Installation Guide

Afaria 7
DOCUMENT ID: DC-7-00-00
LAST REVISED: March 2012
Copyright © 2012 by Sybase, Inc. All rights reserved.

This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or
technical notes. Information in this document is subject to change without notice. The software described herein is furnished
under a license agreement, and it may be used or copied only in accordance with the terms of that agreement.
Upgrades are provided only at regularly scheduled software release dates. No part of this publication may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior
written permission of Sybase, Inc.
Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and
the marks listed are trademarks of Sybase, Inc. A ® indicates registration in the United States of America.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and in several other countries all over the world.
Java and all Java-based marks are trademarks or registered trademarks of Oracle and/or its affiliates in the U.S. and other
countries.
Unicode and the Unicode Logo are registered trademarks of Unicode, Inc.
All other company and product names used herein may be trademarks or registered trademarks of the respective companies
with which they are associated.
Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS
52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies.
Sybase, Inc., One Sybase Drive, Dublin, CA 94568
Contents
Installation User Assumptions ..... 1
Afaria Technical Support ..... 3
Sybase Social Media Channels ..... 5
Locating Product Documentation ..... 7
Afaria Architecture ..... 9
  Afaria Server ..... 10
  Additional Afaria Components ..... 11
Installation Options ..... 13
  Installing a Standard Environment ..... 13
  Afaria Reinstallation ..... 13
  Afaria Upgrade ..... 14
  Afaria Appliance Installation ..... 14
System Requirements and Release Notes ..... 15
Afaria 7 Upgrade ..... 17
  Eligible Upgrade Path and Environment ..... 17
  Entering or Updating Your License Key ..... 17
  Discontinued Platform Support ..... 18
  Afaria Single Server Upgrade ..... 18
  Afaria Server Farm Upgrade ..... 19
  Automatic Actions ..... 19
    Device IDs ..... 19
    Assigned User Groups ..... 20
    Discontinued Channel Types ..... 20
    Session Manager Channels ..... 21
    iOS Device Configuration Policies ..... 21
    Portal Application Packages ..... 22
Preparing to Install Afaria ..... 23
  Creating a Domain User Account for Operating Afaria ..... 23
    Updating Passwords and Domain User Accounts for Afaria ..... 23
    Syntax Examples for Updating Afaria Server Password ..... 24
  Afaria Database Preparation ..... 24
    Estimating Your Database Size Requirements ..... 24
    Creating an SQL iAnywhere Database and User ..... 25
    Configuring the iAnywhere SQL Anywhere Database for Operations ..... 25
    Creating a SQL Server Database and User ..... 26
    Configuring the SQL Server Database for Operations ..... 27
  Apple Certificates for Managing Afaria Devices ..... 27
    Obtaining Root and Intermediate Certificates ..... 28
    Obtaining an Apple APNS Certificate ..... 28
  Obtaining a Google API Key ..... 33
Installing Afaria Server ..... 35
  Entering or Updating Your License Key ..... 35
  Starting the Setup Program ..... 35
  Defining Server Type and Directory ..... 36
  Selecting Microsoft SQL Server Database ..... 36
  Selecting iAnywhere SQL Anywhere Database ..... 37
  Selecting Authentication Type ..... 37
    Configuring LDAP Information ..... 38
  Completing the Installation ..... 39
  Installing Afaria Server Farm ..... 40
Installing Afaria API Service and Administrator ..... 41
  Verifying Afaria Administrator IIS Settings ..... 42
  Changing the IIS Connection Timeout Value ..... 43
Starting Operations and Server Configuration ..... 45
  Logging In to Afaria Administrator ..... 45
  Logging in as Added User ..... 45
  Starting, Stopping, Restarting the Afaria Server ..... 45
  Verifying Afaria Server Settings for Device Communication ..... 46
  Verifying Afaria Server Settings After Installation ..... 46
  Server Configuration for Installation and Management ..... 47
  User Role Management ..... 48
    Viewing the Server Roles ..... 48
    Adding or Editing a User Role ..... 48
Afaria Server Messaging ..... 51
  Addresses and Routing for Afaria SMS and SMTP Messages ..... 51
  SMS and SMTP Message Address Syntax ..... 51
  SMS Gateway ..... 53
    Installing SMS Gateway ..... 53
    HTTPS Support Certificates ..... 54
    Configuring Afaria Server for SMS Gateway ..... 54
    Setting Up SMS Modem ..... 55
    Setting Up SMPP ..... 56
  Setting Up SMTP ..... 56
Installation and Configuration for Enrollment Components ..... 57
  Installing Enrollment Server - Basic ..... 57
  Configuring Afaria Server for Basic Enrollment Server ..... 58
  Configuring Afaria Server for Enrollment Codes ..... 59
  Configuring Certificate Authority for iOS Devices ..... 60
    Configuring an Enterprise Root Certificate Authority for iOS ..... 60
    Tuning the Certificate Authority for Afaria ..... 62
    Installing the Afaria SCEP Plug-In Module on the CA ..... 62
  Configuring Afaria Server for iOS Certificate Authority ..... 63
  Importing Apple Root and Intermediate Certificates for MDM Management ..... 64
  Configuring Afaria Server for iOS Notifications ..... 64
  Configuring SSL Connections for Enrollment Server ..... 65
  Configuring SSL Connections for iOS CA ..... 66
  Adding iOS MDM Payload Signing for iOS ..... 66
    Importing Apple Root and Intermediate Certificates for MDM Payload Signing ..... 67
    iOS MDM Payload Signing Certificate Requirements ..... 68
    Reinstalling the Enrollment Server for iOS MDM Payload Signing ..... 68
    Configuring Afaria Server for iOS MDM Payload Signing ..... 69
  Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections ..... 69
Package Server ..... 71
  Installing Package Server ..... 71
  Configuring Afaria Server for Package Server ..... 72
  Configuring SSL Connections for Package Server ..... 72
Access Control for Email ..... 75
  Access Control Components ..... 75
  Access Control Configurations for Microsoft Exchange ..... 76
  Access Control Configurations for IBM Lotus Domino ..... 78
  Setting Up Access Control for Email ..... 81
    Configuring the Afaria Filter Listener ..... 81
    Installing the ISAPI Filter Component ..... 82
    Installing the PowerShell Service Component ..... 83
  Files Installed with and Generated by the Afaria Filter ..... 84
Self-Service Portal ..... 87
  Preparing to Install Self-Service Portal ..... 87
  Installing the Self-Service Portal ..... 87
  Afaria Self-Service Portal Address ..... 89
  Configuring Afaria Server for Self-Service Portal Request Timeout ..... 90
  Editing Enrollment Codes for Self-Service Portal ..... 90
Relay Server ..... 91
  Relay Server Executable Components ..... 92
  Setting Up the Relay Server for Basic Operations ..... 92
    Setting Up the Relay Server for Basic Operations with IIS 7.5 ..... 92
    Setting Up the Relay Server for Basic Operations with IIS 6.0 ..... 100
  Restarting the Relay Server Host ..... 106
  Relay Server Support for Server Components ..... 106
    Relay Server Configuration File Examples ..... 108
    Configuring Relay Server for Afaria Server ..... 109
    Configuring Relay Server for Enrollment Server ..... 112
    Configuring Relay Server for iOS Certificate Authority ..... 113
    Configuring Relay Server for Access Control ..... 114
    Configuring Relay Server for Package Server ..... 115
    Configuring Relay Server for Application Onboarding Certificate Authority ..... 116
  Launching the Relay Server Outbound Enabler ..... 117
    Installing the Relay Server Outbound Enabler as a Windows Service ..... 118
  Relay Server with SSL ..... 118
  Relay-Server-Related Logging ..... 119
Uninstalling Afaria Components ..... 121
  Uninstalling Afaria Server ..... 121
Installation User Assumptions
Afaria installation requires that you have knowledge of Windows servers, Microsoft IIS,
database servers, your user directory manager, and the device types you plan to support.
Afaria Technical Support
Sybase provides industry-leading support and a variety of downloads to help you get the most
out of your Sybase products and solutions.
For information about Sybase Customer Service and Support, visit www.sybase.com/support.
If you have a technical support contract, you can locate your local technical support center at
www.sybase.com/contactus/support.
For Afaria customers with a maintenance agreement, visit METS at http://frontline.sybase.com/support.
Sybase Social Media Channels
Sybase is active on a number of social media channels, such as Twitter, blogs, and YouTube.
Visit us online for our social media channels at www.sybase.com/resources/socialmedia.
Locating Product Documentation
Locate documentation for help with installing and using the product. Documentation is on the
product installation image.
1. Start the setup program (setup.exe).
2. Click Documentation.
3. Click the item of interest.
- Readme: includes information about finding system requirements and release notes on the
  technical support site, and information about what is located on the product installation image.
- Installation guide: the English version of the Afaria Installation Guide.
- Documentation folder: opens the \Documentation folder on the installation image. All product
  documentation is available in English. Some documents may be available in additional languages.
Afaria Architecture
Afaria uses a distributed architecture that provides complete functionality and enterprise-
grade security while managing mobile devices and computers.
The Afaria architecture uses the enterprise network behind your firewall for components that
require the highest security, uses the DMZ for proxy components, and uses public entities in
the Internet for publicly available services, such as commercial application markets.
Figure 1: Afaria Architecture Internet, DMZ, and Enterprise Network
Internet: Afaria devices and public entities.
- Afaria devices: user devices, such as smartphones and computers, that Afaria manages.
  Devices either have an Afaria application installed or have a native capability that Afaria
  uses to interact with the hosting device. Devices connect to Afaria servers or their proxies
  using HTTP and SSL.
- Public entities and services: entities that support device management and features, such as
  the Apple Push Notification Service (APNS) for managing iOS devices, or a commercial
  application market for Afaria application policies.
DMZ: relay or proxy servers, such as a Microsoft Forefront Threat Management Gateway server or a
Sybase iAnywhere relay server, that enforce firewall rules and receive device communication before
relaying it to an Afaria server in the enterprise network. For Afaria Access Control for Email, an
optional feature, the e-mail proxy server hosts the access control filter to allow or block incoming
requests based on access control policy information from Afaria. Using relay servers in the DMZ to
relay communication is optional, but recommended to increase enterprise network security.
Enterprise network: Afaria component servers and the email network require connectivity to the
Afaria server, and sometimes the database. When relay servers are configured for Afaria
components, Afaria servers receive incoming communication from the relay servers, rather than
directly from the Internet.
You can consolidate some or all Afaria server components onto fewer servers, or onto a
single server.
If Afaria devices are resident within the enterprise network, you can configure them to
make direct connections to Afaria servers.
Afaria Server
The Afaria server program is central to Afaria operations. The Afaria server has no user
interface; settings and features are available through the Afaria Administrator Web
application.
The Afaria server can operate as a single, standalone server, or as multiple servers in a server
farm. The Afaria server communicates with the Afaria database and additional components or
devices as necessary.
- Standalone Afaria server: a single Afaria server operating as the only Afaria server in an
  Afaria installation. The server has a one-to-one relationship with the Afaria database.
- Afaria server farm: multiple Afaria servers operating together in an Afaria installation.
  The servers have a many-to-one relationship with the Afaria database. A server farm
  includes one master Afaria server and one or more farm servers.
See also
Creating a Domain User Account for Operating Afaria on page 23
Afaria Database Preparation on page 24
Additional Afaria Components on page 11
Additional Afaria Components
The Afaria Administrator, database, and additional server components support the Afaria
server for operations.
Supporting components:
Afaria Administrator: the Afaria server interface, a Web console that you can access with any
supported Web browser. Afaria uses role-based access policies to control user rights. Rights are
associated with functions in the user interface and with individual tenants.
- Afaria Administrator, the console: the Web console that provides an interface for the Afaria
  server. Use Afaria Administrator to define the server configuration; define roles for Afaria
  Administrator users; manage Afaria devices, groups, and policies; and monitor system activity.
- Afaria administrator, the individual: the person who installs and operates the Afaria product.
Afaria database: Sybase's SQL Anywhere or Microsoft SQL database that stores Afaria procedures;
configuration properties; device, group, and policy data; and all message and activity logging.
For Afaria server components, access to the database is either direct to the database or indirect
through the Afaria server.
Certificate authority: for iOS operations, as defined by Apple to support iOS mobile device
management (MDM), Afaria requires a Microsoft certificate authority (CA). The CA uses native
Simple Certificate Enrollment Protocol (SCEP) to issue certificates to devices for all inbound
MDM communication. The CA also hosts the optional Afaria SCEP plug-in that further increases
security by verifying that devices are in the Afaria database before allowing payload delivery.
Enrollment server: required for handheld device enrollment and iOS operations. The enrollment
server retrieves enrollment policies and starts the enrollment process for devices requesting
enrollment. For iOS, the enrollment server also delivers management payloads.
Self-service portal: lets end users enroll their device in Afaria management, and lets users view
their device information and issue commands, such as to reset a password. The portal is optional
for enrollment and allows users to install application policies with support from the Package
server.
Relay server: proxy for HTTP and HTTPS connections from the Internet to an Afaria component
server, such as the Afaria server or the enrollment server. The relay server is optional, but
recommended for increased enterprise network security.
Package server: for application policies, serves Afaria application packages to devices. For
application onboarding, serves certificates and device provisioning data to calling third-party
applications. The portal package server does not serve commercial applications to devices.
Email server: for Afaria Access Control for Email, an optional feature, the server hosts the
access control PowerShell service, which polls the Afaria server for current access control
policies, and delivers that information to the email proxy in the DMZ.
See also
Installing Enrollment Server - Basic on page 57
Configuring Afaria Server for Package Server on page 72
Configuring Relay Server for Access Control on page 114
Configuring the Relay Server for iOS Certificate Authority and Enrollment Server
Connections on page 69
Installation Options
Install Afaria on a server that does not have the Afaria software installed, or reinstall it to a
different installation path.
Installing a Standard Environment
Complete a standard installation to install Afaria with a separately installed database, Afaria
server, and Afaria Administrator Web console. A standard environment is appropriate for
installations with one or multiple Afaria servers.
Prerequisites
Before the installation, create a Windows user account for operations and establish your
database environment.
Task
1. On your planned Afaria server, enter your license key and complete the Afaria server
installation.
If your installation is planned to have only one Afaria server, the server is a standalone
server. If your installation is planned for a farm, the first server installed is the master or
main server.
2. On your planned administrator server, complete the Afaria API Service and Administrator
installation.
3. Complete procedures for getting started with operations.
4. (Server farm) For each additional server, prepare for the install by creating a Windows user
account for operations, enter your license key, and complete the Afaria server
installation.
The additional servers in a farm are called farm servers.
5. Install and configure additional components.
Afaria Reinstallation
Reinstallation is re-running an installation on an Afaria server or administrator server that
already has the same version of Afaria installed. Reinstalling is appropriate for repairing
problems associated with corrupted or deleted files, and for making certain types of changes to
your current installation.
Reinstall Afaria when changing your database version or type, changing the authentication
type, adding newly licensed features or capacity, or repairing Afaria.
Afaria Upgrade
Upgrade is running an installation on an Afaria server or administrator server that has a
version of Afaria installed that is on the supported upgrade path. An upgrade is defined as
upgrading the complete environment; the devices must upgrade along with the server and
administrator components.
Afaria Appliance Installation
Install the Afaria Appliance on a VMware host with minimal interaction, as most of the
settings are preconfigured.
During the setup, you configure only a few computer-specific and security settings. Once
installed, this Afaria installation supports device enrollment and management.
For complete installation and configuration details for the Afaria Appliance, see the Afaria
Appliance Installation Guide.
System Requirements and Release Notes
Before you install your Afaria components, ensure that your environment complies with the
system requirements. Complying with system requirements and reviewing the information in
the release notes helps you to take full advantage of features and operate your system
appropriately.
Complete system requirements are delivered with your order fulfillment. They are also
available in the product release notes available on the technical support site. The release notes
include information about known product issues.
Note: Using terminal services or comparable means is not a viable method for installation.
Afaria 7 Upgrade
Before beginning an upgrade, validate all prerequisite and system requirements, and create an
Afaria system backup. A system backup includes the database, application software, and
application data.
Eligible Upgrade Path and Environment
Upgrading to Afaria 7 is supported only for Afaria 6.6 FP1 2011_06 systems on a supported
Windows Server 2008 server.
The Afaria 7 setup program prevents these environments from upgrading:
- Afaria instances on servers that are not supported for Afaria 7, such as Windows Server 2003.
- Afaria versions earlier than Afaria 6.6 FP1 2011_06.
- Afaria instances integrated with an Oracle database.
Entering or Updating Your License Key
Enter or update your license key, which defines available setup menu options, any time you
receive a new key.
Perform the update on each Afaria server.
1. Start the setup program (setup.exe).
2. In the Set Up menu, click License Key.
3. Type your license key into the key box, then click Licensing Details to review your
licensing information.
The maximum number of concurrent sessions supported per server depends on your
licensing. The ability to run the maximum number of licensed concurrent sessions
depends upon the amount of memory, the speed, and number of the processors on your
server.
4. Click Apply to save the license key and return to the setup menu with your licensed options
available.
5. On the setup menu, click Install > Install Server and complete the server installation.
The reinstallation updates the server as necessary to support the license change.
6. Click Next.
Discontinued Platform Support
Prepare for discontinued support of several device and channel types in Afaria 7.
Recommendations for items that have been discontinued in Afaria 7:
- Device type Symbian: delete devices and data prior to upgrading.
- Device type Java: delete devices and data prior to upgrading.
- Data Security Manager for Windows:
  1. Unencrypt devices and uninstall the Data Security Manager client.
  2. Delete channels.
- Data Security Manager for Handhelds:
  1. Unencrypt devices and uninstall the Data Security Manager client.
  2. Delete channels.
- Antivirus/Firewall policies:
  1. Disable policies in group profiles to remove the Antivirus/Firewall client from devices.
  2. Delete policies.
- OMA DM policies:
  1. Run a session to remove policies from devices.
  2. Disable policies in group profiles.
  3. Delete policies.
- Application Control policies:
  1. Disable policies in group profiles to remove the Application Control client from devices.
  2. Delete policies.
- License Manager: delete License Manager data and settings.
- API object model: plan for discontinued use. Afaria 7 introduces a new API service model.
Afaria Single Server Upgrade
Upgrade an Afaria installation that includes a single Afaria server.
1. Stop Afaria services.
2. Upgrade the server.
Do not start the Afaria server service at this time.
3. Upgrade the Afaria Administrator application.
4. Start Afaria server service.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning
server").
6. Connect devices for upgrade.
Afaria Server Farm Upgrade
Upgrade an Afaria installation that includes multiple Afaria servers.
1. Stop all Afaria services on the master (main) server and on all farm servers.
Do not start the main server or any farm server until all components are upgraded.
2. Upgrade the main Afaria server.
Do not start the Afaria server service at this time.
3. Upgrade the farm servers.
Do not start the Afaria server service at this time.
4. Install the Afaria API and upgrade Afaria Administrator application.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning
server"), package server, Self-service portal.
6. Start Afaria server service on main server, then start the Afaria server service on the farm
server(s).
7. Start the remaining Afaria services on all server(s).
8. Verify Afaria Client Service is running on all farm servers and replication is successful.
9. Connect devices for upgrade.
Automatic Actions
Upgrading to Afaria 7 includes actions to support the new management model.
The Afaria management model has changed from one that used group profiles as a container
for assignments, monitor/action pairs, allowed channels, policies, and packages. The new
model uses only policies and groups to manage devices, which improves usability.
Device IDs
In Afaria 7, the device ID is a required field for new devices. It is a column in the device grid.
The upgrade to Afaria 7 processes device IDs and client names:
- If the device ID is blank in Afaria 6.6 FP1 2011_06, the upgrade copies the client name into
  the device ID field.
- If the device ID is non-blank in Afaria 6.6 FP1 2011_06, the upgrade leaves the device ID
  untouched.
If you rely on client name instead of device ID for searches, custom views, and other
operations, consider the impact on your continued operations.
Assigned User Groups
In Afaria 7, user groups are available and NT/LDAP groups are no longer used.
The upgrade to Afaria 7 processes NT/LDAP groups. For each group profile with one or more
NT/LDAP groups assigned in Afaria 6.6 FP1 2011_06, the upgrade:
- Creates a new user group that contains all of the NT or LDAP groups assigned to that profile.
- Names the group to reflect the NT/LDAP group names, such as "Upgrade_grp1_grp2".
- In the group note field, includes the name and path of each NT/LDAP group.
If a subsequently processed group profile has an identical set of NT/LDAP groups assigned, the
upgrade does not create a duplicate user group.
Discontinued Channel Types
In Afaria 7, all channels other than Session Manager channels are discontinued. Inventory
Manager and Configuration Manager channels are discontinued as channels but the features
remain present in Afaria 7 configuration policies.
The upgrade to Afaria 7 processes Inventory Manager and Configuration Manager channels:
- Creates an Afaria configuration policy for each channel, using a naming convention that
  reflects its origin:
  - If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  - If it was not assigned to a group profile: <ChannelName>
- Description is preserved.
- Priority value is preserved.
- For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit"
  schedules are created.
- Authentication and published states are preserved.
The upgrade to Afaria 7 processes the remaining discontinued channels:
- Backup Manager:
  - Delete any existing Backup Manager channels.
  - Leave backed up data in the ABD folder.
- Document Manager:
  - Delete any existing Document Manager channels.
  - Leave data in source locations.
  - Leave files in differencing and compression caches. They will eventually age out.
- Software Manager for Windows, Windows Mobile, Symbian, and Palm:
  - Delete any existing Software Manager channels.
  - Remove package tracking information.
- Patch Manager:
  - Delete any existing Patch Manager channels.
  - Delete the patches pulled down from the Microsoft site to the path configured on the
    Afaria server.
Session Manager Channels
In Afaria 7, all Session Manager channels continue, but are delivered in session policies.
The upgrade to Afaria 7 processes Session Manager channels:
- Creates an Afaria session policy for each channel, using a naming convention that reflects
  its origin:
  - If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  - If it was not assigned to a group profile: <ChannelName>
- Description is preserved.
- Priority value is preserved.
- For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit"
  schedules are created.
- Channel encryption is discontinued in Afaria 7. We recommend users run secure sessions
  instead.
- Authentication, published, and default channel states are preserved.
iOS Device Configuration Policies
In Afaria 7, all iOS Device Configuration policies continue, but become configuration
policies.
The upgrade to Afaria 7 processes iOS device configuration policies:
Create an Afaria configuration policy for each channel using a naming convention to
reflect its origin:
If it was assigned to a group profile: <PolicyName>-<ProfileName>
If it was not assigned to a group profile: <PolicyName>
Description is preserved.
Priority value is preserved.
Group assignment is preserved.
A policy with an assignment is published.
A policy without an assignment is unpublished.
Enabled or disabled state in group profile is preserved as enabled or disabled in the
payload.
Portal Application Packages
In Afaria 7, all portal application packages continue, but become application policies.
The upgrade to Afaria 7 processes portal application packages:
Create an Afaria application policy for each package using a naming convention to reflect
its origin:
If it was assigned to a group profile: <AppName>-<ProfileName>
If it was not assigned to a group profile: <AppName>
Description is preserved.
Priority value is preserved.
Group assignment is preserved.
A package with an assignment is published.
A package without an assignment is unpublished.
Required or optional state is preserved.
Enabled or disabled state in group profile is preserved as published or unpublished in
policy, respectively.
Preparing to Install Afaria
Before starting Afaria installation and configuration, prepare for the installation process. For
example, prepare the database, and obtain Apple Certificates.
Creating a Domain User Account for Operating Afaria
Create a domain Windows account to install the Afaria server, farm server, and related servers.
If applicable, the account is also used to run the Windows service.
The main Afaria server, farm servers, and other related servers and components must use the
same domain user account name and password.
Note: If you plan on installing SSP with LDAP, ensure the domain user you create has
permission to access the Active Directory server.
1. On the planned server, create a Windows domain user account with these attributes:
Log on as Service: if the server uses a Windows service, Afaria starts automatically
after reboot.
2. On the planned server, add the domain user as an administrator in the user group.
3. Record the account credentials you will use when prompted as you install the Afaria
server, Afaria Administrator programs, and additional components.
4. (Active Directory environment) On the domain controller, update the user account
properties (AccountName > Properties > Account > Log On To) to ensure the Log On
To list of log on workstations is either unrestricted or includes the planned Afaria
Administrator server and all planned Afaria Administrator browser computers.
Updating Passwords and Domain User Accounts for Afaria
As needed and without reinstalling the Afaria server, change the domain user account and
password associated with the Afaria server service, or the user password associated with the
database.
The main Afaria server and all farm servers must use the same user account name and
password.
1. Close all Afaria programs.
2. Using a command line, run the setup program (setup.exe) with parameters to change
the service account or password.
The setup program accepts parameters in any order. Available parameters:
-Maintenance: required for all commands.
-ServiceAccount=name: required if changing the user account and password
associated with the Afaria server service.
-ServicePassword=password: required if changing the user account and password
associated with the Afaria server service.
-DatabasePassword=password: required if changing the database user account
password.
3. Allow the program to run to completion.
The Afaria setup program runs silently, and may take several minutes to complete. You
may not know when it has finished unless you watch the task list or run the setup from a
batch file. To check for errors, see C:\silent.log.
Syntax Examples for Updating Afaria Server Password
When updating the user account and password on an Afaria server, the Afaria setup program
accepts parameters in any order.
Examples:
setup -Maintenance -DatabasePassword=password
setup -Maintenance -ServiceAccount=name -ServicePassword=password
setup -Maintenance -DatabasePassword=password -ServicePassword=password2
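Because the setup program runs silently and gives no indication of when it has finished, a small wrapper that waits for it and then reads C:\silent.log saves guesswork. The following PowerShell function is an added example, not part of the Afaria guide or the product. It prompts for the account and password instead of keeping them in a script, runs the maintenance command with the parameters listed above, waits for the process to exit, and reports any log lines that match an error pattern. The default setup.exe path (the guide's default installation directory), the log error pattern, and the meaning of a zero exit code are assumptions that the guide does not document.

```powershell
# Added example (not from the Afaria guide): run setup.exe -Maintenance, wait
# for it, and check C:\silent.log for problems.
# Assumptions: setup.exe sits in the default installation directory, an error
# entry in silent.log contains "error" or "fail", and exit code 0 means success.
function Update-AfariaServiceCredentials {
    param(
        [string]$SetupPath = 'C:\Program Files (x86)\Afaria\setup.exe',
        [string]$LogPath   = 'C:\silent.log',
        [switch]$DatabasePassword,            # also change the database user password
        [string]$ErrorPattern = 'error|fail'  # assumed; adjust to what your log shows
    )

    # Prompt for the domain account rather than storing it in the script. The
    # setup program needs the password as a plain command-line parameter, so
    # avoid passwords with spaces or quotes, whose quoting rules are undocumented.
    $cred  = Get-Credential -Message 'Domain account used by the Afaria server service'
    $plain = $cred.GetNetworkCredential().Password
    $arguments = @('-Maintenance',
                   "-ServiceAccount=$($cred.UserName)",
                   "-ServicePassword=$plain")

    if ($DatabasePassword) {
        $dbCred = Get-Credential -UserName 'afaria' -Message 'Password of the Afaria database user'
        $arguments += "-DatabasePassword=$($dbCred.GetNetworkCredential().Password)"
    }

    # Keep the previous log so the check below only sees this run.
    if (Test-Path $LogPath) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Rename-Item -Path $LogPath -NewName "silent-$stamp.log"
    }

    # The setup program is a silent GUI process; -Wait blocks until it exits.
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru

    $errorLines = @()
    if (Test-Path $LogPath) {
        $errorLines = @(Select-String -Path $LogPath -Pattern $ErrorPattern |
                        ForEach-Object { $_.Line })
    }

    [pscustomobject]@{
        ExitCode   = $proc.ExitCode
        LogWritten = (Test-Path $LogPath)
        ErrorLines = $errorLines
        Succeeded  = ($proc.ExitCode -eq 0 -and $errorLines.Count -eq 0)
    }
}

# Usage: change the service account and password only
#   Update-AfariaServiceCredentials
# Usage: also change the database user password
#   Update-AfariaServiceCredentials -DatabasePassword
```

Close all Afaria programs first, as step 1 above requires, and run the function from an elevated PowerShell session on the server whose service account is changing. Repeat it on every farm server, since all of them must use the same account and password.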
Afaria Database Preparation
The Afaria server uses a database to log system activity and data. All servers in a farm access
the same database. Unless you install the Afaria Appliance, you must install and configure your
database before installing the Afaria server; the Afaria Appliance includes database
installation and configuration.
The product supports using iAnywhere SQL Anywhere or Microsoft SQL Server for the
Afaria database; however, configure only one type of database.
Refer to the system requirements for complete database support information.
Estimating Your Database Size Requirements
To understand your weekly disk space requirements for operations with all logging enabled,
estimate your database size. Plan disk availability based on requirements.
1. Estimate values:
Number of sessions per day
Average session size
2. Apply the estimates to the daily formula for estimated growth per day:
(# of sessions per day) * (average session size) = estimated growth per day
3. Apply the daily estimate to the weekly formula for estimated growth per week:
(estimated growth per day) * 7 = estimated growth per week
For example, to determine the weekly disk space growth for 1000 daily sessions with an
average session size of 60KB:
(1000 sessions per day) * (60KB average session size) * 7 days = 420MB
So in this example, the database is estimated to grow by 420MB per week.
Consider these items for calculating estimates:
Add 1MB of data per week to the estimate for each device that reports inventory.
Session channels with 100 events add an average of 40KB in database growth per session
in additional log data.
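The daily and weekly formulas above, with the two adjustments for inventory reporting and event-heavy session channels, fit in one planning function. The PowerShell function below is an added example and is not from the Afaria guide. It follows the guide's arithmetic (1 MB = 1000 KB, so 1000 sessions at 60 KB over 7 days gives 420 MB), adds 1 MB per week for each inventory-reporting device, and, when asked, adds 40 KB per session for session channels that log about 100 events. The parameter names are my own.

```powershell
# Added example (not from the Afaria guide): weekly database growth estimate.
# Uses the guide's formulas and its two adjustments; 1 MB is taken as 1000 KB
# to match the guide's 1000 * 60 KB * 7 = 420 MB example.
function Get-AfariaWeeklyDbGrowthMB {
    param(
        [Parameter(Mandatory)][int]$SessionsPerDay,
        [Parameter(Mandatory)][double]$AverageSessionKB,
        [int]$InventoryDevices = 0,   # devices that report inventory: +1 MB per device per week
        [switch]$SessionsLogEvents    # session channels with ~100 events: +40 KB per session
    )

    $perSessionKB = $AverageSessionKB
    if ($SessionsLogEvents) { $perSessionKB += 40 }

    $dailyKB  = $SessionsPerDay * $perSessionKB     # (# of sessions per day) * (average session size)
    $weeklyKB = $dailyKB * 7                        # (estimated growth per day) * 7
    $weeklyMB = ($weeklyKB / 1000) + $InventoryDevices

    [pscustomobject]@{
        SessionsPerDay    = $SessionsPerDay
        PerSessionKB      = $perSessionKB
        InventoryDevices  = $InventoryDevices
        DailyGrowthMB     = [math]::Round($dailyKB / 1000, 1)
        WeeklyGrowthMB    = [math]::Round($weeklyMB, 1)
    }
}

# The guide's example: 1000 sessions per day with an average size of 60 KB.
Get-AfariaWeeklyDbGrowthMB -SessionsPerDay 1000 -AverageSessionKB 60

# The same fleet with 500 inventory-reporting devices and event-logging sessions.
Get-AfariaWeeklyDbGrowthMB -SessionsPerDay 1000 -AverageSessionKB 60 `
    -InventoryDevices 500 -SessionsLogEvents
```

Use the weekly figure to size the transaction log and data files described in the database preparation sections that follow, and revisit the estimate once real session sizes are visible in the database.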
Creating an SQL iAnywhere Database and User
If you plan to use a Sybase iAnywhere SQL Anywhere database with Afaria, create the database
for operations, and an associated user to provide a user context to access the database.
The database name should remain the same throughout the Afaria server installation and
configuration process.
1. Create a database. Use default configuration settings with the exception of these
attributes:
Install jConnect metadata support: disabled.
Page size: 8192 KB minimum.
2. Create a database user for the Afaria service to use for database access. Assign the database
administrator (DBA) authority to the user.
3. Connect to the new database using these network database server properties:
Identification: database user name and password that you created for Afaria database
access.
Database: indicate the Afaria database server name and start line dbsrv11.exe, as
well as the database name and file.
Do not start the database using start line dbeng11.exe, which is for non-network
database servers and does not support enough database connections for the Afaria
service.
Sybase strongly recommends that you have only one instance of dbsrv11.exe per
database.
Configuring the iAnywhere SQL Anywhere Database for Operations
For Sybase iAnywhere SQL Anywhere operations, prepare your database environment for
sustainability and availability.
To create a Windows service that automatically starts the database whenever the Afaria server
is restarted:
1. In Sybase Central, select the Services tab and run the New Services wizard.
2. Name the service.
3. Select the Network Database Server service type.
4. Accept the default executable, dbsrv11.exe.
5. Specify the parameters to run only the TCP/IP network driver (-x) for the database name
and path (-n).
For example, -x tcpip -n afariadb c:\afaria\afaria.db
6. Select default Local system account and Allow service to interact with desktop for
running the service.
7. Select start-up type Automatic.
8. Select to restart the service now.
Upon completion of the wizard, create a system event to back up and truncate the log.
Sybase recommends a log size of 50MB for an initial setting.
Creating a SQL Server Database and User
For Microsoft SQL Server database operations with Afaria, create the database and an
associated user to provide a user context to access the database.
The database name should remain the same throughout the Afaria server installation and
configuration process.
1. Create a database with these attributes:
Datafiles: Automatically Grow File, Unrestricted Filegrowth.
Transaction Log: Minimum size 25 MB, Automatically Grow File, Unrestricted
Filegrowth.
2. Create a role called db_executor with the execute right.
3. For the user you plan to use for Afaria operations with the database, ensure the user has
these attributes for your Afaria database:
Default schema: dbo
Role: db_ddladmin
Role: db_datawriter
Role: db_datareader
Role: db_executor
Password: does not contain the semicolon (;) character
Example SQL Script for Creating a SQL User for Afaria Database Operations
This example script creates a new role with the execute right for a database named Afaria and
assigns the user JBrowne all the required attributes the user needs for Afaria operations.
--For a database named Afaria and a login named JBrowne, create a user named
--JBrowne and grant the user the appropriate rights.
USE Afaria
GO
--Create a new role for executing stored procedures (skip if it already exists)
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'db_executor' AND type = 'R')
    CREATE ROLE db_executor
GO
--Grant stored procedure execute rights to the role
GRANT EXECUTE TO db_executor
GO
--Create the user for the login, default it to the dbo schema, and add it to the required roles
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
BEGIN
    CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
    EXEC sp_addrolemember db_ddladmin, JBrowne
    EXEC sp_addrolemember db_datawriter, JBrowne
    EXEC sp_addrolemember db_datareader, JBrowne
    EXEC sp_addrolemember db_executor, JBrowne
END;
GO
When you install the Afaria server, use the credentials from a user like this one if you choose
SQL authentication for the Afaria database. If using Windows integrated authentication
instead of SQL authentication, the Windows user requires the same rights and roles.
Configuring the SQL Server Database for Operations
For Microsoft SQL Server operations, prepare your database environment for sustainability
and availability.
Verify that logs are truncated on checkpoint:
1. Right-click the database and select Properties.
2. In the Properties window, click the Options tab.
3. In the Recovery section, click the Model list box and select Simple.
Apple Certificates for Managing Afaria Devices
Using Afaria to manage iOS devices requires an Apple Push Notification Service (APNS)
certificate, an Apple, Inc. Root certificate, and an Apple Application Integration certificate.
These certificates allow Afaria to communicate securely with iOS devices and uniquely
identify your enterprise Afaria installation as a trusted vendor for mobile device management
(MDM).
An enterprise uses a Macintosh or Windows computer, the Apple Push Certificates Portal, and
the Sybase Apple CSR signing site to obtain the push, root, and application integration
certificates, then installs the certificates for Afaria operations.
See also
Configuring Afaria Server for iOS Notifications on page 64
Obtaining Root and Intermediate Certificates
Once per Afaria environment, obtain root and application integration certificates to install in
your Afaria environment, so that any APNS certificates you or your tenant customers install
have a valid chain to the root. You will install the certificates when you are installing and
configuring for iOS operations.
1. Go to the Apple Root Certification Authority site at http://www.apple.com/certificateauthority.
2. Download Apple Inc. Root Certificate.
3. Download Application Integration.
See also
Completing and Exporting the APNS Certificate on page 31
Adding Apple Certificates to Afaria
You can use the Afaria certificate installation utility or Windows Microsoft Management
Console (MMC) to install the Apple root, application integration, and push certificates on
your Afaria server. After the installs, you will be able to manage your iOS devices.
Obtaining an Apple APNS Certificate
For a system tenant or non-system tenant, obtain an Apple APNS Certificate to validate your
iOS MDM request to the Apple APNS service. You will install the certificate when you
configure the Afaria server for iOS notifications.
Obtain a certificate based on the Afaria tenant implementation:
If you are an enterprise using only system tenant, obtain one Apple push certificate for the
system tenant.
If you are an enterprise using multiple tenants to separate operations, obtain one Apple
push certificate for the system tenant.
If you are a hosting enterprise using multiple tenants to separate multiple customers,
ensure each customer obtains their own Apple push certificate for their tenant. Do not
obtain a push certificate for the system tenant, as it would become the backup certificate for
tenants that do not obtain a certificate.
Requirements for Obtaining an Apple APNS Certificate
To obtain an Apple Push Notification Service (APNS) certificate, you must have a Web
browser and an Apple ID.
Computer with administrator rights: Macintosh OS X workstation or Windows server.
Web browser: Safari or Mozilla Firefox.
Apple ID: as issued to your enterprise (recommended) or to you as an individual by Apple
to associate with the certificates. An Apple iOS Developer Program membership is not
required to obtain an Apple ID.
General Apple Certificate Tasks for Afaria iOS MDM
From your Mac or Windows server and the Sybase Apple CSR signing site, create your
certificate signing request (CSR) to deliver to Apple and get a push certificate and download
the root and application integration certificates.
1. Creating a Certificate Signing Request
On either a Macintosh or Windows server, start the certificate signing request that will
become your enterprise's APNS certificate (push certificate). Use the same server to finish
the request later.
2. Getting Your CSR Signed by SAP Sybase
As a required part of the Apple certificate process, submit your enterprise CSR to the SAP
Sybase Apple CSR signing site.
3. Getting an APNS Certificate from the Apple Portal
Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-
based Apple Push Notification Service requests.
4. Completing and Exporting the APNS Certificate
On the Macintosh or Windows server that originated the certificate signing request,
complete the request and export the APNS certificate for Afaria operations.
5. Obtaining Root and Intermediate Certificates
Once per Afaria environment, obtain root and application integration certificates to install
in your Afaria environment, so that any APNS certificates you or your tenant customers
install have a valid chain to the root. You will install the certificates when you are installing
and configuring for iOS operations.
6. Adding Apple Certificates to Afaria
You can use the Afaria certificate installation utility or Windows Microsoft Management
Console (MMC) to install the Apple root, application integration, and push certificates on
your Afaria server. After the installs, you will be able to manage your iOS devices.
Creating a Certificate Signing Request
On either a Macintosh or Windows server, start the certificate signing request that will become
your enterprise's APNS certificate (push certificate). Use the same server to finish the request
later.
See also
Getting Your CSR Signed by SAP Sybase on page 31
Creating a Certificate Signing Request on Macintosh
On any Macintosh server in your enterprise, use the Keychain Access utility to create your
CSR.
1. On your server, open Applications > Utilities > Keychain Access.
2. In the left pane, select Keychain > Login, and Category > Certificates.
3. From the menu, select Keychain Access > Certificate Assistant > Request a
Certificate from a Certificate Authority.
4. On the Certificate Information page, enter the e-mail address and common name, select
Save to disk and Let me specify key pair information, then click Continue.
5. Save the file (.CSR) and record the location.
The CSR request is created and ready for signing.
Creating a Certificate Signing Request on Windows
On any Windows server in your enterprise, use the IIS Manager utility to create your CSR.
1. On your server, open Internet Information Services (IIS) Manager.
2. From the Connections column, select the server.
3. In the center pane, in the IIS section, double-click Server Certificates.
4. In the right pane, click Create Certificate Request.
5. On the Distinguished Name Properties page, enter:
Common name: name of the person generating the request.
Organization: legally registered name of your organization.
Organizational unit: name of the department within the organization.
City/locality: organization's city location.
State/province: organization's state location.
Country/region: two-letter ISO code for organization's country location.
6. On the Cryptographic Service Provider Properties page, select:
Cryptographic Service Provider: Microsoft RSA SChannel.
Bit length: 2048 or greater.
7. On the File Name page, define the path and file name (.TXT).
8. Save the file and record the location.
The CSR request is created and ready for signing.
Getting Your CSR Signed by SAP Sybase
As a required part of the Apple certificate process, submit your enterprise CSR to the SAP
Sybase Apple CSR signing site.
1. Go to the Sybase Mobile Enterprise Technical Support site's Apple CSR signing page at
http://frontline.sybase.com/support/applecert.asp.
2. Upload your CSR certificate to the Web site.
The CSR may be in .CSR (Macintosh) or .TXT (Windows) format.
3. After the upload is complete, download your signed CSR (.SCSR).
The signed CSR is ready for upload to the Apple Push Certificates Portal site to get an APNS
Certificate.
See also
Creating a Certificate Signing Request on page 29
Getting an APNS Certificate from the Apple Portal
Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-based
Apple Push Notification Service requests.
1. From your computer and using a Web browser (Sybase recommends Safari) go to the
Apple Push Certificates Portal site at https://identity.apple.com/pushcert.
2. Log in using your Apple ID credentials.
3. Click Create a Certificate.
4. After accepting the terms of use, click Choose File and select the signed CSR (.SCSR)
received from the Sybase Apple CSR signing site.
5. Click Upload.
After uploading your certificate, a new Apple-signed push certificate for mobile device
management for vendor Sybase appears on the Certificates for Third-Party Servers page.
6. Click Download to save it locally in .PEM format.
You now have an APNS certificate from Apple that is in an incomplete state. Complete the
certificate on the server that originated the CSR.
Completing and Exporting the APNS Certificate
On the Macintosh or Windows server that originated the certificate signing request, complete
the request and export the APNS certificate for Afaria operations.
See also
Obtaining Root and Intermediate Certificates on page 28
Completing and Exporting the APNS Certificate on Macintosh
On the Macintosh server that originated the certificate signing request, complete the request
and export the APNS certificate for Afaria operations.
1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple
Push Certificates Portal.
2. Double-click the file to install and complete the certificate request.
The Keychain Access utility displays.
3. In the Keychain Access utility, in the left pane, select Keychain > Login, and Category >
Keys.
4. Verify that the certificate, identified by the common name you assigned it, appears with a
key value in the Kind column.
5. Right-click the private key and select Export.
6. Save the file in .p12 or .pfx format.
7. Enter and record a password of your choice to export the certificate.
You now have an APNS certificate from Apple, ready to be added to the Afaria server.
Completing and Exporting the APNS Certificate on Windows
On the Windows server that originated the certificate signing request, complete the request
and export the APNS certificate for Afaria operations.
1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple
Push Certificates Portal.
2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3. From the Connections column, select the server.
4. In the center pane, in the IIS section, double-click Server Certificates.
5. In the right pane, click Complete Certificate Request.
6. Select the .pem certificate from the Apple Push Certificates Portal.
7. Enter a common name for tracking the certificate and click OK.
8. To export the APNS certificate to the correct format, right-click the certificate and select
Export.
9. Specify a path to save the certificate file in .pfx format.
10. Enter a password, and then click OK.
You now have an APNS certificate from Apple, ready to be added to the Afaria server.
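Whether the certificate was exported from Keychain Access (.p12) or IIS Manager (.pfx), the result is a PKCS#12 file, and it pays to check it before adding it to Afaria: that the export actually carries the private key, that the certificate is within its validity period, and that it chains to the Apple Inc. Root certificate through the Application Integration certificate obtained in the root and intermediate certificates procedure. The PowerShell function below is an added example, not from the Afaria guide or the product. It uses the .NET X509Chain class with the two downloaded Apple certificates offered explicitly, so it works even though the Apple root is not in the Windows trust store, and it confirms the root by thumbprint instead of trusting whatever root the chain ends at. File names in the usage lines are assumptions.

```powershell
# Added example (not from the Afaria guide): verify an exported APNS
# certificate (.pfx or .p12) against the downloaded Apple root and Application
# Integration certificates before adding it to Afaria.
function Test-ApnsCertificateExport {
    param(
        [Parameter(Mandatory)][string]$PfxPath,                # exported .pfx/.p12
        [Parameter(Mandatory)][string]$AppleRootCerPath,       # Apple Inc. Root Certificate
        [Parameter(Mandatory)][string]$AppIntegrationCerPath   # Application Integration certificate
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $exportPassword = Read-Host -Prompt 'Export password' -AsSecureString

    # DefaultKeySet loads the private key for this check only; it is not
    # persisted in the machine or user key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $leaf  = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $exportPassword, $flags
    $root  = New-Object "$ns.X509Certificate2" -ArgumentList $AppleRootCerPath
    $inter = New-Object "$ns.X509Certificate2" -ArgumentList $AppIntegrationCerPath

    $chain = New-Object "$ns.X509Chain"
    # Offer the downloaded Apple certificates to the chain builder instead of
    # relying on the Windows trust store; skip online revocation for an offline check.
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    [void]$chain.ChainPolicy.ExtraStore.Add($inter)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # The Apple root is not a trusted Windows root, so tolerate UntrustedRoot
    # here and pin the root explicitly by thumbprint below.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority

    $built = $chain.Build($leaf)
    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    $endsAtAppleRoot = ($null -ne $top) -and ($top.Thumbprint -eq $root.Thumbprint)
    # Any status other than the expected UntrustedRoot is a real problem
    # (expired, bad signature, partial chain, ...).
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status } |
                  Where-Object { $_ -ne 'UntrustedRoot' })
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $leaf.Subject
        Issuer           = $leaf.Issuer
        NotAfter         = $leaf.NotAfter
        HasPrivateKey    = $leaf.HasPrivateKey
        ValidNow         = ($leaf.NotBefore -le $now) -and ($now -lt $leaf.NotAfter)
        ChainLength      = $chain.ChainElements.Count
        EndsAtAppleRoot  = $endsAtAppleRoot
        OtherProblems    = $problems
        ReadyForAfaria   = $leaf.HasPrivateKey -and $built -and $endsAtAppleRoot -and ($problems.Count -eq 0)
    }
}

# Usage (file names are assumptions):
# Test-ApnsCertificateExport -PfxPath 'C:\certs\apns.pfx' `
#     -AppleRootCerPath 'C:\certs\AppleIncRootCertificate.cer' `
#     -AppIntegrationCerPath 'C:\certs\AppleApplicationIntegration.cer'
```

A HasPrivateKey value of False means the export was taken from the certificate rather than the private key, which is the mistake the Macintosh procedure guards against in steps 3 to 5; redo the export from the key entry. A chain that does not end at the Apple root usually means the wrong intermediate file was downloaded.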
Obtaining a Google API Key
To create enrollment policies for Afaria device enrollment, the Google URL Shortener API
must be accompanied by an API key that identifies your organization as the calling entity.
If you are planning to use TinyURL as your only URL shortening service, you need not have a
Google API key.
1. Go to developers.google.com
2. In the Developer Tools group, click API Console.
3. After logging in, create a new API project or use an existing project, navigate to the list
of all services, and activate the URL Shortener API.
4. Navigate to the API Access page, locate the Simple API Access item.
5. Record the API key for use in Afaria configuration for enrollment codes.
Next
Google APIs Web site: http://code.google.com/apis/console
Google URL Shortener API getting started: http://code.google.com/apis/urlshortener/v1/getting_started.html
See also
Configuring Afaria Server for Enrollment Codes on page 59
Installing Afaria Server
Install the Afaria server as the first server component in your Afaria installation.
This section is intended as a sequence of steps to follow from start to finish.
Entering or Updating Your License Key
Enter or update your license key, which defines available setup menu options, any time you
receive a new key.
Perform the update on each Afaria server.
1. Start the setup program (setup.exe).
2. In the Set Up menu, click License Key.
3. Type your license key into the key box, then click Licensing Details to review your
licensing information.
The maximum number of concurrent sessions supported per server depends on your
licensing. The ability to run the maximum number of licensed concurrent sessions
depends upon the amount of memory, the speed, and number of the processors on your
server.
4. Click Apply to save the license key and return to the setup menu with your licensed options
available.
5. On the setup menu, click Install > Install Server and complete the server installation.
The reinstallation updates the server as necessary to support the license change.
6. Click Next.
Starting the Setup Program
Start the Afaria server setup program and install an Afaria server.
Prerequisites
Install, configure, and start your database for Afaria server. Establish a user account for
installing and operating Afaria server.
Task
1. Start the setup program (setup.exe).
2. On the setup menu, click Install.
3. Click Install Afaria Server.
The End User License Agreement dialog displays.
4. Click Yes or No to indicate your acceptance or rejection, then click Next to continue with
the installation wizard, and specify the server installation type (master or farm) and
directory.
The installation continues only when you accept the agreement.
Defining Server Type and Directory
Select options for master or standalone server setup, directory selection, and service account.
1. On the Confirm Master or Standalone Server install page, click Next.
If you are installing a main or standalone server, continue selecting the authentication type.
If you are installing a farm server, complete the installation.
2. On the Directory Selection dialog, accept the default location or click Browse to navigate
to a new location and click Next to continue with the installation wizard, and database
definition.
The default directory is C:\Program Files (x86)\Afaria\.
Selecting Microsoft SQL Server Database
If you selected Microsoft SQL Server, continue with the Microsoft SQL Server Setup dialog.
1. On the Select Database Engine dialog, select the applicable database.
2. Select the Microsoft SQL Server.
3. On the Service Account dialog, specify the account name and password you created for
operating Afaria.
This account should be the same domain account that is used across Afaria servers and
components.
4. Select either Windows Authentication to use a Windows administrator account with SQL
Server privileges or SQL Server Authentication to use the SQL Server account with its
associated password that you set up for Afaria.
5. Click Next to continue.
6. On the SQL Server Database dialog, select the database you configured for Afaria.
If you are installing a farm server, you must select the database for the existing Afaria
server.
If you are reinstalling the Afaria server as standalone, you must select a new database.
7. Continue with selecting server authentication options.
Selecting iAnywhere SQL Anywhere Database
If you selected iAnywhere SQL Anywhere, continue with the SQL Anywhere Server Setup
dialog.
Prerequisites
If you are using SQL Anywhere iAnywhere server, manually restart the database server to
pick up the most up-to-date client drivers.
Task
1. On the SQL Anywhere Server Database dialog, enter the Database name and click
Next.
2. Select the SA Server Name from the list.
The list populates only with names of SQL Anywhere servers on the same subnet. To
locate a SQL Anywhere server outside the subnet, select Edit Host/Port. The Host name
may be a machine name or IP address.
3. Select a login type and click Next to continue:
Integrated login: select this option to integrate your Windows login with your SQL
Anywhere login.
SA user login: enter the login information for the database user with DBA authority
that you created for your Afaria database.
4. On the SQL Anywhere Server database dialog, select the database you created for Afaria,
then click Next to continue.
The Afaria installation program validates the database you specify. If you type the
database name incorrectly or type the name of the wrong database, you may see a
Request to start/stop database denied error.
5. Continue with selecting server authentication options.
Selecting Authentication Type
Select the user authentication type for connecting devices; either Windows authentication or
SQL Server Authentication. Local authentication is always enabled.
1. In the SQL Set Up dialog, select the applicable authentication type and click Next to
continue.
a) Select Windows Authentication and choose either NT or LDAP. For NT domain or
local authentication, click NT domain-based and retain <none> as the domain. For
NT domain authentication, click NT domain-based and enter the domain. As the
administrator, you must also be a member of this domain. Use commas to separate
multiple domains. Click Next.
For LDAP authentication select LDAP-based, click Configure LDAP and proceed to
Configuring LDAP Information topic.
b) Select SQL Server Authentication and define the SQL Server Login and
authentication. This username and password should be in the domain and be the same
name used throughout the installation of Afaria and its components. Click Next.
2. Complete the installation.
If you do not choose a domain during installation, you can add a domain for
authentication on the Server Configuration > Properties > Security page.
To allow users to use blank passwords, additional operating system settings are
required. See the Administration Reference to learn more about the requirements for
allowing blank passwords.
Configuring LDAP Information
Configure LDAP settings to support LDAP user authentication and channel assignments.
1. In the LDAP Server Login Information dialog, enter the login information.
Server Address: enter your LDAP server address as either a fully qualified domain
name, such as afaria.mycompany.com, or as an IP address.
Port Number: Afaria automatically defaults to the LDAP standard port 389. If you
enter another port number, you must enter a number greater than 1024.
Server Type: select your LDAP server type.
Use SSL: select to enable SSL communication with your LDAP server.
SSL Port Number: define the LDAP server port for SSL communications.
Anonymous Login: select Anonymous Login to allow the Afaria server to
communicate with the LDAP server without using a dedicated LDAP user account for
the server. If using anonymous login, configure your LDAP server to allow a search of
the directory structure for users, user groups, and organizational units and all of their
attributes.
User DN: if not using anonymous login, enter the user DN (distinguished name) for
the LDAP account the Afaria server uses to communicate with the LDAP server. If you
do not know the user name for the account, click Search User. You must have an LDAP
proxy user configured for an anonymous login to be able to search for users.
You can enter a name using a wildcard character to search for the correct User DN. For
example, you can enter *mith or *mit* to search for Smith.
Password: enter the password for the LDAP account the Afaria server uses to
communicate with the LDAP server.
2. In the LDAP Root Directory dialog, select a root directory that contains all of the groups,
organizational units, and users the server requires for authentication and assignments.
3. In the LDAP User Characteristics dialog, select a characteristic.
LDAP Class Name for Users: select or enter the LDAP Class Name for Users.
User Name Attribute: select or enter the user name attribute to use in the LDAP
environment. When client users connect to the server, they enter the user ID as the user
name you specify.
4. In the LDAP Container Settings dialog, select a membership basis for assigning channels
to users.
Support OU membership: select to assign channels to users based on their
organizational unit (OU).
Support OU and group membership: select to assign session policies to users based on
both their OU and groups.
5. Complete the installation.
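The LDAP dialogs above ask for a server address and port, whether to use SSL, an anonymous or User DN login, a root directory, a user class name and a user name attribute, and they describe a wildcard user search such as *mith. All of that can be exercised against the directory before the setup program is run, so that a wrong DN, a blocked anonymous search, or an SSL port that does not answer shows up here rather than as a failed installation. The PowerShell function below is an added example, not from the Afaria guide or the product; it uses the .NET System.DirectoryServices.Protocols classes to bind and search the way the dialog settings imply. The afaria.mycompany.com host and the *mith pattern come from the guide; the default user class and attribute are assumptions for an Active Directory server and must match what you enter in the LDAP User Characteristics dialog.

```powershell
# Added example (not from the Afaria guide): test the LDAP settings the setup
# dialogs ask for by binding and running the wildcard user search below the
# chosen root directory. Defaults for user class and attribute are assumptions
# for Active Directory.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AfariaLdapSettings {
    param(
        [string]$ServerAddress = 'afaria.mycompany.com',   # Server Address
        [int]$Port = 389,                                  # Port Number (use the SSL port with -UseSsl)
        [switch]$UseSsl,                                   # Use SSL
        [string]$UserDn,                                   # User DN; leave empty for Anonymous Login
        [System.Security.SecureString]$Password,           # Password for the User DN
        [Parameter(Mandatory)][string]$RootDn,             # LDAP Root Directory
        [string]$UserClass = 'user',                       # LDAP Class Name for Users (assumed default)
        [string]$UserNameAttribute = 'sAMAccountName',     # User Name Attribute (assumed default)
        [string]$UserNamePattern = '*mith'                 # wildcard search from the guide
    )
    $ns = 'System.DirectoryServices.Protocols'
    $identifier = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $ServerAddress, $Port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $identifier
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        # Without SSL a simple bind sends the User DN password to the directory
        # in clear text, which is what the Use SSL setting avoids.
        $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl

        if ($UserDn) {
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $credential = New-Object System.Net.NetworkCredential -ArgumentList $UserDn, $Password
            $conn.Bind($credential)
            $boundAs = $UserDn
        } else {
            # Anonymous Login: the directory must permit unauthenticated searches
            # for users, groups and OUs, or the search below returns nothing.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            $conn.Bind()
            $boundAs = 'anonymous'
        }

        # Only '*' should act as a wildcard, so escape the other RFC 4515
        # filter metacharacters in the pattern.
        $escaped = $UserNamePattern -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
        $request = New-Object "$ns.SearchRequest"
        $request.DistinguishedName = $RootDn
        $request.Filter = "(&(objectClass=$UserClass)($UserNameAttribute=$escaped))"
        $request.Scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $request.SizeLimit = 25
        [void]$request.Attributes.Add($UserNameAttribute)

        $response = $conn.SendRequest($request)
        $names = foreach ($entry in $response.Entries) {
            $entry.Attributes[$UserNameAttribute][0]
        }

        [pscustomobject]@{
            Server       = "${ServerAddress}:${Port}"
            Ssl          = [bool]$UseSsl
            BoundAs      = $boundAs
            Filter       = $request.Filter
            UsersMatched = @($names).Count
            Sample       = @($names) | Select-Object -First 5
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (constructed values): an anonymous search, then a bound search over SSL.
# Test-AfariaLdapSettings -RootDn 'DC=mycompany,DC=com'
# Test-AfariaLdapSettings -RootDn 'DC=mycompany,DC=com' -UseSsl -Port 636 `
#     -UserDn 'CN=afaria-ldap,OU=Service Accounts,DC=mycompany,DC=com' `
#     -Password (Read-Host -Prompt 'LDAP account password' -AsSecureString)
```

A bind failure surfaces as an LdapException naming the cause (invalid credentials, server unreachable, SSL handshake failure), and a successful bind with zero users matched points at the root directory, the user class, or anonymous search permissions rather than at the account. The User DN you confirm here is the one to give the Afaria server; it needs only read access to the users, groups, and organizational units under the root directory.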
Completing the Installation
Continue with the Ready To Start Installation dialog box to complete installation.
1. On the Ready to Start Installation dialog, click Install.
The Setup Complete dialog opens when the installation is complete.
2. If you receive a message that a file is in use, choose an appropriate action.
Abort: quits the installation.
If you are reinstalling and you abort the installation, you may find that some of the files
have been updated and some have not, leaving the installation in an undesirable state.
Re-run the installation program to restore stability and normal operations. If normal
operations do not resume, uninstall the program and install it again.
Retry: close the application using the file specified, and then click Retry to install the
file again. If the installation does not continue, click Ignore.
Ignore: continues the process but requires you to restart the computer to complete the
installation.
You may be prompted to restart your computer when the file copying process is completed.
After the restart, the installation program continues from the point at which it was
interrupted.
3. Select whether to start the service at this time.
To allow connections immediately, start the service. To continue with additional
installations and configuration, do not start the service.
4. Click Finish.
Installing Afaria Server Farm
For a farm environment, install additional servers after installing the main Afaria server and
the Afaria Administration Web console.
Prerequisites
Ensure that all farm servers are in the same domain and that the domain user name and
password match the ones specified for the Afaria Administrator and API services.
Task
For each planned farm server:
1. Start the setup program (setup.exe).
2. Enter the license key.
3. Start the server installation.
4. Complete the installation, using the same domain user account, database, and options as
the main Afaria server.
You must select the database for the existing Afaria server.
5. Start Afaria server service on the main server, then on the farm servers.
Installing Afaria API Service and Administrator
Install Afaria API Server and Administrator on either the Afaria server or a different server.
1. Start the setup program (setup.exe) in the Afaria installation directory.
2. On the setup menu, click Install.
3. Click Install Afaria and API Service Administrator, and click Next.
4. On the Select Database engine dialog, select the applicable iAnywhere SQL Anywhere or
Microsoft SQL database you configured previously and click Next.
5. On the SQL Anywhere Server Set Up dialog, select a Server Name, then confirm the
existing field values or enter the applicable ones.
All the database fields are pre-populated if the Afaria server is installed on the same
machine. If not, you need to enter them manually.
6. On the SQL Anywhere Server Database dialog, enter the Database name and click
Next.
7. On the Directory Selection dialog, change the default install path if desired, and click
Next. Create a directory for the installation if required.
8. On the Service Account dialog, define the domain or local account associated with the
Afaria API Service and Administrator, and click Next.
The account credentials should be the same as those used for the Afaria server install.
9. Click Install to start the Afaria API Service installation, and click Next on the
resulting welcome dialog.
10. On the Setup Complete dialog, select whether to start the service now or later.
The Administrator installation will stop the API Service automatically if required.
11. On the Select Virtual Directory dialog, define the virtual directory for Afaria
Administrator in IIS. If you created a directory, select it from the list. If you have not
created a directory, type the name for the directory to create it.
The directory appears in the IIS directory under Default Web Site.
12. On the Select Physical Directory dialog, enter or browse to the Physical directory
to install Afaria Administrator files.
If you are installing Afaria Administrator on the same server as the Afaria server, install
Afaria Administrator in a different directory.
13. On the Domain Selection dialog, enter the domain for selecting Afaria Administrator users
to administer the Afaria server. To limit selection to only local users, keep <none> as the
domain.
14. On the Ready To Start Installation dialog, click Install to begin the installation. The Setup
Complete dialog box opens at completion.
The Afaria Administrator installation will stop the API Service prior to installation, if
required.
15. If you receive a message that a file is in use, choose an appropriate action.
Abort: quits the installation.
If you are reinstalling and you abort the installation, you may find that some of the files
have been updated and some have not, leaving the installation in an undesirable state.
Re-run the installation program to restore stability and normal operations. If normal
operations do not resume, uninstall the program and install it again.
Retry: close the application using the file specified, and then select Retry to install the
file again. If the installation does not continue, select Ignore.
Ignore: continues the process but requires you to restart the computer to complete the
installation.
You may be prompted to restart your computer when the file copying process is
completed. After the restart, the installation program continues from the point at which
it was interrupted.
16. On the Setup Complete dialog, click Finish.
An Afaria Administrator shortcut appears on the desktop.
17. If you used a predefined virtual directory for this installation rather than allowing the setup
program to create one for you, verify the API Service and Afaria Administrator settings in
the directory before operating the Afaria Administrator program.
Verifying Afaria Administrator IIS Settings
If you used a predefined virtual directory when installing Afaria Administrator (instead of
allowing the setup program to create one for you), or if you are having problems accessing
Afaria Administrator from a browser, verify the Afaria API Server and Administrator IIS
settings.
1. From the Afaria Administrator, select Start > Administrative Tools > Internet
Information Services (IIS) Management.
2. Click the Basic Settings link on the right toolbar.
3. In the Edit Application dialog, verify that the physical path is the one you set during
installation.
4. Open Default Document and verify that default.aspx appears in the list.
5. Open Authentication and ensure that only Windows authentication is enabled.
6. Click Back and click Browse on the right toolbar.
Note: If you have stopped and restarted IIS at any time before opening Afaria
Administrator, ensure that when you restarted IIS that the WWW Publishing Service also
started. If it is not started, you can reset IIS, or you can restart it manually. This service
must be running for you to open Afaria Administrator.
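The same checks scripted so they can be re-run after any IIS change, added here as an example that is not part of the Afaria guide. The virtual directory name and expected physical path are placeholders for the values you chose during installation.

```powershell
# Added example, not from the Afaria guide: automates the checks in the
# "Verifying Afaria Administrator IIS Settings" procedure.
# Placeholders: $appName and $expectedDir must be replaced with your own values.
Import-Module WebAdministration

$site        = 'Default Web Site'
$appName     = 'AfariaAdministrator'        # placeholder virtual directory name
$expectedDir = 'C:\AfariaAdministrator'     # placeholder physical path
$location    = "$site/$appName"
$problems    = New-Object System.Collections.Generic.List[string]

# Step 3: the application's physical path must be the one set during installation.
$app = Get-WebApplication -Site $site -Name $appName
if (-not $app) {
    $problems.Add("Application '$location' does not exist; create the virtual directory or re-run setup.")
} elseif ($app.PhysicalPath -ne $expectedDir) {
    $problems.Add("Physical path is '$($app.PhysicalPath)', expected '$expectedDir'.")
}

# Step 4: default.aspx must appear in the application's Default Document list.
$defaultDocs = Get-WebConfiguration -Filter 'system.webServer/defaultDocument/files/add' `
                   -PSPath 'IIS:\' -Location $location |
               Select-Object -ExpandProperty value
if ($defaultDocs -notcontains 'default.aspx') {
    $problems.Add('default.aspx is not listed under Default Document.')
}

# Step 5: only Windows authentication may be enabled. Anonymous access in particular
# would expose the administration console without a Windows logon.
$authentication = @{
    anonymousAuthentication = $false
    basicAuthentication     = $false
    digestAuthentication    = $false
    windowsAuthentication   = $true
}
foreach ($mode in $authentication.Keys) {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                    -Filter "system.webServer/security/authentication/$mode" -Name enabled).Value
    if ([bool]$enabled -ne $authentication[$mode]) {
        $problems.Add("$mode enabled=$enabled; expected $($authentication[$mode]).")
    }
}

# Note above: the WWW Publishing Service must be running after any IIS restart.
$w3svc = Get-Service -Name W3SVC
if ($w3svc.Status -ne 'Running') {
    $problems.Add("World Wide Web Publishing Service (W3SVC) is $($w3svc.Status); start it or run iisreset.")
}

if ($problems.Count -eq 0) { 'Afaria Administrator IIS settings look correct.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```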
Changing the IIS Connection Timeout Value
Change the IIS connection timeout value to prevent the Afaria server from disconnecting with
an inactive browser user. Disconnected sessions can result in data loss.
1. From the Afaria home page, select Administrative Tools > Internet Information
Services (IIS) Manager.
2. Right-click Default Website on the left pane.
3. In the connections section, increase the timeout value to meet your needs, then click
OK.
When you change this value, it impacts all the Default Web Site members. Ensure you have
determined an acceptable value for all sites.
Starting Operations and Server Configuration
To get started with Afaria after completing the installation, complete tasks that prepare for,
and validate, basic operations.
Logging In to Afaria Administrator
Use the default user credentials to log in to the Afaria Administrator application.
By default and after installation, the only user that can log in to the Afaria Administrator
application is the user who installed the product. If you are in a different user context, the
application prompts you for the installing user credentials.
Open your browser and enter the Afaria Administrator address:
http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>
If your current user context differs from the user context for installing the product, then the
Enter Network Password dialog opens. Enter the installing user name, password, and domain
and click OK. Domain is not required when logging in to a local machine.
Logging in as Added User
Use your Windows user credentials to log in as an added user.
Log in to Afaria a second time, using your Windows user credentials. You can switch your user
context by using the Logon As User feature.
1. From the Afaria Homepage, click Logon As User. The Connect To dialog opens.
2. Supply your Windows user credentials and click OK.
The default page opens with content appropriate for your user role. Your user context
appears on the banner.
Starting, Stopping, Restarting the Afaria Server
Use Start, Stop, or Restart commands to control the state of the Afaria Server.
Server/client sessions can run only when the server is started. You can conduct other
operations, such as reviewing logs or reports, performing server configuration, or performing
administration and user support tasks when the server is in a stopped or started state. Some
configuration changes require you to restart the server to take effect.
1. From the Afaria Homepage, click the role link that is associated with the server to start.
The Server Status page opens.
The page includes a dynamic link that changes between Start Server or Stop or Restart
Server, depending on the current state of the server.
2. Click the Start Server or Stop or Restart Server link to open the Current Status dialog.
The dialog is dynamic based on the current state of the server and the relevant actions.
Click on the appropriate action:
Start: start a stopped server.
Stop: stop a started server.
Restart: stop, then start a started server.
Verifying Afaria Server Settings for Device Communication
Verify server-device connection settings for connecting Android, BlackBerry, Windows
Mobile, and Windows devices for communications.
After you configure Afaria server for device communications, review your settings for
correctness in Afaria Administrator.
1. On the Server page, click Configuration, expand the Communication list, and click
Device Communication.
2. Review the device communication settings for validity, namely: Protocols and ports,
Certificate settings, and the Address for Device communication.
Verifying Afaria Server Settings After Installation
Verify specific security and Afaria server farm settings that you entered during the installation
process.
After you install Afaria Server, review your security (NT or LDAP) and server farm settings
for correctness in Afaria Administrator.
1. On the Server page, click Configuration, expand the Server list, and click Server
Farm.
Review the settings for the server farm you set up for validity, namely: Name, State, IP
Address, Type and Replication Address.
2. Choose Security from the list.
Review and validate the settings for the NT or LDAP domain you set up.
Server Configuration for Installation and Management
Documentation for the Afaria Server configuration properties, as defined on the Afaria
Administrator Server Configuration page, is located in different documentation references,
depending on whether the properties serve general operations or optional features.
Properties documented in the Installation Guide are basic properties for core operations, such
as configuration for the SMS gateway or connectivity for the access control server:
Device communication
Access control server
Enrollment code
Relay server
Security
SMS gateway
SMTP
Enrollment server
iOS notification
Package server
Properties documented in the Administration Reference are optional properties, depending on
the features you license or choose to use, or on performance optimizations, such as defining
access control policies for users:
Tenants
Schedules
Logging option and cleanup
Outbound notifications
Google C2DM for Android
Device Activity
For session policies:
Bandwidth throttling
File compression
File differencing
User defined fields
iOS branding
For access control, options for known and unknown device policies
For device activity management:
General settings to enable and notify users
Roaming
Thresholds for data views
Device activity log cleanup
See also
Installing Enrollment Server - Basic on page 57
Configuring Afaria Server for Package Server on page 72
Configuring Relay Server for Access Control on page 114
Configuring the Relay Server for iOS Certificate Authority and Enrollment Server
Connections on page 69
User Role Management
The Afaria Administrator application uses role management to control access to the
application and its individual features and tenants. Use the installing user's credentials to log
into the Afaria Administrator application the first time.
By default, after installation, the only user that can log in to the Afaria Administrator
application is the user that installed the product. If you are in a different user context, the
application prompts you for the installing user's credentials.
These are predefined user roles:
Administrators: role for access to perform various administrative tasks and policies,
which includes control over role assignments and adding and removing servers. By
default, the role allows unrestricted access to the server.
Help Desk: role for server operations, such as for individuals who perform administrative
operations and provide support for users.
You can edit the predefined roles or add new roles as needed.
Viewing the Server Roles
View the server roles.
1. On the Home page banner, click Server to open the Server Dashboard page.
2. On the left toolbar, click Role to open the Server > Role page.
3. (Optional) To inspect a role's details, select a role and click Edit in the top toolbar, then
click Cancel after inspection.
Adding or Editing a User Role
Add or edit a user role by defining the features and tenants for the role, and the users to assign
to the role.
1. On the Home page banner, click Server to open the Server Dashboard page.
2. On the left toolbar, click Role to open the Server > Role page.
3. On the top toolbar, click Add, or select a role and click Edit in the top toolbar, to add or edit
a server role, respectively.
4. On the Role tab, enter a new role name and assign access policies for the sections Devices,
groups, and policies pages, Remote actions on devices, Server pages, and Server
configuration pages.
5. On the Tenants tab, select all or specific tenants to which the users you add to the role are
allowed access.
Every Afaria installation has a system tenant, but you can create additional tenants.
6. On the Users tab, click Add to add users to a role by specifying the DomainName\UserName.
7. Click Save.
Afaria Server Messaging
Short Message Service (SMS) is configured on the Afaria server for the delivery of SMS
messages from the Afaria server to devices that may or may not be Afaria devices.
The Afaria Server supports SMS messaging protocols SMTP and SMS Gateway, including
SMPP and SMS Modem.
Afaria uses the SMS gateway for devices and Afaria Clients that support SMS messaging
to deliver outbound notifications and remote wipe commands.
Afaria uses SMTP to send e-mail communications and e-mail-based Short Message
Service (SMS) messages related to Afaria operations.
Addresses and Routing for Afaria SMS and SMTP Messages
Both the Afaria SMS Gateway and the SMTP server use addresses to deliver their respective
Afaria-initiated messages to recipients.
Addresses are used in multiple Afaria contexts, including but not limited to:
Notification messages to devices for message broadcasts, provisioning, or client
deployment
Alert notifications to an administrator contact
Security commands to Afaria clients
SMS and SMTP Message Address Syntax
The address determines how the Afaria Server routes the message.
Use this syntax to format addresses:
<prefix>[<routing information>]
where < > encloses a parameter value, and [ ] indicates an optional parameter.
SMSC address requirements: your Short Message Service Center (SMSC) configuration
entities may have specific address requirements for successful routing. For example, a service
provider or carrier modem may require you to format all mobile numbers in their respective
international format and may stipulate that the leading + symbol is or is not part of the
requirement. It is your responsibility to understand the requirements for your SMSC entities,
and it is your responsibility to create your address entries appropriately.
SMSC name: the name of your SMSC entity has a direct impact on how Afaria routes Afaria-
initiated messages.
Routing table (columns: Prefix + Routing Information, Examples, Afaria Routing Logic):

Prefix = <mobile number>

<prefix> + null
  Examples: 5554122212, 15554122212, +15554122212, +445555121212
  Afaria routing logic: IF any SMS gateway SMPP service is defined, THEN send via SMPP
  service, ELSE IF any SMS gateway entity is defined, THEN send via SMS gateway entity,
  ELSE discard message.

<prefix> + <routing information>
  Examples: +15554122212@allcellular, 5554122212@mobiletoday.com
  Afaria routing logic: IF <routing information> = an SMS gateway SMPP service name, THEN
  send via SMPP service, ELSE IF <routing information> = an SMS gateway modem name, THEN
  send via modem, IF any SMS gateway SMPP service is defined, THEN send via SMPP service,
  ELSE IF any SMS gateway entity is defined, THEN send via SMS gateway entity, ELSE send
  via SMTP server.

Prefix = <recipient identifier>

<prefix> + null
  Examples: john.doe, jdoe
  Afaria routing logic: Invalid, discard message.

<prefix> + <routing information>
  Examples: john.doe@mobiletoday.com, jdoe@allcellular, jdoe@egroup.gov
  Afaria routing logic: Send via SMTP server.
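The routing logic in the table, expressed as a function so the decision for a given address can be checked against your own SMS gateway configuration. This is an added example, not code from the Afaria product; the SMPP service and modem names are constructed sample configuration.

```powershell
# Added example, not from the Afaria guide: applies the address routing table to an
# address. Entity names below are constructed sample values, not real configuration.
function Resolve-AfariaMessageRoute {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [string[]] $SmppServiceNames = @(),   # names of enabled SMS gateway SMPP entities
        [string[]] $ModemNames       = @()    # names of enabled SMS gateway modem entities
    )
    # Address syntax is <prefix>[@<routing information>]; routing information is optional.
    $prefix, $routing = $Address -split '@', 2
    $isMobileNumber   = $prefix -match '^\+?\d+$'
    $anySmpp          = $SmppServiceNames.Count -gt 0
    $anyGateway       = $anySmpp -or ($ModemNames.Count -gt 0)

    if (-not $routing) {
        # Prefix only: a recipient identifier without routing information is invalid;
        # a mobile number goes to the gateway, or is discarded when no gateway exists.
        if (-not $isMobileNumber) { return 'discard (recipient identifier needs routing information)' }
        if ($anySmpp)             { return 'SMPP service' }
        if ($anyGateway)          { return 'SMS gateway entity' }
        return 'discard (no SMS gateway entity defined)'
    }

    # Recipient identifier with routing information always goes to the SMTP server.
    if (-not $isMobileNumber) { return 'SMTP server' }

    # Mobile number with routing information: a matching entity name first, then any
    # gateway entity, then the SMTP server as the last resort.
    if ($SmppServiceNames -contains $routing) { return "SMPP service '$routing'" }
    if ($ModemNames -contains $routing)       { return "modem '$routing'" }
    if ($anySmpp)                              { return 'SMPP service' }
    if ($anyGateway)                           { return 'SMS gateway entity' }
    return 'SMTP server'
}

# Constructed sample configuration: one SMPP service and one modem, named after the
# routing-information values used in the table's examples.
$smpp   = @('allcellular')
$modems = @('mobiletoday.com')
foreach ($addr in '5554122212', '+15554122212@allcellular', '5554122212@mobiletoday.com',
                  '15554122212@othercarrier', 'jdoe', 'jdoe@egroup.gov') {
    '{0,-28} -> {1}' -f $addr, (Resolve-AfariaMessageRoute -Address $addr `
                                    -SmppServiceNames $smpp -ModemNames $modems)
}
```

Run the loop again with `$smpp = @()` and `$modems = @()` to see the bare mobile number fall through to the discard branch while the e-mail style addresses still route to SMTP.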
SMS Gateway
Afaria uses the SMS gateway to deliver outbound notifications, remote wipe commands, and
any other Afaria communication that is addressed for SMS routing to supported Afaria
devices.
The Afaria solution leverages the Cygwin product libraries and tools and other open source
tools to implement its SMS Gateway. The Cygwin product is a set of libraries and tools
developed by Cygnus Solutions that creates a Unix-emulating environment on a Windows
operating system.
Due to the nature of open source licensing practices, cited in the GNU General Public License,
Sybase cannot distribute, install, or license the libraries and tools as part of a commercial
product delivery. Therefore, you must obtain and install the required items on behalf of your
organization to enable the SMS gateway operations in Afaria.
Installing SMS Gateway
Install SMS Gateway on the Afaria server to deliver outbound notifications and remote wipe
commands.
1. Run the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Access SMS
Gateway Resources.
3. On the Afaria third-party component dependency reference page, find version information
and download instructions for obtaining the Cygwin components.
SMS gateway operations use only some of the Cygwin product components. Therefore,
these installation steps describe a manual process for installing only the component that
the SMS gateway requires, rather than using the Cygwin installation program.
4. Use a decompression utility to decompress the BZ2 download packages from within the
<download folder> folder. For each installation package file with file extension
BZ2, the decompression yields one extracted file with file extension .tar.
5. Extract the decompressed packages into the same download folder. The file extraction
creates these folders:
<download folder>\usr: contains additional, nested folders.
<download folder>\etc: contents are not used for SMS gateway operations.
6. Modify the Afaria Server environment to include the required libraries and tools by either
including <download folder>\usr\bin in the default system path or by copying
these <download folder>\usr\bin files into the Afaria folder
<AfariaInstallation>\bin\SMSGateway:
cygcrypto-0.9.8.dll
cygiconv-2.dll
cygssl-0.9.8.dll
cygwin1.dll
cygxml2-2.dll
cygz.dll
The default value for <AfariaInstallation> is C:\Program Files\Afaria.
HTTPS Support Certificates
HTTPS support for SMS Gateway requires you to install a certificate that is known to both
Windows and Linux.
SMS Gateway runs on the Afaria server and is encapsulated within an emulated Linux
operating system environment; the Afaria server runs on a Windows operating system. A
certificate is required for proper communication between the two separate operating systems
on the same server.
1. Obtain a certificate and key that identify the Afaria server in PEM format.
Ensure that the common name attribute on the certificate is the name of the Afaria server,
exactly as the name is defined in the Gateway Host field on the SMS Gateway
configuration page.
2. Certificate for Windows: import the PEM-formatted certificate and its associated key as a
visible Windows Trusted Root Certificate Authority. The Windows Trusted Root is
accessible only to the Afaria Server.
3. Certificate for Linux: complete the Cert file and Key file fields on the SMS Gateway
Interface configuration page to point to the certificate and key files. The files must reside
on the Afaria Server. The SMS Gateway uses these references to access the certificates, as
it cannot access certificates as imported into the Windows Trusted Root Certificate
Authority.
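A check for the three prerequisites above (PEM files present, common name equal to the Gateway Host, certificate present in the Windows Trusted Root store), added here as an example that is not part of the Afaria guide. It also flags a key file readable by broad groups, which the steps do not mention; the file paths and Gateway Host value are placeholders.

```powershell
# Added example, not from the Afaria guide: verifies the SMS Gateway HTTPS
# certificate prerequisites before you enable HTTPS support.
# Placeholders: the PEM paths and the Gateway Host value passed at the bottom.
function Test-SmsGatewayCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertFile,     # PEM certificate, as in the Cert file field
        [Parameter(Mandatory)] [string] $KeyFile,      # PEM private key, as in the Key file field
        [Parameter(Mandatory)] [string] $GatewayHost   # value of the Gateway Host field
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Linux side: the SMS Gateway reads both PEM files from disk on the Afaria server.
    foreach ($path in $CertFile, $KeyFile) {
        if (-not (Test-Path -LiteralPath $path)) { $findings.Add("File not found: $path") }
    }
    if ($findings.Count -gt 0) { return $findings }

    # X509Certificate2 loads Base64 (PEM) encoded certificate files directly.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile

    # The common name must equal the Gateway Host exactly (case-sensitive compare).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -cne $GatewayHost) {
        $findings.Add("Certificate CN '$cn' does not match Gateway Host '$GatewayHost'.")
    }

    # Validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
    }

    # Windows side: the same certificate must be in the machine Trusted Root store.
    $inRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
              Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $inRoot) {
        $findings.Add('Certificate is not imported into the LocalMachine Trusted Root Certification Authorities store.')
    }

    # The private key identifies the Afaria server; broad read access defeats that purpose.
    $broadReaders = (Get-Acl -LiteralPath $KeyFile).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   "$($_.IdentityReference)" -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' }
    if ($broadReaders) {
        $names = ($broadReaders.IdentityReference | Select-Object -Unique) -join ', '
        $findings.Add("Key file $KeyFile is readable by: $names")
    }
    return $findings
}

# Placeholder invocation; replace with your own paths and Gateway Host value.
$result = Test-SmsGatewayCertificate -CertFile 'C:\Afaria\certs\afaria-server.crt.pem' `
                                     -KeyFile  'C:\Afaria\certs\afaria-server.key.pem' `
                                     -GatewayHost 'afaria-server.example.com'
if ($result.Count -eq 0) { 'Certificate prerequisites satisfied.' } else { $result }
```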
Configuring Afaria Server for SMS Gateway
SMS Gateway configuration settings and data elements establish connectivity between the
Afaria server hosting the SMS Gateway and the Afaria SMS Gateway.
In a farm environment, the Afaria server is always the main server.
To successfully start the SMS Gateway, you must define SMS Gateway properties and at least
one SMSC server configuration entity.
1. On the Server page, click the Configuration icon on the left panel, expand the Server list,
and select SMS Gateway.
The SMS Gateway page appears with the Gateway tab enabled.
2. Enter the Port number for the first Afaria server port number dedicated to SMS gateway
communication. The server uses this port and the next two consecutive ports. For example,
if you select port 3000, then the SMS gateway uses ports 3000, 3001, and 3002.
3. Enter the Access Phrase for all communications from an Afaria server to the SMS gateway.
SMS gateway ignores all communications requests that do not include this phrase.
4. Select the Character Set that SMS Gateway uses to compose SMS messages. The appearance
of the message at the client depends on device support for the chosen character set. Devices
that support only ASCII but are sent a Unicode-based message show messages padded with
extra characters.
5. (Optional) Click Enable HTTPS Support to enable HTTPS support for secure
communications from the Afaria server to the SMS gateway.
6. Enter the Certificate File path and file name on the main Afaria server for the PEM-
formatted certificate file. The SMS Gateway uses this file to verify the identity of the
Afaria server.
7. Enter the Key File path and file name on the main Afaria server for the PEM-formatted key
file. The SMS Gateway uses the file to verify the identity of the Afaria server.
8. Define an SMSC server configuration entity.
Setting Up SMS Modem
For each SMS modem from your providers, add and configure Afaria server for
communication.
Prerequisites
Follow the instructions from your modem provider to connect the modem to the Afaria server.
Task
SMS modems are typically carrier specific, as each modem uses a carrier's Subscriber Identity
Module (SIM) card. They use the associated carrier's network to deliver SMS messages to an
SMSC, so messages take an indirect path to the SMSC. Modems can often deliver basic SMS
messages (for example, text messages) to different carrier networks.
1. On the Server page, click the Configuration icon, select the Modem tab, and click
Add.
You see a new line of configuration fields.
2. Select Enable to enable communications with this entity. Unselect the check box to
suspend communications but retain the configuration values.
3. Enter the Name.
The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. Select an Afaria server COM port; ports 1 to 16 are valid for SMS Gateway operations.
5. Complete the required port, source, and destination properties guided by the definitions in
the SMPP Configuration Properties topic.
6. Click Save.
Setting Up SMPP
You can configure Short Message Peer-to-Peer (SMPP) entities for use with SMS Gateway on
the Afaria server.
Short Message Peer-to-Peer (SMPP) is a protocol for delivering SMS messages directly to a
Short Message Service Center (SMSC) or SMSC aggregator.
SMPP services are typically carrier agnostic. Message routing from the SMS gateway is direct
to the SMSC, rather than over a carrier network. As a result, an SMPP service can typically
deliver most SMS messages to any carrier network.
Note: You can create multiple SMPP entities, but the Afaria server uses only those that you
enable.
1. On the Server page, click the Configuration icon, select the SMPP tab, and click Add.
2. Select Enable to enable communications with this entity. Unselect the check box to
suspend communications but retain the configuration values.
3. Enter the Name of the service.
The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. As defined by your SMPP service provider, define the remaining property values.
5. Click Save.
Setting Up SMTP
You can use the SMTP page to configure your SMTP server to send e-mail communications
and e-mail-based Short Message Service (SMS) messages related to Afaria operations.
1. On the Server page, click Configuration.
2. Enter the name of the SMTP Server.
This field can contain either the IP address or the host name of the SMTP server that you
use to send SMS messages.
3. Enter the user ID for the SMTP server account that you use to send SMS messages.
4. Enter the reply address that appears on the SMS messages.
5. Click Restart Server for the changes to take effect.
Installation and Configuration for Enrollment
Components
To support device enrollment for Android, BlackBerry, iOS, and Windows Mobile devices,
install and configure the Afaria enrollment server. In addition, for iOS device support,
configure a certificate authority (CA).
The enrollment server retrieves enrollment policies from the database for all device types, and
delivers payloads for iOS devices.
The certificate authority is a required part of Apple-defined iOS MDM management.
Installing Enrollment Server - Basic
To support device enrollment for Android, BlackBerry, iOS, and Windows Mobile devices,
install and configure the Afaria enrollment server. Record the address and virtual directory
values as you complete the installation; you will need them for subsequent configuration
tasks.
Install the server first in its basic implementation, without payload-signing enabled. Payload
signing is an advanced feature for iOS device support.
1. On the installation image, start the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Enrollment
Server.
3. On the Specify Credentials page, accept or define the account name and password used to
run the Afaria service on the Afaria server.
The enrollment server uses these credentials to contact the Afaria server for database
credentials.
4. On the Specify Virtual Directory Names page, accept or define these settings:
Unauthorized virtual directory name: user-defined name, populated with a default
value.
The unauthorized directory accepts an initial device connection and processes any
required user authentication.
Authorized virtual directory name: user-defined name, populated with a default
value.
The authorized directory accepts device connections in the connection series after the
device connects to the unauthorized directory.
5. On the Specify Server Address page, accept or define the address for the Afaria server.
The enrollment server uses this address to reach the Afaria server.
6. On the Specify Certificates for Signing page, unselect Sign Messages to disable the
feature; it is not part of the basic implementation.
7. Only if you are a self-signing entity and managing iOS devices, on the Specify SSL
Certificate page, select the certificate that is bound to IIS for SSL.
By selecting the certificate, Afaria can traverse the certificate chain and ensure that iOS
devices that need intermediate certificates for operations get them seamlessly from the
enrollment server.
Your Apple APNS certificate is not valid for this step.
8. Follow the setup wizard to completion.
The enrollment server installation is now complete, and you can observe service
AfariaiPhoneServer in the Windows service list. The installation process also populates the
Enrollment Server configuration page with corresponding values if the Afaria server is on the
same server.
See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Configuring Relay Server for Enrollment Server on page 112
Configuring Relay Server for iOS Certificate Authority on page 113
Launching the Relay Server Outbound Enabler on page 117
Configuring Afaria Server for Basic Enrollment Server
Configure the Afaria server for the enrollment server, as installed with payload-signing
disabled, without enabling SSL on the HTTPS port, and without enabling relay server.
1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand
the Component list, and click Enrollment Server.
2. Accept or define the IP or fully qualified server address devices use to connect to the
enrollment server.
The address must be externally accessible.
3. Accept or define the unauthorized and authorized virtual directory names, as defined
during the enrollment server installation.
The unauthorized directory accepts an initial device connection and processes any
required user authentication.
The authorized directory accepts device connections in the connection series after the
device connects to the unauthorized directory.
4. Only if you are required to use a proxy for the Apple APNS and feedback servers, click
APNS/Feedback Configuration and change the predefined settings to your proxy server.
APNS: domain and port for sending notifications.
Feedback: domain and port for soliciting feedback, as defined by Apple.
The feedback service is an aid for gaining feedback about devices that no longer have
MDM control installed. Afaria captures feedback data in Afaria table
A_iphone_feedback_log. If feedback is received about a device having removed control,
Afaria updates the known device state and adds an entry to the Messages log identifying
the device and indicating that control is removed.
5. Click Save.
Configuring Afaria Server for Enrollment Codes
Enable at least one URL shortening service before creating enrollment policies.
Prerequisites
To enable the Google URL service, you need a Google API key, as issued by Google to your
enterprise, as part of the Google API program.
Task
Service terms are between your enterprise and the service provider. You must accept the terms
of service to enable a service.
1. On the Server page, click the Configuration icon on the left toolbar, expand the Server list,
and select Enrollment Code. Enable at least one of these services:
TinyURL service
Google URL service (including the API Key)
2. (Optional) Click the test links to verify connectivity and a call to the service.
3. To change how long an enrollment code is valid for iOS and Android device enrollment,
under Self-service portal enrollment requests, specify how long a user request is valid to
use for enrollment in days, hours and minutes.
Self-Service Portal enrollment for other device types does not include a validity time
window.
4. Click Save.
See also
Obtaining a Google API Key on page 33
Configuring Certificate Authority for iOS Devices
Configure a Microsoft certificate authority (CA) as a required component for iOS device
management.
Consult these essential references before and during configuration:
Afaria system requirements to learn about requirements for your CA operating system
and connectivity within the Afaria environment.
Microsoft documentation resources to learn about CAs and how to add roles and comply
with the Afaria system requirements. For example, the Microsoft SCEP Implementation
White Paper (www.microsoft.com/download/en/details.aspx?id=1607).
Configuring an Enterprise Root Certificate Authority for iOS
Configure the enterprise root CA by defining the Active Directory Certificate Service (ADCS)
and Network Device Enrollment Service (NDES) roles.
Prerequisites
The Server needs to be a member of a domain with an Active Directory Domain Controller.
You must also be logged on to the CA server as a user that is a member of the domain.
Task
1. Add the Active Directory Certificate Service (ADCS) Role.
2. Add the Network Device Enrollment Service (NDES) Role.
Adding the Active Directory Certificate Service (ADCS) Role
Add the ADCS role as part of the iOS certificate authority (CA) configuration.
1. On the CA, open Server Manager (Programs > Administrative Tools > Server Manager) and
select Roles.
2. Click Add Roles to launch a wizard.
3. On the Server Roles page, enable Active Directory Certificate Service.
4. On the Role Services page, enable Certification Authority Web Enrollment.
A pop-up window may open to prompt you to install IIS. If so, install it.
5. Click Add Required Role Services and click Next.
The Certification Authority Web Enrollment check box is now enabled.
6. On the Specify Set Up Type page, enable Enterprise.
7. On the Specify CA Type page, enable Root CA.
8. On the Set up Private Key page, enable Create a new private key.
9. Verify the pre-populated settings on the Configure Cryptography for CA settings.
10. On the Configure CA name page, confirm the Common Name for this CA and note it for
later.
11. On the Set Validity page, select the validity period for the certificate as appropriate for
your enterprise.
12. On the Configure Certificate Database page, confirm the path of the certificate
database.
13. On the Web Server IIS introductory page, click Next to proceed to the setup.
14. On the Select Role Service page, click Next to confirm the default IIS settings.
15. On the Confirm Installation Selections page, review the details of the ADCS configuration
and IIS installation and then click Install.
16. Click Close to complete the wizard and restart the server.
Adding the Network Device Enrollment Service (NDES) Role
Add the NDES role as part of the iOS certificate authority (CA) configuration.
Prerequisites
Add the ADCS role to the CA.
Task
1. On the CA, open the Server Manager > Roles > Active Directory Certificate Services >
Add role services.
2. On the Select Role Services page, enable Network Device Enrollment Service.
3. On the Specify User Account page, enable Specify a User Account, click Browse to find
the account in your local IIS users group, and click Next.
4. Enter your credentials in the Windows Security dialog, click OK, and then click Next.
If the user does not match the required IIS prerequisites, an error message displays.
5. On the Specify Registration Authority Information page, enter the applicable Registration
Authority Information, which will be required later during device configuration.
Do not use special or localized characters.
6. On the Configure Cryptography for Registration Authority page, accept the defaults and
click Install.
7. On the Confirm Installation Selections page, review the details of the NDES configuration
and click Install.
8. Click Close.
9. Under Role Services, verify that the following services appear in the installed list:
Certification Authority
Certification Authority Web Enrollment
Network Device Enrollment Service
Click the refresh link at the bottom if you installed a service but do not see it in the list.
Tuning the Certificate Authority for Afaria
Configure the SCEP challenge phrase and certificate request handling on the certificate
authority (CA) to increase security for iOS connections and ensure that certificates are issued
automatically.
The challenge configuration changes allow Afaria to act as a proxy for requesting challenge
phrases and optimize challenge phrase properties for Afaria operations. The request handling
change allows the CA to issue certificates automatically, rather than putting them into a
pending state that would require administrator action.
Warning! The tuning registry changes impact all IIS operations.
1. On the CA, using Windows Server Manager, on the SCEP administrator virtual directory
(IIS Manager > Default Web Site > CertServ > mscep_admin), set authentication as follows:
Anonymous authentication: enabled, using the same credentials as the SCEP
application pool.
Windows authentication: enabled.
2. Create a registry entry to change the challenge phrase default behavior to increase the
maximum number of passwords that are valid simultaneously to 100.
Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordMax]
Value: "PasswordMax"=dword:100
3. Create a registry entry to change the challenge phrase default behavior to decrease the time
period that each password is valid to 10 minutes.
Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordValidity]
Value: "PasswordValidity"=dword:0A
4. To configure certificate request handling in Server Manager, select your CA in the ADCS
node, right-click Properties > Policy Module > Properties and select to follow the
template or automatically issue, rather than to set it to pending.
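The authentication and registry changes in steps 1 through 3, scripted as an added example for an elevated PowerShell session on the CA (this is not part of the Afaria guide or of Sybase's own tooling). It uses the registry key paths and the mscep_admin virtual directory path exactly as the guide gives them, and reads each value back so you can confirm what the CA will actually enforce. One caveat before pasting the guide's lines into a .reg file: .reg dword values are hexadecimal, so dword:100 is 256 decimal while dword:0A is 10; the script sets the decimal numbers the guide's text states (100 simultaneous passwords, 10-minute validity).

```powershell
# Added example, not from the Afaria guide: apply and verify the CA tuning changes
# from "Tuning the Certificate Authority for Afaria". Run elevated on the CA.
Import-Module WebAdministration   # IIS cmdlets; installed with the IIS role

# Step 1: authentication on the SCEP administrator virtual directory.
# The site path is taken from the guide as written.
$site = 'Default Web Site/CertServ/mscep_admin'
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true
# An empty userName makes IIS run anonymous requests under the application
# pool identity, i.e. the same credentials as the SCEP application pool.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name userName -Value ''
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# Steps 2 and 3: challenge phrase limits. Values are decimal here: 100 valid
# passwords at once, each valid for 10 minutes (the guide's dword:0A).
$settings = @(
    @{ Key  = 'HKLM:\Software\Microsoft\Cryptography\MSCEP1\PasswordMax'
       Name = 'PasswordMax';      Value = 100 },
    @{ Key  = 'HKLM:\Software\Microsoft\Cryptography\MSCEP1\PasswordValidity'
       Name = 'PasswordValidity'; Value = 10 }
)
foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
        -Value $s.Value -Force | Out-Null
}

# Read the values back so a reviewer sees both the decimal and hex form.
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
    if ($actual -ne $s.Value) {
        throw "$($s.Name) is $actual, expected $($s.Value)"
    }
    Write-Host ("{0} = {1} (0x{1:X})" -f $s.Name, $actual)
}
```

Because the warning above applies (the authentication change affects all IIS operations on that virtual directory), run the read-back loop after any later IIS or registry maintenance on the CA to confirm the settings survived.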
Installing the Afaria SCEP Plug-In Module on the CA
Install the optional Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module on
the certificate authority (CA) to filter certificate requests.
The module enhances security by blocking devices that are not known to the Afaria database
from obtaining an enrollment certificate.
1. On the CA server, start the setup program (setup.exe) from the Afaria product
image.
2. On the setup menu, click Additional Installations and Resources > Install Afaria
SCEP Plug-In Module.
3. Enter database type and credentials.
4. Choose an installation path and install the Afaria SCEP policy module.
5. On the CA, open Active Directory Certificate Services (ADCS).
6. On your CA node, select the Properties and the Policy Module tab, then select
XSSCEPPolicyModule.dll.
7. Restart ADCS.
8. (Optional) Power off, and then on, the CA server.
Because of a known issue with restarting ADCS on the Microsoft CA, Sybase recommends
turning the power off, and then on, to correctly enable the Afaria SCEP module.
After startup, the CA issues certificates only to the devices that are defined in the Afaria
database.
Configuring Afaria Server for iOS Certificate Authority
Configure Afaria to use the iOS certificate authority (CA) for iOS devices, without enabling
SSL on the HTTPS port, and without enabling relay server.
For iOS devices, the CA delivers certificates to devices during enrollment. If the optional
Afaria SCEP module is installed, the CA verifies whether the requesting device is defined in
Afaria and fulfills requests only for verified devices.
1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand
the Component list, and click Enrollment Server.
2. Enter the CA server address.
The IP or the fully qualified address that devices use to connect to the CA server. The
address must be externally accessible.
3. (Optional) Click Certificate request and enter information to populate the certificate that
the CA delivers to the iOS device.
4. (Optional) Click Certificate test to test the CA connection from the testing server
location.
This test is valid only if the testing server can access the CA address, as defined in the
address field. The testing server and the connecting devices may have different access to
the CA.
5. Click Use SCEP challenge and configure the SCEP challenge properties for the SCEP
application pool user, the account you used when you tuned the iOS CA. The account must
have administrative privileges on the CA.
SCEP Challenge Domain
SCEP Challenge User
Password
6. Click Save.
7. Restart the Afaria server service.
Importing Apple Root and Intermediate Certificates for MDM Management
Import Apple root and application integration certificates as trusted root certificates so that
any APNS certificates you install and configure for Afaria MDM management have a valid
chain to a trusted root.
1. Copy your Apple root and intermediate certificates to a location accessible from the Afaria
server.
2. On the Afaria server desktop, launch the Microsoft Management Console (MMC) by
selecting Start > Run and entering MMC.
3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open
the snap-in dialog, and adding the "Certificates" snap-in, selecting these options:
Computer account
Local computer
4. On the console root tree, select Certificates (Local computer) > Trusted Root
Certification Authorities > Certificates.
5. On the Certificates node, right-click All Tasks > Import to launch the import wizard and
import the Apple Inc. Root certificate (.CER).
6. Launch the import wizard again and import the Apple Application Integration certificate
(.CER).
7. Review the certificate list for the imported certificates.
Configuring Afaria Server for iOS Notifications
Add your Apple-issued push certificate for iOS device management to the Afaria server and
define the text to send to devices for SMS-based outbound notifications. The Apple Push
Notification Service (APNS) certificate, as issued by Apple to your enterprise, uniquely
identifies an Afaria server and its associated enterprise to the APNS.
Consider the configuration of your enterprise tenant environment before operating Afaria:
If you are an enterprise using only the system tenant, install your Apple push certificate on
the system tenant.
If you are an enterprise using multiple tenants to separate operations, install your Apple
push certificate on the system tenant.
If you are a hosting enterprise using multiple tenants to separate multiple customers,
ensure each customer installs their own Apple push certificate on their tenant. Do not
install a push certificate on the system tenant; it is the backup certificate for tenants that do
not have a certificate.
1. On the Afaria Administrator Server page, click the Configuration icon on the left toolbar,
expand the Server list and select iOS Notification.
2. Click Browse and navigate to and select the push certificate.
3. On the iOS Notification page, enter the password for the certificate.
4. Click Install to install the certificate.
The certificate is installed to the local machine personal certificate store on the Afaria
server. The MDM certificate name populates the page. The Current Push Service is the
topic name, as defined by Apple on the certificate.
(System tenant) If your Apple root and intermediate certificates are not installed, the
interface prompts you to install them.
(Non-system tenant) If Apple root and intermediate certificates are not installed, the
interface opens an error. Notify your system tenant administrator.
5. (Optional) In the Default Notification Messages group, change the default text of the
outbound notification messages used when manually applying a policy to, or configuring
the Afaria application for, a device that has removed MDM control. Select Add text to end
of notification message to append the text to the end of the message, or leave it unselected
to display the text at the beginning.
6. Click Save.
See also
Apple Certificates for Managing Afaria Devices on page 27
Configuring SSL Connections for Enrollment Server
Configure the Afaria server for enrollment server SSL connections when preferred or required
for network security.
Prerequisites
This task assumes that you have a valid SSL certificate from a known certificate authority for
your enrollment server's IIS server.
Task
1. On the Afaria Administrator Enrollment Server page, in the Enrollment Server group,
click Use HTTPS on Enrollment Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on
the associated SSL certificate.
3. If you enabled the enrollment server's SSL on a port other than default port 443, update the
server address to include the port suffix using the syntax <Address>[:<port>].
4. Restart the Afaria server service.
Configuring SSL Connections for iOS CA
(Optional) Configure the Afaria server for iOS certificate authority (CA) server SSL
connections when preferred or required for network security.
Prerequisites
This task assumes that you have a valid SSL certificate from a known certificate authority for
your CA's IIS server.
Task
1. On the Afaria Administrator Enrollment server page, in the CA group, click Use HTTPS
on Certificate Authority connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on
the associated SSL certificate.
3. If you enabled the CA's SSL on a port other than default port 443, update the server address
to include the port suffix using the syntax <Address>[:<port>].
4. Restart the Afaria server service.
Adding iOS MDM Payload Signing for iOS
Add payload signing to ensure that payloads are not tampered with during delivery. You can
use your Apple APNS certificate for signing.
Prerequisites
Install, configure, and verify the iOS implementation before adding signing.
Task
1. Copy the Apple root and application integration certificates and your Apple Push
Notification Service (APNS) certificate to the enrollment server.
2. On the enrollment server, import your Apple root and application integration certificates
as trusted root certificates.
3. Reinstall the enrollment server to enable signing and import your APNS certificate.
4. Use the Afaria Administrator Enrollment Server page to enable signing.
5. Restart the Afaria server.
6. Enroll one or more test devices and observe the user interface to determine whether the
certificate is untrusted or trusted.
The expected result, after a possible user authentication prompt, is either:
Signed but untrusted: the Apple Profile Service dialog is shown to the user and
indicates status Not Verified.
Signed and trusted: the Apple Profile Service dialog is shown to the user and
indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the client that matches the
root certificate that the enrollment server is using and retry the enrollment.
Importing Apple Root and Intermediate Certificates for MDM Payload Signing
Import Apple root and application integration certificates as trusted root certificates so that the
APNS certificates you install for MDM payload signing have a valid chain to a trusted root.
1. Copy your Apple root and intermediate certificates to a location accessible from the
enrollment server.
2. On the enrollment server desktop, launch the Microsoft Management Console (MMC) by
selecting Start > Run and entering MMC.
3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open
the snap-in dialog, and adding the "Certificates" snap-in, selecting these options:
Computer account
Local computer
4. On the console root tree, select Certificates (Local computer) > Trusted Root
Certification Authorities > Certificates.
5. On the Certificates node, right-click All Tasks > Import to launch the import wizard and
import the Apple Inc. Root certificate (.CER).
6. Launch the import wizard again and import the Apple Application Integration certificate
(.CER).
7. Review the certificate list for the imported certificates.
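The same import done from PowerShell instead of the MMC, as an added example that is not from the guide; it serves both this procedure and the identical one for the Afaria server in "Importing Apple Root and Intermediate Certificates for MDM Management". The certificate file paths and the push certificate file are placeholders you replace with your own. The chain build at the end is the scripted form of step 7: it shows whether the push certificate you are about to install (or have installed for signing) actually reaches a trusted root through the two Apple certificates. Only .NET X509 classes are used, so it runs on any supported Windows Server without extra modules.

```powershell
# Added example, not from the Afaria guide: import the Apple root and
# intermediate certificates into the local computer's Trusted Root store
# and confirm that the enterprise push certificate chains to them.
$ns = 'System.Security.Cryptography.X509Certificates'

$rootCerts = @(
    'C:\certs\AppleIncRootCertificate.cer',      # placeholder: Apple Inc. Root
    'C:\certs\AppleApplicationIntegration.cer'   # placeholder: Apple Application Integration
)
$pushCertPath     = 'C:\certs\apns-push.p12'    # placeholder: Apple-issued push certificate
$pushCertPassword = Read-Host -AsSecureString 'Push certificate password'

# Steps 3-6: Certificates (Local computer) > Trusted Root Certification
# Authorities, opened read/write, with each file imported if not present.
$store = New-Object "$ns.X509Store"('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
foreach ($path in $rootCerts) {
    $cert = New-Object "$ns.X509Certificate2"($path)
    if ($store.Certificates.Contains($cert)) {
        Write-Host "Already present: $($cert.Subject)"
    } else {
        $store.Add($cert)
        Write-Host "Imported: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    }
}
$store.Close()

# Step 7: review the result by building the push certificate's chain.
# Revocation is not checked here; this is a trust check that works offline.
$push  = New-Object "$ns.X509Certificate2"($pushCertPath, $pushCertPassword)
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($push)
Write-Host 'Chain:'
foreach ($el in $chain.ChainElements) { Write-Host ("  " + $el.Certificate.Subject) }
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Push certificate does not chain to a trusted root; check the imported Apple certificates.'
}
Write-Host 'Push certificate chains to a trusted root.'
```

A chain that stops at an untrusted root or reports a partial chain means the wrong file was imported or the wrong store was opened; that is the same condition the iOS Notification page reports when it prompts the system tenant to install the Apple certificates.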
iOS MDM Payload Signing Certificate Requirements
The certificate must be an IP Security (IPSec) certificate in the X.509 standard and meet Afaria
requirements, regardless of whether you get your certificate from a known certificate
authority (CA) or operate as a self-signing entity and create your own signing
certificate.
The IPSec signing certificate must meet these property requirements:
Subject: define the subject name as type common name.
General: define the common name (CN) and record the value for future use.
Extensions: for key usage, add the digital signature and key encipherment options; for
extended key usage (also known as application policies), add all available options.
Private key: select key size 2048 and make the private key exportable. The key type must
allow exchanges.
The Apple APNS certificate does meet requirements for signing.
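An added check, not from the guide, that reads a certificate from the enrollment server's personal store and tests it against the property list above, then prints the common name you later enter as the signing certificate name on the Afaria Administrator Enrollment Server page. The thumbprint is a placeholder and the function name Test-SigningCertificate is my own. Exportability and key type are read through CspKeyContainerInfo, which is available for CSP-backed keys; for CNG-backed keys the script reports that it cannot read them rather than guessing.

```powershell
# Added example, not from the Afaria guide: test a certificate against the
# iOS MDM payload signing property requirements. Run on the enrollment server.
function Test-SigningCertificate {
    param([Parameter(Mandatory = $true)]$Cert)   # X509Certificate2 from the Cert: drive
    $problems = @()

    # Subject / General: a common name must be present; it is the value entered
    # later as the signing certificate name.
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($Cert.Subject -notmatch '(^|,\s*)CN=') { $problems += 'subject has no common name (CN)' }

    # Extensions: key usage must include Digital Signature and Key Encipherment.
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) {
        $problems += 'key usage lacks Digital Signature and/or Key Encipherment'
    }

    # Extensions: extended key usage (application policies) must be present.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or $eku.EnhancedKeyUsages.Count -eq 0) {
        $problems += 'no extended key usage (application policies) defined'
    }

    # Private key: present, 2048 bits, exportable, and of the exchange key type.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    $size = $Cert.PublicKey.Key.KeySize
    if ($size -ne 2048) { $problems += "key size is $size, expected 2048" }
    $info = $null
    if ($Cert.HasPrivateKey -and $Cert.PrivateKey) { $info = $Cert.PrivateKey.CspKeyContainerInfo }
    if ($info) {
        if (-not $info.Exportable) { $problems += 'private key is not exportable' }
        if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
            $problems += 'key type is not Exchange'
        }
    } elseif ($Cert.HasPrivateKey) {
        $problems += 'private key is CNG-backed; exportability and key type not readable here'
    }

    New-Object PSObject -Property @{
        CommonName = $cn
        Thumbprint = $Cert.Thumbprint
        Problems   = $problems
        Meets      = ($problems.Count -eq 0)
    }
}

# Usage: replace the placeholder with the thumbprint of the candidate certificate.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert   = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$result = Test-SigningCertificate -Cert $cert
if ($result.Meets) {
    Write-Host "OK: enter '$($result.CommonName)' as the signing certificate name"
} else {
    $result.Problems | ForEach-Object { Write-Warning $_ }
}
```

Run it against the Apple APNS certificate as well; since the guide states that certificate meets the signing requirements, a failure there points at the store (wrong account, key not imported as exportable) rather than at the certificate.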
Reinstalling the Enrollment Server for iOS MDM Payload Signing
Reinstall the enrollment server to enable signing for all iOS MDM payloads.
Prerequisites
Copy your Apple Push Notification Service (APNS) certificate to the enrollment server.
Task
1. On the enrollment server, close all running programs.
2. On the installation image, start the setup program (setup.exe).
3. On the setup menu, click Additional Installations and Resources > Enrollment
Server.
4. On each setup page before the Specify Certificates for Signing page, accept current
values.
5. On the Specify Certificates for Signing page, click Sign Messages to enable the feature
and define the signing attributes:
Certificate Filename: the path and file name of the Apple root certificate.
Signing Certificate Filename: the path and file name of the Apple Push Notification
Service (APNS) certificate.
Signing Certificate Password: enter and confirm the password associated with the
APNS certificate.
6. Follow the setup wizard to completion.
Data is validated at the conclusion of the setup program as the process attempts to install the
certificate and modify access permissions to the certificate for ongoing operations. If you
encounter errors at this point, retry the installation.
Configuring Afaria Server for iOS MDM Payload Signing
Configure the Afaria server to enable signing for all iOS MDM payloads.
Prerequisites
Complete the basic enrollment installation and configuration, and reinstall the enrollment
server for iOS MDM payload signing.
Task
1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand
the Component list, and click Enrollment Server.
2. Enter the signing certificate name, which is the common name for the signing certificate,
as defined on the certificate and during enrollment server installation.
3. (Optional) Click Encrypt payload to encrypt the signed payloads.
4. Click Save.
5. Restart the Afaria server.
6. Provision one or more test devices and observe the user interface to determine whether the
certificate is untrusted or trusted.
The expected result, after a possible user authentication prompt, is either:
Signed but untrusted: the Apple Profile Service dialog is shown to the user and
indicates status Not Verified.
Signed and trusted: the Apple Profile Service dialog is shown to the user and
indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the device that matches the
root certificate that the enrollment server is using and retry the provisioning.
Configuring the Relay Server for iOS Certificate Authority and Enrollment Server Connections
(Optional) Set up relay server to increase your enterprise network security. A relay server is
installed in the DMZ and operates as a proxy for HTTP and HTTPS sessions between two
components, such as between the iOS certificate authority and devices, or between the
enrollment server and devices. The server component makes an outbound connection to the
relay server, so you need not open inbound ports for the connection.
See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Package Server
The Afaria enterprise package server serves packages not hosted by another entity to iOS and
Android devices, and serves certificates for application onboarding to iOS, Android, and
BlackBerry devices.
Installing Package Server
Install the package server to deliver Afaria enterprise application packages to Android and
iOS devices.
Record values as you complete the installation; you will need them for subsequent
configuration tasks.
You can install the package server on the same server as the Afaria Administrator server or on a
separate server.
1. On the installation image, start the setup program (setup.exe).
2. Click Install.
3. On the setup menu, click Additional Installations and Resources > Package Server.
4. On the Directory Selection page, accept the default location or click Browse to navigate to
a new location.
5. On the Welcome page, click Next, then accept the default location or click Browse to
navigate to a new location.
6. On the Specify Credentials page, specify the account name and password used to run the
Afaria service on the Afaria server.
The package server uses these credentials to contact the Afaria server for database
credentials.
7. On the Specify Virtual Directory Name page, accept the default virtual directory name or
type in a new virtual directory name.
Use Windows Authentication: select to require Windows Authentication for access to
the package server.
8. On the Specify Server Address page, type in the IP or fully qualified domain name of the
Afaria server.
9. On the Ready to Start Installation page, click Install.
10. Follow the wizard to completion.
See also
Creating a Domain User Account for Operating Afaria on page 23
Configuring Relay Server for Package Server on page 115
Launching the Relay Server Outbound Enabler on page 117
Configuring Afaria Server for Package Server
Configure the Afaria server for the package server, without enabling SSL on the HTTPS port,
and without enabling relay server.
For application onboarding certificate provisioning, the server facilitates obtaining device
certificates as required from the CA.
1. On the Afaria Administrator Server page, click Configuration on the left toolbar, expand
the Component list, and click Package Server.
2. Accept or define the virtual directory name, as defined during the package server
installation.
3. In the Package Server Direct Access group, accept or define the IP or fully qualified server
address devices use to connect to the package server.
The address must be externally accessible.
4. Click Save.
See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Configuring SSL Connections for Package Server
Configure the Afaria server for package server SSL connections when preferred or required
for network security.
Prerequisites
This task assumes that you have a valid SSL certificate from a known certificate authority for
your package server's IIS server.
Task
1. On the Afaria Administrator Package Server page, in the Package Server group, click Use
HTTPS on Package Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on
the associated SSL certificate.
3. If you enabled the package server's SSL on a port other than default port 443, update the
server address to include the port suffix using the syntax <Address>[:<port>].
4. Restart the Afaria server service.
Access Control for Email
Afaria Access Control for Email adds a layer of protection to your enterprise e-mail platforms
by filtering mobile device synchronization requests according to your access control policies.
Access control discards any synchronization requests that do not meet the policies you define
on the Afaria server and save on the Afaria database. Access control policies include the list of
known devices, their associated policies, and any defined polices for unknown devices.
In addition to mobile device synchronization requests, access control can prevent
synchronization requests initiated by alternate means, such as:
Web browser client
E-mail client installed on a companion PC
iAnywhere Mobile Office client
See also
Configuring Relay Server for Access Control on page 114
Access Control Components
Access control uses the Afaria filter and the Afaria filter listener.
Afaria filter: the Afaria filter is a two-component entity, consisting of the Internet Server
Application Programming Interface (ISAPI) filter and the PowerShell service.
ISAPI filter: accepts inbound synchronization requests from mobile clients, then
receives instructions from the PowerShell service on how to handle each request.
The ISAPI filter must reside on the server that accepts inbound client requests. For
greater security, install it on a proxy server located in your DMZ.
PowerShell service: calls out to the ISAPI filter and provides it with the allow or block
synchronization instructions, which are based on the access control policy you define.
The PowerShell service also queries the Afaria server at defined intervals to obtain an
updated access control policy list.
The PowerShell service must reside on a server that can initiate an outbound
connection to both the Afaria server (or its optional relay server proxy) and the ISAPI
filter host. For greater security, install it on a separate server within your enterprise
firewall, as it manipulates user and device data from the Afaria environment.
Afaria filter listener: resides on the Afaria server. When requested by the PowerShell
service, the listener queries the Afaria database to obtain an updated access control policy
list and forwards it to the PowerShell service.
The Afaria server service starts the Afaria filter listener.
Access Control Configurations for Microsoft Exchange
Access control integrates with Microsoft Exchange environments, offering two highly secure
configurations.
Both configurations avoid communication from the DMZ to the internal network and securely
keep your user and device data behind the firewall. The second configuration differs from the
first configuration in that it includes an additional proxy server in the internal network.
Figure 2: Configuration 1
1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks
over the air with the Microsoft Exchange Server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and
listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on the Client Access Server, which
is a component of Microsoft Exchange Server. The PowerShell service has a copy of the
access control policy list. Based on the list, it forwards the appropriate instruction (allow or
deny the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service
queries the Afaria server to obtain an updated access control policy list from the Afaria
database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the
Afaria server.
Figure 3: Configuration 2
1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks
over the air with the Microsoft Exchange Server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and
listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service of the Afaria filter resides on a server that is
a proxy to the Client Access Server. The PowerShell service has a copy of the access
control policy list. Based on the list, it forwards the appropriate instruction (allow or deny
the synchronization request) to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service
queries the Afaria server to obtain an updated access control policy list from the Afaria
database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the
Afaria server.
If it is acceptable and preferred to have incoming client connections, user data, and device
data, on the same server, install both the ISAPI filter and the PowerShell service as a unified
component on a single server.
Access Control Configurations for IBM Lotus Domino
Access control integrates with IBM Lotus Domino environments, offering two highly secure
configurations.
Both configurations avoid communication from the DMZ to the internal network and securely
keep your user and device data behind the firewall. The second configuration differs from the
first configuration in that it includes an additional proxy server in the internal network.
Figure 4: Configuration 1
1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks
over the air with the IBM Lotus Domino e-mail server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and
listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on the e-mail server. The
PowerShell service has a copy of the access control policy list. Based on the list, it
forwards the appropriate instruction (allow or deny the synchronization request) to the
ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service
queries the Afaria server to obtain an updated access control policy list from the Afaria
database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the
Afaria server.
Figure 5: Configuration 2
1. A mobile device submits a request to synchronize messages, calendar, contacts, and tasks
over the air with the IBM Lotus Domino e-mail server.
2. In the DMZ, the ISAPI filter resides on a proxy server. It receives the device's request and
listens for inbound connections from the PowerShell service.
3. In the internal network, the PowerShell service resides on a server that is a proxy to the
e-mail server. The PowerShell service has a copy of the access control policy list. Based on
the list, it forwards the appropriate instruction (allow or deny the synchronization request)
to the ISAPI filter.
4. Based on a retry rate that you define on the Afaria Administrator, the PowerShell service
queries the Afaria server to obtain an updated access control policy list from the Afaria
database.
5. (Optional) The relay server transfers connections initiated by the PowerShell service to the
Afaria server.
If it is acceptable and preferred to have incoming client connections, user data, and device
data on the same server, install both the ISAPI filter and the PowerShell service as a unified
component on a single server.
Setting Up Access Control for Email
Set up access control by preparing devices, configuring the Afaria filter listener, and installing
the ISAPI and PowerShell components of the Afaria filter.
Prerequisites
Choose the configuration to use for access control.
Task
1. Prepare supported devices by enrolling them in Afaria Device Management.
2. On the Afaria Administrator, configure settings for the Afaria filter listener.
3. Install the ISAPI filter and its associated PowerShell proxy service.
4. Install the PowerShell service component.
5. On the Afaria Administrator, define access control policy for each device type and for
known and unknown devices.
On the Home page Server tile, click Configuration and navigate to the Component >
Access Control Option page.
The default access control policy for all known devices is to always allow synchronization
requests.
The policies for access control for known and unknown devices go into effect, and the devices
you prepared are identified as known devices.
To add the optional relay server to your configuration, see Installing Afaria > Setting Up Relay
Server > Configuring Relay Server for Access Control.
See also
Creating a Domain User Account for Operating Afaria on page 23
Launching the Relay Server Outbound Enabler on page 117
Configuring the Afaria Filter Listener
Define the parameters of the Afaria filter listener, including protocol type and port number
used for connections.
The Afaria filter listener resides on the Afaria Server and, upon request, provides the
PowerShell service component of the Afaria filter with a refreshed client and policy list.
1. On the Afaria Administrator, select Configuration in the Server tile and navigate to the
Server > Access Control Server page.
2. If using HTTP, select Use HTTP on port and enter the port number for listening to
requests.
Ensure that the port does not conflict with any other ports that the Afaria server uses.
3. If using HTTPS, select Use HTTPS on port and define the parameters of the HTTPS
connection.
a) Enter the port number for listening to requests.
Ensure that the port does not conflict with any other ports that the Afaria server uses.
b) Enter the HTTPS host name or the IP address that the PowerShell service component
of the Afaria filter uses to reach the Afaria server.
c) Click Browse to select the host's SSL certificate.
The certificate must reside in the Afaria server's personal certificate store.
4. Click Save and restart the Afaria server service.
Installing the ISAPI Filter Component
Install the ISAPI filter component of the Afaria filter on the server that accepts inbound
requests from mobile devices.
Prerequisites
Verify that Microsoft PowerShell is installed on the system where the ISAPI filter will reside.
Task
The ISAPI filter must reside on the server that accepts inbound client requests. For greater
security, install the ISAPI filter and its associated PowerShell proxy service on a supported
proxy server located in your DMZ.
The ISAPI filter is removable.
1. From the Afaria installation image, copy one of these folders:
If you have a 32-bit operating system, ISAPI.
If you have a 64-bit operating system, ISAPI_x64.
2. Store the folder in a temporary directory on the local drive.
3. Open the folder and run the setup executable file to open the Afaria Filter Setup program
wizard.
4. Select installation type ISAPI filter and PowerShell proxy service.
5. Follow the installation wizard until the installation is complete.
The wizard includes these primary pages:
Blocking Options - defines whether to block or allow synchronization requests that are
initiated from sources other than handheld synchronization clients.
Proxy Settings - address for the current server and the port designated for the
PowerShell proxy service to accept an incoming connection from the server that is
planned to host the filter's PowerShell service component.
6. (Optional) Verify the installation of the ISAPI filter:
If you installed the filter on a Microsoft Forefront Threat Management Gateway, open
the management console, select System > Web Filters, and verify that the Web filter
or add-in XSISAPI Filter is present.
If you installed the filter on a Microsoft Internet Security and Acceleration Server,
open the management console, select ServerName > Configuration > Add-ins > Web
Filters, and verify that the Web filter or add-in XSISAPI Filter is present.
In a Microsoft Exchange environment, open the IIS Server's default web site, select
Properties > ISAPI filters, and verify that XSISAPI.DLL is present.
7. (Optional) Verify the installation of the associated PowerShell proxy service by opening
the Microsoft Management Console and observing that service XSISAPI Reverse Pipe
Service is present and started.
Installing the PowerShell Service Component
Install the PowerShell service component of the Afaria filter on a server that can initiate an
outbound connection to the Afaria Server.
Prerequisites
Verify that Microsoft PowerShell and Microsoft Data Access Components (MDAC) are
installed on the system where the PowerShell service component will reside.
Task
The PowerShell component must reside on a server that can initiate an outbound connection
to the Afaria server and to the server where you installed the ISAPI filter component. Install
the component on a server within your enterprise firewall, as it manipulates user and device
data from the Afaria environment.
The PowerShell service component is removable.
1. From the Afaria installation image, copy one of these folders:
If you have a 32-bit operating system, ISAPI.
If you have a 64-bit operating system, ISAPI_x64.
2. Store the folder in a temporary directory on the local drive.
3. Open the folder and run the setup executable file to open the Afaria Filter Setup program
wizard.
4. Select installation type PowerShell service only.
5. Follow the installation wizard until the installation is complete.
The wizard includes these primary pages:
Proxy Settings - address for the server hosting the ISAPI filter component and the
associated PowerShell proxy service.
Server Settings - address for the Afaria server.
Specify Credentials - specify the account name and password that runs the installed
service.
Note: The user account credentials that you supply for running the filter's PowerShell
component must be a member of the same domain as the e-mail server. If it is not,
contact Sybase Customer Service and Support for assistance.
6. (Optional) Verify the installation of the PowerShell service by opening the Microsoft
Management Console and observing that service XSISAPI is present and started.
Files Installed with and Generated by the Afaria Filter
Files installed with the Afaria filter, and files generated during access control operations.
Files Installed with the PowerShell Service Component
Installing the PowerShell service component of the Afaria filter adds these files:
AfariaISAPIFilterUninstall.ini
AfariaIsapiSetup.exe
XSISAPIReversePipe.exe
XSSrvAny.exe
PipeServer.ps1
HTTPSClient.ps1
If you are using the 64-bit version of the PowerShell component, the files are installed in C:\Windows\SysWOW64\inetsrv.
If you are using the 32-bit version of the PowerShell component, the files are installed in C:\WINDOWS\system32\inetsrv.
Files Installed with the ISAPI Filter Component
Installing the ISAPI filter component of the Afaria filter adds these files in C:\WINDOWS\system32\inetsrv:
AfariaISAPIFilterUninstall.ini
AfariaISAPIFilter.exe
XSISAPI.dll
XSISAPIReversePipe.exe
XSSrvAny.exe
If you installed both components of the Afaria filter on the Exchange Server's IIS Server, the
files are added to IIS_InstallDir and IIS_InstallDir\bin.
Files Generated During Access Control Operations
Executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In
turn, each of these creates an event in the Windows Application Event log. The entries indicate
the start action and its log file location. Consider this example event log entry:
XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.
Afaria filter operations use and generate the following files on your IIS Server. The path for the
files is described in the PipeServer.ps1 and HTTPSClient.ps1 start-up Windows
Application Event log entries.
Devices.xml - list of Afaria Exchange access control clients known and managed by
Afaria synchronization policies.
NewDevices.xml (temporary file) - iOS or Android devices that have connected to
the Exchange Server for synchronization; these devices must send a unique Exchange
identifying value to the Afaria server.
HTTPS.txt - log file for HTTPSClient.ps1 operations. List of connections from the
IIS Server by the Afaria polling agent, back to the Afaria server, to refresh the
Devices.xml list.
Pipe.txt - log file for PipeServer.ps1 operations. List of client synchronization
requests indicating synchronization status: 1 for allowed or 0 for denied.
Self-Service Portal
(Optional) Self-Service Portal (SSP) allows end users to enroll their device in Afaria
management, view their device information and issue commands, such as password reset.
The portal is for deployment inside the enterprise network with a Microsoft Forefront Threat
Management Gateway instance in the DMZ configured to accept device connections and pass
traffic to the portal.
Note: For iOS devices using a non-custom version of the Afaria Client (obtained from the App
Store), the portal is the only method of obtaining iOS Enterprise Applications marked as
Optional. The Afaria Client does not display iOS Enterprise Applications on the apps tab, but
will prompt the user to install any Required Enterprise Applications.
Preparing to Install Self-Service Portal
Configure tenants and enrollment policies prior to installing the portal.
1. Refer to document Administration Reference for tenant and enrollment policy
configuration information.
2. Add and configure the applicable tenants.
3. Set up enrollment policies for tenants.
The portal displays enrollment codes and associated information during the installation.
Expired and/or disabled codes do not display.
See also
Creating a Domain User Account for Operating Afaria on page 23
Installing the Self-Service Portal
Install one or more portals in the enterprise network. To separate tenants, or associate different
enrollment codes with different groups of users, install more than one portal on a server.
Prerequisites
Prepare your Afaria server configuration and environment prior to installing the portal,
including defining tenants and configuring enrollment policies.
Task
Consider these items when installing the portal:
The portal is for deployment inside the enterprise network with a Microsoft Forefront
Threat Management Gateway instance in the DMZ configured to accept device
connections and pass traffic to the portal.
You can install the portal on a server without any other Afaria components.
The portal can co-exist with the Afaria server.
The portal can co-exist with the Afaria Administrator server, package server, or enrollment
server; however, uninstalling any one of those servers also removes the portal.
If you plan to install using LDAP authentication, rather than Windows integrated
authentication, the installing domain user account must have Active Directory access
account permissions for ongoing operations. It is recommended that you use a dedicated
domain user account for this purpose.
To change a portal's authentication type, reinstall the portal and select the other type. If
changing to LDAP, ensure that the installing user credentials meet the LDAP user account
requirements.
1. On the planned server, from the release image's EUSSP folder, start the setup program
(setup.exe).
2. On the Authentication Method page, select a method for authenticating users that connect
to the portal.
Windows - Windows integrated authentication, as a property of IIS operations. The
user is prompted on the device for user credentials. The appropriate entry may vary by
network environment, but is often formed as <Domain>\<UserName> or just
<UserName>. Valid for connecting iOS devices and Windows computers.
LDAP - the user is prompted on the portal's default page for user name and password.
Valid for connecting Android, BlackBerry, or iOS devices, and Windows computers.
Note: You can use a Windows computer to help enroll a Windows Mobile device, but
you cannot connect a Windows Mobile device to the portal.
3. On the Specify Server Address page, define the address for the Afaria server.
4. On the Specify Afaria API Server Address page, define the address for the Afaria
Administrator server with the port for API server and enter API service credentials.
The API server resides on the Afaria Administrator server. The default port for the
API server is 7982.
5. On the Enrollment Code page, select one tenant for the installation, and select one policy/
code pair for each device type that you plan to support.
6. Follow the setup wizard to completion.
7. Verify that the correct enrollment codes appear in the web.config file located in the
Afaria installation directory at C:\Program Files (x86)\AfariaEUSSP\[Your EUSSP]\web.config.
<add key="EUSSPRegPath" value="EUSSP\eussp"/>
<add key="iOSCode" value=""/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>
Afaria Self-Service Portal Address
The address for end users to access the portal uses the portal's server address and the virtual
directory you define during installation. To use a different enrollment code, you can add the
code to the address.
You can inspect the codes that you selected during a portal installation by opening the Web
site's configuration file, web.config. Look in the <configuration> element
for the <add> element with attribute key="EUSSPRegPath". For example:
<add key="EUSSPRegPath" value="EUSSP\sspdla"/>
<add key="iOSCode" value="tc8bnyvk"/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>
The portal address for using an enrollment code that you selected during the portal installation
uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>
For example:
HTTP://portal.company.com/ssp
HTTP://63.176.1.74/ssp14
HTTPS://portal.company.com/sspsales
The portal address for using an enrollment code other than the one you selected during the
portal installation uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>/<TypeCode><EnrollmentCode>
Using these device type codes:
a - Android
b - BlackBerry
i - iOS
p - Windows Mobile Pro
s - Windows Mobile Standard
For example:
For an Android code: HTTP://portal.company.com/ssp/agclpfzjs
For an iOS code: HTTP://63.176.1.74/ssp14/itc8bnyvk
For a Windows Mobile Smartphone code: HTTPS://portal.company.com/sspsales/stcthxyrk
Configuring Afaria Server for Self-Service Portal Request
Timeout
Configure the Afaria server to limit the amount of time SSP users have to complete device
enrollment, once started.
You may have already configured this setting when configuring the enrollment server.
1. On the Server page, click the Configuration icon on the left toolbar, expand the Server list
and select Enrollment Code.
2. In the Self-service portal enrollment requests area, set a time window, and click Save.
The default timeout is set to one hour.
Editing Enrollment Codes for Self-Service Portal
Edit existing or add new enrollment codes directly in the web.config file without
uninstalling the portal.
1. Open the web.config file located in the Afaria installation directory at C:\Program Files (x86)\AfariaEUSSP\[Your EUSSP].
2. In the EUSSPRegPath value line, edit, delete, or change the applicable enrollment
codes.
<add key="EUSSPRegPath" value="EUSSP\eussp"/>
<add key="iOSCode" value=""/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>
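To check which enrollment codes a portal installation carries and to derive the matching portal addresses, here is an added Python example that is not part of the Afaria product or of this guide. It parses a constructed web.config fragment modelled on the one above (wrapped in the <appSettings> element ASP.NET uses, which the guide does not show) and applies the <TypeCode><EnrollmentCode> syntax from the Afaria Self-Service Portal Address section; the rule that a code must be alphanumeric is an assumption based on the codes shown.

```python
"""Added example: read Self-Service Portal enrollment codes from web.config
and build the portal addresses that use them.  Not Afaria product code."""
from xml.etree import ElementTree as ET

# web.config keys from the guide mapped to the <TypeCode> of the portal
# address syntax.  BlackBerry ('b') has no key in the fragment shown in the
# guide, and WMCECode/Win32Code have no type code listed, so those keys are
# read but never turned into a typed address.
TYPE_CODES = {
    "AndroidCode": "a",
    "iOSCode": "i",
    "WMProCode": "p",
    "WMStdCode": "s",
}
CODE_KEYS = ("iOSCode", "AndroidCode", "WMProCode", "WMStdCode",
             "WMCECode", "Win32Code")

# Constructed sample modelled on the guide's example; the <appSettings>
# wrapper is an assumption (the guide shows only the <add> elements).
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
<add key="EUSSPRegPath" value="EUSSP\\sspdla"/>
<add key="iOSCode" value="tc8bnyvk"/>
<add key="AndroidCode" value=""/>
<add key="WMProCode" value=""/>
<add key="WMStdCode" value=""/>
<add key="WMCECode" value=""/>
<add key="Win32Code" value=""/>
</appSettings></configuration>"""


def read_enrollment_codes(web_config_xml):
    """Return {key: code} for each enrollment-code <add> element found.

    Empty values are kept so the caller can see which device types the
    installation left unconfigured.
    """
    root = ET.fromstring(web_config_xml)
    codes = {}
    for add in root.iter("add"):  # element nesting does not matter
        key = add.get("key")
        if key in CODE_KEYS:
            codes[key] = (add.get("value") or "").strip()
    return codes


def portal_address(protocol, portal_host, virtual_directory,
                   device_key=None, enrollment_code=None):
    """Build <protocol>://<PortalAddress>/<VirtualDirectory>[/<TypeCode><Code>].

    Without device_key the address uses the code selected at install time.
    """
    base = f"{protocol}://{portal_host}/{virtual_directory.strip('/')}"
    if device_key is None:
        return base
    if device_key not in TYPE_CODES:
        raise ValueError(f"no portal type code for {device_key}")
    # Codes in the guide are alphanumeric; rejecting anything else keeps path
    # separators and escapes out of the address (assumption, not a product rule).
    if not enrollment_code or not enrollment_code.isalnum():
        raise ValueError(f"invalid enrollment code {enrollment_code!r}")
    return f"{base}/{TYPE_CODES[device_key]}{enrollment_code}"


def addresses_for_config(web_config_xml, protocol, portal_host, virtual_directory):
    """Map each device type that has a code to its typed portal address."""
    codes = read_enrollment_codes(web_config_xml)
    return {
        key: portal_address(protocol, portal_host, virtual_directory, key, code)
        for key, code in codes.items()
        if code and key in TYPE_CODES
    }


if __name__ == "__main__":
    found = addresses_for_config(SAMPLE_WEB_CONFIG, "HTTP", "63.176.1.74", "ssp14")
    for key, address in found.items():
        print(key, address)
```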
Relay Server
The Afaria solution supports using a relay server to operate as a proxy for HTTP and HTTPS
sessions between Afaria server components and devices.
Note: Use of a relay server is not a requirement; it is bundled with the Afaria product on the
product installation image as an optional component.
A relay server lets you further secure your enterprise network by moving the session
connection point from within your firewall to your demilitarized zone (DMZ).
When you use a relay server, devices and Afaria server components never make a direct
connection. The relay server transfers session traffic from devices to the component, and from
the component to the devices. The Afaria server component initiates an outbound connection
through the enterprise firewall to the relay server, then waits for the relay server to send session
traffic. Devices can initiate a connection to the relay server, as if it were an Afaria server
component, and maintain their session with the relay server, which continues to relay traffic
until the session is complete.
The relay server component may be a single server or it may be a load-balanced server farm.
Afaria supports using the relay server with any of these Afaria server components:
Afaria server
Enrollment server
iOS certificate authority
Afaria filter used in Access Control for Email
Package server
Application Onboarding certificate authority
An Afaria server component may be a single server or a farm. You can configure relay servers
to support more than one Afaria server component.
The Sybase iAnywhere relay server is designed as a scalable solution to support a number
of Sybase server-based solutions. Afaria is just one example of a supported solution.
See also
Installing Enrollment Server - Basic on page 57
Configuring Afaria Server for Package Server on page 72
Configuring Relay Server for Access Control on page 114
Configuring the Relay Server for iOS Certificate Authority and Enrollment Server
Connections on page 69
Relay Server Executable Components
Relay server operations include two main executable components: the relay server host and
the relay server outbound enabler.
Relay server host (rshost.exe) - the host resides on the relay server and is
responsible for accepting a single inbound connection from the outbound enabler,
accepting multiple inbound connections from Afaria devices, and handling the associated
processes that occur on the relay server for Afaria sessions. Install the relay server using
files available on the Afaria product image. Define its configuration settings by modifying
a sample configuration file.
Relay server outbound enabler (rsoe.exe) - the outbound enabler is the relay agent
on the Afaria server component and is responsible for initiating an outbound connection
with the relay server. The Afaria setup program automatically installs the outbound
enabler on the Afaria server. To support components other than the Afaria server, copy the
rsoe.exe binary to those components. Define the relay server outbound enabler
configuration settings using the Afaria Administrator.
Afaria devices include configuration settings for using a relay server but do not require a
separate, executable component.
Setting Up the Relay Server for Basic Operations
To use the relay server to increase your enterprise network security, you must set up the relay
server for basic operations before you configure it to support any server components.
Setting Up the Relay Server for Basic Operations with IIS 7.5
For planned relay servers running Windows Server 2008 R2 (x64) with Internet Information
Services (IIS) 7.5, set up the relay server for basic operations before you configure it to support
any server components.
1. Copying Relay Server Files
Copy the relay server files from the Afaria product image to the machine where the relay
server will be installed.
2. Configuring IIS 7.5 for Relay Server Basic Operations
To set up the relay server for basic operations, configure IIS on your relay server.
3. Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
4. Installing the Relay Server Host as a Windows Service
Install the relay server host as a Windows service by running a service utility available in
the relay server installation folder.
Copying Relay Server Files
Copy the relay server files from the Afaria product image to the machine where the relay
server will be installed.
1. On the machine where you plan to install the relay server, create a new folder named
RelayServer. Its path will become your relay server installation path, for example,
C:\Program Files\RelayServer.
2. On the Afaria product image, navigate to:
<product image>\relay_server\64 Bit\ias_relay_server.
3. Copy the folder ias_relay_server from the product image to your relay server
installation path. Ensure that you copy the folder, rather than just the files in the folder.
Configuring IIS 7.5 for Relay Server Basic Operations
To set up the relay server for basic operations, configure IIS on your relay server.
Prerequisites
From the server manager utility of your relay server, verify that these roles and features are
installed:
IIS
Web Server Service
Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Errors
ISAPI Extensions
HTTP Logging
Request Monitor
Request Filtering
Static Content Compression
IIS Management Console
IIS Management Scripts and Tool
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
IIS 6 Scripting Tools
IIS 6 Management Console
Install any missing items.
Task
Complete the following tasks to configure IIS 7.5 for relay server basic operations:
See also
Editing the Relay Server Configuration File on page 97
Creating a Relay Server Application Pool on IIS 7.5
Use your relay server's IIS manager utility to create an IIS application pool for relay server
operations.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName >
Application Pools.
3. Right-click Application Pools and select Add Application Pool.
4. Add an application pool with these attributes:
Name: RelayServer
.NET Framework version: .NET Framework v2.0.50727
Managed pipeline mode: Integrated
Start application pool immediately: selected
The list of application pools shows the RelayServer application pool.
5. Right-click the newly created application pool and select Advanced Settings. Set these
properties:
General > Queue Length: 65535
CPU > Limit Interval (minutes): 0
Process Model > Identity: ApplicationPoolIdentity
Process Model > Idle Time-out (minutes): 0
Process Model > Maximum Worker Processes: 20
Process Model > Ping Enabled: false
Process Model > Ping Maximum Response Time (seconds): 90
Process Model > Ping Period (seconds): 30
Rapid-Fail Protection > Enabled: false
Recycling > Disable Overlapped Recycle: true
Recycling > Regular Time Interval (minutes): 0
Creating a Web Application for the Relay Server on IIS 7.5
Use the IIS 7.5 manager utility to create a Web application for the relay server.
You can create the Web application for your relay server under the root directory of either the
default Web site or a custom web site. The custom Web site must use a different port than the
default Web site.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information Services (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName >
Sites.
3. Right-click the Web site you want to use (either default or custom) and select Add
Application.
4. Add a web application with these attributes:
Alias: ias_relay_server
Application pool: RelayServer
Physical path: <relay server installation path>\ias_relay_server
The web application ias_relay_server will be listed under the root directory of the Web site
you chose.
5. Edit the Request Filtering Settings for the ias_relay_server Web application.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click Request Filtering.
c) In the Actions pane, click Edit Feature Settings and edit these attributes:
Maximum allowed content length (bytes): 2147483647
Maximum query string (bytes): 65536
6. Edit the permissions for the ias_relay_server Web application.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click Handler Mapping.
c) In the Actions pane, click Edit Feature Permissions and ensure that only Script and
Execute are selected.
7. Verify that the ias_relay_server web application does not require SSL.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click SSL Settings and ensure that Require SSL is not
selected.
Adding ISAPI extensions for Relay Server Operations
Use the IIS 7.5 manager utility to add two ISAPI extensions to your server to handle requests
from devices and the Afaria server.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information (IIS) Manager.
2. On the Connections pane of the IIS manager utility, highlight the machine name where the
relay server resides.
3. In the IIS group, double-click ISAPI and CGI Restrictions.
4. In the Actions pane, click Add to add two ISAPI restrictions with these settings:
ISAPI or CGI Path: <relay server installation path>\ias_relay_server\server\rs_server.dll
Description: RS Server DLL
Allow extension path to execute: selected
ISAPI or CGI Path: <relay server installation path>\ias_relay_server\client\rs_client.dll
Description: RS Client DLL
Allow extension path to execute: selected
The two ISAPI restrictions you added are listed in the ISAPI and CGI restrictions list of your
server.
Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configurations.
1. From a command prompt running with administrator privileges, navigate to the directory
where the adsutil.vbs script is located, for example, C:\Inetpub
\AdminScripts.
2. To run the script, issue:
cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0
where <Web Site ID> is the ID of the Web site used for the relay server. If you use the
default Web, the ID is 1.
The command returns the current value of the uploadreadaheadsize variable and updates
the IIS configuration.
See also
Adding Web Service Extensions on IIS 6.0 on page 103
Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
A sample configuration file is provided with the relay server files that you copied from your
Afaria product image.
1. Find the sample configuration file rs.config, located in <relay server
installation path>\ias_relay_server\server.
2. Use a text editor to make appropriate changes to the [options] and [relay_server] sections
in the configuration file.
Note: The configuration file can contain only ASCII characters.
3. Save the edits.
4. Restart the relay server host.
See also
Configuring IIS 7.5 for Relay Server Basic Operations on page 93
Installing the Relay Server Host as a Windows Service on page 99
Configuring IIS 6.0 for Relay Server Basic Operations on page 100
Configuration File Definitions for Basic Operations with IIS 7.5
The relay server configuration file rs.config consists of several sections. Use sections
[options] and [relay_server] for relay server basic operations. The remaining sections are for
supported server components.
[options] - general options for relay server operations.
start - set value to auto to automatically start the relay server engine when an Afaria
server connects successfully.
For Windows Server 2008 R2 (IIS 7.5), this value is normally set to no when the
Relay Server is installed as a Windows Service.
verbosity - controls the level of logging. Logs always include errors. Log levels 1-5
always include warnings.
0 - no logging.
1 - session-level logging.
2 - request-level logging.
3 - packet-level logging, terse.
4 - packet-level logging, verbose.
5 - transport-level logging.
[relay_server] - identifies your relay server and its respective ports for HTTP and HTTPS
communications. The relay server's ports must match the IIS server ports.
enable - controls whether the relay server operates.
yes - operate.
no - do not operate.
host - relay server IP address or host name. The IP address must be the internal IP
address or DNS name that can be reached by the Afaria server or other supported server
components.
http_port - TCP port matching the relay server's IIS setting for HTTP
communications. The port must be the internal TCP port that can be reached by the
Afaria server or other supported server components.
https_port - set value to match the relay server's IIS setting for SSL communications.
description - user-defined description.
Note: Values are case-sensitive.
Sample section of a relay server configuration file showing settings for basic operations.
#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = no
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order:
# SATMP
# TMP
# TMPDIR
# TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
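As an added check that is not part of the relay server files or of this guide, the following Python example validates an rs.config against the constraints stated above: ASCII-only content, case-sensitive yes/no and auto/no values, a verbosity of 0 to 5, start = no when rshost runs as a Windows service, and HTTP/HTTPS ports that match the IIS ports. The sample text is the configuration shown above; installed_as_service, iis_http_port and iis_https_port are assumed parameters.

```python
"""Added example: sanity-check an rs.config before restarting rshost.exe.
Not part of the relay server files."""
import configparser

REQUIRED_SECTIONS = ("options", "relay_server")

# The sample from the guide, used here as constructed test input.
SAMPLE_RS_CONFIG = r"""#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = no
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
"""


def parse_rs_config(text):
    """Parse rs.config.  '#' starts a comment line; values keep their case."""
    parser = configparser.ConfigParser(
        interpolation=None,            # a '%' in a description must not be expanded
        comment_prefixes=("#",),
        inline_comment_prefixes=None,  # '#' inside a value (Machine #1) is data
    )
    parser.read_string(text)
    return parser


def _valid_port(raw):
    return raw.isdigit() and 1 <= int(raw) <= 65535


def check_rs_config(text, installed_as_service=True,
                    iis_http_port=None, iis_https_port=None):
    """Return a list of problems; an empty list means the file passes.

    iis_http_port / iis_https_port are the ports bound in IIS (assumed
    parameters) so the relay server ports can be checked against them.
    """
    problems = []
    if not text.isascii():
        problems.append("rs.config must contain only ASCII characters")
    try:
        cfg = parse_rs_config(text)
    except configparser.Error as exc:
        problems.append(f"cannot parse rs.config: {exc}")
        return problems
    missing = [s for s in REQUIRED_SECTIONS if not cfg.has_section(s)]
    if missing:
        problems.extend(f"missing [{s}] section" for s in missing)
        return problems
    options, relay = cfg["options"], cfg["relay_server"]

    start = options.get("start", "")
    if start not in ("auto", "no"):
        problems.append(f"[options] start must be 'auto' or 'no', got {start!r}")
    elif installed_as_service and start != "no":
        problems.append("[options] start must be 'no' when rshost runs as a Windows service")

    verbosity = options.get("verbosity", "")
    if not (verbosity.isdigit() and 0 <= int(verbosity) <= 5):
        problems.append(f"[options] verbosity must be 0-5, got {verbosity!r}")

    enable = relay.get("enable", "")
    if enable not in ("yes", "no"):  # values are case-sensitive: 'Yes' is wrong
        problems.append(f"[relay_server] enable must be 'yes' or 'no', got {enable!r}")

    if not relay.get("host", "").strip():
        problems.append("[relay_server] host is required")

    for key, expected in (("http_port", iis_http_port), ("https_port", iis_https_port)):
        raw = relay.get(key, "")
        if not _valid_port(raw):
            problems.append(f"[relay_server] {key} must be a TCP port 1-65535, got {raw!r}")
        elif expected is not None and int(raw) != expected:
            problems.append(f"[relay_server] {key}={raw} does not match the IIS port {expected}")
    return problems


if __name__ == "__main__":
    report = check_rs_config(SAMPLE_RS_CONFIG, iis_http_port=80, iis_https_port=443)
    for line in report or ["rs.config OK"]:
        print(line)
```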
Installing the Relay Server Host as a Windows Service
Install the relay server host as a Windows service by running a service utility available in the
relay server installation folder.
Prerequisites
In the [options] section of the relay server configuration file, set start = no.
Task
The relay server installation folder includes dbsvc.exe, a service utility that installs the
relay server host as a Windows service. Use the same utility to uninstall the service.
1. On the machine where you installed the relay server, execute this command at a command
prompt running with administrator privileges:
"<installation directory>\ias_relay_server\server\dbsvc.exe" -as -s auto -sn RelayServer -w RelayServer "<installation directory>\ias_relay_server\server\rshost.exe" -q -f "<installation directory>\ias_relay_server\server\rs.config" -o "<installation directory>\ias_relay_server\server\log.txt"
For a complete list of the service utility's command line switches, execute:
"<installation directory>\ias_relay_server\server\dbsvc.exe"
The command prompt displays a line confirming that the "RelayServer" service was
successfully created.
The RelayServer service is listed in the list of Windows services.
2. Change the login account of the newly created "RelayServer" service from Local System
to an account that is a member of the local Administrator group.
Next
To uninstall the "RelayServer" Windows service, execute this command at a command prompt
running with administrator privileges:
"<installation directory>\ias_relay_server\server\dbsvc.exe" -d RelayServer
See also
Editing the Relay Server Configuration File on page 97
Setting Up the Relay Server for Basic Operations with IIS 6.0
For planned relay servers running Microsoft Internet Information Services (IIS) 6.0, set up the
relay server for basic operations before you configure it to support any server components.
1. Copying Relay Server Files
Copy the relay server files from the Afaria product image to the planned relay server to
make them available for use.
2. Configuring IIS 6.0 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring the IIS of your relay
server.
3. Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
Copying Relay Server Files
Copy the relay server files from the Afaria product image to the planned relay server to make
them available for use.
1. On the Afaria product image, navigate to:
<product image>\relay_server\ias_relay_server.
2. Copy the folder ias_relay_server from the product image to the directory of the default
web site of your IIS server.
Directory path of IIS default web site: C:\Inetpub\wwwroot.
Ensure that you copy the folder, rather than just the files in the folder.
Configuring IIS 6.0 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring the IIS of your relay
server.
Complete the following tasks to configure IIS 6.0 for relay server basic operations:
1. Registering the IIS User Account with ASP.NET on IIS 6.0
Register the IIS user account on the planned relay server with ASP.NET to assign it
appropriate rights for Afaria operations.
2. Creating a Server Application Pool on IIS 6.0
Create a server application pool and a server application directory on the planned relay
server to process requests from Afaria server components.
3. Creating a Client Application Pool on IIS 6.0
Create a client application pool and a client application directory on the planned relay
server to process requests from Afaria devices.
4. Adding Web Service Extensions on IIS 6.0
Add Web service extensions to identify and allow requests from servers and devices.
5. Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configurations.
See also
Editing the Relay Server Configuration File on page 97
Registering the IIS User Account with ASP.NET on IIS 6.0
Register the IIS user account on the planned relay server with ASP.NET to assign it
appropriate rights for Afaria operations.
Afaria operations use the relay server's IIS built-in user account named
IUSR_<MachineName> for gaining anonymous access to IIS. This account must:
Have access to the IIS metabase and other directories used by IIS.NET
Be a member of the IIS built-in user group IIS_WPG
1. From the command prompt of the relay server, navigate to:
C:\Windows\Microsoft.Net\Framework\<Version>
If you are operating your IIS server with more than one version of ASP.NET, choose the
version that you are using to run your Web site.
2. Execute the ASP.NET registration command with the grant access option:
aspnet_regiis.exe -ga IUSR_<MachineName>
The command is an example of the registration command with the grant access option that
is valid for ASP.NET 4.0. The command for your version of ASP.NET may differ.
Creating a Server Application Pool on IIS 6.0
Create a server application pool and a server application directory on the planned relay server
to process requests from Afaria server components.
1. Create the server application pool.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Application Pools.
b) Right-click the Application Pools folder and select New > Application Pool.
c) Define the pool ID and click OK.
d) Assign these properties to the newly created server application pool:
Recycling > Recycle worker processes (in minutes): disabled.
Performance > Idle timeout: disabled.
Performance > Request queue limit: disabled.
Performance > Web garden: a minimum of twice the number of servers making
requests.
Health > Enable pinging: disabled.
Health > Enable rapid-fail protection: disabled.
2. Create the server application directory.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
b) Right-click the Server folder and select Properties > Directory.
c) Click Create and select these application settings:
Execute permissions: Scripts and Executables.
Application pool: use the ID of the server application pool you created.
d) Click OK.
Creating a Client Application Pool on IIS 6.0
Create a client application pool and a client application directory on the planned relay server to
process requests from Afaria devices.
1. Create the client application pool.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Application Pools.
b) Right-click the Application Pools folder and select New > Application Pool.
c) Define the pool ID and click OK.
d) Assign these properties to the newly created application pool:
Recycling > Recycle worker processes (in minutes): disabled.
Performance > Idle timeout: disabled.
Performance > Request queue limit: disabled.
Performance > Web garden: at least twice the number of servers making requests,
but not fewer than five. You may want to increase the value if device connections
are frequently dropped or if devices experience bad throughput during sessions.
Health > Enable pinging: disabled.
Health > Enable rapid-fail protection: disabled.
2. Create the client application directory:
a) On the IIS Manager utility of your relay server, navigate to Internet Information
Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
b) Right-click the Client folder and select Properties > Directory.
c) Click Create and select these application settings:
Execute permissions: Scripts and Executables.
Application pool: use the pool ID of the client application pool you created.
d) Click OK.
Adding Web Service Extensions on IIS 6.0
Add Web service extensions to identify and allow requests from servers and devices.
1. Add the Afaria server Web service as a valid extension:
a) In the IIS Manager utility's left pane, right-click the Web Service Extensions folder.
b) Select Add a new Web service extension.
c) Define the Web service extension settings:
Extension name: user-defined name for the server extension.
Required files: <installation directory>\ias_relay_server\server\rs_server.dll.
Set extension status to Allowed: enabled.
d) Click OK.
2. Add the Afaria Client Web service as a valid extension:
a) In the IIS Manager utility's left pane, right-click the Web Service Extensions folder.
b) Select Add a new Web service extension.
c) Define the Web service extension settings:
Extension name: user-defined name for the client extension.
Required files: <installation directory>\ias_relay_server\server\rs_client.dll.
Set extension status to Allowed: enabled.
d) Click OK.
Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configurations.
1. From a command prompt running with administrator privileges, navigate to the directory
where the adsutil.vbs script is located, for example, C:\Inetpub\AdminScripts.
2. To run the script, issue:
cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0
where <Web Site ID> is the ID of the Web site used for the relay server. If you use the
default Web, the ID is 1.
The command returns the current value of the <uploadreadaheadsize> variable and updates
the IIS configuration.
See also
Adding Web Service Extensions on IIS 6.0 on page 103
Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
A sample configuration file is provided with the relay server files that you copied from your
Afaria product image.
1. Find the sample configuration file rs.config, located in
<relay server installation path>\ias_relay_server\server.
2. Use a text editor to make appropriate changes to the [options] and [relay_server] sections
in the configuration file.
Note: The configuration file can contain only ASCII characters.
3. Save the edits.
4. Restart the relay server host.
See also
Configuring IIS 7.5 for Relay Server Basic Operations on page 93
Installing the Relay Server Host as a Windows Service on page 99
Configuring IIS 6.0 for Relay Server Basic Operations on page 100
Configuration File Definitions for Basic Operations
The relay server configuration file rs.config consists of several sections. Use sections
[options] and [relay_server] for relay server basic operations. The remaining sections are for
supported server components.
[options]: general options for relay server operations.
start: set the value to auto to automatically start the relay server engine when an Afaria
server connects successfully.
verbosity: controls the level of logging. Logs always include errors. Log levels 1-5
always include warnings.
0: no logging.
1: session-level logging.
2: request-level logging.
3: packet-level logging, terse.
4: packet-level logging, verbose.
5: transport-level logging.
[relay_server]: identifies your relay server and its respective ports for HTTP and HTTPS
communications. The relay server's ports must match the IIS server ports.
enable: controls whether the relay server operates.
yes: operate.
no: do not operate.
host: relay server IP address or host name. The IP address must be the internal IP
address or DNS name that can be reached by the Afaria server or other supported server
components.
http_port: TCP port matching the relay server's IIS setting for HTTP
communications. The port must be the internal TCP port that can be reached by the
Afaria server or other supported server components.
https_port: set the value to match the relay server's IIS setting for SSL communications.
description: user-defined description.
Note: Values are case-sensitive.
Sample section of a relay server configuration file showing settings for basic operations.
#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = auto
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order:
# SATMP
# TMP
# TMPDIR
# TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
Restarting the Relay Server Host
Restart the relay server host any time the relay server is already running and you change the
relay server configuration file or have another reason to restart the relay server engine.
The relay server starts automatically when configured to do so as part of its basic operations.
The automatic start feature is defined when you use the start=auto attribute in the relay
server's configuration file [options] section. IIS must be running before the automatic start
feature can take effect.
Restarting the relay server does not require that you restart IIS and does not cause any
disruption to other IIS applications.
1. From a command prompt running with administrator privileges, navigate to
<installation directory>\ias_relay_server\server.
2. Issue this command:
rshost.exe -u -qc -f rs.config
For a complete list of command line switches and their meaning, enter rshost at the
command prompt and press Enter.
Restarting the relay server updates its configuration, as defined in the configuration file.
Next
You may want to create a batch file for the commands and store it in a convenient location in
your relay server environment.
Relay Server Support for Server Components
To configure the relay server to support an Afaria server component, define the relay server
configuration file and configure settings on the Afaria Administrator.
Afaria supports using the relay server with any of these server components:
Afaria server
Enrollment server
iOS certificate authority server
Afaria filter used for Access Control for Email
Package server
Application Onboarding certificate authority
The relay server configuration file rs.config consists of several sections. Use
[backend_farm] and [backend_server] for each supported server component.
[backend_farm]: creates a single, case-sensitive identifier for a component server
environment, regardless of whether you are operating a single component server or a farm
of component servers.
enable: controls whether the farm operates.
yes: operate.
no: do not operate.
id: user-defined, case-sensitive value for identifying a server farm. Each farm in the
relay server configuration file must have a unique ID.
description: user-defined description.
client_security: specifies the secure communication protocol requirement for clients
connecting to the relay server. This is an optional section that is not represented in the
sample configuration file. Omitting the section results in the relay server enforcing the
default value.
on: HTTPS is required.
off: default. HTTPS is not required; HTTP and HTTPS are both valid connection
protocols.
backend_security: specifies the secure communication protocol requirement for
component servers connecting to the relay server. Omitting the section results in the
relay server enforcing the default value.
on: HTTPS is required.
off: default. HTTPS is not required; HTTP and HTTPS are both valid connection
protocols.
[backend_server]: identifies a single component server to the relay server. You must
have one [backend_server] section for each component server in your component server
environment.
enable: controls whether the server operates.
yes: operate.
no: do not operate.
farm: the case-sensitive farm value is the same for each server. Use the same farm ID
as from [backend_farm].
id: the ID value is unique for each server in the farm. If a server hosts more than one
supported server component, then all server IDs on the host must be unique. For
example, if a server hosts both an Afaria server and a package server, and both are
defined in separate farms in the relay server configuration file, then the server IDs used
for the two server components must be different.
mac: MAC address of the server component.
token: the token is any string that you create. Use the same token value for each server
in a farm.
Note: Values are case-sensitive.
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
Relay Server Configuration File Examples
Examples of the structure of the relay server configuration file based on the Afaria
environment supported.
Single Afaria server: in an environment with a single relay server supporting a single Afaria
server, the configuration file includes these sections:
[options]: one instance.
[relay_server]: one instance.
[backend_farm]: one instance.
[backend_server]: one instance.
Afaria server farm with four servers: in an environment with a single relay server supporting
an Afaria server farm with four servers, the configuration file includes these sections:
[options]: one instance.
[relay_server]: one instance.
[backend_farm]: one instance.
[backend_server]: four instances.
Afaria server farm with four servers plus a package server: in an environment with a single
relay server supporting an Afaria server farm with four servers and a package server, the
configuration file includes these sections:
[options]: one instance.
[relay_server]: one instance.
[backend_farm]: two instances.
[backend_server]: five instances.
This is a sample section of a relay server configuration file showing settings for a single Afaria
server. The settings include an instance of the [backend_farm] section and an instance of the
[backend_server] section. The sample does not include the sections for the relay server basic
operations.
#---------------
# Backend farms
#
# Notice that the case sensitive farmID must match the farmID set in the Afaria Administrator's
# relay server configuration page. Default value in Afaria is farmID=Afaria.
#---------------
[backend_farm]
enable = yes
id = farmID
description = Afaria Farm
#-----------------
# Backend servers
#
# id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
# on your afaria server
#-----------------
[backend_server]
enable = yes
farm = farmID
id = sc
token = zyyxpj22p
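As an added example (not Afaria's own code), this Python script parses an rs.config file as the section definitions above describe it and checks the rules stated in "Configuration File Definitions for Basic Operations" and "Relay Server Support for Server Components": ASCII-only content, exactly one [options] and one [relay_server] section, valid port numbers, unique farm ids, case-sensitive farm references from each [backend_server], unique server ids within a farm, one token per farm, and whether client_security and backend_security were left at their default of off. The two embedded configurations and the 123.45.6.78 address are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")  # a "[section]" header line


@dataclass
class Section:
    """One [section] of rs.config; values are kept exactly as written (they are case-sensitive)."""
    name: str
    values: dict = field(default_factory=dict)


def parse_rs_config(text):
    """Parse rs.config text into an ordered list of Section objects.

    configparser is deliberately not used: rs.config repeats [backend_farm] and
    [backend_server] once per farm or server, and each repeat must stay a separate section.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        match = SECTION_RE.match(line)
        if match:
            sections.append(Section(match.group(1)))
            continue
        if "=" not in line or not sections:
            raise ValueError(f"malformed rs.config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[-1].values[key] = value
    return sections


def validate_rs_config(text):
    """Return a list of findings; an empty list means every checked rule holds."""
    findings = []
    if not text.isascii():
        findings.append("file contains non-ASCII characters; rs.config must be ASCII only")
    sections = parse_rs_config(text)
    names = [s.name for s in sections]
    for required in ("options", "relay_server"):
        if names.count(required) != 1:
            findings.append(f"expected exactly one [{required}] section, found {names.count(required)}")
    farms = {}  # farm id -> its [backend_farm] section
    for s in sections:
        if s.name == "relay_server":
            for port_key in ("http_port", "https_port"):
                port = s.values.get(port_key, "")
                if not (port.isdigit() and 1 <= int(port) <= 65535):
                    findings.append(f"[relay_server] {port_key}={port!r} is not a valid TCP port")
        elif s.name == "backend_farm":
            fid = s.values.get("id", "")
            if fid in farms:
                findings.append(f"duplicate [backend_farm] id {fid!r}; each farm needs a unique id")
            farms[fid] = s
            # Both settings default to off, which lets plain HTTP through alongside HTTPS.
            for key in ("client_security", "backend_security"):
                if s.values.get(key, "off") != "on":
                    findings.append(f"farm {fid!r}: {key} is off (the default); HTTP is accepted")
    tokens, seen = {}, set()  # farm id -> first token seen; (farm id, server id) pairs
    for s in sections:
        if s.name != "backend_server":
            continue
        farm, sid = s.values.get("farm", ""), s.values.get("id", "")
        if farm not in farms:  # an exact, case-sensitive match is required
            findings.append(f"server {sid!r} references undefined farm {farm!r} (ids are case-sensitive)")
        if (farm, sid) in seen:
            findings.append(f"duplicate server id {sid!r} in farm {farm!r}")
        seen.add((farm, sid))
        token = s.values.get("token")
        if token is not None and tokens.setdefault(farm, token) != token:
            findings.append(f"farm {farm!r}: servers use different tokens; use one token per farm")
    return findings


# Constructed samples, modelled on this guide's sample file; the host is a placeholder address.
BASIC = "[options]\nstart = auto\nverbosity = 1\n[relay_server]\nenable = yes\n" \
        "host = 123.45.6.78\nhttp_port = 80\nhttps_port = 443\n"
SAMPLE_OK = BASIC + "\n".join([
    "[backend_farm]", "enable = yes", "id = farmID", "client_security = on", "backend_security = on",
    "[backend_server]", "enable = yes", "farm = farmID", "id = sc", "token = zyyxpj22p",
])
# Six defects: non-ASCII text, both security settings left at the default, a farm reference
# with the wrong case, a duplicate server id, and a token that differs within the farm.
SAMPLE_BAD = BASIC + "\n".join([
    "[backend_farm]", "enable = yes", "id = farmID", "description = Afaria Farm (Z\u00fcrich)",
    "[backend_server]", "enable = yes", "farm = farmID", "id = sc", "token = zyyxpj22p",
    "[backend_server]", "enable = yes", "farm = farmid", "id = sc2", "token = zyyxpj22p",
    "[backend_server]", "enable = yes", "farm = farmID", "id = sc", "token = different",
])

if __name__ == "__main__":
    for finding in validate_rs_config(SAMPLE_BAD):
        print(finding)
```

Run it against a real rs.config by reading the file into `validate_rs_config`; the farm and token checks are the ones that catch the case mismatches the guide warns about.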
Configuring Relay Server for Afaria Server
To configure the relay server to support one or more Afaria servers, define the relay server
configuration file and configure settings on the Afaria Administrator.
Prerequisites
As all relay server communications must use HTTP or HTTPS protocol, configure the
Afaria server and devices to use HTTP or HTTPS.
Set up the relay server for basic operations.
Task
1. Configure the relay server configuration file rs.config to support one or more Afaria
servers.
Consider these items when defining the [backend_farm] and [backend_server] sections.
[backend_farm]
id: user-defined, case-sensitive value for identifying the server farm. The farm ID you
define must match the farm ID you define on the Afaria Administrator Server >
Configuration > Relay Server page. On the Relay Server page, the default value is
afaria.
[backend_server]
id: define the server ID value to match the TransmitterID value defined in each
Afaria server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
token: the farm token you define must match the farm token you define on the
Afaria Administrator Server > Configuration > Relay Server page.
2. On the Server > Configuration > Relay Server page of the Afaria Administrator,
configure settings for communications between the relay server and the Afaria server
component.
Start the outbound enabler: select this option to apply an automatic start-up
attribute to the outbound enabler service. Afaria logging captures the outbound
enabler's restart and failure events.
Farm ID and Farm token: a pair of case-sensitive, ASCII text strings that your relay
server uses to direct incoming client communication to your Afaria Server, either a
standalone server or server farm. The combination of the strings must be unique for a
given Afaria instance.
Farm ID: value must match the corresponding value in your relay server's
configuration file and in your device configuration settings.
Farm token: value must match the corresponding value in your relay server's
configuration file.
Server address and Server port: the Afaria server IP address or localhost and
HTTP port that the Afaria server is using for communications. In a server farm
environment, you must enable HTTP on each Afaria server in the farm and use
"localhost" rather than the IP address.
RS address and RS port: the relay server IP address or fully qualified domain name
and port that the outbound enabler service uses to connect to the relay server.
RS URL suffix: text string used as an IIS parameter for invoking the relay server's
Afaria Server Web services, as per the relay server installation instructions for creating
the IIS application pool.
Maximum restarts: the maximum number of times the outbound enabler attempts to
start if it stops unexpectedly.
Client URL prefix: text string used as an IIS parameter for invoking the relay server's
Afaria client Web services, as per the relay server installation instructions for creating
the IIS application pool. This value is also required as a configuration value on Afaria
devices.
Use HTTPS: enable the outbound enabler to communicate via SSL to the relay server.
Certificate path: the path and file name on the Afaria server for the relay server's
certificate file. The certificate contains the relay server's identity and public key.
3. Restart the relay server host.
4. Restart the Afaria server service.
Relay Server Bypass
Even after your relay server is operational, the Afaria Server continues to support direct device
connections. If it is appropriate for your environment, you may allow devices to continue to
connect to the Afaria server directly, bypassing the relay server.
Figure 6: Bypass Relay Server Sample 1
As the above diagram illustrates, if you have Afaria devices that are inside your organization's
firewall and want to connect, you can allow these devices to make direct connections with the
Afaria server using any of Afaria's supported session protocols. These connections need not
pass through the firewall, so the firewall can support higher security.
Figure 7: Bypass Relay Server Sample 2
As the above diagram illustrates, if you have Afaria devices that are outside your
organization's firewall and want to connect, you can allow these devices to make direct
connections with the Afaria server using any of Afaria's supported session protocols as long as
your firewall permits the traffic.
Configuring Relay Server for Enrollment Server
To configure the relay server to support one or more enrollment servers, define the relay server
configuration file and configure settings on the Afaria Administrator.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your enrollment servers.
Task
1. Configure the relay server configuration file rs.config to support one or more
enrollment servers.
Consider this item when defining the [backend_farm] section:
id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the enrollment server
component.
a) In the Afaria Administrator, open the Server > Configuration > Enrollment Server
page.
b) In the Enrollment Server group, select Use Relay Server.
c) In the Relay Farm ID field, enter the farm ID identifying your enrollment server farm.
The value you enter must match the ID value you defined in the [backend_farm]
section.
d) In the relay server group, define these settings:
If using HTTPS, select Use HTTPS on Relay Server connections.
Server address: address of the relay server.
Client URL prefix: IIS path to rs_client.dll, as defined in the machine
hosting the relay server. The default value may differ from your relay server's IIS
path.
e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed an enrollment server.
6. On each machine where you installed an enrollment server, launch the relay server
outbound enabler from the command prompt.
See also
Installing Enrollment Server - Basic on page 57
Configuring Relay Server for iOS Certificate Authority
To configure the Relay Server to support one or more iOS certificate authority servers, define
the relay server configuration file and configure settings on the Afaria Administrator.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your iOS certificate authority.
Task
1. Configure the relay server configuration file rs.config to support one or more iOS
certificate authority servers.
Consider this item when defining the [backend_farm] section:
id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the iOS certificate
authority.
a) In the Afaria Administrator, open the Server > Configuration > Enrollment Server
page.
b) In the Certificate Authority (iOS only) group, select Use Relay Server.
c) In the Farm ID field, enter the farm ID identifying your iOS certificate authority farm.
The value you enter must match the ID value you defined in the [backend_farm]
section.
d) In the relay server group, define these settings:
If using HTTPS, select Use HTTPS on Relay Server connections.
Server address: address of the relay server.
Client URL prefix: IIS path to rs_client.dll, as defined in the machine
hosting the relay server. The default value may differ from your relay server's IIS
path.
e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed an iOS certificate authority server.
6. On each machine where you installed an iOS certificate authority server, launch the relay
server outbound enabler from the command prompt.
See also
Installing Enrollment Server - Basic on page 57
Configuring Relay Server for Access Control
To configure the Relay Server to support the Afaria filter used in Access Control for Email,
define the relay server configuration file, configure settings on the Afaria Administrator, and
reinstall the PowerShell component of the Afaria filter.
Prerequisites
Set up the relay server for basic operations.
Configure the relay server for your Afaria server, regardless of whether you plan to use the
relay server for device connections.
Task
The following steps describe how to add the relay server to your current configuration for
Access Control for Email. It is assumed that you have already installed the two components of
the Afaria filter and have configured Access Control on the Afaria Administrator.
1. Configure the relay server configuration file rs.config to support the Afaria filter.
In the [backend_farm] section, define the Afaria filter's farm ID by using
<AfariaServerFarmID>-IS, where <AfariaServerFarmID> is the same farm ID
you defined for the Afaria server. For example, if you define your Afaria server farm ID as
Afariafarm, then define your Afaria filter's farm ID as Afariafarm-IS.
2. On the Server > Configuration > Access Control Server page of the Afaria
Administrator, select Use Relay Server, then click Save.
3. Reinstall the PowerShell component of the Afaria filter. In the Server Settings page of the
installation wizard, enter the relay server address and farm ID.
The farm ID you enter must match the farm ID you defined for the Afaria server in the relay
server configuration file. The installation wizard automatically appends -IS to match the
farm ID defined for the Afaria filter.
4. Restart the machine where you reinstalled the PowerShell component.
5. Restart the relay server host.
6. In the Afaria Administrator, restart the Afaria server service.
See also
Relay Server on page 91
Additional Afaria Components on page 11
Server Configuration for Installation and Management on page 47
Access Control for Email on page 75
Configuring Relay Server for Package Server
To configure the relay server to support one or more package servers, define the relay server
configuration file and configure settings on the Afaria Administrator.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your package servers.
Task
1. Configure the relay server configuration file rs.config to support one or more
package servers.
Consider this item when defining the [backend_farm] section:
id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the package server
component.
a) In the Afaria Administrator, open the Server > Configuration > Package Server
page.
b) In the Package Server (Indirect Access) group, select Use Relay Server and enter the
farm ID identifying your package server farm.
The value you enter must match the id value you defined in the [backend_farm]
section.
c) In the Indirect Access (Relay Server) group, define these settings:
If using HTTPS, select Use HTTPS on Relay Server connections.
Server address: address of the relay server.
Client URL prefix: IIS path to rs_client.dll, as defined in the machine
hosting the relay server. The default value may differ from your relay server's IIS
path.
d) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed a package server.
6. On each machine where you installed a package server, launch the relay server outbound
enabler from the command prompt.
See also
Installing Package Server on page 71
Configuring Relay Server for Application Onboarding Certificate
Authority
To configure the relay server to support one or more Application Onboarding certificate
authority servers, define the relay server configuration file and configure settings on the Afaria
Administrator.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your Application Onboarding certificate authority servers.
Task
1. Configure the relay server configuration file rs.config to support one or more
Application Onboarding certificate authority servers.
Consider this item when defining the [backend_farm] section:
id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the Application
Onboarding certificate authority.
a) In the Afaria Administrator, open the Server > Configuration > Package Server
page.
b) In the Certificate Authority (for Package Server) group, select Use Relay Server and
enter the farm ID identifying your certificate authority farm.
The value you enter must match the ID value you defined in the [backend_farm]
section.
c) In the Indirect Access (Relay Server) group, define these settings:
If using HTTPS, select Use HTTPS on Relay Server connections.
Server address: address of the relay server.
Client URL prefix: IIS path to rs_client.dll, as defined in the machine
hosting the relay server. The default value may differ from your relay server's IIS
path.
d) Click Save.
3. Restart the relay server.
4. (Optional) Restart the Afaria server service from the Afaria Administrator.
5. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed a certificate authority server.
6. On each machine where you installed a certificate authority server, launch the relay server
outbound enabler from the command prompt.
Launching the Relay Server Outbound Enabler
Launch the relay server outbound enabler (RSOE) from the command prompt of the server
component.
Prerequisites
1. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.
Task
The RSOE is the relay server's agent on a server component, such as the package server
and the enrollment server. It initiates an outbound connection with the relay server.
The executable file for the RSOE is rsoe.exe.
Sybase recommends matching the versions of the RSOE and the relay server.
1. From the command prompt of the machine hosting the server component, navigate to the
RSOutboundEnabler directory that you copied from the Afaria server.
2. To launch the RSOE, use the command line:
rsoe -cr param -f farm -id id [options]
- -cr: parameters for the relay server connection.
- -f: server component farm ID, as defined in the relay server configuration file.
- -id: unique ID identifying the server component, as defined in the relay server configuration file.
For a complete list of command line switches and their meanings, enter rsoe at the
command prompt and press Enter.
If you include the security token when you define the [backend_server] section in the relay
server configuration file, you must use the -t switch when launching the RSOE.
When using the -cs switch, do not use localhost for the server address and do not use
spaces in the name.
This is a sample command line to launch the RSOE on a machine hosting the iOS certificate
authority:
rsoe.exe -cr "host=www.rs.com;port=80" -cs "host=<IP Address>;port=80" -f CAFarmName -id CAID -t CAToken
Next
(Optional) Install the RSOE as a Windows service.
Installing the Relay Server Outbound Enabler as a Windows Service
Install the relay server outbound enabler (RSOE) as a Windows service by running the
dbsvc.exe service utility at the command prompt.
Prerequisites
1. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.
Task
Each instance of the RSOE can be installed as a Windows service.
The RSOutboundEnabler folder includes dbsvc.exe, a service utility that installs the
RSOE as a Windows service.
On the machine hosting the server component, execute this command at a command prompt
running with administrator privileges:
dbsvc.exe -as -s auto -sn "AfariaRSOE" -w AfariaRSOE "<full path>\RSOutboundEnabler\rsoe.exe" @"<full path>\RSOutboundEnabler\rsoe.config"
For a complete list of the service utility's command line switches, enter dbsvc.exe at the
command prompt and press Enter.
The command prompt displays a line confirming that the "AfariaRSOE" service was
successfully created.
The "AfariaRSOE" service is listed in the list of Windows services of the machine hosting
the server component.
Relay Server with SSL
To configure the relay server to use SSL, you must install a trusted certificate on the server that
is running the relay server's Microsoft Internet Information Services (IIS) Server and the relay
server engine, rshost.exe.
You can configure Afaria devices to connect securely using the relay server address and
HTTPS protocol after you have installed the certificate. Connecting to the relay server with
SSL ensures that the traffic from devices to the relay server is encrypted. If your Afaria Server
and relay server are behind the same firewall, this configuration is all you need to secure your
data.
Encrypting traffic between the relay server and the Afaria Server requires that you export the
relay server's public key and copy the resulting file to the Afaria Server, then use the Afaria
Administrator's relay server page to enable HTTPS and specify the location of the public key
file. All traffic is encrypted after you restart the Afaria Server.
Relay-Server-Related Logging
Relay-server-related logging allows you to retrieve the connections and restart attempts that occurred
both on the Afaria server and on the relay server.
- Afaria-side logging: Afaria logging captures the outbound enabler's restart attempt events; it does not capture relay server start events when started by the Afaria service, as occurs when the "Start the outbound enabler" setting is selected.
- Relay-server-side logging: relay server logging captures events while rshost.exe is active. When started using the relay server's configuration file setting for auto start, the log is stored in the following relay server path: <tmpdir>\ias_relay_server_host.log. The value of <tmpdir> is populated with the first available environment variable, according to the search order SATMP, TMP, TMPDIR, TEMP.
The relay server log captures connections from the Afaria Server to the relay server and
successful device connections. The log does not capture unsuccessful client connections.
1. To retrieve logging from the relay server to the Afaria server, unselect Start the outbound
enabler to prevent the outbound enabler from starting during Afaria's next restart.
2. Restart the Afaria server service.
3. On the Afaria server, open a command prompt and navigate to <Afaria Server
Installation Directory>\bin\RSOutboundEnabler.
4. Restart the outbound enabler using this single, continuous command:
rsoe.exe -id <AfariaServerID> -f <FarmID> -t <Farm token> -cs "host=localhost;port=<AfariaHTTPPort>;" -cr "host=<RelayServerIP>;port=<RelayServerHTTPPort>;url_suffix=<RsURLSuffix>;url_prefix=<ClientURLPrefix>" -v <LogVerbosity> -o <LogOutputPathFile>
- <AfariaServerID>: the Afaria server ID value. The ID value is defined in the Afaria Server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
- <FarmID>: farm ID, as stored on the Relay Server configuration page.
- <Farm token>: farm token, as stored on the Relay Server configuration page.
- <AfariaHTTPPort>: Afaria's HTTP port, as stored on the Client Communications configuration page.
- <RelayServerIP>: relay server IP address.
- <RelayServerHTTPPort>: relay server HTTP port.
- <RsURLSuffix>: RS URL suffix, as stored on the Relay Server configuration page.
- <ClientURLPrefix>: client URL prefix, as stored on the Relay Server configuration page.
- <LogVerbosity>: controls the level of logging. Logs always include errors. Logs always include warnings for levels 1-5.
  0: no logging.
  1: session-level logging.
  2: request-level logging.
  3: packet-level logging, terse.
  4: packet-level logging, verbose.
  5: transport-level logging.
- <LogOutputPathFile>: Afaria Server path and file name for the log file.
For a complete list of command line switches and their meanings, enter rsoe at the
command prompt and press Enter.
This sample writes the log file to c:\outbound.log on the Afaria Server.
rsoe.exe -id got -f AfariaFarm -t Token_00 -cs "host=localhost;port=80;" -cr "host=10.14.229.21;port=80;url_suffix=/ias_relay_server/server/rs_server.dll;url_prefix=/ias_relay_server/client/rs_client.dll" -v 5 -o c:\outbound.log -af
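As an added example that is not code from the Sybase guide, the following Python script assembles an rsoe.exe command line from the switches documented in the launch procedure and in the log-retrieval procedure above, and checks the constraints the guide states before anything is launched (no spaces in the host name, localhost only when the RSOE runs on the Afaria server itself, -v within 0-5, -t present when a token is supplied). The host 10.0.0.5, the farm names and the token used with it are constructed placeholders.

```python
# Added example (not from the Afaria guide): assemble an rsoe.exe command line
# from the documented switches and check the guide's constraints before launch.
# Hosts, farm names and tokens used here are constructed placeholders.

# -v levels listed in the guide: errors always logged, warnings for levels 1-5.
VERBOSITY = {0: "no logging", 1: "session", 2: "request",
             3: "packet (terse)", 4: "packet (verbose)", 5: "transport"}


def parse_conn(spec):
    """Split a -cr/-cs value such as 'host=x;port=80;url_suffix=/a' into a dict."""
    conn = {}
    for part in spec.split(";"):
        if part:
            key, _, value = part.partition("=")
            conn[key.strip()] = value  # value kept verbatim so stray spaces show
    return conn


def check_cs_host(spec, allow_localhost):
    """Guide's rules for -cs: no spaces in the name and no localhost, except
    when the RSOE runs on the Afaria server itself (log-retrieval procedure)."""
    host = parse_conn(spec).get("host", "")
    if not host or " " in host:
        raise ValueError("-cs host must be set and contain no spaces: %r" % host)
    if host.lower() == "localhost" and not allow_localhost:
        raise ValueError("do not use localhost for the -cs server address")
    return host


def quote(arg):
    """Quote as the guide does: values containing ';' or spaces get double quotes."""
    return '"%s"' % arg if (" " in arg or ";" in arg) else arg


def build_rsoe_cmdline(farm, server_id, cr, cs, token=None, verbosity=None,
                       logfile=None, allow_localhost=False):
    """Return the rsoe.exe command line, or raise ValueError on a documented misuse."""
    check_cs_host(cs, allow_localhost)
    args = ["rsoe.exe", "-cr", cr, "-cs", cs, "-f", farm, "-id", server_id]
    if token:  # -t is required when [backend_server] defines a security token
        args += ["-t", token]
    if verbosity is not None:
        if verbosity not in VERBOSITY:
            raise ValueError("-v must be 0-5, got %r" % verbosity)
        args += ["-v", str(verbosity)]
    if logfile:
        args += ["-o", logfile]
    return " ".join(quote(a) for a in args)
```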
Uninstalling Afaria Components
Remove Afaria software components as needed by using the Microsoft Add/Remove
Programs utility.
For Afaria Administrator, enrollment server, and package server, uninstalling any of these
servers also uninstalls all Afaria Self-Server Portal instances at the same time.
Uninstalling Afaria Server
Uninstalling an Afaria server also uninstalls the Afaria Administrator, if installed on the same
server. Removing the Afaria server deletes the software component and all defined channels
but preserves the Afaria database.
1. If you are uninstalling a farm server, on the Afaria Administrator go to Server >
Configuration > Server Farm and set the state to hidden.
Hiding the farm server removes it from the server selector list.
2. On the server to uninstall, close all Afaria programs.
3. Stop all Afaria-related services.
4. Using the Microsoft Add/Remove Programs utility, select the component and remove
it.
The most common reasons for the step to fail are:
- An Afaria program or related service is still running. Stop the programs and related services and retry the step.
- Windows Explorer or some other program is using the Afaria installation directory. Close all programs, then restart the machine and retry the step.
- Afaria system folders are shared with device users. Remove the share from the folder and retry the step.
5. If uninstalling a farm server, delete the server entry from the A_SERVER database
table.
If you do not delete this server from the database, it continues to appear on Server >
Configuration > Server Farm page as an available server.