic Actions

Upgrading to Afaria 7 includes actions to support the new management model. The Afaria management model has changed from one that used group profiles as a container for assignments, monitor/action pairs, allowed channels, policies, and packages. The new model is improved for usability and uses only policies and groups to manage devices.

Device IDs

In Afaria 7, the device ID is a required field for new devices. It is a column in the device grid. The upgrade to Afaria 7 processes device IDs and client names:
- If the device ID is blank in Afaria 6.6 FP1 2011_06, the upgrade copies the client name into the device ID field.
- If the device ID is non-blank in Afaria 6.6 FP1 2011_06, the upgrade leaves the device ID untouched.
Afaria customers who rely on the client name instead of the device ID for searches, custom views, and other operations should consider the impact to their continued operations.

Assigned User Groups

In Afaria 7, user groups are available and NT/LDAP groups are no longer used. The upgrade to Afaria 7 processes NT/LDAP groups. For each group profile with one or more NT/LDAP groups assigned in Afaria 6.6 FP1 2011_06, the upgrade:
- Creates a new user group that contains all of the NT or LDAP groups assigned to that profile.
- Names the group to reflect the NT/LDAP group names, such as "Upgrade_grp1_grp2."
- In the group note field, includes the name and path of each NT/LDAP group.
- If subsequent group profile processing has an identical set of NT/LDAP groups assigned, the upgrade does not create a duplicate user group.

Discontinued Channel Types

In Afaria 7, all channels other than Session Manager channels are discontinued. Inventory Manager and Configuration Manager channels are discontinued as channels, but the features remain present in Afaria 7 configuration policies. The upgrade to Afaria 7 processes Inventory and Configuration Manager channels:
- Creates an Afaria configuration policy for each channel, using a naming convention that reflects its origin:
  - If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  - If it was not assigned to a group profile: <ChannelName>
- Description is preserved.
- Priority value is preserved.
- For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit" schedules are created.
- Authentication and published states are preserved.

The upgrade to Afaria 7 processes the remaining discontinued channels:
- Backup Manager: delete any existing Backup Manager channels. Leave backed-up data in the ABD folder.
- Document Manager: delete any existing Document Manager channels. Leave data in source locations. Leave files in differencing and compression caches; they will eventually age out.
- Software Manager for Windows, Windows Mobile, Symbian, and Palm: delete any existing Software Manager channels. Remove package tracking information.
- Patch Manager: delete any existing Patch Manager channels. Delete the patches pulled down from the Microsoft site to the path configured on the Afaria server.

Session Manager Channels

In Afaria 7, all Session Manager channels continue, but are delivered in session policies. The upgrade to Afaria 7 processes Session Manager channels:
- Creates an Afaria session policy for each channel, using a naming convention that reflects its origin:
  - If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  - If it was not assigned to a group profile: <ChannelName>
- Description is preserved.
- Priority value is preserved.
- For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit" schedules are created.
- Channel encryption is discontinued in Afaria 7. We recommend that users run secure sessions instead.
- Authentication, published, and default channel states are preserved.

iOS Device Configuration Policies

In Afaria 7, all iOS Device Configuration policies continue, but become configuration policies. The upgrade to Afaria 7 processes iOS device configuration policies:
- Creates an Afaria configuration policy for each policy, using a naming convention that reflects its origin:
  - If it was assigned to a group profile: <PolicyName>-<ProfileName>
  - If it was not assigned to a group profile: <PolicyName>
- Description is preserved.
- Priority value is preserved.
- Group assignment is preserved. A policy with an assignment is published. A policy without an assignment is unpublished.
- Enabled or disabled state in the group profile is preserved as enabled or disabled in the payload.

Portal Application Packages

In Afaria 7, all portal application packages continue, but become application policies.
The upgrade to Afaria 7 processes portal application packages: Create an Afaria application policy for each package using a naming convention to reflect its origin: If it was assigned to a group profile <AppName>-<ProfileName If it was not assigned to a group profile <AppName> Description is preserved. Priority value is preserved. Group assignment is preserved. A package with an assignment is published. A package without an assignment is unpublished. Required or optional state is preserved. Enabled or disabled state in group profile is preserved as published or unpublished in policy, respectively. Afaria 7 Upgrade 22 Afaria Preparing to Install Afaria Before starting Afaria installation and configuration, prepare for the installation process. For example, prepare the database, and obtain Apple Certificates. Creating a Domain User Account for Operating Afaria Create a domain Windows account to install the Afaria server, farm server, and related servers. If applicable, the account is also used to run the Windows service. The main Afaria server, farm servers, and other related servers and components must use the same domain user account name and password. Note: If you plan on installing SSP with LDAP, ensure the domain user you create has permission to access the Active Directory server. 1. On the planned server, create a Windows domain user account with these attributes: Log on as Service if the server uses a Windows service, Afaria starts automatically after reboot 2. On the planned server, add the domain user as an administrator in the user group. 3. Record the account credentials you will use when prompted as you install the Afaria server, Afaria Administrator programs, and additional components. 4. 
(Active Directory environment) On the domain controller, update the user account properties (AccountName > Properties > Account > Log On To) to ensure the Log On To list of log on workstations is either unrestricted or includes the planned Afaria Administrator server and all planned Afaria Administrator browser computers. Updating Passwords and Domain User Accounts for Afaria As needed and without reinstalling the Afaria server, change the domain user account and password associated with the Afaria server service, or the user password associated with the database. The main Afaria server and all farm servers must use the same user account name and password. 1. Close all Afaria programs. 2. Using a command line, run the setup program (setup.exe) with parameters to change the service account or password. The setup program accepts parameters in any order. Available parameters: -Maintenance required for all commands. Preparing to Install Afaria Installation Guide 23 -ServiceAccount= name required if changing the user account and password associated with the Afaria server service. -ServicePassword=password required if changing the user account and password associated with the Afaria server service. -DatabasePassword=password required if changing the database user account password. 3. Allow the program to run to completion. The Afaria setup program runs silently, and may take several minutes to complete. You may not know when it has finished unless you watch the task list or run the setup from a batch file. To check for errors, see C:\silent.log. Syntax Examples for Updating Afaria Server Password When updating the user account and password on an Afaria server, the Afaria setup program accepts parameters in any order. 
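Because setup.exe runs silently, the guide suggests running it from a batch file. The following PowerShell wrapper is an added example, not part of the Sybase guide: it runs the -Maintenance invocations listed under Examples, waits for setup.exe to exit, and reports only the lines that C:\silent.log gained during the run. The setup.exe path, the assumption that setup.exe appends to C:\silent.log, the meaning of its exit code, and the pattern used to spot error lines are assumptions not taken from the guide.

```powershell
# Added example (not from the Sybase guide): runs "setup -Maintenance ..." with
# the parameters documented above and reports what C:\silent.log recorded.
# Assumptions not taken from the guide: the path of setup.exe, that setup.exe
# appends to C:\silent.log, that exit code 0 means success, and that error
# lines in the log contain the word "error".
function Invoke-AfariaMaintenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SetupPath,   # e.g. C:\Program Files (x86)\Afaria\setup.exe
        [string]       $ServiceAccount,               # new service account; needs -ServicePassword
        [securestring] $ServicePassword,
        [securestring] $DatabasePassword,
        [string]       $LogPath = 'C:\silent.log'     # log file named in the guide
    )
    # -Maintenance is required for every command; the others are optional.
    # (Start-Process joins the list with spaces, so values with spaces need quoting.)
    $setupArgs = @('-Maintenance')
    if ($ServiceAccount) {
        if (-not $ServicePassword) { throw '-ServiceAccount requires -ServicePassword' }
        $plain = [System.Net.NetworkCredential]::new('', $ServicePassword).Password
        $setupArgs += "-ServiceAccount=$ServiceAccount", "-ServicePassword=$plain"
    }
    if ($DatabasePassword) {
        $plain = [System.Net.NetworkCredential]::new('', $DatabasePassword).Password
        # The guide's SQL Server user requirements exclude ";" from the password.
        if ($plain -match ';') { Write-Warning 'database password contains ";", which the SQL Server user requirements do not allow' }
        $setupArgs += "-DatabasePassword=$plain"
    }
    if ($setupArgs.Count -eq 1) { throw 'nothing to change: pass -ServiceAccount or -DatabasePassword' }

    # Remember how long the log is now so only lines written by this run are reported.
    $before = if (Test-Path $LogPath) { @(Get-Content $LogPath).Count } else { 0 }

    # setup.exe gives no feedback of its own; -Wait blocks until it exits.
    # While it runs, the passwords are visible in its command line to anyone who
    # can list processes on this server, so run this from an administrative session only.
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru

    $newLines = if (Test-Path $LogPath) { @(Get-Content $LogPath | Select-Object -Skip $before) } else { @() }
    $errors   = @($newLines | Where-Object { $_ -match 'error' })
    [pscustomobject]@{
        ExitCode  = $proc.ExitCode
        LogLines  = $newLines.Count
        Errors    = $errors
        Succeeded = ($proc.ExitCode -eq 0 -and $errors.Count -eq 0)
    }
}

# Usage: prompt for the password so it never lands in the shell history.
# Account name and path below are placeholders, not values from the guide.
# $pw = Read-Host 'New service password' -AsSecureString
# Invoke-AfariaMaintenance -SetupPath 'C:\Program Files (x86)\Afaria\setup.exe' `
#     -ServiceAccount 'CORP\afariasvc' -ServicePassword $pw
```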
Examples:

    setup -Maintenance -DatabasePassword=password
    setup -Maintenance -ServiceAccount=name -ServicePassword=password
    setup -Maintenance -DatabasePassword=password -ServicePassword=password2

Afaria Database Preparation

The Afaria server uses a database to log system activity and data. All servers in a farm access the same database. Unless you install the Afaria Appliance, you must install and configure your database before installing the Afaria server; the Afaria Appliance includes database installation and configuration. The product supports using iAnywhere SQL Anywhere or Microsoft SQL Server for the Afaria database; however, configure only one type of database. Refer to the system requirements for complete database support information.

Estimating Your Database Size Requirements

To understand your weekly disk space requirements for operations with all logging enabled, estimate your database size. Plan disk availability based on the requirements.

1. Estimate values:
   - Number of sessions per day
   - Average session size
2. Apply the estimates to the daily formula for estimated growth per day:
   (# of sessions per day) * (average session size) = estimated growth per day
3. Apply the daily estimate to the weekly formula for estimated growth per week:
   (estimated growth per day) * 7 = estimated growth per week

For example, to determine the weekly disk space growth for 1000 daily sessions with an average session size of 60KB:
   (1000 sessions per day) * (60KB average session size) * 7 days = 420MB
So in this example, the database is estimated to grow by 420MB per week.

Consider these items when calculating estimates:
- Add 1MB of data per week to the estimate for each device that reports inventory.
- Session channels with 100 events add an average of 40KB in database growth per session in additional log data.

Creating an SQL iAnywhere Database and User

If you plan to use the Sybase iAnywhere SQL Anywhere database with Afaria, create the database for operations and an associated user to provide a user context for accessing the database. The database name should remain the same throughout the Afaria server installation and configuration process.

1. Create a database. Use default configuration settings with the exception of these attributes:
   - Install jConnect metadata support: disabled.
   - Page size: 8192 KB minimum.
2. Create a database user for the Afaria service to use for database access. Assign the database administrator (DBA) authority to the user.
3. Connect to the new database using these network database server properties:
   - Identification: the database user name and password that you created for Afaria database access.
   - Database: indicate the Afaria database server name and start line dbsrv11.exe, as well as the database name and file. Do not start the database using start line dbeng11.exe, which is for non-network database servers and does not support enough database connections for the Afaria service. Sybase strongly recommends that you have only one instance of dbsrv11.exe per database.

Configuring the iAnywhere SQL Anywhere Database for Operations

For Sybase iAnywhere SQL Anywhere operations, prepare your database environment for sustainability and availability. To create a Windows service that automatically starts the database whenever the Afaria server is restarted:

1. In Sybase Central, select the Services tab and run the New Services wizard.
2. Name the service.
3. Select the Network Database Server service type.
4. Accept the default executable, dbsrv11.exe.
5. Specify the parameters to run only the TCP/IP network driver (-x) and the database name and path (-n). For example:
   -x tcpip -n afariadb c:\afaria\afaria.db
6. Select the default Local system account and Allow service to interact with desktop for running the service.
7. Select start-up type Automatic.
8. Select to restart the service now.

Upon completion of the wizard, create a system event to back up and truncate the log. Sybase recommends a log size of 50MB as an initial setting.

Creating a SQL Server Database and User

For Microsoft SQL Server database operations with Afaria, create the database and an associated user to provide a user context for accessing the database. The database name should remain the same throughout the Afaria server installation and configuration process.

1. Create a database with these attributes:
   - Datafiles: Automatically Grow File, Unrestricted Filegrowth.
   - Transaction Log: Minimum size 25 MB, Automatically Grow File, Unrestricted Filegrowth.
2. Create a role called db_executor with the execute right.
3. For the user you plan to use for Afaria operations with the database, ensure the user has these attributes for your Afaria database:
   - Default schema: dbo
   - Role: db_ddladmin
   - Role: db_datawriter
   - Role: db_datareader
   - Role: db_executor
   - Password does not contain the semicolon (;) character

Example SQL Script for Creating a SQL User for Afaria Database Operations

This example script creates a new role with the execute right for a database named Afaria and assigns the user JBrowne all the required attributes the user needs for Afaria operations.

    -- For a database named Afaria and a login named JBrowne, create a user named JBrowne
    -- and grant the user the appropriate rights.
    USE Afaria
    GO
    -- Create a new role for executing stored procedures
    CREATE ROLE db_executor
    -- Grant stored procedure execute rights to the role
    GRANT EXECUTE TO db_executor
    GO
    -- Assign user to dbo and required roles
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
    BEGIN
        CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
        EXEC sp_addrolemember db_ddladmin, JBrowne
        EXEC sp_addrolemember db_datawriter, JBrowne
        EXEC sp_addrolemember db_datareader, JBrowne
        EXEC sp_addrolemember db_executor, JBrowne
    END;

When you install the Afaria server, use the credentials from a user like this one if you choose SQL authentication for the Afaria database. If you use Windows integrated authentication instead of SQL authentication, the Windows user requires the same rights and roles.

Configuring the SQL Server Database for Operations

For Microsoft SQL Server operations, prepare your database environment for sustainability and availability. Verify that logs are truncated on checkpoint:

1. Right-click the database and select Properties.
2. In the Properties window, click the Options tab.
3. In the Recovery section, click the Model list box and select Simple.

Apple Certificates for Managing Afaria Devices

Using Afaria to manage iOS devices requires an Apple Push Notification Service (APNS) certificate, an Apple, Inc. Root certificate, and an Apple Application Integration certificate. These certificates allow Afaria to communicate securely with iOS devices and uniquely identify your enterprise Afaria installation as a trusted vendor for mobile device management (MDM). An enterprise uses a Macintosh or Windows computer, the Apple Push Certificates Portal, and the Sybase Apple CSR signing site to obtain the push, root, and application integration certificates, then installs the certificates for Afaria operations.

See also: Configuring Afaria Server for iOS Notifications on page 64

Obtaining Root and Intermediate Certificates

Once per Afaria environment, obtain root and application integration certificates to install in your Afaria environment, so that any APNS certificates you or your tenant customers install have a valid chain to the root. You will install the certificates when you are installing and configuring for iOS operations.

1. Go to the Apple Root Certification Authority site at http://www.apple.com/certificateauthority.
2. Download Apple Inc. Root Certificate.
3. Download Application Integration.

See also: Completing and Exporting the APNS Certificate on page 31

Adding Apple Certificates to Afaria

You can use the Afaria certificate installation utility or the Windows Microsoft Management Console (MMC) to install the Apple root, application integration, and push certificates on your Afaria server. After the installs, you will be able to manage your iOS devices.

Obtaining an Apple APNS Certificate

For a system tenant or non-system tenant, obtain an Apple APNS certificate to validate your iOS MDM request to the Apple APNS service. You will install the certificate when you configure the Afaria server for iOS notifications. Obtain a certificate based on the Afaria tenant implementation:
- If you are an enterprise using only the system tenant, obtain one Apple push certificate for the system tenant.
- If you are an enterprise using multiple tenants to separate operations, obtain one Apple push certificate for the system tenant.
- If you are a hosting enterprise using multiple tenants to separate multiple customers, ensure each customer obtains their own Apple push certificate for their tenant. Do not obtain a push certificate for the system tenant, as it would become the backup certificate for tenants that do not obtain a certificate.

Requirements for Obtaining an Apple APNS Certificate

To obtain an Apple Push Notification Service (APNS) certificate, you must have a Web browser and an Apple ID.
- Computer with administrator rights: Macintosh OS X workstation or Windows server.
- Web browser: Safari or Mozilla Firefox.
- Apple ID: as issued to your enterprise (recommended) or to you as an individual by Apple, to associate with the certificates. An Apple iOS Developer Program membership is not required to obtain an Apple ID.

General Apple Certificate Tasks for Afaria iOS MDM

From your Mac or Windows server and the Sybase Apple CSR signing site, create your certificate signing request (CSR) to deliver to Apple, get a push certificate, and download the root and application integration certificates.

1. Creating a Certificate Signing Request: On either a Macintosh or Windows server, start the certificate signing request that will become your enterprise's APNS certificate (push certificate). Use the same server to finish the request later.
2. Getting Your CSR Signed by SAP Sybase: As a required part of the Apple certificate process, submit your enterprise CSR to the SAP Sybase Apple CSR signing site.
3. Getting an APNS Certificate from the Apple Portal: Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-based Apple Push Notification Service requests.
4. Completing and Exporting the APNS Certificate: On the Macintosh or Windows server that originated the certificate signing request, complete the request and export the APNS certificate for Afaria operations.
5. Obtaining Root and Intermediate Certificates: Once per Afaria environment, obtain root and application integration certificates to install in your Afaria environment, so that any APNS certificates you or your tenant customers install have a valid chain to the root. You will install the certificates when you are installing and configuring for iOS operations.
6. Adding Apple Certificates to Afaria: You can use the Afaria certificate installation utility or the Windows Microsoft Management Console (MMC) to install the Apple root, application integration, and push certificates on your Afaria server. After the installs, you will be able to manage your iOS devices.

Creating a Certificate Signing Request

On either a Macintosh or Windows server, start the certificate signing request that will become your enterprise's APNS certificate (push certificate). Use the same server to finish the request later.

See also: Getting Your CSR Signed by SAP Sybase on page 31

Creating a Certificate Signing Request on Macintosh

On any Macintosh server in your enterprise, use the Keychain Access utility to create your CSR.

1. On your server, open Applications > Utilities > Keychain Access.
2. In the left pane, select Keychain > Login, and Category > Certificates.
3. From the menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
4. On the Certificate Information page, enter the e-mail address and common name, select Save to disk and Let me specify key pair information, then click Continue.
5. Save the file (.CSR) and record the location.

The CSR request is created and ready for signing.

Creating a Certificate Signing Request on Windows

On any Windows server in your enterprise, use the IIS Manager utility to create your CSR.

1. On your server, open Internet Information Services (IIS) Manager.
2. From the Connections column, select the server.
3. In the center pane, in the IIS section, double-click Server Certificates.
4. In the right pane, click Create Certificate Request.
5. On the Distinguished Name Properties page, enter:
   - Common name: name of the person generating the request.
   - Organization: legally registered name of your organization.
   - Organizational unit: name of the department within the organization.
   - City/locality: the organization's city location.
   - State/province: the organization's state location.
   - Country/region: two-letter ISO code for the organization's country location.
6. On the Cryptographic Service Provider Properties page, select:
   - Cryptographic Service Provider: Microsoft RSA SChannel.
   - Bit length: 2048 or greater.
7. On the File Name page, define the path and file name (.TXT).
8. Save the file and record the location.

The CSR request is created and ready for signing.

Getting Your CSR Signed by SAP Sybase

As a required part of the Apple certificate process, submit your enterprise CSR to the SAP Sybase Apple CSR signing site.

1. Go to the Sybase Mobile Enterprise Technical Support site's Apple CSR signing page at http://frontline.sybase.com/support/applecert.asp.
2. Upload your CSR certificate to the Web site. The CSR may be in .CSR (Macintosh) or .TXT (Windows) format.
3. After the upload is complete, download your signed CSR (.SCSR).

The signed CSR is ready for upload to the Apple Push Certificates Portal site to get an APNS certificate.
See also: Creating a Certificate Signing Request on page 29

Getting an APNS Certificate from the Apple Portal

Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-based Apple Push Notification Service requests.

1. From your computer, using a Web browser (Sybase recommends Safari), go to the Apple Push Certificates Portal site at https://identity.apple.com/pushcert.
2. Log in using your Apple ID credentials.
3. Click Create a Certificate.
4. After accepting the terms of use, click Choose File and select the signed CSR (.SCSR) received from the Sybase Apple CSR signing site.
5. Click Upload. After uploading your certificate, a new Apple-signed push certificate for mobile device management for vendor Sybase appears on the Certificates for Third-Party Servers page.
6. Click Download to save it locally in .PEM format.

You now have an APNS certificate from Apple that is in an incomplete state. Complete the certificate on the server that originated the CSR.

Completing and Exporting the APNS Certificate

On the Macintosh or Windows server that originated the certificate signing request, complete the request and export the APNS certificate for Afaria operations.

See also: Obtaining Root and Intermediate Certificates on page 28

Completing and Exporting the APNS Certificate on Macintosh

On the Macintosh server that originated the certificate signing request, complete the request and export the APNS certificate for Afaria operations.

1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple Push Certificates Portal.
2. Double-click the file to install and complete the certificate request. The Keychain Access utility displays.
3. In the Keychain Access utility, in the left pane, select Keychain > Login, and Category > Keys.
4. Verify that the certificate, identified by the common name you assigned it, appears with a key value in the Kind column.
5. Right-click the private key and select Export.
6. Save the file in .p12 or .pfx format.
7. Enter and record a password of your choice to export the certificate.

You now have an APNS certificate from Apple, which is ready to be added to the Afaria server.

Completing and Exporting the APNS Certificate on Windows

On the Windows server that originated the certificate signing request, complete the request and export the APNS certificate for Afaria operations.

1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple Push Certificates Portal.
2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3. From the Connections column, select the server.
4. In the center pane, in the IIS section, double-click Server Certificates.
5. In the right pane, click Complete Certificate Request.
6. Select the .pem certificate from the Apple Push Certificates Portal.
7. Enter a common name for tracking the certificate and click OK.
8. To export the APNS certificate to the correct format, right-click the certificate and select Export.
9. Specify a path to save the certificate file in .pfx format.
10. Enter a password, and then click OK.

You now have an APNS certificate from Apple, which is ready to be added to the Afaria server.

Obtaining a Google API Key

To create enrollment policies for Afaria device enrollment, the Google URL Shortener API must be accompanied by an API key that identifies your organization as the calling entity. If you are planning to use TinyURL as your only URL shortening service, you do not need a Google API key.

1. Go to developers.google.com.
2. In the Developer Tools group, click API Console.
3. After logging in, create a new API project or use an existing project, navigate to the list of all services, and activate the URL Shortener API.
4. Navigate to the API Access page and locate the Simple API Access item.
5. Record the API key for use in Afaria configuration for enrollment codes.

Next:
- Google APIs Web site: http://code.google.com/apis/console
- Google URL Shortener API getting started: http://code.google.com/apis/urlshortener/v1/getting_started.html

See also: Configuring Afaria Server for Enrollment Codes on page 59

Installing Afaria Server

Install the Afaria server as the first server component in your Afaria installation. This section is intended as a sequence of steps to follow from start to finish.

Entering or Updating Your License Key

Enter or update your license key, which defines the available setup menu options, any time you receive a new key. Perform the update on each Afaria server.

1. Start the setup program (setup.exe).
2. In the Set Up menu, click License Key.
3. Type your license key into the key box, then click Licensing Details to review your licensing information. The maximum number of concurrent sessions supported per server depends on your licensing. The ability to run the maximum number of licensed concurrent sessions depends upon the amount of memory and the speed and number of the processors on your server.
4. Click Apply to save the license key and return to the setup menu with your licensed options available.
5. On the setup menu, click Install > Install Server and complete the server installation. The reinstallation updates the server as necessary to support the license change.
6. Click Next.

Starting the Setup Program

Start the Afaria server setup program and install an Afaria server.

Prerequisites
- Install, configure, and start your database for the Afaria server.
- Establish a user account for installing and operating the Afaria server.

Task
1. Start the setup program (setup.exe).
2. On the setup menu, click Install.
3. Click Install Afaria Server. The End User License Agreement dialog displays.
4. Click Yes or No to indicate your acceptance or rejection, then click Next to continue with the installation wizard and specify the server installation type (master or farm) and directory. The installation continues only when you accept the agreement.

Defining Server Type and Directory

Select options for master or standalone server setup, directory selection, and service account.

1. On the Confirm Master or Standalone Server install page, click Next. If you are installing a main or standalone server, continue with selecting the authentication type. If you are installing a farm server, complete the installation.
2. On the Directory Selection dialog, accept the default location or click Browse to navigate to a new location, then click Next to continue with the installation wizard and database definition. The default directory is C:\Program Files (x86)\Afaria\.

Selecting Microsoft SQL Server Database

If you selected Microsoft SQL Server, continue with the Microsoft SQL Server Setup dialog.

1. On the Select Database Engine dialog, select the applicable database.
2. Select the Microsoft SQL Server.
3. On the Service Account dialog, specify the account name and password you created for operating Afaria. This account should be the same domain account that is used across Afaria servers and components.
4. Select either Windows Authentication, to use a Windows administrator account with SQL Server privileges, or SQL Server Authentication, to use the SQL Server account with its associated password that you set up for Afaria.
5. Click Next to continue.
6. On the SQL Server Database dialog, select the database you configured for Afaria. If you are installing a farm server, you must select the database for the existing Afaria server. If you are reinstalling the Afaria server as standalone, you must select a new database.
7. Continue with selecting server authentication options.
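Before committing to a SQL Server account in the dialog above, it is worth confirming that the account carries the attributes required under "Creating a SQL Server Database and User" (default schema dbo and the roles db_ddladmin, db_datawriter, db_datareader and db_executor); the same check applies to the Windows user when integrated authentication is used. The following PowerShell check is an added example, not part of the Sybase guide. It assumes sqlcmd is installed on the machine, that your Windows login may read the catalog views, and that you supply the server name; the database name Afaria and user JBrowne are the ones used in the guide's script.

```powershell
# Added example (not from the Sybase guide): verifies that a SQL Server user
# meets the requirements listed under "Creating a SQL Server Database and User"
# (default schema dbo; roles db_ddladmin, db_datawriter, db_datareader, db_executor).
# Assumptions not taken from the guide: sqlcmd is installed on this machine, the
# caller's Windows login may read the catalog views, and the server name you pass.
$script:AfariaRequiredRoles = @('db_ddladmin', 'db_datawriter', 'db_datareader', 'db_executor')

# Pure comparison, so it can be exercised without a database: returns one line
# per unmet requirement; an empty result means the user is ready for Afaria.
function Test-AfariaDbPrincipal {
    param([string] $DefaultSchema, [string[]] $Roles)
    $problems = @()
    if ($DefaultSchema -ne 'dbo') { $problems += "default schema is '$DefaultSchema', expected dbo" }
    foreach ($role in $script:AfariaRequiredRoles) {
        if ($Roles -notcontains $role) { $problems += "missing role $role" }
    }
    return ,$problems
}

# Reads the user's default schema and role memberships from the catalog views:
# sys.database_principals (as in the guide's script) and sys.database_role_members.
function Get-AfariaDbPrincipal {
    param(
        [Parameter(Mandatory)] [string] $Server,        # e.g. 'SQLHOST\AFARIA' (placeholder)
        [Parameter(Mandatory)] [string] $UserName,      # e.g. 'JBrowne', as in the guide's script
        [string] $Database = 'Afaria'                   # database name used in the guide
    )
    # The name is spliced into a T-SQL string literal, so allow only safe characters.
    if ($UserName -notmatch '^[A-Za-z0-9_.\\-]+$') { throw "unexpected characters in user name '$UserName'" }
    $query = @"
SET NOCOUNT ON;
SELECT 'SCHEMA', default_schema_name FROM sys.database_principals WHERE name = N'$UserName';
SELECT 'ROLE', r.name
  FROM sys.database_role_members rm
  JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
 WHERE u.name = N'$UserName';
"@
    # -E: Windows login of the caller; -h -1: no headers; -W: trim padding; -s ',': separator
    $lines = & sqlcmd -S $Server -d $Database -E -h -1 -W -s ',' -Q $query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
    $schema = $null; $roles = @()
    foreach ($line in $lines) {
        $kind, $value = $line -split ',', 2
        switch ($kind) {
            'SCHEMA' { $schema = $value }
            'ROLE'   { $roles += $value }
        }
    }
    if (-not $schema) { throw "user '$UserName' does not exist in database '$Database'" }
    [pscustomobject]@{ DefaultSchema = $schema; Roles = $roles }
}

# Offline demonstration with constructed values: a user that was granted
# everything except db_executor, which the pure check reports as missing.
Test-AfariaDbPrincipal -DefaultSchema 'dbo' -Roles @('db_ddladmin', 'db_datawriter', 'db_datareader')

# Live check against your server (server name is a placeholder):
# $p = Get-AfariaDbPrincipal -Server 'SQLHOST\AFARIA' -UserName 'JBrowne'
# Test-AfariaDbPrincipal -DefaultSchema $p.DefaultSchema -Roles $p.Roles
```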
Installing Afaria Server 36 Afaria Selecting iAnywhere SQL Anywhere Database If you selected iAnywhere SQL Anywhere, continue with the SQL Anywhere Server Setup dialog. Prerequisites If you are using SQL Anywhere iAnywhere server, manually restart the database server to pick up the most up-to-date client drivers. Task 1. On the SQL Anywhere Server Database dialog, enter the Database name and click Next. 2. Select the SA Server Name from the list. The list populates only with names of SQL Anywhere servers on the same subnet. To locate a SQL Anywhere server outside the subnet, select Edit Host/Port. The Host name may be a machine name or IP address. 3. Select a login type and click Next to continue: Integrated login select this option to integrate your Windows login with your SQL Anywhere login. SA user login enter the login information for the database user with DBA authority that you created for your Afaria database. 4. On the SQL Anywhere Server database dialog, select the database you created for Afaria, then click Next to continue. The Afaria installation program validates the database you specify. If you type the database name incorrectly or type the name of the wrong database, you may see a Request to start/stop database denied error. 5. Continue with selecting server authentication options. Selecting Authentication Type Select the user authentication type for connecting devices; either Windows authentication or SQL Server Authentication. Local authentication is always enabled. 1. In the SQL Set Up dialog, select the applicable authentication type and click Next to continue. a) Select Windows Authentication and choose either NT or LDAP. For NT domain or local authentication, click NT domain-based and retain <none> as the domain. For NT domain authentication, click NT domain-based and enter the domain. As the Installing Afaria Server Installation Guide 37 administrator, you must also be a member of this domain. Use commas to separate multiple domains. 
Click Next. For LDAP authentication select LDAP-based, click Configure LDAP and proceed to Configuring LDAP Information topic. b) Select SQL Server Authentication and define the SQL Server Login and authentication. This username and password should be in the domain and be the same name used throughout the installation of Afaria and its components. Click Next. 2. Complete the installation. If you do not choose a domain during installation, you can add a domain for authentication on the Server Configuration > Properties > Security page To allow users to use blank passwords, additional operating system settings are required. See the Administration Reference to learn more about the requirements for allowing blank passwords. Configuring LDAP Information Configure LDAP settings to support LDAP user authentication and channel assignments. 1. In the LDAP Server Login Information dialog, enter the login information. Server Address enter your LDAP server address as either a fully qualified domain name, such as afaria.mycompany.com, or as an IP address. Port Number Afaria automatically defaults to the LDAP standard port 389. If you enter another port number, you must enter a number greater than 1024. Server Type select your LDAP server type. Use SSL select to enable SSL communication with your LDAP server. SSL Port Number define the LDAP server port for SSL communications. Anonymous Login select Anonymous Login to allow the Afaria server to communicate with the LDAP server without using a dedicated LDAP user account for the server. If using anonymous login, configure your LDAP server to allow a search of the directory structure for users, user groups, and organizational units and all of their attributes. User DN if not using anonymous login, enter the user DN (distinguished name) for the LDAP account the Afaria server uses to communicate with the LDAP server. If you do not know the user name for the account, click Search User. 
You must have an LDAP proxy user configured for an anonymous login to be able to search for users. You can enter a name using a wildcard character to search for the correct User DN. For example, you can enter *mith or *mit* to search for Smith. Password enter the password for the LDAP account the Afaria server uses to communicate with the LDAP server. 2. In the LDAP Root Directory dialog, select a root directory that contains all of the groups, organizational units, and users the server requires for authentication and assignments. 3. In the LDAP User Characteristics dialog, select a characteristic. Installing Afaria Server 38 Afaria LDAP Class Name for Users select or enter the LDAP Class Name for Users. User Name Attribute select or enter the user name attribute to use in the LDAP environment. When client users connect to the server, they enter the user ID as the user name you specify. 4. In the LDAP Container Settings dialog, select a membership basis for assigning channels to users. Support OU membership select to assign channels to users based on their organizational unit (OU). Support OU and group membership select to assign session policies to users based on both their OU and groups. 5. Complete the installation. Completing the Installation Continue with the Ready To Start Installation dialog box to complete installation. 1. On the Ready to Start Installation dialog, click Install. The Setup Complete dialog opens when the installation is complete. 2. If you receive a message that a file is in use, choose an appropriate action. Abort quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files have been updated and some have not, leaving the installation in an undesirable state. Re-run the installation program to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again. 
Retry close the application using the file specified, and then click Retry to install the file again. If the installation does not continue, click Ignore. Ignore continues the process but requires you to restart the computer to complete the installation. You may be prompted to restart your computer when the file copying process is completed. After the restart, the installation program continues from the point at which it was interrupted. 3. Select whether to start the service at this time. To allow connections immediately, start the service. To continue with additional installations and configuration, do not start the service. 4. Click Finish. Installing Afaria Server Installation Guide 39 Installing Afaria Server Farm For a farm environment, install additional servers after installing the main Afaria server and the Afaria Administration Web console. Prerequisites Ensure all farm servers are in the same domain and the domain username and password matches the ones specified for Afaria Administrator and API services. Task For each planned farm server: 1. Start the setup program (setup.exe). 2. Enter the license key. 3. Start the server installation. 4. Complete the installation, using the same domain user account, database, and options as the main Afaria server. You must select the database for the existing Afaria server. 5. Start Afaria server service on the main server, then on the farm servers. Installing Afaria Server 40 Afaria Installing Afaria API Service and Administrator Install Afaria API Server and Administrator on either the Afaria server or a different server. 1. Start the setup program (setup.exe) in the Afaria installation directory. 2. On the setup menu, click Install. 3. Click Install Afaria and API Service Administrator, and click Next. 4. On the Select Database engine dialog, select the applicable iAnywhere SQL Anywhere or Microsoft SQL database you configured previously and click Next. 5. 
On the SQL Anywhere Server Set Up dialog, select a Server Name and confirm the existing field values or enter the applicable ones. All the database fields are pre-populated if the Afaria server is installed on the same machine. If not, you need to enter them manually.
6. On the SQL Anywhere Server Database dialog, enter the Database name and click Next.
7. On the Directory Selection dialog, change the default install path if desired, and click Next. Create a directory for the installation if required.
8. On the Service Account dialog, define the domain or local account associated with the Afaria API Service and Administrator, and click Next. The account credentials should be the same as those used for the Afaria server install.
9. Click Install to start the Afaria API Service installation setup, and click Next on the resulting welcome dialog.
10. On the Set Up Complete dialog, select whether to start the service now or later. The Administrator installation stops the API Service automatically if required.
11. On the Select Virtual Directory dialog, define the virtual directory for Afaria Administrator in IIS. If you created a directory, select it from the list. If you have not created a directory, type the name for the directory to create it. The directory appears in the IIS directory under Default Web Site.
12. On the Select Physical Directory dialog, enter or browse to the physical directory in which to install the Afaria Administrator files. If you are installing Afaria Administrator on the same server as the Afaria server, install Afaria Administrator in a different directory.
13. On the Domain Selection dialog, enter the domain for selecting Afaria Administrator users to administer the Afaria server. To limit selection to only local users, keep <none> as the domain.
14. On the Ready To Start Installation dialog, click Install to begin the installation. The Setup Complete dialog box opens at completion.
The Afaria Administrator installation stops the API Service prior to installation, if required.
15. If you receive a message that a file is in use, choose an appropriate action.
Abort: quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files have been updated and some have not, leaving the installation in an undesirable state. Re-run the installation program to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.
Retry: close the application that is using the specified file, and then select Retry to install the file again. If the installation does not continue, select Ignore.
Ignore: continues the process but requires you to restart the computer to complete the installation. You may be prompted to restart your computer when the file copying process is completed. After the restart, the installation program continues from the point at which it was interrupted.
16. On the Setup Complete dialog, click Finish. An Afaria Administrator shortcut appears on the desktop.
17. If you used a predefined virtual directory for this installation rather than allowing the setup program to create one for you, verify the API Service and Afaria Administrator settings in the directory before operating the Afaria Administrator program.

Verifying Afaria Administrator IIS Settings
If you used a predefined virtual directory when installing Afaria Administrator (instead of allowing the setup program to create one for you), or if you are having problems accessing Afaria Administrator from a browser, verify the Afaria API Server and Administrator settings and the IIS settings.
1. From the Afaria Administrator, select Start > Administrative Tools > Internet Information Services (IIS) Management.
2. Click the Basic Settings link on the right toolbar.
3.
In the Edit Application dialog, verify that the physical path is the one you set during installation.
4. Open Default Document and verify that default.aspx appears in the list.
5. Open Authentication and ensure that only Windows authentication is enabled.
6. Click Back and click Browse on the right toolbar.
Note: If you have stopped and restarted IIS at any time before opening Afaria Administrator, ensure that the WWW Publishing Service also started when you restarted IIS. If it is not started, you can reset IIS, or you can restart it manually. This service must be running for you to open Afaria Administrator.

Changing the IIS Connection Timeout Value
Change the IIS connection timeout value to prevent the Afaria server from disconnecting an inactive browser user. Disconnected sessions can result in data loss.
1. From the Afaria home page, select Administrative Tools > Internet Information Services (IIS) Manager.
2. Right-click Default Website on the left pane.
3. In the connections section, increase the timeout value to meet your needs, then click OK. When you change this value, it affects all the Default Web Site members. Ensure that you have determined an acceptable value for all sites.

Starting Operations and Server Configuration
To get started with Afaria after completing the installation, complete the tasks that prepare for, and validate, basic operations.

Logging In to Afaria Administrator
Use the default user credentials to log in to the Afaria Administrator application. By default and after installation, the only user that can log in to the Afaria Administrator application is the user who installed the product. If you are in a different user context, the application prompts you for the installing user's credentials.
Open your browser and enter the Afaria Administrator address:
http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>
If your current user context differs from the user context used for installing the product, the Enter Network Password dialog opens. Enter the installing user name, password, and domain and click OK. Domain is not required when logging in to a local machine.

Logging in as Added User
Use your Windows user credentials to log in as an added user. Log in to Afaria a second time, using your Windows user credentials. You can switch your user context by using the Logon As User feature.
1. From the Afaria Homepage, click Logon As User. The Connect To dialog opens.
2. Supply your Windows user credentials and click OK. The default page opens with content appropriate for your user role. Your user context appears on the banner.

Starting, Stopping, Restarting the Afaria Server
Use the Start, Stop, or Restart commands to control the state of the Afaria Server. Server/client sessions can run only when the server is started. You can conduct other operations, such as reviewing logs or reports, performing server configuration, or performing administration and user support tasks, when the server is in a stopped or started state. Some configuration changes require you to restart the server to take effect.
1. From the Afaria Homepage, click the role link that is associated with the server to start. The Server Status page opens. The page includes a dynamic link that changes between Start Server and Stop or Restart Server, depending on the current state of the server.
2. Click the Start Server or Stop or Restart Server link to open the Current Status dialog. The dialog is dynamic, based on the current state of the server and the relevant actions. Click the appropriate action:
Start: start a stopped server.
Stop: stop a started server.
Restart: stop, then start a started server.
Verifying Afaria Server Settings for Device Communication
Verify the server-device connection settings for connecting Android, BlackBerry, Windows Mobile, and Windows devices for communications. After you configure the Afaria server for device communications, review your settings for correctness in Afaria Administrator.
1. On the Server page, click Configuration, expand the Communication list, and click Device Communication.
2. Review the device communication settings for validity, namely: protocols and ports, certificate settings, and the address for device communication.

Verifying Afaria Server Settings After Installation
Verify the specific security and Afaria server farm settings that you entered during the installation process. After you install Afaria Server, review your security (NT or LDAP) and server farm settings for correctness in Afaria Administrator.
1. On the Server page, click Configuration, expand the Server list, and click Server Farm. Review the settings for the server farm you set up for validity, namely: Name, State, IP Address, Type, and Replication Address.
2. Choose Security from the list. Review and validate the settings for the NT or LDAP domain you set up.

Server Configuration for Installation and Management
Documentation for the Afaria Server configuration properties, as defined in the Afaria Administrator Server Configuration page, is located in different documentation references, based on whether the properties serve general operations or optional features.
Properties documented in the Installation Guide are basic properties for core operations, such as configuration for the SMS gateway or connectivity for the access control server:
  Device communication
  Access control server
  Enrollment code
  Relay server
  Security
  SMS gateway
  SMTP
  Enrollment server
  iOS notification
  Package server
Properties documented in the Administration Reference are optional, based on the features you license or choose to use, or on performance optimizations, such as defining access control policies for users:
  Tenants
  Schedules
  Logging option and cleanup
  Outbound notifications
  Google C2DM for Android
  Device Activity
  For session policies: bandwidth throttling, file compression, file differencing, user defined fields, iOS branding
  For access control: options for known and unknown device policies
  For device activity management: general settings to enable and notify users, roaming, thresholds for data views, device activity log cleanup
See also
Installing Enrollment Server - Basic on page 57
Configuring Afaria Server for Package Server on page 72
Configuring Relay Server for Access Control on page 114
Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections on page 69

User Role Management
The Afaria Administrator application uses role management to control access to the application and its individual features and tenants. Use the installing user's credentials to log into the Afaria Administrator application the first time. By default, after installation, the only user that can log in to the Afaria Administrator application is the user that installed the product. If you are in a different user context, the application prompts you for the installing user's credentials. These are the predefined user roles:
Administrators: role for access to perform various administrative tasks and policies, which includes control over role assignments and adding and removing servers.
By default, the role allows unrestricted access to the server.
Help Desk: role for server operations, such as for individuals who perform administrative operations and provide support for users.
You can edit the predefined roles or add new roles as needed.

Viewing the Server Roles
View the server roles.
1. On the Home page banner, click Server to open the Server Dashboard page.
2. On the left toolbar, click Role to open the Server > Role page.
3. (Optional) To inspect a role's details, select a role and click Edit in the top toolbar, then click Cancel after inspection.

Adding or Editing a User Role
Add or edit a user role by defining the features and tenants for the role, and the users to assign to the role.
1. On the Home page banner, click Server to open the Server Dashboard page.
2. On the left toolbar, click Role to open the Server > Role page.
3. On the top toolbar, click Add to add a server role, or select a role and click Edit to edit it.
4. On the Role tab, enter a new role name and assign access policies for the sections Devices, groups, and policies pages; Remote actions on devices; Server pages; and Server configuration pages.
5. On the Tenants tab, select all or specific tenants to which the users you add to the role are allowed access. Every Afaria installation has a system tenant, but you can create additional tenants.
6. On the Users tab, click Add to add users to a role by specifying the DomainName\UserName.
7. Click Save.

Afaria Server Messaging
Short Message Service (SMS) is configured on the Afaria server for the delivery of SMS messages from the Afaria server to devices that may or may not be Afaria devices. The Afaria Server supports the SMS messaging protocols SMTP and SMS Gateway, including SMPP and SMS Modem.
Afaria uses the SMS gateway for devices and Afaria Clients that support SMS messaging to deliver outbound notifications and remote wipe commands. Afaria uses SMTP to send e-mail communications and e-mail-based Short Message Service (SMS) messages related to Afaria operations.

Addresses and Routing for Afaria SMS and SMTP Messages
Both the Afaria SMS Gateway and the SMTP server use addresses to deliver their respective Afaria-initiated messages to recipients. Addresses are used in multiple Afaria contexts, including but not limited to:
  Notification messages to devices for message broadcasts, provisioning, or client deployment
  Alert notifications to an administrator contact
  Security commands to Afaria clients

SMS and SMTP Message Address Syntax
The address determines how the Afaria Server routes the message. Use this syntax to format addresses:
<prefix>[<routing information>]
where < > encloses a parameter value, and [ ] indicates an optional parameter.
SMSC address requirements: your Short Message Service Center (SMSC) configuration entities may have specific address requirements for successful routing. For example, a service provider or carrier modem may require you to format all mobile numbers in their respective international format and may stipulate that the leading + symbol is or is not part of the requirement. It is your responsibility to understand the requirements for your SMSC entities and to create your address entries appropriately.
SMSC name: the name of your SMSC entity has a direct impact on how Afaria routes Afaria-initiated messages.

Prefix | Routing Information | Examples | Afaria Routing Logic
Prefix = <mobile number> | <prefix> + null | 5554122212, 15554122212, +15554122212, +445555121212 | IF any SMS gateway SMPP service is defined, THEN send via SMPP service, ELSE IF any SMS gateway entity is defined, THEN send via SMS gateway entity, ELSE discard message.
Prefix = <mobile number> | <prefix> + <routing information> | +15554122212@allcellular, 5554122212@mobiletoday.com | IF <routing information> = an SMS gateway SMPP service name, THEN send via SMPP service, ELSE IF <routing information> = an SMS gateway modem name, THEN send via modem, ELSE IF any SMS gateway SMPP service is defined, THEN send via SMPP service, ELSE IF any SMS gateway entity is defined, THEN send via SMS gateway entity, ELSE send via SMTP server.
Prefix = <recipient identifier> | <prefix> + null | john.doe, jdoe | Invalid, discard message.
Prefix = <recipient identifier> | <prefix> + <routing information> | john.doe@mobiletoday.com, jdoe@allcellular, jdoe@egroup.gov | Send via SMTP server.

SMS Gateway
Afaria uses the SMS gateway to deliver outbound notifications, remote wipe commands, and any other Afaria communication that is addressed for SMS routing to supported Afaria devices. The Afaria solution leverages the Cygwin product libraries and tools and other open source tools to implement its SMS Gateway. The Cygwin product is a set of libraries and tools developed by Cygnus Solutions that creates a Unix-emulating environment on a Windows operating system. Due to the nature of open source licensing practices, cited in the GNU General Public License, Sybase cannot distribute, install, or license the libraries and tools as part of a commercial product delivery. Therefore, you must obtain and install the required items on behalf of your organization to enable SMS gateway operations in Afaria.

Installing SMS Gateway
Install SMS Gateway on the Afaria server to deliver outbound notifications and remote wipe commands.
1. Run the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Access SMS Gateway Resources.
3. On the Afaria third-party component dependency reference page, find version information and download instructions for obtaining the Cygwin components.
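The address routing table above, carried through as code. This is an added example, not Afaria code: it applies each row of the table to a constructed gateway configuration (the entity names, SMTP host, and addresses are samples), and it assumes that entity names are matched exactly and that only entities with Enable selected count as defined, as the Modem and SMPP setup topics describe.

```python
"""Resolve how Afaria would route an SMS/SMTP message address.

Added illustration of the address routing table in this chapter (not Afaria
code); all entity names, hosts and addresses here are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# <prefix>[@<routing information>]: a mobile-number prefix is an optional
# leading '+' followed only by digits (5554122212, +445555121212, ...).
_MOBILE_NUMBER = re.compile(r"^\+?\d+$")


@dataclass(frozen=True)
class GatewayConfig:
    """Enabled SMS gateway entities plus the SMTP Server from the SMTP page."""
    smpp_services: frozenset  # enabled SMPP entity names (SMPP tab)
    modems: frozenset         # enabled SMS modem names (Modem tab)
    smtp_server: str          # SMTP Server field (host name or IP address)

    @classmethod
    def from_entities(cls, smpp: Iterable[Tuple[str, bool]],
                      modems: Iterable[Tuple[str, bool]],
                      smtp_server: str) -> "GatewayConfig":
        # Only entities whose Enable box is selected take part in routing;
        # a cleared box keeps the settings but suspends the entity.
        return cls(frozenset(name for name, on in smpp if on),
                   frozenset(name for name, on in modems if on),
                   smtp_server)


@dataclass(frozen=True)
class Route:
    channel: str        # "smpp", "modem", "smtp" or "discard"
    via: Optional[str]  # entity name or SMTP server that would carry it
    reason: str         # which table rule decided


def parse_address(address: str) -> Tuple[str, Optional[str]]:
    """Split '<prefix>[@<routing information>]' at the first '@'."""
    prefix, sep, routing = address.strip().partition("@")
    return prefix, (routing if sep else None)


def _any_gateway_entity(cfg: GatewayConfig, why: str) -> Optional[Route]:
    # Shared tail of both mobile-number rows: any enabled SMPP service is
    # preferred over any enabled modem.  The table does not say which entity
    # is used when several are enabled; alphabetical first is an assumption.
    if cfg.smpp_services:
        return Route("smpp", min(cfg.smpp_services), why + "; any SMPP service")
    if cfg.modems:
        return Route("modem", min(cfg.modems), why + "; any SMS gateway entity")
    return None


def route_address(address: str, cfg: GatewayConfig) -> Route:
    """Walk the routing table's rows for one address.  Names are matched
    exactly (case-sensitive), which is an assumption about the product."""
    prefix, routing = parse_address(address)
    if not prefix or routing == "":
        return Route("discard", None, "empty prefix or empty routing information")
    if _MOBILE_NUMBER.match(prefix):
        if routing is None:                       # row: <mobile number> + null
            hit = _any_gateway_entity(cfg, "mobile number without routing")
            return hit or Route("discard", None,
                                "mobile number but no SMS gateway entity defined")
        if routing in cfg.smpp_services:          # row: <mobile number> + info
            return Route("smpp", routing, "routing information names an SMPP service")
        if routing in cfg.modems:
            return Route("modem", routing, "routing information names an SMS modem")
        hit = _any_gateway_entity(cfg, "routing information matches no entity")
        return hit or Route("smtp", cfg.smtp_server,
                            "no SMS gateway entity defined; falls back to SMTP")
    if routing is None:                           # row: <recipient id> + null
        return Route("discard", None, "recipient identifier without routing information")
    return Route("smtp", cfg.smtp_server,         # row: <recipient id> + info
                 "recipient identifier with routing information")


if __name__ == "__main__":
    # Constructed configuration: one enabled and one disabled SMPP entity,
    # one enabled modem, and an SMTP server.
    cfg = GatewayConfig.from_entities(
        smpp=[("allcellular", True), ("backup-smpp", False)],
        modems=[("carriermodem", True)],
        smtp_server="smtp.example.internal")
    for addr in ("5554122212", "+15554122212@allcellular",
                 "5554122212@carriermodem", "5554122212@mobiletoday.com",
                 "5554122212@backup-smpp", "john.doe", "jdoe@egroup.gov"):
        r = route_address(addr, cfg)
        print(f"{addr:30} -> {r.channel:8} via {r.via or '-':22} ({r.reason})")
```

Note that a mobile number addressed to a disabled SMPP entity (the backup-smpp sample) is not discarded; it falls through to whichever SMPP service or modem is enabled, so a suspended entity silently changes the carrier path.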
SMS gateway operations use only some of the Cygwin product components. Therefore, these installation steps describe a manual process for installing only the components that the SMS gateway requires, rather than using the Cygwin installation program.
4. Use a decompression utility to decompress the BZ2 download packages from within the <download folder> folder. For each installation package file with file extension BZ2, the decompression yields one extracted file with file extension .tar.
5. Extract the decompressed packages into the same download folder. The file extraction creates these folders:
<download folder>\usr: contains additional, nested folders.
<download folder>\etc: contents are not used for SMS gateway operations.
6. Modify the Afaria Server environment to include the required libraries and tools, either by including <download folder>\usr\bin in the default system path or by copying these <download folder>\usr\bin files into the Afaria folder <AfariaInstallation>\bin\SMSGateway:
  cygcrypto-0.9.8.dll
  cygiconv-2.dll
  cygssl-0.9.8.dll
  cygwin1.dll
  cygxml2-2.dll
  cygz.dll
The default value for <AfariaInstallation> is C:\Program Files\Afaria.

HTTPS Support Certificates
HTTPS support for SMS Gateway requires you to install a certificate that is known to both Windows and Linux. SMS Gateway runs on the Afaria server and is encapsulated within an emulated Linux operating system environment; the Afaria server runs on a Windows operating system. A certificate is required for proper communication between the two separate operating systems on the same server.
1. Obtain a certificate and key that identify the Afaria server in PEM format. Ensure that the common name attribute on the certificate is the name of the Afaria server, exactly as the name is defined in the Gateway Host field on the SMS Gateway configuration page.
2.
Certificate for Windows: import the PEM-formatted certificate and its associated key as a visible Windows Trusted Root Certificate Authority. The Windows Trusted Root is accessible only to the Afaria Server.
3. Certificate for Linux: complete the Cert file and Key file fields on the SMS Gateway Interface configuration page to point to the certificate and key files. The files must reside on the Afaria Server. The SMS Gateway uses these references to access the certificates, as it cannot access certificates imported into the Windows Trusted Root Certificate Authority.

Configuring Afaria Server for SMS Gateway
SMS Gateway configuration settings and data elements establish connectivity between the Afaria server hosting the SMS Gateway and the Afaria SMS Gateway. In a farm environment, the Afaria server is always the main server. To successfully start the SMS Gateway, you must define the SMS Gateway properties and at least one SMSC server configuration entity.
1. On the Server page, click the Configuration icon on the left panel, expand the Server list, and select SMS Gateway. The SMS Gateway page appears with the Gateway tab enabled.
2. Enter the Port number for the first Afaria server port dedicated to SMS gateway communication. The server uses this port and the next two consecutive ports. For example, if you select port 3000, then the SMS gateway uses ports 3000, 3001, and 3002.
3. Enter the Access Phrase for all communications from an Afaria server to the SMS gateway. The SMS gateway ignores all communication requests that do not include this phrase.
4. Click the Character Set the SMS Gateway uses to compose SMS messages. The appearance of the message at the client depends on device support for a given character set. Devices that support ASCII but are sent a Unicode-based message show messages padded with extra characters.
5.
(Optional) Click Enable HTTPS Support to enable HTTPS support for secure communications from the Afaria server to the SMS gateway.
6. Enter the Certificate File path and file name on the main Afaria server for the PEM-formatted certificate file. The SMS Gateway uses this file to verify the identity of the Afaria server.
7. Enter the Key File path and file name on the main Afaria server for the PEM-formatted key file. The SMS Gateway uses this file to verify the identity of the Afaria server.
8. Define an SMSC server configuration entity.

Setting Up SMS Modem
For each SMS modem from your providers, add it and configure the Afaria server for communication.
Prerequisites
Follow the instructions from your modem provider to connect the modem to the Afaria server.
Task
SMS modems are typically carrier specific, as each modem uses a carrier's Subscriber Identity Module (SIM) card. They use the associated carrier's network to deliver SMS messages to an SMSC; messages take an indirect path to the SMSC. Modems can often support basic SMS message delivery (for example, text messages) to different carrier networks.
1. On the Server page, click the Configuration icon, select the Modem tab, and click Add. A new line of configuration fields appears.
2. Select Enable to enable communications with this entity. Clear the check box to suspend communications but retain the configuration values.
3. Enter the Name. The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. Select an Afaria server COM port; ports 1-16 are valid for SMS Gateway operations.
5. Complete the required port, source, and destination properties, guided by the definitions in the SMPP Configuration Properties topic.
6. Click Save.

Setting Up SMPP
You can configure Short Message Peer-to-Peer (SMPP) entities for use with SMS Gateway on the Afaria server.
Short Message Peer-to-Peer (SMPP) is a protocol for delivering SMS messages directly to a Short Message Service Center (SMSC) or SMSC aggregator. SMPP services are typically carrier agnostic. Message routing from the SMS gateway is direct to the SMSC, rather than over a carrier network. As a result, an SMPP service can typically deliver most SMS messages to any carrier network.
Note: You can create multiple SMPP entities, but the Afaria server uses only those that you enable.
1. On the Server page, click the Configuration icon, select the SMPP tab, and click Add.
2. Select Enable to enable communications with this entity. Clear the check box to suspend communications but retain the configuration values.
3. Enter the Name of the service. The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. Define the remaining property values as specified by your SMPP service provider.
5. Click Save.

Setting Up SMTP
You can use the SMTP page to configure your SMTP server to send e-mail communications and e-mail-based Short Message Service (SMS) messages related to Afaria operations.
1. On the Server page, click Configuration.
2. Enter the name of the SMTP Server. This field can contain either the IP address or the host name of the SMTP server that you use to send SMS messages.
3. Enter the user ID for the SMTP server account that you use to send SMS messages.
4. Enter the reply address that appears on the SMS messages.
5. Click Restart Server for the changes to take effect.

Installation and Configuration for Enrollment Components
To support device enrollment for Android, BlackBerry, iOS, and Windows Mobile devices, install and configure the Afaria enrollment server. In addition, for iOS device support, configure a certificate authority (CA). The enrollment server retrieves enrollment policies from the database for all device types, and delivers payloads for iOS devices.
The certificate authority is a required part of Apple-defined iOS MDM management.

Installing Enrollment Server - Basic
To support device enrollment for Android, BlackBerry, iOS, and Windows Mobile devices, install and configure the Afaria enrollment server. Record the address and virtual directory values as you complete the installation; you will need them for subsequent configuration tasks. Install the server first in its basic implementation, without payload signing enabled. Payload signing is an advanced feature for iOS device support.
1. On the installation image, start the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Enrollment Server.
3. On the Specify Credentials page, accept or define the account name and password used to run the Afaria service on the Afaria server. The enrollment server uses these credentials to contact the Afaria server for database credentials.
4. On the Specify Virtual Directory Names page, accept or define these settings:
Unauthorized virtual directory name: user-defined name, populated with a default value. The unauthorized directory accepts an initial device connection and processes any required user authentication.
Authorized virtual directory name: user-defined name, populated with a default value. The authorized directory accepts device connections in the connection series after the device connects to the unauthorized directory.
5. On the Specify Server Address page, accept or define the address for the Afaria server. The enrollment server uses this address to reach the Afaria server.
6. On the Specify Certificates for Signing page, clear Sign Messages to disable the feature; it is not part of the basic implementation.
7. Only if you are a self-signing entity and managing iOS devices, on the Specify SSL Certificate page, select the certificate that is bound to IIS for SSL.
By selecting the certificate, Afaria can traverse the certificate chain and ensure that iOS devices that need an intermediate certificate for operations get it seamlessly from the enrollment server. Your Apple APNS certificate is not valid for this step.
8. Follow the setup wizard to completion.
The enrollment server installation is now complete, and you can observe the service AfariaiPhoneServer in the Windows service list. The installation process also populates the Enrollment Server configuration page with corresponding values if the Afaria server is on the same server.
See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Configuring Relay Server for Enrollment Server on page 112
Configuring Relay Server for iOS Certificate Authority on page 113
Launching the Relay Server Outbound Enabler on page 117

Configuring Afaria Server for Basic Enrollment Server
Configure the Afaria server for the enrollment server, as installed with payload signing disabled, without enabling SSL on the HTTPS port, and without enabling relay server.
1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand the Component list, and click Enrollment Server.
2. Accept or define the IP or fully qualified server address that devices use to connect to the enrollment server. The address must be externally accessible.
3. Accept or define the unauthorized and authorized virtual directory names, as defined during the enrollment server installation. The unauthorized directory accepts an initial device connection and processes any required user authentication. The authorized directory accepts device connections in the connection series after the device connects to the unauthorized directory.
4. Only if you are required to use a proxy for the Apple APNS and feedback servers, click APNS/Feedback Configuration and change the predefined settings to your proxy server.
APNS: domain and port for sending notifications.
Feedback: domain and port for soliciting feedback, as defined by Apple. The feedback service is an aid for gaining feedback about devices that no longer have MDM control installed. Afaria captures feedback data in the Afaria table A_iphone_feedback_log. If feedback is received about a device having removed control, Afaria updates the known device state and adds an entry to the Messages log identifying the device and indicating that control is removed.
5. Click Save.

Configuring Afaria Server for Enrollment Codes
Enable at least one URL shortening service before creating enrollment policies.
Prerequisites
To enable the Google URL service, you need a Google API key, as issued by Google to your enterprise as part of the Google API program.
Task
Service terms are between your enterprise and the service provider. You must accept the terms of service to enable a service.
1. On the Server page, click the Configuration icon on the left toolbar, expand the Server list, and select Enrollment Code. Enable at least one of these services:
  TinyURL service
  Google URL service (including the API Key)
2. (Optional) Click the test links to verify connectivity and a call to the service.
3. To change how long an enrollment code is valid for iOS and Android device enrollment, under Self-service portal enrollment requests, specify how long a user request is valid for enrollment, in days, hours, and minutes. Self-Service Portal enrollment for other device types does not include a validity time window.
4. Click Save.
See also
Obtaining a Google API Key on page 33

Configuring Certificate Authority for iOS Devices
Configure a Microsoft certificate authority (CA) as a required component for iOS device management.
Consult these essential references before and during configuration:
Afaria system requirements: to learn about the requirements for your CA operating system and connectivity within the Afaria environment.
Microsoft documentation resources: to learn about CAs and how to add roles and comply with the Afaria system requirements. For example, the Microsoft SCEP Implementation White Paper (www.microsoft.com/download/en/details.aspx?id=1607).

Configuring an Enterprise Root Certificate Authority for iOS
Configure the enterprise root CA by defining the Active Directory Certificate Service (ADCS) and Network Device Enrollment Service (NDES) roles.
Prerequisites
The server must be a member of a domain with an Active Directory Domain Controller. You must also be logged on to the CA server as a user that is a member of the domain.
Task
1. Add the Active Directory Certificate Service (ADCS) role.
2. Add the Network Device Enrollment Service (NDES) role.

Adding the Active Directory Certificate Service (ADCS) Role
Add the ADCS role as part of the iOS certificate authority (CA) configuration.
1. On the CA, open the Server Manager: Programs > Administrative Tools > Server Manager > Roles.
2. Click Add Roles to launch a wizard.
3. On the Server Roles page, enable Active Directory Certificate Service.
4. On the Role Services page, enable Certification Authority Web Enrollment. A pop-up window may open to prompt you to install IIS. If so, install it.
5. Click Add Required Role Services and click Next. The Certification Authority Web Enrollment check box is now enabled.
6. On the Specify Set Up Type page, enable Enterprise.
7. On the Specify CA Type page, enable Root CA.
8. On the Set up Private Key page, enable Create a new private key.
9. Verify the pre-populated settings on the Configure Cryptography for CA page.
10. On the Configure CA name page, confirm the Common Name for this CA and note it for later.
11.
On the Set Validity page, select the validity period for the certificate as appropriate your enterprise. 12. On the Configure Certificate Database page, confirm the path of the certificate database. 13. On the Web Server IIS introductory page, click Next to proceed to the setup. 14. On the Select Role Service page, click Next to confirm the default IIS settings. 15. On the Confirm Installation Selections page, review the details of the ADCS configuration and IIS installation and then click Install. 16. Click Close to complete the wizard and restart the server. Adding the Network Device Enrollment Service (NDES) Role Add the NDES role as part of the iOS certificate authority (CA) configuration. Prerequisites Add the ADCS role to the CA. Task 1. On the CA, open the Server Manager > Roles > Active Directory Certificate Services > Add role services. 2. On the Select Role Services page, enable Network Device Enrollment Service. 3. On the Specify User Account page, enable Specify a User Account, click Browse to find the account in your local IIS users group, and click Next. 4. Enter your credentials in the Windows Security dialog and click OK and click Next. If the user does not match the required IIS prerequisites, an error message displays. 5. On the Specify Registration Authority Information page, enter the applicable Registration Authority Information, which will be required later during device configuration. Do not use special or localized characters. 6. On the Configure Cryptography for Registration Authority page, accept the defaults and click Install. 7. On the Confirm Installation Selections page, review the details of the NDES configuration and click Install. 8. Click Close. 9. 
Under Role Services, verify that the following services appear in the installed list: Certification Authority Certification Authority Web Enrollment Installation and Configuration for Enrollment Components Installation Guide 61 Network Device Enrollment Service Click the refresh link at the bottom if you installed a service but do not see it in the list. Tuning the Certificate Authority for Afaria Configure the SCEP challenge phrase and certificate request handling on the certificate authority (CA) to increase security for iOS connections and ensure that certificates are issued automatically. The challenge configuration changes allow Afaria to act as a proxy for requesting challenge phrases and optimize challenge phrase properties for Afaria operations. The request handling change allows the CA to issue certificates automatically, rather than putting them into a pending state that would require administrator action. Warning! The tuning registry changes impact all IIS operations. 1. On the CA, using Windows Server Manager, on the SCEP administrator virtual directory (IIS Manager > Default Web Site > CertServ > mscep_admin), set authentication. Anonymous authentication enabled and using the same credentials as the SCEP application pool. Windows authentication enabled. 2. Create a registry entry to change the challenge phrase default behavior to increase the maximum number of passwords that are valid simultaneously to 100. Key [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography \MSCEP1\PasswordMax] Value "PasswordMax"=dword:100 3. Create a registry entry to change the challenge phrase default behavior to decrease the time period that each password is valid to 10 minutes. Key Key [HKEY_LOCAL_MACHINE\Software\Microsoft \Cryptography\MSCEP1\PasswordValidity] Value "PasswordValidity"=dword:0A 4. 
To configure certificate request handling in Server Manager, select your CA in the ADCS node, right-click Properties > Policy Module > Properties and select to follow the template or automatically issue, rather than to set it to pending. Installing the Afaria SCEP Plug-In Module on the CA Install the optional Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module on the certificate authority (CA) to filter certificate requests. The module enhances security by blocking devices that are not known to the Afaria database from obtaining an enrollment certificate. Installation and Configuration for Enrollment Components 62 Afaria 1. On the CA server, start the setup program (setup.exe) from the Afaria product image. 2. On the setup menu, click Additional Installations and Resources > Install Afaria SCEP Plug-In Module. 3. Enter database type and credentials. 4. Choose an installation path and install the Afaria SCEP policy module. 5. On the CA, open Active Directory Certificate Services (ADCS). 6. On your CA node, select the Properties and the Policy Module tab, then select XSSCEPPolicyModule.dll. 7. Restart ADCS. 8. (Optional) Power off, and then on, the CA server. Due to a known issue reported for the Microsoft CA restart ADCS operations, Sybase recommends turning the power off, and then on, to correctly enable the Afaria SCEP module. After startup, the CA issues certificates only to the devices that are defined in the Afaria database. Configuring Afaria Server for iOS Certificate Authority Configure Afaria to use the iOS certificate authority (CA) for iOS devices, without enabling SSL on the HTTPS port, and without enabling relay server. For iOS devices, the CA delivers certificates to devices during enrollment. If the optional Afaria SCEP module is installed, the CA verifies whether the requesting device is defined in Afaria and fulfills requests only for verified devices. 1. 
On the Afaria Administrator Server page, click Configuration on the left toolbar, expand the Component list, and click Enrollment Server. 2. Enter the CA server address. The IP or the fully qualified address that devices use to connect to the CA server. The address must be externally accessible. 3. (Optional) Click Certificate request and enter information to populate the certificate that the CA delivers to the iOS device. 4. (Optional) Click Certificate test to test the CA connection from the testing server location. This test is valid only if the testing server can access the CA address, as defined in the address field. Accessibility to the CA may differ from the testing server and the connecting devices. 5. Click Use SCEP challenge to configure the SCEP challenge properties for the account you used when you tuned the iOS CA and create the SCEP application pool user, which must have administrative privileges on the CA. Installation and Configuration for Enrollment Components Installation Guide 63 SCEP Challenge Domain SCEP Challenge User Password 6. Click Save. 7. Restart the Afaria server service. Importing Apple Root and Intermediate Certificates for MDM Management Import Apple root and application integration certificates as trusted root certificates so that any APNS certificates you install and configure for Afaria MDM management have a valid chain to a trusted root. 1. Copy your Apple root and intermediate certificates to a location accessible from the Afaria server. 2. On the Afaria server desktop, launch the Microsoft Management Console (MMC) by selecting Start > Run and entering MMC. 3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open the snap-in dialog, and adding the "Certificates" snap-in, selecting the these options: Computer account Local computer 4. On the console root tree, select Certificates (Local computer) > Trusted Root Certification Authorities > Certificates. 5. 
On the Certificates node, right-click All Tasks > Import to launch the import wizard and import the Apple Inc. Root certificate (.CER). 6. Launch the import wizard again and import the Apple Application Integration certificate (.CER). 7. Review the certificate list for the imported certificates. Configuring Afaria Server for iOS Notifications Add your Apple-issued push certificate for iOS device management to the Afaria server and define the text to send to devices for SMS-based outbound notifications. The Apple Push Notification Service (APNS) certificate, as issued by Apple to your enterprise, uniquely indentifies an Afaria server and its associated enterprise to the APNS. Consider the configuration of your enterprise tenant environment before operating Afaria: If you are an enterprise using only system tenant, install your Apple push certificate on the system tenant. Installation and Configuration for Enrollment Components 64 Afaria If you are an enterprise, using multiple tenants to separate operations install your Apple push certificate on the system tenant. If you are a hosting enterprise using multiple tenants to separate multiple customers, ensure each customer installs their own Apple push certificate on their tenant. Do not install a push certificate on the system tenant; it is the back up certificate for tenants that do not have a certificate. 1. On the Afaria Administrator Server page, click the Configuration icon on the left toolbar, expand the Server list and select iOS Notification. 2. Click Browse and navigate to and select the push certificate. 3. On the iOS Notification page, enter the password for the certificate. 4. Click Install to install the certificate. The certificate is installed to the local machine personal certificate store on the Afaria server. The MDM certificate name populates the page. The Current Push Service is the topic name, as defined by Apple on the certificate. 
   - (System tenant) If your Apple root and intermediate certificates are not installed, the interface prompts you to install them.
   - (Non-system tenant) If the Apple root and intermediate certificates are not installed, the interface opens an error. Notify your system tenant administrator.
5. (Optional) In the Default Notification Messages group, change the outbound notification messages, used when manually applying a policy to, or configuring the Afaria application for, a device that has removed MDM control. Select Add text to end of notification message to append the text to the end of the message, or leave it unselected to have it display at the beginning.
6. Click Save.

See also
Apple Certificates for Managing Afaria Devices on page 27

Configuring SSL Connections for Enrollment Server

Configure the Afaria server for enrollment server SSL connections when preferred or required for network security.

Prerequisites

This task assumes that you have a valid SSL certificate from a known certificate authority for your enrollment server's IIS server.

Task

1. On the Afaria Administrator Enrollment Server page, in the Enrollment Server group, click Use HTTPS on Enrollment Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on the associated SSL certificate.
3. If you enabled the enrollment server's SSL on a port other than the default port 443, update the server address to include the port suffix, using the syntax <Address>[:<port>].
4. Restart the Afaria server service.

Configuring SSL Connections for iOS CA

(Optional) Configure the Afaria server for iOS certificate authority (CA) server SSL connections when preferred or required for network security.

Prerequisites

This task assumes that you have a valid SSL certificate from a known certificate authority for your CA's IIS server.

Task

1. On the Afaria Administrator Enrollment Server page, in the CA group, click Use HTTPS on Certificate Authority connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on the associated SSL certificate.
3. If you enabled the CA's SSL on a port other than the default port 443, update the server address to include the port suffix, using the syntax <Address>[:<port>].
4. Restart the Afaria server service.

Adding iOS MDM Payload Signing for iOS

Add payload signing so that any tampering with payloads during delivery is detected by the device. You can use your Apple APNS certificate for signing.

Prerequisites

Install, configure, and verify the iOS implementation before adding signing.

Task

1. Copy the Apple root and application integration certificates and your Apple Push Notification Service (APNS) certificate to the enrollment server.
2. On the enrollment server, import your Apple root and application integration certificates as trusted root certificates.
3. Reinstall the enrollment server to enable signing and import your APNS certificate.
4. Use the Afaria Administrator Enrollment Server page to enable signing.
5. Restart the Afaria server.
6. Enroll one or more test devices and observe the user interface to determine whether the certificate is untrusted or trusted. The expected result, after a possible user authentication prompt, is either:
   - Signed, but untrusted: the Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
   - Signed and trusted: the Apple Profile Service dialog is exposed to the user and indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the client that matches the root certificate that the enrollment server is using and retry the enrollment.
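As an added example (not from the Afaria guide), the following PowerShell applies the two challenge-phrase registry settings from "Tuning the Certificate Authority for Afaria" above and reads them back. It assumes the key path HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (the guide prints the key as MSCEP1; Microsoft documents it as MSCEP), that each setting is a DWORD value inside a subkey of the same name, and that it runs in an elevated session on the CA/NDES host. One caveat worth checking in any .reg file you apply by hand: the dword: notation is hexadecimal, so dword:0A is decimal 10 but dword:100 is decimal 256; the script writes decimal values directly.

```powershell
# Added example, not from the Afaria guide: apply the SCEP challenge-phrase
# registry tuning from "Tuning the Certificate Authority for Afaria" with
# PowerShell instead of a .reg file, then read the values back.
#
# Assumptions: the key path is HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (the
# guide prints it as MSCEP1; Microsoft documents it as MSCEP), each setting is a
# DWORD value inside a subkey of the same name, and the script runs in an
# elevated PowerShell session on the CA/NDES host.
#
# Units: .reg "dword:" values are hexadecimal. dword:0A is decimal 10 (minutes),
# but dword:100 is decimal 256, not 100. Passing a decimal -Value with -Type
# DWord removes that ambiguity.

$mscepRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

$settings = [ordered]@{
    PasswordMax      = 100   # challenge phrases that may be valid at the same time
    PasswordValidity = 10    # minutes each challenge phrase remains valid
}

function Set-ScepChallengeSetting {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    $keyPath = Join-Path $mscepRoot $Name
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name $Name -Value $Value -Type DWord
}

function Get-ScepChallengeSetting {
    param([Parameter(Mandatory)] [string] $Name)
    $keyPath = Join-Path $mscepRoot $Name
    if (-not (Test-Path $keyPath)) { return $null }
    (Get-ItemProperty -Path $keyPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($entry in $settings.GetEnumerator()) {
    Set-ScepChallengeSetting -Name $entry.Key -Value $entry.Value
}

# Read back and flag drift. A PasswordMax larger than intended widens the pool
# of simultaneously valid challenge phrases; a PasswordValidity longer than
# intended extends how long a disclosed phrase can be redeemed.
foreach ($entry in $settings.GetEnumerator()) {
    $actual = Get-ScepChallengeSetting -Name $entry.Key
    if ($actual -ne $entry.Value) {
        Write-Warning ("{0} is {1}, expected {2}" -f $entry.Key, $actual, $entry.Value)
    } else {
        Write-Output ("{0} = {1} (0x{1:X})" -f $entry.Key, $actual)
    }
}

# NDES picks these keys up when its application pool (re)starts, so recycle IIS
# (iisreset) afterwards; the guide's warning that the tuning affects all IIS
# operations applies to that restart as well.
```

The read-back loop is the part worth keeping in a build checklist: it catches a value entered in the wrong base, and it catches a later change by someone else, since the challenge-phrase pool size and lifetime bound how long a leaked challenge phrase can be redeemed against the CA.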
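The MMC import steps in "Importing Apple Root and Intermediate Certificates for MDM Management" above, and the same procedure for the enrollment server that follows, can be scripted and then checked, which is what this added example does (it is not Afaria's code or part of the guide). It writes the Apple Inc. Root and Apple Application Integration certificates into the local machine's Trusted Root Certification Authorities store, as the guide directs, and then builds the chain of the APNS push certificate against that store, which is the trust condition that steps 6 and 7 of the payload signing task test on a device. The file paths and the .p12 password prompt are placeholders; run it elevated on whichever server (Afaria server or enrollment server) you are configuring.

```powershell
# Added example, not from the Afaria guide: import the Apple root and
# application integration certificates into LocalMachine\Root (as the MMC
# steps do) and verify that the APNS push certificate chains to a trusted
# root before it is used for MDM notifications or payload signing.
#
# Placeholders (not values from the guide): the three file paths below and the
# password read at the prompt.

$appleRootFile = 'C:\certs\AppleIncRootCertificate.cer'         # placeholder
$appleIntFile  = 'C:\certs\AppleApplicationIntegration.cer'     # placeholder
$apnsFile      = 'C:\certs\afaria-mdm-push.p12'                  # placeholder
$apnsPassword  = Read-Host -AsSecureString 'APNS certificate password'

function Import-TrustedRootCert {
    param([Parameter(Mandatory)] [string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Compare by thumbprint so repeated runs do not add duplicates
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { $store.Add($cert) }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

function Test-CertificateChain {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # This check is about chain completeness against the machine store; revocation
    # lookups need outbound access to Apple and would mask a store problem as a
    # network one, so they are skipped here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $result = [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        Valid    = $built
        Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    $chain.Reset()
    return $result
}

Import-TrustedRootCert -Path $appleRootFile | Out-Null
Import-TrustedRootCert -Path $appleIntFile  | Out-Null

# Load the push certificate from the .p12 without persisting its key anywhere;
# the guide's iOS Notification page performs the actual install.
$apns  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($apnsFile, $apnsPassword)
$check = Test-CertificateChain -Certificate $apns
$check | Format-List

if (-not $check.Valid) {
    Write-Warning "APNS certificate does not chain to a trusted root on this machine: $($check.Status)"
}
if ($check.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "APNS certificate expires on $($check.NotAfter); push notifications stop when it lapses."
}
```

A Status of PartialChain or UntrustedRoot after the import means the store the script wrote is not the one the check is reading (for example, a current-user store instead of the local machine store), which is the same mistake the guide's "Computer account / Local computer" snap-in options guard against.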
Importing Apple Root and Intermediate Certificates for MDM Payload Signing

Import Apple root and application integration certificates as trusted root certificates so that the APNS certificate you install for MDM payload signing has a valid chain to a trusted root.

1. Copy your Apple root and intermediate certificates to a location accessible from the enrollment server.
2. On the enrollment server desktop, launch the Microsoft Management Console (MMC) by selecting Start > Run and entering MMC.
3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open the snap-in dialog and adding the "Certificates" snap-in, selecting these options:
   - Computer account
   - Local computer
4. On the console root tree, select Certificates (Local computer) > Trusted Root Certification Authorities > Certificates.
5. On the Certificates node, right-click All Tasks > Import to launch the import wizard and import the Apple Inc. Root certificate (.CER).
6. Launch the import wizard again and import the Apple Application Integration certificate (.CER).
7. Review the certificate list for the imported certificates.

iOS MDM Payload Signing Certificate Requirements

The certificate must be an IP Security (IPSec) certificate in the X.509 standard and meet Afaria requirements, regardless of whether you get your certificate from a known certificate authority (CA) or operate as a self-signing entity and create your own signing certificate.

The IPSec signing certificate must meet these property requirements:

- Subject: define the subject name as type common name.
- General: define the common name (CN) and record the value for future use.
- Extensions: for key usage, add options for digital signature and key encipherment; for extended key usage (also known as application policies), add all available options.
- Private key: select key size 2048 and make the private key exportable. The key type is allowed for exchanges.

The Apple APNS certificate does meet the requirements for signing.

Reinstalling the Enrollment Server for iOS MDM Payload Signing

Reinstall the enrollment server to enable signing for all iOS MDM payloads.

Prerequisites

Copy your Apple Push Notification Service (APNS) certificate to the enrollment server.

Task

1. On the enrollment server, close all running programs.
2. On the installation image, start the setup program (setup.exe).
3. On the setup menu, click Additional Installations and Resources > Enrollment Server.
4. On each setup page before the Specify Certificates for Signing page, accept the current values.
5. On the Specify Certificates for Signing page, click Sign Messages to enable the feature and define the signing attributes:
   - Certificate Filename: the path and file name of the Apple root certificate.
   - Signing Certificate Filename: the path and file name of the Apple Push Notification Service (APNS) certificate.
   - Signing Certificate Password: enter and confirm the password associated with the APNS certificate.
6. Follow the setup wizard to completion.

Data is validated at the conclusion of the setup program as the process attempts to install the certificate and modify access permissions to the certificate for ongoing operations. If you encounter errors at this point, retry the installation.

Configuring Afaria Server for iOS MDM Payload Signing

Configure the Afaria server to enable signing for all iOS MDM payloads.

Prerequisites

Complete the basic enrollment installation and configuration, and reinstall the enrollment server for iOS MDM payload signing.

Task

1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand the Component list, and click Enrollment Server.
2. Enter the signing certificate name, which is the common name for the signing certificate, as defined on the certificate and during enrollment server installation.
3. (Optional) Click Encrypt payload to encrypt the signed payloads.
4. Click Save.
5. Restart the Afaria server.
6. Provision one or more test devices and observe the user interface to determine whether the certificate is untrusted or trusted. The expected result, after a possible user authentication prompt, is either:
   - Signed, but untrusted: the Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
   - Signed and trusted: the Apple Profile Service dialog is exposed to the user and indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the device that matches the root certificate that the enrollment server is using and retry the provisioning.

Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections

(Optional) Set up relay server to increase your enterprise network security. A relay server is installed in the DMZ and operates as a proxy for HTTP and HTTPS sessions between two components, such as between the iOS certificate authority and devices, or between the enrollment server and devices. The server component makes an outbound connection to the relay server, so you need not open inbound ports for the connection.

See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47

Package Server

The Afaria enterprise package server serves packages not hosted by another entity to iOS and Android devices, and serves certificates for application onboarding to iOS, Android, and BlackBerry devices.

Installing Package Server

Install the package server to deliver Afaria enterprise application packages to Android and iOS devices. Record values as you complete the installation; you will need them for subsequent configuration tasks.
You can install the package server on the same server as the Afaria Administrator server or on a separate server.

1. On the installation image, start the setup program (setup.exe).
2. Click Install.
3. On the setup menu, click Additional Installations and Resources > Package Server.
4. On the Directory Selection page, accept the default location or click Browse to navigate to a new location.
5. On the Welcome page, click Next, then accept the default location or click Browse to navigate to a new location.
6. On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server. The package server uses these credentials to contact the Afaria server for database credentials.
7. On the Specify Virtual Directory Name page, accept the default virtual directory name or type in a new virtual directory name.
   - Use Windows Authentication: select to require Windows Authentication for access to the package server.
8. On the Specify Server Address page, type in the IP or fully qualified domain name of the Afaria server.
9. On the Ready to Start Installation page, click Install.
10. Follow the wizard to completion.

See also
Creating a Domain User Account for Operating Afaria on page 23
Configuring Relay Server for Package Server on page 115
Launching the Relay Server Outbound Enabler on page 117

Configuring Afaria Server for Package Server

Configure the Afaria server for the package server, without enabling SSL on the HTTPS port, and without enabling relay server. For application onboarding certificate provisioning, the server facilitates obtaining device certificates as required from the CA.

1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand the Component list, and click Package Server.
2. Accept or define the virtual directory name, as defined during the package server installation.
3. In the Package Server Direct Access group, accept or define the IP or fully qualified server address that devices use to connect to the package server. The address must be externally accessible.
4. Click Save.

See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47

Configuring SSL Connections for Package Server

Configure the Afaria server for package server SSL connections when preferred or required for network security.

Prerequisites

This task assumes that you have a valid SSL certificate from a known certificate authority for your package server's IIS server.

Task

1. On the Afaria Administrator Package Server page, in the Package Server group, click Use HTTPS on Package Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on the associated SSL certificate.
3. If you enabled the package server's SSL on a port other than the default port 443, update the server address to include the port suffix, using the syntax <Address>[:<port>].
4. Restart the Afaria server service.

Access Control for Email

Afaria Access Control for Email adds a layer of protection to your enterprise e-mail platforms by filtering mobile device synchronization requests according to your access control policies. Access control discards any synchronization requests that do not meet the policies you define on the Afaria server and save on the Afaria database. Access control policies include the list of known devices, their associated policies, and any defined policies for unknown devices.
In addition to mobile device synchronization requests, access control can prevent synchronization requests initiated by alternate means, such as:

- Web browser client
- E-mail client installed on a companion PC
- iAnywhere Mobile Office client

See also
Configuring Relay Server for Access Control on page 114

Access Control Components

Access control uses the Afaria filter and the Afaria filter listener.

Afaria filter: the Afaria filter is a two-component entity consisting of the Internet Server Application Programming Interface (ISAPI) filter and the PowerShell service.

- ISAPI filter: accepts inbound synchronization requests from mobile clients. The ISAPI filter then receives instructions from the PowerShell service on how to handle each request. The ISAPI filter must reside on the server that accepts inbound client requests. For greater security, install it on a proxy server located in your DMZ.
- PowerShell service: calls out to the ISAPI filter and provides it with the allow or block synchronization instructions, which are based on the access control policy you define. The PowerShell service also queries the Afaria server at defined intervals to obtain an updated access control policy list. The PowerShell service must reside on a server that can initiate an outbound connection to both the Afaria server (or its optional relay server proxy) and the ISAPI filter host. For greater security, install it on a separate server within your enterprise firewall, as it manipulates user and device data from the Afaria environment.

Afaria filter listener: resides on the Afaria server. When requested by the PowerShell service, the listener queries the Afaria database to obtain an updated access control policy list and forwards it to the PowerShell service. The Afaria server service starts the Afaria filter listener.
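To make the division of labour above concrete, here is an added example (not Afaria's code and not from the guide) that models the allow/block decision the PowerShell service returns to the ISAPI filter, evaluated over a handful of constructed requests. Afaria's real policy list format, request parsing and refresh handling are not documented on this page, so every field name, policy value and request below is an assumption made for illustration; the fail-closed behaviour on a stale policy copy is a design choice of this model, not something the guide states about Afaria.

```powershell
# Added example, not Afaria code: a model of the allow/block decision the
# PowerShell service hands to the ISAPI filter, run over constructed requests.
# Afaria's real policy format, request parsing and refresh handling are not
# documented on this page; every field name and value below is assumed.

# Constructed policy list, standing in for what the filter listener returns:
# per-device policies for known devices, a default per device type for unknown
# devices, the "Blocking Options" choice for non-handheld sources, and when the
# copy was last refreshed from the Afaria server.
$policy = @{
    KnownDevices = @{
        'IOS-0002'   = 'Allow'
        'IOS-0003'   = 'Block'     # e.g. a device reported lost
        'ANDRD-0001' = 'Allow'
    }
    UnknownDeviceDefault    = @{ 'iPhone' = 'Block'; 'Android' = 'Block'; 'Default' = 'Block' }
    BlockNonHandheldClients = $true
    RefreshedAt             = (Get-Date).AddMinutes(-2)
    RefreshIntervalMinutes  = 5
}

# Constructed inbound requests: the device identity a sync request carries plus
# the source classification the ISAPI filter derives from the client type.
$requests = @(
    [pscustomobject]@{ DeviceId = 'IOS-0002';   DeviceType = 'iPhone';  User = 'alice'; Source = 'Handheld' }
    [pscustomobject]@{ DeviceId = 'IOS-0003';   DeviceType = 'iPhone';  User = 'bob';   Source = 'Handheld' }
    [pscustomobject]@{ DeviceId = 'ANDRD-0999'; DeviceType = 'Android'; User = 'carol'; Source = 'Handheld' }
    [pscustomobject]@{ DeviceId = 'PC-0042';    DeviceType = 'PC';      User = 'dave';  Source = 'CompanionPC' }
    [pscustomobject]@{ DeviceId = '';           DeviceType = 'Browser'; User = 'erin';  Source = 'WebBrowser' }
)

function Get-SyncDecision {
    param(
        [Parameter(Mandatory)] [hashtable]      $Policy,
        [Parameter(Mandatory)] [pscustomobject] $Request,
        [datetime] $Now = (Get-Date)
    )
    function New-Verdict {
        param([string] $Decision, [string] $Reason)
        [pscustomobject]@{ DeviceId = $Request.DeviceId; User = $Request.User; Decision = $Decision; Reason = $Reason }
    }

    # 0. Fail closed when the local policy copy has missed its refresh (assumed
    #    design choice for this model; the guide does not say how Afaria behaves).
    $age = $Now - $Policy.RefreshedAt
    if ($age.TotalMinutes -gt 2 * $Policy.RefreshIntervalMinutes) {
        return New-Verdict 'Block' ("policy list stale ({0} min)" -f [int]$age.TotalMinutes)
    }
    # 1. Sources other than handheld sync clients (browser, companion PC, desktop
    #    client) are governed by the Blocking Options setting, regardless of device.
    if ($Request.Source -ne 'Handheld') {
        if ($Policy.BlockNonHandheldClients) { return New-Verdict 'Block' "non-handheld source $($Request.Source)" }
        return New-Verdict 'Allow' 'non-handheld source permitted by policy'
    }
    # 2. Known devices take their individually assigned policy.
    if ($Request.DeviceId -and $Policy.KnownDevices.ContainsKey($Request.DeviceId)) {
        return New-Verdict $Policy.KnownDevices[$Request.DeviceId] 'known device policy'
    }
    # 3. Unknown devices fall back to the per-type default, then the global default.
    $type    = $Request.DeviceType
    $default = if ($Policy.UnknownDeviceDefault.ContainsKey($type)) { $Policy.UnknownDeviceDefault[$type] }
               else { $Policy.UnknownDeviceDefault['Default'] }
    return New-Verdict $default "unknown $type device"
}

$requests | ForEach-Object { Get-SyncDecision -Policy $policy -Request $_ } | Format-Table -AutoSize
```

The precedence order is the point: the non-handheld check runs before the device lookup, so a companion PC cannot borrow a known device's identity to get through, and an empty or unrecognised DeviceId always lands on the unknown-device default rather than on an accidental match.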
Access Control Configurations for Microsoft Exchange

Access control integrates with Microsoft Exchange environments, offering two highly secure configurations. Both configurations avoid communication from the DMZ to the internal network and securely keep your user and device data behind the firewall. The second configuration differs from the first in that it includes an additional proxy server in the internal network.

Figure 2: Configuration 1

1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks over the air with the Microsoft Exchange Server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on the Client Access Server, which is a component of Microsoft Exchange Server. The PowerShell service has a copy of the access control policy list. Based on the list, it forwards the appropriate instruction (allow or deny the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service queries the Afaria server to obtain an updated access control policy list from the Afaria database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the Afaria server.

Figure 3: Configuration 2

1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks over the air with the Microsoft Exchange Server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service of the Afaria filter resides on a server that is a proxy to the Client Access Server. The PowerShell service has a copy of the access control policy list. Based on the list, it forwards the appropriate instruction (allow or deny the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service queries the Afaria server to obtain an updated access control policy list from the Afaria database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the Afaria server.

If it is acceptable and preferred to have incoming client connections, user data, and device data on the same server, install both the ISAPI filter and the PowerShell service as a unified component on a single server.

Access Control Configurations for IBM Lotus Domino

Access control integrates with IBM Lotus Domino environments, offering two highly secure configurations. Both configurations avoid communication from the DMZ to the internal network and securely keep your user and device data behind the firewall. The second configuration differs from the first in that it includes an additional proxy server in the internal network.

Figure 4: Configuration 1

1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks over the air with the IBM Lotus Domino e-mail server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on the e-mail server. The PowerShell service has a copy of the access control policy list. Based on the list, it forwards the appropriate instruction (allow or deny the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service queries the Afaria server to obtain an updated access control policy list from the Afaria database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the Afaria server.

Figure 5: Configuration 2

1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks over the air with the IBM Lotus Domino e-mail server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on a server that is a proxy to the e-mail server. The PowerShell service has a copy of the access control policy list. Based on the list, it forwards the appropriate instruction (allow or deny the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service queries the Afaria server to obtain an updated access control policy list from the Afaria database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the Afaria server.

If it is acceptable and preferred to have incoming client connections, user data, and device data on the same server, install both the ISAPI filter and the PowerShell service as a unified component on a single server.

Setting Up Access Control for Email

Set up access control by preparing devices, configuring the Afaria filter listener, and installing the ISAPI and PowerShell components of the Afaria filter.

Prerequisites

Choose the configuration to use for access control.

Task

1. Prepare supported devices by enrolling them in Afaria Device Management.
2. On the Afaria Administrator, configure settings for the Afaria filter listener.
3. Install the ISAPI filter and its associated PowerShell proxy service.
4. Install the PowerShell service component.
5. On the Afaria Administrator, define the access control policy for each device type and for known and unknown devices. On the Home page Server tile, click Configuration and navigate to the Component > Access Control Option page. The default access control policy for all known devices is to always allow synchronization requests.

The policies for access control for known and unknown devices go into effect, and the devices you prepared are identified as known devices.

To add the optional relay server to your configuration, see Installing Afaria > Setting Up Relay Server > Configuring Relay Server for Access Control.

See also
Creating a Domain User Account for Operating Afaria on page 23
Launching the Relay Server Outbound Enabler on page 117

Configuring the Afaria Filter Listener

Define the parameters of the Afaria filter listener, including the protocol type and port number used for connections. The Afaria filter listener resides on the Afaria Server and, upon request, provides the PowerShell service component of the Afaria filter with a refreshed client and policy list.

1. On the Afaria Administrator, select Configuration in the Server tile and navigate to the Server > Access Control Server page.
2. If using HTTP, select Use HTTP on port and enter the port number for listening to requests. Ensure that the port does not conflict with any other ports that the Afaria server uses.
3. If using HTTPS, select Use HTTPS on port and define the parameters of the HTTPS connection.
   a) Enter the port number for listening to requests. Ensure that the port does not conflict with any other ports that the Afaria server uses.
   b) Enter the HTTPS host name or the IP address that the PowerShell service component of the Afaria filter uses to reach the Afaria server.
   c) Click Browse to select the host's SSL certificate. The certificate must reside in the Afaria server's personal certificate store.
4. Click Save and restart the Afaria server service.
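Step 3 above ties an HTTPS host name to a certificate in the server's personal store; the same pairing is required for the enrollment server, CA and package server addresses once "Use HTTPS" is selected for them. This added example (not from the guide) checks the pairing from the outside the way a client would: it connects to the listener, reads the certificate it presents, and reports whether the configured host name appears in the certificate's CN or subject alternative names and whether the chain is trusted on the machine running the check. The host name and port are placeholders; run it from the server that hosts the PowerShell service component, since that is the client whose trust store matters here.

```powershell
# Added example, not from the Afaria guide: connect to an HTTPS listener, read
# the certificate it presents, and report (a) whether the configured host name
# is on the certificate and (b) whether the chain is trusted on this machine.
# Host and port below are placeholders.

$targetHost = 'afaria.example.com'   # placeholder: the address as entered in Afaria Administrator
$targetPort = 443                    # placeholder: the <Address>[:<port>] suffix, if any

function Get-CertificateNames {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders
    # it as e.g. "DNS Name=afaria.example.com, IP Address=10.0.0.5" on English Windows
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += $san.Format($false).Split(',') |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    return $names
}

function Test-HostNameMatch {
    param([Parameter(Mandatory)] [string] $HostName, [string[]] $Names)
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        # Minimal wildcard support: *.example.com matches exactly one extra label
        if ($n.StartsWith('*.') -and
            $HostName.Split('.').Count -eq $n.Split('.').Count -and
            $HostName -like "*$($n.Substring(1))") { return $true }
    }
    return $false
}

function Get-TlsEndpointReport {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $state = @{ PolicyErrors = 'NotChecked' }
    # Record the validation outcome instead of aborting the handshake, so the
    # report can show why a real client would reject this endpoint.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            # The host name passed here is sent as SNI and used for name validation
            $ssl.AuthenticateAsClient($HostName)
            $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $names  = Get-CertificateNames -Cert $remote
            [pscustomobject]@{
                Endpoint      = "${HostName}:${Port}"
                Protocol      = $ssl.SslProtocol
                Subject       = $remote.Subject
                Issuer        = $remote.Issuer
                NotAfter      = $remote.NotAfter
                DaysRemaining = [int]($remote.NotAfter - (Get-Date)).TotalDays
                NamesOnCert   = ($names -join ', ')
                HostNameMatch = Test-HostNameMatch -HostName $HostName -Names $names
                ChainTrusted  = ($state.PolicyErrors -eq 'None')
                PolicyErrors  = $state.PolicyErrors
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

$report = Get-TlsEndpointReport -HostName $targetHost -Port $targetPort
$report | Format-List
if (-not $report.HostNameMatch) { Write-Warning 'Configured address is not on the certificate; clients will fail name validation.' }
if (-not $report.ChainTrusted)  { Write-Warning "Chain not trusted on this machine: $($report.PolicyErrors)" }
```

Run it once against the IP address and once against the fully qualified name if both are in use: a certificate issued only for the name fails the IP check, which is exactly the mismatch the "as declared on the associated SSL certificate" wording in each HTTPS task is warning about. A RemoteCertificateChainErrors result means the client machine, not the server, is missing the issuing CA in its trusted store.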
Installing the ISAPI Filter Component

Install the ISAPI filter component of the Afaria filter on the server that accepts inbound requests from mobile devices.

Prerequisites
Verify that Microsoft PowerShell is installed on the system where the ISAPI filter will reside.

Task
The ISAPI filter must reside on the server that accepts inbound client requests. For greater security, install the ISAPI filter and its associated PowerShell proxy service on a supported proxy server located in your DMZ. The ISAPI filter is removable.

1. From the Afaria installation image, copy one of these folders:
   - If you have a 32-bit operating system, ISAPI.
   - If you have a 64-bit operating system, ISAPI_x64.
2. Store the folder in a temporary directory on the local drive.
3. Open the folder and run the setup executable file to open the Afaria Filter Setup program wizard.
4. Select installation type ISAPI filter and PowerShell proxy service.
5. Follow the installation wizard until the installation is complete. The wizard includes these primary pages:
   - Blocking Options: defines whether to block or allow synchronization requests that are initiated from sources other than handheld synchronization clients.
   - Proxy Settings: the address for the current server and the port designated for the PowerShell proxy service to accept an incoming connection from the server that is planned to host the filter's PowerShell service component.
6. (Optional) Verify the installation of the ISAPI filter:
   - If you installed the filter on a Microsoft Forefront Threat Management Gateway, open the management console, select System > Web Filters, and verify that the Web filter or add-in XSISAPI Filter is present.
   - If you installed the filter on a Microsoft Internet Security and Acceleration Server, open the management console, select ServerName > Configuration > Add-ins > Web Filters, and verify that the Web filter or add-in XSISAPI Filter is present.
   - In a Microsoft Exchange environment, open the IIS Server's default Web site, select Properties > ISAPI filters, and verify that XSISAPI.DLL is present.
7. (Optional) Verify the installation of the associated PowerShell proxy service by opening the Microsoft Management Console and observing that the service XSISAPI Reverse Pipe Service is present and started.

Installing the PowerShell Service Component

Install the PowerShell service component of the Afaria filter on a server that can initiate an outbound connection to the Afaria server.

Prerequisites
Verify that Microsoft PowerShell and Microsoft Data Access Components (MDAC) are installed on the system where the PowerShell service component will reside.

Task
The PowerShell component must reside on a server that can initiate an outbound connection to the Afaria server and to the server where you installed the ISAPI filter component. Install the component on a server within your enterprise firewall, because it manipulates user and device data from the Afaria environment. The PowerShell service component is removable.

1. From the Afaria installation image, copy one of these folders:
   - If you have a 32-bit operating system, ISAPI.
   - If you have a 64-bit operating system, ISAPI_x64.
2. Store the folder in a temporary directory on the local drive.
3. Open the folder and run the setup executable file to open the Afaria Filter Setup program wizard.
4. Select installation type PowerShell service only.
5. Follow the installation wizard until the installation is complete. The wizard includes these primary pages:
   - Proxy Settings: the address for the server hosting the ISAPI filter component and the associated PowerShell proxy service.
   - Server Settings: the address for the Afaria server.
   - Specify Credentials: the account name and password that runs the installed service.
   Note: The user account whose credentials you supply for running the filter's PowerShell component must be a member of the same domain as the e-mail server. If it is not, contact Sybase Customer Service and Support for assistance.
6. (Optional) Verify the installation of the PowerShell service by opening the Microsoft Management Console and observing that the service XSISAPI is present and started.

Files Installed with and Generated by the Afaria Filter

Files installed with the Afaria filter, and files generated during access control operations.

Files Installed with the PowerShell Service Component
Installing the PowerShell service component of the Afaria filter adds these files:
- AfariaISAPIFilterUninstall.ini
- AfariaIsapiSetup.exe
- XSISAPIReversePipe.exe
- XSSrvAny.exe
- PipeServer.ps1
- HTTPSClient.ps1
If you are using the 64-bit version of the PowerShell component, the files are installed in C:\Windows\SysWOW64\inetsrv. If you are using the 32-bit version, the files are installed in C:\WINDOWS\system32\inetsrv.

Files Installed with the ISAPI Filter Component
Installing the ISAPI filter component of the Afaria filter adds these files in C:\WINDOWS\system32\inetsrv:
- AfariaISAPIFilterUninstall.ini
- AfariaISAPIFilter.exe
- XSISAPI.dll
- XSISAPIReversePipe.exe
- XSSrvAny.exe
If you installed both components of the Afaria filter on the Exchange Server's IIS Server, the files are added to IIS_InstallDir and IIS_InstallDir\bin.

Files Generated During Access Control Operations
The executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In turn, each of these creates an event in the Windows Application Event log. The entries indicate the start action and its log file location. Consider this example event log entry:

XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.
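The optional verification steps above (service present and started in the Management Console) and the start-up event entries just described can be checked from one script. The following PowerShell is an added example, not part of the Afaria documentation: it looks up the two filter services, prints the logon account of XSISAPI so the domain requirement in the Note can be confirmed, and extracts each log file path from the Application log with a regular expression built from the sample entry above. That regular expression, and the 2000-entry window it searches, are assumptions about how every start-up entry is worded.

```powershell
# Added example, not from the Afaria documentation. Run on the host where you
# installed a filter component. Service names are the ones the guide tells you
# to look for in the Management Console; the regular expression is built from
# the sample event log entry above and is an assumption about the wording of
# every start-up entry.

# 1. Services: XSISAPI (PowerShell service) and XSISAPI Reverse Pipe Service
#    (proxy service beside the ISAPI filter). Only the component installed on
#    this host is expected to be present.
foreach ($name in 'XSISAPI', 'XSISAPI Reverse Pipe Service') {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    if (-not $svc)                 { Write-Host "${name}: not installed on this host"; continue }
    if ($svc.Status -ne 'Running') { Write-Warning "$name is $($svc.Status), expected Running" }
    else                           { Write-Host "${name}: running" }
}

# 2. The account running XSISAPI must belong to the e-mail server's domain (see
#    the Note above); show it so it can be checked against that domain.
$xs = Get-WmiObject Win32_Service -Filter "Name='XSISAPI'"
if ($xs) { Write-Host "XSISAPI logs on as $($xs.StartName)" }

# 3. Locate the log files from the start-up entries that XSSrvAny.exe's scripts
#    write to the Application log, then show their age and last lines.
$pattern = 'XSISAPI PowerShell (.+?) was successfully started\. Logfile is (.+?\.txt)'
$starts = Get-EventLog -LogName Application -Newest 2000 |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern)
        New-Object PSObject -Property @{
            When      = $_.TimeGenerated
            Component = $m.Groups[1].Value      # e.g. "HTTPS Client"
            LogFile   = $m.Groups[2].Value
        }
    } |
    Sort-Object Component, When -Descending |
    Group-Object Component | ForEach-Object { $_.Group[0] }   # newest entry per component

if (-not $starts) { Write-Warning 'no XSISAPI start-up entries found in the Application log' }
foreach ($s in $starts) {
    if (Test-Path $s.LogFile) {
        $age = (Get-Date) - (Get-Item $s.LogFile).LastWriteTime
        Write-Host ("{0}: started {1}, log {2}, last written {3:N0} minutes ago" -f $s.Component, $s.When, $s.LogFile, $age.TotalMinutes)
        Get-Content $s.LogFile | Select-Object -Last 5
    } else {
        Write-Warning "$($s.Component): log file $($s.LogFile) from the start-up entry does not exist"
    }
}
```

A log file that exists but has not been written for longer than the retry rate configured on the Afaria Administrator is the practical sign that the PowerShell service is no longer reaching the Afaria filter listener, even while the service itself still reports Running.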
Afaria filter operations use and generate the following files on your IIS Server. The path for the files is described in the PipeServer.ps1 and HTTPSClient.ps1 start-up Windows Application Event log entries.
- Devices.xml: list of Afaria Exchange access control clients known and managed by Afaria synchronization policies. (Temporary file)
- NewDevices.xml: iOS or Android devices that have connected to the Exchange Server for synchronization must send a unique Exchange identifying value to the Afaria server.
- HTTPS.txt: log file for HTTPSClient.ps1 operations. List of connections from the IIS Server by the Afaria polling agent, back to the Afaria server to refresh the Devices.xml list.
- Pipe.txt: log file for PipeServer.ps1 operations. List of client synchronization requests indicating synchronization status, 1 for allowed or 0 for denied.

Self-Service Portal (Optional)

Self-Service Portal (SSP) allows end users to enroll their device in Afaria management, view their device information, and issue commands, such as password reset. The portal is for deployment inside the enterprise network with a Microsoft Forefront Threat Management Gateway instance in the DMZ configured to accept device connections and pass traffic to the portal.

Note: For iOS devices using a non-custom version of the Afaria Client (obtained from the App Store), the portal is the only method of obtaining iOS Enterprise Applications marked as Optional. The Afaria Client does not display iOS Enterprise Applications on the apps tab, but will prompt the user to install any Required Enterprise Applications.

Preparing to Install Self-Service Portal

Configure tenants and enrollment policies prior to installing the portal.
1. Refer to the document Administration Reference for tenant and enrollment policy configuration information.
2. Add and configure the applicable tenants.
3. Set up enrollment policies for tenants.
The portal displays enrollment codes and associated information during the installation. Expired or disabled codes do not display.

See also
- Creating a Domain User Account for Operating Afaria on page 23

Installing the Self-Service Portal

Install one or more portals in the enterprise network. To separate tenants, or to associate different enrollment codes with different groups of users, install more than one portal on a server.

Prerequisites
Prepare your Afaria server configuration and environment prior to installing the portal, including defining tenants and configuring enrollment policies.

Task
Consider these items when installing the portal:
- The portal is for deployment inside the enterprise network with a Microsoft Forefront Threat Management Gateway instance in the DMZ configured to accept device connections and pass traffic to the portal.
- You can install the portal on a server without any other Afaria components.
- The portal can co-exist with the Afaria server.
- The portal can co-exist with the Afaria Administrator server, package server, or enrollment server; however, uninstalling any one of those servers also removes the portal.
- If you plan to install using LDAP authentication, rather than Windows integrated authentication, the installing domain user account must have Active Directory access account permissions for ongoing operations. It is recommended that you use a dedicated domain user account for this purpose.
- To change a portal's authentication type, reinstall the portal and select the other type. If changing to LDAP, ensure that the installing user credentials meet the LDAP user account requirements.

1. On the planned server, from the release image's EUSSP folder, start the setup program (setup.exe).
2. On the Authentication Method page, select a method for authenticating users that connect to the portal.
   - Windows: Windows integrated authentication, as a property of IIS operations.
     The user is prompted on the device for user credentials. The appropriate entry may vary by network environment, but is often formed as <Domain>\<UserName> or just <UserName>. Valid for connecting iOS devices and Windows computers.
   - LDAP: the user is prompted on the portal's default page for user name and password. Valid for connecting Android, BlackBerry, or iOS devices, and Windows computers.
   Note: You can use a Windows computer to help enroll a Windows Mobile device, but you cannot connect a Windows Mobile device to the portal.
3. On the Specify Server Address page, define the address for the Afaria server.
4. On the Specify Afaria API Server Address page, define the address for the Afaria Administrator server with the port for the API server, and enter the API service credentials. The API server resides on the Afaria Administrator server. The default port for the API server is 7982.
5. On the Enrollment Code page, select one tenant for the installation, and select one policy/code pair for each device type that you plan to support.
6. Follow the setup wizard to completion.
7. Verify that the correct enrollment codes appear in the web.config file located in the Afaria installation directory at C:\Program Files (x86)\AfariaEUSSP\[Your EUSSP]\web.config:

   <add key="EUSSPRegPath" value="EUSSP\eussp"/>
   <add key="iOSCode" value=""/>
   <add key="AndroidCode" value=""/>
   <add key="WMProCode" value=""/>
   <add key="WMStdCode" value=""/>
   <add key="WMCECode" value=""/>
   <add key="Win32Code" value=""/>

Afaria Self-Service Portal Address

The address for end users to access the portal uses the portal's server address and the virtual directory you define during installation. To use a different enrollment code, you can add the code to the address.

You can inspect the codes that you selected during a portal installation by opening the Web site's configuration file, web.config.
Look in the <configuration> element for the <add> element with attribute key="EUSSPRegPath". For example:

<add key="EUSSPRegPath" value="EUSSP\sspdla"/>
<add key="iOSCode" value="tc8bnyvk"/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>

The portal address for using an enrollment code that you selected during the portal installation uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>
For example:
- HTTP://portal.company.com/ssp
- HTTP://63.176.1.74/ssp14
- HTTPS://portal.company.com/sspsales

The portal address for using an enrollment code other than the one you selected during the portal installation uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>/<TypeCode><EnrollmentCode>
using these device type codes:
- a: Android
- b: BlackBerry
- i: iOS
- p: Windows Mobile Pro
- s: Windows Mobile Standard
For example:
- For an Android code: HTTP://portal.company.com/ssp/agclpfzjs
- For an iOS code: HTTP://63.176.1.74/ssp14/itc8bnyvk
- For a Windows Mobile Smartphone code: HTTPS://portal.company.com/sspsales/stcthxyrk

Configuring Afaria Server for Self-Service Portal Request Timeout

Configure the Afaria server to limit the amount of time SSP users have to complete device enrollment, once started. You may have already configured this setting when configuring for enrollment server.
1. On the Server page, click the Configuration icon on the left toolbar, expand the Server list, and select Enrollment Code.
2. In the Self-service portal enrollment requests area, set a time window, and click Save. The default timeout is one hour.

Editing Enrollment Codes for Self-Service Portal

Edit existing or add new enrollment codes directly in the web.config file without uninstalling the portal.
1. Open the web.config file located in the Afaria installation directory at C:\Program Files (x86)\AfariaEUSSP\[Your EUSSP].
2.
In the EUSSPRegPath value line, edit, delete, or change the applicable enrollment codes.

<add key="EUSSPRegPath" value="EUSSP\eussp"/>
<add key="iOSCode" value=""/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>

Relay Server

The Afaria solution supports using a relay server to operate as a proxy for HTTP and HTTPS sessions between Afaria server components and devices.

Note: Use of a relay server is not a requirement; it is bundled with the Afaria product on the product installation image as an optional component.

A relay server lets you further secure your enterprise network by moving the session connection point from within your firewall to your demilitarized zone (DMZ). When you use a relay server, devices and Afaria server components never make a direct connection. The relay server transfers session traffic from devices to the component, and from the component to the devices. The Afaria server component initiates an outbound connection through the enterprise firewall to the relay server, then waits for the relay server to send session traffic. Devices initiate a connection to the relay server, as if it were an Afaria server component, and maintain their session with the relay server, which continues to relay traffic until the session is complete. This is what moves the connection point into the DMZ: the only connection that crosses the enterprise firewall is the one the component opens outbound.

The relay server component may be a single server or it may be a load-balanced server farm. Afaria supports using the relay server with any of these Afaria server components:
- Afaria server
- Enrollment server
- iOS certificate authority
- Afaria filter used in Access Control for Email
- Package server
- Application Onboarding certificate authority
An Afaria server component may be a single server or a farm. You can configure relay servers to support more than one Afaria server component. The Sybase iAnywhere relay server is designed as a scalable solution to support a number of Sybase server-based solutions. Afaria is just one example of a supported solution.

See also
- Installing Enrollment Server - Basic on page 57
- Configuring Afaria Server for Package Server on page 72
- Configuring Relay Server for Access Control on page 114
- Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections on page 69

Relay Server Executable Components

Relay server operations include two main executable components: the relay server host and the relay server outbound enabler.
- Relay server host (rshost.exe): the host resides on the relay server and is responsible for accepting a single inbound connection from the outbound enabler, accepting multiple inbound connections from Afaria devices, and handling the associated processes that occur on the relay server for Afaria sessions. Install the relay server using files available on the Afaria product image. Define its configuration settings by modifying a sample configuration file.
- Relay server outbound enabler (rsoe.exe): the outbound enabler is the relay agent on the Afaria server component and is responsible for initiating an outbound connection with the relay server. The Afaria setup program automatically installs the outbound enabler on the Afaria server. To support components other than the Afaria server, copy the rsoe.exe binary to those components. Define the relay server outbound enabler configuration settings using the Afaria Administrator.
Afaria devices include configuration settings for using a relay server but do not require a separate executable component.

Setting Up the Relay Server for Basic Operations

To use the relay server to increase your enterprise network security, you must set up the relay server for basic operations before you configure it to support any server components.
Setting Up the Relay Server for Basic Operations with IIS 7.5

For planned relay servers running Windows Server 2008 R2 (x64) with Internet Information Services (IIS) 7.5, set up the relay server for basic operations before you configure it to support any server components.
1. Copying Relay Server Files: copy the relay server files from the Afaria product image to the machine where the relay server will be installed.
2. Configuring IIS 7.5 for Relay Server Basic Operations: to set up the relay server for basic operations, configure IIS on your relay server.
3. Editing the Relay Server Configuration File: edit the relay server configuration file to configure the relay server's basic operations.
4. Installing the Relay Server Host as a Windows Service: install the relay server host as a Windows service by running a service utility available in the relay server installation folder.

Copying Relay Server Files

Copy the relay server files from the Afaria product image to the machine where the relay server will be installed.
1. On the machine where you plan to install the relay server, create a new folder named RelayServer. Its path becomes your relay server installation path, for example, C:\Program Files\RelayServer.
2. On the Afaria product image, navigate to: <product image>\relay_server\64 Bit\ias_relay_server.
3. Copy the folder ias_relay_server from the product image to your relay server installation path. Ensure that you copy the folder, rather than just the files in the folder.

Configuring IIS 7.5 for Relay Server Basic Operations

To set up the relay server for basic operations, configure IIS on your relay server.
Prerequisites
From the Server Manager utility of your relay server, verify that these roles and features are installed:
- IIS Web Server Service
- Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors
- ISAPI Extensions
- HTTP Logging
- Request Monitor
- Request Filtering
- Static Content Compression
- IIS Management Console
- IIS Management Scripts and Tools
- IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools, IIS 6 Management Console
Install any missing items.

Task
Complete the following tasks to configure IIS 7.5 for relay server basic operations.

See also
- Editing the Relay Server Configuration File on page 97

Creating a Relay Server Application Pool on IIS 7.5

Use your relay server's IIS manager utility to create an IIS application pool for relay server operations.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and double-click Internet Information Services (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName > Application Pools.
3. Right-click Application Pools and select Add Application Pool.
4. Add an application pool with these attributes:
   - Name: RelayServer
   - .NET Framework version: .NET Framework v2.0.50727
   - Managed pipeline mode: Integrated
   - Start application pool immediately: selected
   The list of application pools shows the RelayServer application pool.
5. Right-click the newly created application pool and select Advanced Settings.
   Set these properties:
   - General > Queue Length: 65535
   - CPU > Limit Interval (minutes): 0
   - Process Model > Identity: ApplicationPoolIdentity
   - Process Model > Idle Time-out (minutes): 0
   - Process Model > Maximum Worker Processes: 20
   - Process Model > Ping Enabled: false
   - Process Model > Ping Maximum Response Time (seconds): 90
   - Process Model > Ping Period (seconds): 30
   - Rapid-Fail Protection > Enabled: false
   - Recycling > Disable Overlapped Recycle: true
   - Recycling > Regular Time Interval (minutes): 0

Creating a Web Application for the Relay Server on IIS 7.5

Use the IIS 7.5 manager utility to create a Web application for the relay server. You can create the Web application for your relay server under the root directory of either the default Web site or a custom Web site. The custom Web site must use a different port than the default Web site.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and double-click Internet Information Services (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName > Sites.
3. Right-click the Web site you want to use (either default or custom) and select Add Application.
4. Add a Web application with these attributes:
   - Alias: ias_relay_server
   - Application pool: RelayServer
   - Physical path: <relay server installation path>\ias_relay_server
   The Web application ias_relay_server is listed under the root directory of the Web site you chose.
5. Edit the Request Filtering settings for the ias_relay_server Web application.
   a) In the Connections pane, highlight the ias_relay_server application.
   b) In the IIS group, double-click Request Filtering.
   c) In the Actions pane, click Edit Feature Settings and edit these attributes:
      - Maximum allowed content length (bytes): 2147483647
      - Maximum query string (bytes): 65536
6. Edit the permissions for the ias_relay_server Web application.
   a) In the Connections pane, highlight the ias_relay_server application.
   b) In the IIS group, double-click Handler Mappings.
   c) In the Actions pane, click Edit Feature Permissions and ensure that only Script and Execute are selected.
7. Verify that the ias_relay_server Web application does not require SSL.
   a) In the Connections pane, highlight the ias_relay_server application.
   b) In the IIS group, double-click SSL Settings and ensure that Require SSL is not selected.

Adding ISAPI Extensions for Relay Server Operations

Use the IIS 7.5 manager utility to add two ISAPI extensions to your server to handle requests from devices and the Afaria server.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and double-click Internet Information Services (IIS) Manager.
2. On the Connections pane of the IIS manager utility, highlight the machine name where the relay server resides.
3. In the IIS group, double-click ISAPI and CGI Restrictions.
4. In the Actions pane, click Add to add two ISAPI restrictions with these settings:
   - ISAPI or CGI Path: <relay server installation path>\ias_relay_server\server\rs_server.dll; Description: RS Server DLL; Allow extension path to execute: selected
   - ISAPI or CGI Path: <relay server installation path>\ias_relay_server\client\rs_client.dll; Description: RS Client DLL; Allow extension path to execute: selected
   The two ISAPI restrictions you added are listed in the ISAPI and CGI Restrictions list of your server.

Updating the Relay Server IIS Configuration

Run the adsutil.vbs script to update the IIS server configuration.
1. From a command prompt running with administrator privileges, navigate to the directory where the adsutil.vbs script is located, for example, C:\Inetpub\AdminScripts.
2. To run the script, issue:
   cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0
   where <Web Site ID> is the ID of the Web site used for the relay server. If you use the default Web site, the ID is 1.
   The command returns the current value of the uploadreadaheadsize property and updates the IIS configuration.

See also
- Adding Web Service Extensions on IIS 6.0 on page 103

Editing the Relay Server Configuration File

Edit the relay server configuration file to configure the relay server's basic operations. A sample configuration file is provided with the relay server files that you copied from your Afaria product image.
1. Find the sample configuration file rs.config, located in <relay server installation path>\ias_relay_server\server.
2. Use a text editor to make the appropriate changes to the [options] and [relay_server] sections in the configuration file.
   Note: The configuration file can contain only ASCII characters.
3. Save the edits.
4. Restart the relay server host.

See also
- Configuring IIS 7.5 for Relay Server Basic Operations on page 93
- Installing the Relay Server Host as a Windows Service on page 99
- Configuring IIS 6.0 for Relay Server Basic Operations on page 100

Configuration File Definitions for Basic Operations with IIS 7.5

The relay server configuration file rs.config consists of several sections. Use sections [options] and [relay_server] for relay server basic operations. The remaining sections are for supported server components.

[options]: general options for relay server operations.
- start: set the value to auto to automatically start the relay server engine when an Afaria server connects successfully. For Windows Server 2008 R2 (IIS 7.5), this value is normally set to no when the relay server is installed as a Windows service.
- verbosity: controls the level of logging. Logs always include errors. Log levels 1 to 5 always include warnings.
  - 0: no logging.
  - 1: session-level logging.
  - 2: request-level logging.
  - 3: packet-level logging, terse.
  - 4: packet-level logging, verbose.
  - 5: transport-level logging.

[relay_server]: identifies your relay server and its respective ports for HTTP and HTTPS communications.
The relay server's ports must match the IIS server ports.
- enable: controls whether the relay server operates. yes: operate. no: do not operate.
- host: relay server IP address or host name. The IP address must be the internal IP address or DNS name that can be reached by the Afaria server or other supported server components.
- http_port: TCP port matching the relay server's IIS setting for HTTP communications. The port must be the internal TCP port that can be reached by the Afaria server or other supported server components.
- https_port: set the value to match the relay server's IIS setting for SSL communications.
- description: user-defined description.
Note: Values are case-sensitive.

Sample section of a relay server configuration file showing settings for basic operations:

#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = no
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order:
#   SATMP
#   TMP
#   TMPDIR
#   TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm

Restart the relay server engine (rshost.exe) any time you make changes to the configuration file.

Installing the Relay Server Host as a Windows Service

Install the relay server host as a Windows service by running a service utility available in the relay server installation folder.

Prerequisites
In the [options] section of the relay server configuration file, set the value of start to no.

Task
The relay server installation folder includes dbsvc.exe, a service utility that installs the relay server host as a Windows service. Use the same utility to uninstall the service.
1.
On the machine where you installed the relay server, execute this command at a command prompt running with administrator privileges:

"<installation directory>\ias_relay_server\server\dbsvc.exe" -as -s auto -sn RelayServer -w RelayServer "<installation directory>\ias_relay_server\server\rshost.exe" -q -f "<installation directory>\ias_relay_server\server\rs.config" -o "<installation directory>\ias_relay_server\server\log.txt"

For a complete list of the service utility's command line switches, execute "<installation directory>\ias_relay_server\server\dbsvc.exe" with no arguments. The command prompt displays a line confirming that the "RelayServer" service was successfully created, and RelayServer appears in the list of Windows services.
2. Change the logon account of the newly created "RelayServer" service from Local System to an account that is a member of the local Administrators group.

Next
To uninstall the "RelayServer" Windows service, execute this command at a command prompt running with administrator privileges:

"<installation directory>\ias_relay_server\server\dbsvc.exe" -d RelayServer

See also
- Editing the Relay Server Configuration File on page 97

Setting Up the Relay Server for Basic Operations with IIS 6.0

For planned relay servers running Microsoft Internet Information Services (IIS) 6.0, set up the relay server for basic operations before you configure it to support any server components.
1. Copying Relay Server Files: copy the relay server files from the Afaria product image to the planned relay server to make them available for use.
2. Configuring IIS 6.0 for Relay Server Basic Operations: setting up the relay server for basic operations requires configuring the IIS of your relay server.
3. Editing the Relay Server Configuration File: edit the relay server configuration file to configure the relay server's basic operations.
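The IIS 7.5 procedure above (application pool, ias_relay_server Web application, request filtering limits, handler permissions, no SSL requirement, the two ISAPI and CGI restrictions, uploadreadaheadsize, and the dbsvc.exe service installation with a non-Local System logon account) can be run unattended. The following PowerShell is an added example, not part of the Afaria documentation or of the relay server's own tooling: it uses the WebAdministration module that ships with IIS 7.5 and calls the guide's own adsutil.vbs and dbsvc.exe commands. The installation path C:\Program Files\RelayServer, the use of the default Web site (ID 1), the location of AdminScripts, and the service account you are prompted for are assumptions; rs.config must already be edited as described above. The script first checks rs.config for the two things the guide requires (ASCII only, start = no) and that http_port matches the site's HTTP binding.

```powershell
# Added example, not from the Afaria documentation. Run in an elevated
# PowerShell on the planned relay server (Windows Server 2008 R2, IIS 7.5).
# Install path, site name, site ID and the service account are assumptions;
# rs.config must already be edited as described above.
Import-Module WebAdministration

$InstallRoot = 'C:\Program Files\RelayServer'   # assumed relay server installation path
$RsRoot      = Join-Path $InstallRoot 'ias_relay_server'
$RsServer    = Join-Path $RsRoot 'server'
$SiteName    = 'Default Web Site'                # assumed; its Web Site ID is 1 per the guide
$SiteId      = 1
$PoolName    = 'RelayServer'
$AppLocation = "$SiteName/ias_relay_server"      # location path used for per-application settings

# 0. Sanity checks on rs.config before anything is installed: ASCII only,
#    start = no (required for the Windows service), http_port equal to the
#    site's HTTP binding (the relay server's ports must match IIS).
$cfg = Get-Content -Path (Join-Path $RsServer 'rs.config')
if ($cfg -match '[^\x00-\x7F]')                  { throw 'rs.config must contain only ASCII characters' }
if (-not ($cfg -match '^\s*start\s*=\s*no\s*$')) { throw 'set start = no in [options] before installing the service' }
$cfgPort = $cfg | ForEach-Object { if ($_ -match '^\s*http_port\s*=\s*(\d+)') { [int]$Matches[1] } } | Select-Object -First 1
$binding = Get-WebBinding -Name $SiteName -Protocol http | Select-Object -First 1
$iisPort = [int](($binding.bindingInformation -split ':')[1])   # bindingInformation is "<ip>:<port>:<host>"
if ($cfgPort -ne $iisPort) { throw "http_port $cfgPort in rs.config does not match the IIS HTTP binding port $iisPort of '$SiteName'" }

# 1. Application pool with the settings listed under Advanced Settings.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
$pool = "IIS:\AppPools\$PoolName"
Set-ItemProperty $pool -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty $pool -Name managedPipelineMode   -Value 'Integrated'
Set-ItemProperty $pool -Name queueLength           -Value 65535
Set-ItemProperty $pool -Name cpu.resetInterval     -Value '00:00:00'
Set-ItemProperty $pool -Name processModel.identityType      -Value 'ApplicationPoolIdentity'
Set-ItemProperty $pool -Name processModel.idleTimeout       -Value '00:00:00'
Set-ItemProperty $pool -Name processModel.maxProcesses      -Value 20
Set-ItemProperty $pool -Name processModel.pingingEnabled    -Value $false
Set-ItemProperty $pool -Name processModel.pingResponseTime  -Value '00:01:30'
Set-ItemProperty $pool -Name processModel.pingInterval      -Value '00:00:30'
Set-ItemProperty $pool -Name failure.rapidFailProtection    -Value $false
Set-ItemProperty $pool -Name recycling.disallowOverlappingRotation -Value $true
Set-ItemProperty $pool -Name recycling.periodicRestart.time -Value '00:00:00'

# 2. Web application ias_relay_server under the chosen site, then request
#    filtering limits, handler permissions (Script and Execute only) and no
#    SSL requirement. These sections are locked in applicationHost.config by
#    default, so they are written there with a location tag, as IIS Manager does.
if (-not (Test-Path "IIS:\Sites\$SiteName\ias_relay_server")) {
    New-WebApplication -Name 'ias_relay_server' -Site $SiteName -PhysicalPath $RsRoot -ApplicationPool $PoolName | Out-Null
}
$appHost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $appHost -Location $AppLocation -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxAllowedContentLength -Value 2147483647
Set-WebConfigurationProperty -PSPath $appHost -Location $AppLocation -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxQueryString -Value 65536
Set-WebConfigurationProperty -PSPath $appHost -Location $AppLocation -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Script,Execute'
Set-WebConfigurationProperty -PSPath $appHost -Location $AppLocation -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# 3. ISAPI and CGI restrictions for the two relay server DLLs (server-wide).
foreach ($dll in @(@{ Path = "$RsServer\rs_server.dll";       Description = 'RS Server DLL' },
                   @{ Path = "$RsRoot\client\rs_client.dll";  Description = 'RS Client DLL' })) {
    $existing = Get-WebConfiguration -PSPath $appHost -Filter "system.webServer/security/isapiCgiRestriction/add[@path='$($dll.Path)']"
    if (-not $existing) {
        Add-WebConfiguration -PSPath $appHost -Filter 'system.webServer/security/isapiCgiRestriction' -Value @{ path = $dll.Path; allowed = $true; description = $dll.Description }
    }
}

# 4. uploadreadaheadsize = 0, using the guide's adsutil.vbs command (AdminScripts path assumed).
& cscript.exe //nologo "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs" set "w3svc/$SiteId/uploadreadaheadsize" 0

# 5. Install rshost.exe as the RelayServer service with dbsvc.exe, exactly as documented.
& "$RsServer\dbsvc.exe" -as -s auto -sn RelayServer -w RelayServer "$RsServer\rshost.exe" -q -f "$RsServer\rs.config" -o "$RsServer\log.txt"

# 6. Run the service under a member of the local Administrators group instead of
#    Local System. Enter the account as DOMAIN\user or .\user when prompted.
Write-Host 'Enter the logon account for the RelayServer service (member of local Administrators)'
$cred = Get-Credential
$svc  = Get-WmiObject Win32_Service -Filter "Name='RelayServer'"
$rc   = $svc.Change($null, $null, $null, $null, $null, $null, $cred.UserName, $cred.GetNetworkCredential().Password)
if ($rc.ReturnValue -ne 0) { throw "could not change the RelayServer logon account (WMI return code $($rc.ReturnValue))" }
Start-Service -Name RelayServer
```

The rs.config check in step 0 is the part worth keeping even if you configure IIS by hand: a port mismatch between [relay_server] and the site binding, or a non-ASCII character pasted into the description line, produces a relay server that installs cleanly and then never accepts the outbound enabler's connection.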
Copying Relay Server Files

Copy the relay server files from the Afaria product image to the planned relay server to make them available for use.
1. On the Afaria product image, navigate to: <product image>\relay_server\ias_relay_server.
2. Copy the folder ias_relay_server from the product image to the directory of the default Web site of your IIS server. The directory path of the IIS default Web site is C:\Inetpub\wwwroot. Ensure that you copy the folder, rather than just the files in the folder.

Configuring IIS 6.0 for Relay Server Basic Operations

Setting up the relay server for basic operations requires configuring the IIS of your relay server. Complete the following tasks to configure IIS 6.0 for relay server basic operations:
1. Registering the IIS User Account with ASP.NET on IIS 6.0: register the IIS user account on the planned relay server with ASP.NET to assign it appropriate rights for Afaria operations.
2. Creating a Server Application Pool on IIS 6.0: create a server application pool and a server application directory on the planned relay server to process requests from Afaria server components.
3. Creating a Client Application Pool on IIS 6.0: create a client application pool and a client application directory on the planned relay server to process requests from Afaria devices.
4. Adding Web Service Extensions on IIS 6.0: add Web service extensions to identify and allow requests from servers and devices.
5. Updating the Relay Server IIS Configuration: run the adsutil.vbs script to update the IIS server configuration.

See also
- Editing the Relay Server Configuration File on page 97

Registering the IIS User Account with ASP.NET on IIS 6.0

Register the IIS user account on the planned relay server with ASP.NET to assign it appropriate rights for Afaria operations. Afaria operations use the relay server's IIS built-in user account named IUSR_<MachineName> for gaining anonymous access to IIS.
This account must:
- Have access to the IIS metabase and other directories used by ASP.NET
- Be a member of the IIS built-in user group IIS_WPG

1. From the command prompt of the relay server, navigate to: C:\Windows\Microsoft.Net\Framework\<Version>
   If you are operating your IIS server with more than one version of ASP.NET, choose the version that you are using to run your Web site.
2. Execute the ASP.NET registration command with the grant access option:

       aspnet_regiis.exe -ga IUSR_<MachineName>

   The command is an example of the registration command with the grant access option that is valid for ASP.NET 4.0. The command for your version of ASP.NET may differ.

Creating a Server Application Pool on IIS 6.0
Create a server application pool and a server application directory on the planned relay server to process requests from Afaria server components.

1. Create the server application pool.
   a) On the IIS manager utility of your relay server, navigate to Internet Information Service > MachineName > Application Pools.
   b) Right-click the Application Pools folder and select New > Application Pool.
   c) Define the pool ID and click OK.
   d) Assign these properties to the newly created server application pool:
      - Recycling > Recycle worker processes (in minutes): disabled.
      - Performance > Idle timeout: disabled.
      - Performance > Request queue limit: disabled.
      - Performance > Web garden: a minimum of twice the number of servers making requests.
      - Health > Enable pinging: disabled.
      - Health > Enable rapid-fail protection: disabled.
2. Create the server application directory.
   a) On the IIS manager utility of your relay server, navigate to Internet Information Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
   b) Right-click the Server folder and select Properties > Directory.
   c) Click Create and select these application settings:
      - Execute permissions: Scripts and Executables.
      - Application pool: use the ID of the server application pool you created.
   d) Click OK.

Creating a Client Application Pool on IIS 6.0
Create a client application pool and a client application directory on the planned relay server to process requests from Afaria devices.

1. Create the client application pool.
   a) On the IIS manager utility of your relay server, navigate to Internet Information Service > MachineName > Application Pools.
   b) Right-click the Application Pools folder and select New > Application Pool.
   c) Define the pool ID and click OK.
   d) Assign these properties to the newly created application pool:
      - Recycling > Recycle worker processes (in minutes): disabled.
      - Performance > Idle timeout: disabled.
      - Performance > Request queue limit: disabled.
      - Performance > Web garden: at least twice the number of servers making requests, but not fewer than five. You may want to increase the value if device connections are frequently dropped or if devices experience bad throughput during sessions.
      - Health > Enable pinging: disabled.
      - Health > Enable rapid-fail protection: disabled.
2. Create the client application directory:
   a) On the IIS Manager utility of your relay server, navigate to Internet Information Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
   b) Right-click the Client folder and select Properties > Directory.
   c) Click Create and select these application settings:
      - Execute permissions: Scripts and Executables.
      - Application pool: use the pool ID of the client application pool you created.
   d) Click OK.

Adding Web Service Extensions on IIS 6.0
Add Web service extensions to identify and allow requests from servers and devices.

1. Add the Afaria server Web service as a valid extension:
   a) In the IIS Manager utility's left pane, right-click the Web Service Extensions folder.
   b) Select Add a new Web service extension.
   c) Define the Web service extension settings:
      - Extension name: user-defined name for the server extension.
      - Required files: <installation directory>\ias_relay_server\server\rs_server.dll.
      - Set extension status to Allowed: enabled.
   d) Click OK.
2. Add the Afaria Client Web service as a valid extension:
   a) In the IIS Manager utility's left pane, right-click the Web Service Extensions folder.
   b) Select Add a new Web service extension.
   c) Define the Web service extension settings:
      - Extension name: user-defined name for the client extension.
      - Required files: <installation directory>\ias_relay_server\server\rs_client.dll.
      - Set extension status to Allowed: enabled.
   d) Click OK.

Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configurations.

1. From a command prompt running with administrator privileges, navigate to the directory where the adsutil.vbs script is located, for example, C:\Inetpub\AdminScripts.
2. To run the script, issue:

       cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0

   where <Web Site ID> is the ID of the Web site used for the relay server. If you use the default Web site, the ID is 1.

The command returns the current value of the uploadreadaheadsize variable and updates the IIS configurations.

See also
Adding Web Service Extensions on IIS 6.0 on page 103

Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.

A sample configuration file is provided with the relay server files that you copied from your Afaria product image.

1. Find the sample configuration file rs.config, located in <relay server installation path>\ias_relay_server\server.
2. Use a text editor to make appropriate changes to the [options] and [relay_server] sections in the configuration file.
   Note: The configuration file can contain only ASCII characters.
3. Save the edits.
4. Restart the relay server host.
See also
Configuring IIS 7.5 for Relay Server Basic Operations on page 93
Installing the Relay Server Host as a Windows Service on page 99
Configuring IIS 6.0 for Relay Server Basic Operations on page 100

Configuration File Definitions for Basic Operations
The relay server configuration file rs.config consists of several sections. Use sections [options] and [relay_server] for relay server basic operations. The remaining sections are for supported server components.

[options] - general options for relay server operations.
  start - set value to auto to automatically start the relay server engine when an Afaria server connects successfully.
  verbosity - controls the level of logging. Logs always include errors. Log levels 1-5 always include warnings.
    0 - no logging.
    1 - session-level logging.
    2 - request-level logging.
    3 - packet-level logging, terse.
    4 - packet-level logging, verbose.
    5 - transport-level logging.

[relay_server] - identifies your relay server and its respective ports for HTTP and HTTPS communications. The relay server's ports must match the IIS server ports.
  enable - controls whether the relay server operates.
    yes - operate.
    no - do not operate.
  host - relay server IP address or host name. The IP address must be the internal IP address or DNS name that can be reached by the Afaria server or other supported server components.
  http_port - TCP port matching the relay server's IIS setting for HTTP communications. The port must be the internal TCP port that can be reached by the Afaria server or other supported server components.
  https_port - set value to match the relay server's IIS setting for SSL communications.
  description - user-defined description.

Note: Values are case-sensitive.

Sample section of a relay server configuration file showing settings for basic operations.
    #-------------------------------------
    # Relay server
    #-------------------------------------
    [options]
    start = auto
    verbosity = 1
    # Note: When auto start is used, the default log file is
    # <tmpdir>\ias_relay_server_host.log while rshost is active.
    # The value of <tmpdir> is filled using the following environment variables
    # searched in this order:
    #   SATMP
    #   TMP
    #   TMPDIR
    #   TEMP

    #--------------------
    # Relay server
    #--------------------
    [relay_server]
    enable = yes
    host = 123.45.6.78
    http_port = 80
    https_port = 443
    description = Machine #1 in RS farm

Restart the relay server engine (rshost.exe) any time you make changes to the configuration file.

Restarting the Relay Server Host
Restart the relay server host any time the relay server is already running and you change the relay server configuration file or have another reason to restart the relay server engine.

The relay server starts automatically when configured to do so as part of its basic operations. The automatic start feature is defined when you use the start=auto attribute in the relay server's configuration file [options] section. IIS must be running before the automatic start feature can take effect. Restarting the relay server does not require that you restart IIS and does not cause any disruption to other IIS applications.

1. From a command prompt running with administrator privileges, navigate to <installation directory>\ias_relay_server\server.
2. Issue this command:

       rshost.exe -u -qc -f rs.config

   For a complete list of command line switches and their meaning, enter rshost at the command prompt and press Enter.

Restarting the relay server updates its configuration, as defined in the configuration file.

Next
You may want to create a batch file for the commands and store it in a convenient location in your relay server environment.
Relay Server Support for Server Components
To configure the relay server to support an Afaria server component, define the relay server configuration file and configure settings on the Afaria Administrator.

Afaria supports using the relay server with any of these server components:
- Afaria server
- Enrollment server
- iOS certificate authority server
- Afaria filter used for Access Control for Email
- Package server
- Application Onboarding certificate authority

The relay server configuration file rs.config consists of several sections. Use [backend_farm] and [backend_server] for each supported server component.

[backend_farm] - creates a single, case-sensitive identifier for a component server environment, regardless of whether you are operating a single component server or a farm of component servers.
  enable - controls whether the farm operates.
    yes - operate.
    no - do not operate.
  id - user-defined, case-sensitive value for identifying a server farm. Each farm in the relay server configuration file must have a unique ID.
  description - user-defined description.
  client_security - specifies the secure communication protocol requirement for clients connecting to the relay server. This is an optional setting that is not represented in the sample configuration file. Omitting the setting results in the relay server enforcing the default value.
    on - HTTPS is required.
    off - default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.
  backend_security - specifies the secure communication protocol requirement for component servers connecting to the relay server. Omitting the setting results in the relay server enforcing the default value.
    on - HTTPS is required.
    off - default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.

[backend_server] - identifies a single component server to the relay server. You must have one [backend_server] section for each component server in your component server environment.
  enable - controls whether the server operates.
    yes - operate.
    no - do not operate.
  farm - the case-sensitive farm value is the same for each server. Use the same farm ID as from [backend_farm].
  id - the ID value is unique for each server in the farm. If a server hosts more than one supported server component, then all server IDs on the host must be unique. For example, if a server hosts both an Afaria server and a package server, and both are defined in separate farms in the relay server configuration file, then the server IDs used for the two server components must be different.
  mac - MAC address of the server component.
  token - the token is any string that you create. Use the same token value for each server in a farm.

Note: Values are case-sensitive.

Restart the relay server engine (rshost.exe) any time you make changes to the configuration file.

Relay Server Configuration File Examples
Examples of the structure of the relay server configuration file based on the Afaria environment supported.

Single Afaria server - in an environment with a single relay server supporting a single Afaria server, the configuration file includes these sections:
  [options] - one instance.
  [relay_server] - one instance.
  [backend_farm] - one instance.
  [backend_server] - one instance.

Afaria server farm with four servers - in an environment with a single relay server supporting an Afaria server farm with four servers, the configuration file includes these sections:
  [options] - one instance.
  [relay_server] - one instance.
  [backend_farm] - one instance.
  [backend_server] - four instances.

Afaria server farm with four servers plus a package server - in an environment with a single relay server supporting an Afaria server farm with four servers and a package server, the configuration file includes these sections:
  [options] - one instance.
  [relay_server] - one instance.
  [backend_farm] - two instances.
  [backend_server] - five instances.
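The section rules defined above (ASCII-only content, one [options] and one [relay_server] section, unique case-sensitive farm ids, a matching farm and a shared token in every [backend_server], and client_security/backend_security defaulting to off) and the three layouts just listed can be checked before rshost.exe is restarted. The validator below is an added example written for this guide, not Sybase or Afaria code; it assumes only the section and key names the guide defines, and the configuration it parses is a constructed sample of the four-server-plus-package-server layout with placeholder host, ids and tokens.

```python
# Added example for this guide (not Sybase/Afaria code): checks an rs.config
# file against the rules stated above. The sample at the bottom is constructed.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, str]]
LOG_LEVELS = {"0", "1", "2", "3", "4", "5"}


def parse_rs_config(text: str) -> List[Section]:
    """Ordered (name, key/value) list; configparser would merge repeated [backend_server]."""
    sections: List[Section] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        header = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if header:
            current = {}
            sections.append((header.group(1), current))
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()  # values stay case-sensitive
    return sections


def validate_rs_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    if not text.isascii():  # the guide: the file may contain only ASCII
        findings.append("file contains non-ASCII characters")
    sections = parse_rs_config(text)
    counts = Counter(name for name, _ in sections)
    for required in ("options", "relay_server"):
        if counts[required] != 1:
            findings.append(f"expected one [{required}] section, found {counts[required]}")
    farms: Dict[str, Dict[str, str]] = {}
    for name, kv in sections:
        if name == "options" and kv.get("verbosity", "0") not in LOG_LEVELS:
            findings.append(f"[options] verbosity {kv.get('verbosity')!r} is outside 0-5")
        if name != "backend_farm":
            continue
        fid = kv.get("id", "")
        if fid in farms:  # ids are case-sensitive, so 'Afaria' != 'afaria'
            findings.append(f"[backend_farm] duplicate id {fid!r}")
        farms[fid] = kv
        for sec_key in ("client_security", "backend_security"):
            value = kv.get(sec_key, "off")  # omitted means the default, off
            if value not in ("on", "off"):
                findings.append(f"[backend_farm] {fid}: {sec_key} must be 'on' or 'off'")
            elif value == "off":  # plain HTTP is then accepted on that side
                findings.append(f"[backend_farm] {fid}: {sec_key} is off, so HTTP is accepted")
    # Second pass over [backend_server] sections, now that every farm id is known.
    ids_by_farm: Dict[str, set] = {}
    tokens_by_farm: Dict[str, set] = {}
    for name, kv in sections:
        if name != "backend_server":
            continue
        farm, sid = kv.get("farm", ""), kv.get("id", "")
        if farm not in farms:
            findings.append(f"[backend_server] {sid!r} references undefined farm {farm!r}")
            continue
        if sid in ids_by_farm.setdefault(farm, set()):
            findings.append(f"[backend_server] duplicate id {sid!r} in farm {farm!r}")
        ids_by_farm[farm].add(sid)
        tokens_by_farm.setdefault(farm, set()).add(kv.get("token", ""))
    for farm, tokens in tokens_by_farm.items():
        if len(tokens) != 1:
            findings.append(f"farm {farm!r}: all [backend_server] sections must share one token")
    return findings


# Constructed sample: one relay server in front of an Afaria farm of four servers
# plus a package server (1 options, 1 relay_server, 2 backend_farm, 5 backend_server).
SAMPLE_CONFIG = """\
[options]
start = auto
verbosity = 1
[relay_server]
enable = yes
host = 10.0.0.5
http_port = 80
https_port = 443
[backend_farm]
enable = yes
id = AfariaFarm
client_security = on
backend_security = on
[backend_farm]
enable = yes
id = PackageFarm
""" + "".join(
    f"[backend_server]\nenable = yes\nfarm = AfariaFarm\nid = afaria{n}\ntoken = Token_A\n"
    for n in range(1, 5)
) + "[backend_server]\nenable = yes\nfarm = PackageFarm\nid = pkg1\ntoken = Token_P\n"
```

Because both security keys default to off, the validator reports every farm that leaves them unset, so accepting HTTP from devices or component servers is a deliberate choice rather than an oversight.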
This is a sample section of a relay server configuration file showing settings for a single Afaria server. The settings include an instance of the [backend_farm] section and an instance of the [backend_server] section. The sample does not include the sections for the relay server basic operations.

    #---------------
    # Backend farms
    #
    # Notice that the case sensitive farmID must match the farmID set in the Afaria Administrator's
    # relay server configuration page. Default value in Afaria is farmID=Afaria.
    #---------------
    [backend_farm]
    enable = yes
    id = farmID
    description = Afaria Farm

    #-----------------
    # Backend servers
    #
    # id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
    # on your afaria server
    #-----------------
    [backend_server]
    enable = yes
    farm = farmID
    id = sc
    token = zyyxpj22p

Configuring Relay Server for Afaria Server
To configure the relay server to support one or more Afaria servers, define the relay server configuration file and configure settings on the Afaria Administrator.

Prerequisites
- As all relay server communications must use HTTP or HTTPS protocol, configure the Afaria server and devices to use HTTP or HTTPS.
- Set up the relay server for basic operations.

Task
1. Configure the relay server configuration file rs.config to support one or more Afaria servers. Consider these items when defining the [backend_farm] and [backend_server] sections.
   [backend_farm]
     id - user-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the farm ID you define on the Afaria Administrator Server > Configuration > Relay Server page. On the Relay Server page, the default value is afaria.
   [backend_server]
     id - define the server ID value to match the TransmitterID value defined in each Afaria server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
     token - the farm token you define must match the farm token you define on the Afaria Administrator Server > Configuration > Relay Server page.
2. On the Server > Configuration > Relay Server page of the Afaria Administrator, configure settings for communications between the relay server and the Afaria server component.
   - Start the outbound enabler: select this option to apply an automatic start-up attribute to the outbound enabler service. Afaria logging captures the outbound enabler's restart and failure events.
   - Farm ID and Farm token: a pair of case-sensitive, ASCII text strings that your relay server uses to direct incoming client communication to your Afaria Server, either a standalone server or server farm. The combination of the strings must be unique for a given Afaria instance. The Farm ID value must match the corresponding value in your relay server's configuration file and in your device configuration settings. The Farm token value must match the corresponding value in your relay server's configuration file.
   - Server address and Server port: the Afaria server IP address or localhost and the HTTP port that the Afaria server is using for communications. In a server farm environment, you must enable HTTP on each Afaria server in the farm and use "localhost" rather than the IP address.
   - RS address and RS port: the relay server IP address or fully qualified domain name and the port that the outbound enabler service uses to connect to the relay server.
   - RS URL suffix: text string used as an IIS parameter for invoking the relay server's Afaria Server Web services, as per the relay server installation instructions for creating the IIS application pool.
   - Maximum restarts: the maximum number of times the outbound enabler attempts to start if it stops unexpectedly.
   - Client URL prefix: text string used as an IIS parameter for invoking the relay server's Afaria client Web services, as per the relay server installation instructions for creating the IIS application pool.
     This value is also required as a configuration value on Afaria devices.
   - Use HTTPS: enable the outbound enabler to communicate via SSL to the relay server.
   - Certificate path: the path and file name on the Afaria server for the relay server's certificate file. The certificate contains the relay server's identity and public key.
3. Restart the relay server host.
4. Restart the Afaria server service.

Relay Server Bypass
Even after your relay server is operational, the Afaria Server continues to support direct device connections. If it is appropriate for your environment, you may allow devices to continue to connect to the Afaria server directly, bypassing the relay server.

Figure 6: Bypass Relay Server, Sample 1

As the above diagram illustrates, if you have Afaria devices that are inside your organization's firewall and want to connect, you can allow these devices to make direct connections with the Afaria server using any of Afaria's supported session protocols. These connections need not pass through the firewall, so the firewall can support higher security.

Figure 7: Bypass Relay Server, Sample 2

As the above diagram illustrates, if you have Afaria devices that are outside your organization's firewall and want to connect, you can allow these devices to make direct connections with the Afaria server using any of Afaria's supported session protocols as long as your firewall permits the traffic.

Configuring Relay Server for Enrollment Server
To configure the relay server to support one or more enrollment servers, define the relay server configuration file and configure settings on the Afaria Administrator.

Prerequisites
- Set up the relay server for basic operations.
- Ensure that IIS is running on your enrollment servers.

Task
1.
Configure the relay server configuration file rs.config to support one or more enrollment servers. Consider this item when defining the [backend_farm] section:
   id - user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the enrollment server component.
   a) In the Afaria Administrator, open the Server > Configuration > Enrollment Server page.
   b) In the Enrollment Server group, select Use Relay Server.
   c) In the Relay Farm ID field, enter the farm ID identifying your enrollment server farm. The value you enter must match the ID value you defined in the [backend_farm] section.
   d) In the relay server group, define these settings:
      - If using HTTPS, select Use HTTPS on Relay Server connections.
      - Server address: address of the relay server.
      - Client URL prefix: IIS path to rs_client.dll, as defined in the machine hosting the relay server. The default value may differ from your relay server's IIS path.
   e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler and import it to each machine where you installed an enrollment server.
6. On each machine where you installed an enrollment server, launch the relay server outbound enabler from the command prompt.

See also
Installing Enrollment Server - Basic on page 57

Configuring Relay Server for iOS Certificate Authority
To configure the Relay Server to support one or more iOS certificate authority servers, define the relay server configuration file and configure settings on the Afaria Administrator.

Prerequisites
- Set up the relay server for basic operations.
- Ensure that IIS is running on your iOS certificate authority.

Task
1. Configure the relay server configuration file rs.config to support one or more iOS certificate authority servers.
   Consider this item when defining the [backend_farm] section:
   id - user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the iOS certificate authority.
   a) In the Afaria Administrator, open the Server > Configuration > Enrollment Server page.
   b) In the Certificate Authority (iOS only) group, select Use Relay Server.
   c) In the Farm ID field, enter the farm ID identifying your iOS certificate authority farm. The value you enter must match the ID value you defined in the [backend_farm] section.
   d) In the relay server group, define these settings:
      - If using HTTPS, select Use HTTPS on Relay Server connections.
      - Server address: address of the relay server.
      - Client URL prefix: IIS path to rs_client.dll, as defined in the machine hosting the relay server. The default value may differ from your relay server's IIS path.
   e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler and import it to each machine where you installed an iOS certificate authority server.
6. On each machine where you installed an iOS certificate authority server, launch the relay server outbound enabler from the command prompt.

See also
Installing Enrollment Server - Basic on page 57

Configuring Relay Server for Access Control
To configure the Relay Server to support the Afaria filter used in Access Control for Email, define the relay server configuration file, configure settings on the Afaria Administrator, and reinstall the PowerShell component of the Afaria filter.

Prerequisites
- Set up the relay server for basic operations.
- Configure the relay server for your Afaria server, regardless of whether you plan to use the relay server for device connections.
Task
The following steps describe how to add the relay server to your current configuration for Access Control for Email. It is assumed that you have already installed the two components of the Afaria filter and have configured Access Control on the Afaria Administrator.

1. Configure the relay server configuration file rs.config to support the Afaria filter. In the [backend_farm] section, define the Afaria filter's farm ID by using <AfariaServerFarmID>-IS, where <AfariaServerFarmID> is the same farm ID you defined for the Afaria server. For example, if you define your Afaria server farm ID as Afariafarm, then define your Afaria filter's farm ID as Afariafarm-IS.
2. On the Server > Configuration > Access Control Server page of the Afaria Administrator, select Use Relay Server, then click Save.
3. Reinstall the PowerShell component of the Afaria filter. In the Server Settings page of the installation wizard, enter the relay server address and farm ID. The farm ID you enter must match the farm ID you defined for the Afaria server in the relay server configuration file. The installation wizard automatically appends -IS to match the farm ID defined for the Afaria filter.
4. Restart the machine where you reinstalled the PowerShell component.
5. Restart the relay server host.
6. In the Afaria Administrator, restart the Afaria server service.

See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Access Control for Email on page 75

Configuring Relay Server for Package Server
To configure the relay server to support one or more package servers, define the relay server configuration file and configure settings on the Afaria Administrator.

Prerequisites
- Set up the relay server for basic operations.
- Ensure that IIS is running on your package servers.

Task
1. Configure the relay server configuration file rs.config to support one or more package servers.
   Consider this item when defining the [backend_farm] section:
   id - user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the package server component.
   a) In the Afaria Administrator, open the Server > Configuration > Package Server page.
   b) In the Package Server (Indirect Access) group, select Use Relay Server and enter the farm ID identifying your package server farm. The value you enter must match the id value you defined in the [backend_farm] section.
   c) In the Indirect Access (Relay Server) group, define these settings:
      - If using HTTPS, select Use HTTPS on Relay Server connections.
      - Server address: address of the relay server.
      - Client URL prefix: IIS path to rs_client.dll, as defined in the machine hosting the relay server. The default value may differ from your relay server's IIS path.
   d) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler and import it to each machine where you installed a package server.
6. On each machine where you installed a package server, launch the relay server outbound enabler from the command prompt.

See also
Installing Package Server on page 71

Configuring Relay Server for Application Onboarding Certificate Authority
To configure the relay server to support one or more Application Onboarding certificate authority servers, define the relay server configuration file and configure settings on the Afaria Administrator.

Prerequisites
- Set up the relay server for basic operations.
- Ensure that IIS is running on your Application Onboarding certificate authority servers.

Task
1. Configure the relay server configuration file rs.config to support one or more Application Onboarding certificate authority servers.
   Consider this item when defining the [backend_farm] section:
   id - user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the Application Onboarding certificate authority.
   a) In the Afaria Administrator, open the Server > Configuration > Package Server page.
   b) In the Certificate Authority (for Package Server) group, select Use Relay Server and enter the farm ID identifying your certificate authority farm. The value you enter must match the ID value you defined in the [backend_farm] section.
   c) In the Indirect Access (Relay Server) group, define these settings:
      - If using HTTPS, select Use HTTPS on Relay Server connections.
      - Server address: address of the relay server.
      - Client URL prefix: IIS path to rs_client.dll, as defined in the machine hosting the relay server. The default value may differ from your relay server's IIS path.
   d) Click Save.
3. Restart the relay server.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler and import it to each machine where you installed a certificate authority server.
6. On each machine where you installed a certificate authority server, launch the relay server outbound enabler from the command prompt.

Launching the Relay Server Outbound Enabler
Launch the relay server outbound enabler (RSOE) from the command prompt of the server component.

Prerequisites
1. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.

Task
The RSOE is the relay server's agent on a server component, such as the package server and the enrollment server. It initiates an outbound connection with the relay server. The executable file for the RSOE is rsoe.exe.
Sybase recommends matching the versions of the RSOE and the relay server.

1. From the command prompt of the machine hosting the server component, navigate to the RSOutboundEnabler directory that you copied from the Afaria server.
2. To launch the RSOE, use the command line:

       rsoe -cr param -f farm -id id [options]

   -cr - parameters for the relay server connection.
   -f - server component farm ID, as defined in the relay server configuration file.
   -id - unique ID identifying the server component, as defined in the relay server configuration file.

   For a complete list of command line switches and their meanings, enter rsoe at the command prompt and press Enter.

   If you include the security token when you define the [backend_server] section in the relay server configuration file, you must use the -t switch when launching the RSOE.

   When using the -cs switch, do not use localhost for the server address and do not use spaces in the name.

   This is a sample command line to launch the RSOE on a machine hosting the iOS certificate authority:

       rsoe.exe -cr "host=www.rs.com;port=80" -cs "host=<IP Address>;port=80" -f CAFarmName -id CAID -t CAToken

Next
(Optional) Install the RSOE as a Windows service.

Installing the Relay Server Outbound Enabler as a Windows Service
Install the relay server outbound enabler (RSOE) as a Windows service by running the dbsvc.exe service utility at the command prompt.

Prerequisites
1. On your Afaria server, copy the entire directory <Afaria Server Installation Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.

Task
Each instance of the RSOE can be installed as a Windows service. The RSOutboundEnabler folder includes dbsvc.exe, a service utility that installs the RSOE as a Windows service.
On the machine hosting the server component, execute this command at a command prompt running with administrator privileges:

    dbsvc.exe -as -s auto -sn "AfariaRSOE" -w AfariaRSOE "<full path>\RSOutboundEnabler\rsoe.exe" @"<full path>\RSOutboundEnabler\rsoe.config"

For a complete list of the service utility's command line switches, enter dbsvc.exe at the command prompt and press Enter.

The command prompt displays a line confirming that the "AfariaRSOE" service was successfully created. The "AfariaRSOE" service is listed in the list of Windows services of the machine hosting the server component.

Relay Server with SSL
To configure the relay server to use SSL, you must install a trusted certificate on the server that is running the relay server's Microsoft Internet Information Services (IIS) Server and the relay server engine, rshost.exe. You can configure Afaria devices to connect securely using the relay server address and HTTPS protocol after you have installed the certificate.

Connecting to the relay server with SSL ensures that the traffic from devices to the relay server is encrypted. If your Afaria Server and relay server are behind the same firewall, this configuration is all you need to secure your data.

Encrypting traffic between the relay server and the Afaria Server requires that you export the relay server's public key and copy the resulting file to the Afaria Server, then use the Afaria Administrator's relay server page to enable HTTPS and specify the location of the public key file. All traffic is encrypted after you restart the Afaria Server.

Relay-Server-Related Logging
Relay-server-related logging allows you to retrieve connection and restart attempts that occurred on both the Afaria server and the relay server.
Afaria-side logging

Afaria logging captures the outbound enabler's restart attempt events; it does not capture relay server start events when started by the Afaria service, as occurs when the "Start the outbound enabler" setting is selected.

Relay-server-side logging

Relay server logging captures events while rshost.exe is active. When started using the relay server's configuration file setting for auto start, the log is stored in the following relay server path: <tmpdir>\ias_relay_server_host.log. The value of <tmpdir> is populated with the first-available environment variable, according to the search order SATMP, TMP, TMPDIR, TEMP.

The relay server log captures connections from the Afaria Server to the relay server and successful device connections. The log does not capture unsuccessful client connections.

1. To retrieve logging from the relay server to the Afaria server, unselect Start the outbound enabler to prevent the outbound enabler from starting during Afaria's next restart.
2. Restart the Afaria server service.
3. On the Afaria server, open a command prompt and navigate to <Afaria Server Installation Directory>\bin\RSOutboundEnabler.
4. Restart the outbound enabler using this single, continuous command:

   rsoe.exe -id <AfariaServerID> -f <FarmID> -t <Farm token> -cs "host=localhost;port=<AfariaHTTPPort>;" -cr "host=<RelayServerIP>;port=<RelayServerHTTPPort>;url_suffix=<RsURLSuffix>;url_prefix=<ClientURLPrefix>" -v <LogVerbosity> -o <LogOutputPathFile>

   <AfariaServerID> the Afaria server ID value. The ID value is defined in the Afaria Server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
   <FarmID> farm ID, as stored on the Relay Server configuration page.
   <Farm token> farm token, as stored on the Relay Server configuration page.
   <AfariaHTTPPort> Afaria's HTTP port, as stored on the Client Communications configuration page.
   <RelayServerIP> relay server IP address.
   <RelayServerHTTPPort> relay server HTTP port.
   <RsURLSuffix> RS URL suffix, as stored on the Relay Server configuration page.
   <ClientURLPrefix> client URL prefix, as stored on the Relay Server configuration page.
   <LogVerbosity> controls the level of logging. Logs always include errors. Logs always include warnings for levels 1-5.
      0 no logging.
      1 session-level logging.
      2 request-level logging.
      3 packet-level logging, terse.
      4 packet-level logging, verbose.
      5 transport-level logging.
   <LogOutputPathFile> Afaria Server path and file name for the log file.

   For a complete list of command line switches and their meanings, enter rsoe at the command prompt and press Enter.

   This sample writes the log file to c:\outbound.log on the Afaria Server.

   rsoe.exe -id got -f AfariaFarm -t Token_00 -cs "host=localhost;port=80;" -cr "host=10.14.229.21;port=80;url_suffix=/ias_relay_server/server/rs_server.dll;url_prefix=/ias_relay_server/client/rs_client.dll" -v 5 -o c:\outbound.log -af

Uninstalling Afaria Components

Remove Afaria software components as needed by using the Microsoft Add/Remove Programs utility. For Afaria Administrator, enrollment server, and package server, uninstalling any of these servers also uninstalls all Afaria Self-Service Portal instances at the same time.

Uninstalling Afaria Server

Uninstalling an Afaria server also uninstalls the Afaria Administrator, if installed on the same server. Removing the Afaria server deletes the software component and all defined channels but preserves the Afaria database.

1. If you are uninstalling a farm server, on the Afaria Administrator go to Server > Configuration > Server Farm and set the state to hidden. Hiding the farm server removes it from the server selector list.
2. On the server to uninstall, close all Afaria programs.
3. Stop all Afaria-related services.
4. Using the Microsoft Add/Remove Programs utility, select the component and remove it.
   The most common reasons for the step to fail are:

   - An Afaria program or related service is still running. Stop the programs and related services and retry the step.
   - Windows Explorer or some other program is using the Afaria installation directory. Close all programs, then restart the machine and retry the step.
   - Afaria system folders are shared with device users. Remove the share from the folder and retry the step.

5. If uninstalling a farm server, delete the server entry from the A_SERVER database table. If you do not delete this server from the database, it continues to appear on the Server > Configuration > Server Farm page as an available server.