Good Connect Server for Lync 2013 Installation and Administration Guide

Author: Louisa Harrell
Good Connect Server for Lync 2013 Installation and Administration Guide Product Version: 2.2 Doc Rev 1.4 Last Update: 5-Aug-15

Good Connect™

Legal Notice This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws. While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements. The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. 
It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information © Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal.  GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.


Table of Contents

Overview
Requirements
System and Network Requirements
Good Dynamics Requirements
Microsoft .NET Framework 4.5
Microsoft Windows PowerShell 3.0 RTM
Microsoft Unified Communications Managed API 4.0 Runtime (64-bit)
SSL Certificate Requirements
Good Connect Database
Database Level Permissions
Setting Up an Oracle XE database
Setting Up Your Microsoft SQL Server 2008 R2
Preparing Your Lync Topology for Good Connect
Initial Installation of Good Connect Server
Preparing for Subsequent Good Connect Servers
Installing the Good Connect Server
Good Connect Windows Service
APNS Web Proxy Support
Setting Your Proxy Configuration Parameters
Storing User Credentials
Configuring for Global Catalog
Repairing/Upgrading the Good Connect Server
Repairing the Good Connect Server
Upgrading from Good Connect 1.2
Upgrading from Good Connect 2.1
Configuring Good Control
Entering the Server Pool Information and IM Platform Type
Listing Approved Server Hostnames and Ports
Controlling Browser and Map Behavior
Enabling Disclaimer
Disabling Conversation History
Configuring Good Connect User Affinity
ABC Company Example
Enabling User Affinity
Configuring MS Exchange Conversation History (Optional)
Enabling SSL Support via Good Proxy
Creating the CSR
Send the New CSR to a Well-Known Third-Party CA
Binding the SSL Certificate
Configuring Good Connect Server to Use the New Certificate
Configuring Good Connect Clients to Send Requests Over SSL
Good Connect Cluster Configuration Maintenance
Troubleshooting
Appendix A – Good Connect Server Configuration File
Appendix B – Troubleshooting SSL Certificate Exceptions
Glossary

Overview

This manual provides step-by-step instructions for installing version 2.2 of the Good Connect Server in your Lync 2013 environment. Be sure to carefully read and confirm that you meet all the listed requirements before starting the installation. There is also a detailed administration portion for reference when server installation is complete.

The following diagram shows how the Good Connect Server works with both the enterprise IM infrastructure and the Good Dynamics (GD) servers behind the enterprise firewall. The Good Connect server then communicates with the Good Dynamics Network Operation Center (NOC) to securely reach the mobile device.


Requirements

This section lists the requirements for the Good Connect Server software.

Important: If you are upgrading from a previous version of Good Connect Server, you must use the same Windows Service Account used to install your current version of Good Connect Server.

Caution: If you don’t install the required software, or fail to configure it correctly before starting the installation of the Good Connect Server, the Good Connect Server may fail or may behave in an unexpected manner.

System and Network Requirements

You must meet the following requirements before installing the Good Connect server.

• Microsoft Windows Server 2008 R2 (64-bit) or Microsoft Windows Server 2012 (64-bit)
• 4 GB of RAM
• 20 GB disk space
• 4 core processor
• The installing user must have local administrative privileges on the host computer.
• The Good Connect Server must be in the same domain as Microsoft Lync Server 2013.
• The Good Connect Server must be able to communicate with the Microsoft Active Directory.
• The local Windows Firewall must be disabled. Note: A Group Firewall Policy causes the installer to fail prerequisite checks, even if the local firewall is disabled.
• Disable local anti-virus software during installation.
• The following inbound ports must not be blocked by any firewall:
    ◦ 8080 from the Good Proxy server
    ◦ 49555 from the Lync server
• The following outbound ports must not be blocked by any firewall:
    ◦ 443 to the Good Technology NOC/Apple Push Notification Service
    ◦ 5061 to the Lync server
    ◦ 17080 to the Good Proxy server
    ◦ 17433 to the Good Proxy server
• Good Connect also requires TCP/IP port access to the database used:
    ◦ 1433 to the Microsoft SQL Server (default port)
    ◦ 1521 to the Oracle XE server (default port)


Good Dynamics Requirements

• At least version 1.3.26.40 of the Good Control server
• At least version 1.3.26.10 of the Good Proxy server

You can download the Good Dynamics servers from the Good Developer Network (GDN).

Microsoft .NET Framework 4.5

• Windows Server 2008 R2: This operating system version comes with .NET Framework 3.5. Download and install .NET Framework 4.5.
• Windows Server 2012: Enable the Microsoft .NET Framework 4.5 feature using Server Manager.

Microsoft Windows PowerShell 3.0 RTM

• Windows Server 2008 R2: This operating system version comes with PowerShell 2.0. Install PowerShell 3.0 by downloading and installing MS Update Package Windows6.1-KB2506143-x64. PowerShell 3.0 on 2008 R2 requires .NET Framework 3.5 Service Pack 1 to be installed. Enable this feature using Server Manager.
• Windows Server 2012: This operating system version comes with PowerShell 3.0. Enable the Windows PowerShell 3.0 feature using Server Manager.

Microsoft Unified Communications Managed API 4.0 Runtime (64-bit)

Download UCMA 4.0. UcmaRuntimeSetup.exe also installs an additional installer named OCSCore.msi that is required by Good Connect Server. Find OCSCore.msi in the following directory, launch it, and use the default settings in the wizard. (Note: By default, the ProgramData folder is hidden in Windows Explorer. You can change this in folder settings.)

    C:\ProgramData\Microsoft\Lync Server\Deployment\cache\5.0.8308.0\Setup\OCSCore.msi

• Windows Server 2008 R2: UCMA 4.0 requires Desktop Experience on Windows Server 2008 R2. Enable this feature using Server Manager.
• Windows Server 2012: UCMA 4.0 requires Media Foundation on Windows Server 2012. Enable this feature using Server Manager.


SSL Certificate Requirements

Good Connect Server must form a mutual trust relationship for MTLS communications with the Lync server. Mutual trust requires an SSL certificate on the Good Connect computer meeting the following criteria:

• The private certificate issued by a trusted CA is stored in Console Root\Certificates (Local Computer)\Personal\Certificates.
• The computer’s private certificate, as well as the Lync server’s internal computer certificate, must both be trusted by root certificates stored in Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
• Any intermediate certificates for both the Good Connect Server’s private certificate and the Lync server’s internal computer certificate must be located in Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
• The account used to run the Good Connect server application must have read access to the certificate store and the private key.
• The Subject Name (SN) of the certificate must contain the Common Name (CN) for the Good Connect server's fully-qualified domain name; e.g., "CN=server.subdomain.domain.tld".
• The certificate must be signed by a CA that is mutually trusted by both the Lync server and the Good Connect server.

For more on SSL Certificate requirements see Certificate infrastructure requirements for Lync 2010.

To create a certificate for Good Connect Server through your enterprise certificate authority (CA):

1. Launch the Microsoft Management Console (MMC).
2. Select File > Add/Remove Snap-in > Select Certificate.
3. Select Computer Account.
4. Click Next.
5. Select Local Computer.
6. Click Finish.
7. Select Certificates > Personal > Certificates. Note: The final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal.
8. Select Actions > All Tasks > Request New Certificate.


9. Click Next.
10. Select Active Directory Enrollment Policy and click Next.
11. Select Computer as the type of certificate, then click Enroll.


12. Click Finish when the enrollment process succeeds. The MMC now lists the new certificate. If you don’t see the new certificate, expand the tree view in the left-hand pane by clicking Console Root > Certificates (Local Computer) > Personal > Certificates.
13. Verify that your new certificate lists the fully qualified domain name of your Good Connect Server in the Subject attribute of your newly issued certificate as pictured below. This is the default behavior of the Certificate Authority. However, if your CA uses custom certificate templates, an administrator may need to explicitly add that field for inclusion.
14. Right-click the newly created certificate and select More Actions > All Tasks > Manage Private Keys.
15. Click Add in the Security tab of the Permissions dialog box to see the Select Users, Computers, Service Accounts or Groups dialog box.


16. Enter the Good Connect service account and click OK to grant permission to this certificate’s private key.
17. Click OK in the Permissions dialog box.
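Once the certificate is enrolled, the criteria listed under SSL Certificate Requirements can be checked from PowerShell. The script below is an added example, not part of the original guide: the service account name is a hypothetical placeholder, and the private-key permission check assumes an RSA key held by a CSP under the standard MachineKeys folder.

```powershell
# Added example: checks each computer certificate against the criteria above.
# Assumptions: elevated PowerShell 3.0+ session on the Good Connect host;
# 'EXAMPLE\svc-goodconnect' is a hypothetical service account name.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-goodconnect',
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

function Test-GoodConnectCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn,
        [string]$ServiceAccount
    )
    $now = Get-Date
    $result = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        SubjectHasCN  = $false
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ChainTrusted  = $false
        KeyReadable   = 'not checked'
    }

    # Criterion: the Subject must contain CN=<server FQDN> (match is case-insensitive).
    $result.SubjectHasCN = $Cert.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)"

    # Criterion: the certificate must chain to a root trusted by this computer.
    # Machine context is used because the service reads the Local Computer stores.
    # Revocation is skipped so the check also works without network access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainTrusted = $chain.Build($Cert)

    # Criterion: the service account needs read access to the private key.
    # Only explicit ACL entries for the account are detected here; access that
    # is granted through a group membership is not resolved.
    if ($Cert.HasPrivateKey) {
        try {
            $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
            $read = [int][System.Security.AccessControl.FileSystemRights]::Read
            $acl  = Get-Acl -Path $path -ErrorAction Stop
            $rule = $acl.Access | Where-Object {
                $_.IdentityReference.Value -ieq $ServiceAccount -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $read) -eq $read)
            }
            $result.KeyReadable = [bool]$rule
        } catch {
            # CNG-stored keys and missing key files end up here.
            $result.KeyReadable = "unknown: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    Test-GoodConnectCertificate -Cert $_ -Fqdn $Fqdn -ServiceAccount $ServiceAccount
} | Format-List
```

A certificate is a candidate for Good Connect when SubjectHasCN, HasPrivateKey, InValidity, ChainTrusted and KeyReadable are all True.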

Good Connect Database

Good Connect server requires a relational database, either existing in your environment or freshly installed for your Good Connect deployment. Currently supported databases include Oracle and Microsoft SQL Server.

Important: The database must be installed and prepared before attempting to start your Good Connect server installation. In addition, SQL scripts included in your Good Connect installer package must be executed before you start the Good Connect Server installation.

Microsoft and Oracle have visual and command line tools to assist you with database and schema creation. These include Microsoft Management Studio, sqlcmd, Oracle SQL Developer, sql*plus, etc.

Supported Oracle versions include:

• Oracle 10g (Standard/Enterprise)
• Oracle 11g (Express/Standard/Enterprise)

Note: Oracle Database 10.2 and 11.1 are no longer available for download. The software is available as a media or FTP request for those customers who own a valid Oracle Database product license for any edition. To request access to these releases, follow the instructions in Oracle Support Document 1071023.1 (Requesting Physical Shipment or Download URL for Software Media) from My Oracle Support.

You must also download the Oracle Data Access Components (ODAC 11.2 Release 5 for Windows x64) and install the client libraries on the Good Connect server machine.

Supported Microsoft SQL Server versions:

• SQL Server 2008 SP 1 (Express/Standard/Enterprise)
• SQL Server 2008 R2 (Express/Standard/Enterprise)

For POC deployments, you can download a trial of MS SQL Server 2008 R2 Express.

Database Level Permissions

The database user for Good Connect requires the minimum set of database level permissions to:


1. Connect to the database over TCP/IP
2. Select/insert/update/delete to and from tables
3. Create/alter tables
4. Execute stored procedures

Defined as the database level permissions, the minimum set includes:

• ALTER
• CONNECT
• CREATE TABLE
• DELETE
• EXECUTE
• INSERT
• SELECT
• UPDATE

Failure to grant these minimum database level permissions to the database user for Good Connect will render the product inoperable and will be unsupported.

Exclusions

These roles are not required by the database user for Good Connect:

• DB_BACKUPOPERATOR
• DB_ACCESSADMIN
• DB_SECURITYADMIN
• DB_DDLADMIN
• DB_OWNER

The database user for Good Connect also does not require any of these instance roles:

• DBCREATOR
• DISKADMIN
• PROCESSADMIN
• SECURITYADMIN
• SERVERADMIN
• SETUPADMIN
• SYSADMIN
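On SQL Server, the exclusion lists above can be turned into a least-privilege audit of the Good Connect login. The script below is an added example, not part of the original guide: the instance name is a placeholder, and it assumes a Windows-authenticated connection by an account allowed to read role membership.

```powershell
# Added example: reports any role from the guide's "Exclusions" lists that the
# Good Connect login currently holds on SQL Server.
# Assumptions: 'localhost\SQLEXPRESS' is a placeholder instance name; the caller
# connects with Windows authentication and can read role membership.
param(
    [string]$Instance = 'localhost\SQLEXPRESS',
    [string]$Database = 'GoodConnect',
    [string]$Login    = 'GoodConnect'
)
Add-Type -AssemblyName System.Data

# Roles the guide says the Good Connect database user does not require.
$ExcludedDbRoles     = 'db_backupoperator', 'db_accessadmin', 'db_securityadmin',
                       'db_ddladmin', 'db_owner'
$ExcludedServerRoles = 'dbcreator', 'diskadmin', 'processadmin', 'securityadmin',
                       'serveradmin', 'setupadmin', 'sysadmin'

# Database roles held by the database user that is mapped to the login's SID.
$dbSql = @'
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@name)
'@

# Instance-level (server) roles held by the login itself.
$srvSql = @'
SELECT r.name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = @name
'@

function Get-RoleNames {
    param(
        [System.Data.SqlClient.SqlConnection]$Connection,
        [string]$Sql,
        [string]$Name
    )
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    [void]$cmd.Parameters.AddWithValue('@name', $Name)   # parameterized query
    $reader = $cmd.ExecuteReader()
    try {
        while ($reader.Read()) { $reader.GetString(0) }  # emit each role name
    } finally {
        $reader.Close()
    }
}

$connString = "Server=$Instance;Database=$Database;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
$conn.Open()
try {
    $dbRoles  = @(Get-RoleNames -Connection $conn -Sql $dbSql  -Name $Login)
    $srvRoles = @(Get-RoleNames -Connection $conn -Sql $srvSql -Name $Login)
} finally {
    $conn.Close()
}

# -contains is case-insensitive, so DB_OWNER and db_owner compare equal.
$findings = @($dbRoles  | Where-Object { $ExcludedDbRoles -contains $_ } |
                ForEach-Object { "database role: $_" }) +
            @($srvRoles | Where-Object { $ExcludedServerRoles -contains $_ } |
                ForEach-Object { "server role: $_" })

if ($findings.Count -gt 0) {
    Write-Warning "Login '$Login' holds roles the guide lists as not required:"
    $findings
} else {
    "Login '$Login' holds none of the excluded roles."
}
```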

Setting Up an Oracle XE database

Prior to running the installer, you must create a schema named “GoodConnect” in your instance, as well as a user account with privileges to execute the schema scripts and stored procedures and to create tables in that schema.


To set up your Oracle database:

1. Select Start Menu > All Programs > Oracle Database Express Edition > Run SQL Command Line.
2. When prompted, enter connect system and provide the password.
3. Run the following commands, where <install_dir> is the Good Connect installation directory:

    create user GoodConnect identified by password;
    grant connect, resource to GoodConnect;
    alter user GoodConnect default role all;
    grant create table to GoodConnect;
    @<install_dir>\Sql\Oracle\1_Balboa_Schema.sql;
    @<install_dir>\Sql\Oracle\1_Balboa_storedProcedures.sql;
    @<install_dir>\Sql\Oracle\2_Cardiff_Schema.sql;
    grant execute on GOODCONNECT.USP_CREATENEWADTABLE to GoodConnect;
    grant execute on GOODCONNECT.USP_SWITCHADTABLES to GoodConnect;
    grant execute on GOODCONNECT.UTILS to GoodConnect;

Setting Up Your Microsoft SQL Server 2008 R2

SQL Server Management Studio, which is bundled with the SQL Server 2008 R2 Express download, is required for setting up the Good Connect database. If your SQL Server installation does not include the SQL Server Management Studio software, click the link immediately above.

Follow these instructions to set up the Good Connect database in SQL Server:

1. Install the SQL Server database per the directions in the installation wizard. Specify Windows Authentication mode or SQL Server and Windows Authentication mode under the Security section of Server Properties.
2. After installation, launch SQL Server Management Studio and log in.
3. Set up the login that will be used to manage the Good Connect database by expanding the Security item in the Object Explorer pane, right-clicking Logins, then selecting New Login.
    • If you selected SQL Server and Windows Authentication mode in Step 1, enter "GoodConnect" as the Login name. Select SQL Server authentication and set a Password for this login (this password will be needed later when the Good Connect installer asks for Connect database information), then click OK to add the login.
    • If you selected Windows authentication in Step 1 because you want to use a Windows account to manage the database, enter the Windows account username in domain\username format as the Login name. This account should be the same as the service or administrator account set up to run the Good Connect server service. Click OK to add the login.
4. Right-click the Databases item in the Object Explorer pane, then select New Database, enter GoodConnect as the Database name, and set the login you configured in the previous step as the database Owner. Click OK to add the database.
5. Launch the SQL Server Configuration Manager by selecting Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.


6. Expand SQL Server Network Configuration and select Protocols for SQLEXPRESS, then enable TCP/IP and add TCP Port 1433 for IPAll. 1433 is merely a default port, which you can change as needed or desired, post-installation.
7. Restart the Microsoft SQL Server service.
8. Run the following schema and stored procedure scripts, where <server> is the host name of your SQL Server:

    sqlcmd -S <server>\SQLExpress -d GoodConnect -i 1_Balboa_Schema.sql
    sqlcmd -S <server>\SQLExpress -d GoodConnect -i 1_Balboa_StoredProcedures.sql
    sqlcmd -S <server>\SQLExpress -d GoodConnect -i 2_Cardiff_Schema.sql

Important: Execute the scripts in the order specified above to properly create the GoodConnect database schema and stored procedures. These scripts can be found in the installation directory within the ..\SQL\SQLServer folder.

Preparing Your Lync Topology for Good Connect

Good Connect is a Microsoft Lync trusted-UCMA application. In order to establish trust with Microsoft Lync 2013, you must use the Lync Management Shell to do the following:

• Create a trusted application pool.
• Designate trusted applications for the use of the Good Connect computer.
• Create a trusted-computer entry for every Good Connect server in the environment.
• Publish these changes to the Lync Topology.
• Create a Trusted Endpoint for the Good Connect administrator.

Important: You must be a member of the RTCUniversalServerAdmins and Domain Admins security groups to provision and publish new applications in the Microsoft Lync topology. If you have a designated Lync administrator within your organization, it is ideally this person who should perform the steps listed next. You must complete the application provisioning process as described here. After the application provisioning process, the Lync administrator will need to delegate RTCUniversalReadOnlyAdmins permission to you, as the installer, in order to access the provisioning information during the Good Connect installation process.

Initial Installation of Good Connect Server

The preparations described here are required only if you are installing the Good Connect server for the first time. See Preparing for Subsequent Good Connect Servers if you’ve already completed an initial setup of the Lync topology for Good Connect.

When you create a trusted application pool for the initial installation of Good Connect, you also create the trusted-computer entry. Subsequent installations of the Good Connect server do not require a new trusted application pool or designated trusted applications because these are added to the existing trusted application pool.

Launch the Lync Management Shell and enter the commands listed below to do the following:

1. Create a Trusted Application Pool.
2. Designate a Trusted Application.
3. Publish the changes to the Lync Topology.

Important: Please follow the naming conventions in bold, replacing <hostname> with your Good Connect host name and <domain> with your organization's domain.

    PS> Get-CsSite

If your organization has more than one Site in its topology, look up the appropriate siteId number and the corresponding registrar value. You will need this information to create the Application Pool below.

    PS> New-CsTrustedApplicationPool -Force -Identity "pool_goodconnect.<domain>" -Registrar <registrar> -RequiresReplication $false -Site <siteId> -ComputerFqdn "<hostname>.<domain>"

The value for <registrar> can be either a Director pool or a Lync pool. Director pools direct (or redirect) user requests to the appropriate front-end server. If the director pool becomes unavailable, however, all pools will be inaccessible.

    PS> New-CsTrustedApplication -Force -ApplicationId "appid_goodconnect.<domain>" -TrustedApplicationPoolFqdn "pool_goodconnect.<domain>" -Port 49555
    PS> Enable-CsTopology
    PS> New-CsTrustedApplicationComputer -Identity "<computer_fqdn>" -Pool "pool_goodconnect.<domain>"


Preparing for Subsequent Good Connect Servers

Follow the instructions here only if you’ve already installed the Good Connect server at least once before. If this is your first installation of the Good Connect server, follow the instructions in Initial Installation of Good Connect Server.

Launch the Lync Management Shell and enter the commands listed below to create a trusted computer for the Good Connect trusted application pool.

Important: As with your initial installation, please follow the naming conventions in bold, replacing <hostname> with your Good Connect host name and <domain> with your organization’s domain.

    PS> New-CsTrustedApplicationComputer -Identity "<hostname>.<domain>" -Pool "pool_goodconnect.<domain>"

Installing the Good Connect Server

Note: The Good Connect installer securely stores Web Proxy, Database, and Exchange service passwords in the Windows Credential Manager as the installer user. If the installer user is not the same as the Good Connect Windows Service account, you will need to manually add passwords to the Windows Credential Manager.

To install the Good Connect server software:

1. Run the installer executable.
2. The introduction presented furnishes basic information about the installer and disk space needed. Review the information carefully, verify that your machine can support the storage requirement, then proceed by clicking Next.
3. Read the License and Services Agreement and accept the terms by clicking Next.
4. The installer now checks to make sure you meet the prerequisites detailed in Pre-Installation Requirements above. Failure to meet all the requirements will cause Good Connect to fail or behave improperly.


5. Good Dynamics Host Information screen

The Good Connect Server requires the hostname and port of the Good Dynamics Proxy server. If you choose HTTPS, be aware that, at this time, Good Dynamics does not support internal CA issued SSL certificates within the Good Dynamics Proxy server. The certificate must come from a well-known third-party certificate authority. See your GD Server Installation Guide for detailed instructions on how to do so.


6. Database Server Settings screen

Good Connect requires a database to execute properly. Database configuration parameters can be set on this screen.

Microsoft SQL Server 2008 R2


MS SQL Server can be authenticated in two ways: (a) Integrated Windows Authentication or (b) SQL Server Authentication.

Integrated Windows Authentication

When a user connects through a Windows OS user account, SQL Server validates the account name and password using the Windows principal token in the operating system. The user’s credentials are confirmed by Windows OS and it is not necessary to provide username and password. Windows Integrated Authentication uses the Kerberos security protocol, which provides password policy enforcement, support for account lockout, and password expiration. A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

SQL Server Authentication

When using SQL Server Authentication, logins are created in Microsoft SQL Server directly and are not based on Windows OS user accounts. Both the username and the password are stored and managed in the SQL Server. Users connecting using SQL Server Authentication must provide their credentials when they connect. If you choose SQL Server Authentication, you must provide username and password.


The Good Connect Installer securely stores the username and password in the Windows Credential Manager. If you run the Good Connect Windows service as a different user from the one that installs Good Connect, you will need to manually add the database username and password to the Windows Credential Manager as described in the following steps:

    1. Log in to the Good Connect server as the run user (this is the domain user as defined in the Good Connect Server Host Information screen).
    2. Launch cmd.exe as Administrator.
    3. Execute the command:

        cmdkey /generic:GoodConnectDatabase /user:dbadmin /pass:password

Oracle XE

Note: To use an Oracle database, you must install the Oracle ODAC on the Good Connect server so that the installer can test connectivity to the Oracle database server.


7. Good Connect Server Host Information screen

Each Good Connect server’s host information also needs to be entered in the Good Control console. The installer automatically enters the local hostname. If the installer cannot detect a hostname, you can enter one; however, the hostname must resolve properly within your network’s DNS for it to operate correctly with Good Dynamics and Microsoft Lync. Good Connect server supports HTTP and HTTPS connections from the Good Connect client.

HTTP Client Connections

The default port for incoming client connections to the Good Connect Server is 8080. By default, the Good Connect installer will enable Connect server to respond to HTTP client requests.


HTTPS Client Connections

The Good Connect server supports client SSL connections to the Good Connect server. Prior to installation, the Good Connect admin will need to follow the instructions for enabling SSL for the Connect client. The instructions can be found in Enabling SSL Support Between Good Dynamics Proxy and Good Connect Servers. After setting up SSL, follow these instructions during installation:

    1. Select Use GD SSL Binding.
    2. Enter Port and Certificate Friendly Name.


Each Good Connect server can host a maximum of 10000 concurrent sessions. A session constitutes any device actively connected into Good Connect and using the service. If you anticipate more than 10000 concurrent sessions, you should install a second Good Connect Server. Each Good Connect server’s host information also needs to be entered in the Good Control console. See Configuring Good Control for instructions on setting up Good Control.

8. Exchange Conversation History screen

The Exchange Conversation History screen information enables Good Connect to archive conversations to Exchange via Exchange Web Services. Good Connect server supports four ???? different schema types for Exchange:

• Exchange 2010
• Exchange 2010 SP1
• Exchange 2010 SP2

If you are using Exchange 2010 SP3, select Exchange 2010 SP2.


Prior to installation, the Good Admin must follow the steps in Section 9 to enable Exchange Conversation history.

9. Web Proxy screen

If your Enterprise uses a web proxy to restrict access to the Internet, then you must select the Web Proxy checkbox.


The Good Connect server supports the following web proxy types: None, NTLM, Digest, or Basic Authentication. Select the authentication type used by your Enterprise’s web proxy and enter the appropriate information.

The Good Connect Installer securely stores the username and password in the Windows Credential Manager. If you run the Good Connect Windows service as a different user from the one that installs Good Connect, you will need to manually add the web proxy username and password to the Windows Credential Manager as described in the following steps:

    1. Log in to the Good Connect server as the run user (this is the domain user as defined in the Good Connect Server Host Information screen).
    2. Launch cmd.exe as Administrator.
    3. Execute the command:

        cmdkey /add:GoodConnectWebProxy /user:foouser /pass:foopass

10. Good Connect Server Location screen

Click Next unless you want to change the default installation directory location.

11. Pre-installation Summary screen

Review the summary information and make sure the values are correct before clicking the Install button.

12. Installation screen


13. Finalize screen

The information gathered during this installation is available for review in the Good Connect Server’s configuration file.

Good Connect Windows Service

After installation, the Good Connect Server is listed in the Microsoft Windows Services interface.

Good Connect can run as another domain user given the following:

• The alternate domain user must have access to the private key of the computer certificate. See SSL Certificate Requirements for additional details.
• The alternate domain user must be enabled to Log on as a service through the Local Security Policy tool.

The following steps explain how to make sure your account has Log on as a service privileges:

1. Run the Local Security Policy admin tool on the Good Connect host.
2. Expand the Local Policies folder in the navigation pane on the left.
3. Select the User Rights Assignments folder to see a list of policies in the right pane.
4. Double-click the Log on as a service policy to add your account.


APNS Web Proxy Support

If the host machine for Good Connect server must work with a web proxy to access the Internet, and you did not install the Good Connect server with Web Proxy enabled, you will need to manually configure the web proxy. To do so, set the configuration parameters outlined below, then store the user credentials for "GoodConnectWebProxy" in Windows Credential Manager.

Important: Make sure that Good Connect Server is running as a user account which has been granted local administrator privileges.

Setting Your Proxy Configuration Parameters

Edit the GoodConnectServer.exe.config file located by default in C:\Program Files\Good Technology\Good Connect Server. Note: You must restart the Good Connect Server after updating the parameters.

• GD_APN_PROXY_TYPE
• GD_APN_PROXY_HTTP_HOST
• GD_APN_PROXY_HTTP_PORT

See Appendix A for the complete list of parameters, format, and expected values.

Storing User Credentials

Execute the following from the cmd prompt as a local administrator, replacing <username> and <password> with what is required:

    cmdkey /add:GoodConnectWebProxy /user:<username> /pass:<password>

If you don’t want to store the password value and would prefer to be prompted for it, omit the value so the command looks like this:

    cmdkey /add:GoodConnectWebProxy /user:<username> /pass:

Again, make sure you are using a user account that has local administrator privileges. Good Connect™


Configuring for Global Catalog

If your organization plans to support Good Connect users from multiple domains within the same forest, follow these instructions so users can be accessed from the Global Catalog.

To configure Good Connect to use the Global Catalog:

1. Click the Attributes folder in the snap-in.
2. In the right panel, scroll down to the desired attribute, right-click it, and then click Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.
5. Confirm publication of the following attributes to the Global Catalog:
   • msrtcsip-primaryuseraddress
   • mail
   • telephoneNumber
   • displayname
   • title
   • mobile
   • givenName
   • sn
   • sAMAccountName
6. Edit the GoodConnectServer.exe.config file in C:\Program Files\Good Technology\Good Connect Server as follows:

Note: You must restart the Good Connect Server after updating the parameters.


Repairing/Upgrading the Good Connect Server

Repair and Upgrade options are available in the Good Connect 2.1 installer. These options are present when the installer detects a previous installation of the Good Connect server.

Note: Please make a backup copy of the config file prior to repair or upgrade. Custom configuration settings for EWS will not be copied over; you will need to copy them back into the configuration file after repair/upgrade.

Repairing the Good Connect Server

The Good Connect 2.1 installer allows restoration of the Good Connect server installation. This process reverts the Good Connect Server executables, binaries, and configuration parameters to the values of the last successful installation. Any changes made manually are discarded during the repair process.

Upgrading from Good Connect 1.2

When upgrading from the 1.2 version of the Good Connect server, the following configuration information is preserved:

• GD hostname
• GD port
• Web Proxy Address
• Web Proxy Port
• Web Proxy Authentication Method
• Web Proxy Domain

The installer does not create a backup of the configuration file (GoodConnectServer.exe.config). However, if the installer finds gaslampdb.db3, a migration script will be executed to move offline/missed messages to the Good Connect database.

Upgrading from Good Connect 2.1

For upgrades from the Good Connect 2.1 version, the installer will create a backup copy of the configuration file. All the values (except passwords, which must be re-entered) will be pre-populated in the installer panels. Good administrators have the option of making changes during the upgrade process.

Configuring Good Control

There are two configuration steps you need to perform in Good Control.


Entering the Server Pool Information and IM Platform Type

In the Good Control Server Info section of Good Connect, enter the Hostname and Port for each Good Connect server, and the Configuration information. This configuration information gets delivered to Good Connect clients and dictates the available servers a client may connect to. All servers listed in the Configuration information should also be listed in the table above the Configuration box.

For each Good Connect server:

• Hostname:
• Port:

After listing all the Good Connect servers:

• Configuration: PLATFORM=LYNC SERVERS=

Listing Approved Server Hostnames and Ports

In Good Control’s Client Connections option under Settings, define the allowed domains and servers that the Good Connect client application can connect to within the corporate network. We recommend you whitelist each individual Good Connect Server as shown in the example below.


Controlling Browser and Map Behavior

Good Connect supports the option to control whether the local device browser application can be used when tapping on a webpage URL and whether the map application can be used when tapping on an address. The following steps explain how to disable this access by using Good Control’s Policy Sets option:

1. Select the policy set where you wish to disable access.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the App Settings tab.
5. Uncheck or disable either or both options to disable the respective access.
6. Click Update.


Enabling Disclaimer

Good Connect supports the option to display a Corporate Policy disclaimer at the top of every new conversation within the Good Connect client. To enable this disclaimer using the Policy Sets option:

1. Select the policy set where you wish to add the disclaimer.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Disclaimer tab.
5. Check or enable the Display Disclaimer option.
6. Type or paste your disclaimer text into the textbox.
7. Click Update.


The Good Connect client will display this disclaimer on top of each new conversation window.

Disabling Conversation History

Good Connect supports the option to disable storing conversation history on the Connect client and limit the length of a conversation to 40 messages. The following steps explain how to disable conversation history by using Good Control’s Policy Sets option:

1. Select the policy set where you wish to disable conversation history.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Conversation History tab.
5. Uncheck or disable the “Save more than 40 messages in a conversation history on the device” option.
6. Click Update.

Configuring Good Connect User Affinity

It is possible for a Good Connect administrator to pin a user to a cluster of Good Connect servers instead of letting the system randomly assign that user to a server from a master list.

ABC Company Example

ABC company has two Lync pools, a West Coast pool which hosts users in the west coast offices and an East Coast pool which hosts users in the east coast offices. ABC company sets up a Good Connect server for each pool, but only sets up one Good Control and Good Proxy cluster as shown below:

When Aaron Beard launches the Good Connect client, Good Control sends the list of servers to his client. In this case, the list of servers includes both the West Coast server and the East Coast server. The client randomly chooses a Good Connect server, so Aaron has a chance of getting connected to the East Coast server instead of the West Coast server. Enabling user affinity allows Aaron to always connect to the West Coast server.

Enabling User Affinity

The following steps explain how to create a user affinity for a given Good Control server.

1. Create/Select the policy set for which you wish to create user affinity.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Check the Server Configuration.
5. Type or paste your connect server host in the textbox.
6. Select Platform (Lync or Sametime).
7. Click Update.
8. Select the User Accounts option and select Manage Users.
9. Select the user for whom you wish to set this policy.
10. Set the West Coast Connect Users policy set for the user.

Configuring MS Exchange Conversation History (Optional)

Good Connect optionally supports saving instant messaging chats to MS Exchange’s “Conversation History”. As a prerequisite to enabling this functionality, the following configuration changes must be implemented:

• Auto-discovery must be enabled on the MS Exchange server.
• Lync/Exchange integration must be enabled.
• MS Exchange SSL certificates must be installed on the Good Connect server in order to establish secure communication.


Note: If the SSL certificate on the Good Connect server is incorrectly installed, the history logging to Exchange will fail.

• On the Good Connect Windows Service account, set up the ApplicationImpersonation management role for the security principal. This is accomplished on the Exchange server in the Exchange Management Console using the New-ManagementRoleAssignment cmdlet.

  Note: The following command enables application impersonation for all users to the Good Connect service account; however, every user may not be Lync enabled. Permissions can be granted only to a scope of mailboxes, if this is required. See Microsoft documentation for more details on Configuring Exchange Impersonation.

  New-ManagementRoleAssignment -Name "ApplicationImpersonation - Good Connect" -Role "ApplicationImpersonation" -User [email protected]

• Good Connect configuration parameters must exist in the configuration file. The 2.2 Good Connect Installer automatically handles adding these parameters during installation.
  • EWS_HOST is the server which hosts Exchange Web Services (normally the Client Access Server). If this setting is null or missing, conversation history is disabled. If it is invalid, errors will occur and conversation history will not be saved. At least one message will be written to the Windows event log.
  • EWS_HISTORY_INTERVAL_MINUTES – Default value is 5. Describes how often history should be saved. A value of 0 means that history will be saved only when the conversation is terminated (chat window is closed).
  • EWS_VERSION – Default value is 2. It is a characteristic of the EWS interface that this setting must be no higher than the version in use, otherwise communications will fail. We require Exchange 2010 SP1, so the recommended setting is 2.
    • 0 for Exchange 2007 SP1
    • 1 for Exchange 2010
    • 2 for Exchange 2010 SP1
    • 3 for Exchange 2010 SP2 or SP3
    • 4 for Exchange 2013

When the MS Exchange server requires credential authentication from a remote server (in this case, the Good Connect server), follow these instructions:

1. Log in to the Good Connect server using the Good Connect Windows Service account.
2. Open the Windows Vault and select "Manage your network credentials".
3. Create a new credential set under the application name "GoodConnectEWS".


If no credential set is provided, the same credentials used by the service ("default credentials") will be used to authenticate with Exchange.

Enabling SSL Support via Good Proxy

The Good Connect server can be configured to run securely using SSL (https). By default, this is not enabled. This section describes the requirements to set up the Good Connect server for SSL connections from Good Connect clients. The yellow highlight in the following figure shows the path to the Good Connect server from the Good Connect client.

The Good Connect server requires a signed server SSL certificate from a third-party Certificate Authority (CA). Presently, the Good Dynamics (GD) SDK only supports the use of third-party certificates for GD applications. Good Connect is based on the GD SDK framework and is subject to this requirement. If you are using an enterprise CA, or are familiar with how to create a no-template legacy key Certificate Signing Request (CSR), please review this section for the required properties and recommended optional settings for creating the CSR.

The processes covered in this section provide detailed steps to accomplish the following high-level tasks:

1. Creating the CSR.
2. Binding the SSL certificate.
3. Configuring the Good Connect server to use the new certificate.
4. Configuring the Good Connect client to start sending requests over SSL.


Creating the CSR

Start by creating the CSR through the Microsoft Management Console (MMC) Certificates snap-in for the local computer hosting the Good Connect server. The following steps explain what is required to create the CSR.

1. Launch the Microsoft Management Console.
2. Select File > Add/Remove Snap-in > Select Certificate.
3. Select Computer Account, Next, Local Computer, Finish.
4. Select Certificates > Personal > Certificates. Note that the final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal.
5. Select More Actions.

6. From More Actions, click on the following:  All Tasks > Advanced Operations > Create Custom Request.

7. Select the Legacy key template, using the PKCS #10 request format.

8. If you are prompted to use your Active Directory Enrollment Policy, click on Proceed without enrollment policy.


9. On the Certificate Information screen, click on the request’s Details and then click on Properties.

10. On the General tab, enter a value for the Friendly name, such as the hostname.

11. On the Subject tab, select the type Common name and enter the fully qualified domain name of your Good Connect server. In this example, server1 is a member of the servers domain, which is a subdomain of domain.tld.

12. Select and enter the remaining subject types and values as illustrated here.


13. On the Extensions tab, expand the Key usage section and add Data encipherment.

14. On the same tab, expand the next section titled Extended Key Usage (application policies) and add Server Authentication.

15. On the Private Key tab, expand the section titled Key type and select Exchange.

16. On the same tab, expand the section titled Key options.
    a. Change the Key size to 2048.
    b. Enable Make private key exportable.
    c. Enable Allow private key to be archived.


17. Click on the OK button to proceed with generating the CSR, then click on Next and continue through to the end where you specify the .req (text file) to be created.

18. Edit the CSR request, copy the text and paste it in the VeriSign Validate a CSR validator to confirm there are no errors: https://ssl-tools.verisign.com/checker/

Send the New CSR to a Well-Known Third-Party CA

You need to send the new CSR to a well-known third-party CA and purchase a certificate for your server. The third-party CA may also send you a file that contains the full certificate chain, including possible intermediate certificates. Please install all relevant certificate files that you receive on the server that generated the CSR.

Binding the SSL Certificate

You must import the third-party CA signed certificate and any other required intermediate certificates prior to following the instructions in this section.


This section details the steps needed to bind the third-party CA signed SSL certificate to the SSL port you wish to use on your Good Connect server. This port binding exercise must be completed prior to executing the steps in the following sections.

Step 1: Copy the certificate's thumbprint

1. Double-click on the certificate in the Certificate snap-in, then click on Details to switch to that tab.
2. Change the Show value to Properties Only to filter out other details.
3. Click on Thumbprint to display the thumbprint value.
4. Copy the thumbprint value from the lower text box in this dialog window.
5. Paste the thumbprint into a text editor.
6. Use search and replace to find all spaces and delete them, so “ 08 82 41 2f…” becomes “0882412f…”
7. Copy this modified version of the thumbprint value into the clipboard for the next step.

Step 2: Open the cmd prompt as an administrator and type the following as one line:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}

1. Replace “<thumbprint>” with the thumbprint copied from step 1.
2. Replace “<port>” with the port number you wish to use, such as 8082.
3. Copy and paste the remainder of the parameters listed here:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}

Step 3: Confirm the certificate binding by executing the following command:

netsh http show sslcert
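The thumbprint clean-up and binding command from Steps 1 and 2, as an added PowerShell example that is not part of the Good guide. The function names and the padded sample thumbprint are constructed for illustration; the appid is the one given in Step 2, written in standard 8-4-4-4-12 GUID form.

```powershell
# Added example, not from the Good Connect guide. Function names are hypothetical.
# AppId: the value given in Step 2, in standard 8-4-4-4-12 GUID form.
$GoodConnectAppId = '{AD67330E-7F41-4722-83E2-F6DF9687BC71}'

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Raw)
    # Text copied from the certificate Details tab carries spaces and often an
    # invisible Unicode format character (U+200E) in front of the first byte.
    # A plain "delete the spaces" pass leaves that character in place.
    $clean = ($Raw -replace '[\s\p{Cf}]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint: expected 40 hex digits, got '$clean'."
    }
    $clean
}

function Test-BindingCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # The certificate must sit in the computer's Personal store with its
    # private key present and must not be expired.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "No certificate $Thumbprint in Cert:\LocalMachine\My."
        return $false
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $Thumbprint has no private key on this host."
        return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $Thumbprint expired on $($cert.NotAfter)."
        return $false
    }
    $true
}

function Get-SslBindingCommand {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$Port
    )
    $hash = ConvertTo-CleanThumbprint -Raw $Thumbprint
    # Returned as text for the elevated cmd prompt the guide uses; if typed into
    # PowerShell instead, the appid argument has to be quoted because of the braces.
    "netsh http add sslcert ipport=0.0.0.0:$Port certhash=$hash appid=$GoodConnectAppId"
}

# Constructed sample: the guide's "08 82 41 2f" prefix padded with made-up bytes,
# with the invisible U+200E mark in front as the dialog would copy it.
$pasted = "$([char]0x200E)08 82 41 2f 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"
$thumb  = ConvertTo-CleanThumbprint -Raw $pasted

Get-SslBindingCommand -Thumbprint $pasted -Port 8082
if (-not (Test-BindingCertificate -Thumbprint $thumb)) {
    Write-Warning 'Import the CA-signed certificate before running the binding command.'
}
```

With the constructed thumbprint the certificate check warns, since no such certificate exists; with the real thumbprint it should pass before the binding command is run.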

Configuring Good Connect Server to Use the New Certificate

The steps detailed in this section require you to make configuration changes to the Good Connect server. Please make a backup copy of your Good Connect server configuration file before making any changes. For documentation purposes, we will assume that you have installed the Good Connect server in the default location. Please alter the drive:\path\ information to match your actual implementation.

1. Navigate to the C:\Program Files\Good Technology\Good Connect Server\ directory.
2. Edit the GoodConnectServer.exe.config file to administer the following changes. The sections included below contain portions of the configuration file, showing the relative scope where the highlighted text should be inserted. All other sections in the configuration document not listed below do not change.

3. Restart the Good Connect server service for these changes to take effect.

Configuring Good Connect Clients to Send Requests Over SSL

This section describes what you need to change to enable client SSL connections. The changes required here are administered entirely within the Good Control application configuration:

1. If previously installed without SSL, you will need to change the servers you have listed on the Manage Application page, in the Servers tab (illustrated below), or, if you are using User Affinity, in the Application Policies tab of the Policy Set you have defined (also illustrated below).
   a. You will need to add each server’s fully qualified domain name with the new SSL port.
   b. If you had previously installed Good Connect server with non-SSL ports, you will need to remove those entries from this table.


2. The format and port information for the servers you have listed after SERVERS= will need to have https:// added, in addition to using the new SSL port. For example, if you have a cluster of two servers, both using port 8082 for SSL, you would update SERVERS as follows:

SERVERS=https://server1.domain.tld:8082,https://server2.domain.tld:8082

Changing servers in the Manage Application page, in the Servers tab.

Changing servers in Application Policy in the Policy Sets, for User Affinity implementation.


Good Connect Cluster Configuration Maintenance

Always ensure that the Good Connect servers listed in the Good Control application configuration for Good Connect identify installed Good Connect servers in that cluster. If you add a server to the Good Connect cluster, coordinate the timing of the server’s installation with updating the Good Control application configuration for Good Connect, so that the additional server is included after it has been installed and is up and running.

If you temporarily remove a server from the cluster for maintenance, it is not necessary to change the Good Control application configuration for Connect. The Good Connect client will detect that the server is offline and will automatically connect to another Good Connect server in the cluster.

If you permanently remove a server from the cluster, first shut down the Good Connect server, then remove it from the Good Control application configuration.

Troubleshooting

The best place to diagnose issues is the log file in the Good Connect Server folder: C:\Program Files\Good Technology\Good Connect Server\Application-log.txt

Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known.

The hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server.

Correct OCS_SERVER value in the configuration file.

DeregisterReason=None

ResponseCode=480 ResponseText=Temporarily Unavailable

The port number specified in OCS_PORT_TLS is not valid.

Correct OCS_PORT_TLS value in the configuration file.

Microsoft.Rtc.Signaling.RegisterException: The endpoint was unable to register. See the ErrorCode for specific reason.

ErrorCode=-2146233088 FailureReason=RemoteDisconnected

LocalEndpoint=10.120.165.137:5060 RemoteEndpoint=10.120.167.109:55118 RemoteCertificate= Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) --> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Remote disconnected while outgoing tls negotiation was in progress --> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.

OCS_TRANSPORT was specified as TLS, however the port number provided was TCP.

Change the OCS_PORT_TLS to 5061.

Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any address and port supplied.

UCMA_APPLICATION_PORT number specified in the configuration file is either blocked by a firewall or used by another application.

Unblock port if it is a firewall issue or choose another port number.

Failed to start GoodConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found.

The certificate's subjectName must contain the local host's FQDN and the private key for the cert must be enabled for the user which executes the Good Connect Server.

Enable private keys for this cert for the user running the Good Connect Server.


Appendix A – Good Connect Server Configuration File

After installation, you can update the Good Connect configuration file at \Good Technology\Good Connect Server\GoodConnectServer.exe.config

Note: You must restart the Good Connect Server after updating the parameters.

UCMA_APPLICATION_NAME
Required: Yes
Description: Name of application as defined through the installation provisioning process.
Default: Generated during application provisioning

UCMA_GRUU
Required: Yes
Description: GRUU - Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application.
Default: Generated during application provisioning

UCMA_APPLICATION_PORT
Required: Yes
Description: The fixed port used by the Good Connect Server to receive messages from the enterprise IM server.
Default: 49555

OCS_SERVER
Required: Yes
Description: FQDN (Fully Qualified Domain Name) of the Microsoft Lync Front-End server or Front-End server pool.

GD_HOST
Required: Yes
Description: Good Dynamics Proxy host.

GD_PORT
Required: Yes
Description: Good Dynamics Proxy port.
Default: 17080

BASE_ADDRESS
Required: Yes
Description: URL for the Good Connect Server which takes the form of http://goodconnect.mycompany.com:8080/

BUILD_VERSION
Required: Yes
Description: The version number of the Good Connect Server build.
Default: Auto-populated

SESSION_TIMEOUT_SECS
Required: Yes
Description: The number of seconds a client is allowed to remain idle.
Default: 86,400 (24 hours)

ACTIVE_DIRECTORY_CACHE_REFRESH_SECS
Required: Yes
Description: The number of seconds the Good Connect Server waits before synchronizing with the Active Directory. Any value smaller than 7200 is ignored in favor of 7200 seconds.
Default: 86,400 (24 hours)

GD_USE_SSL
Required: Yes
Description: Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecure port (17080).
Default: False

APN_SOUND
Required: Yes
Description: Play sound when an Apple device receives a push notification.

APN_BADGE
Required: Yes
Description: Determines whether or not to use the badge graphic for Apple push notifications.
Default: True

APN_ALERT
Required: Yes
Description: Apple push notification message string that notifies a user that there are unread messages.
Default: “You have number unread messages.”

APN_SLEEP_TIME
Required: Yes
Description: The number of milliseconds the Good Connect Server waits in between queued Apple push notifications.
Default: 100

ACTIVE_DIRECTORY_SEARCH_RESULT_MAX
Required: Yes
Description: The upper limit on the number of hits from a search of the Global Address List (GAL).
Default: 150

GD_APN_PROXY_TYPE
Required: No
Description: Web Proxy Authentication Mechanisms. Acceptable values are:
• “” (empty string for no proxy)
• “Basic No Auth”
• “Basic”
• “Digest”
Default: “”

GD_APN_HTTP_URL
Required: Yes
Description: WebService URL for Good Dynamics Apple Push Notification Service (APNS)

GD_APN_PROXY_AUTH_DOMAIN
Required: No
Description: Web Proxy Domain
Default: Deprecated.

GD_APN_PROXY_AUTH_USERNAME
Required: No
Description: Web Proxy Username
Default: Deprecated.

GD_APN_PROXY_AUTH_PASSWORD
Required: No
Description: Web Proxy Password
Default: Deprecated.

GD_APN_PROXY_HTTP_HOST
Required: No
Description: Web Proxy Host

GD_APN_PROXY_HTTP_PORT
Required: No
Description: Web Proxy Port

GD_APNS_BLACKLIST_RETRY_NO
Required: Yes
Description: Specifies # of retries after the server receives APNS response where the token has been blacklisted.
Default: 3

DB_TYPE
Required: Yes
Description: SQLSERVER or ORACLE depending on what database is used.

DB_AUTHTYPE
Required: Yes
Description: USE_INTEGRATEDAUTH when specifying Windows integrated authentication, otherwise SQL Server authentication will be used.

DB_HOST
Required: No
Description: Only valid if DB_TYPE=ORACLE

DB_PORT
Required: No
Description: Only valid if DB_TYPE=ORACLE

DB_SERVICE
Required: No
Description: Only valid if DB_TYPE=ORACLE, Oracle database instance name.

GASLAMP_USERNAME
Required: Yes
Description: Windows Service account.

DB_INIT_CATALOG
Required: No
Description: SQL Server database name. Only valid if DB_TYPE=SQLSERVER
Default: GoodConnect. Set by installer, do not change.

LYNC_DB_CONNECTIONSTRING
Required: No
Description: SQL Server connection string for the Lync/OCS database.

DB_SESSION_TIMEOUT_SECS
Required: Yes
Description: Time limit for searching the Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING.
Default: 300

EWS_HOST
Required: No
Description: FQDN of the Exchange server to which the Good Connect Server will write conversation history

EWS_HISTORY_INTERVAL_MINUTES
Required: No
Description: Defines the interval in minutes the Good Connect server will wait before writing to Conversation history. 0 means that conversation history is written only after the conversation has been terminated.
Default: 5

EWS_VERSION
Required: No
Description: Version of Exchange server.
• 0 for Exchange 2007 SP1
• 1 for Exchange 2010
• 2 for Exchange 2010 SP1
• 3 for Exchange 2010 SP2 or SP3
• 4 for Exchange 2013
Default: 2

DB_RECONNECT_WAITTIME_SEC
Required: Yes
Description: # of seconds to wait before attempting to reconnect to the database.
Default: 300

DB_RECONNECT_TRY_NUM
Required: Yes
Description: # of times the Connect server retries reconnecting to the database after a failure to connect to the database.
Default: 3

AD_USERS_SOURCE
Required: No
Description: Parameter indicates if Good Connect server should read AD or GC for SIP-enabled users. Value can be “GC” or “LDAP”. Default is LDAP if empty.

AD_USERS_SOURCE_DOMAIN
Required: Yes, if users source is GC
Description: Domain for AD or GC to query. This value should be in LDAP format.
Default: i.e. DC=GOOD,DC=COM


Appendix B – Troubleshooting SSL Certificate Exceptions

If the SSL certificate requirements defined in SSL Certificate Requirements have been met and you are still getting the following error:

Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.Rtc.Internal.Sip.TLSException

then it is possible that the SSL certificate has not been created with the correct CSP and key spec. Follow the steps below to check the CSP and key spec on the SSL certificate.

1. Open cmd/powershell on the Good Connect server.
2. Execute command: certutil.exe -v -store "my" "" > c:\temp\ssl.txt
3. Open c:\temp\ssl.txt with your favorite editor and search for “CERT_KEY_PROV_INFO_PROP_ID”. You should see:

CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
  Provider = Microsoft RSA SChannel Cryptographic Provider
  ProviderType = c
  Flags = 20
  KeySpec = 1 -- AT_KEYEXCHANGE

Provider, provider type and keyspec must be exactly the values listed above. If not, you will need to reissue a new SSL certificate with appropriate provider and key spec values.
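The check in step 3 can be done without reading the dump by eye. The following added PowerShell example (not part of the Good guide; function names are hypothetical) parses the CERT_KEY_PROV_INFO_PROP_ID block and compares it with the three values this appendix requires. It runs on the dump shown above and on a second dump constructed here to show a failing certificate.

```powershell
# Added example, not from the Good Connect guide. Function names are hypothetical.
# Required values are the ones this appendix lists.
$Required = @{
    Provider     = 'Microsoft RSA SChannel Cryptographic Provider'
    ProviderType = 'c'
    KeySpec      = '1'      # AT_KEYEXCHANGE
}

function Get-KeyProvInfo {
    param([string[]]$Lines)
    # Collect "Name = value" pairs from the first CERT_KEY_PROV_INFO_PROP_ID
    # block; stop when the next CERT_*_PROP_ID property begins.
    $info = @{}
    $inBlock = $false
    foreach ($line in $Lines) {
        if ($line -match 'CERT_KEY_PROV_INFO_PROP_ID') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($line -match '^\s*(Key Container|ProviderType|Provider|Flags|KeySpec)\s*=\s*(.*?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        }
        elseif ($line -match '^\s*CERT_\w+_PROP_ID') { break }
    }
    $info
}

function Test-KeyProvInfo {
    param([hashtable]$Info)
    if ($Info.Count -eq 0) {
        return @('No key provider information found for this certificate.')
    }
    $problems = @()
    foreach ($name in 'Provider', 'ProviderType') {
        if ($Info[$name] -ne $Required[$name]) {
            $problems += "$name is '$($Info[$name])', expected '$($Required[$name])'."
        }
    }
    # "1 -- AT_KEYEXCHANGE" -> "1"
    $keySpec = ("$($Info['KeySpec'])" -split '\s+')[0]
    if ($keySpec -ne $Required['KeySpec']) {
        $problems += "KeySpec is '$keySpec', expected '1' (AT_KEYEXCHANGE)."
    }
    $problems
}

# Dump as shown in this appendix.
$guideDump = @'
CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
  Provider = Microsoft RSA SChannel Cryptographic Provider
  ProviderType = c
  Flags = 20
  KeySpec = 1 -- AT_KEYEXCHANGE
'@ -split "`r?`n"

# Constructed failing dump: a signature-only key in a general-purpose CSP.
$constructedBad = @'
CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = constructed-container-name
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  ProviderType = 1
  Flags = 20
  KeySpec = 2 -- AT_SIGNATURE
'@ -split "`r?`n"

$cases = @(
    @{ Name = 'guide dump';       Lines = $guideDump },
    @{ Name = 'constructed dump'; Lines = $constructedBad }
)
foreach ($case in $cases) {
    $problems = @(Test-KeyProvInfo -Info (Get-KeyProvInfo -Lines $case.Lines))
    if ($problems.Count -eq 0) {
        "$($case.Name): OK"
    }
    else {
        "$($case.Name): certificate must be reissued"
        $problems | ForEach-Object { "  $_" }
    }
}

# Live use on the Good Connect server: read c:\temp\ssl.txt from step 2, e.g.
#   Test-KeyProvInfo -Info (Get-KeyProvInfo -Lines (Get-Content c:\temp\ssl.txt))
```

Only the first CERT_KEY_PROV_INFO_PROP_ID block in the input is examined, so the dump should contain the one certificate being checked.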


Glossary

A

Access Key
Part of the activation key that is different for every GD application activation. Access keys consist of 15 letters and numbers. Access keys are generated by the enterprise GC server.

Activation Key
All the credentials necessary for activation of a GD application for an end user. The necessary credentials are a provisioning ID and an access key.

AD
Active Directory

ADSI
Active Directory Services Interface

ADT Plugin
Android Development Tools Plugin

Affinities
The feature that enables enterprises to allocate their GP servers between their GC servers and their application servers. Allocation can be an absolute division, or based on a priority order, or both.

Application Policies
The feature that enables GD application developers to add policies that are specific to their application to a GC server. Application policies are defined by developers, using an XML file format.

Application-Based Service
A GD shared service that is provided by GD applications. An application-based service uses Good Dynamics AppKinetics for communication.

Authentication Delegation
The feature for transferring authentication of the end user from one application to another. An application for which authentication is delegated does not display its unlock screen, and does not have its own security password. Authentication delegation can be used between two GD applications, and between GD applications and the GFE mobile client. Authentication delegation is controlled by the enterprise administrator through the management console of the respective software product, either GC or GFE Good Mobile Control.


C

CIFS
Common Internet File System - the standard way that computer users share files across corporate intranets and the Internet. An enhanced version of the Microsoft open, cross-platform Server Message Block (SMB) protocol, CIFS is a native file-sharing protocol in Windows.

CLI
Command Line Interface

COTS
Commercial Off the Shelf HTTP Proxy

D

DC
Direct Connect

DMZ
Demilitarized Zone

DMZ proxy for Direct Connect
HTTP proxy in the enterprise perimeter network that relays DC connections.

F

FQDN
fully qualified domain name

G

GC
Good Control server. The GD server component which hosts the web-enabled Good Control management console, or GC console, for managing permissions and settings for Good Dynamics applications. GC resides on a machine belonging to your organization.

GD
Good Dynamics. Good product that gives companies a set of development tools to create their own secure apps built on the technology used to create GFE.


GD Application ID The unique identifier used throughout GD to identify the application for the purposes of entitlement, publishing and service provider registration.

GD Authentication Token mechanism A token-based single sign-on feature that enables an end user to be authenticated by an application server without the need for entry of any further credentials.

GD Direct Connect The feature for relaying GD communication through a proxy in the enterprise perimeter network (also known as DMZ or demilitarised zone) instead of through the GD NOC. This feature also enables GP servers to be deployed in the enterprise perimeter network, instead of behind the firewall.

GD Enterprise Servers Two GD components installed behind the enterprise firewall: Good Control (GC) and Good Proxy (GP).

GD NOC Good Dynamics Network Operations Centre - provides a secure communications infrastructure between the GD Runtime on the mobile device and the GD enterprise servers behind the firewall.

GD Runtime The component that is embedded in a mobile application to enable its connection to the GD platform and container. Every GD application includes an instance of the Good Dynamics Runtime. Alternative form: Good Dynamics Runtime

GD SDK Good Dynamics Software Development Kit. The products that enable developers to build GD applications from source code in the native programming languages of the mobile platform. Native source code includes, for example, Objective-C on iOS, and Java on Android. Other forms: Good Dynamics SDK, Good Dynamics Software Development Kit

GD Shared Services Framework for collaboration that includes Application-Based Services and Server-Based Services. Both types of service use a consumer-provider model. The consumer is always a GD application. The provider of an application-based service will also be a GD application. The provider of a server-based service will be an application server. Alternative forms: GD Shared Services, Good Dynamics Shared Services Framework, GD Shared Services Framework, Shared Services Framework


GD Wrapped Application An application in which the GD Runtime has been embedded by using the GD Wrapping process. Other form: Good Dynamics Wrapped Application

GD Wrapping The product for embedding the GD Runtime in a mobile application executable without requiring access to application source code. Other form: Good Dynamics Wrapping

GDN Good Developer Networking. A web portal to support app development.
• Download the Good Dynamics SDK
• Download the Good Dynamics Servers
• Access technical support, the Good Community, and other resources
• Get notifications for technical updates
• Get access to Good Dynamics enabled applications
• Connect with developers and Good ISV partners

GEMS Good Enterprise Mobility Server

GFE Good for Enterprise

GNP Good Notification Push. Protocol that allows notification messages to be pushed from an application server to a GD app.

Good Dynamics AppKinetics™ Mechanism for secure exchange of application data between two mobile applications on the same mobile device. AppKinetics data exchange uses a consumer-provider model. One application in the exchange provides a service that is consumed by the other.

GP Good Proxy. The GD server component which provides a secure bridge between the GC server and your enterprise application servers, if any exist, and delivers messages to and from GD applications. GP resides on a machine belonging to your organization.

GRP Good Relay Protocol. Protocol for end-to-end secure communications between the GD app and the GP server.

GUID Globally Unique Identifier - a unique reference number used as an identifier; the term typically refers to various implementations of the universally unique identifier (UUID) standard. See UUID.


GW Good Wrapping. The GD server component which can be used to wrap non-GD iOS applications with GD technology, allowing you to secure your applications without the need for additional programming or access to source code. GW resides on a machine belonging to your organization.

H

HTML/CSS/JS Hypertext Markup Language, Cascading Style Sheet, and JavaScript, which are the languages used to code applications in the Adobe PhoneGap MEAP.

I

IDE Integrated Development Environment

IOPS Input/Output Operations Per Second (pronounced eye-ops) is a common performance measurement used to benchmark computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN). As with any benchmark, IOPS numbers published by storage device manufacturers do not guarantee real-world application performance.

ISV Independent Software Vendor - a third-party software developer or reseller who has executed a partnership agreement with Good.

J

JKS Java keystore

JSON JavaScript Object Notation, the format used for AppKinetics service definitions files. JSON is a standard.

K

KCD Kerberos Constrained Delegation. A single sign-on feature that enables an end user to be authenticated by an application server that uses Kerberos, without the need for entry of further credentials.


KDC Key Distribution Center. A logical component of the Kerberos infrastructure.

L

LDAP Lightweight Directory Access Protocol - a directory service protocol that runs on a layer above the TCP/IP stack

LUN In computer storage, a logical unit number, or LUN, is a number used to identify a logical unit, which is a device addressed by the SCSI protocol or Storage Area Network protocols which encapsulate SCSI, such as Fibre Channel or iSCSI.

LUSE Logical Unit Size Expansion

M

MAM Mobile Application Management

MMC Microsoft Management Console

MyTerm

O

OWA Outlook Web Access

P

Provisioning ID Part of the activation key that is the same for all GD applications activated by the same end user at the same enterprise. The provisioning ID is typically the end user’s enterprise email address.


R

Relay Server Server in the NOC that provides communications between the GD app and GP servers.

Repository In GEMS-Docs, a repository is a shared data source designated by a Display Name, a Storage Type (File Share or SharePoint), and a Path. Each repository is defined with user access permissions. Repositories can be further organized into Lists. When a repository is a member of a list, it can inherit the user access permissions defined for the whole list.

RTT Round trip time

S

SDK Software Development Kit. Typically a set of software development tools that allows for the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar platform.

Server Clustering A feature within GD that enables enterprises to deploy groups of servers as single nodes in their GD infrastructure. The following servers can be deployed in clusters using this feature: GP, GC, application servers.

Server-Based Service A GD shared service that is provided by application servers. A server-based service could use any communication technology, including HTTP or TCP sockets.

Service Discovery Feature that enables a prospective consumer of a shared service to query for available providers of the service. The result of a service discovery query will be a list of GD applications, for an application-based service, or a list of servers, for a server-based service. Alternative forms: AppKinetics Service Discovery

Service provider registration Activity of adding a GD application or application server to the list of providers of a particular service. The list of service providers is hosted in the GD NOC.


Share In GEMS-Docs, a share is synonymous with a repository and can be one of two storage types: File Share or SharePoint. See Repository.

SPN Service Principal Name

SSL secure socket layer

T

TLS transport layer security

U

UI User Interface

UPN User Principal Name. In Active Directory, this is the name of the system user in email address format.

UUID Universally Unique Identifier - an identifier standard used in software construction. A UUID is simply a 128-bit value. The meaning of each bit is defined by any of several variants. For human-readable display, many systems use a canonical format using hexadecimal text with inserted hyphen characters. For example: de305d54-75b4-431b-adb2-eb6b9e546014. The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination.

UX User Experience
