GEMS Installation and Configuration Guide for Administrators


Good Enterprise Mobility Server™
Product Version: 1.5
Doc Rev 4.4
Issued: 3-Aug-15
Last Updated: 25-Aug-15

Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ("Good"). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser's authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good's sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided "as is" and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good's future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

Copyright All rights reserved. All use is subject to license terms posted at

GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.

Revision History

Log begins 3-Aug-15 for GEMS 1.5 GA

Date / Description

3-Aug-15
- Initial GEMS 1.5 edition published (Rev 4.1)

5-Aug Aug-15
- Added respective HA and DR configuration guidance for each primary GEMS service
- Added .NET Framework as a core requirement, regardless of whether Connect and Presence are configured; updated Appendix A checklists accordingly

17-Aug-15
- Clarified "Enabling KCD on the GEMS Host" under "Configuring Kerberos Constrained Delegation (KCD) for GEMS-Docs"
- Added clarification on service account naming restrictions

18-Jul-15
- Updated Appendix A with corrections/clarification in accordance with field feedback
- Caveat added to Appendix J, limiting its applicability to GEMS 1.3.x and earlier
- Added "Configuring Docs for a Server Already Hosting GEMS" under "Upgrading"

20-Aug-15
- Added "EWS Namespace Configuration" to PNS Prerequisites
- Added UCMA 4.0 prerequisites to 4.11 in Appendix A - Connect and Presence

21-Aug Aug-15
- Amplified "Enabling KCD on the GEMS Host" to require OS privilege for GoodAdmin on all machines running GEMS Docs.
- Added "Using the Docs Self-Service Web Console" under "Managing Repositories"

Table of Contents

Introducing Good Enterprise Mobility Server (GEMS)
Enhanced Notifications
Architecture
GEMS Prerequisites
Upgrade Notes
Supported Upgrades
Additional Considerations
Core Requirements
System and Network Requirements
Good Dynamics Requirements
Configuring the Java Runtime Environment
Setting Up a Windows Service Account for GEMS
Database Requirements
Push Notification Service (PNS) Prerequisites
Supported Exchange Versions
EWS Proxy Support
EWS Namespace Configuration
Create an Exchange Mailbox for the Service Account
Grant Application Impersonation Permission to the Service Account
Set Authentication for the EWS Protocol
Set Up Exchange Autodiscover
PNS Database Requirements
Connect Prerequisites
Microsoft Lync Server Requirements
Preparing the Lync Topology for GEMS
SSL Certificate Requirements for Lync and Presence
Database Requirements
Presence Prerequisites
Docs Service Prerequisites
Server Software and Operating System Requirements
Database Requirements
Directory Lookup Service Prerequisites
Follow-Me Service Prerequisites
Certificate Lookup Service Prerequisites
Installing GEMS
Upgrading
Configuring Docs for a Server Already Hosting GEMS
Docs Upgrade from GEMS 1.4 or Good Share
Additional Required Actions During Upgrade
Downloading and Running the GEMS Installer
Configuring GEMS Core
Configuring Your Dashboard Administrators
Replacing the Auto-Generated Self-Signed SSL Certificate
Importing CA Certificates for GEMS
Enabling GEMS HTTP (Optional)
Configuring GEMS Services
Configuring the Push Notification (Mail) Service
Enabling Exchange ActiveSync (EAS)
Configuring PNS (Mail) in the GEMS Dashboard
Configuring Good Control
Configuring GEMS-PNS for HA
Configuring GEMS-PNS for DR
Device Verification and Testing
Adjusting the Push Notification Cutoff Time
PNS Logging and Diagnostics
Configuring the Connect Service
Configuring Connect in the GEMS Dashboard
Configuring Good Control for Connect
Configuring GEMS-Connect for HA
Configuring GEMS-Connect for DR
Using Friendly Names for Certificates in Connect
Enabling SSL Support Via Good Proxy
Configuring Support for the Global Catalog
Configuring Windows Services
Connect Service Logging and Diagnostics
Configuring the Presence Service
Configuring Presence in the GEMS Dashboard
Configuring Good Control for Presence
Configuring GEMS-Presence for HA
Configuring GEMS-Presence for DR
Using Friendly Names for Certificates in Presence
Logging and Diagnostics
Updating the Connect and Presence Services Using Lync Director
Configuring the Docs Service
Configuring Docs in the GEMS Dashboard
Configuring Good Control for the Docs Service
Troubleshooting the Docs Service
Configuring GEMS-Docs for HA
Configuring GEMS-Docs for DR
Managing Repositories
Admin-Defined Shares
User-Defined Shares
User Repository Rights
Using the Docs Self-Service Web Console
Windows Folder Redirection (Native)
Local Folder Synchronization Offline Folders (Native)
Configuring Support for SharePoint Online/OneDrive for Business
SharePoint Online Authentication Setup
Troubleshooting SharePoint Issues
Configuring Office Web Apps Server (OWAS) for Docs Service Support
GEMS-Docs Service and Good Work Support for OWAS
OWAS Deployment
Troubleshooting
Configuring Kerberos Constrained Delegation (KCD) for GEMS-Docs
Finding the Application Pool Identity and Port
Applying the GEMS Service Account in Active Directory for the Apps and Files
Adding KCD in Active Directory
Adding KCD for User File Shares
Enabling KCD on the GEMS Host
Configuring Good Launcher
Verify Good Enterprise Services in Good Control
Adding GEMS to the Good Enterprise Services Entitlement App
Adding the GES Entitlement App to an App Group
Configuring the Certificate Lookup Service
Maintaining GEMS Cluster Identification in Good Control
Device Provisioning and Activation
Uninstalling GEMS
Removing a Single GEMS Instance
Removing a Connect Instance
Appendix A Pre-Installation Checklists
Push Notifications
Connect and Presence
Docs
Appendix B Importing/Configuring Certificates in the GEMS Java Keystore
Importing a Certificate
Default Location
Default Password
Keystore File Reference
Certificate Format
Importing the Certificate
Configuring HTTPS for GEMS to Good Proxy
Workaround
Resolution
Appendix C Understanding the GEMS-Connect Configuration File
Appendix D Fine-Tuning Your Java Memory Settings
Appendix E IIS SSL Offloading
Appendix F GEMS Windows Event Log Messages
Appendix G File Types Supported by GEMS-Docs
Appendix H Obtaining a Google Cloud Messaging API Key
Creating a Google API Project
Adding the API Key to Good Control
Appendix I Advanced Launcher Setup
Deploying Multiple GEMS
Configuring User Affinity
Additional Considerations
Troubleshooting Launcher Performance
Appendix J Changing the GEMS Dashboard and Web Console Login
Appendix K Migrating Your Good Share Database to GEMS-Docs
Client App Support Considerations
Migrating with Continued Support for Good Share
Migrating to Good Work Only
Noteworthy Feature Differences (GEMS-Docs versus Good Share)
Appendix L Configuring AlwaysOn Support for SQL Server
Setting Up SQL AlwaysOn
Testing Database Failover
Configuring Your GEMS Services Databases for AlwaysOn Availability
Glossary

Introducing Good Enterprise Mobility Server (GEMS)

Leveraging a services-based approach to integrated enterprise mobility, Good Enterprise Mobility Server (GEMS) consolidates the Good Connect and Good Mobile Messaging servers into modules on a standardized architecture. The integrated services offered by GEMS currently comprise Connect, Presence, Push Notifications, Docs, Follow-Me (for Good Launcher), Directory (GAL) Lookup, and Analytics.

The Push Notifications Service (PNS) accepts push registration requests from hand-held mobile devices (iOS, Android, etc.) and then communicates with Microsoft Exchange via its Exchange Web Services (EWS) protocol to monitor the user's enterprise mailbox for changes.

The Connect service boosts user communication and collaboration with secure instant messaging, corporate directory lookup, and user presence from an easy-to-use interface on IT-provisioned mobile devices.

The Presence service furnishes real-time presence status to third-party Good Dynamics applications, giving them a powerful add-in for mobile collaboration.

The Docs service lets your mobile workers access, sync, and share their enterprise file server and SharePoint documents natively, without the need for VPN software, firewall reconfiguration, or duplicate data stores.

A Directory Lookup service gives users the ability to look up first name, last name, and picture from your organization's Global Address List (GAL) and display it within the Good Launcher.

The Follow-Me service supports the Good Launcher on Good Work, and will soon be available on other GD apps like Good Connect and Good Access, keeping the Launcher in sync across multiple devices.

A new Certificate Lookup service retrieves S/MIME digital certificates from the user's Active Directory account and matches the requested key usage. Only the recipient's public certificate is retrieved for matching.
The Analytics service, currently in developer preview and initially comprising an App Usage module, provides traffic and usage metrics for evaluating the effectiveness and impact of the mobile app deployments comprising your GD-GEMS ecosystem: which apps are being used, by whom, for what, how frequently, and for how long.

A browser-based administration console called the GEMS Dashboard gives you the flexibility to configure all server components and services after installation completes. GEMS Web Console, also browser-based, provides real-time monitoring and logging of device connectivity, traffic load and throughput.

"Services," in the context of Good Dynamics (GD), refer to concrete atomic business-level functionality that can be consumed by a plurality of GD Applications. Examples of this are "Look up this contact in the directory", "Subscribe to Presence for these contacts", "Save this file to SharePoint", and so forth. The Good Dynamics Services Framework allows client applications on an authenticated device to discover and utilize services by providing API publication, as well as life cycle and visibility management of services via the Good Developer Network (GDN).

Enhanced Notifications

GEMS 1.3 introduced a greatly improved end-user experience for new notifications in the iOS Notification Center. Notifications now display reliably when Good Work is suspended in the background or even when it is not running at all. As a result, end users can reliably know which messages they have received without having to enter the Good Work app.

In GEMS 1.4, an improved VIP Notification service was introduced with the following enhancements:
- Rules can be set for Sender, Subject, and Priority fields of an
- Automatic passing of rules from Good Work clients to GEMS
- Rules can be synchronized across devices
- Custom sound files can be associated with the rules.

GEMS 1.5 extends the rules-based notification model with additional refinements and enhancements, including:
- Badge count for Good Work updated by the GEMS Push (Mail) Notification service; updating continues even when the app is in offline or background mode.
- Subfolder Notifications for Good Work that send new and changed mail notifications for selected subfolders.
- Web Proxy support for notifications when connecting to O365 Exchange in NTLM, Basic, or Digest authentication mode.

Architecture

At a high level, the GEMS architecture looks like this:

[Diagram: GEMS high-level architecture]

From this architectural view, the diagram does not show how the Good Work application connects to Exchange for accessing . It does, however, show how each GEMS service is accessed by Good Work on end-user devices, which is the GEMS role: to expose secure device-facing services used by Good Work and make them available to other GD-powered apps as well. These services currently include Push Registration, Follow-Me, Presence, Directory Lookup, and Docs.

Communicating via the protocols shown, the feature modules of GEMS integrate with your backend systems of record using a shared SQL Server running multiple databases for Core/ , Connect, and Docs.

For High Availability (HA), GEMS is deployed as a cluster, with all of its device-facing services provided by all instances in the cluster and made available to client devices through the Good Dynamics (GD) infrastructure. Each GD-powered client app connects through a GP cluster deployed on-premise. Entitlement to use GEMS services is managed through Good Control.

A slightly different view, again at a high level, looks like this:

[Diagram: GEMS high-level architecture, alternate view]

Note: While it is possible to consolidate Good Control/Good Proxy and GEMS on the same server, such a configuration will require more memory and CPU on the single server. A single server approach is feasible in a proof-of-concept (POC) environment only. Moreover, if using a single server, you are likely to encounter a port conflict between Good Dynamics and the Lync Presence Provider (LPP). To rectify this conflict on a single machine, start Good Control and Good Proxy after Good Presence.

Another important point to note in the diagram above is that the GEMS-PNS service is utilizing the same database server as Good Control. The database server can be local to Good Control, as depicted, or remote.

These diagrams and the balance of this document assume that necessary supporting infrastructure components like Microsoft Exchange, Microsoft Lync, Active Directory, and Good Control/Good Proxy are present and configured to support existing enterprise network operations. This guide, therefore, restricts itself to step-by-step instructions and guidance for installing GEMS and its Connect, Presence, Docs, and Push Notification services.

The overall process comprises:
- Preparing the Service Environment
- Setting Up a Windows Service Account
- Installing GEMS
- Configuring GEMS Services
- Device Provisioning and Activation

Before attempting installation, be sure to carefully read and confirm that you meet all of the listed requirements.

GEMS Prerequisites

Successful GEMS installation and configuration requires that a supporting infrastructure comprising necessary hardware and software components is already in place. These prerequisites include:
- Core Requirements
- Push Notifications Service (PNS) Requirements
- Connect Requirements
- Presence Requirements
- Docs Requirements
- Directory Lookup Requirements
- Follow-Me Requirements
- Certificate Lookup Requirements

Based on the services you have chosen to deploy, begin the prescribed GEMS service installation and configuration procedures only after verifying that each of the respective prerequisites is in place and operating properly.

Important: If you don't install the required software or fail to configure the requirements correctly prior to beginning installation of GEMS, the server may fail or behave in an unexpected manner.

Upgrade Notes

If you are upgrading from an earlier version of GEMS, please review the following information and then complete the steps below. If this is your first GEMS installation, skip the upgrade steps.

Supported Upgrades

- GEMS 1.4 GA ( ) → GEMS GA 1.5 ( )
- GEMS 1.4 SR 1 ( ) → GEMS 1.5 GA ( )
- GEMS 1.5 Beta-2 ( ) → GEMS 1.5 GA ( )

Additional Considerations

1. Upgrades will create a new SSL certificate.
2. A new option has been added to bypass SSL checking for Exchange mail notifications.
3. When upgrading instances in a cluster, use the GEMS installer to upgrade each GEMS instance in turn.
4. For upgrade situations in which there are multiple GEMS instances pointing to a shared (common) database, new features will not be available until all GEMS instances have been upgraded. In a mixed-version environment, each GEMS instance will continue to function with the earlier version's features. Running in a mixed-version environment for an extended period of time is not recommended.
5. Special characters are now disallowed in the GEMS service account name.

Important: The account name is a different property than the account password, which excludes the use of ';', '/' only, whereas the service account name excludes the use of all special characters. If you are upgrading from a GEMS version in which you included special characters in the service account name, you will need to change the service account name, omitting any special characters, before proceeding with GEMS upgrade.

Core Requirements

Certain basic requirements must be satisfied, in place, and correctly functioning regardless of the service modules (PNS, Connect, or Presence) you are deploying. The core requirements include:
- System and Network Requirements
- Good Dynamics Requirements
- Configuring the Java Runtime Environment (JRE)
- Setting Up a Windows Service Account for GEMS
- Database Requirements

System and Network Requirements

Verify that the designated GEMS machine and its associated environment meet the following (minimum) system and network requirements, bearing in mind that different services and combinations of services (Connect, Presence, and/or Mail) and their respective traffic and use patterns will strongly influence your actual requirements. Refer to the GEMS Deployment Planning Guide for additional scalability and sizing guidance, as well as high availability and disaster recovery recommendations.

Hardware [1]
- 4-core / 2.4 GHz CPU or higher
- 16 GB RAM
- 50 GB disk space
- 100 / 1000 Ethernet Card

Software
- Java Runtime Environment (JRE) 7 Update 67 or higher Java 7 update for Microsoft Windows (64-bit), available for download directly from Oracle. GEMS 1.5 now supports Java 8.

Operating System

Because GEMS uses Microsoft's Unified Communications Managed API (UCMA) to integrate Microsoft Lync with the GEMS Connect and Presence services, the latter also used by the Mail component of Good Work, the OS version required to run GEMS is dependent upon the version of Microsoft Lync deployed. Per guidance from Microsoft, use the following criteria to determine the version of MS Windows Server supported by GEMS:
- For MS Lync 2010 Deployments use Windows Server in one of these 64-bit versions: 2008 R R2 SP1
- For MS Lync 2013 Deployments use Windows Server in one of these 64-bit versions: 2008 R2 SP R2

If Lync is not utilized in your environment, the above OS requirements are still required from an installation standpoint. Due to a limitation in the installer, you will need to choose a version of Lync during the installation process, even though Lync may not be used in your environment.

Supported Microsoft Exchange versions include:
- Exchange 2010 SP 2 RU4 [2]
- Exchange 2013
- Microsoft O365 Hosted Exchange (2010 SP 1+)

Supported Microsoft Lync versions include:
- Lync 2010 (requires .NET 3.5 SP1 and .NET 4.5)
- Lync 2013 (requires .NET 4.5 or 4.5.1)

[1] See GEMS Deployment Planning and Upgrade Guide for scalability and sizing guidelines for your specific enterprise traffic and use profile.
[2] A plus sign ('+') indicates support for service packs and updates released subsequent to the core version.

Supported Browsers

The GEMS Dashboard and the Docs Console are compatible with the following browsers:
- Internet Explorer (IE) 10 and IE 11; IE 9 is not supported
- Firefox 32, 31, 30
- Chrome

Administration Rights
- User performing the installation must have local administrative privileges on the host machine
- GEMS must be able to connect with Microsoft Exchange for PNS
- GEMS must be in the same domain as the Microsoft Lync Server for Connect
- GEMS must be able to communicate with the enterprise's Microsoft Active Directory
- GEMS must have "logon as a service" right
- Local antivirus software must be disabled during installation
- Local Windows firewall must be disabled

Important: A Group Firewall Policy will cause the installer to fail its prerequisite checks, even if the local firewall is disabled.

Inbound TCP Ports (open and ready for GEMS; not blocked by any firewall)
- 8080 from the Good Proxy (GP) server; or 8082, if SSL is required for inbound GP communications
- 8443 from the Good Proxy server for Push Notifications, Presence, and Docs
- from the Lync Server for the Connect Service
- from the Lync Server for the Presence Service

Outbound TCP Ports (not blocked by any firewall)
- 443 to Good NOC (gdweb.good.com)
- 443 to Microsoft Exchange
- 443 to Google Cloud Management (for Android Push Notification)
- 443 or 80 to Microsoft SharePoint
- 443 to Microsoft Office Web Apps Server (OWAS)
- 5061 to the Microsoft Lync Server
- to the Good Proxy server
- to the Good Proxy server
- to the Microsoft SQL Server (default)
- 1434 UDP to the MS Lync database (for initial setup only)
- TCP: Random port in this range to the Lync database (for initial setup only)

[1] GEMS requires visibility of all Good Proxy servers (17080/17433), regardless of whether KCD is enabled or not, so that if one Good Proxy fails, GEMS can communicate with the next Good Proxy in the cluster for authentication tokens, etc.

Important: Mobile devices must be able to connect to the Apple (APNS) and Google (GCM) messaging servers in order to properly receive push notifications from GEMS. If your Wi-Fi network restricts outbound access, please refer to the following articles and make sure the proper outbound ports are open for your mobile devices.
- Ports for APNS: https://support.apple.com/en-us/ht
- Ports for GCM: https://developers.google.com/cloud-messaging/http

Internal Ports (used by GEMS):
- 8080, 8082 for use by the Connect Server
- 8101 for SSH connectivity to GEMS
- 8443 for GEMS-PNS and Presence
- 8099 for use by the .NET Component Manager
- 8060 for use by the Lync Presence Provider (LPP)

TCP/IP Port Access to the Database
- 1433 to the Microsoft SQL Server default

Good Dynamics Requirements

The following minimum GD Server versions should be appropriately installed and configured according to the instructions in the GD Servers Installation Guide.
- Good Control (GC) Server
- Good Proxy (GP) Server

For best performance results, the most current software version available is strongly recommended and is available from the Good Developer Network.

Important: Your Good Dynamics Server(s) must be operating prior to installation of GEMS.

Configuring the Java Runtime Environment

JRE 7 Update 67 or later for Windows x64 or JRE 8 is integral to GEMS support of intranet applications and other e-business solutions that are the foundation of corporate computing. After installing the JRE, the JAVA_HOME system environment variable must be set.

To set the JAVA_HOME system environment variable for GEMS:

1. First, edit the system environment variables:
   a. Select Computer from the Start menu, then click on System Properties.
   b. Click on the Advanced tab, then click the Environment Variables... button.
2. If the JAVA_HOME variable does not exist under PATH, create it and set it to the Java install folder; make sure C:\Program Files\Java\jre7 is appended to the Value string and that the path is set to the 64-bit JRE.
3. Click OK and you're done.

Setting Up a Windows Service Account for GEMS

For the required service account, "GoodAdmin" is recommended. In fact, you can use the same Windows Service Account to install all GEMS service modules; e.g.,

Of utmost importance here is to make sure the service account has the appropriate administrative privileges for all the GEMS service modules you plan to configure and deploy. Permissions for individual service modules may not require the same privilege level as others. Consequently, as you add services to GEMS, you will want to adjust the permissions accordingly.

Important: If you use this same account for GEMS Connect and Presence, you will need to give "GoodAdmin" the RTCUniversalReadOnlyAdmins privilege.

Creating an Active Directory Account for GEMS Services

Set the following attributes for the Good-GEMS AD Account:
- The account name (UID, distinct from the account password) must be strictly alphanumeric; no special characters are allowed; the recommended account name for GEMS is "GoodAdmin"
- Account Password (distinct from the account name above) must not contain these characters: ';', '/'.
- Password Expires option must be set to Never for this account.
- This account (GoodAdmin) should be a member of the local administrator group on the GEMS host machine.

Database Requirements

The following versions of MS SQL Server are supported:
- SQL Server 2014 and 2014 SP1 (64-bit)
- SQL Server 2012 and 2012 SP1 (Standard/Enterprise)
- SQL Server 2008 and 2008 R2 (Standard/Enterprise)
- SQL Express 2008 R2 with Management Tools

If you have not yet installed a supported version of Microsoft SQL Server, please obtain one from the Microsoft Download Center. MS SQL Server 2008 R2 is recommended. For MS SQL Server 2008 R2 setup guidance, see SQL Server Setup. For test lab guidance on setting up SQL Server 2012 Enterprise Edition, click here.

To allow SQL Server Express to accept remote connections:

1. Log in to the database server through Remote Desktop Connections.
2. Click Start > Programs > Microsoft SQL Server 2008/2012 > SQL Server Configuration Manager.
3. Select SQL Server Network Configuration, then double-click Protocols for SQLEXPRESS.
4. Right-click TCP/IP and select Properties, then scroll down to IPAll and make sure (a) TCP Dynamic Ports is blank and (b) TCP Port is set to Click OK.
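A preflight script for the core requirements above (JAVA_HOME on a 64-bit JRE, the service account naming rules, the internal ports GEMS binds, and the outbound ports it needs), added here as an example and not part of the Good guide. Every host except gdweb.good.com is a placeholder, the sample account values are constructed, and the function names are hypothetical.

```powershell
# Added example: preflight for the GEMS core requirements described above.
# Host names and sample account values are constructed placeholders.

function Test-GemsAccountName([string]$Name) {
    # Account name must be strictly alphanumeric (ASCII letters/digits assumed).
    return [bool]($Name -match '^[A-Za-z0-9]+$')
}

function Test-GemsAccountPassword([string]$Password) {
    # Password must not contain ';' or '/'.
    return ($Password.IndexOfAny([char[]]';/') -lt 0)
}

function Get-PeMachine([string]$Path) {
    # Read the COFF Machine field of an executable: 0x8664 = x64, 0x014C = x86.
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40) { return 0 }
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $b.Length) { return 0 }
    return [int][System.BitConverter]::ToUInt16($b, $pe + 4)
}

function Test-JavaHome {
    # JAVA_HOME must be a system (machine-level) variable pointing at a 64-bit JRE.
    $javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
    if (-not $javaHome) { return 'JAVA_HOME is not set as a system variable' }
    $exe = Join-Path $javaHome 'bin\java.exe'
    if (-not (Test-Path $exe)) { return "no bin\java.exe under $javaHome" }
    if ((Get-PeMachine $exe) -ne 0x8664) { return "$exe is not a 64-bit binary" }
    return 'OK'
}

function Get-PortConflicts([int[]]$Ports) {
    # Ports GEMS uses internally must not already be bound by another process.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $inUse = $props.GetActiveTcpListeners() | ForEach-Object { $_.Port }
    return @($Ports | Where-Object { $inUse -contains $_ })
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; works on older PowerShell versions too.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# --- Constructed sample inputs; replace with your own values ---
$accountName    = 'GoodAdmin'
$samplePassword = 'Example;Passw0rd'      # constructed; contains a forbidden ';'

'Account name valid    : {0}' -f (Test-GemsAccountName $accountName)
'Password chars valid  : {0}' -f (Test-GemsAccountPassword $samplePassword)
'JAVA_HOME             : {0}' -f (Test-JavaHome)

# Internal ports listed in the guide: 8080, 8082, 8101, 8443, 8099, 8060.
$conflicts = Get-PortConflicts @(8080, 8082, 8101, 8443, 8099, 8060)
'Internal ports in use : {0}' -f $(if ($conflicts.Count) { $conflicts -join ', ' } else { 'none' })

# Outbound ports taken from the guide; every host but the Good NOC is a placeholder.
$targets = @(
    @{ Name = 'Good NOC';           Host = 'gdweb.good.com';       Port = 443 },
    @{ Name = 'Microsoft Exchange'; Host = 'exchange.example.com'; Port = 443 },
    @{ Name = 'Lync Server';        Host = 'lync.example.com';     Port = 5061 },
    @{ Name = 'Good Proxy';         Host = 'gp.example.com';       Port = 17080 },
    @{ Name = 'Good Proxy';         Host = 'gp.example.com';       Port = 17433 },
    @{ Name = 'SQL Server';         Host = 'sql.example.com';      Port = 1433 }
)
foreach ($t in $targets) {
    $ok = Test-TcpPort -HostName $t.Host -Port $t.Port
    '{0,-20} {1}:{2} -> {3}' -f $t.Name, $t.Host, $t.Port, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}
```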

Push Notification Service (PNS) Prerequisites

GEMS-PNS requires a database, and that you set up a Windows Service Account for GEMS in support of your Exchange environment.

Supported Exchange Versions

In general, EWS push notifications are sent (or pushed) by the server to a client-side web service via a callback address. Push notifications are ideally suited for tightly coupled clients like Good Work and other GEMS-supported apps to which the server has reliable access and the client is IP addressable. When GEMS-PNS is configured, EWS events are sent asynchronously from the mailbox server to the client.

The GEMS version(s) listed in the following table are compatible with the Microsoft Exchange versions indicated.

GEMS Version / Exchange Version / Supported

1.5 (in-cloud and on-premise): Exchange 2007 No Exchange 2010 SP 2 RU Exchange Microsoft O365 Hosted Exchange* (Exchange 2010 SP 1+) Yes Yes Yes Yes

1.4 (in-cloud and on-premise): Exchange 2007 No Exchange 2010 SP 2 RU Exchange Microsoft O365 Hosted Exchange* (Exchange 2010 SP 1+) Yes Yes Yes Yes

1.3 (in-cloud and on-premise): Exchange 2007 No Exchange 2010 SP 1+ Exchange Microsoft O365 Hosted Exchange* (Exchange 2010 SP 1+) Yes Yes Yes Yes

1 Plus sign indicates support for subsequent service packs and updates to the core version.
2 Plus sign indicates support for subsequent service packs and updates to the core version.

GEMS Version / Exchange Version / Supported

1.2 (in-cloud and on-premise): Exchange 2007 No Exchange 2010 SP 1+ Exchange Microsoft O365 Hosted Exchange* (Exchange 2010 SP 1+) Yes Yes Yes Yes

* Certified Rackspace

If you are deploying GEMS in a mixed environment, wherein GEMS and Exchange are not co-located, there are additional requirements/prerequisites which may apply. These scenarios include:

Cloud-based GEMS → On-Premise Exchange
a. You must expose EWS and Autodiscover from your on-premise Exchange to the Internet on port 443.
b. Both Basic Authentication and Windows Authentication are supported for EWS and Autodiscover.

On-Premise GEMS → Cloud-based Exchange
a. You must expose EWS and Autodiscover from Cloud-based Exchange to On-Premise GEMS on port 443.
b. Although both Basic Authentication and Windows Authentication are supported by GEMS, be advised that certain cloud vendors (for instance, O365 and Rackspace) only support Basic Authentication. Please check with your specific cloud vendor for details.

On-Premise GEMS → On-Premise and Cloud-based Exchange (i.e., Hybrid Exchange setup)
a. You must expose EWS and Autodiscover from Cloud-based Exchange to On-Premise GEMS on port 443.
b. Although both Basic Authentication and Windows Authentication are supported by GEMS, be advised that certain cloud vendors (for instance, O365 and Rackspace) only support Basic Authentication. Please check with your specific cloud vendor for details.
c. A GoodAdmin mailbox must first be created on premise and then migrated to the cloud.
d. The GoodAdmin User Principal Name (UPN) must match its SMTP address.
e. The GoodAdmin account must have Impersonation rights on both the On-Premise and O365 Exchange systems. For details, see KB2725.
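To see which of the two supported schemes (Basic or Windows Authentication) an EWS or Autodiscover endpoint actually offers on port 443, the following added PowerShell example, which is not from the Good guide, reads the WWW-Authenticate challenges returned to an unauthenticated request. The host names are placeholders, the function names are hypothetical, and the sample challenge headers are constructed.

```powershell
# Added example: report which HTTP authentication schemes an EWS or
# Autodiscover endpoint advertises. Hosts and sample headers are constructed.

function Get-AuthSchemeSummary([string[]]$Challenges) {
    # Classify WWW-Authenticate challenge values into the two families GEMS
    # supports: Basic, and Windows Authentication (NTLM or Negotiate).
    $joined  = ($Challenges -join ',')
    $pattern = '(^|,)\s*{0}(\s|,|$)'
    $basic   = $joined -match ($pattern -f 'Basic')
    $ntlm    = $joined -match ($pattern -f 'NTLM')
    $nego    = $joined -match ($pattern -f 'Negotiate')
    $windows = $ntlm -or $nego
    if ($basic -and $windows) { return 'Basic + Windows' }
    if ($basic)               { return 'Basic only' }
    if ($windows)             { return 'Windows only' }
    return 'none advertised'
}

function Get-AuthChallenge([string]$Url, [int]$TimeoutMs = 10000) {
    # Send one unauthenticated GET and return the WWW-Authenticate values.
    # Returns $null when no HTTP response was received (DNS, TLS, firewall).
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = $TimeoutMs
    $req.AllowAutoRedirect = $false
    $resp = $null
    try {
        $resp = $req.GetResponse()      # 2xx/3xx answer: no challenge was sent
    } catch {
        # .NET raises WebException for a 401; PowerShell may wrap it.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { return $null }
        $resp = $ex.Response
    }
    try {
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        if ($null -eq $values) { $values = @() }
        return ,$values
    } finally {
        $resp.Close()
    }
}

# --- Offline demonstration on constructed challenge headers ---
$onPremStyle = @('Negotiate', 'NTLM', 'Basic realm="mail.example.com"')
$basicOnly   = @('Basic realm="mail.example.com"')
'on-premise style (constructed) : {0}' -f (Get-AuthSchemeSummary $onPremStyle)
'Basic-only style (constructed) : {0}' -f (Get-AuthSchemeSummary $basicOnly)

# --- Live check; replace the placeholder hosts with your own endpoints ---
$endpoints = @(
    'https://mail.example.com/EWS/Exchange.asmx',
    'https://autodiscover.example.com/autodiscover/autodiscover.xml'
)
foreach ($u in $endpoints) {
    $c = Get-AuthChallenge $u
    if ($null -eq $c) { '{0} : no HTTP response' -f $u }
    else              { '{0} : {1}' -f $u, (Get-AuthSchemeSummary $c) }
}
```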
For additional information on configuring EWS and Autodiscover for external access, refer to the pertinent Microsoft articles on TechNet:
- Configuring the Autodiscover Service for Internet Access
- Configuring EWS for External Access

EWS Proxy Support

Simply put, Exchange Web Services (EWS) lets client applications communicate with the Exchange server using SOAP messages sent by HTTP. Proxying occurs when a client access server (CAS) role sends traffic to another CAS role, two common situations being:

- CAS to CAS communication between two AD sites
- CAS to CAS communication between Exchange 2010 and 2007 or 2003

More to the point, the following CAS protocols/services are proxy enabled:
- Exchange Web Services (EWS) and the availability service (part of EWS)
- Exchange ActiveSync (EAS)
- Outlook Web App (OWA) and Exchange Control Panel (ECP)
- POP3 / IMAP

Proxy support is available for the GEMS versions indicated in the following implementations as defined below:

                                               Proxy Support
GEMS Versions              Remote Endpoint     Transparent   Anonymous   Basic   NTLM
1.1                        NOC                 Yes           Yes         Yes     No
1.2, 1.3, 1.4, 1.5         NOC                 Yes           Yes         Yes     Yes
1.1, 1.2, 1.3, 1.4, 1.5    Remote O365         Yes           No          No      No
1.1, 1.2, 1.3, 1.4, 1.5    On-prem Exchange    n/a           n/a         n/a     n/a

Transparent: also known as an intercepting proxy, inline proxy, or forced proxy, it intercepts normal communication at the network layer without requiring any special client configuration. GEMS doesn't need to be aware of the existence of a transparent proxy, which is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router.

Anonymous: also known as an anonymizer, it attempts to make activity on the Internet untraceable by acting as an intermediary and privacy shield between the client and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.

Basic: based on the model that a client must authenticate itself with a user name and password for each realm. The server services the request if it is resent with an Authorization header that includes a valid user name and password.

NTLM: challenges users who request content for proof of their credentials. The proxy then sends the proof of the user's credentials directly to the Windows domain controller to be validated.
If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy sends an authentication failed message to the user.

EWS Namespace Configuration

If you have Exchange servers deployed in multiple Active Directory sites, a unique internal EWS URL must be configured for each site in order for GEMS Push Notifications to work properly. For example, assume there are two Active Directory sites and each site has two CAS servers, such that:

Site 1: cas1, cas2
Site 2: cas3, cas4

In which case, at least two unique internal EWS URLs are needed (one for Site 1 and one for Site 2) so that the URLs look something like the following:

Site1: https://site1cas.domain.com/ews/exchange.asmx
Site2: https://site2cas.domain.com/ews/exchange.asmx

It is also valid to configure a unique internal EWS URL for each CAS server. Before modifying the internal EWS URL for your CAS servers, however, first check which AD site the CAS servers are in and what the current internal EWS URL is set to by running the following from a CMD prompt on the Exchange server:

    nltest /dsgetdc:mydomain.com

The DC Site Name output parameter indicates the AD site. For more information on how to use the NLTEST command, please see KB

For information on how to check the internal EWS URL on a CAS server, see KB

Create an Exchange Mailbox for the Service Account

Using the Exchange Management Console or Exchange shell, create a mailbox for the GoodAdmin service account. If you are not familiar with how to create a mailbox on Exchange, please refer to the respective Microsoft Exchange resource for additional details and tutorials:
- Exchange Server 2010
- Exchange Server 2013

Grant Application Impersonation Permission to the Service Account

In order for the GEMS Push Notification service to monitor mailboxes for updates, the GEMS Push Notification service account (GoodAdmin) must have impersonation permissions. Execute the following Exchange Shell command to apply Application Impersonation permissions to the GoodAdmin service account:

    New-ManagementRoleAssignment -Name:GoodAppImpersonation -Role:ApplicationImpersonation -User:GoodAdmin

Important: Do not omit this step.

For more information on how to restrict Application Impersonation rights to specific users, organizational units, or security groups, please see the MSDN article "How to: Configure impersonation."
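The unscoped assignment above lets GoodAdmin impersonate every mailbox in the organization. The following is an added example, not part of the original guide, showing one way to restrict that right to members of a single security group. The group name GEMS-Mobile-Users and the scope name GEMS-Impersonation-Scope are assumptions; GoodAdmin and GoodAppImpersonation are the names used in the guide.

```powershell
# Added example: limit which mailboxes the GoodAdmin service account may impersonate.
# Run in the Exchange Management Shell with rights to manage role assignments.
# ASSUMED names (not from the guide): 'GEMS-Mobile-Users', 'GEMS-Impersonation-Scope'.

$serviceAccount = 'GoodAdmin'                 # service account named in the guide
$assignmentName = 'GoodAppImpersonation'      # assignment name used in the guide
$groupName      = 'GEMS-Mobile-Users'         # assumed: group holding GEMS-enabled users
$scopeName      = 'GEMS-Impersonation-Scope'  # assumed: name for the management scope

# MemberOfGroup filters need the group's distinguished name, not its display name.
$group   = Get-Group -Identity $groupName -ErrorAction Stop
$groupDn = $group.DistinguishedName.Replace("'", "''")   # escape quotes inside the filter

# Create the scope once; later runs reuse it.
$scope = Get-ManagementScope | Where-Object { $_.Name -eq $scopeName }
if (-not $scope) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# Look only at assignments made directly to the user, so that assignments
# inherited through role groups are never modified by this script.
$direct = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $serviceAccount |
    Where-Object { $_.RoleAssigneeType -eq 'User' })

if ($direct.Count -eq 0) {
    # No assignment yet: create it already scoped.
    New-ManagementRoleAssignment -Name $assignmentName -Role ApplicationImpersonation `
        -User $serviceAccount -CustomRecipientWriteScope $scopeName | Out-Null
}
else {
    # Assignment exists (for example from the unscoped command above): narrow it.
    foreach ($assignment in $direct) {
        if ($assignment.RecipientWriteScope -eq 'Organization') {
            Set-ManagementRoleAssignment -Identity $assignment.Name `
                -CustomRecipientWriteScope $scopeName
        }
    }
}

# Read the result back. RecipientWriteScope should now show CustomRecipientScope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $serviceAccount |
    Format-Table Name, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Mailboxes outside the scoped group can no longer be impersonated by GoodAdmin, so every user who should receive GEMS push notifications must be a member of that group.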
Set Authentication for the EWS Protocol

The GEMS Push Notification service supports Basic, NTLM and Windows Authentication when connecting with Exchange via EWS. Basic authentication is turned off by default on the Exchange server. Optionally, if Basic authentication is in fact desired, the command that follows can be used to update Exchange to use Basic authentication for EWS connectivity. Regardless of authentication method used on Exchange for EWS, however, no extra configuration is necessary for GEMS.
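Before changing the EWS URL or authentication settings, the current values can be read back for every CAS server. The following is an added example, not part of the original guide, that reports servers with no internal EWS URL, URLs shared by more than one AD site (see EWS Namespace Configuration above), and Basic authentication offered on a URL that is not HTTPS. It only reads configuration.

```powershell
# Added example: audit internal EWS URLs and authentication methods per AD site.
# Run in the Exchange Management Shell. Read-only; nothing is modified.

$rows = foreach ($vdir in Get-WebServicesVirtualDirectory) {
    $serverName = "$($vdir.Server)"
    $exServer   = Get-ExchangeServer -Identity $serverName

    # Site is normally shown as a canonical path (.../Sites/<name>); keep the last
    # segment. If it is returned in another form, the whole string is still a
    # unique key per site, so the grouping below remains valid.
    $siteName = ("$($exServer.Site)" -split '/')[-1]
    $url      = "$($vdir.InternalUrl)"
    $basic    = [bool]$vdir.BasicAuthentication

    New-Object PSObject -Property @{
        Site          = $siteName
        Server        = $serverName
        InternalUrl   = $url.ToLower()
        Basic         = $basic
        Windows       = [bool]$vdir.WindowsAuthentication
        # Basic sends the user name and password with every request, so it must
        # only be offered over HTTPS.
        BasicOverHttp = ($basic -and ($url -notmatch '^https://'))
    }
}

# Finding 1: servers with no internal EWS URL configured.
$missingUrl = @($rows | Where-Object { -not $_.InternalUrl })

# Finding 2: one internal EWS URL used by servers in more than one AD site.
$sharedUrls = @($rows | Where-Object { $_.InternalUrl } |
    Group-Object InternalUrl |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Site -Unique).Count -gt 1 })

# Finding 3: Basic authentication enabled on a URL that is not HTTPS.
$basicOverHttp = @($rows | Where-Object { $_.BasicOverHttp })

$rows | Sort-Object Site, Server |
    Format-Table Site, Server, InternalUrl, Basic, Windows -AutoSize

foreach ($row in $missingUrl) {
    Write-Warning "No internal EWS URL on $($row.Server) (site $($row.Site))"
}
foreach ($group in $sharedUrls) {
    $sites = ($group.Group | Select-Object -ExpandProperty Site -Unique) -join ', '
    Write-Warning "EWS URL $($group.Name) is shared by sites: $sites"
}
foreach ($row in $basicOverHttp) {
    Write-Warning "Basic authentication without HTTPS on $($row.Server): '$($row.InternalUrl)'"
}
```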

Execute the following Exchange Shell command to configure Basic authentication for the EWS protocol on Exchange:

    Set-WebServicesVirtualDirectory -Identity "Contoso\EWS (Default Web Site)" -BasicAuthentication $true

Note: Replace "Contoso\EWS (Default Web Site)" in the command above with the proper identity for the EWS virtual directory. Be sure to enclose the string in quotes.

Set Up Exchange Autodiscover

Ensure that your Exchange Autodiscover is set up correctly. This is very important! The Autodiscover feature in Exchange is often overlooked during setup but is an important factor in ensuring smooth day-to-day running of your Exchange environment. Its main function is to provide the mail client with all the configuration options it needs, given only the user's address and password. This is particularly useful for remote users and smartphone users, who no longer have to enter advanced settings like server names and domains. It is also vital for the correct functioning of features such as Out Of Office and the Offline Address Book in Outlook. Use EWSEditor to test if there are any doubts.

Note: Please reference KB5558 for additional details on using EWSEditor. Please see also "Exchange Autodiscover" by Jaap Wesselius (2010) for more helpful information on Exchange Autodiscover.

PNS Database Requirements

You will need to create a (blank) SQL database for GEMS-PNS. The recommended name for this database is "GEMS-EWS."

Important: Make sure the Collate property is set to CI (case insensitive).

To check the case sensitivity of the GEMS PNS database, run this SQL query:

    SELECT DATABASEPROPERTYEX('dbname', 'Collation')

Replace dbname with the name of your GEMS PNS database (i.e., GEMS-EWS), then check the return value. If the value is:
- SQL_Latin1_General_CP1_CI_AS, the database is case insensitive.
- SQL_Latin1_General_CP1_CS_AS, the database is case sensitive.

To change the GEMS PNS case type to insensitive, use the following command:

    alter database [dbname] collate SQL_Latin1_General_CP1_CI_AS

During installation, you will be prompted to specify the database server and SQL instance. When this information is entered, the GEMS installer will automatically create the schema required by GEMS PNS.

Connect Prerequisites

Among the most important prerequisites for the Connect IM service is the availability of an established Microsoft Lync environment. These requirements comprise:
- MS Lync 2010 Requirements
- MS Lync 2013 Requirements

- Database Requirements
- Preparing the Lync Topology for GEMS-Connect
- SSL Certificate Requirements for Lync

Microsoft Lync Server Requirements

Antivirus software should be OFF for computers running GEMS with Connect-Presence.

The respective GEMS prerequisites for Lync 2010 and Lync 2013 are included in the following topics:
- Microsoft Lync 2010 Requirements
- Microsoft Lync 2013 Requirements

Note: Even if you're not using Lync, however, for planned deployments of GEMS-PNS running on Windows 2008 R2, you will need to install .NET Framework 4.5.

Microsoft Lync 2010 Requirements

If you have deployed or are deploying Microsoft Lync 2010, the following components are required on the GEMS machine to properly support Lync connectivity and operations.

Important: For GEMS support of Lync 2010, .NET Framework 3.5 SP1 and .NET Framework 4.5 must both be installed.

Windows Management Framework 3.0/PowerShell 3.0

Built on the Microsoft .NET Framework, Windows PowerShell 3.0 is a command-line shell and scripting language designed for system admin and automation. Windows Server 2012 comes with PowerShell 3.0 already installed. Enable the Windows PowerShell 3.0 feature using Windows Server Manager. If you are using Windows 2008 R2 SP1, however, you must install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.

To install Windows Management Framework 3.0:
1. Go to Windows Management Framework
2. Review the information on the web page, then click Download.
3. Select Windows6.1-KB x64.msu and click Next.
4. Close all Windows PowerShell windows.
5. Uninstall any other version of Windows Management Framework
6. Run the Windows6.1-KB x64.msu executable.
7. Open Windows PowerShell (x86) and run the following command to enable execution of remote-signed scripts:

    Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

If you need to troubleshoot the installation, refer to the WMF 3.0 Release Notes.

For more complete information about Windows Management Framework 3.0 and Windows PowerShell 3.0, visit the following Microsoft resources:
- Windows PowerShell Web site
- Windows PowerShell Online Help
- Windows PowerShell Blog
- Windows PowerShell Software Development Kit (SDK)
- Windows Management Framework 3.0 Compatibility Update

.NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1 is a cumulative update containing many new features that incrementally build upon .NET Framework 2.0, 3.0, 3.5, and includes .NET Framework 2.0 service pack 2 and .NET Framework 3.0 service pack 2 cumulative updates. Windows Server 2008 R2 comes with .NET Framework 3.5 SP1 already installed. Enable the .NET 3.5 Framework feature using Windows Server Manager. If you are using Windows Server 2008 SP2, however, you must install .NET Framework 3.5 SP1.

Always make sure you have the latest service pack and critical updates for the version of Windows Server running on your machine. To look for recent Windows Server 2008 updates: Click the Start button, click All Programs, and then click Windows Update.

To install Microsoft .NET Framework 3.5 SP1:
1. Go to Microsoft .NET Framework 3.5 Service Pack 1 (Full Package).
2. Review the information on the web page, then click Download near the top of the page.
3. When the download is complete, click Finish.

If you prefer to download the bootstrapper, rather than the full package, go to .NET Framework 3.5 Service Pack 1 (Bootstrapper).

For additional information about .NET Framework 3.5 SP1, visit the following Microsoft resources:
- .NET Framework 3.0 SP1 KB Article
- .NET Framework 3.5 SP1 Update

.NET Framework 4.5

Microsoft .NET Framework 4.5 is a highly compatible, in-place update to .NET Framework 4. It includes significant language and framework enhancements, the blending of control flow in synchronous code, a responsive UI, and web app scalability. .NET Framework 4.5 adds substantial improvements to other functional areas such as ASP.NET, Managed Extensibility Framework, Windows Communication Foundation, Windows Workflow Foundation, and Windows Identity Foundation, in addition to delivering better performance, reliability, and security. Windows Server 2012 comes with .NET Framework 4.5 already installed. Enable the .NET 4.5 Framework feature using Windows Server Manager. If you are using Windows Server 2008 R2, however, you must install .NET Framework 4.5.

Always make sure you have the latest service pack and critical updates for the version of Windows Server running on your machine. To look for recent Windows Server 2008 R2 updates: Click the Start button, click All Programs, and then click Windows Update.

To install Microsoft .NET Framework 4.5:
1. Go to the Microsoft .NET Framework
2. Review the information on the web page, then click Download near the top of the page.
3. To install the software immediately, click Run.
4. To install the software later, click Save. Then, when you actually do the install, make sure the server machine is connected to the Internet.

For additional information about .NET Framework 4.5, visit the following Microsoft resources:
- .NET Framework Developer Center
- .NET Framework 4.5 Language Pack

64-bit UCMA 3.0 Runtime

Microsoft's Unified Communications Managed API (UCMA) 3.0 is a managed-code platform which developers use to build applications that provide access to and control over Microsoft Enhanced Presence information, instant messaging, telephone and video calls, and audio/video conferencing.

Note: You must have elevated permissions to install UCMA 3.0 Runtime.
A reboot is required to install and enable Windows Media Format after UCMA 3.0 Runtime setup is finished.

To install the UCMA 3.0 Runtime:
1. Go to Unified Communications Managed API 3.0 Runtime in the Microsoft Download Center and click Download.
2. Launch UcmaRuntimeSetup.exe and accept the End-User License Agreement (EULA). The setup wizard will install all the necessary components.
3. Follow the onscreen instructions to complete the installation. The setup program installs English versions of the Speech Recognition and Text-to-Speech engines. The final screen of the installer provides a link that can be used to download additional engines for other languages. Included in the setup is an additional installer called OCSCore.msi that is also required for GEMS. Find OCSCore.msi by navigating to the following directory:

    C:\ProgramData\Microsoft\Lync Server\Deployment\cache\ \Setup\OCSCore.msi

   By default, the ProgramData folder is hidden, so it might not appear in Windows Explorer. You can change this (unhide it) in folder settings.
4. Launch OCSCore.msi and use the default settings in the wizard.

To ensure that you have the latest cumulative update from Microsoft and thereby avoid performance issues:
1. Open Windows Update in Control Panel.
2. In addition to installing any listed updates for Windows, click Find out more next to Get updates for other Microsoft products.
3. Shortly, you'll receive the cumulative list of update patches.
4. Be sure to select Lync Server 2010 Core Components along with any UCMA 3.0 updates.

5. Verify that the latest update is now installed in Programs and Features. The required Lync Server 2010, Core Components version is

Microsoft Lync 2013 Requirements

If you have deployed or are deploying Microsoft Lync 2013, the following components are required on the GEMS machine to properly support Lync connectivity and operations:

Windows Management Framework 3.0/PowerShell 3.0

Built on the Microsoft .NET Framework, Windows PowerShell 3.0 is a command-line shell and scripting language designed for system admin and automation. Windows Server 2012 comes with PowerShell 3.0 already installed. Enable the Windows PowerShell 3.0 feature using Windows Server Manager. If you are using Windows 2008 R2 SP1, however, you must install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.

To install Windows Management Framework 3.0:
1. Go to Windows Management Framework
2. Review the information on the web page, then click Download.
3. Select Windows6.1-KB x64.msu and click Next.
4. Close all Windows PowerShell windows.
5. Uninstall any other version of Windows Management Framework
6. Run the Windows6.1-KB x64.msu executable.
7. Open Windows PowerShell (x86) and run the following command to enable execution of remote-signed scripts:

    Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

If you need to troubleshoot the installation, refer to the WMF 3.0 Release Notes.

For more complete information about Windows Management Framework 3.0 and Windows PowerShell 3.0, visit the following Microsoft resources:
- Windows PowerShell Web site
- Windows PowerShell Online Help
- Windows PowerShell Blog

- Windows PowerShell Software Development Kit (SDK)
- Windows Management Framework 3.0 Compatibility Update

.NET Framework 4.5

Microsoft .NET Framework 4.5 is a highly compatible, in-place update to .NET Framework 4. It includes significant language and framework enhancements, the blending of control flow in synchronous code, a responsive UI, and web app scalability. .NET Framework 4.5 adds substantial improvements to other functional areas such as ASP.NET, Managed Extensibility Framework, Windows Communication Foundation, Windows Workflow Foundation, and Windows Identity Foundation, in addition to delivering better performance, reliability, and security. Windows Server 2012 comes with .NET Framework 4.5 already installed. Enable the .NET 4.5 Framework feature using Windows Server Manager. If you are using Windows Server 2008 R2, however, you must install .NET Framework 4.5.

Always make sure you have the latest service pack and critical updates for the version of Windows Server running on your machine. To look for recent Windows Server 2008 R2 updates: Click the Start button, click All Programs, and then click Windows Update.

To install Microsoft .NET Framework 4.5:
1. Go to the Microsoft .NET Framework
2. Review the information on the web page, then click Download near the top of the page.
3. To install the software immediately, click Run.
4. To install the software later, click Save. Then, when you actually do the install, make sure the server machine is connected to the Internet.

For additional information about .NET Framework 4.5, visit the following Microsoft resources:
- .NET Framework Developer Center
- .NET Framework 4.5 Language Pack

64-bit UCMA 4.0 Runtime

Microsoft's Unified Communications Managed API (UCMA) 4.0 is a managed-code platform which developers use to build applications that provide access to and control over Microsoft Enhanced Presence information, instant messaging, telephone and video calls, and audio/video conferencing.

Note: You must have elevated permissions to install UCMA 4.0 Runtime. A reboot is required to install and enable Windows Media Format after UCMA 4.0 Runtime setup is finished.

UCMA 4.0 requires Desktop Experience on Windows Server 2008 R2 SP1. Enable this feature using Windows Server Manager.

UCMA 4.0 requires Media Foundation on Windows Server Enable this feature using Windows Server Manager.

To install the UCMA 4.0 Runtime:
1. Go to Unified Communications Managed API 4.0 Runtime in the Microsoft Download Center and click Download.
2. Launch UcmaRuntimeSetup.exe and accept the End-User License Agreement (EULA). The setup wizard will install all the necessary components.
3. Follow the onscreen instructions to complete the installation. The setup program installs English versions of the Speech Recognition and Text-to-Speech engines. The final screen of the installer provides a link that can be used to download additional engines for other languages. Included in the setup is an additional installer called OCSCore.msi that is also required for GEMS. Find OCSCore.msi by navigating to the following directory:

    C:\ProgramData\Microsoft\Lync Server\Deployment\cache\ \Setup\OCSCore.msi

   By default, the ProgramData folder is hidden, so it might not appear in Windows Explorer. You can change this (unhide it) in folder settings.
4. Launch OCSCore.msi and use the default settings in the wizard.

Preparing the Lync Topology for GEMS

The Connect service and Lync Presence Provider (LPP) are Microsoft Lync trusted-UCMA applications. In order to establish trust with Microsoft Lync, you must first use the Lync Management Shell to complete the following:
- Create a trusted application pool.
- Designate trusted applications for the use of the GEMS computer.
- Create a trusted-computer entry for every GEMS in the environment.
- Publish these changes to the Lync Topology.
- Create a Trusted Endpoint for the GEMS-Presence Service.
Important: You must be a member of the RTCUniversalServerAdmins and Domain Admins security groups to provision and publish new applications in the Microsoft Lync Topology. If you have a designated Lync administrator within your organization, that person should perform all subsequent preparation steps for this procedure.

You must complete the application provisioning process described in the following instructions:

- Preparing to install GEMS for the first time
- Preparing subsequent GEMS machines

After updating the Lync topology, the Lync administrator must delegate RTCUniversalReadOnlyAdmins permission to the GEMS service account in order for the GEMS Dashboard to access the provisioning information during the GEMS configuration process.

Preparing the Initial GEMS Machine

Preparations vary if the Lync Topology has already been set up for GEMS. Hence, the preparation instructions included here apply only if you are installing GEMS for the first time. If GEMS is already installed in your environment, see Preparing Additional GEMS Machines.

Otherwise, when you create a trusted application pool for the installation of GEMS, you also create the trusted-computer entry. Subsequent installations of GEMS machines do not require a new trusted application pool or designated trusted applications. Because these are merely added to the existing trusted application pool, you only need to create trusted application computers.

To prepare your topology, you must:
1. Create a Trusted Application Pool.
2. Create a Trusted Application for GEMS Connect.
3. Publish changes to the Lync Topology.

To accomplish these tasks, first launch the Lync Management Shell by selecting: Start > All Programs > Microsoft Lync Server [2010 or 2013] > Lync Management Shell.

Next, enter the following commands (highlighted areas represent recommended values):

    PS> Get-CsSite

If your organization has more than one site in its topology, look up the appropriate siteid number and the corresponding registrar value and jot them down. You will need this information to create the application pool.
    PS> New-CsTrustedApplicationPool -Force -Identity "pool_gems.mycompany.com" -Registrar <registrar> -RequiresReplication $false -Site <siteid number> -ComputerFqdn "FQDN of GEMS machine"

    PS> New-CsTrustedApplication -Force -ApplicationId "appid_connect.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -Port

    PS> New-CsTrustedApplication -Force -ApplicationId "appid_presence.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -Port

Create the second application (appid_presence.mycompany.com) only if you are deploying the GEMS Presence service.

    PS> New-CsTrustedApplicationEndpoint -ApplicationId "appid_presence.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -SipAddress "sip:presence_<gems host

Create an application endpoint only if you are deploying the GEMS Presence service.

    PS> Enable-CsTopology

This completes topology preparations for your initial GEMS machine. If you are deploying additional GEMS machines, see Preparing Additional GEMS Machines. If you are installing only one GEMS machine, proceed to Installing GEMS.

Preparing Additional GEMS Machines

The instructions presented here apply only if you have already installed at least one GEMS. If you are installing GEMS for the first time, refer to the instructions in Preparing the Initial GEMS Machine.

Prepare your Lync Topology for additional GEMS machines by launching the Lync Management Shell via Start > All Programs > Microsoft Lync Server [2010 or 2013] > Lync Management Shell.

Next, you need to create a trusted computer for the GEMS trusted application pool. To do so, enter the following command line:

    PS> New-CsTrustedApplicationComputer -Identity "<FQDN of GEMS machine>" -Pool "<name of GEMS pool previously created>"

If this GEMS host will be running the Presence service, you must also create an application endpoint. This is done with the following commands:

    PS> New-CsTrustedApplicationEndpoint -ApplicationId "appid_presence.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -SipAddress "sip:presence_<gems host

    PS> Enable-CsTopology

With the Lync topology now prepped for the new GEMS, you may proceed to Installing GEMS after reviewing the section on creating/acquiring a valid SSL certificate.

Creating an Additional Trusted Application Pool

One GEMS-Connect server can be associated with only one Trusted Application Pool. In a high availability or disaster recovery scenario, it is recommended that you create an additional trusted application pool in your Front-End HA/DR pool for your GEMS-Connect HA/DR instances.

The steps for creating an additional trusted application pool are exactly the same as creating your first trusted application pool for GEMS-Connect with the exception that trusted application pool names must be unique.
Therefore, if you named your first trusted application pool "pool1_gems.mycompany.com", then your second trusted application pool name must be different, i.e., "pool2_gems.mycompany.com".

SSL Certificate Requirements for Lync and Presence

If your enterprise doesn't already have one (or one designated for use by GEMS), you must obtain and install a digital certificate. Your enterprise can sign its own digital certificates, acting as its own certificate authority (CA), or you can submit a certificate request to a well-known, third-party CA.

Although you can preinstall the root authority for your own CA on each user's device, to forestall the continuous tedium and management, especially as new employees come and go, it makes sense to get an independent CA-validated certificate.

Mutual TLS (MTLS) Certificates

Connect and LPP connections to Lync rely on mutual TLS (MTLS 1) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other.

In Lync Server 2010 deployments, certificates issued by the enterprise CA that are still in their validity period and not revoked by the issuing CA are automatically considered valid by all internal clients and servers because all members of an Active Directory domain trust the Enterprise CA in that domain.

In federated scenarios, the issuing CA must be trusted by both federated partners. Each partner can use a different CA, if desired, so long as that CA is also trusted by the other partner. This trust is most easily accomplished by the Edge Servers having the partner's root CA certificate in their trusted root CAs, or by use of a third-party CA that is trusted by both parties.

Hence, GEMS must form a mutual trust relationship for MTLS communications supporting its network server environment. Mutual trust requires a valid SSL certificate that meets the following criteria:
- The private certificate issued for GEMS by a trusted CA must be stored in the GEMS machine's Console Root\Certificates local_host_name\personal\certificate folder.
- The GEMS computer's private certificate and the Lync Server's internal computer certificate must both be trusted by root certificates in GEMS's Console Root\Certificate local_host_name\trusted Root Certification Authorities\Certificates folder.
- Intermediate certificates for both the GEMS private certificate and the Lync Server's internal computer certificate must be located in the GEMS Console Root\Certificates local_host_name\trusted Root Certification Authorities\Certificates folder (similar to the one pictured next).
Important: The account used to run GEMS must have read access to the certificate store and the private key. You can assign read rights to the private key by right-clicking on the certificate.

1 For more on TLS and MTLS for Lync Server 2010, see

- The Subject Name (SN) of the certificate must contain the Common Name (CN) for GEMS's fully qualified domain name (FQDN), such that CN=server.subdomain.domain.tld.
- The Subject Alternative Name (SAN) must contain the DNS for the trusted pool for the GEMS machine, as well

as the GEMS machine FQDN. SANs let you protect multiple host names with a single SSL certificate.
- The certificate must be signed by a CA that is mutually trusted by both the Lync Server and GEMS.

For more complete information regarding Microsoft Lync SSL certificate requirements, visit the MSDN Office Dev Center's Lync page. For instructions on creating a certificate for GEMS, see Creating and Adding the GEMS SSL Certificate.

Creating and Adding the GEMS SSL Certificate for Lync

These certificate request procedures are based on a Windows Server 2012 certificate authority but will also work for earlier versions of Windows Server. Please make sure to execute the steps that follow on the Certificate Authority server.

If you are deploying the Connect Service only, skip to Requesting a GEMS Certificate from a Local AD Certificate Authority. However, if you are deploying the GEMS Presence service, you will need a Subject Alternative Name (SAN) certificate.

A SAN SSL Certificate, also known as Unified Communications SSL Certificate (UCC SSL), is mainly used by Microsoft Exchange 2007 (or newer) for Unified Messaging. This certificate allows multiple server or domain names to use the same secure SSL certificate, whereas a normal SSL Certificate protects only one FQDN. In a SAN certificate, several alternatives of common names can be placed in the Alternative Name field.

Note: Any existing and appropriate SAN certificate, for example your Exchange SAN certificate, can be used to create a template, or you can create a new template from any existing template, which can then be used to create and configure the required certificate for a given service. The name of the template is often the only way to distinguish its purpose. The certificate common name (CN), friendly names, and other properties must be unique. This is important when deploying the final name of the issued certificate, which should always match the designated service name.
For a quick primer on generating SSL certificates with subject alternative names, see TechNet's "How to generate a certificate with subject alternative names (SAN)."

If you are configuring only for Connect (without Presence), skip to Requesting a GEMS Certificate from a Local AD Certificate Authority. Otherwise, continue with the guidance that follows for creating a SAN certificate template.

Creating a SAN Certificate Template

To create a SAN certificate template:
1. Open a CMD window and type MMC to open the MMC window.
2. Click File > Add/Remove Snap-in and then click Add > Certificate Templates.
3. In the center panel, right-click Computer, then Duplicate Template.

4. In the General tab, change the name to Computer SAN Cert, or something like it. Just be sure to make note of it for future reference.
5. In the Subject Name tab, select Supply in the request.
6. Click Apply, then click OK.

To add the SAN Certificate Template to the CA

In order for requesters to see the new template, it must first be added to the CA using the following steps:
1. Open the Certificate Authority utility and right-click on Certificate Templates.
2. Select New > Certificate Template to Issue.

37 GEMS Prerequisites 3. Select the template that was created above in Creating a SAN Certificate Template. Requesting a GEMS Certificate from a Local AD Certificate Authority Use the following procedure if you are requesting a certificate for the GEMS machine from a local AD certificate authority. On the GEMS machine: 1. Open a CMD window and type mmc. 2. Click File > Add/Remove Snap-In. 3. Select Add Certificate > Computer Account > Local computer. 4. Right-click Personal, then select Certificate (or Personal) > All Tasks > Request New Certificate. 5. Click Certificate Enrollment, then click Next and Next again. 6. If you are only deploying the GEMS Connect Service, choose a Computer certificate request template. Otherwise, choose the Computer-SAN Cert certificate request template. If there is no Computer SAN certificate request template, refer to Creating a SAN Certificate Template above. Good Enterprise Mobility Server 29

38 GEMS Prerequisites 7. If you chose a regular Computer certificate request, click Enroll and you re done. Otherwise, you will need to supply both the Common Name (CN) and the Subject Alternative Name (SAN). 8. If you choose a Computer-SAN Cert, you will need to supply both the Common Name (CN) and the Subject Alternative Name (SAN). Click on the More information is required... link to enter this information. 9. In the Certificate Properties popup: a. Under the Subject tab, change the Subject name Type to Common Name. b. For Value, enter the FQDN of the GEMS machine. c. Click Add. d. Change the Alternative name Type to DNS. e. Add two Values, one with the FQDN of the GEMS machine and the other with the FQDN of the GEMS Lync pool. Good Enterprise Mobility Server 30

39 GEMS Prerequisites f. Click Apply, then click OK. g. Click Enroll. After creating the certificate, make sure the Subject Name and Subject Alternative Name are correct. To do this, simply double-click on the certificate, then click the Details tab. Correctly reflecting the name you gave it or chose, the Subject Name should look something like this: Good Enterprise Mobility Server 31

And the Subject Alternative Name should look like this:

10. Right-click the certificate, then select All Tasks > Manage Private Keys.
11. Under the Security tab, add the service account and grant it read access to the certificate.

Database Requirements

You will need to create a (blank) SQL database for GEMS-Connect. The recommended name for this database is "GEMS-CONNECT."
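The Subject Name and Subject Alternative Name check from the certificate procedure above can also be scripted. The following PowerShell is an added example, not part of the original guide; it covers the SAN (Presence) case, and both FQDNs are placeholders to replace with your GEMS host and Lync pool names.

```powershell
# Added example, not from the GEMS guide. Both FQDNs below are placeholders.
param(
    [string]$GemsFqdn     = 'gems01.example.com',
    [string]$LyncPoolFqdn = 'lyncpool.example.com'
)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=host.example.com".
    # The "DNS Name" label is the English-language Windows rendering.
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') {
            $Matches[1].Trim().ToLowerInvariant()
        }
    }
}

function Test-GemsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$GemsFqdn,
        [string]$LyncPoolFqdn
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn  = $Cert.GetNameInfo($nameType, $false)   # CN of the subject
    $dns = @(Get-CertDnsNames -Cert $Cert)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        CommonName    = $cn
        CnIsGemsFqdn  = ($cn -eq $GemsFqdn)
        SanHasGems    = ($dns -contains $GemsFqdn.ToLowerInvariant())
        SanHasPool    = ($dns -contains $LyncPoolFqdn.ToLowerInvariant())
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
        DnsNames      = ($dns -join ', ')
    }
}

# Look in the computer account's Personal store, where the request was enrolled.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$GemsFqdn*" }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$GemsFqdn found in LocalMachine\My."
} else {
    $candidates |
        ForEach-Object { Test-GemsCertificate -Cert $_ -GemsFqdn $GemsFqdn -LyncPoolFqdn $LyncPoolFqdn } |
        Format-List
}
```

A certificate is ready for Presence when CnIsGemsFqdn, SanHasGems, SanHasPool and HasPrivateKey are all True. The script does not inspect the private key permissions set in step 11.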

During installation, you will be prompted to specify the database server and SQL instance. When this information is entered, the GEMS installer will automatically create the schema required by GEMS Connect.

Presence Prerequisites

The Presence service has the same predeployment requirements as the Connect service. Please refer to the complete list of Connect Prerequisites.

Docs Service Prerequisites

The Docs service requires its own SQL database like other GEMS services. And, while having many of the GEMS core requirements in common, it has additional dependencies not required by the other services. These include:

- Server Software and Operating System Requirements
- Database Requirements

Server Software and Operating System Requirements

In addition to core requirements for all GEMS services, the following prerequisites apply to the Docs service:

Network Capabilities and Resources

- The GEMS host must be a domain member and have access to Active Directory
- Network shares must be accessible from the server
- SharePoint sites must be accessible from the server; supported SharePoint versions include:
  o 2007/2010/2013
  o SharePoint Online
- If KCD is not enabled, users using network shares must have Allow Logon Locally rights in the local security policy on the GEMS host.

Database Requirements

A blank SQL database is also required for a new installation of the GEMS-Docs Service in accordance with the supported SQL Server version specified under Core Requirements. The name of the database is arbitrary, but "GEMS-DOCS" is recommended. The installer will extend the schema during the installation process. If you are migrating an existing database from Good Share, see Appendix K.

Directory Lookup Service Prerequisites

GEMS Directory Lookup requires a database, and that you set up a Windows Service Account for GEMS in support of your Exchange environment (see Supported Exchange Versions). In this regard, the prerequisites for this service are essentially identical to the Push Notification service, and include (see Note 1):

- Creating an Exchange Mailbox for the service account
- Granting Application Impersonation permissions to the service account
- Setting Authentication for the EWS protocol
- Setting up Exchange Autodiscover
- Setting up a SQL database

Note 1: Required unless already completed for PNS or another service, in which case the same service account and Exchange environment settings should be used.

Follow-Me Service Prerequisites

GEMS Follow-Me requires a database, and that you set up a Windows Service Account for GEMS in support of your Exchange environment (see Supported Exchange Versions). In this regard, the prerequisites for this service are essentially identical to the Push Notification service, and include:

- Creating an Exchange Mailbox for the service account
- Granting Application Impersonation permissions to the service account
- Setting Authentication for the EWS protocol
- Setting up Exchange Autodiscover
- Setting up a SQL database

Note: Each of the above is required unless already completed for PNS or another service, in which case the same service account, Exchange environment settings, and EWS database can be shared.

Certificate Lookup Service Prerequisites

GEMS Certificate Lookup requires a database, and that you set up a Windows Service Account for GEMS in support of your Exchange environment (see Supported Exchange Versions). In this regard, the prerequisites for this service are essentially identical to the Push Notification service, and include:

- Creating an Exchange Mailbox for the service account
- Granting Application Impersonation permissions to the service account
- Setting Authentication for the EWS protocol
- Setting up Exchange Autodiscover
- Setting up a SQL database

Note: Each of the above is required unless already completed for PNS or another service, in which case the same service account, Exchange environment settings, and EWS database can be shared.

Installing GEMS

A successful GEMS installation hinges on all prerequisites for each service you are deploying being in place. These include, respectively:

- Core Prerequisites
- PNS Prerequisites
- Connect Prerequisites
- Presence Prerequisites
- Docs Prerequisites
- Directory Lookup Prerequisites
- Follow-Me Prerequisites
- Certificate Lookup Prerequisites

It is strongly recommended that installation be done with the GEMS service account.

Important: Before proceeding, verify that you have created the blank databases specified for PNS, Connect, and Docs, respectively.

Upon verifying that all prerequisites have been satisfied, download and unzip the GEMS installer package, then continue with the steps below.

Upgrading

If you are upgrading from an earlier version of GEMS, the installer will detect previously installed versions of GEMS and request the system (current dashboard) password for your existing GEMS deployment. See Appendix J for guidance on changing/resetting the password before upgrading to GEMS 1.5.

Caution: As indicated in Upgrade Notes, special characters are disallowed in the GEMS service account name. If you are upgrading from a GEMS version in which you included special characters in the service account name, you will need to change the service account name, omitting any special characters, before proceeding with the GEMS upgrade.

Tip: During an upgrade, when prompted to enter database information for the Mail/Core and Connect DBs, remember to enter the database details that apply to your current (pre-1.5) GEMS deployment.

Important: Upgrade support is currently limited to upgrading from build

Configuring Docs for a Server Already Hosting GEMS

Do not reinstall GEMS 1.5 if you are configuring the Docs service for the first time on a server already hosting GEMS (i.e., GEMS 1.5 is already installed and running). You only need to create a blank GEMS-Docs database and then run the latest SQL script in accordance with the guidance below. The "latest" script is the first one listed. After script execution completes, login to the GEMS Dashboard, navigate to Docs > Database and specify the database location in accordance with the instructions for Database found under Configuring Docs in the GEMS Dashboard.

Docs Upgrade from GEMS 1.4 or Good Share

When upgrading from GEMS 1.4 or Good Share, choose the action appropriate for your existing database:

- Existing DB is not on same physical database server as GEMS-Docs 1.5 DB: Do not enter database values for Docs when requested by the Installer. Instead, run the script(s) in the table below corresponding to your existing version. You can then return to the GEMS Dashboard to enter the corresponding Docs database values.
- Existing DB is on the same physical database server as GEMS-Docs 1.5 DB: Do enter the database values requested by the Installer.

Important: If you enter DB information for Docs in the Installer, the Installer will look for that existing database. Therefore, you must make sure the database currently exists before running the GEMS Installer.

Database scripts are located in:

GoodEnterpriseMobilityServerSetup zip\GoodEnterpriseMobilityServer\Docs\Sql\serverdocsdbscripts sql.zip\serverdocs-dbscripts \sqlserver\

Run the following SQL query to determine your existing Docs database version:

select DBSchemaVersion from MiscItems

Existing Docs DB Version   Upgrade Script(s) to Run

                           /sqlserver_upgrade_from_203_to_204.sql

                           /sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

                           /sqlserver_upgrade_from_201_to_202.sql
                           203/sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

                           /sqlserver_upgrade_from_200_to_201.sql
                           202/sqlserver_upgrade_from_201_to_202.sql
                           203/sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

                           /sqlserver_upgrade_from_95_to_200.sql
                           201/sqlserver_upgrade_from_200_to_201.sql
                           202/sqlserver_upgrade_from_201_to_202.sql
                           203/sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

91                         95/sqlserver_upgrade_from_91_to_95.sql
                           200/sqlserver_upgrade_from_95_to_200.sql
                           201/sqlserver_upgrade_from_200_to_201.sql
                           202/sqlserver_upgrade_from_201_to_202.sql
                           203/sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

88                         91/sqlserver_upgrade_from_88_to_91.sql
                           95/sqlserver_upgrade_from_91_to_95.sql
                           200/sqlserver_upgrade_from_95_to_200.sql
                           201/sqlserver_upgrade_from_200_to_201.sql
                           202/sqlserver_upgrade_from_201_to_202.sql
                           203/sqlserver_upgrade_from_202_to_203.sql
                           204/sqlserver_upgrade_from_203_to_204.sql

Additional Required Actions During Upgrade

During upgrade from GEMS 1.4, the Installer does not pre-populate the database name in the installation screen. Instead, the Docs database must be manually entered in the installer screen. This is in addition to entering the required database info in the GEMS 1.5 Dashboard upon going to Docs > Database.

Also, after upgrading to v1.5, launch the GEMS Dashboard and go to Docs > Database and enter valid credentials. This is required so a process which runs approximately every 3 minutes will continue the database upgrade process related to updating user data. This process can take up to 10 minutes to complete.

Downloading and Running the GEMS Installer

To download and run GEMS Setup:

1. Download the installation zip package from the GEMS product page.
2. Unpack the contents of the zip and run GoodEnterpriseMobilityServerSetup.<version>.exe.
3. Choose either Lync Server 2010 or Lync Server 2013, then click Next.

Note: If you have a Lync environment, select the appropriate version. Otherwise, accept the default, even if you don't use Lync.

The installer now runs a check of required components.

4. If all Prerequisites indicate Pass, click Next. If not, make a note of the failed components so that any issues can be resolved during the configuration process, then click Next.
5. Accept the default installation path or click Browse to change it.
6. Accept the license agreement by clicking the checkbox, then click Next.
7. Specify the following database information for GEMS in accordance with the prerequisites for Mail/Core and Connect:
   a. DB Server FQDN\SQL Server Instance
   b. Mail/Core DB Name
   c. Connect DB Name
   d. Docs DB Name
8. Enable Windows Authentication by clicking its checkbox.
9. If you choose not to use Windows Authentication, enter the SQL Username and Password.
10. Accept or change the Server FQDN (Certificate Common Name) of the SSL Certificate for GEMS, then click Install. It typically takes 3-5 minutes for the installer to finish.
11. When complete, click Configure to launch the GEMS Dashboard:

Note: If the GEMS Dashboard fails to launch automatically in your browser, open your browser and manually enter "https://localhost:8443/dashboard" in the address bar. HTTP access is allowed only from the localhost. Google's Chrome browser is recommended.

12. Login as a member of the local administrator group and you are taken to the GEMS Dashboard home page.

Note: The Analytics service is a developer preview only and is not intended for production environments.

You're now ready to set your GEMS dashboard administrators based on Active Directory membership groups and then select a service to configure. The Mail service is required to run the Good Work mobile collaboration app. The Presence service furnishes the Lync Presence Provider (LPP) to Good Work and other Good Dynamics applications, while the Connect service provides both presence and instant messaging services on client devices provisioned with the Good Connect app. The Docs service enables SharePoint and File Share access by Good Work clients. Analytics is an optional service currently in developer preview.

Configuring GEMS Core

The first phase in the configuration process is to set up the server irrespective of the services you choose to put in place. This includes:

- Configuring Your GEMS Dashboard Administrators
- Installing the GEMS SSL Certificate
- Installing CA Certificates for GEMS
- Enabling GEMS HTTP (optional)

Configuring Your Dashboard Administrators

GEMS Administrators are added via Active Directory groups. Groups in Active Directory are directory objects that reside within a domain and organizational unit container objects. Active Directory provides a set of default groups upon installation, and also gives you the option of creating groups.

Adding a group of administrators to your GEMS settings gives the entire group GEMS Dashboard permissions. Remember that a group can be a single individual or many, and that you can add more than one group, but any group added must be part of your security groups. Group members can then login to the dashboard using their Active Directory credentials (UID/PWD/Domain). Users who are members of the Local Administrator group on the server will also be able to login.

See Groups under Understanding Active Directory for more information on group creation and management. Otherwise, click GEMS Configuration under GEMS Systems Settings on the Dashboard home page to get started.

To add dashboard administrators:

1. Under SETTINGS, click Dashboard Administrators.
2. On the ACTIVE DIRECTORY page, click Add Group.
3. Provide the following information:
   a. Active Directory Group: the name of an existing enterprise AD Group.
   b. Dashboard Role: Currently, Admin is the only available dashboard role.
   c. Admin Role: Only Console is currently available.
4. Click Save.
5. Repeat from Step 2 above to add more groups.

Replacing the Auto-Generated Self-Signed SSL Certificate

By default, GEMS is remotely accessible using the HTTPS protocol only. Consequently, during installation, a GEMS Java keystore is created named gems.jks and placed in <GEMS Machine Path>\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores\. However, if you have a previously created self-signed certificate, then your existing certificate and certificate password are retained. The default password for the gems.jks keystore is "changeit."

For instructions on importing certificates into the GEMS Java keystore, please see Appendix B.

Note: Unless you import a publicly verifiable certificate into the GEMS Java keystore, please be aware of the following:

1. Access to the GEMS Dashboard from a browser will show an untrusted SSL certificate.
2. You must either upload the GEMS certificate to Good Control or disable SSL checking on the Good Work client (see "Adding the JSON Configuration for EAS" in the Good Work Product Guide).

Importing CA Certificates for GEMS

By default, GEMS only knows about public CA certificates. If GEMS needs to communicate with a server that does not have a public CA certificate (Exchange, for instance), then you must import the non-public CA certificate into the GEMS host Java keystore. The list of servers to which GEMS may connect includes:

- GEMS → Exchange
- GEMS → ADFS
- GEMS → Good Proxy
- GEMS → SharePoint
- GEMS → Office Web Apps Server (OWAS)
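The import of a non-public CA certificate that this section calls for, scripted in PowerShell as an added example (not part of the original guide). It backs up the keystore, prints the certificate's fingerprints so they can be compared with the values from your CA administrator before the CA is trusted, runs the guide's keytool import command, and confirms the alias is present. The certificate path and alias are placeholders; the keystore path is the guide's default location.

```powershell
# Added example, not from the GEMS guide. Run from an elevated PowerShell
# prompt on the GEMS host, with the Java bin directory on PATH.
param(
    # Placeholder: the non-public CA certificate obtained from your CA administrator.
    [string]$CaCertFile = 'C:\Temp\internal-root-ca.cer',
    # Placeholder alias; choose one that identifies the CA.
    [string]$Alias      = 'internal-root-ca',
    # Default Java keystore location given in the guide.
    [string]$KeyStore   = 'C:\Program Files\Java\jre7\lib\security\cacerts'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $CaCertFile)) { throw "Certificate file not found: $CaCertFile" }
if (-not (Test-Path -LiteralPath $KeyStore))   { throw "Keystore not found: $KeyStore" }

# Back up the keystore before modifying it.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $KeyStore, (Get-Date)
Copy-Item -LiteralPath $KeyStore -Destination $backup
Write-Host "Backup written to $backup"

# Show owner, issuer, validity and fingerprints of the certificate to be trusted.
& keytool -printcert -file $CaCertFile
if ($LASTEXITCODE -ne 0) { throw 'keytool could not read the certificate file.' }

$reply = Read-Host 'Do the fingerprints match the values supplied by your CA administrator? (yes/no)'
if ($reply -ne 'yes') { throw 'Import cancelled; keystore unchanged.' }

# Import command from the guide. keytool prompts for the keystore password
# and, for a CA it does not already trust, asks for confirmation.
& keytool -import -trustcacerts -alias $Alias -file $CaCertFile -keystore $KeyStore
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath $backup -Destination $KeyStore -Force
    throw 'Import failed; keystore restored from backup.'
}

# Confirm the entry exists under the expected alias.
& keytool -list -v -alias $Alias -keystore $KeyStore
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' is not present in $KeyStore after import." }

Write-Host 'Import complete. Restart the Good Technology Common service for the change to take effect.'
```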

Within your environment, if GEMS needs to communicate with any of these servers, check to see whether these servers are using public CA certificates. If they are not using public CA certificates, then use the following procedure to add the non-public CA certificates into the GEMS Java keystore.

To export the CA certificate from the server with which GEMS needs to communicate:

1. Make sure you have the JAVA bin directory in your environment PATH. See Configuring the Java Runtime Environment under Core Prerequisites. This will allow you to run the keytool from any directory.
2. Obtain a copy of your non-public CA certificate. If you are unclear on how to do this, check with the administrator of your Exchange, Good Proxy, or SharePoint servers.
3. Before modifying the Java keystore file on the GEMS host, make a backup copy of it. The default location of the Java keystore file is C:\Program Files\Java\jre7\lib\security\cacerts.
4. Copy your non-public CA certificate to the Java keystore directory in Step 3.
5. Open a DOS CMD and change directory to the Java keystore directory.
6. Use the following command to import your non-public CA certificate into the Java keystore:

   keytool -import -trustcacerts -alias <your_cert_alias> -file <your_cert>.cer -keystore cacerts

   Be sure to (a) replace <your_cert_alias> with the proper alias for your non-public certificate and (b) replace <your_cert>.cer with the file name of your non-public certificate.
7. Repeat Steps 2 through 6 for each non-public CA certificate.
8. Restart the Good Technology Common service from the Windows Service Manager.

Enabling GEMS HTTP (Optional)

Standard HTTP connections are inherently insecure. When necessary or desired, however, you can manually configure GEMS to use HTTP in test/PoC environments using the following procedure.

To enable GEMS HTTP:

1. On the GEMS host, locate the org.ops4j.pax.web.cfg file and open it in a text editor. Its default location is C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc.
2. Comment out the org.ops4j.pax.web.listening.addresses= line by prefixing it with a # sign. It should look like this:

   #org.ops4j.pax.web.listening.addresses=

3. Save the file.
4. Locate the jetty.xml file and open it in your text editor. Its default location is C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc.
5. Find the following block of lines and delete the comment markers (<!-- and -->) that enclose it:

   <!--
   <Call name="addConnector">
     <Arg>
       <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
         <Set name="host">
           <Property name="jetty.host" />
         </Set>
         <Set name="maxIdleTime">300000</Set>
         <Set name="acceptors">2</Set>
         <Set name="statsOn">false</Set>
         <Set name="confidentialPort">8443</Set>
         <Set name="lowResourcesConnections">20000</Set>
         <Set name="lowResourcesMaxIdleTime">5000</Set>
       </New>
     </Arg>
   </Call>
   -->

6. Save the file.
7. Restart the Good Technology Common service.

Configuring GEMS Services

As previously indicated, you can configure one or more services at any time in any order desired according to your organization's mobile user demand and deployment requirements. Once again, these services currently comprise:

- Push Notifications ( )
- Connect
- Presence
- Docs
- Launcher
- Certificate Lookup

Note: The Analytics service is currently an app developer's preview. In GEMS 1.5, administrators may safely omit configuration of this service. There is no impact on the other services.

Configuring the Push Notification (Mail) Service

Configuring GEMS for PNS support of the Good Work app, which includes Mail, Contacts, and Calendar, entails:

- Enabling Exchange ActiveSync (EAS)
- Configuring Mail in the GEMS Dashboard
- Configuring Good Control
- Configuring GEMS-PNS for High Availability

Enabling Exchange ActiveSync (EAS)

EAS is a protocol designed for the synchronization of email, contacts, calendar, tasks, and notes from the messaging server to the Good Work client. GEMS does not participate in EAS activity, but if EAS is not properly enabled, then GEMS cannot support Good Work clients with PNS.

Consequently, if you plan to deploy the Good Work client to your users, please ensure that EAS is enabled on port 443 and that connections are permitted to the Good Proxy server.

Note: By default, ActiveSync is enabled when you install the Client Access server role on the computer that's running Microsoft Exchange Server 2010 or Exchange

For detailed guidance on Exchange EAS and how it works with Good apps, please refer to Good Work EAS Security Information and Guidance. For additional information on how to enable and manage EAS in your existing Exchange environment, see Microsoft's Exchange and IIS documentation.

Configuring PNS (Mail) in the GEMS Dashboard

Important: The configuration sequence presented next must be strictly followed to avoid connectivity issues. Chiefly, it is critical that database configuration be completed prior to configuring Microsoft Exchange.

After clicking Mail under Good Services Configuration on the Dashboard home page, complete its service configuration in the following order:

- Good Dynamics
- Database
- Microsoft Exchange
- Web Proxy
- Android Push Notifications
- Stop Notifications

Good Dynamics

Note: Your Good Dynamics servers must be operating before the GEMS Push Notifications Service can be configured for Good Dynamics.

1. On the GOOD MAIL SERVICE CONFIGURATION page, click Good Dynamics.
2. Enter the Good Proxy Hostname. If you have more than one Good Proxy server, pick any one you wish. Autodiscover will correctly identify the others.
3. Enter the Good Proxy Port.
4. Select either HTTP or HTTPS, the latter being the more secure transport protocol.
   Note: See Configuring HTTPS for GEMS to Good Proxy in Appendix B for supplemental guidance on transferring the CA certificate for Good Proxy to GEMS.
5. Use the Test button to verify the connection.
6. Click Save to record the setting.

Database

In configuring your SQL database for GEMS-PNS, you have a choice of using either Windows Authentication or SQL Authentication for granting access to the database by GEMS.

Make sure you have already set the Good Technology Common service to run as the service account in Windows Service Manager (SrvMan). After restarting the Good Technology Common service, perform the steps below for either Windows Authentication or SQL Authentication.

To use Windows Authentication to access the database:

1. In the GOOD MAIL SERVICE CONFIGURATION page, click Database.
2. Enter the Server host name and instance name; i.e., <your_sqlserver_hostname>\<instance_name>.
3. Enter the Database name.
   Note: If you are configuring the database for an AlwaysOn Availability Group, please see Appendix L.
4. Select Windows Authentication for the Authentication Type.
5. Click the Test button to verify connectivity with the database.
6. Click Save to commit your changes.
7. Finally (and critical to the configuration process), restart the Good Technology Common service in Windows Services Manager to allow these settings to take effect.

To use SQL Authentication to access the database:

1. Select SQL Server Login as the Authentication Type.
2. Enter the SQL Server Username and Password.
3. Click the Test button to verify connectivity with the database.
4. Click Save to commit your changes.
5. Use the Windows Services Manager to locate the service named Good Technology Common service, then select Restart to allow these settings to take effect.

Tip: After restart, check the table dbo.keyvaluerecord to verify that your SQL Server database is now being used by GEMS.

Microsoft Exchange

1. Returning to the GOOD MAIL SERVICE CONFIGURATION page, click Microsoft Exchange.
2. Enter the Domain, Username ("GoodAdmin" is recommended), and Password of the Windows Service Account. This account should have impersonation rights on Exchange.
3. Enter a valid end-user address to test connectivity using the Service Account and click Test.
   Note: If the service account is correctly configured and the test fails, it is generally the case that GEMS is attempting to communicate with an Exchange Server that is not using a trusted SSL Certificate. If your Exchange server is not set up to use a trusted SSL certificate, see Importing CA Certificates for GEMS.
4. Click Save to commit your changes.

Database Connectivity Issues

If GEMS is unable to connect to its Push Notification database, this usually means that the Mail > Microsoft Exchange configuration information was applied in the GEMS Dashboard before configuring the Mail > Database information. If you encounter this problem, use the following procedure to resolve the issue.

From the GEMS Dashboard:

1. Restart the Good Technology Common service.
2. Make sure the information in Mail > Database is correct.
3. Repopulate the Mail > Exchange Server configuration, then test and save your changes.

Web Proxy

Because APNS pushes are sent via the Good Network Operations Center (NOC), which resides outside of your enterprise network, a proxy may be needed to access the NOC.

To configure a Web Proxy for GEMS-PNS:

1. Returning to the GOOD MAIL SERVICE CONFIGURATION page, click Web Proxy.
2. Enable the Use Web Proxy checkbox.
3. For Proxy Address, enter the FQDN of the web proxy.
4. Enter a Proxy Port.
5. Select a Proxy Server Authentication Type (or None) from the drop-list. If you choose Basic or NTLM authentication, enter recognized credentials (Username, Password) and, optionally, the Domain.
6. Check "Use the same web proxy settings to connect to an externally hosted Exchange" if you want to use this web proxy to communicate with a hosted Exchange (cloud deployed).
7. Click Test to confirm connection to the proxy server.
8. Click Save to commit your changes.

Android Push Notifications

Google Cloud Messaging (GCM) must be configured to support Android Push Notifications. This requires a GCM sender ID and API key.

To configure Android Push Notification:

1. On the dashboard's GOOD MAIL SERVICE CONFIGURATION page, click Android Push Notification.
2. Open a new browser tab and login to Good Control.
3. In the GC Dashboard under SETTINGS, click Licenses and Keys, then open the API Keys tab.
   Note: If a GCM API Key does not currently exist in Good Control, follow the guidance in Appendix H for obtaining a GCM API Key. If the key is already in Good Control vis-à-vis the screenshot above, continue with the instructions here.
4. From the Good Cloud Messaging API section, copy the Sender ID and, switching to your browser's GEMS Dashboard tab, paste the value into the GCM Sender ID field.
5. Returning to Good Control, copy the Key, switch to the GEMS Dashboard tab, and paste this value into the GCM API Key field.
6. Click Save.

Stop Notifications

By default, notifications are sent to a user's device and are regulated by a set of timers. The Stop Notifications feature allows you to stop notification for all devices associated with a particular user immediately. A user can resubscribe to notifications but only if the user is entitled to an app that can subscribe to notification services.

To selectively stop push notifications for an individual user:

1. On the dashboard's GOOD MAIL SERVICE CONFIGURATION page, click Stop Notifications.
2. Enter the user's address and click Save.

Remember, you can always return to the GEMS Dashboard to adjust and fine-tune your settings or change them altogether. Next, you're ready to configure Good Control to support GEMS services.

Configuring Good Control

A few basic configuration settings are necessary so that Good Control can properly support Good Work application users with GEMS services. These include:

- Configuring EAS for the Good Work app
- Adding Applications and Users
- Device Provisioning and Activation

Note: The Good Work application must be published in Good Control. For prerequisite details on setting up Good Control, see Good Dynamics Requirements. To learn how to add the application in Good Control, see "Registering a New Application" in the GC console's online help.

With respect to GEMS, to complete configuration of PNS, please login to Good Control with full admin rights.

64 Configuring GEMS Services Configuring Exchange ActiveSync (EAS) for Good Work To allow your users to easily enroll in EAS when they activate their Good Work app, the app must be configured in Good Control to connect to EAS. This is accomplished from your Good Control console. Important: Before the Good Work app can be configured to use PNS, it must first be configured for EAS. There are two parts to this procedure: Whitelisting the EAS server(s) in Good Control Adding the correct JSON configuration If this has not already been accomplished, please see the Good Work Product Guide for the correct setup instructions. Adding Applications and Users in Good Control By default, every user is assigned to the Everyone group. If you plan to use the default, simply add the Good Work app to the Everyone Application Group. Refer to your Good Control online help utility and the Good Work Product Guide for guidance on adding applications like Good Work and Good Connect, along with adding new user accounts and modifying policies and permissions. Whitelisting Your GEMS Host(s) in Good Control The GEMS host must be whitelisted in Good Control to enable proper communication between the Good Proxy server and GEMS. To whitelist GEMS in Good Control: 1. Open the Good Control console, then under SETTINGS, click Client Connections. 2. Scroll down to ADDITIONAL SERVERS and click. 3. In the SERVERfield, add the FQDN of the GEMS machine and enter 8443 for the Port. Choose a primary GP cluster and a secondary GP cluster (if available). Good Enterprise Mobility Server 56

4. Whitelist additional GEMS hosts with GP Clusters by repeating from Step
5. Click Submit to save your changes.

Adding GEMS to the Good Work Application Server List

The Good Work client checks the Good Work server list for available GEMS instances hosting the Presence service. Hence, the list must be populated with at least one GEMS machine configured for the Good Enterprise Services entitlement app. When multiple GEMS hosts are listed, you can use Good Work's Preferred Presence Server Configuration parameter to set up a presence affinity association (see Configuring Presence Affinity for Good Work).

To add GEMS to the Good Work application server list:

1. Under APPS, click Manage Apps, search for or scroll down to Good Work and click it.
2. Click the GOOD DYNAMICS tab, then, in the Server section, click EDIT.
3. Enter the GEMS host FQDN in the Host Name field, then enter 8443 under Port.

Note: Unless you import a publicly verifiable certificate into the GEMS Java keystore, please be aware of the following:

1. Access to the GEMS Dashboard from a browser will show an untrusted SSL certificate.
2. You will need to upload the GEMS certificate to Good Control.

4. If you have additional GEMS hosts, configure them for the application in the same way, after clicking to add a new row.
5. Click Save to commit your changes.

Configuring GEMS-PNS for HA

High Availability for GEMS-PNS is based on clustering. When adding a new GEMS-PNS instance, you will need to:

1. Configure your new GEMS-PNS instance to use the existing database.
2. Configure your new GEMS-PNS instance to point to the same Good Proxy server.
3. Configure your new server host and port in the Good Control server list.

The GEMS Push Notifications Service (PNS) supports high availability (HA) by adding additional servers running PNS. The GEMS instances hosting PNS that you designate to participate in HA must share the same database.

To set up an HA GEMS-PNS host, simply provision an additional server and install GEMS-PNS. Using the same service account ("GoodAdmin") for all HA servers is strongly recommended. In the GEMS dashboard configuration on the HA server, be sure to point the HA server to the same database.

From the Good Control console, add each HA server to the Good Work application server list in accordance with the instructions above for configuring the Good Work App with EAS.

Configuring GEMS-PNS for DR

Recommended disaster recovery (DR) measures for GEMS-PNS are based on an active/cold standby clustering model.

Before adding a GEMS-PNS instance for DR, you will need to:

1. Configure database replication for the GEMS-PNS database from your primary site to your DR site. SQL log shipping is recommended. Consult your database administrator for assistance.
2. Ensure that the appropriate network ports are open to allow the GEMS-PNS servers within your DR site to communicate with the database, Exchange, and Good Proxy servers in your DR and Primary site.

When adding a new DR GEMS-PNS instance, you will need to:

1. Configure your DR GEMS-PNS instance to use the primary database in the cluster.
2. Configure your DR GEMS-PNS instance to use the primary Good Proxy server in the cluster.
3. Whitelist your DR GEMS-PNS server host and port in Good Control (see Whitelisting Your GEMS Host(s) in Good Control).
4. Configure your DR GEMS-PNS instance in Good Control for the Good Work App (see Adding GEMS to the Good Work Application Server List). Be sure to set the PRIORITY setting to Secondary or Tertiary.

Important: After the DR GEMS-PNS instance is installed and configured, you will need to stop the Good Technology Common service. This places the DR GEMS-PNS instance in cold standby.

In a DR situation in which you want to fail over, you will need to:

1. Stop the Good Technology Common service on all your primary GEMS-PNS instances.
2. Fail over your GEMS-PNS database on your database server (i.e., make the GEMS-PNS database in your DR site active).
3. Fail over your DB FQDN DNS to your DR DB server. If this is not possible, see Step 5.
4. Start the Good Technology Common service on your DR GEMS-PNS instance.
5. If you were not able to do Step 3 (fail over DB DNS), you will need to log in to the GEMS Dashboard and update the GEMS-PNS DB information to point to your DR DB server, then restart the Good Technology Common service for the new DB settings to take effect.
6. If you also failed over your Good Proxy servers as part of this process, you will need to update the Good Proxy information in the GEMS dashboard for the GEMS-PNS service.

Device Verification and Testing

The Good Work app is publicly available from the Apple App Store or the Google Play store. By default the app will only use HTTPS to communicate with GEMS when it registers for push notifications. If you would like to do device verification and testing in a test environment, you can configure communications to use HTTP instead of HTTPS.

This is a matter of making additional changes to the Good Control configuration (JSON) we set up when configuring the Good Work app with Active Sync earlier.

If you haven't already done so, download the Good Work app to your device. Upon launching the Good Work app for the first time, you will be prompted for an address and a provisioning PIN. If you don't have this information, refer to the previous section on device activation keys. Good Work will continue the provisioning process once the address and PIN are entered correctly. Depending on the Good Control policy for the device, you may be prompted to create a password for the app.

After the app password is set, you will be prompted for your enterprise address and Active Directory password. If the system is not able to correlate your address to an Exchange Active Sync (EAS) server, you will be prompted for a different EAS server and domain credentials.

When everything is set up correctly, Good Work will automatically start synchronizing with Exchange and you will start to see mail, calendar and contact information in the app. If Good Presence is configured, you will also see presence information for each contact.

To test from GEMS whether a device is actually connected, go to Push Channels and query GEMS. You can also query users by going to EWS Listener. If these tests fail or are inconclusive, investigate Autodiscover troubleshooting. Refer to Logging and Diagnostics for any additional issues encountered.

Adjusting the Push Notification Cutoff Time

GEMS-PNS Mail notifications are downgraded to "no-details" if the device has not registered within a configurable amount of time. The default cutoff time is three days (43200 seconds). Max value is 18 days (43200 * 6) or seconds.

To change the mail push notification cutoff time:

1. Go to and log in as administrator with the appropriate AD credentials.
2. Click OSGi, then select Configuration.
3. Scroll down to the Good Technology Push Coalescing section and locate the pushdowngradecutoffsec parameter.
4. Increase or decrease the value (default = 43200) to the desired cutoff time in seconds.

PNS Logging and Diagnostics

Helpful performance logs and diagnostic information for GEMS and the Push Notification Service can be found in the GEMS Web Console. To set or change the administrator's password, see Changing the GEMS Web Console Password.

GEMS Web Console

The GEMS Web Console provides advanced configuration and tuning options for GEMS. It should be used with care as it offers advanced maintenance capabilities intended for expert users of the system.

To see the relevant logs in your browser:

1. Go to https://<fqdn_of_your_gems_host>.com:8443/system/console/configmgr
2. Log in as an administrator with the appropriate AD credentials.

3. Click on OSGi, then select Log Service.
4. Scroll the log activity. It's listed in chronological order.

Note: A more robust and complete administration guide covering how to use the advanced features of the GEMS Web Console is scheduled for publication later this year.

Log File Location

The actual log files are stored in the GEMS installation directory. Its default location is:

    C:\Program Files\Good Technology\Good Enterprise Mobility Server

All log directories are relative to this path. The GEM Server Log can be found in:

    \Good Server Distribution\gems_quickstart-<version>\data\log\

Autodiscover Override

In certain environments, the system may not be able to dynamically retrieve the autodiscover endpoint URL. If this happens, the autodiscover endpoint URL will need to be set manually. Push notification failure and EWS Listener queries returning NULL are common symptoms.

To set the override from the GEMS machine:

1. Log in to the GEMS Web Console as an administrator.
2. Select OSGi > Configuration.
3. Scroll down to GEMS Autodiscover Configuration and click it.
6. Enter an Autodiscover override URL in the field provided. This typically takes the form "https://" + domain + "/autodiscover/autodiscover" + fileextension. Ex.: https://mycas.mydomain/autodiscover/autodiscover.svc.

The value of fileextension depends on which Autodiscover access method is used, SOAP or POX. The SOAP service uses a ".svc" file extension; POX uses ".xml".

Important: Because GEMS uses SOAP (Simple Object Access Protocol), you must use the .svc file extension.

7. Click Save.
8. Restart the Good Technology Common service.

To remove the override, return to the GEMS Autodiscover Configuration in the GEMS Web Console and remove the override URL, then save the configuration.

Detailed Notifications Cutoff Time

After a configurable amount of time (12 hours by default), if Good Work has not been unlocked and actively used on a device, the GEMS Push Notification Service will remove details about individual messages from Notifications that are displayed on the device. Message details in Notifications sent by the GEMS Push Notification Service will resume when Good Work is next unlocked and used on the device.

To configure the detailed notifications cutoff time:

1. Open the GEMS Web Console in your browser (https://<fqdn_of_your_gems_host>.com:8443/system/console/configmgr).
2. Log in as administrator (the default uid/pwd is "admin"/"admin").
3. Select OSGi > Configuration, then scroll down to Good Technology Push Coalescing and click it.
4. Increase/decrease the value of pushdowngradecutoffsec in seconds. The default value is (in seconds) or 12 hours.

The following conversion table is provided for convenience.

Seconds Hours Days

Checking EWS Listener and Push Channels

GEMS provides diagnostic URLs to help you determine whether GEMS-PNS is working properly. However, these diagnostic URLs are not remotely accessible. They can only be accessed on the same machine on which GEMS-PNS is running. Therefore, you must use " " as the hostname in each of the URLs below.

A quick way to check whether or not the Push Channels and EWS Listener are working is to query GEMS with the following URLs:

Push Channels

Sample Output:

    30D ","bundleId": "com.good.gcs.g3.enterprise","ewsprofileid":"51","devicetype":"ios"}]

If the outputs are NULL ([]), check the log for the reasons why. If outputs are not found, then refer to the SSH console for additional detail.

EWS Listener

Sample Output:

    "lasterrortime":null,"status ":null}]

Using the first check, you will see a push channel registration if the device successfully connected to GEMS. Then, if your Exchange Configuration is set up properly, you will see a streaming EWS Listener subscription.

Note that in the diagnostic URLs above, the HTTP protocol is used. This is permissible for connections made to GEMS from the same machine on which GEMS is running but not from remote clients.

Occasionally, for evaluation or demonstration purposes, you may not yet have configured SSL for GEMS Core. In this situation, you can permit remote connections to GEMS via HTTP. Even when doing so, please note that traffic between the device and the Good Proxy remains protected over a secure channel.

To do so, add the following line to the JSON configuration for Good Work in Good Control:

    "serverprotocol":"http",

For example:

    {
        "serverprotocol":"http",
        "disablesslcertificatechecking":"true",
        "< domain for end users>": {
            "EASDomain":"<EAS Windows domain for end users>",
            "EASServer":"<EAS server fully qualified DNS name>",
            "AutodiscoverURL":"https://autodiscover.mydomain.com/autodiscover/autodiscover.xml",
            "EASServerPort":"<EAS server port number>",
            "EASUseSSL":"true"
        }
    }

If using Autodiscover, replace the EASServer parameter above with AutodiscoverURL so that

    "EASServer":"<EAS server fully qualified DNS name>"

becomes

    "AutodiscoverURL":"https://autodiscover.good.com/autodiscover/autodiscover.xml"

See Enabling GEMS HTTP above; see also "Adding the JSON Configuration for EAS" in the Good Work Product Guide.

Configuring the Connect Service

The Connect service governs IM and presence capabilities of the Good Connect app. Configuring the GEMS Dashboard and Good Control are critical phases in the deployment of Good Connect. This entails:

- Configuring Connect in the GEMS Dashboard
- Configuring Good Control for Connect
- Enabling SSL via Good Proxy
- Configuring support for the Global Catalog

Configuring Connect in the GEMS Dashboard

Using Good Connect, employees can track coworker availability, initiate or receive an instant message, make a phone call, share and open file links in Good Share or send an email securely via Good for Enterprise. Best of all, Good Connect lets you efficiently embrace BYOD programs without compromising corporate security or employee privacy.
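The evaluation-only settings in the Good Work JSON configuration shown earlier ("serverprotocol":"http" and "disablesslcertificatechecking":"true") are easy to leave behind when a test configuration is promoted. The following check is an added example, not part of the guide or of any Good product: it uses the key names as printed on this page (compared case-insensitively, an assumption about the transcription), and the domain, host names and port in the two sample configurations are constructed.

```python
import json
from urllib.parse import urlsplit

# Top-level keys that are settings rather than per-domain EAS blocks (names as printed in the guide).
GLOBAL_KEYS = {"serverprotocol", "disablesslcertificatechecking"}


def is_true(value):
    """The guide's JSON stores booleans as the strings "true" / "false"."""
    return str(value).strip().lower() == "true"


def lint_good_work_config(text):
    """Return a list of (location, message) findings for one Good Work app configuration."""
    config = json.loads(text)
    top = {key.lower(): value for key, value in config.items()}
    findings = []

    # The guide states the app uses HTTPS by default, so an absent key is treated as https.
    if str(top.get("serverprotocol", "https")).lower() == "http":
        findings.append(("serverprotocol", "client reaches GEMS over HTTP (evaluation setting)"))
    if is_true(top.get("disablesslcertificatechecking", "false")):
        findings.append(("disablesslcertificatechecking", "certificate checking is disabled"))

    # Every other object-valued key is a per-domain EAS block.
    for domain, block in config.items():
        if domain.lower() in GLOBAL_KEYS or not isinstance(block, dict):
            continue
        eas = {key.lower(): value for key, value in block.items()}
        if not is_true(eas.get("easusessl", "false")):
            findings.append((domain, 'EASUseSSL is not "true"'))
        url = eas.get("autodiscoverurl")
        if url is not None and urlsplit(url).scheme.lower() != "https":
            findings.append((domain, "AutodiscoverURL is not an https:// URL"))
        if url is None and "easserver" not in eas:
            findings.append((domain, "neither EASServer nor AutodiscoverURL is set"))
    return findings


# Constructed sample: a configuration left in its evaluation state.
EVALUATION_CONFIG = """{
  "serverprotocol": "http",
  "disablesslcertificatechecking": "true",
  "example.test": {
    "EASDomain": "EXAMPLE",
    "AutodiscoverURL": "https://autodiscover.example.test/autodiscover/autodiscover.xml",
    "EASServerPort": "443",
    "EASUseSSL": "true"
  }
}"""

# Constructed sample: the same deployment with the evaluation lines removed.
PRODUCTION_CONFIG = """{
  "example.test": {
    "EASDomain": "EXAMPLE",
    "EASServer": "eas.example.test",
    "EASServerPort": "443",
    "EASUseSSL": "true"
  }
}"""

if __name__ == "__main__":
    for name, text in (("evaluation", EVALUATION_CONFIG), ("production", PRODUCTION_CONFIG)):
        for location, message in lint_good_work_config(text):
            print(f"{name}: {location}: {message}")
```
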

Complete the configuration steps for each of the following components to set up the Connect service:

- Service Account
- Database
- Good Dynamics
- Lync 2010 or Lync 2013
- Microsoft Exchange (optional)
- Web Proxy (optional)

Click Connect in the dashboard's Good Services Configuration page to get started.

Configuring the Service Account

Necessary components are grayed out until you provide the correct Windows Service Account credentials for GEMS, which uses this information to securely connect to Microsoft Services like Active Directory, Lync, Exchange, and SQL Server. Make sure this service account has RTCUniversalReadOnlyAdmins rights. If an account has not yet been created, contact your Windows domain administrator to request an account.

Important: Be sure to stop the "Good Technology Connect" service in Windows Services Manager.

To configure the Windows Service Account for GEMS:

1. Click Service Account to provide the GEMS Domain Service Account credentials.
2. Enter the service account Username and Password.
3. Click Save.

These credentials are not stored after the current browser session ends. If the credentials are valid, the service is connected and the links to the other components on the Good Connect Service Configuration page are activated.

Configuring the Database

1. In the Good Connect Service Configuration page click Database.
2. Enter the Server and Database name, then select the appropriate Authentication Type. When you choose Windows Authentication, the credentials for the Windows Service Account configured for the Good Connect Service are used. If you select SQL Server Login, you will then need to enter a valid Username and Password for the SQL Server database prescribed in the Prerequisites section of this guide.
4. Click Test to verify that a connection with the database can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that System and Network Requirements, plus all Database Requirements, have been met. Correct as needed, then return to Step 1 above.
5. Click Save.

Configuring Good Dynamics

Before continuing with this setup phase, make sure that your Good Dynamics servers (Good Connect and Good Proxy) are installed and operating. For details, see the Good Dynamics Server Installation Guide available on GDN.

To configure GEMS connectivity with Good Dynamics:

1. In the Good Connect Service Configuration page (breadcrumb: Services > Connect), click Good Dynamics.
2. Next, in the Good Dynamics Server Configuration page, enter the Hostname and Port number of the Good Proxy server, then choose communication via HTTP or HTTPS.

   Important: To configure HTTPS you must upload the Good Proxy server's CA certificate to the GEMS-Connect server's Windows keystore. See Configuring GEMS-Connect to use SSL with Good Proxy for details.
3. Click Test to verify that a connection to the Good Proxy server can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that all System and Network Requirements, plus all Good Dynamics Requirements, have been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.

Next, follow the guidance for the Lync Server version deployed in your environment: Lync 2010 or Lync 2013.

Configuring Lync 2010

1. From the Good Connect Service Configuration page, click Lync 2010. The system will query the Lync server to verify that the appropriate GEMS Lync topology has been added. Allow a few moments for the query to complete.

2. From the Application ID drop-down list, select the pool_gems.<mycompany.com> application id. If the list is empty, this means that either the GEMS Lync topology was not set up correctly or the service account does not have the proper permissions to query these settings. Refer to Microsoft Lync 2010 Requirements and correct your topology or permissions as needed.
3. Click Test to verify that a connection to the Lync 2010 Server can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that all System and Network Requirements, plus all Microsoft Lync 2010 Requirements, have been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.

The default location of the GEMS Connect Dashboard logs is:

(a) <install dir>\good Enterprise Mobility Server\Good Component Manager\RunAsService\logs
(b) <install dir>\good Enterprise Mobility Server\Good Component Manager\logs

These are the log files you will want to check if issues arise with your Lync configuration.

Configuring Lync 2013

1. From the Good Connect Service Configuration page, click Lync 2013. The system will query the Lync server to verify that the appropriate GEMS Lync topology has been added. Allow a few moments for the query to complete.

2. From the Application ID drop-down list, select the appid_connect.<mycompany.com> application id. If the list is empty, this means that either the GEMS Lync topology was not set up correctly or the service account does not have the proper permissions to query for these settings. Refer to Microsoft Lync 2013 Requirements and correct your topology or permissions as needed.
3. Click Test to verify that a connection to the Lync 2010 Server can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that all System and Network Requirements, plus all Microsoft Lync 2013 Requirements, have been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.

The default location of the GEMS Connect Dashboard logs is:

(a) <install dir>\good Enterprise Mobility Server\Good Component Manager\RunAsService\logs
(b) <install dir>\good Enterprise Mobility Server\Good Component Manager\logs

These are the log files you will want to check if issues arise with your Lync configuration.

Configuring Microsoft Exchange Conversation History

Enable this component connection only if you wish to access saved conversations from Microsoft Exchange. Bear in mind that before configuring conversation history for the Good Connect Service, you must first make sure that it is enabled on the enterprise Lync Server for which you are configuring Good Connect. As indicated on the Dashboard, consult your Microsoft Lync 2010 Administration Guide and Windows PowerShell Supplement.

To configure GEMS to access Exchange conversation histories:

1. From the Good Connect Service Configuration page, click on Microsoft Exchange.

2. Check Enable Conversation History.
3. Enter the URL for your Microsoft Exchange Server in the field provided.
4. Select the supported Exchange Server Type (version) from the drop-down list.
5. Enter the desired Server Write Interval in minutes. This determines the frequency with which each unique conversation will be sent to Exchange.
6. Click Test to verify that a connection to the Exchange Server can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that System and Network Requirements, plus all Microsoft Lync Server Requirements, have been met. Correct as needed, then return to Step 1.
7. Click Save to record these settings.

Configuring a Web Proxy

If your company uses a web proxy server to connect to the Internet, you must enter the information necessary to enable a connection with the Good Connect Service. Skip this setup phase if your enterprise does not use a web proxy.

To configure the GEMS Internet connection using a web proxy:

1. From the Good Connect Service Configuration page, click on Web Proxy.
2. Check Use Web Proxy.
3. Enter Proxy Address and Proxy Port number. Both of these values should be exclusive to your organization.
4. Select a Proxy Authentication Type.

   Basic authentication requires that a user name and password be supplied by the GEMS-Connect Service to authenticate a request. Digest authentication is more secure because it applies a hash function to the password before sending it over the network. If no authentication is required or desired, select None. If you choose an authentication type, the Connect Service Username and Password are automatically populated based on the Windows Domain Service Account you assigned to the Connect Service under Configuring Windows Services.
5. Next, you can specify the Domain, although this is not required.
6. Click Test to verify that a connection to the Web Proxy can be made. If the test is successful, a confirmation is displayed at the top of the page in blue. If testing fails, check that you entered the correct Proxy Address in Step 3 above, and that all System and Network Requirements have been met. Correct as needed, then retry by clicking Test again.
7. Click Save to record these settings.

Restart the Good Technology Connect Service

Now that GEMS is configured, you must restart the Good Technology Connect service in the Windows Services Manager in order for your changes to take effect.

Configuring Good Control for Connect

Next, it's important to associate deployed GEMS and the Good Connect Client within Good Control's application management handler. This is required for each GEMS machine, individually and clustered. This configuration information dictates the available servers to which a Good Connect client may connect.

Important: The Good Connect application must be published in Good Control. For prerequisite details on setting up Good Control, see Good Dynamics Requirements. To learn how to add the Good Control app, see "Registering a New Application" in the GC console's online help.

To add server pool and IM platform information, you must launch the Good Control management console in your browser. Then, with the Good Control management console loaded in your browser, complete the following steps (as pictured):

1. In the navigator under APPS, click Manage Apps, then search for or scroll down to select Good Connect.
2. Click it to open, then click the GOOD DYNAMICS tab.
3. In the Server section, click EDIT.

4. For each GEMS machine deployed:
   a. Click the Add icon.
   b. In the new HOST NAME field, enter the FQDN of the Connect service host.
   c. In the PORT field, enter the corresponding port (typically 8080).
   d. For each GEMS machine, enter the following information in the Configuration field:

      PLATFORM=LYNC SERVERS=<comma-separated list of available GEMS hosts using the format FQDN:port>

Consult the Good Control online help utility for additional information.

Next, you're ready to list the approved GEMS hostnames and ports for client connections.

Defining Allowed Domains and Servers

Allowed domains and servers within your enterprise network to which the Good Collaboration client apps can connect are defined in Good Control's Client Connections option under SETTINGS. It is strongly recommended that you whitelist each individual GEMS. Here, the domain you are trying to configure is the one that allows GD connections to your Microsoft Exchange server and your host and port(s) for Connect IM.

Whitelisting means that domains and servers on the list will be accepted, approved or recognized. It is the reverse of blacklisting, the practice of identifying those that are denied or unrecognized.

First, locate ADDITIONAL SERVERS under Client Connections.

This is a list of specific servers with which all GD applications can connect. Add servers to this list instead of using the ALLOWED DOMAINS list if you want to restrict access so that GD applications can only connect to certain servers, like GEMS and Exchange, and not to every machine in a domain.

To add an allowed server:

1. Click to add a blank row to the list.
2. Enter the SERVER fully qualified hostname and PORT in the respective fields.
3. Assign a primary and secondary GP cluster for the server, if applicable. Connections through GP servers in the primary cluster are attempted first, and if no responses are received, connections are attempted through GP servers in the secondary cluster.
4. Click Submit.

As indicated at the beginning of this topic, you can also whitelist or block domains.

To edit information for an allowed server:

1. Click the Edit icon for the server.
2. Modify the server name or GP cluster configuration.
3. Click Submit to commit the change.

To remove a server from the list:

1. Click the Remove icon for the server.
2. Click Submit.

To whitelist GEMS:

1. Click the Edit icon.
2. Under Additional Servers, add an entry for the GEMS Connect service that will use port
   Reflecting your specific machine information, the entry should look something like this: goodconnect<n>.<mycompany.com>:
   Make sure to save your changes.

So, for example, your Client Connections with GEMS Presence and Connect configured will look something like this:

Setting Policy Governing Disclaimer Text

Via Good Control, you can choose the option to display a Corporate Policy disclaimer at the top of every new conversation (IM) within each Connect Service client; for example:

    Use of this service, a company IT asset, is subject to the proper conduct, secure use and handling policies found in the XYZ Employee Handbook.

To set or add a disclaimer via Good Control:

1. In the navigator under POLICIES, click Policy Sets, then select the policy set you want to govern Good Connect.
2. Click the APPLICATION POLICIES tab, then expand the GOOD CONNECT application listing.
3. Click the Disclaimer tab.
4. Enable (check) the Display Disclaimer option.
5. Type or paste in your approved Disclaimer Text (250 characters max).
6. Click Update to display this disclaimer at the top of each new client conversation window.

Establishing User Affinity

In clustered environments, client affinity can be used to map a client to a GEMS machine for the duration of the client session. This makes it possible for a GEMS administrator to pin a user to a cluster of GEMS machines, instead of letting the system randomly assign this particular user to a server from a master list.

To better understand how to use affinity assignments, consider the following example. XYZ Inc. has two Lync pools: a West Coast pool hosting users in XYZ's West Coast offices, and an East Coast pool, which hosts users in the firm's East Coast offices. IT therefore deploys a Connect server for each pool, while only setting up one Good Control and Good Proxy cluster, as pictured.

Unless affinity is configured, when Aaron Beard launches his Good Work client, Good Control sends a list of servers that includes both East Coast and West Coast servers, and Aaron's client randomly chooses which one to connect to. Even though Aaron is a West Coast user, there's a strong chance he'll actually be served by the East Coast server. By contrast, when user affinity is enabled, Aaron will always connect to the West Coast server.

To enable User Affinity for Connect:

1. In the navigator under POLICIES, click Policy Sets, then select the policy set corresponding to user affinity assignments for Good Connect; e.g., West Coast Connect Users.
2. Open the APPLICATION POLICIES tab and expand the GOOD CONNECT application listing.
3. Click the Server Configuration tab.
4. Enter (type or paste) your Connect Server Hosts separated by commas in the following format:

   <server_1_fqdn>:<port>,<server_2_fqdn>:<port>,<server_n_fqdn>:<port>

   Example: westcoast1.xyzcorp.com:8080,westcoast2.xyzcorp.com:8080,eastcoast1.xyzcorp.com:8080

5. In the navigator under USERS, click Manage Users.
6. Select the user(s) for whom you want to establish an affinity policy, then click Edit.

7. From the Policy Set dropdown, assign the user to the appropriate policy set.
8. Click Refresh to confirm the change and update the user account.

Enabling/Disabling Conversation History

Saving conversation histories on respective user devices is enabled by default in Good Control. The GEMS Connect Service supports the option to limit storing conversation histories of more than 40 messages on client devices. The decision to do so could be in support of standard enterprise security policy, to conserve physical storage availability on devices, or for any other reason.

To disable/enable the conversation history option:

1. In the Good Control navigator under POLICIES, click Policy Sets, then select the policy set governing collaboration suite apps; i.e., Good Connect.
2. Click the APPLICATION POLICIES tab, then expand the GOOD CONNECT application listing.
3. Click the Conversation History tab, then check/uncheck Save more than 40 messages in a conversation history on the device.
4. Click Update.

Controlling Browser and Map Behavior

GEMS supports the option to control whether or not the local device browser application is invoked when tapping on a Web page URL within a Good Work or Good Connect contact, conversation, or email, and whether the device's map application can be used when tapping an address. Both browser and map access are allowed by default in Good Control.

To disable either browser or map access or both from Good Work or Good Connect:

1. In the navigator under POLICIES, click Policy Sets, then select the policy set governing the application you want to set; i.e., Good Connect or Good Work.
2. Open the APPLICATION POLICIES tab and expand the Good Connect or Good Work application listing.
3. Click the App Settings tab.
4. Disable (uncheck) either option or both, then click Update.

Here, it's important to remember that Good Control Policy Sets are assigned to provisioned devices running the application governed by the policy's permissions. When the app is activated by the user, a policy's permissions and restrictions are applied immediately.

Configuring GEMS-Connect for HA

Like GEMS-PNS, high availability (HA) for GEMS-Connect is based on clustering. The GEMS-Connect service supports HA by adding additional GEMS servers running the GEMS-Connect service in a cluster.

When adding a new GEMS-Connect instance for HA, you will need to:

1. Configure your new GEMS-Connect instance to use the existing database.
2. Configure your new GEMS-Connect instance to point to the same Good Proxy server.
3. Whitelist your new GEMS-Connect server host and port in Good Control.
4. Configure your new GEMS-Connect instance in Good Control for the Good Connect app.

If you have GEMS-Connect user affinity configured, be sure to add the new GEMS-Connect instances to your affinity list as well.
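A new GEMS-Connect instance has to appear in several Good Control lists (the Good Connect server rows, the SERVERS= value, ADDITIONAL SERVERS, and any affinity list), and a missed entry is a common reason an HA node never receives clients. The cross-check below is an added example, not Good's tooling: the list contents are typed in by hand, it assumes the Configuration field holds whitespace-separated KEY=VALUE pairs with no spaces inside the server list, and westcoast3.xyzcorp.com is a constructed host added to the guide's XYZ example.

```python
import re

# <fqdn>:<port>, the format the guide gives for SERVERS= and for affinity lists.
ENDPOINT = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(?P<port>\d{1,5})$")


def parse_endpoints(csv):
    """Parse 'fqdn:port,fqdn:port' into [(host, port)]; raise ValueError on a malformed item."""
    endpoints = []
    for item in csv.split(","):
        match = ENDPOINT.match(item.strip())
        if not match or not 0 < int(match["port"]) < 65536:
            raise ValueError(f"not in <fqdn>:<port> form: {item!r}")
        endpoints.append((match["host"].lower(), int(match["port"])))
    return endpoints


def parse_configuration_field(text):
    """Return (platform, endpoints) from the Configuration field's PLATFORM= and SERVERS= pairs."""
    pairs = dict(token.split("=", 1) for token in text.split() if "=" in token)
    return pairs.get("PLATFORM"), parse_endpoints(pairs.get("SERVERS", ""))


def audit(app_servers, configuration_field, affinity_lists, additional_servers):
    """Cross-check every place a GEMS-Connect endpoint must be listed; return problem strings.

    app_servers         (host, port) rows in the Good Connect app's Server section
    configuration_field text of the app's Configuration field
    affinity_lists      {policy set name: 'fqdn:port,...'} from Server Configuration tabs
    additional_servers  (host, port) rows under Client Connections > ADDITIONAL SERVERS
    """
    rows = {(host.lower(), port) for host, port in app_servers}
    whitelist = {(host.lower(), port) for host, port in additional_servers}
    platform, servers = parse_configuration_field(configuration_field)
    affinity = {name: parse_endpoints(csv) for name, csv in affinity_lists.items()}
    pinned = {endpoint for endpoints in affinity.values() for endpoint in endpoints}

    problems = []
    if platform != "LYNC":
        problems.append(f"PLATFORM is {platform!r}, expected 'LYNC'")
    for host, port in sorted(rows | set(servers) | pinned):
        if (host, port) not in whitelist:
            problems.append(f"{host}:{port} is not whitelisted under ADDITIONAL SERVERS")
    for host, port in sorted(rows ^ set(servers)):
        problems.append(f"{host}:{port} differs between the server rows and SERVERS=")
    for name in sorted(affinity):
        for host, port in affinity[name]:
            if (host, port) not in rows:
                problems.append(f"affinity list '{name}' names {host}:{port}, not a server row")
    if affinity:
        for host, port in sorted(rows - pinned):
            problems.append(f"{host}:{port} is in no affinity list")
    return problems


# Constructed scenario: westcoast3 was added as an HA node to the app's server rows
# and SERVERS=, but not yet to ADDITIONAL SERVERS or to the affinity list.
NEW_NODE = ("westcoast3.xyzcorp.com", 8080)
ADDITIONAL_SERVERS = [("westcoast1.xyzcorp.com", 8080), ("westcoast2.xyzcorp.com", 8080),
                      ("eastcoast1.xyzcorp.com", 8080)]
APP_SERVERS = ADDITIONAL_SERVERS + [NEW_NODE]
CONFIGURATION_FIELD = ("PLATFORM=LYNC\nSERVERS=westcoast1.xyzcorp.com:8080,"
                       "westcoast2.xyzcorp.com:8080,eastcoast1.xyzcorp.com:8080,"
                       "westcoast3.xyzcorp.com:8080")
AFFINITY_LISTS = {"West Coast Connect Users": "westcoast1.xyzcorp.com:8080,"
                  "westcoast2.xyzcorp.com:8080,eastcoast1.xyzcorp.com:8080"}

if __name__ == "__main__":
    for problem in audit(APP_SERVERS, CONFIGURATION_FIELD, AFFINITY_LISTS, ADDITIONAL_SERVERS):
        print(problem)
```
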

Lync Front-End (FE) Pool Consideration

If your Lync environment has more than one FE pool, especially if it's an FE pool for HA, it is recommended that you create an additional Trusted Application Pool for your GEMS-Connect HA instances. The additional Trusted Application Pool should be created in your FE HA pool.

For instance, let's assume you have FE Pool1 for general use and FE Pool2 for HA. In that case, you would create a Trusted Application Pool in FE Pool1 for your primary GEMS-Connect instances and a Trusted Application Pool in FE Pool2 for your GEMS-Connect HA instances. See Creating an Additional Trusted Application Pool above for details.

Configuring GEMS-Connect for DR

Disaster Recovery (DR) for GEMS-Connect is based on an active/cold standby clustering model.

Before adding a GEMS-Connect instance for DR, you will need to:

1. Evaluate your Lync Disaster Recovery strategy. If you have separate Front End (FE) pools for DR, it is recommended that you create a separate Trusted Application Pool for your GEMS-Connect instances. This separate Trusted Application Pool should be associated with the DR Front End pool. Associate all DR GEMS-Connect instances to this Trusted Application Pool. If you don't have separate Front End pools for DR, then using a single Trusted Application Pool is fine, although you must make sure your Lync DR strategy properly preserves the Trusted Application Pool in the event of a failover.
2. Ensure that the appropriate network ports are open to allow GEMS-Connect servers in your DR site to communicate with database, Lync, Lync DB, and Good Proxy servers in your DR and Primary site.

When adding a new DR GEMS-Connect instance, you will need to:

1. Create a GEMS-Connect database on the DB server in the DR site. Use the schema files that came with the software to manually extend the schema. Only one database is needed for all DR GEMS-Connect instances.
2. Do not provide the name of the GEMS-Connect database during the DR GEMS-Connect installation.
3. After the installation, configure GEMS-Connect to use the database in the DR site.
4. Configure your DR GEMS-Connect instance to use the secondary Good Proxy server in the cluster.
5. Whitelist your DR GEMS-Connect server host and port in Good Control (see Defining Allowed Domains and Servers).
6. Configure your DR GEMS-Connect instance in Good Control for the Good Connect App (see Configuring Good Control for Connect). Be sure to set the PRIORITY setting to Secondary or Tertiary.

Important: After the DR GEMS-Connect instance is installed and configured, you will need to stop the Good Technology Connect service. This places the DR GEMS-Connect instance in cold standby.

In a DR situation in which you want to fail over, you will need to:

1. Stop the Good Technology Connect service on all your Primary GEMS-Connect instances.
2. Start the Good Technology Connect service on your DR GEMS-Connect instance.

Using Friendly Names for Certificates in Connect

The friendly name of a certificate can be helpful when multiple certificates with a similar subject exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified.

You can restrict certificates used for GEMS-Connect to a Friendly Name by:

a. Creating and enrolling a certificate, if you don't already have one
b. Changing the certificate Friendly Name and Description, and
c. Setting the new certificate friendly name string value in the Good Connect Server configuration file (GoodConnectServer.exe.config).

If you do not already have a certificate, you can create and verify a GEMS SSL Certificate for Lync by following the guidance under GEMS Prerequisites, above, for creating and adding the GEMS SSL certificate for Lync.

To change the certificate Friendly Name and Description:

1. Open a command prompt and run mmc.
2. Select File > Add/Remove Snap-in.
3. Click Certificates, click Add, click Computer Account, then click Next.
4. Click Local Computer, click Finish, and then click OK.
5. Select Certificates (Local Computer) > Personal > Certificates.
6. Locate the certificate you want to change and double-click it.

7. Open the Details tab and select Show: <All>, then click Edit Properties.
8. Enter a Friendly Name.
9. Enter a Description.
10. Click Apply, then OK to save your changes.
11. Click OK again to exit the Certificate popup.

You're now ready to set the certificate's new Friendly Name in the configuration file for the GEMS-Connect service.

To update the Good Connect Server configuration file:

1. Open GoodConnectServer.exe.config in your favorite text editor. You can find the file in <install path>\Good Technology\Good Server\Good Connect Server\GoodConnectServer.exe.config.
2. Add the following line (or change its value if it has already been added):

<add key="restrict_cert_by_friendly_name" value="<cert_friendly_name>"/>

Note: The value for <cert_friendly_name> is case-sensitive. Enter it exactly as you see it from the certificate.

3. Save your changes.
4. Restart the Good Technology Connect service in the Windows Service Manager for this change to take effect.

Enabling SSL Support Via Good Proxy

In the diagram below, the blue lines indicate the path to the GEMS machine from each Good Work client.

Although SSL is disabled by default, GEMS can be configured to run securely using SSL/TLS (HTTPS) to communicate with clients through Good Proxy. As discussed under prerequisites, GEMS requires a signed server SSL certificate from a third-party Certificate Authority (CA).

The following step-by-step details will guide you in enabling SSL support via Good Proxy:

- Importing the CA-signed certificate to the GEMS machine
- Binding the SSL certificate to the Connect SSL port
- Adding the certificate to the GEMS-Connect configuration file
- Configuring Good Control to send requests over SSL
- Configuring GEMS-Connect to use SSL with Good Proxy
- Troubleshooting SSL certificate exceptions

Submitting the CSR to a Certificate Authority (CA)

If you need to send the new CSR to a well-known third-party CA and purchase a certificate for your server, the third-party CA may also send you a file that contains the full certificate chain, including possible intermediate certificates. Well-known third-party CAs include:

- Symantec
- Thawte
- GeoTrust
- GlobalSign
- DigiCert

When the issued certificate is received, it is important that it be installed on the same server that generated the CSR. To do so, after the new certificate is issued, you must:

- Import the CA-signed SSL certificate to the GEMS machine
- Bind the issued certificate to the GEMS machine's SSL port
- Add the new certificate information to the GEMS configuration file
- Upload the CA certificate to Good Control
- Configure Good Control to send requests over SSL

Importing the Signed Certificate

Installing the signed certificate is done on the GEMS machine with the GEMS service account. Thus, to install a well-known third-party CA-signed SSL certificate for GEMS, log in with the GEMS service account, and then:

1. Click Start > Run, enter mmc, and click OK.
2. After the MMC launches, click File > Add/Remove Snap-in.

3. Select Certificates in the left panel and click Add to move it into the right panel, then click OK.
4. Select the Computer account option and click Next.
5. Confirm that Local computer is selected and click Finish.
6. Click OK to confirm Certificates in the Console Root.

7. Launch import of the trusted root certificate by expanding Certificates (Local Computer) in the panel on the left, then right-clicking Personal > All Tasks > Import.
8. Once the Certificate Import Wizard opens, click Next.
9. Specify the file you want to import (e.g., the certificate received after submitting a CSR to a well-known, third-party CA) and click Next.
10. Click Next to confirm placing the certificate in the Personal store, then click Finish to import the certificate.

11. Click OK when informed that the import was successful.

Next, you're ready to bind the certificate to the server.

Binding the SSL Certificate to the Connect SSL Port

Before binding the certificate to the GEMS machine's SSL port, you must first import the third-party CA-signed certificate to the GEMS machine. If the import was successful, complete the binding steps that follow. Binding must be completed prior to configuring Good Control to use the new certificate.

To bind the new certificate to the GEMS machine's SSL port:

1. Log in to the GEMS machine with the correct service account.
2. In the MMC's Certificate Snap-in, double-click the certificate, then click on Details to switch to that tab.
3. Change the Show value to Properties Only.
4. Click Thumbprint.
5. Copy the thumbprint value in the lower textbox.
6. Paste the copied thumbprint into a text editor and remove all the spaces, so that f becomes f
7. Copy this edited version of the thumbprint to the clipboard.
8. Open a command prompt as an administrator and enter the following command string:

> netsh http add sslcert ipport= :<port> certhash=<thumbprint> appid={ad67330e-7f e2- F6DF9687BC71}

replacing <port> with the port number you want to use (e.g., 8082) and <thumbprint> with the contents of the clipboard. The appid is an arbitrary GUID value.

9. Confirm the certificate binding by executing the following command:

> netsh http show sslcert

If the certificate is properly bound, you're ready to:

- Add the new certificate information to the GEMS configuration file
- Configure Good Control to send requests over SSL

If binding fails, see Troubleshooting SSL Certificate Exceptions.

Modifying the GEMS-Connect Configuration File with the New Certificate

Some important configuration file changes are necessary to allow Good Connect to use the new SSL certificate. Before continuing, however, it is recommended that you make a backup copy of the current Good Connect server configuration file.

For discussion purposes here, it is assumed that you have installed GEMS in the default directory location on the server. Adjust the drive:\path\ for your deployment as necessary.

To modify the server configuration to use the correct SSL certificate, open C:\Program Files\Good Technology\Good Server\Good Connect\GoodConnectServer.exe.config and:

a. Find this value in the configuration file:

<add key="base_url" value="http://*:8080/" />

b. Change it to this:

<add key="base_url" value="https://*:8082/" />

Note: Save your changes, then restart the Good Technology Connect service in the Windows Service Manager for these changes to take effect.

Configuring Good Control to Send Requests over SSL

Only a couple of changes are needed in the Good Control console to enable client SSL connections with GEMS. These configuration settings involve making sure that:

- Any server previously installed without SSL, including prior implementations of Good Connect and Connect Server, has its FQDN added and associated with the new SSL port.
- Previously installed non-SSL Good Connect servers and Connect Service servers are removed from Good Control.
- The format and port information for servers listed in the configuration is prepended with https:// and assigned to the new SSL port.

To change the necessary application server settings in Good Control (pictured below):

1. Open your Good Control console.
2. In the navigator under APPS, click Manage Apps.
3. Search for or scroll down to Good Connect and click the GOOD DYNAMICS tab.
4. In the Server section, click EDIT, then click the Add icon.

5. Under HOST NAME, enter the fully qualified domain name (FQDN) of each GEMS-Connect Server.
6. Under PORT, enter the SSL port.
7. In the Configuration text box, prepend each listed FQDN with https:// and change its port assignment to the Connect SSL port; e.g.,

To change user affinity-clustering:

1. Click on Policy Sets in the navigator, select the policy to modify and open the APP POLICIES tab.
2. Expand the GOOD CONNECT policy set, then open the Server Configuration tab.
3. Change the port numbers in Connect Server Hosts to the new SSL port for GEMS.

Configuring GEMS-Connect to Use SSL with Good Proxy

By default, the Good Proxy server uses a certificate that is signed by the Good Control CA, a private CA, which means GEMS-Connect will not trust it by default. In order for GEMS-Connect to trust the Good Proxy server's certificate, you must upload Good Control's CA certificate to the GEMS-Connect server's Windows keystore.

Although there are a variety of ways to export the Good Control CA certificate, the easiest method is to use the Firefox browser.

To export the Good Control CA certificate using Firefox:

1. Navigate to the Good Control URL from Firefox.
2. In the Firefox URL bar click on the lock icon (to the left of the URL address), then click More Information.
3. Click Security, then click View Certificate.
4. Open the Details tab and then expand the GC CA entry (should be the very first under Certificate Hierarchy).
5. Click Export.

Once you have the GC CA certificate, you must now import it into the Windows keystore.

To import the certificate to the Windows keystore:

1. Open a Windows MMC and select File > Add/Remove Snap-in > Certificates.
2. Select Computer Account > Local computer > OK.
3. Expand Certificates > Trusted Root Certification Authorities > Certificates.
4. Right-click the Certificates folder, then select All Tasks > Import.
5. Select the GC CA certificate and import it.

Now that the GC CA certificate is imported into the Windows keystore, go back to the GEMS Dashboard and navigate to Connect > Good Dynamics and configure HTTPS.

Upload the CA Certificate to Good Control

If your certificate is signed with an internal certificate authority (i.e., private CA), you must upload the CA certificate to Good Control. Doing this allows the Good Connect client to trust your certificate.

If you do not upload your private CA certificate to Good Control, Good Connect will not be able to connect to the GEMS-Connect service.

To upload your CA certificate to Good Control:

1. Obtain a copy of your CA certificate. Consult your certificate administrator if you do not have access to the CA certificate.
2. Log in to Good Control as an administrator.
3. Under SETTINGS, click Certificates and open the SERVER CERTIFICATES tab.
4. Click button to browse for the appropriate certificate and upload it.
5. Click Apply to save your changes.

Upon uploading the certificate, Good Control automatically distributes it to all GD apps, including Good Connect.

Troubleshooting SSL Certificate Exceptions

Despite meeting all of the SSL certificate requirements defined under Enabling SSL Support via Good Proxy, you may continue to get the following error:

Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.Rtc.Internal.Sip.TLSException

If so, the most likely explanation is that the SSL certificate was not created with the correct CSP and key spec. The KeySpec property sets or retrieves the type of key generated. Valid values are determined by the cryptographic service provider (CSP) in use, typically Microsoft RSA.

To check the certificate's CSP and KeySpec:

1. Open cmd/powershell on the GEMS machine and execute the following command:

certutil.exe -v -store my <name of ssl cert> > c:\temp\ssl.txt

2. Open c:\temp\ssl.txt in a text editor and search for CERT_KEY_PROV_INFO_PROP_ID. The search should return the following:

CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
  Provider = Microsoft RSA SChannel Cryptographic Provider
  ProviderType = c
  Flags = 20
  KeySpec = 1 -- AT_KEYEXCHANGE

If the values for Provider, ProviderType, and KeySpec are not exactly the same as those shown above, you will need to have the CA reissue the SSL certificate with the appropriate provider and key spec values.
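
The CSP and KeySpec check above, automated as an added example (it is not part of the Good guide or its tooling): the Python below parses the text certutil writes to ssl.txt and compares Provider, ProviderType and KeySpec with the values shown, and it also cleans a thumbprint copied from the MMC for use as the netsh certhash. The function names, the mismatching dump and the thumbprint are constructed for illustration.

```python
import re
import unicodedata

# Values the guide shows for a certificate GEMS-Connect can use.
EXPECTED = {
    "Provider": "Microsoft RSA SChannel Cryptographic Provider",
    "ProviderType": "c",
    "KeySpec": "1",  # certutil prints this as "1 -- AT_KEYEXCHANGE"
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")

# The certutil output quoted in the guide.
GUIDE_DUMP = """\
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
    Flags = 20
    KeySpec = 1 -- AT_KEYEXCHANGE
"""

# Constructed sample: a signature-only key held in a general-purpose CSP.
CONSTRUCTED_BAD_DUMP = """\
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = constructed-sample-container
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    ProviderType = 1
    Flags = 20
    KeySpec = 2 -- AT_SIGNATURE

  CERT_SHA1_HASH_PROP_ID(3):
    constructed sample, not a real hash
"""

# Constructed thumbprint as pasted from the MMC: spaces plus a leading
# invisible U+200E, a known artefact of copying from the certificate dialog.
CONSTRUCTED_THUMBPRINT = "\u200e" + " ".join(f"{b:02x}" for b in range(20))


def key_prov_blocks(dump):
    """Return one dict per CERT_KEY_PROV_INFO_PROP_ID block in the dump."""
    blocks, current = [], None
    for line in dump.splitlines():
        if line.strip().startswith("CERT_KEY_PROV_INFO_PROP_ID"):
            current = {}
            blocks.append(current)
            continue
        if current is None:
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
        elif line.strip():
            current = None  # any other non-blank line ends the block
    return blocks


def key_prov_problems(dump):
    """List mismatches against EXPECTED; an empty list means all blocks match."""
    blocks = key_prov_blocks(dump)
    if not blocks:
        return ["no CERT_KEY_PROV_INFO_PROP_ID block found in the dump"]
    problems = []
    for index, block in enumerate(blocks, start=1):
        for name, wanted in EXPECTED.items():
            value = block.get(name, "")
            # Compare only the number for KeySpec, not the symbolic suffix.
            got = value.split()[0] if name == "KeySpec" and value else value
            if got != wanted:
                shown = value or "missing"
                problems.append(f"cert {index}: {name} is {shown!r}, expected {wanted!r}")
    return problems


def netsh_certhash(copied):
    """Strip whitespace and invisible format characters; require 40 hex digits."""
    cleaned = "".join(
        ch for ch in copied
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    )
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {cleaned!r}")
    return cleaned.lower()


if __name__ == "__main__":
    print("guide dump:", key_prov_problems(GUIDE_DUMP) or "OK")
    for problem in key_prov_problems(CONSTRUCTED_BAD_DUMP):
        print("constructed dump:", problem)
    print("certhash:", netsh_certhash(CONSTRUCTED_THUMBPRINT))
```

To use it on a real host, pass the contents of c:\temp\ssl.txt to key_prov_problems; when the store search matches several certificates, each block is reported by its position in the dump.
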
Configuring Support for the Global Catalog

In a multi-domain Active Directory Domain Services (AD DS) forest, the global catalog provides a central repository of domain information for the forest by storing partial replicas of all domain directory partitions. These partial replicas are distributed by multimaster replication to all global catalog servers in a forest. In this way, the global catalog makes the directory structure within a forest transparent to users who perform a search. Without a global catalog server, this query would require a search of every domain in the forest.

During an interactive domain logon, the domain controller authenticates the user by verifying the user's identity, and also provides authorization data for the user's access token by determining all groups of which the user is a member. Because the global catalog is the forest-wide location of the membership of all universal groups, access to a global catalog server is a requirement for authentication in a multidomain forest. A global catalog server is also required for Microsoft Exchange Server.

To support Good collaboration suite users from multiple domains within the same forest, the following modifications using the Active Directory Schema MMC Snap-In will enable users to be accessed from the Global Catalog:

1. Click the Attributes folder in the snap-in.
2. In the right panel, scroll down to the desired attribute, right-click it, and then click Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.
5. Verify that the following attributes are published to the Global Catalog:
   - msrt-primaryuseraddress
   - mail
   - telephonenumber
   - displayname
   - title
   - mobile
   - givenname
   - sn
   - samaccountname
6. Edit the following configuration parameters in the GoodConnectServer.exe.config file installed by default in the C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Connect folder:

<add key="AD_USERS_SOURCE" value="GC"/>
<add key="AD_USERS_SOURCE_DOMAIN" value="<root GC domain; LDAP format>"/>

Note: You must restart the Good Technology Connect service in the Windows Service Manager after updating the parameters.

Configuring Windows Services

Good Connect Server is now listed in the Microsoft Windows Services UI. By opening it, you can review its current status.

If you select the Log On tab, you should see the Service Account user you entered for the Connect service in the GEMS Dashboard. In order for Connect to run as another domain user, the following must be true:

- The alternate domain user must have access to the private key of the computer certificate. See Identifying/Acquiring a Valid SSL Certificate for details.
- The alternate domain user must be enabled to Log on as service through the Local Security Policy tool.

To give your GEMS account Log on as service privileges:

1. Run the Local Security Policy admin tool on the Good Connect host.
2. Expand the Local Policies folder in the navigator on the left.

3. Select the User Rights Assignments folder to see a list of policies.
4. Double-click Log on as a service to add this policy to the Good Connect account.

Connect Service Logging and Diagnostics

Server logs and performance information for the Connect Service can be found in the GEMS installation directory.

Log File Location

The default GEMS host installation directory is:

C:\Program Files\Good Technology\Good Enterprise Mobility Server

All log directories are relative to this path.

GEMS Connect Service Log

\Good Connect\logs\Application-log_<data>.txt

Common Good Connect Issues

When you encounter IM or preference issues, the most common causes can be diagnosed by analyzing the appropriate log file. For troubleshooting, entries like the following examples are generally the most revealing:

Example 1

Log Entry: Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known.

Issue: The hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server.

Resolution: Correct the OCS_SERVER value in the configuration file.

Example 2

Log Entry: DeregisterReason=None ResponseCode=480 ResponseText=Temporarily Unavailable Microsoft.Rtc.Signaling.RegisterException: The endpoint was unable to register. See the ErrorCode for specific reason.

Issue: The port number specified in OCS_PORT_TLS is not valid.

Resolution: Correct OCS_PORT_TLS value in the configuration file.

Example 3

Log Entry: ErrorCode= FailureReason=RemoteDisconnected LocalEndpoint= :5060 RemoteEndpoint= :55118 RemoteCertificate=<null> Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x ) --> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Remote disconnected while outgoing tls negotiation was in progress --> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.

Issue: OCS_TRANSPORT was specified as TLS, however the port number provided was TCP.

Resolution: Change the OCS_PORT_TLS to

Example 4

Log Entry: Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any address and port supplied.

Issue: Port number specified for UCMA_APPLICATION_PORT in the configuration file is either blocked by a firewall or used by another application.

Resolution: Unblock port if it is a firewall issue or choose another port number.

Example 5

Log Entry: Failed to start GoodConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found.

Issue: The certificate's subjectname must contain the local host's FQDN and the private key for the cert must be enabled for the user which executes the GEMS software.

Resolution: Enable private keys for this cert for the user running the GEMS machine.
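
Several of the issues above, and the SSL, friendly-name and Global Catalog steps earlier in this chapter, come down to a value in GoodConnectServer.exe.config. The Python below is an added example, not Good's tooling: it lints the keys this guide names before the service is restarted. The function name and sample files are constructed, and it assumes each setting is an <add key="..." value="..."/> element like the lines quoted in this guide.

```python
import xml.etree.ElementTree as ET
from collections import Counter

PORT_KEYS = ("OCS_PORT_TLS", "UCMA_APPLICATION_PORT")

# Constructed sample that follows the guide's instructions.
CONSTRUCTED_GOOD = """\
<configuration>
  <appSettings>
    <add key="base_url" value="https://*:8082/" />
    <add key="restrict_cert_by_friendly_name" value="GEMS Connect" />
    <add key="AD_USERS_SOURCE" value="GC" />
    <add key="AD_USERS_SOURCE_DOMAIN" value="DC=example,DC=com" />
    <add key="OCS_SERVER" value="lync.example.com" />
    <add key="UCMA_APPLICATION_PORT" value="49555" />
  </appSettings>
</configuration>
"""

# Constructed sample with five mistakes: a duplicated key, the default
# plaintext base_url, a padded friendly name, GC without a domain, a bad port.
CONSTRUCTED_BAD = """\
<configuration>
  <appSettings>
    <add key="base_url" value="http://*:8080/" />
    <add key="base_url" value="http://*:8080/" />
    <add key="restrict_cert_by_friendly_name" value=" GEMS Connect" />
    <add key="AD_USERS_SOURCE" value="GC" />
    <add key="OCS_PORT_TLS" value="70000" />
  </appSettings>
</configuration>
"""

# Constructed sample: the guide's line pasted without replacing the
# placeholder. A raw "<" inside an attribute value is not well-formed XML.
CONSTRUCTED_PASTED = (
    '<configuration><appSettings>'
    '<add key="restrict_cert_by_friendly_name" value="<cert_friendly_name>"/>'
    '</appSettings></configuration>'
)


def lint_connect_config(text):
    """Return a list of findings for the text of a Connect config file."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:
        return [f"XML parse error: {err}"]

    pairs = [
        (el.get("key"), el.get("value", ""))
        for el in root.iter("add")
        if el.get("key") is not None
    ]
    counts = Counter(key for key, _ in pairs)
    findings = [f"{key}: defined {n} times" for key, n in counts.items() if n > 1]
    settings = dict(pairs)  # the last definition is used for the checks below

    base_url = settings.get("base_url")
    if base_url is not None and not base_url.lower().startswith("https://"):
        findings.append(f"base_url: {base_url!r} is not an https:// URL")

    # The friendly name is matched case-sensitively, so stray spaces matter too.
    name = settings.get("restrict_cert_by_friendly_name")
    if name is not None and (not name or name != name.strip()):
        findings.append("restrict_cert_by_friendly_name: empty or padded with spaces")

    if settings.get("AD_USERS_SOURCE") == "GC" and not settings.get("AD_USERS_SOURCE_DOMAIN"):
        findings.append("AD_USERS_SOURCE is GC but AD_USERS_SOURCE_DOMAIN is not set")

    if "OCS_SERVER" in settings and not settings["OCS_SERVER"].strip():
        findings.append("OCS_SERVER: empty")

    for key in PORT_KEYS:
        value = settings.get(key)
        if value is None:
            continue
        if not (value.isascii() and value.isdigit() and 0 < int(value) < 65536):
            findings.append(f"{key}: {value!r} is not a valid port number")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", CONSTRUCTED_GOOD),
                          ("bad", CONSTRUCTED_BAD),
                          ("pasted", CONSTRUCTED_PASTED)):
        print(label, lint_connect_config(sample) or "OK")
```
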

Configuring the Presence Service

Configuring GEMS-Presence to support both Good Work and other third-party apps running on the Good Dynamics platform entails a few steps. These include:

- Configuring Presence in the GEMS Dashboard
- Configuring Good Control for Presence

Configuring Presence in the GEMS Dashboard

The Presence service exposes the Lync Presence Provider (LPP) to third-party Good Dynamics applications. Setting up the Presence service is similar to configuring the Connect service. It can be reduced to the following four steps:

a. Service Account: Enter the GEMS Service Account, but only after making sure this service account has RTCUniversalReadOnlyAdmins rights. Click Save to record these settings.
b. Good Dynamics: Enter the Good Proxy Hostname. Use the Test button to test the connection. Click Save to record these settings.
c. Settings: Default settings are typically sufficient.
d. Lync 2010/2013: After clicking on this setting, the system will dynamically query the Lync Server to see if the appropriate GEMS Lync topology has been added. It will typically take a few moments for the query to complete, so please be patient. For Application ID, select the Lync Presence Provider application ID, then select the corresponding Application Endpoint. If the listboxes are empty, either the GEMS Lync topology was not set up correctly or the service account does not have the proper permissions to query these settings.

To configure the Presence service for your environment:

1. Click Presence under Good Services Configuration.
2. Complete Steps a through d above, accessing each section from the GOOD PRESENCE SERVICE CONFIGURATION page, beginning with Service Account.

3. Use the Test button to test connectivity.
4. Click Save when done.

Additional resources for App Developers

If you are a GD app developer seeking to incorporate the presence service in your apps, the following will be useful links:

- Good Presence Service API
- Good Presence Sample app

Configuring Good Control for Presence

Presence is currently one of three services, along with Follow-Me and Directory Lookup, enabled through Good Control via the Good Enterprise Services entitlement app. You only have to add GEMS as the application server to the GES entitlement once to enable all three services, rather than for each service individually. See Configuring Good Enterprise Services in Good Control for guidance.

Note: You will only need to configure GEMS for services entitlement once to cover all three services; i.e., Presence, Follow-Me, and Directory Lookup.

Otherwise, setting up the Presence service for Good Work involves:

- Adding GEMS to the Good Work Application Server List
- Configuring Presence Affinity for the Good Work app

Adding GEMS to the Good Work Application Server List

The Good Work client checks the Good Work server list for available GEMS instances hosting the Presence service. Hence, the list must be populated with at least one GEMS machine configured for the Good Enterprise Services entitlement app. When multiple GEMS hosts are listed, you can use Good Work's Preferred Presence Server Configuration parameter to set up a presence affinity association (see Configuring Presence Affinity for Good Work).

To add GEMS to the Good Work application server list:

1. Under APPS, click Manage Apps, search for or scroll down to Good Work and click it.
2. Click the GOOD DYNAMICS tab, then, in the Server section, click EDIT.
3. Enter the GEMS host FQDN in the Host Name field, then enter 8443 under Port.

   Note: Unless you import a publicly verifiable certificate into the GEMS Java keystore, please be aware of the following:
   1. Access to the GEMS Dashboard from a browser will show an untrusted SSL certificate.
   2. You will need to upload the GEMS certificate to Good Control.

4. If you have additional GEMS hosts, configure them for the application in the same way, after clicking to add a new row.
5. Click Save to commit your changes.

Configuring Presence Affinity for Good Work

Presence affinity for Good Work is configured in Good Control's Application Policies. Presence affinity is optional. Be aware, however, that once you set affinity, it takes precedence.

Caution: When a distributed computer system is truly load balanced, each request is routed to a different server. This load balancing approach is diminished when server affinity techniques are applied.

To set Presence Affinity for Good Work:

1. In the Good Control navigator click Policy Sets, then locate the policy you want to apply and click it.
2. Click the APP POLICIES tab.
3. Scroll down to Good Work and click it, then click the App Settings tab.

4. In the Server Hosts field, enter the FQDN of your GEMS host and a colon followed by port. As desired, add more servers in the same fashion, separated by a comma and no space.
5. Click Update.
6. Now, repeat Steps 1 through 5 for every policy that will use Good Work Presence.

Configuring GEMS-Presence for HA

The GEMS-Presence service supports high availability (HA) by adding GEMS servers running the GEMS-Presence service.

When adding a new GEMS-Presence instance for HA, you will need to:

1. Configure your new GEMS-Presence instance to point to the same Good Proxy server.
2. Whitelist your new GEMS-Presence server host and port in Good Control (see Defining Allowed Domains and Servers).
3. Configure your new GEMS-Presence instance in Good Control for the Good Work App (see Adding GEMS to the Good Work Application Server List).
4. Configure your new GEMS-Presence instance in Good Control for the Good Enterprise Services Entitlement app (see Adding GEMS to the Good Enterprise Services Entitlement App).

If you have GEMS-Presence user affinity configured, be sure to add the new GEMS-Presence instances to your affinity list as well.

Lync Front-End (FE) Pool Consideration

If your Lync environment has more than one FE pool, especially if it's an FE pool for HA, it is recommended that you create an additional Trusted Application Pool for your GEMS-Presence HA instances. The additional Trusted Application Pool should be created in your FE HA pool.

For instance, let's assume you have FE Pool1 for general use and FE Pool2 for HA. In that case, you would create a Trusted Application Pool in FE Pool1 for your primary GEMS-Presence instances and a Trusted Application Pool in FE Pool2 for your GEMS-Presence HA instances. See Creating an Additional Trusted Application Pool above for details.

Configuring GEMS-Presence for DR

As with other GEMS services, disaster recovery (DR) for GEMS-Presence is based on an active/cold standby model.

Before adding a GEMS-Presence instance for DR, you will need to:

1. Evaluate your Lync Disaster Recovery strategy. If you have separate Front End (FE) pools for DR, it is recommended that you create a separate Trusted Application Pool for your GEMS-Presence instances. This separate Trusted Application Pool should be associated with the DR Front End pool. Associate all DR GEMS-Presence instances to this Trusted Application Pool. If you don't have separate Front End pools for DR, using a single Trusted Application Pool is fine as long as you make sure your Lync DR strategy properly preserves the Trusted Application Pool in the event of a failover.

   Note: GEMS-Presence and GEMS-Connect can use the same Trusted Application Pool for DR.

2. Ensure that the appropriate network ports are open to allow GEMS-Presence servers in your DR site to communicate with database, Lync, Lync DB, and Good Proxy servers in your DR and Primary site.

When adding a new DR GEMS-Presence instance, you will need to:

1. Configure your DR GEMS-Presence instance to use the secondary Good Proxy server in the cluster.
2. Whitelist your DR GEMS-Presence server host and port in Good Control (see Defining Allowed Domains and Servers).
3. Configure your DR GEMS-Presence instance in Good Control for the Good Work App (see Adding GEMS to the Good Work Application Server List). Be sure to set the PRIORITY setting to Secondary or Tertiary.
4. Configure your DR GEMS-Presence instance in Good Control for the Good Enterprise Services Entitlement App (see Adding GEMS to the Good Enterprise Services Entitlement App). Be sure to set the PRIORITY setting to Secondary or Tertiary.

Important: After the DR GEMS-Presence instance is installed and configured, you will need to stop the Good Technology Presence service. This places the DR GEMS-Presence instance in cold standby.

In a DR situation in which you want to fail over, you will need to:

1. Stop the Good Technology Presence service on all your Primary GEMS-Presence instances.
2. Start the Good Technology Presence service on your DR GEMS-Presence instance.

Using Friendly Names for Certificates in Presence

The friendly name of a certificate can be helpful when multiple certificates with a similar subject exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified.

You can restrict certificates used for GEMS-Presence to a Friendly Name by:

a. Creating and enrolling a certificate, if you don't already have one
b. Changing the certificate Friendly Name and Description, and
c. Setting the new certificate friendly name string value in the GEMS Lync Presence Provider (LPP) Service configuration file.

If you do not already have a certificate, you can create and verify a certificate for the Lync Presence Provider (LPP) by following the guidance under GEMS Prerequisites, above, for requesting a GEMS certificate from a local AD certificate authority.

To change the certificate Friendly Name and Description:

1. Open a command prompt and run mmc.
2. Select File > Add/Remove Snap-in.
3. Click Certificates, click Add, click Computer Account, then click Next.
4. Click Local Computer, click Finish, and then click OK.
5. Select Certificates (Local Computer) > Personal > Certificates.
6. Locate the certificate you want to change and double-click it.

7. Open the Details tab and select Show: <All>, then click Edit Properties.
8. Enter a Friendly Name.
9. Enter a Description.
10. Click Apply, then OK to save your changes.
11. Click OK again to exit the Certificate popup.

You're now ready to set the certificate's new Friendly Name in the configuration file for the GEMS Presence service.

To update the LPP configuration file:

1. Open LyncPresenceProviderService.exe.config in your favorite text editor. You can find the file in <install path>\Good Technology\Good Enterprise Mobility Server\Good Presence\LyncPresenceProviderService.exe.config.
2. Add the following line (or change its value if it has already been added):

   <add key="restrict_cert_by_friendly_name" value="<cert_friendly_name>"/>

   Note: The value for <cert_friendly_name> is case-sensitive. Enter it exactly as you see it from the certificate.

3. Save your changes.
4. Restart the Good Technology Presence service in the Windows Service Manager for this change to take effect.

Logging and Diagnostics

The default GEMS host installation directory is:

C:\Program Files\Good Technology\Good Enterprise Mobility Server

All log directories are relative to this path.

GEMS Host Machine Log

\Good Server Distribution\assembly-<version>\data\log\<gems_server_name+timestamp>.log

Note: At 23:59 the timestamp resets to 0:00. It is also reset by a service restart or when the file size reaches 100 MB.

GEMS Presence Service

\Good Presence\Logs\LPP-log.txt

Updating the Connect and Presence Services Using Lync Director

The Lync Director role provides functionality for users accessing Lync, internally and externally [1]. To support this capability, Lync Server is deployed as one or more pools, based on Standard Edition or Enterprise Edition Lync Server. Users can be homed on only a single pool. Clients can be configured to find their Lync pool automatically. However, the DNS records that support this functionality can point to only a single pool. In a multi-pool environment, this "primary" pool will have to redirect users to their correct home pool. This is an overhead on the primary pool.

The Lync Director is used to offload this redirection functionality. The Director does not home any users itself but instead redirects the user to their correct pool home. The requirement for the Lync Director is therefore for multi-pool environments with high user numbers. Once the user has been redirected to their correct pool, the Director plays no further role in communications between the client and the pool server.

[1] From Microsoft Corporation. Used with permission.

To update the Connect and Presence services to use a Director:

1. From the GEMS host, stop the following services:
   - Good Technology Connect
   - Good Technology Presence
2. Locate the Good Connect configuration file. Its default location is:
   C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config

3. Open the file in Notepad, locate the LYNC_SERVER key, then update its value with the FQDN of the Director pool you want to use.
4. Locate the Good Presence configuration file. Its default location is:
   C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Presence\LyncPresenceProviderService.exe.config
   As with Connect, open the file in Notepad and locate the LYNC_SERVER key. Update this value with the FQDN of the Director pool you want to use.
5. Start the two services that you stopped in Step 1.

Configuring the Docs Service

The Docs Configuration Console is required to configure and maintain document/file repositories (file shares, SharePoint) and user access policies for mobile app users of the service. Please make sure that all requirements identified under Docs Service Prerequisites have been satisfied before continuing.

Configuring Docs in the GEMS Dashboard

Just like configuring the other primary services, setting up the Docs service in the Dashboard starts on the Home page. After clicking Docs under Good Services Configuration on the Dashboard home page, completing its service configuration comprises properly setting up the following modules:

- Good Dynamics
- Web Proxy
- Database
- Repositories
- Settings

Note: Your Good Dynamics servers must be operating before the Docs service can be configured for Good Dynamics.
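For the Presence and Connect settings covered earlier (restrict_cert_by_friendly_name in the friendly-name procedure and LYNC_SERVER in the Lync Director procedure), the following PowerShell audit is an added example, not part of the Good documentation. It assumes the guide's default installation paths and an elevated session on the GEMS host; the function names are hypothetical.

```powershell
# Added example: audit the Presence/Connect settings described in this guide.
# Save as a .ps1 and run from an elevated Windows PowerShell session on the GEMS host.
# $GemsRoot is the guide's default install directory; adjust it if yours differs.
$GemsRoot       = 'C:\Program Files\Good Technology\Good Enterprise Mobility Server'
$presenceConfig = Join-Path $GemsRoot 'Good Presence\LyncPresenceProviderService.exe.config'
$connectConfig  = Join-Path $GemsRoot 'Good Connect\GoodConnectServer.exe.config'

function Get-ConfigValue {
    # Returns the value of <add key="$Key" value="..."/>, or $null if absent.
    param([string]$Path, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Config file not found: $Path"
        return $null
    }
    try {
        $doc = [xml](Get-Content -LiteralPath $Path -Raw)
    } catch {
        # A literal placeholder such as value="<cert_friendly_name>" is not valid XML.
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return $null
    }
    # Search every <add> element so no particular config section is assumed.
    $node = $doc.SelectNodes('//add') |
        Where-Object { $_.GetAttribute('key') -eq $Key } |
        Select-Object -First 1
    if ($node) { return $node.GetAttribute('value') }
    return $null
}

function Test-FriendlyNameRestriction {
    # Lists the Local Computer > Personal certificates that match the configured name.
    param([string]$FriendlyName)
    $store = @(Get-ChildItem -Path Cert:\LocalMachine\My)
    # -ceq is a case-sensitive comparison, as the guide's note requires.
    $exact = @($store | Where-Object { $_.FriendlyName -ceq $FriendlyName })
    $nearMiss = @($store | Where-Object {
        $_.FriendlyName.Trim() -ieq $FriendlyName.Trim() -and
        $_.FriendlyName -cne $FriendlyName
    })
    if ($exact.Count -eq 0) {
        Write-Warning "No certificate in LocalMachine\My has friendly name '$FriendlyName'."
        foreach ($c in $nearMiss) {
            Write-Warning "  '$($c.FriendlyName)' ($($c.Thumbprint)) differs only in case or whitespace."
        }
    } elseif ($exact.Count -gt 1) {
        Write-Warning "$($exact.Count) certificates share friendly name '$FriendlyName'; the name does not single one out."
    }
    $now = Get-Date
    $exact | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            Expired       = ($_.NotAfter -lt $now)
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# 1. Friendly-name restriction for the Presence service.
$friendly = Get-ConfigValue -Path $presenceConfig -Key 'restrict_cert_by_friendly_name'
if ($null -eq $friendly) {
    Write-Output 'restrict_cert_by_friendly_name is not set in the Presence config.'
} else {
    Test-FriendlyNameRestriction -FriendlyName $friendly | Format-Table -AutoSize
}

# 2. The Director procedure sets LYNC_SERVER to the same Director pool FQDN in both files.
$lyncPresence = Get-ConfigValue -Path $presenceConfig -Key 'LYNC_SERVER'
$lyncConnect  = Get-ConfigValue -Path $connectConfig  -Key 'LYNC_SERVER'
if (-not $lyncPresence -or -not $lyncConnect) {
    Write-Warning 'LYNC_SERVER is missing or empty in one or both config files.'
} elseif ($lyncPresence -ine $lyncConnect) {
    Write-Warning "LYNC_SERVER differs: Presence='$lyncPresence' Connect='$lyncConnect'."
} else {
    Write-Output "LYNC_SERVER is '$lyncPresence' in both config files."
}
```

Run it after editing either configuration file and before restarting the services, so a mistyped friendly name or a half-applied Director change is caught while the previous configuration is still running.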

Good Dynamics

To configure your Good Dynamics server (Good Proxy) for the Docs service:

1. On the GOOD DOCS SERVICE CONFIGURATION page, click Good Dynamics.
2. Enter the Good Proxy Hostname. If you have more than one Good Proxy server, pick any one you wish. Autodiscover will correctly identify the others.
3. Enter the Good Proxy Port.
4. Select either HTTP or HTTPS, the latter being the more secure transport protocol.
   Note: See Configuring HTTPS for GEMS to Good Proxy in Appendix B for supplemental guidance on transferring the CA certificate for Good Proxy to GEMS.
5. Use the Test button to verify the connection.
6. Click Save to record the setting.

Web Proxy

If you use a web proxy to connect your enterprise servers to the Internet for SharePoint and Office Web App Server (OWAS), you will need to enable Use Web Proxy and configure its address, port, and authentication type for the Docs service.

Note: NTLM and Basic Authentication are not currently supported in GEMS v1.5 for Web Proxy.

To configure a web proxy for the Docs service:

1. On the GOOD DOCS SERVICE CONFIGURATION page, click Web Proxy.
2. Check Use Web Proxy. Uncheck it to disable use of a web proxy.
3. For Proxy Address, enter the FQDN of the web proxy.
4. Enter a Proxy Port.
5. Select a Proxy Server Authentication Type (or None) from the drop-list. If you choose Basic or NTLM authentication, enter recognized credentials (Username, Password) and, optionally, the Domain.

6. Click Test to confirm connection to the proxy server.
7. Click Save to commit your changes.

Database

In configuring your SQL database for GEMS-Docs, you have a choice of using either Windows Authentication or SQL Authentication for granting access to the database by GEMS.

Make sure you have already set the Good Technology Common service to run as the service account in Windows Service Manager (SrvMan). After restarting the Good Technology Common service, perform the steps below for either Windows Authentication or SQL Authentication.

To use Windows Authentication to access the database:

1. On the GOOD DOCS SERVICE CONFIGURATION page, click Database.

2. Enter the Server host name and instance name; i.e., <your_sqlserver_hostname>\<instance_name>.
3. Enter the Database name.
4. Select Windows Authentication for the Authentication Type.
5. Click the Test button to verify connectivity with the database.
6. Click Save to commit your changes.
7. Finally (and critical to the configuration process), restart the Good Technology Common service in Windows Services Manager to allow these settings to take effect.

To use SQL Authentication to access the database:

1. Select SQL Server Login as the Authentication Type.
2. Enter the SQL Server Username and Password.
3. Click the Test button to verify connectivity with the database.
4. Click Save to commit your changes.
5. Use the Windows Services Manager to locate the Good Technology Common service, then select Restart to allow these settings to take effect.

Repositories

The Docs service furnishes your end users with access to stored enterprise data from their mobile devices. A Docs repository (also called a "share") lives on an enterprise server containing files shared by authorized users.

Before you configure your repositories, you should first complete initial configuration of your Security Settings, and then configure Good Control to entitle your users so that they can access the repositories you will add and define later from their mobile devices.

Finally, with respect to Docs, see Managing Repositories for detailed guidance on setting up and maintaining your enterprise shares in GEMS and the associated user access.

Settings

Docs security settings control acceptable SharePoint Online domains, the URL of the approved Office Web App Server (OWAS), the appropriate LDAP domains to use, and whether you want to use Kerberos Constrained Delegation for user authentication.

To configure your Docs security settings:

1. In the GOOD DOCS SERVICE CONFIGURATION page, click Settings.
2. Check Enable Kerberos Constrained Delegation to allow Docs to use KCD; uncheck it to disable KCD. Delegation is the act of allowing a service to impersonate a user account in order to access resources throughout the network. Constrained delegation limits this trust to a select group of services explicitly specified by a domain administrator. See Configuring Kerberos Constrained Delegation (KCD) for GEMS-Docs below for the steps to set up File Share servers and SharePoint apps for constrained delegation to GEMS.
3. Separated by a comma, enter each of the SharePoint Online Domains you plan to make available. See Configuring Support for Hosted SharePoint for additional details.
4. Enter the URL for your approved Office Web App Server. See Configuring Office Web Apps (OWA) for Docs Service Support for guidance on setting up your OWA environment to work with GEMS-Docs.
5. Provide your Active Directory User Domains (separated by commas), then enter the corresponding LDAP Port. LDAP (Lightweight Directory Access Protocol) is used to look up users and their membership in user groups.
6. Check Use SSL for LDAP for secure communication with your AD servers.
7. Click Save to keep these settings. As indicated, restart the Good Technology Common service in order for your changes to take effect.

With the Docs service configured for communication and storage, you're ready to configure Good Control to entitle your users, via application groups, to use the Docs service. Following user entitlement, see Managing Repositories to set up your file shares and SharePoint sites.

Configuring Good Control for the Docs Service

Configuring Good Control for the Docs Service consists of three primary tasks:

- Entitling Users
- Publishing the Docs app
- Configuring User Affinity

Follow the steps for each to complete setup of Good Control (GC) connectivity and communication with the Docs service.

Entitling Users

To configure Docs Service entitlement:

1. Click Manage Apps under APPS and enter a full or partial search string for "Feature - Docs Service Entitlement".
2. Click on Feature - Docs Service Entitlement in the search results.
3. Open the GOOD DYNAMICS tab.
4. In the GD App ID section, click EDIT.
5. Select a policy from the Policy Set Override drop-down if you want to override the default policy.
6. Click Save.

Publishing the Docs App

To publish the Docs app for all users:

1. In the Good Control DASHBOARD, click App Groups under APPS and edit the Everyone group by clicking.
2. Click Add More, then enable the checkbox for Feature - Docs Service Entitlement - ALL.
3. Click OK.

Configuring User Affinity for Docs

Caution: As pointed out for the Presence service, when a distributed computer system is truly load balanced, each request is routed to a different server. This load balancing approach is diminished when server affinity techniques are applied. Be aware that once you set affinity, it takes precedence.

To enable server affinity for Docs in Good Work:

1. In the Good Control console navigator, click Policy Sets, then locate the policy you want to apply and click it.
2. Click the APP POLICIES tab.
3. Scroll down to Good Work and click it, then click the App Settings tab.
4. In the Server Hosts field, enter the FQDN of your GEMS host and a colon (:) followed by port. Add more preferred servers in the same manner, each separated by a comma and no space.
5. Click Update.
6. Now, repeat Steps 1 through 5 for every policy that will use the Docs Service.

Troubleshooting the Docs Service

Major errors and the recommended fixes are listed here on an advisory basis. For additional troubleshooting resources and support, please visit Good's Public KB. Remember to check back often for updates to this list.

Configuring GEMS-Docs for HA

Like other GEMS services, high availability (HA) for GEMS-Docs is based on clustering. The GEMS-Docs service supports HA by adding additional GEMS servers running the GEMS-Docs service in a cluster.

When adding a new GEMS-Docs instance for HA, you will need to:

1. Configure your new GEMS-Docs instance to use the existing database.
2. Configure your new GEMS-Docs instance to point to the same Good Proxy server.

3. Whitelist your new GEMS-Docs server host and port in Good Control (see Defining Allowed Domains and Servers).
4. Configure your new GEMS-Docs instance in Good Control for the Good Work App (see Configuring Good Control for the Docs Service).

If you have GEMS-Docs user affinity configured, be sure to add the new GEMS-Docs instances to your affinity list as well.

Configuring GEMS-Docs for DR

As with the other GEMS services, Disaster Recovery (DR) for GEMS-Docs is based on an active/cold standby clustering model.

Before adding a GEMS-Docs instance for DR, you will need to:

1. Evaluate the DR strategy for your network resources (File Share, SharePoint, OWAS, etc.), then make sure your network resources are accessible from your DR site in the event a DR situation arises.
2. Configure database replication for the GEMS-Docs database from your primary site to your DR site. SQL log shipping is recommended. Consult your database administrator for assistance.
3. Ensure that the appropriate network ports are open to allow GEMS-Docs servers in your DR site to communicate with the database, network resources, and Good Proxy servers in your DR and Primary sites.

When adding a new DR GEMS-Docs instance, you will need to:

1. Configure your DR GEMS-Docs instance to use the GEMS-Docs database in your primary site.
2. Configure your DR GEMS-Docs instance to use the primary Good Proxy server in the cluster.
3. Whitelist your DR GEMS-Docs server host and port in Good Control (see Whitelisting Your GEMS Host(s) in Good Control).
4. Configure your DR GEMS-Docs instance in Good Control for the Good Work App (see Adding GEMS to the Good Work Application Server List). Be sure to set the PRIORITY setting to Secondary or Tertiary.

Important: After the DR GEMS-Docs instance is installed and configured, you will need to stop the Good Technology Common service. This places your DR GEMS-Docs instance in cold standby.
In a DR situation in which you want to fail over, you will need to:

1. Stop the Good Technology Common service on all your Primary GEMS-Docs instances.
2. Fail over your GEMS-Docs database on your database server (i.e., make the GEMS-Docs database in your DR site active).
3. Fail over your database FQDN DNS to your DR database server. If this is not possible, see Step 5.
4. Start the Good Technology Common service on your DR GEMS-Docs instance.
5. If you were not able to do Step 3 (fail over database DNS), then you will need to log in to the GEMS Dashboard and update the GEMS-Docs database information to point to your DR database server. Restart the Good Technology Common service for the new database settings to take effect.

6. If you also failed over your Good Proxy servers in this process, you will also need to update the Good Proxy information in the GEMS dashboard for the GEMS-Docs service.

Managing Repositories

There are two repository storage types:

- File Share: a secure directory on an enterprise file server containing shared files and sub-directories which can be remotely accessed.
- SharePoint: a secure web server containing shared files which are accessed via the Internet.

A repository is further categorized in GEMS-Docs by who added/defined it as follows:

- Admin-defined: file shares and SharePoint sites added and maintained by GEMS administrators to which individual users and user groups are granted access.
- User-defined: file shares and/or SharePoint sites added by individual end users from their mobile devices to which you, as the GEMS admin, may rescind and/or reinstate mobile-based access in accordance with your enterprise IT acceptable-use policies.

To get started, click Repositories on the GOOD DOCS SERVICE CONFIGURATION page.

The REPOSITORIES CONFIGURATION page has three tabs:

- ADMIN DEFINED: in which you create and manage repositories, add/remove users and groups of users, then assign them file access and use permissions.
- USER DEFINED: in which you add/remove users and groups of users, enable/disable their ability to create user-defined shares, and grant/rescind permission to perform a range of file-related actions on their user-defined shares.
- USERS: allows you to search for a specific user in an Active Directory domain to view the repositories permitted by path or override, and who defined the share (the admin or the user).

Next, we briefly cover what you can do under each tab to create and maintain a robust yet secure file sharing environment for authorized members of your mobile device user community.

Admin-Defined Shares

As mentioned above, shares are of two types: File Shares and SharePoint. You can further organize your administrator-defined shares into lists. A named (defined) share, however, can only belong to one list. This is enforced to help you avoid unwanted/unintended duplication.

Stepwise guidance for defining repositories and lists is found under the following topics:

- Defining a Repository
- Defining a New Repository List
- Defining User Access Permissions

Defining a Repository

To define a repository:

1. On the GEMS Dashboard Home page, click Docs then click Repositories.
2. On the REPOSITORIES CONFIGURATION page, click the ADMIN DEFINED tab. Existing (already defined) shares are listed by NAME and PATH and further organized by List name, where applicable. Click a List name to expand/compress its member repositories. To view and/or edit an existing repository definition, just click the NAME or PATH of the repository in the list and skip to Step 4.
3. Click New Repository to create a new repository definition.
4. Provide the following information in the corresponding field to define the share:
   a. Display Name: the name of the repository that will be displayed to users granted mobile access to the repository. Spaces and special characters are allowed. The name must be unique; duplicate names are disallowed.
   b. Storage Type: must be either File Share or SharePoint, selected from the drop-down list. If Storage Type is SharePoint, and the share is running under SharePoint 2013 or a later version, check Add sites followed by users on this site to make this feature available to users of this share. It will only work, however, if SharePoint's MySite plugin is enabled.
   c. Path: the path to the share. If Storage Type is File Share, Path can include AD attributes; e.g., \\fileshare1\<samaccountname> or <homedirectory>. If Storage Type is SharePoint, enter a fully qualified SharePoint URL with/without AD attributes. If the path cannot be verified, an error caution is displayed when you attempt to save the definition.
   d. List: select an existing list from the drop-down to which you want this repository to belong. If no list is defined, you can create one later, as desired, or leave this field blank. If a List is selected, check Enable inheriting of access control of repository list to apply the Access Permissions of the List to this repository. Otherwise, you must define specific access permissions for this share (repository).
5. Click Save to store this information (recommended), then see Defining User Access Permissions to complete the definition.

Defining a Repository List

Use Lists to assign users to multiple repositories and/or to organize your repositories by common characteristics. This allows you to batch-configure user access permissions. Included repositories can inherit the configured user access permissions of the list or maintain permissions independent of the list.

On the REPOSITORIES CONFIGURATION page (breadcrumb = Home > Docs > Repositories) under the ADMIN DEFINED tab:

- Click New List to create a list.
- Click a list name to edit an existing list.

To define a repository list:

1. Enter/change the repository's Display Name. This is the list name that will be displayed to authorized users on their mobile devices.
2. Select/deselect the Repositories to include from the list of defined repositories. Remember that a repository must already be defined before it can be added to a Repository List.
3. See Adding Users and User Groups for steps to add new users to the list definition.
4. See Granting User Access Permissions for guidance on granting or rescinding user access permissions.
5. Click Save to store the list definition.

Adding Users and User Groups

Active Directory Users and Groups must be added to a repository definition or a list definition before access permissions can be configured.

To add users and user groups to a repository or list definition:

1. If the repository definition is not already open, then on the REPOSITORIES CONFIGURATION page under the ADMIN DEFINED tab, click a repository or a list to open its definition.
2. Click Add Users / Groups.
3. In the Search In field, enter a new domain or keep the default domain.
4. Select either Users or Groups, then click in the search field, type a full or partial search string, and click Search.
5. Select from the results by checking one or more entries.
6. Optionally, you can enable Use Different Credentials to configure a different Username and Password for accessing this repository by these users.
7. Click Add to include the selected users or groups in the repository definition. These users or groups will automatically receive default access permissions, which you can edit in the repository configuration. See Granting User Access Permissions.

Granting User Access Permissions

Access permissions are defined for a single repository or inherited from an existing list of repositories. Permissions can be selectively granted to existing Active Directory domain users and user groups. At least one user or user group must be added to the repository definition in order to begin configuring access permissions.

The user access permissions you can enable/disable are enumerated in the following table:

User Access Permissions and Attributes

Access Permission | Permission Attributes | Default Setting
List (Browse) | View and browse repository content (subfolders and files) in a displayed list, and to sort the list(s) by Name, Date, Size, or Kind | Enabled
Delete Files | Remove files from the repository | Enabled
Read (Download) | Download repository files to user's device and open them to read | Enabled
Write (Upload) | Upload files (new/modified) from user's device to the repository for storage | Enabled
Cache (Offline Files) | Temporarily store a cache of repository files on the device for offline access | Enabled
Open In | Open a file in a format-compatible app on the device | Enabled
Create Folder | Add new folders to the repository | Enabled
Copy/Paste | Copy repository file content and paste it into a different file or app | Enabled
Check In/Check Out | While a file is checked out, user can edit the file, close it, reopen it, and work with the file offline. Other users cannot change the file or see changes until it is checked back in | Enabled (SharePoint only)

To change user access permissions:

1. Check or uncheck a permission under Access Permissions on the REPOSITORIES CONFIGURATION page (breadcrumb = Home > Docs > Repositories > Edit), to grant or rescind it.
2. Click in the far right column to remove a user or group from the repository definition.
3. Click Save.

User-Defined Shares

You can allow users to define their own "named" data sources on admin-defined repositories for which they have already been granted permission. Configuring permissions for allowing your users to define their own repositories involves:

- Setting access rights
- Setting allowed data sources
- Granting access permissions

Your users will then be able to define their own shares (data sources), presuming they already have the appropriate access permissions configured on the host server. If not, user-defined share creation will fail.

To set access rights:

1. On the REPOSITORIES CONFIGURATION page (breadcrumb = Home > Docs > Repositories) click the USER DEFINED tab.
2. Check Enable "User Defined Shares" to allow your mobile users to define their own data sources.
3. (Optional) Check Automatically add sites followed by users for authorized SharePoint 2013 repositories with the required MySite plugin enabled.

To set allowed data sources:

1. Check Allow Files Shares to enable user-defined File Share repositories.
2. Check Allow SharePoint Sites to enable user-defined SharePoint repositories.

Important: At least one of the above must be enabled or the entire user-defined option is disabled.

To grant access permissions:

Permissions can be selectively granted to existing Active Directory domain users and user groups. Bear in mind that the most restrictive permissions (admin-defined or user-defined) will be applied.

The user access permissions you can enable/disable for user-defined repositories are enumerated in the following table:

User Access Permissions and Attributes

Access Permission | Permission Attributes | Default Setting
List (Browse) | View and browse repository content (subfolders and files) in a displayed list, and to sort the list(s) by Name, Date, Size, or Kind | Enabled
Delete Files | Remove files from the repository | Enabled
Read (Download) | Download repository files to user's device and open them to read | Enabled
Write (Upload) | Upload files (new/modified) from user's device to the repository for storage | Enabled
Cache (Offline Files) | Temporarily store a cache of repository files on the device for offline access | Enabled
Open In | Open a file in a format-compatible app on the device | Enabled
Create Folder | Add new folders to the repository | Enabled
Copy/Paste | Copy repository file content and paste it into a different file or app | Enabled
Check In/Check Out | While a file is checked out, user can edit the file, close it, reopen it, and work with the file offline. Other users cannot change the file or see changes until it is checked back in | Enabled (SharePoint only)
Add New Repositories | Permits new repositories to be added from the user's mobile device. | Disabled

To change user access permissions:

1. Check or uncheck a permission under Access Permissions on the REPOSITORIES CONFIGURATION page (breadcrumb = Home > Docs > Repositories > Edit), to grant or rescind it.
2. Click in the far right column to remove a user or group from the user-defined repository definition.
3. Click Save.

User Repository Rights

You may need to search for a particular user to review which repositories are configured for his/her access, as well as the specific permissions granted. This is especially true when a user is merely one member of an AD group configured for repositories, and therefore not listed individually in your admin-defined or user-defined repository configurations, and you need/want to consider making specific changes to this user's access permissions.

To search for a specific user:

1. Click the USERS tab on the REPOSITORIES CONFIGURATION page (breadcrumb = Home > Docs > Repositories).
2. Enter a full or partial search string for the user's AD account.
3. If you don't see the user you want, extend or narrow the search string or click Switch Domains to search a different AD domain.
4. When found, click the NAME you want to see the list of repositories currently allowed to this user. Here, the DEFINED BY column identifies what type of repository it is: Admin-defined or User-defined.

5. Click the name of the repository (or anywhere on the row) to display this user's access permission.
6. Optionally, enter an Override Path for this User to narrow or broaden access within this repository, then click Save.

To make changes to this user's access permissions, see Granting User Access Permissions under Admin-Defined Shares or how to change access permissions under User-Defined Shares.

Using the Docs Self-Service Web Console

Very similar to the method for adding user-defined repositories on/from the device (see "Adding a New Data Source" in the respective Good Work Client User Guide for iOS or Android), authorized users can conveniently log in to a GEMS-Docs Self-Service Web Console from a browser on their office workstation or laptop to add user-defined File Share and SharePoint repositories.

The self-service console is included in your GEMS installation and automatically configured with the Docs service in the GEMS Dashboard. The URL is

To log in and use the Docs Self-Service Console:

1. In your workstation browser, enter the URL above with the appropriate substitutions.
2. Log in with your AD credentials: Username, Password and Domain.

3. Click Add Repository to define a new data source.
4. Enter a Display Name. This is what will be displayed in repository lists in the console and on device(s).
5. Enter a Storage Type, either File Share or SharePoint.
6. Enter the Path in accordance with the format indicated by the example.

7. Click Save.

Your new user-defined repository is now listed and will be available on your device the next time you log in to Good Work. To remove a repository, just click the X next to it.

Windows Folder Redirection (Native)

This feature gives administrators the ability to redirect the path of a folder to a new location, which can be on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.

Folder Redirection is located under Windows Settings in the console tree when you edit a domain-based Group Policy using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.

Offline File technology (turned on by default) gives users access to the folder even when they are not connected to the network, and is especially useful on laptops and mobile devices. Offline folders do not, however, work out of the box with Samba network drives. See Offline Folders (Native) for details.

Otherwise, Windows Folder Redirection can be enabled for any of the predefined folders in the Group Policy Management Editor.

In Windows Server 2008, a total of 13 different folders can be redirected. Pictured above, these include:

- AppData(Roaming)
- Desktop
- Start Menu
- Documents
- Pictures
- Music
- Favorites
- Contacts
- Downloads
- Links
- Saved Games
- Searches
- Videos

As an administrator, you will need to create the root folder for the destination location. This folder can be created on a local or remote machine (NAS), but it is important that all members of the group who will have Windows Folder Redirection enabled are given full access to the root folder.

To enable Folder Redirection and configure access:

1. Create a root folder (e.g., RedirectShare) for the redirect destination.
2. In the Group Policy Management Editor, select a specific folder (e.g., Documents) and add one or more rules to determine which users/groups can redirect the selected folder to the root folder.
3. Set an environment variable %USERNAME% to the path [Root]\<username>\Documents\.

The tree structure of the root (for example, RedirectShare) will look something like:

Now the user's folder has exclusive user permissions. No other user can see the files. The user can update these files, add new files, and delete files. Then, when the user connects to the corporate network again, the files are automatically synchronized with the redirected location.

If modifications are attempted on the same file in both locations at the same time, an alert is issued (pictured next), and the user is responsible for resolving the conflict (i.e., keep source, keep destination, keep both files).
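The statement above that each user's redirected folder has exclusive permissions can be checked rather than assumed, which matters once the Docs service exposes those folders to mobile devices. The following PowerShell audit is an added example, not part of the Good documentation; it assumes each first-level folder under the root is named after the user's account name (as in [Root]\<username>\Documents\), and the function name and the $AllowedExtra list are hypothetical choices to adjust for your environment.

```powershell
# Added example: find per-user folders under a Folder Redirection root that grant
# access to anyone other than the folder's own user.
# Assumptions (not from the guide): first-level folder name = user's account name;
# the principals in $AllowedExtra are acceptable on every user folder.
$Root         = 'C:\RedirectShare'   # example root folder name used in the guide
$AllowedExtra = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-RedirectFolderFinding {
    param(
        [string]$Root,
        [string[]]$AllowedExtra
    )
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # The owner should normally be the user the folder belongs to.
        $ownerAccount = ($acl.Owner -split '\\')[-1]
        $ownerOk = ($ownerAccount -ieq $dir.Name) -or ($AllowedExtra -contains $acl.Owner)

        foreach ($ace in $acl.Access) {
            # Deny entries only remove access, so they are not findings here.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $identity = $ace.IdentityReference.Value      # e.g. DOMAIN\jsmith
            $account  = ($identity -split '\\')[-1]       # e.g. jsmith

            if ($account -ieq $dir.Name)          { continue }   # the folder's own user
            if ($AllowedExtra -contains $identity) { continue }   # accepted principals

            # Anything left is a group, another user, or an unresolved SID.
            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: the grant comes from the root ACL
                Owner     = $acl.Owner
                OwnerOk   = $ownerOk
            }
        }
    }
}

$findings = @(Get-RedirectFolderFinding -Root $Root -AllowedExtra $AllowedExtra)
if ($findings.Count -eq 0) {
    Write-Output "No unexpected Allow entries on user folders under $Root."
} else {
    Write-Warning "$($findings.Count) unexpected Allow entries found under $Root."
    $findings | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap
}
```

Findings with Inherited set to True usually mean the full-access grant given to the group on the root folder is flowing down into the user folders, which is the case that breaks the exclusive-permission expectation.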

Thus, if a user uploads a file through a mobile app directly to the share, it will be visible on the local PC in the Documents folder. Moreover, when the Docs Service is configured with User Private Shares pointing to the redirected root folder (e.g., C:\RedirectShare\), users can automatically use their own folders inside the mobile app from the Home Directory on their phone or tablet.

Note: For users with their home folder defined in AD, Folder Redirection works when the redirection path is the same as the user's home folder in AD.

Local Folder Synchronization - Offline Folders (Native)

Users who work remotely on content creation and save files locally for offline access can now access these files on the go from their mobile devices without having to open their local machine. The Docs Service provides authorized users access to their Home Directory hosted on NAS shares and exposed through Active Directory. However, this synchronization feature (synching folders on the user's remote laptop or desktop with their home directory) is only available on local machines running Microsoft Windows.

When you select a network file or folder to make it available offline, Windows automatically creates a copy of that file or folder on your computer. Thereafter, any time you reconnect to the network folder, Windows synchronizes these files with those in the network folder. You can also synchronize them manually any time you want.

As pointed out above, this feature does not work out of the box with a Samba network drive, and workarounds are not currently supported by Microsoft. Otherwise, the feature can be enabled from Windows Explorer and used for any shared folder as pictured.

Now that the shared folder is available offline, it can be used offline. Users can even make a shortcut to the shared folder on their desktop for convenience. Moreover, when you work offline and make changes to offline files in a network folder, Windows automatically syncs the changes the very next time you connect to that network folder. You can also manually sync changes by clicking the Sync Center tool. Additionally, there are more advanced sync scheduling controls available in the Windows Sync Center.

If the user is working offline while someone else changes a file in a shared network folder, Windows syncs those changes with the offline file on the local computer the next time it connects to that network folder. If a sync conflict occurs (meaning changes were made to both the network and offline versions of the file between sync-ups), Windows will prompt the user to decide which change takes precedence.

Files that were cached automatically are removed on a least-recently-used basis once the maximum cache size is reached. Files cached manually are never removed from the local cache. When the total cache size limit is reached and all files that were cached automatically have already been removed, files cannot be made available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet (pictured below).

The default size limit for the Offline Files cache is 25 percent of the total disk space of the drive where the cache is located. The cache size can be configured through Group Policy by setting the limit on disk space used by Offline Files (go to Computer Configuration > Policies > Administrative Templates > Network > Offline Files) on each client separately.

Synchronization takes place a few minutes after the user logs in and connects to or opens a shared network folder containing offline files, and is schedule- or event-based. However, this must still be enabled manually by each user. Even so, through the Group Policy editor, the domain administrator can set various synchronization triggers; e.g., On Logon, On Logoff, Sync Interval, etc.

Pictured above, these settings are available in User Configuration\Administrative Templates\Network\Offline Files and in Computer Configuration\Administrative Templates\Network\Offline Files in the Group Policy Object Editor snap-in. For more information about policy settings, see the Explain tab on the Properties page of each policy.

See also Configuring Group Policy for Offline Files on Technet.

These options (Folder Redirection and Offline Folders) offer these advantages compared to a proprietary laptop/desktop agent furnished by Good:

- IT does not have to manage and deploy another desktop agent.
- Microsoft Folder Redirection is integrated with GPO and manages conflicts.
- Existing compliance tools and processes govern the data.

Again, once the files are synchronized to the Home Directory, IT administrators can make use of the GEMS-Docs Service feature in which AD attributes can be specified in the path to expose the user's Home Directory to the Good Work app running on provisioned mobile devices. It is also important to remember that for users who have their home folder defined in AD, Folder Redirection works when the folder redirection path is the same as the user's home folder in AD.

Configuring Support for SharePoint Online/OneDrive for Business

SharePoint Online locations can be added as repositories in Docs just like an on-premise SharePoint site to support both admin-defined and user-defined data sources. This is also true for OneDrive for Business (ODfB).

SharePoint Online furnishes two different ways for on-premises Active Directory (AD) users to authenticate and perform normal SharePoint operations. These include:

- DirSync with Password Hash, wherein users and their passwords on AD are synchronized with Office 365 (O365). Users are presented with a login page where they can enter their credentials to access SharePoint Online.
- Active Directory Federation Service (ADFS), wherein ADFS serves as a Secure Token Service. Behind the scenes (in the background), users are redirected to ADFS for authentication and are issued security tokens that are then used by SharePoint Online to sign in. SharePoint Online users will not need to enter credentials when accessing from the corporate network, which typically enables SSO scenarios.
Both authentication mechanisms are supported by the Docs Service and all preparations take place on the server side exclusively. No device changes are required. The only prerequisite is that SharePoint Online is already deployed based on either of the authentication mechanisms: DirSync with Password Hash or ADFS. Consult Microsoft O365 resources regarding SharePoint Online deployment for details and procedures.

To configure SharePoint Online and/or ODfB:

1. From the GEMS Dashboard, click Docs, then click Settings (breadcrumb = Home > Docs > Settings).
2. Enter the FQDN for your primary SharePoint Online Domain. Then, separated by a comma, enter your FQDN for OneDrive for Business. In the example below, goodshare.sharepoint.com is the primary or "main site" URL, and goodshare-my.sharepoint.com is the ODfB site.

3. Click Save, then restart Good Technology Common service to allow the settings to take effect.
4. Next, click Docs, click Repositories, then click the New Repository button.
5. Enter a Display Name of your choice, set the Storage Type to SharePoint, enter the Path for your primary SharePoint Online site from Step 2, then click Save.
6. Next, add another repository (optional) for OneDrive for Business by clicking New Repository.
7. Enter a Display Name of your choice, set the Storage Type to SharePoint, enter the Path for your ODfB site from Step 2, then click Save.

Note: Here, you can use the username wildcard (<username>) in the URL, as in the example below. When the user tries to browse this location from the Good Work app, it will replace the wildcard with the current user's username in the URL.

Tip: You can log in to the SharePoint Online website and click the OneDrive option, then copy the URL from your browser and paste it into Path.

8. Finally, confirm that both repositories are now shown in the repository list.

SharePoint Online Authentication Setup

For Kerberos Constrained Delegation (KCD), which allows for Single Sign-On credential-less access to network resources from devices, only ADFS authentication to SharePoint Online is supported.

Note: Configure delegation using the GEMS Windows Service Account (e.g., GoodAdmin). Also, when adding Kerberos delegation constraints for Docs service users, add the ADFS server HTTP service. Do not attempt to add SharePoint Online servers for delegation here.

For non-KCD configurations (in which users must enter their credentials on the device), both DirSync with Password Hash and ADFS authentication mechanisms to SharePoint Online are supported. No extra authentication-related steps are needed to use this configuration.

ADFS Version and Location

Good recommends ADFS 2.0. ADFS may be installed on either Windows 2008 R2 or Windows The ADFS server is automatically identified by the Docs Service based on the SharePoint Online location and therefore does not need to be specified.

ADFS HTTPS Certificate

If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the GEMS server machine. To add the certificate, navigate to IIS Manager on the ADFS machine, then go to Server Certificates and export the certificate to a file. Next, on the GEMS machine, import this certificate into the trusted CA list.

Once you have deployed SharePoint Online, you're ready to configure the Docs Service for your SharePoint Online users.

Troubleshooting SharePoint Issues

Major errors and the recommended fixes are listed here on an advisory basis. For additional troubleshooting resources and support, please visit Good's Public KB. Remember to check back often for updates to this list.

Issue: Good Work Docs fails to find a SharePoint view by name
Suspected Cause: HTTP URL length issue
Resolution: In IIS, under site or server, open Configuration Editor and, in the drop-down at the top, expand system.web and select httpRuntime. You should see the maxUrlLength property here (default is 260); increase this to

Configuring Office Web Apps Server (OWAS) for Docs Service Support

Office Web Apps Server is a new Office server product from Microsoft that delivers browser-based versions of Word, PowerPoint, Excel, and OneNote. A single Office Web Apps Server farm can support Docs service users who access Office files through SharePoint and File Shares. The new stand-alone deployment model means that you can manage updates to your Office Web Apps Server farm independently of other Office Server products that are deployed in your organization.

GEMS-Docs Service and Good Work Support for OWAS

GEMS-Docs support for OWAS gives your users the ability to view and edit Office documents and convert them to PDF format in Good Work and other GD-powered apps that use the Docs service. This is all done within the secure GD container. The Good Work Docs component is used to browse and select the files. Good Access is used to view and edit the documents.

The following file types are supported:

Microsoft Word

| File Format | View | Edit |
|---|---|---|
| Open XML (.docx) | Yes | No |
| Binary (.doc) | Yes | No |
| Macro (.docm) | Yes | No, and macros do not work |
| Templates (.dotm, .dotx) | Yes | No |
| Other file formats (.dot, .mht, .mhtml, .htm, .html, .odt, .rtf, .txt, .xml, .wps, .wpd) | No | No |

Microsoft Excel

| File Format | View | Edit |
|---|---|---|
| Open XML (.xlsx) | Yes | Yes |
| Binary (.xlsb) | Yes | Yes |
| Binary (.xls) | No | No |
| Macro (.xlsm) | Yes | Yes. However, you are prompted to create a copy of the file that has the macros removed when you save the changes that you have made |
| Other file formats (.xltx, .xltm, .xlam, .xlm, .xla, .xlt, .xml, .xll, .xlw, .ods, .prn, .txt, .csv, .mdb, .mde, .accdb, .accde, .dbc, .igy, .dqy, .rqy, .oqy, .cub, .uxdc, .dbf, .slk, .dif, .xlk, .bak, .xlb) | No | No |

Microsoft PowerPoint

| File Format | View | Edit |
|---|---|---|
| Open XML (.pptx, .ppsx) | Yes | Yes |
| Binary (.ppt, .pps) | Yes | Yes. PowerPoint Online or PowerPoint Web App converts the .ppt or .pps file to a .pptx or .ppsx file to allow you to edit the file, but you must save the file as a .pptx or .ppsx file to save your changes. |
| Macro (.pptm, .potm, .ppam, .potx, .ppsm) | Yes | No |
| Other file formats (.pot, .htm, .html, .mht, .mhtml, .txt, .rtf, .wpd, .wps, .ppa, .odp, .thmx) | No | No |

PDF and OpenDocument

| File Format | View | Edit |
|---|---|---|
| PDF (.pdf) | Yes | No |
| OpenDocument Text (.odt) | Yes | No |
| OpenDocument Spreadsheet (.ods) | Yes | Yes |
| OpenDocument Presentation (.odp) | Yes | Yes |

For more information on the file types supported with OWAS, see MS Article

Documents in a supported format can reside on any of the following storage types:

- File Shares
- SharePoint 2007/2010
- SharePoint 2013
- SharePoint Online

Client devices supported [1]:

- iOS devices
  - iPad: viewing and editing
  - iPhone: view only
- Android devices
  - Phones: view only
  - Tablets: view only

OWAS Deployment

Deploying Office Web Apps Server involves installing some prerequisite software and running a few Windows PowerShell commands. Overall the process is fairly straightforward and is summarized here with convenient links to pertinent Microsoft documentation and other associated aids.

Important: To download Office Web Apps Server you must have a license under a Volume Licensing Agreement, for Office Professional Plus 2013, Office Standard 2013, or Office for Mac

[1] Device-specific functional limitations indicated for viewing/editing are the result of current OWA support for the devices rather than an inherent GEMS/Good Work or Good Access software limitation.

To deploy Office Web Apps Server:

1. Install Microsoft Office Web App Server (OWAS) if one is not present on the network. Visit the following links for installation guidance:
   a. System requirements and planning steps
   b. Installation steps
   c. PowerShell commands
2. Configure GEMS Docs for OWA access:
   a. On the GEMS Dashboard, navigate to Docs, then Settings.
   b. Enter the Office Web Apps Server URL as where OWASERVER is the FQDN of the OWAS host machine and click Save.
   c. Restart the Good Technology Common service.
3. Export the SSL certificate of the GEMS server to a file. On the GEMS machine, execute the following command (gems.jks is in the etc\keystores folder):

    keytool -export -alias serverkey -file gems.crt -keystore gems.jks

4. On the OWAS host, add the certificate from the previous step to the Trusted Root CA of the computer account as follows:
   a. Launch mmc.exe
   b. Go to File > Add/Remove Snap-in > Add Certificates
   c. Select Computer Account > Local Computer
   d. Expand Certificates, choose Trusted Root Certificate Authorities, right-click Import, and select the certificate from Step 3.
5. Obtain the OWAS server SSL certificate.
6. Add the OWAS SSL certificate to GEMS in accordance with the guidance under Importing CA Certificates for GEMS.

Repeat Steps 3 through 6 for each GEMS machine deployed.

Troubleshooting

OWAS logs are found at C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS.

Configuring Kerberos Constrained Delegation (KCD) for GEMS-Docs

Configuring GEMS-Docs to use KCD for accessing resources such as SharePoint and File Shares obviates any need for end users to provide their network credentials to access network resources via the GEMS-Docs service. However, before configuring the GEMS-Docs service to use KCD, it is important to understand that configuring KCD for GEMS-Docs is independent of configuring Good Dynamics KCD. This means, for example, that if your mobile app (i.e., Good Work) requires use of the GEMS-Docs service exclusively, you only need to configure KCD for GEMS-Docs. In other words, there is no need to configure Good Dynamics KCD. To better illustrate this, the following diagram charts a sample KCD call flow for Good Work.

All KCD (Kerberos constrained delegation) transactions are between the GEMS-Docs service account and the key distribution center (KDC) and respective resources. No KCD information is cached in the mobile app. The GEMS-Docs service utilizes Microsoft's S4U specifications for KCD. For more information on S4U, see: https://msdn.microsoft.com/en-us/library/cc aspx.

Important: Configuring KCD for the Docs service requires v1.10.x or later of both Good Control and Good Proxy, and only Windows authentication in SharePoint is supported. Forms-based and claims-based authentication are not supported. Moreover, IP addresses are not allowed in the SharePoint URLs and File Share paths you configure in GEMS.

Enabling Kerberos constrained authentication for the apps and files available through GEMS-Docs involves:

1. Finding an application's Pool Identity and Port number
2. Applying a user in the Active Directory for the apps and files
3. Adding Kerberos constraints in AD for each user and app
4. Adding Kerberos constraints in AD for each file share server
5. Enabling Kerberos constraints on GEMS.

Finding the Application Pool Identity and Port

To find the application pool identity and port number for the web applications to be shared:

1. Create a list of web applications that are going to be shared through GEMS-Docs.
2. Open Windows Internet Information Services (IIS) Manager.

   Note: Be sure to jot down any additional unique port numbers assigned if a web application was extended to create alternate access mappings.

3. Find the Application Pool identity in the Application Pools list view or in Central Administration > Security > Configure service accounts.

   Caution: In most instances, for KCD to work properly, the application pool identity user must be the same for all application pools whose applications will be accessed by GEMS-Docs. This means you cannot have different application pools running under different users.

4. Find the Port for each of the web applications listed in the Web Application tab. Also look in the Alternate Access Mappings view as necessary.

5. Navigate to Central Administration > Application Management, choose the web application and click Authentication Providers in the ribbon bar. Make sure that the authentication type for each web application is set to Windows and that Negotiate (Kerberos) is enabled under IIS Authentication Settings.

Tip: In certain scenarios, switching to Negotiate might also require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For more information, see "Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5" in MSDN.

Applying the GEMS Service Account in Active Directory for the Apps and Files

Ideally, you should use the GEMS service account (GoodAdmin) as the Service Principal Name (SPN) for KCD. Hence, in the guidance that follows, the user is <domain>\goodadmin.

To apply the GoodAdmin user in Active Directory and associate it with the web apps and files to be shared:

1. Make sure the password for GoodAdmin is set to never expire. Also, do not require a password change for logging on.
2. Create a Service Principal Name (SPN) for each web application that needs to be shared as follows:

    setspn -S HTTP/SPHOST:PORT domain\apppooluser
    setspn -S HTTP/SPHOST.FQDN:PORT domain\apppooluser
    setspn -S HTTP/SPHOST domain\apppooluser
    setspn -S HTTP/SPHOST.FQDN domain\apppooluser

   If the port is a default port (80 or 443), omit the first two lines above. Note that some of the lines need just a host name while others need a fully qualified host name. If the application pool identity is for a built-in user such as Network Service, then specify the host name as shown below instead of <domain>\apppooluser; e.g.:

    setspn -S HTTP/SPHOST:PORT domain\sphost
    setspn -S HTTP/SPHOST.FQDN:PORT domain\sphost
    setspn -S HTTP/SPHOST domain\sphost
    setspn -S HTTP/SPHOST.FQDN domain\sphost

   Note: If you are using SSL, the SPN must refer to HTTP instead of HTTPS.

3. Create an SPN for the GEMS-Docs process user:

    setspn -S HTTP/GEMSHOST domain\goodadmin
    setspn -S HTTP/GEMSHOST.FQDN domain\goodadmin
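The SPN rules in Steps 2 and 3 can be checked before anything is registered. The following PowerShell is an added example, not part of the GEMS guide: it builds the SPN set described above for one web application and reports which account, if any, already holds each SPN. The function names, SPHOST.example.test, port 8080 and the account values are placeholders, and the lookup assumes a domain-joined machine and searches only the current domain.

```powershell
# Added example, not part of the GEMS guide. SPHOST, the FQDN, port 8080 and
# 'apppooluser' are constructed placeholders; substitute your own values.

function Get-ExpectedHttpSpn {
    # Returns the SPN strings the procedure registers for one web application.
    param(
        [Parameter(Mandatory)] [string] $HostName,   # short host name
        [Parameter(Mandatory)] [string] $Fqdn,       # fully qualified host name
        [int] $Port = 443
    )
    $spns = @()
    # Port-qualified forms are registered only for non-default ports.
    if ($Port -notin 80, 443) {
        $spns += "HTTP/${HostName}:$Port"
        $spns += "HTTP/${Fqdn}:$Port"
    }
    # The service class is HTTP even when the site is served over SSL.
    $spns += "HTTP/$HostName"
    $spns += "HTTP/$Fqdn"
    $spns
}

function Find-SpnOwner {
    # Returns every account in the current domain that already holds $Spn.
    param([Parameter(Mandatory)] [string] $Spn)
    # Escape LDAP filter metacharacters before embedding the value.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally {
        $results.Dispose()
    }
}

function Test-SpnPlan {
    # Classifies each planned SPN as Missing, Ok (held only by the intended
    # account) or Conflict (held by another account, or by more than one).
    param(
        [Parameter(Mandatory)] [string[]] $Spn,
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string]   $Account   # sAMAccountName; computer accounts end in '$'
    )
    foreach ($s in $Spn) {
        $owners = @(Find-SpnOwner -Spn $s)
        if ($owners.Count -eq 0) {
            $status = 'Missing'
        } elseif ($owners.Count -eq 1 -and $owners[0].SamAccountName -eq $Account) {
            $status = 'Ok'
        } else {
            $status = 'Conflict'
        }
        $command = ''
        if ($status -eq 'Missing') {
            # Printed, not executed. setspn -S itself refuses to add a duplicate.
            $command = "setspn -S $s $Domain\$Account"
        }
        [pscustomobject]@{
            Spn     = $s
            Status  = $status
            HeldBy  = ($owners.SamAccountName -join ', ')
            Command = $command
        }
    }
}

# Web application on a non-default port: four SPNs are expected.
$plan = Get-ExpectedHttpSpn -HostName 'SPHOST' -Fqdn 'SPHOST.example.test' -Port 8080
Test-SpnPlan -Spn $plan -Domain 'domain' -Account 'apppooluser' | Format-Table -AutoSize

# GEMS-Docs process user: default port, so only the two host forms are expected.
$gems = Get-ExpectedHttpSpn -HostName 'GEMSHOST' -Fqdn 'GEMSHOST.example.test'
Test-SpnPlan -Spn $gems -Domain 'domain' -Account 'goodadmin' | Format-Table -AutoSize
```

A Conflict row means the SPN is registered to an account other than the one named, which must be resolved before Kerberos authentication to that service will work.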

In the SPN commands for the GEMS-Docs process user, GEMSHOST is the hostname of the GEMS machine. Note that an HTTP service (IIS, etc.) need not be running on the GEMS machine; the setspn lines are needed to enable the Delegation tab in User Properties in Active Directory.

Adding KCD in Active Directory

To create constrained delegations for GoodAdmin in each of the SPNs indicated below:

1. Open the Active Directory Users and Computers manager and look under Users to find GoodAdmin.
2. Right-click GoodAdmin and select Properties.
3. Click the Delegation tab.
4. Select both the Trust this user for delegation to specified services only option and the Use any authentication protocol option, and click Add as shown below:
5. Select Users or Computers in the Add Services dialog box to open the Select Users or Computers dialog box.

6. Enter the SharePoint Application Pool Identity user name and click OK.
7. Select all the services that correspond to the SharePoint web applications running under the username chosen above, except for the HTTP service, and click OK.
7. The services to which GoodAdmin can provide delegated credentials are now listed in the DelegationUser Properties dialog box as shown below.

8. Click Add and repeat Steps 2 through 7 above, but instead of choosing the application pool identity user, choose the computer account for the SharePoint server. When you choose the services, select HOST and http, then click OK to add each computer account to the list of services. The added services are then listed on the Delegation tab.
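Because GoodAdmin is trusted for delegation with any authentication protocol, it is worth confirming, once the delegation changes are saved, that the account can delegate only to the services selected in the steps above. This added PowerShell example (not from the GEMS guide) reads the delegation attributes from Active Directory and compares them with an approved list; the function names, host names and approved lists are constructed placeholders, and the query assumes a domain-joined machine.

```powershell
# Added example, not part of the GEMS guide. GoodAdmin is the account name the
# guide uses; every host name and approved list below is a constructed placeholder.

function Get-KcdGrant {
    # Reads the settings that the Delegation tab writes to an account.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    foreach ($p in 'useraccountcontrol', 'msds-allowedtodelegateto', 'distinguishedname') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $r = $searcher.FindOne()
    if ($null -eq $r) {
        throw "Account '$SamAccountName' not found in the current domain."
    }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account            = $SamAccountName
        DistinguishedName  = [string]$r.Properties['distinguishedname'][0]
        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION ("Use any authentication protocol")
        ProtocolTransition = [bool]($uac -band 0x1000000)
        # 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained; not what the guide configures)
        Unconstrained      = [bool]($uac -band 0x80000)
        # SPNs listed under "specified services only"
        AllowedServices    = @($r.Properties['msds-allowedtodelegateto'] |
                                ForEach-Object { [string]$_ })
    }
}

function Compare-KcdGrant {
    # Compares what the account may delegate to against the intended list.
    param(
        [Parameter(Mandatory)] $Grant,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    [pscustomobject]@{
        Account            = $Grant.Account
        ProtocolTransition = $Grant.ProtocolTransition
        Unconstrained      = $Grant.Unconstrained
        # Delegation targets present in AD that nobody approved.
        Unexpected         = @($Grant.AllowedServices | Where-Object { $_ -notin $Approved })
        # Approved targets that have not been added yet.
        NotYetGranted      = @($Approved | Where-Object { $_ -notin $Grant.AllowedServices })
    }
}

# GoodAdmin: services of the SharePoint application pool identity and host (constructed).
$approvedWeb = @(
    'HTTP/SPHOST:8080', 'HTTP/SPHOST.example.test:8080',
    'HTTP/SPHOST',      'HTTP/SPHOST.example.test',
    'HOST/SPHOST',      'HOST/SPHOST.example.test'
)
$web = Compare-KcdGrant -Grant (Get-KcdGrant -SamAccountName 'GoodAdmin') -Approved $approvedWeb
$web | Format-List

# File shares are delegated from the GEMS computer account (cifs), not from GoodAdmin.
$approvedCifs = @('cifs/FILESRV', 'cifs/FILESRV.example.test')
$files = Compare-KcdGrant -Grant (Get-KcdGrant -SamAccountName 'GEMSHOST$') -Approved $approvedCifs
$files | Format-List

if ($web.Unconstrained -or $files.Unconstrained -or $web.Unexpected -or $files.Unexpected) {
    Write-Warning 'Delegation is broader than the approved list; review the Delegation tab.'
}
```

Running the same comparison on a schedule shows when a service is added to either account outside the procedure described here.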

Now, repeat Steps 3-5 for each application pool identity user and each Web Application identified, then click OK to save these GoodAdmin delegation changes.

Note: A limit of 1300 services can be delegated to one account.

Adding KCD for User File Shares

The main difference between sharing files, as opposed to sharing apps, is that here the delegation is to the GEMS computer account and not to the GEMS-Docs process user, GoodAdmin.

To set up KCD for File Shares:

1. Go to Active Directory > Users and Computers > Computers.
2. Right-click the GEMS computer entry and select Properties, then open the Delegation tab.
3. Click Add, select Users or Computers, type in the name of the server whose file share needs access and click OK.
4. In the list of services, select cifs and click OK.

The Delegation tab should then look similar to the shot below (albeit with your computer's name):

5. Repeat Step 2 for each server that has file shares needing access.
6. For the changes above to be received right away, reboot your SharePoint servers and any servers whose network shares are to be accessed.

Note: As Kerberos tokens are cached, rebooting is the only sure way to make sure all delegation changes are received on the machines.

Enabling KCD on the GEMS Host

Finally, to enable Kerberos Constraints on the GEMS host machine:

1. Go to Settings under Docs in the GEMS Dashboard.
2. Enable KCD, then grant the Act as operating system privilege to your GEMS Windows Server Account (GoodAdmin) using Windows Service Manager (SrvMan). This must be done on the machine running the GEMS Docs service.

4. Click OK.

Configuring Good Launcher

The Good Launcher, a UI component accessed in Good apps with the Launcher button, is a library module with numerous functions, currently comprising display of:

- User's name, photo, presence, and status
- List of GD-powered apps and modules installed on the device
- Quick create options to easily compose an email, create a note, schedule a calendar event, or add a contact, regardless of which app is currently open

In addition, the Launcher creates a convenient placeholder location for app settings.

To provide this rich UX, the Launcher library requires GEMS server-side services to:

1. Synchronize policy-based sections (modules) between applications so that, for instance, when Docs is enabled in Good Work, the Docs icon is enabled in the Launcher, even when it is opened outside of Good Work in apps like Good Access or Good Connect.
2. Fetch GAL information about the user to display the correct name and picture.
3. Fetch presence information for the user and display appropriate status (available, busy, away, do not disturb) and the user's presence message.

The required server-side services for the Launcher currently comprise:

- Presence (service id = com.good.gdservice.enterprise.presence)
- Directory Lookup (service id = com.good.gdservice.enterprise.directory)
- Follow-Me Store (service id = com.good.gdservice.enterprise.followme)

The client entitlement app to use these services is Good Enterprise Services (AppID = com.good.gdserviceentitlement.enterprise).

GD clients like Good Work check the server list for available GEMS instances hosting these services. This means the list must be populated with at least one GEMS machine to enable Good Enterprise Services. In addition, the Good Enterprise Services entitlement app will need to be added to at least one App Group in Good Control, like "Everyone."

Hence, to configure Good Enterprise Services in Good Control, you must:

- Verify Good Enterprise Services in Good Control
- Add GEMS to the GES Entitlement App
- Add the GES Entitlement App to an App Group

See Appendix I for additional information related to advanced setup of multiple GEMS hosts with user affinity.

Verify Good Enterprise Services in Good Control

Presuming Good Control is installed, and now that you've installed GEMS on, for example, GEMS-Host1 and GEMS-Host2, the Presence, Directory Lookup and Follow-Me services are now published in Good Control. Even so, it is wise to confirm that these services are available and ready.

To confirm services availability:

1. Log in to Good Control.
2. In the Good Control Dashboard under APPS, click Manage Services and verify that all three Launcher-required services are present as shown below.

If you cannot locate all three services, review Installing GEMS to make sure all tests and check-offs were completed successfully.

Adding GEMS to the Good Enterprise Services Entitlement App

All GD applications must be associated with an application server in Good Control to enable communications between the client app and its application server.

To add your GEMS host(s) to the GES entitlement app:

1. In the GC Dashboard under APPS, click Manage Apps, then scroll down or search for "Good Enterprise Services."

2. Open Good Enterprise Services in the search results by clicking it, then click the GOOD DYNAMICS tab.

3. In the Server section, click EDIT, then enter the FQDN of the GEMS machine under HOST NAME and "8443" under PORT.
4. Set PRIORITY and GP CLUSTER information as necessary.
5. Click under ACTIONS to add the server.
6. Repeat Steps 3 to 5 for each GEMS host you are deploying.
7. Click Save.

Your results will be depicted as follows, albeit listing the server hosts you configure.

Adding the GES Entitlement App to an App Group

The Good Services Entitlement (GES) app now needs to be added to an App Group in Good Control, such as the Everyone group, to entitle the services to users who belong to the group.

To add the GES entitlement app to an App Group:

1. In the Good Control Dashboard under APPS, click App Groups.
2. Open a group or click under ACTIONS to edit.
3. Click.
4. Scroll down or search for "Good Enterprise Services - ALL" and enable it.
5. Click OK.

Repeat to add the services entitlement app to another group.

Configuring the Certificate Lookup Service

The Certificate Lookup service requires LDAP configuration in the GEMS Web Console.

To configure the GEMS Certificate Lookup service:

1. Log in to the GEMS Web Console as an administrator (as a member of the local administrators group), or use your AD credentials if included under GEMS Systems Settings.

2. Select OSGi > Configuration.
3. Scroll down to Directory Lookup Configuration.
4. Enter the LDAP Server Name and LDAP Server Port.
5. Enter the LDAP Login Account and Password.
6. Click Save.

Configuring Good Control

Maintaining GEMS Cluster Identification in Good Control

Always ensure that the Connect servers listed in the Good Control application configuration for Good Connect identify the installed GEMS machines in that cluster.

If you add a server to the cluster, please correlate the timing of the server's installation with updating the Good Control application configuration for Good Work, to include the additional server after it has been installed and is up and running.

If you temporarily remove a server from the cluster for maintenance, it is not necessary to change the Good Control application configuration for GEMS. The Good Work client will detect that the server is offline and will automatically connect to another GEMS machine in the cluster.

If you permanently remove a server from the cluster, first shut down the GEMS machine, then remove it from the Good Control application configuration.

Device Provisioning and Activation

Users invited to install and activate Good Connect on their device(s) require an access key. The access key must be entered when the user opens Good Connect for the first time on a given device.

The access key is a 15-character alphanumeric code sent to the user's (registered) company address and has the following properties:

- It can be used only once and is consumed immediately upon the activation of an application.
- It is not application-exclusive. In other words, a user who has been sent four access keys can use them to activate any four applications to which s/he is entitled.
- It does not support reactivation. Hence, if the client software is uninstalled, then reinstalled on the same device, a new access key is required. This is also true if a new or factory-reset device is in use, or if a device emulator is in use and its state is not persisted. However, a user who has been issued multiple access keys could use them to activate the same application multiple times.
- It can be configured to expire after a specified period of time. This is done in Provisioning Policies under the SECURITY POLICIES tab by enabling the Access Keys expire option, and then selecting the number of days after which access keys expire if not consumed.

To grant access to all your enterprise users, complete the following steps:

1. Assign the default policy set or create a new policy set in accordance with your enterprise's user access protocols. The default policy set is automatically applied to all new users. For each user, the policy currently applied is located at the top of the user's account page. To apply a different policy set, hover your cursor over it and select from the available policy sets in the listbox. It should be noted that the user must be granted access to the app in order to activate it. This is done by assigning the user to an App Group that includes the app (Good Work) for which the user is being permitted access.
2. Go to USERS > Manage Users in the navigation panel, locate and select the user you want to provision by clicking the corresponding checkbox, then click Edit.
3. Click on the Keys tab, then click New Access Key.
A new access key will be sent to the user s registered enterprise address one message per key. Hashes of the access keys are also copied to the GD NOC for validation. Assuming the user has received the message containing the access key and downloaded and installed the GD client application from the pertinent online marketplace App Store or Google Play on the device, they can Good Enterprise Mobility Server 156

165 Uninstalling GEMS now activate the application until its GC-specified expiration date. At application start-up, the Good Dynamics user activation interface opens, whereupon the user must enter the access key and his/her enterprise address in the input fields provided on the client so that the GD Client Library can promptly transmit the access key to the NOC. Additional provisioning and activation options are also available in Good Control. For more on these features see: Easy Activation Uninstalling GEMS If you stop a GEMS instance, it will not be used any more by your HA implementation. and all users that were being serviced by the discontinued instance are reallocated to other servers automatically as soon as the discontinued instance goes down. This equally applies to Connect server instances. If you need to completely remove a GEMS or Connect instance from your environment, take the following steps. Removing a Single GEMS Instance To completely remove a GEMS instance from your environment: 1. Uninstall the desired GEMS instance by running the GEMS installer, located on the host machine's <GEMS_ install_location>\goodenterprisemobilityserversetup.<version>.exe. 2. Select Uninstall and follow the wizard's onscreen instructions. 3. Login to Good Control, then click Manage Apps and scroll down to or search for Good Work and click it. 4. Open the Good Dynamics tab. 5. In the Server section, click EDIT. 6. Locate the FQDN of the GEMS host you want to remove and click. Good Enterprise Mobility Server 157

166 Uninstalling GEMS 7. Click Save. Removing a Connect Instance Similar steps to those above are followed to remove a Connect instance configured in Good Control. To completely remove a Connect server instance from your environment: 1. Uninstall the GEMS instance on the host machine. 2. Login to Good Control, click Manage Apps and scroll down to or search for Good Connect and click it. 3. Open the Good Dynamics tab. 4. In the Server section, click EDIT. 5. Locate the FQDN of the GEMS-Connect host you want to remove and click. 6. Click Save. Good Enterprise Mobility Server 158

Appendix A Pre-Installation Checklists

The following GEMS pre-installation checklists for the respective services cited are recommended for POC and testing environments:

- Push Notifications
- Connect and Presence
- Docs

Upon completing these recommended checklists, please see the supplemental publication SSL/TLS Certificate Check for GEMS and Good Work for valuable information covering import/export of required security certificates to and from the relevant keystores on GEMS and GW client devices for authenticating with Good Dynamics, AD, Exchange, SharePoint, and OWAS.

Push Notifications

It is highly recommended that this checklist be completed prior to implementation of your Good Enterprise Mobility Server (GEMS) with Push Notifications and Presence Services.

#   Task   Check

Registration

1.1 Register with the GDN portal.
1.2 Download the latest GEMS software from the Good Admin Portal.
1.3 Request the Good Work app from the Good Marketplace.

Network

2.1 Ensure the following ports are open for GEMS:
    Inbound TCP Ports
    - 8443 from the Good Proxy server (required for Presence and Push notifications); add port 8181 if SSL is not going to be used
    Outbound TCP Ports
    - 443 to Good NOC/APNS
    - 443 to GCM
    - 443 to Exchange
    - to the Good Proxy server (17433 for SSL)

Active Directory and Exchange

3.1 Verify the supported version of Exchange you have already deployed:
    - Exchange
    - Exchange 2010 SP 1+
    - Microsoft O365
    - Hosted Exchange (2010 SP 1+; e.g., Certified Rackspace)
    A plus sign (+) indicates that all later service packs and updates to the version cited are also supported.
3.2 Create an AD account for Good. The preferred UID is "GoodAdmin" set with the following attributes:
    - Password must not contain ';', or '/'
    - Password Expired option must be set to Never for this account
    - GoodAdmin should be a member of the local administrator group on the GEMS host machine
3.3 Create an Exchange mailbox for the GoodAdmin account.
3.4 Grant Application Impersonation Permissions to the Good Admin account in Exchange (very important!). For convenience, the Exchange shell command to apply Application Impersonation is as follows:
    Command Format:
        New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
    Example:
        New-ManagementRoleAssignment -Name:GoodAppImpersonation -Role:ApplicationImpersonation -User:GoodAdmin
    For additional details, see "Configuring Exchange Impersonation" and "Grant Application Permission to the Service Account" in the GEMS Installation and Configuration Guide under "Setting Up a Windows Account for GEMS."
3.6 Make sure that your Exchange Autodiscover is set up correctly (very important!). See KB19909 for guidance on how to use GEMS Tech Tools to test autodiscover.
3.7 Make sure that Exchange EAS is enabled on port 443, and that connections are permitted for the Good Proxy server.

.NET FRAMEWORK

4.1 Verify that you have the correct version(s) of .NET Framework installed for the version of Microsoft Lync you have deployed or plan to deploy:
    - Lync 2010: .NET 3.5 SP1 and .NET 4.5
    - Lync 2013: .NET 4.5
    Important: As of GEMS 1.5, .NET is required whether you are configuring Connect and Presence in addition to PNS and other services or not.

GEMS

5.1 Verify that you have the correct OS support. The following Windows platforms are supported by GEMS:
    - Windows Server 2008 R2
    - Windows Server 2008 R2 SP1
    - Windows Server 2012 R2
5.2 Verify that you have the minimum required hardware in place to host GEMS.
    POC:
    - Dual Core / 2.4 GHz CPU or higher
    - 4 GB RAM / 50 GB HDD
    - 100 / 1000 Ethernet Card
    Production:
    - Pentium 4 Quadcore / 2.4 GHz CPU or higher
    - 16 GB RAM / 50 GB HDD
    - 100 / 1000 Ethernet Card
5.3 Verify that you have deployed the correct Good Dynamics support. GEMS requires Good Dynamics x or newer. Version x is strongly recommended.
    Important: Good Dynamics must already be installed and operational before installing GEMS.
5.4 Make sure that the GoodAdmin service account is a local administrator on the server.
5.5 Make sure that the GC service account has Logon As a Service rights.
5.6 Ensure that the server's date and time are set correctly.
5.7 Ensure that the server has been joined to the domain.
5.8 Make sure that Windows Firewall is OFF.
5.9 Make sure all antivirus/backup and backup software is stopped during the installation.
Install JRE 7 Update 67 or higher Java 7 update (click here to download). Note: Java 8 is now supported as of GEMS v
Set the JAVA_HOME environment variable to the Java install folder; ensure that "C:\Program Files\Java\jre8" (if using Java 8) or "C:\Program Files\Java\jre7" (if using Java 7) is appended to the value string in accordance with "Configuring the Java Runtime Environment" in the GEMS Installation and Configuration Guide.
Ensure connectivity to SQL Server (typically, TCP port
Ensure connectivity to Exchange (EWS). See KB19909 for guidance on using GEMS Tech Tools to test connectivity.

Database

6.1 Verify Database Server support. The following database servers are supported:
    - All editions of MS SQL Server 2008 and 2008 R2
    - All editions of MS SQL Server 2012 and 2012 SP1
    - MS SQL Express 2008 R2 with Management Tools
    To download MS SQL Express, click here. To configure remote TCP/IP connections for SQL Server Express, see "Database Requirements" under "PNS Prerequisites" in the GEMS Installation and Administration Guide.
6.2 Create a database for the PNS service and name it "GEMS-EWS."
6.3 Make sure that the SQL account or the GEMS Windows Service Account has db_owner privileges to the GEMS-EWS database created in 6.2 above.

Connect and Presence

It is highly recommended that this checklist be completed prior to implementation of your Good Enterprise Mobility Server (GEMS) with Connect and Presence Services.

#   Task   Check

Registration

1.1 Register with the GDN Portal (click here)
1.2 Download the latest GEMS software
1.3 Request the Good Connect App from the Good Marketplace (very important!)
1.4 Request the Good Presence App ONLY if you are using third-party GD apps that require presence. The Good Presence app can be requested from Mobile App Sales

Network

2.1 Ensure the following ports are open for GEMS:
    Inbound TCP ports
    - 8080/8082 from the Good Proxy Server
    - 8443 from the Good Proxy Server (for Presence)
    - from the Lync Server (for Connect)
    - from the Lync Server (for Presence)
    Outbound TCP ports
    - 443 to the Good Technology NOC / / /24
    - 5061 to the Lync server
    - to the Good Proxy server
    - to the Good Proxy server
    - 1433 to the MS SQL server (default)
    - 1434 UDP to the Lync database (for initial setup only)
    - TCP: Random port in this range to the Lync DB (for initial setup only)
2.2 If GEMS requires a Proxy server for external access, please note it here:
    Proxy Server Make/Model:
    Authentication Method:

Active Directory and Lync

3.1 Create an AD service account for the GEMS software (can be the same account used for Good Dynamics)
3.2 Ensure that the GEMS service account has RTCUniversalReadOnlyAdmins permission during the GEMS install. This permission is granted via AD.
3.3 Create a Trusted Application Pool, trusted application, and trusted application endpoint for GEMS via the Lync Shell Console (very important!)
    Note: The user creating the Trusted Application Pool must have RTCUniversalServerAdmins and Domain Admins permissions. For complete guidance, see "Preparing the Initial GEMS Machine" under "Preparing the Lync Topology for GEMS" in the GEMS Installation and Configuration Guide.

GEMS

4.1 Verify OS support. The following are supported by GEMS:
    For MS Lync 2010 Deployments use Windows Server in one of these 64-bit versions:
    2008 R R2 SP1
    For MS Lync 2013 Deployments use Windows Server in one of these 64-bit versions:
    2008 R2 SP R2
4.2 Verify minimum hardware requirements:
    - Pentium 4 Quadcore / 2.4 GHz CPU or higher
    - 16 GB RAM / 50 GB HDD
    - 100 / 1000 Ethernet Card
4.3 Verify Good Dynamics support. GEMS requires Good Dynamics x or newer. Good Dynamics must already be installed and operational before installing GEMS.
4.4 Verify Lync Support. Lync 2010 and Lync 2013 are supported.
4.5 Ensure that the GC Service account is a local administrator on the server
4.6 Ensure that the GC Service account has Logon As a Service rights
4.7 Ensure that the server's date/time is correctly set
4.8 Ensure that the server has been joined to the domain
4.9 Verify that you have the correct version(s) of .NET Framework installed for the version of Microsoft Lync you have deployed or plan to deploy:
    - Lync 2010: .NET 3.5 SP1 and .NET 4.5
    - Lync 2013: .NET 4.5 or .NET (download)
4.10 Ensure that MS Windows PowerShell (x86) is installed:
    For both Lync 2010 and Lync 2013, install PowerShell 3.0 RTM (click here to download)
    Open Windows PowerShell (x86) and run the following command to enable execution of remote signed scripts:
        Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
4.11 Ensure that the Microsoft Unified Communications Managed API is installed:
    - For Lync 2010, install UCMA 3.0 (click here to download)
    - For Lync 2013, install UCMA 4.0 (click here to download)
      - Enable Windows Media Foundation on Windows Server 2012
      - Enable Desktop Experience on Windows Server 2008 R2 SP1
    After installing UcmaRuntimeSetup.exe, you must also run the OCSCore.msi file. This is a hidden file and must be run on the GEMS host machine. By default, this file is located at:
        C:\Program Data\Microsoft\Lync Server\Deployment\cache\ \Setup\OCSCore.msi
    Note: The version number in the path will vary
Request and install a SSL certificate on GEMS (very important!). See "SSL Certificate Requirements for Lync and Presence" in the GEMS Installation and Configuration Guide
Ensure that all antivirus/backup and backup software is stopped during the installation
Install JRE 7 Update 67 or higher update of Java 7 (click here to download). Note: Java 8 is now supported as of GEMS v
Set the JAVA_HOME environment variable to the Java install folder; ensure that "C:\Program Files\Java\jre8" (if using Java 8) or "C:\Program Files\Java\jre7" (if using Java 7) is appended to the value string in accordance with "Configuring the Java Runtime Environment" in the GEMS Installation and Configuration Guide.

Database

5.1 Verify Database server support. The following database servers are supported:
    - All editions of MS SQL Server 2008 and 2008 R2
    - All editions of MS SQL Server 2012 and 2012 SP1
    - MS SQL Express 2008 R2 with Management Tools
    To download MS SQL Express, click here.
5.2 Create a DB for the GEMS Connect Service and name it "GEMS-Connect" (very important!). This must be done prior to installing GEMS. For more information, see "Database Requirements" under "Connect Prerequisites" in the GEMS Installation and Configuration Guide.
5.3 Ensure that the GEMS service account has db_owner permission for the GEMS Connect database.

Docs

It is highly recommended that this checklist be completed prior to implementation of your Good Enterprise Mobility Server (GEMS) with the Docs Service.

#   Task   Check

Registration

1.1 Register with the GDN portal.
1.2 Download the latest GEMS software from the Good Admin Portal.
1.3 Request the Good Work app from the Good Marketplace (very important!)
1.4 Request the "Feature-Docs Service" virtual (entitlement) app from the Marketplace (equally important)

Network

2.1 Ensure the following ports are open for GEMS:
    Inbound TCP Ports
    - 8443 from the Good Proxy server
    Outbound TCP Ports
    - 80 or 443 to SharePoint
    - 80 or 443 to Office Web App Server
    - or to the Good Proxy Server
    - 1433 to SQL (default)
    - 445, 139 to CIFS share
    - 389 or 636 to LDAP
    Outbound UDP Ports
    - to CIFS share
2.2 If GEMS requires a Proxy server for external access, please note it here:
    Proxy Server Make/Model:
    Authentication Method:

Active Directory

3.1 Create an AD service account for the GEMS software (this can be the same account that was used for Good Dynamics)

.NET FRAMEWORK

4.1 Verify that you have the correct version(s) of .NET Framework installed for the version of Microsoft Lync you have deployed or plan to deploy:
    - Lync 2010: .NET 3.5 SP1 and .NET 4.5
    - Lync 2013: .NET 4.5
    Important: As of GEMS 1.5, .NET is required whether you are configuring Connect and Presence in addition to Docs and other services or not.

GEMS

5.1 Verify that you have the correct OS support. The following Windows platforms are supported by GEMS:
    - Windows Server 2008 R2
    - Windows Server 2008 R2 SP1
    - Windows Server 2012 R2
5.2 Verify that you have the minimum required hardware in place to host GEMS.
    POC:
    - Dual Core / 2.4 GHz CPU or higher
    - 4 GB RAM / 50 GB HDD
    - 100 / 1000 Ethernet Card
    Production:
    - Pentium 4 Quadcore / 2.4 GHz CPU or higher
    - 16 GB RAM / 50 GB HDD
    - 100 / 1000 Ethernet Card
5.3 Verify that you have deployed the correct Good Dynamics support. GEMS requires Good Dynamics x or newer. Version x is strongly recommended.
    Important: Good Dynamics must already be installed and operational before installing GEMS.
5.4 Ensure that the server's time and date are set correctly.
5.5 Ensure that the server has been joined to the domain.
5.6 If network shares are used, make sure all GEMS-Docs users have Allow Logon Locally permission on the GEMS host.
5.7 Verify SharePoint support. SharePoint 2007, 2010, 2013, SharePoint online are supported.
5.8 If you are using KCD, make sure that the GEMS service account (Good Admin) is a local administrator on the server.
5.9 Make sure that the GEMS service account has Logon As a Service rights
Make sure that Windows Firewall is OFF
Make sure all antivirus/backup and backup software is stopped during the installation
Install JRE 7 Update 67 or higher update (click here to download). Note: Java 8 is now supported and is recommended
Set the JAVA_HOME environment variable to the Java install folder; ensure that "C:\Program Files\Java\jre8" (if using Java 8) or "C:\Program Files\Java\jre7" (if using Java 7) is appended to the value string in accordance with "Configuring the Java Runtime Environment" in the GEMS Installation and Configuration Guide.

Database

6.1 Verify Database Server support. The following database servers are supported:
    - All editions of MS SQL Server 2008 and 2008 R2
    - All editions of MS SQL Server 2012 and 2012 SP1
    - MS SQL Express 2008 R2 with Management Tools
    To download MS SQL Express, click here.
6.2 Create a database for the Docs service and name it "GEMS-Docs."
6.3 Make sure the GEMS Service Account has db_owner permissions for the GEMS-Docs database.

Appendix B Importing/Configuring Certificates in the GEMS Java Keystore

Java Keytool is a key and certificate management tool that is used to manipulate Java Keystores, and is included with Java. A Java Keystore is a container for authorization certificates or public key certificates, and is used by Java-based applications for encryption, authentication, and serving over HTTPS. Its entries are protected by a keystore password. A keystore entry is identified by an alias, and it consists of keys and certificates that form a trust chain.

Importing a Certificate

As briefly covered under Replacing the Auto-Generated Self-Signed SSL Certificate above, a Java keystore file, called gems.jks, containing a self-signed SSL certificate is generated by the GEMS installer.

Note: The browser will report that your SSL certificate is untrusted because it is a self-signed certificate.

Default Location

The default location is:

    <GEMS Machine Path>\Good Enterprise Mobility\Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores\gems.jks

Default Password

The default password is changeit.

Keystore File Reference

The keystore file is referenced in jetty.xml. Its default location is:

    <GEMS Machine Path>\Good Enterprise Mobility\Server\Good Server Distribution\gems-quickstart-<version>\etc\jetty.xml

The relevant snippet from jetty.xml referencing the location of the keystore file and its associated password would look like the following:

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
          <Arg>
            <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
              <Set name="keyStore"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
              <Set name="trustStore"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
              <Set name="keyStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
              <Set name="keyManagerPassword">OBF:1uh01xmu1k8k1juc1k5m1wg21kmk1w</Set>
              <Set name="trustStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
            </New>
          </Arg>
          <Set name="port">8443</Set>
          <Set name="maxIdleTime">30000</Set>
        </New>
      </Arg>
    </Call>

The passwords are obfuscated. The keyStorePassword and the trustStorePassword are typically identical and represent the Java keystore password. The keyManagerPassword is the challenge password for the certificate.

Certificate Format

Any certificate used should be PKCS #12 and the private key must contain a challenge password. In addition, please also make sure that the certificate has the appropriate key chain; i.e., root and intermediate certificate.

Importing the Certificate

The Java keytool is used to import the certificate into the Java keystore. The default location of this tool on the GEMS host is C:\Program Files\Java\jre7\bin.

To import a certificate:

1. Make a backup copy of the gems.jks file.
2. Open a command prompt and import the certificate using the following command:
       keytool -importkeystore -destkeystore <path to gems.jks file> -srckeystore <path to your certificate> -srcstoretype pkcs12 -alias <alias of your certificate> -storepass changeit
   For example:
       keytool -importkeystore -destkeystore gems.jks -srckeystore mycert.p12 -srcstoretype pkcs12 -alias myserver.com -storepass changeit
3. Delete the old self-signed certificate from the keystore using the following command:
       keytool -delete -alias serverkey -keystore gems.jks -storepass changeit
4. Copy the new gems.jks file back to its original location.
5. Generate the obfuscated challenge password for your private key. In order for the GEMS server to access your certificate private key, you must include the challenge password in the jetty.xml file. The password must be obfuscated. This can be done with the GEMS SSL Tech Tool. See KB16041 for details.
   Caution: When you run the GEMS SSL Tech Tool to obfuscate the password, it will generate a new gems.jks file. You can then delete the gems.jks file generated under Step 2 above because you are really only interested in the obfuscated password.
   GEMS SSL Tech Tool output will look similar to this:

6. Update keyManagerPassword in the jetty.xml file with the obfuscated password.
7. Restart the Good Technology Common service from the Windows Service Manager.
8. Test the new certificate by accessing the GEMS Dashboard in a browser. Its certificate information should now reflect the newly imported certificate.

Other Useful Keystore Commands

The following keystore commands are available at the command line:

To check which certificates are currently in the keystore, use:
    keytool -list -v -keystore gems.jks
To export a certificate from the keystore, use:
    keytool -export -alias serverkey -file gems.crt -keystore gems.jks
To check a standalone certificate, use:
    keytool -printcert -v -file gems.crt
To delete a cert from the keystore, use:
    keytool -delete -alias serverkey -keystore gems.jks
To import a signed primary certificate to an existing GEMS Java keystore, use:
    keytool -import -trustcacerts -alias serverkey -file gems.crt -keystore gems.jks

Configuring HTTPS for GEMS to Good Proxy

By default, the Java keystore on the GEMS host does not contain the CA certificate for the Good Proxy server. This means the GEMS server will not be able to verify the Good Proxy server's SSL certificate; and, thus, any HTTPS connection made from GEMS to the Good Proxy server will fail.

Workaround

A workaround for this issue is to disable SSL checking on the GEMS server. This can be done from the GEMS Console at https://localhost:8443/system/console/. The default login is admin/admin. Then, from OSGi > Configuration > Good Technology Async HTTP Client Configuration, select Disable SSL certificate checking.

Caution: This workaround is only recommended for lab or proof of concept systems. For production systems, please follow the guidance found under Resolution.

Resolution

The Good Proxy CA certificate is in a Java keystore on the Good Control server. The default location of this file is C:\Program Files (x86)\Good Technology\Good Control\jre\lib\security\cacerts. Among the many certificates in this keystore is one with the alias "gdca." You will need to export this certificate and import it into the GEMS Java keystore.

Note: The default password for the keystore is changeit.

To import the required certificate into the keystore on the GEMS host:

1. Make sure you have the Java bin directory in your environment PATH. See Configuring the Java Runtime Environment under Core Prerequisites. This will allow you to run the keytool from any directory.
2. Copy the Good Control Java keystore from C:\Program Files (x86)\Good Technology\Good Control\jre\lib\security\cacerts to the GEMS host and place it in a convenient location. For example, C:\gemscert.
3. Rename the file. The name is arbitrary. For this example, let's call it cacerts.gdca.
4. Export the Good Control CA certificate with the following command:
       keytool -export -alias gdca -file gdca.cer -keystore cacerts.gdca
5. On the GEMS host, locate your Java keystore (the default location is C:\Program Files\Java\jre7\lib\security\cacerts) and copy it to C:\gemscert.
6. Import the Good Control CA certificate into the GEMS Java keystore with the following command:
       keytool -import -trustcacerts -alias gdca -file gdca.cer -keystore cacerts
7. Now copy the updated keystore file to its proper Java keystore location (C:\Program Files\Java\jre7\lib\security).
8. Restart the Good Technology Common service from the Windows Service Manager.
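The jetty.xml snippet earlier in this appendix stores its passwords in Jetty's OBF: form, which is a reversible encoding rather than encryption, and this guide names changeit as the default keystore password. The following Python check is an added example (not part of the original guide or of GEMS): it re-implements the OBF encoding for ASCII passwords and flags jetty.xml password fields that still hold the default or are stored in clear text. The function names, the sample XML and the non-default secret in it are constructed for illustration.

```python
"""Flag jetty.xml password fields that still hold the default keystore password."""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"   # default keystore password named in this guide
PASSWORD_FIELDS = {"keystorepassword", "keymanagerpassword", "truststorepassword"}
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36(n):
    """Lower-case base-36 text of a non-negative integer."""
    out = ""
    while n:
        n, rem = divmod(n, 36)
        out = DIGITS[rem] + out
    return out or "0"


def jetty_obfuscate(secret):
    """Encode an ASCII string with Jetty's OBF: scheme."""
    data = secret.encode("ascii")        # this sketch covers ASCII passwords only
    parts = ["OBF:"]
    for i, b1 in enumerate(data):
        b2 = data[-(i + 1)]              # byte mirrored from the other end
        # Sum and difference of the pair are packed into one number, 4 base-36 digits.
        packed = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        parts.append(base36(packed).rjust(4, "0"))
    return "".join(parts)


def audit_jetty_passwords(xml_text):
    """Return {field name: [issues]} for the password <Set> elements in jetty.xml."""
    default_obf = jetty_obfuscate(DEFAULT_PASSWORD).lower()
    findings = {}
    for element in ET.fromstring(xml_text).iter():
        name = element.get("name", "")
        # Compare case-insensitively so a lower-cased copy of the file still matches.
        if element.tag.lower() != "set" or name.lower() not in PASSWORD_FIELDS:
            continue
        value = (element.text or "").strip()
        issues = []
        if not value.lower().startswith("obf:"):
            issues.append("clear-text")            # Jetty takes the value literally
            if value == DEFAULT_PASSWORD:
                issues.append("default-password")
        elif value.lower() == default_obf:
            issues.append("default-password")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample: same layout as the snippet in this appendix, with one
# non-default obfuscated value and one clear-text value added for the demo.
SAMPLE_JETTY_XML = f"""<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
            <Set name="keyStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
            <Set name="keyManagerPassword">{jetty_obfuscate("constructed-sample-secret")}</Set>
            <Set name="trustStorePassword">changeit</Set>
          </New>
        </Arg>
        <Set name="port">8443</Set>
      </New>
    </Arg>
  </Call>
</Configure>"""

if __name__ == "__main__":
    for field, issues in audit_jetty_passwords(SAMPLE_JETTY_XML).items():
        print(f"{field}: {', '.join(issues)}")
```

The keyStorePassword and trustStorePassword values printed in this appendix are the OBF form of changeit, so a production jetty.xml that still carries them is using the installer default.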

Appendix C Understanding the GEMS-Connect Configuration File

Configuration settings can be manually updated directly in the GEMS configuration file located in <install path>\Good Technology\Good Server\Good Connect Server\GoodConnectServer.exe.config. After updating any of the configuration parameters, you must restart the GEMS machine for the changes to take effect.

Each entry below lists the Parameter Name, whether it is Required (Y/N), its Description, and its Default Setting where one is given.

ACK_TIME_WAIT
    Required: No
    Description: Time (in milliseconds) that the Connect server waits for acknowledgment from client for a message received before sending message failed to deliver

ACTIVE_DIRECTORY_CACHE_REFRESH_SECS
    Required: Yes
    Description: The number of seconds the Good Connect Server waits before synchronizing with the Active Directory (any value smaller than 7200 is ignored in favor of 7200 seconds)
    Default Setting: 86,400 (24 hours)

ACTIVE_DIRECTORY_SEARCH_RESULT_MAX
    Required: Yes
    Description: The upper limit on the number of hits from a search of the Global Address List (GAL)
    Default Setting: 150

AD_USERS_SOURCE
    Required: No
    Description: Parameter indicates if Good Connect server should read AD or GC for SIP-enabled users; value can be GC or LDAP (default is LDAP, if empty)

AD_USERS_SOURCE_DOMAIN
    Required: Yes, if users source is GC
    Description: Domain for AD or GC to query. This value should be in LDAP format; i.e., DC=GOOD,DC=COM

APN_ALERT
    Required: Yes
    Description: Apple push notification message string that notifies a user that there are unread messages
    Default Setting: You have <number> unread messages.

APN_BADGE
    Required: Yes
    Description: Determines whether or not to use the badge graphic for Apple push notifications
    Default Setting: True

APN_SLEEP_TIME
    Required: Yes
    Description: The number of milliseconds the Good Connect Server waits in between queued Apple push notifications
    Default Setting: 100

APN_SOUND
    Required: Yes
    Description: Play sound when an Apple device receives a push notification

BASE_ADDRESS
    Required: Yes
    Description: URL for the Good Connect Server which takes the form

BUILD_VERSION
    Required: Yes
    Description: The version number of the Good Connect Server build
    Default Setting: Auto-populated

DB_AUTHTYPE
    Required: Yes
    Description: USE_INTEGRATEDAUTH when specifying Windows integrated authentication; otherwise, SQL Server authentication will be used

DB_INIT_CATALOG
    Required: No
    Description: SQL Server database name; only valid if DB_TYPE=SQLSERVER
    Default Setting: GoodConnect
    Caution: This value is set by the installer, so do not change

DB_PURGE_HOURS
    Required: No
    Description: Any IMs from invitations will be obfuscated. In addition to obfuscation, the integer value representing the maximum age, in hours, of missed messages and invitations before they are automatically deleted (purged) is set with DB_PURGE_HOURS.
    Ex: <add key="DB_PURGE_HOURS" value="72" />
    If Connect is started at 12:31pm, then at 12:31pm a process removes all invitations and all missed messages older than 72 hours. Connect will continue to run every 24 hours thereafter.
    Default Setting: 0

DB_RECONNECT_TRY_NUM
    Required: Yes
    Description: # of times Connect server to retry reconnecting to database after a failure to connect to database
    Default Setting: 3

DB_RECONNECT_WAITTIME_SEC
    Required: Yes
    Description: # of seconds to wait before reconnecting attempt to database
    Default Setting: 300

DB_SESSION_TIMEOUT_SECS
    Required: Yes
    Description: Time limit for search Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING
    Default Setting: 300

DB_TYPE
    Required: Yes
    Description: SQLSERVER or ORACLE depending on what database is used

DISABLE_MESSAGEUPDATE
    Required: No
    Description: Disable message not delivered errors which may potentially be due to client/network latencies
    Default Setting: False

ENABLE_SOURCE_NETWORK
    Required: No
    Description: Labels address book contacts as "external" if they do not belong to your organization. These are federated contacts. A federated contact is a member of a company whose Office Communications Server is federated (connected) with your company's Office Communications Server
    Default Setting: False

EWS_HISTORY_INTERVAL_MINUTES
    Required: No
    Description: Defines the interval, in minutes, that the Good Connect server will wait before writing to Conversation history. 0 means that conversation history is written only after conversation has been terminated
    Default Setting: 5

EWS_HOST
    Required: No
    Description: FQDN of the Exchange server to which the Good Connect Server will write conversation history

EWS_VERSION
    Required: No
    Description: Version of Exchange server:
        0 = Exchange 2007 SP1
        1 = Exchange
        = Exchange 2010 SP1
        3 = Exchange 2010 SP2 or SP3
        4 = Exchange 2013
    Default Setting: 2

GASLAMP_USERNAME
    Required: Yes
    Description: Windows Service account

GD_APN_HTTP_URL
    Required: Yes
    Description: Web Service URL for Good Dynamics Apple Push Notification Service (APNS)

GD_APN_PROXY_AUTH_DOMAIN
    Required: No
    Description: Web Proxy Domain
    Default Setting: Deprecated

GD_APN_PROXY_AUTH_PASSWORD
    Required: No
    Description: Web Proxy Password
    Default Setting: Deprecated

GD_APN_PROXY_AUTH_USERNAME
    Required: No
    Description: Web Proxy Username
    Default Setting: Deprecated

GD_APN_PROXY_HTTP_HOST
    Required: No
    Description: Web Proxy Host

GD_APN_PROXY_HTTP_PORT
    Required: No
    Description: Web Proxy Port

GD_APN_PROXY_TYPE
    Required: No
    Description: Web Proxy Authentication Mechanisms. Acceptable values are:
        "" (empty string for no proxy)
        "Basic No Auth"
        "Basic"
        "Digest"
    Default Setting: ""

GD_APNS_BLACKLIST_RETRY_NO
    Required: Yes
    Description: Specifies # of retries after the server receives APNS response where the token has been blacklisted
    Default Setting: 3

GD_HOST
    Required: Yes
    Description: Good Dynamics Proxy host

GD_PORT
    Required: Yes
    Description: Good Dynamics Proxy port

GD_USE_SSL
    Required: Yes
    Description: Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecured port (17080).
    Default Setting: False

LONG_INVITATION_TIME_DELAY
    Required: No
    Description: Time (in milliseconds) that a Connect client will wait for invitation received to confirm/ignore a request to a conversation

LYNC_DB_CONNECTIONSTRING
    Required: No
    Description: SQL Server connection string for the Lync/OCS database

OCS_SERVER
    Required: Yes
    Description: FQDN (Fully Qualified Domain Name) of the Microsoft Lync Front-End server or Front-End server pool

RESTRICT_CERT_BY_FRIENDLY_NAME
    Required: No
    Description: Allows naming of certificate so that Connect server can load correct certificate; the certificate friendly name must match the name specified here

SEND_TIME_WAIT
    Required: No
    Description: Time (in milliseconds) the Connect server waits after sending message before reporting message failed to deliver

SESSION_TIMEOUT_SECS
    Required: Yes
    Description: The number of seconds a client is allowed to remain idle
    Default Setting: 86,400 (24 hours)

UCMA_APPLICATION_NAME
    Required: Yes
    Description: Name of application as defined through the installation provisioning process
    Default Setting: Generated during application provisioning

UCMA_APPLICATION_PORT
    Required: Yes
    Description: The fixed port used by the Good Connect Server to receive messages from the enterprise IM server

UCMA_GRUU
    Required: Yes
    Description: GRUU = Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application
    Default Setting: Generated during application provisioning

Appendix D Fine-Tuning Your Java Memory Settings

Java settings for GEMS are found in the configuration file Good Server Distribution\gems-karaf-<version>\etc\goodserverdistribution-wrapper.conf. You may wish to review or modify the default Java settings used by GEMS. However, as a general rule, you won't need to make changes to these settings. In particular, the default memory settings for GEMS can be viewed at:

Initial memory allocation:

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=2048
# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=2048

Java memory settings:

wrapper.java.additional.14=-XX:PermSize=512m
wrapper.java.additional.15=-XX:MaxPermSize=1024m

By default, this means that the Java process used by GEMS will always need approximately 3 GB of memory free for its use on the machine hosting it.

Appendix E IIS SSL Offloading

SSL offloading takes all the processing of SSL encryption and decryption off the main Web server and moves it to the GEMS host.

To set up IIS on the GEMS host:

1. Download and install the IIS Application Request Routing extension.
2. When installation completes, select Start > IIS Manager.
3. Under Connections, select Server > Server Certificates, then double-click Import to import a trusted third-party certificate (the .pfx file received from your CA).
4. After the certificate is added, click Server under Connections, double-click Application Request Routing, and click Server Proxy Settings... under Actions.
5. Check Enable proxy, then click Apply.
6. Next, click Server under Connections, double-click URL Rewrite, then click Add Rule(s)... under Actions.
7. Select Blank Rule and click OK.
8. On the Edit Inbound Rule screen, enter a Name for the rule, e.g., "gems", in the field provided.
9. With Requested URL: Matches the Pattern and Using: Regular Expressions displayed, enter "pushnotify/pushchannels" in the Pattern field.
10. Scroll down and expand the Conditions section, then click Add...
11. For Condition input enter {REQUEST_METHOD}.
12. For Pattern enter POST, then click OK.
13. Scroll down and expand the Action section.
14. For Rewrite URL enter
15. In the Actions panel on the far left, click Apply.

Finally, verify that you can now access GEMS under its secure HTTPS port by opening the GEMS Dashboard in your browser using https://localhost:8443/dashboard.


Appendix F GEMS Windows Event Log Messages

Message | Component | Level | Context
Error communicating with Good Proxy Server - HTTP code {}, Message {} | server-core/gd-core | error | Could not connect to Good Proxy Server while verifying auth token (during Push Registration from G3 Mail context)
Failed to retrieve the list of Good Proxy servers - code {} - Reason {} | server-core/gd-core | error | Used for HA and load balancing of requests to Good Proxy server. The list of known GP servers are maintained in memory and requests are load-balanced through this list.
Failed to retrieve the list of Good Proxy servers | server-core/gd-core | error | Used for HA and load balancing of requests to Good Proxy server. The list of known GP servers are maintained in memory and requests are load-balanced through this list.
Incorrect Good Proxy Server configuration | server-core/gd-spring | error | Communicate with Good Proxy server to verify Authorization token using HTTP(s) protocol. If URL is syntactically wrong or configuration error then error is logged in event log.
Autodiscover failed for {} users with exception {} | server-notifications/autodiscover | warn | Failed to retrieve user's settings through autodiscover. Needs administrator attention to fix the issue. The user will not receive notifications until issue is resolved. This is a batch request and the log only prints the number of users that failed auto discover.
Invalid syntax for property {}, must be a valid URL | server-notifications/autodiscover | error | Server is configured with an invalid URL used for bypassing the steps to find the autodiscover end point. GEMS server would ignore this URL and follow the regular steps to perform autodiscover.
User {} being quarantined after {} attempts to perform autodiscover | server-notifications/autodiscover | warn | GEMS server could not autodiscover user's settings for configured number of attempts. The user mentioned will be marked as QUARANTINED and will not receive notifications. The status can be reset through karaf command (user:reset).
No response from server while performing autodiscover for user {} | server-notifications/autodiscover | warn | Autodiscover failed for the user mentioned.
Autodiscover failed for user {}, error code: {}, Detail: {} | server-notifications/autodiscover | warn | Autodiscover failed for the user mentioned.
Failed to retrieve user settings while performing autodiscover for user {} | server-notifications/autodiscover | warn | Autodiscover failed for the user mentioned.
No valid EWS URL setting configured for the user {} | server-notifications/autodiscover | warn | Autodiscover failed for the user mentioned.
Error communicating with Database server - {error msg} | server-notifications/autodiscover | error | GEMS failed to connect to SQL database. Needs immediate attention.
Database Error - {error msg} | server-notifications/autodiscover | error | GEMS failed to connect to SQL database. Needs immediate attention.
Lost connection with exchange server. Last known error {} | server-notifications/ewslistener | error | EWSListener: Lost connection with exchange server. This might be due to Exchange server\autodiscover service down.
Error subscribing user {} with exchange server {} | server-notifications/ewslistener | error | Subscribe to the user address with exchange server to track modifications of user mailbox.
User {} marked for re-autodiscover | server-notifications/ewslistener | info | Does a DB call to mark the user for re-autodiscovery. This task is done every n interval of time.
Error communicating with Database server - {error details} | server-notifications/pushnotifydbmanager | error | Bootstrap database connection.
{} is no longer the master (producer) since database server time {} | server-notifications/pushnotify-hadbwatcher | error | HA System: Check whether the node itself is Producer or not. Prints the error in event log when the server has lost ownership of the HA system (not master any more).
{} is the master (producer) since database server time {} | server-notifications/pushnotify-hadbwatcher | info | HA System: Check whether the node itself is Producer or not. If it was not master before; the failover is happening.
Detected Server {} is inactive. Users will be load balanced to other active servers | server-notifications/pushnotify-hadbwatcher | error | HA System: If server is detected as inactive\heartbeat fails, the users of the bad server are reassigned to other active servers.
Error communicating with Database server - {error details} | server-notifications/pushnotifyprefs | error | Database error due to server down\login error, etc.
{ Good Dynamic Proxy Server connection error details } | server-console/config | error | Connect GD Module Test from dashboard with GP down, connection failure error.
Connection to Good Dynamic Proxy Server is successful | server-console/config | info | Connect GD Test from dashboard when GP is up and running, successful test.
Connection Successful, Server: - {}: Database : {} | server-console/config | info | Mail DB Test database configurations from dashboard. Connection successful.
Exception during connection test - {} | server-console/config | error | Mail DB Test database configurations from dashboard. Connection issues due to bad password or user or host info.
Invalid configuration properties - {} | server-console/config | error | Mail DB Test database configurations from dashboard. Validation of database configuration values.
{ Good Dynamic Proxy Server connection error details } | server-console/config | error | Presence GD Test from dashboard with GP down, connection failure error.
Connection to Good Dynamic Proxy Server is successful | server-console/config | info | Presence GD Test from dashboard when GP is up and running, successful test.
Lync Presence Provider Ping failed with error status {} and reason - {} | server-presence/presencebundle | error | Connection to Presence server. If response received, log the reason for failure.
Lync Presence Provider Ping failed with exception {}: {} - set status {} | server-presence/presencebundle | error | Connection to Presence server. Most likely connection refused because down
Lync Presence Provider Ping failed, cause unknown | server-presence/presencebundle | error | Connection to Presence server.
Presence Service failed to reset LPP, interrupted with error: {} | server-presence/presencebundle | error | Reset all contacts presence status.
Presence Service failed to reset LPP, timed out with error: {} | server-presence/presencebundle | error | Reset all contacts presence status. Timeout error.
Failed to reset LPP, {} with error: {} | server-presence/presencebundle | error | Reset all contacts presence status.
Presence Service started. | server-presence/presencebundle | info | Presence service started.
Presence Service stopped. | server-presence/presencebundle | info | Presence service stopped.
Bad Lync Presence Provider Subscription URI: {} | server-presence/presencebundle | error | Presence service provider subscription URI.
Bad Lync Presence Provider Ping URI: {} Ping | server-presence/presencebundle | error | Presence service provider subscription URI.
Redis Cache & Queue services are not available at the moment. | server-presence/presencebundle | error | When cache provider is set to Redis and Redis service is unavailable.
GNP Relay Service not available | server-presence/presencebundle | warn | GNP service which sends GNP notification is not available or down.

Appendix G File Types Supported by GEMS-Docs

The following file types/extensions are currently supported by the Docs service and as mail attachments: .goodsharefile, .doc, Docx wordprocessingml.document, powerpoint.ppt, PPTx excel.xls, XLSX spreadsheetml.sheet, adobe.pdf, apple.rtfd, apple.webarchive, .image, .jpeg, .tiff, .apple.pict, .compuserve.gif, .png, .quicktime-image, .bmp, .camera-raw-image, .svg-image, .text, .plain-text, .utf8-plain-text, .utf16-plain-text, .rtf, .html, .xml, .xhtml, .htm, .data, .content.zip

Media Files (iOS only): .3gp, .mp3, .mp4, .m4a, .m4v, .wav, .caf, .aac, .adts, .aif, .aiff, .aifc, .au, .snd, .sd2, .mov

Appendix H Obtaining a Google Cloud Messaging API Key

Required to support the Android Push Notifications service of GEMS, Google Cloud Messaging (GCM) is a free service that sends data from EAS via GEMS to GD applications. GCM replaces the beta version of C2DM (Android Cloud to Device Messaging). You will need to have your enterprise's Google account handy. If possible, avoid using personal accounts.

Creating a Google API Project

Use of GCM requires an API key. If you are an existing C2DM user, you can use your C2DM token instead.

To create a Google API project:

1. Open the Google Developers Console, then click Create Project.
2. Enter a name for your project, accept the default Project ID, then click Create.
   Note: The Project ID cannot be changed after the project is created, and must remain the same for the lifetime of the project. The Project Number is automatically assigned by the Google Developers Console when you create the project.
3. Click Projects in the console navigator, then click Overview. The Project Number appears at the top of the Project Dashboard.
   Important: Jot down this Project Number or copy it to Notepad.
4. In the Project Dashboard, under Boost your app with a Google API, click Enable an API.
5. Under Mobile APIs, click Cloud Messaging for Android.
6. Click Enable API.
7. In the navigator, under APIs and auth, click Credentials, then (on the right) under Public API Access, click Create new Key.
8. Click Server key.
9. Click Create.
   Important: Leave Accept requests from these server IP addresses blank. Do not specify any addresses or address masks.
10. Jot down the API key under Key for server applications or copy it to Notepad.
11. Make sure you have the Project Number from Step 3 and API key from Step 10 accurately written down or copied to Notepad. If you used the latter method, be sure to save the file.

Adding the API Key to Good Control

The API Key and GCM project number must now be added to Good Control.

To add the Google Cloud Messaging API Key to Good Control:

1. In Good Control, under SETTINGS, click Licenses and Keys, then open the API KEYS tab.
2. In the Sender ID field, enter the Project Number from Step 3 above (or paste it in from Notepad).
3. In the Key field, enter the API Key from Step 10 above (or paste it in from Notepad).
4. Click Save to record this information.

Appendix I Advanced Launcher Setup

Good Launcher relies on the services identified in Configuring the Good Launcher with Good Enterprise Services. In a basic setup, a Launcher search for a provider of the services produces a single result for all services (com.good.gdservice-entitlement.enterprise). In setups that require user affinity, however, or where there's a large list of GEMS machines deployed, each with different purposes, strict adherence to the basic setup approach is insufficient.

Deploying Multiple GEMS

Environments containing multiple GEMS hosts with different servers tied to different purposes will need new, organization-level App IDs created for the appropriate services. These services then bind to the new App IDs, which require updated server information so that they point to the correct GEMS server(s). Finally, these App IDs need to be configured as allowed apps for select users via App Groups.

To illustrate by example, consider a fictional company that wants to deploy 25 GEMS hosts, six of which will be used for Presence, with three others used for both Directory and Follow-Me services. Hence, the following steps would need to be performed via Good Control:

1. Create a couple of organization-level App IDs: com.xyzcorp.gdservice-entitlement.presence and com.xyzcorp.gdservice-entitlement.directory-followme.
2. Make com.xyzcorp.gdservice-entitlement.presence a provider of the enterprise Presence service and com.xyzcorp.gdservice-entitlement.directory-followme a provider of the enterprise Directory and Follow-Me services. Notwithstanding the different App IDs, each would use the existing published Good Enterprise Services; they would not create their own.
3. Under the application details of com.xyzcorp.gdservice-entitlement.presence, set up the 6 GEMS hosts. Only the server list needs to be configured; the application configuration is left blank. For the application details of com.xyzcorp.gdservice-entitlement.directory-followme, populate the three servers to be used for Directory and Follow-Me. Again, leave the application configuration section blank.
4. Add com.xyzcorp.gdservice-entitlement.presence and com.xyzcorp.gdservice-entitlement.directory-followme to the appropriate application group(s).
5. Make sure that com.good.gdservice-entitlement.enterprise is NOT listed as an allowed application in the "Everyone" App Group.

As a result of this configuration, when Launcher opens up, it will search for providers of the three services. For Presence, it will find com.xyzcorp.enterprise-services.presence, then read the provider's configured servers list, using it to set up communication with the Presence server. The same behavior applies to the other two services. Launcher is agnostic with respect to the providers of each service; i.e., whether they are the same machine or different.

Configuring User Affinity

For most other apps, user affinity is done via the security policy configuration of that app. Good Work, for example, has a section for entering affinity servers. Users are divided into different security policies as a means of determining which server affinity to use. With Launcher, the same end-goal is accomplished by dividing users into different application groups.

For purposes of simplicity, assume a company plans to deploy all three of the above services on a GEMS host but these servers will be geolocated across the world and will have different and/or unique sets of users connecting to them. For example, let's say there's a company with three different offices located in San Francisco, London, and Tokyo. Ideally, you would configure Good Control in the following manner:

1. Create three (3) organization-level App IDs: com.xyzcorp.gdservice-entitlement.enterprise.svl, com.xyzcorp.gdservice-entitlement.enterprise.ldn, and com.xyzcorp.gdservice-entitlement.enterprise.tyo.
2. In Good Control, go to Manage Apps > Add App > GD App ID and Version Only.
3. Populate the server information for the new application IDs in Step 1 with the appropriate server clusters for each affinity. For example, com.xyzcorp.gdservice-entitlement.enterprise.svl would have its servers be strictly those located in Sunnyvale. Do the following:
   a. Go to Manage Apps > newly created App ID > Good Dynamics > Server-Edit
   b. Configure all the servers for this particular location
   c. Repeat Steps a-b for each app created in Step 1.
4. Assign each of the app IDs as providers of the three enterprise services listed under basic setup, as follows:
   a. Go to Manage Apps > newly created App ID > Good Dynamics > Version-Edit
   b. Click Edit for your version, then click the Bind Service button. Add all three services (Presence, Directory, FollowMe)
   c. Repeat Steps a-b for each app created in Step 1.
5. Create a different App Group for each affinity.
6. Make sure that com.good.gdservice-entitlement.enterprise is NOT listed as an allowed application in the "Everyone" App Group.
7. Assign each new App ID as an allowed application to the respective application group. Since users can be part of multiple application groups, it would be ideal that these new affinity groups be strictly limited to allowed apps for that affinity.
8. Add users to the appropriate App Groups.

Additional Considerations

It is possible to mix and match multiple GEMS and user affinities when desired. In deployments where there is a different Good Control server for different affinities, advanced setup may be unnecessary, because server configurations aren't shared across GCs.

The major thing to watch out for when performing custom setup is to ensure that a user will find only one provider of a particular service. If Launcher detects multiple providers of a service, it will choose one at random (and likely remain with that choice if nothing changes). In setups where organization-level App IDs are created for complex server mapping, such a scenario could happen in the following ways:

a. com.good.gdservice-entitlement.enterprise is populated with server information and not removed from the "Everyone" application group.
b. Multiple organization-level App IDs are created that become providers of the same service and a user is granted access to them.
c. A user is added to more than one affinity App Group.

From the client perspective, the best way to debug this is by enabling detailed logging and looking through the logs to determine if more than one provider has been found.

Troubleshooting Launcher Performance

During Launcher setup in Good Control, your primary concern is making sure the configured services are visible to Good Launcher. If you use the Good Enterprise Services App ID com.good.gdservice-entitlement.enterprise and it is incorrectly configured, the following log lines could appear.

No FollowMe service available
Unable to find Presence service provider
Unable to find Directory service provider

One of two things could be causing this:

a. App IDs that are providers of server-side services will not show up for an app if no servers are specified for this particular App ID.
b. Although users can be allowed access to an ID on an individual basis, assigning a user to an application group is typically more efficient; the particular user in question may not belong to an App Group with access to this App ID.

To verify that servers are specified for this App ID: In Good Control, click Manage Applications, select com.good.gdservice-entitlement.enterprise, then open the Good Dynamics tab and add the pertinent FQDNs to the GEMS server cluster. See Adding GEMS to the Good Enterprise Services Entitlement App for detailed instructions.

To verify that the user is entitled to this App ID: Find the App Groups to which this user belongs and check to see that the GES entitlement ID is set as an allowed application to at least one of the groups.
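The two checks above, and the "only one provider per service" rule from Additional Considerations, can be run on paper before users see a failure. The following is an added example, not code from Good Technology: it models the rules as this appendix states them, and the data layout, user names, group names and host names are constructed assumptions that would be transcribed by hand from Good Control.

```python
"""Offline model of the Launcher provider rules in this appendix (added example)."""

SERVICES = ("Presence", "Directory", "FollowMe")
GES = "com.good.gdservice-entitlement.enterprise"
SVL = "com.xyzcorp.gdservice-entitlement.enterprise.svl"
LDN = "com.xyzcorp.gdservice-entitlement.enterprise.ldn"
TYO = "com.xyzcorp.gdservice-entitlement.enterprise.tyo"

# Constructed sample: App ID -> services bound to it and its configured server list.
PROVIDERS = {
    GES: {"services": set(SERVICES), "servers": ["gems-hq.xyzcorp.example"]},
    SVL: {"services": set(SERVICES), "servers": ["gems-svl1.xyzcorp.example"]},
    LDN: {"services": set(SERVICES), "servers": ["gems-ldn1.xyzcorp.example"]},
    TYO: {"services": set(SERVICES), "servers": []},  # server list left empty
}

# Constructed sample: App Group -> allowed App IDs and member users.
APP_GROUPS = {
    "Everyone": {"apps": set(), "users": {"alice", "bob", "chika", "dave"}},
    "Affinity-SVL": {"apps": {SVL}, "users": {"alice", "dave"}},
    "Affinity-LDN": {"apps": {LDN}, "users": {"bob", "dave"}},
    "Affinity-TYO": {"apps": {TYO}, "users": {"chika"}},
}


def entitled_apps(user, app_groups):
    """Union of the allowed App IDs of every App Group the user belongs to."""
    apps = set()
    for group in app_groups.values():
        if user in group["users"]:
            apps |= group["apps"]
    return apps


def visible_providers(user, service, providers, app_groups):
    """App IDs the user would discover for a service.

    Per the text: the App ID must be allowed for the user, bound to the
    service, and have at least one server. The case of a provider app that is
    installed on the device (visible even without servers) is not modelled.
    """
    found = []
    for app_id in sorted(entitled_apps(user, app_groups)):
        entry = providers.get(app_id)
        if entry and service in entry["services"] and entry["servers"]:
            found.append(app_id)
    return found


def audit(providers, app_groups):
    """Return (user, service, status, detail) for every case that is not exactly one provider."""
    findings = []
    users = sorted(set().union(*(g["users"] for g in app_groups.values())))
    for user in users:
        allowed = entitled_apps(user, app_groups)
        for service in SERVICES:
            found = visible_providers(user, service, providers, app_groups)
            if len(found) == 1:
                continue
            if found:
                findings.append((user, service, "AMBIGUOUS", ", ".join(found)))
                continue
            empty = sorted(a for a in allowed
                           if a in providers
                           and service in providers[a]["services"]
                           and not providers[a]["servers"])
            detail = ("no servers specified for " + ", ".join(empty)) if empty \
                else "no App Group of this user allows a provider"
            findings.append((user, service, "MISSING", detail))
    return findings


if __name__ == "__main__":
    for user, service, status, detail in audit(PROVIDERS, APP_GROUPS):
        print(f"{status:9} {user:6} {service:9} {detail}")
```

In the sample, chika's only provider has an empty server list (cause a) and dave sits in two affinity groups (scenario c); re-adding the GES App ID to "Everyone" hides chika's problem while making every other user ambiguous.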
If the setup is correct and none of the log messages above show up, make sure detailed logging is enabled and check for the following log line:

Discovered <PROVIDERS COUNT> service providers for service: <SERVICE NAME> (using first in list)

Here, <PROVIDER COUNT> should always be 1. If this number is greater than 1, it is because more than one app became a provider of one of the three enterprise services. If this provider happens to be an actual app that is installed on the device, it will show up as a provider, despite not listing any servers. Unfortunately, Launcher's logging doesn't list this case so it may be a challenge to track down the rogue provider. Future versions of Launcher will address this issue.

Otherwise, immediately following this log line, look for the following:

Discovered <SERVER COUNT> servers for service provider: <SERVICE PROVIDER NAME>

Here, verify that the <SERVICE PROVIDER NAME> is the correct or intended provider. For setups using the GES entitlement ID, the name should be Good Enterprise Mobility Server Entitlement.

If remedial action is taken to specify servers for this App ID or to add this user to an entitled App Group, Launcher should now be attempting to connect to the appropriate GEMS host. Again, with detailed logging enabled, you should see the following:

Directory info request: <REQUEST URL>\n<REQUEST HEADERS> (directory info)
Presence subscribe request: <REQUEST URL>\n<REQUEST HEADERS>\n<JSON BODY> (presence)

A log line for Followme indicating the start of a request will be added in a future release of Launcher.

If a connection error occurs, it could be for either of two reasons:

a. The https connection could not be established
b. The server returned with an error response.

If the former (a), the following log lines will appear:

Error in getting directory info (<ERROR CODE>): <ERROR REASON> (directory info)
Error in subscribing to presence (<ERROR CODE>): <ERROR REASON> (presence)
Connection error when trying to retrieve from FollowMe store: <ERROR REASON> (followme)

These log entries don't require detailed logging to be enabled. In such cases, first verify that the user is connected to the web, that the required GEMS hosts are each online, and that the server URL(s) specified for the provider(s) of the Launcher services are correct.

For cases where the server returns an error code, this is likely no longer an issue with Launcher but something for the GEMS engineering support team to take a look at.
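The log checks in this troubleshooting section can be applied to a captured client log in one pass. The following is an added example, not part of the original guide or of Launcher: the message patterns are the ones quoted above, while the timestamp prefix, the values filled into the placeholders and the provider name "XYZ Presence Entitlement" are constructed assumptions.

```python
"""Triage of Good Launcher client log lines (added example)."""
import re

GES_NAME = "Good Enterprise Mobility Server Entitlement"

NO_PROVIDER = re.compile(
    r"No (FollowMe) service available|Unable to find (Presence|Directory) service provider")
PROVIDER_COUNT = re.compile(
    r"Discovered (\d+) service providers for service: (.+?) \(using first in list\)")
SERVER_COUNT = re.compile(r"Discovered (\d+) servers for service provider: (.+)$")
CONNECTION_ERRORS = [
    ("Directory", re.compile(r"Error in getting directory info \((.*?)\): (.*)$")),
    ("Presence", re.compile(r"Error in subscribing to presence \((.*?)\): (.*)$")),
    ("FollowMe", re.compile(
        r"Connection error when trying to retrieve from FollowMe store: (.*)$")),
]

# What to check for each finding, taken from the text of this appendix.
ADVICE = {
    "NO_PROVIDER": "check that servers are specified for the App ID and that one "
                   "of the user's App Groups allows it",
    "MULTIPLE_PROVIDERS": "user sees more than one provider: check the Everyone "
                          "group, overlapping App IDs and affinity memberships",
    "UNEXPECTED_PROVIDER": "provider name is not the intended one",
    "CONNECTION_ERROR": "verify client connectivity, that the GEMS hosts are "
                        "online, and the configured server URL(s)",
}

# Constructed sample log; the timestamp format is an assumption.
SAMPLE_LOG = """\
2015-08-25 10:00:01 Discovered 1 service providers for service: directory (using first in list)
2015-08-25 10:00:01 Discovered 3 servers for service provider: Good Enterprise Mobility Server Entitlement
2015-08-25 10:00:02 Discovered 2 service providers for service: presence (using first in list)
2015-08-25 10:00:02 Discovered 6 servers for service provider: XYZ Presence Entitlement
2015-08-25 10:00:03 No FollowMe service available
2015-08-25 10:00:09 Error in subscribing to presence (-1001): The request timed out.
2015-08-25 10:00:10 Connection error when trying to retrieve from FollowMe store: host unreachable
""".splitlines()


def triage(lines, expected_providers=frozenset({GES_NAME})):
    """Return (line_no, subject, issue, detail) for each line that needs attention."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip()
        m = NO_PROVIDER.search(line)
        if m:
            findings.append((line_no, m.group(1) or m.group(2), "NO_PROVIDER", ""))
            continue
        m = PROVIDER_COUNT.search(line)
        if m:
            if int(m.group(1)) > 1:  # the text: this count should always be 1
                findings.append((line_no, m.group(2), "MULTIPLE_PROVIDERS",
                                 m.group(1) + " providers found"))
            continue
        m = SERVER_COUNT.search(line)
        if m:
            name = m.group(2).strip()
            if name not in expected_providers:
                findings.append((line_no, name, "UNEXPECTED_PROVIDER",
                                 m.group(1) + " servers"))
            continue
        for service, pattern in CONNECTION_ERRORS:
            m = pattern.search(line)
            if m:
                findings.append((line_no, service, "CONNECTION_ERROR",
                                 ": ".join(m.groups())))
                break
    return findings


if __name__ == "__main__":
    for line_no, subject, issue, detail in triage(SAMPLE_LOG):
        print(f"line {line_no}: {issue} [{subject}] {detail}\n    -> {ADVICE[issue]}")
```

For deployments that use organization-level App IDs, pass the display names of the intended providers as `expected_providers` so that only unintended ones are reported.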

Appendix J Changing the GEMS Dashboard and Web Console Login

As of GEMS 1.4, both the Dashboard and Web Console support Active Directory-based login. However, for versions of GEMS numbered 1.3.x and earlier, it is a recommended practice to change the administrator's password for the GEMS Dashboard UID/PWD, in accordance with your IT policy.

To change the administration password in v1.3.x and earlier:

1. In your favorite text editor, open <GEMS Machine Path>\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\users.properties.
2. Change the current password from admin (the SHA-1 Hash highlighted in yellow) to something else, after which, this will be the password for the GEMS Web Console.

   admin={crypt}a becd921781d5ba1e58fa4d129b24060f{crypt}, _g_:admingroup
   →
   admin=<new_password>,_g_:admingroup

   You can enter a plain text value. It will automatically be replaced with a salted SHA-256 Hash the next time an admin user logs in.
3. Save your changes.

To confirm the change: Restart the Good Technology Common service and log in to the GEMS Web Console by going to <your_gems_host>.com:8443/system/console/configmgr using the new/changed password.

Appendix K Migrating Your Good Share Database to GEMS-Docs

A Good Share deployment can migrate/repurpose its database for the GEMS-Docs service to support existing user transition from the Good Share client to Good Work. First, however, GEMS and the Docs Configuration Console must be installed in accordance with the guidance offered in the GEMS Installation and Configuration Guide for Administrators.

Client App Support Considerations

The following limitations must be considered in determining whether or not a migration is advisable:

- Good Share clients communicate with the Good Share server only; they are not supported by the GEMS-Docs service.
- Good Work Docs communicates with the GEMS-Docs service only; it is not supported by the Good Share server.

Given these inherent limitations, it is recommended that you continue to run your deployed Good Share servers in parallel with the GEMS-Docs service for a duration sufficient to conveniently transition your users from their Good Share client app to Good Work.

Important: After upgrading your Good Share database to GEMS-Docs, discontinue using the old Good Share Console and use only the GEMS Dashboard Home > Docs pages for administration going forward.

Otherwise, you will want to consider two basic migration scenarios:

(1) Migrating with continued Good Share client support
(2) Migrating to Good Work only (no Good Share client support)

Each is covered in turn here.

Migrating with Continued Support for Good Share

To migrate to GEMS-Docs while continuing to support Good Share clients:

1. Install the GEMS-Docs Service in accordance with the procedure enumerated in the GEMS Installation and Configuration Guide.
   Note: If you are using Windows Authentication for the database, Good Technology Common Services must run under a user who has access to the Good Share database.
2. Launch the GEMS Dashboard, click on Docs, then click on Database and select the database being used by Good Share.
   Upon completion of Step 2, both the GEMS-Docs service and Good Share server should now be functional and sharing the same data. This means that policies, users, and data sources previously configured for Good Share should all be available in GEMS-Docs. Logged audit data continues to be available, and reports can be generated from the Good Share Web Console.
3. When all Good Share users have switched to Good Work and Good Share clients are no longer being used, you can safely uninstall Good Share server and the Good Share Web Console.

Migrating to Good Work Only

If there is no requirement to support both Good Work and Good Share at the same time (i.e., concurrently), then the machine(s) used for Good Share can be repurposed in accordance with the following steps:

1. Uninstall Good Share server and the Good Share Web Console but do not remove the database.
2. Install GEMS and configure the Docs service in accordance with the procedures enumerated in the GEMS Installation and Configuration Guide. Again, if you are using Windows Authentication for the database, Good Technology Common Services must run under a user who has access to the Good Share database.
3. Launch the GEMS Dashboard, click Docs, then click Database, and here also select the database previously used by Good Share.

Upon completion of Step 3, all previously configured policies, users, data sources and settings are now available to the GEMS-Docs service and configurable in the Docs Configuration Console.

Noteworthy Feature Differences (GEMS-Docs versus Good Share)

The following feature changes will be noticed when comparing GEMS-Docs to Good Share server:

- Open-in application list is now managed in the Good Control application policy for Good Work. Any Open-in lists created in Good Share must now be added in Good Control.
- Keep in-sync feature is not supported
- Permissions in data sources not supported: Allow Native Print Open in
- Security settings no longer supported:
  - Allow playing of media files iOS only (stored outside of the secure container during playback)
  - Enable device to remember user password
  - Display event information for calendar alerts
  - Force user to save Pending Uploads

211 Appendix L Configuring AlwaysOn Support for SQL Server 2012 Appendix L Configuring AlwaysOn Support for SQL Server 2012 The AlwaysOn Availability Groups feature is a high-availability and disaster-recovery solution providing an enterprise-level alternative to database mirroring. Introduced in SQL Server 2012, AlwaysOn Availability Groups maximize the availability of a set of user databases for an enterprise. An availability group supports a failover environment for a discrete set of user databases, known as availability databases, that fail over together. An availability group supports a set of read-write primary databases and 1 to 8 sets of corresponding secondary databases. Optionally, secondary databases can be made available for read-only access and/or some backup operations. Setting Up SQL AlwaysOn AlwaysOn requires Windows Cluster, but not Quorum. For guidance from Microsoft on creating a Windows Server failover cluster, see Clustering and High-Availability. The guidance presented here is limited to AlwaysOn for SQL Server. To set up SQL Server for an AlwaysOn Availability Group: 1. Launch SQL Installation Center, and choose New SQL Server stand-alone installation or add features to an existing installation. 2. Click Next. Then, in the Feature Selection window, select the recommended features outlined below in red, and click Next again. Good Enterprise Mobility Server 203

3. In the Server Configuration window:
   a. Set the Account Name to the domain account.
   b. Select Manual as the Startup Type.
   c. Click Next.
4. In the Database Engine Configuration window, click the Server Configuration tab:
   a. Select an Authentication Mode.
   b. Create a SQL Server sa password.

   c. Click Add Current User.
   d. Click Next.
5. Click the Data Directories tab and enter a directory or keep the default. Shared storage is not required.
6. Click Next to complete installation.

To set up SQL AlwaysOn:

1. On each machine in the cluster, launch SQL Server Configuration Manager, then right-click the desired SQL Server instance and select Properties.
2. Enable AlwaysOn Availability Groups, then click OK.
3. Now do a full backup of the database that will reside in the AlwaysOn group. The backup should be located in a shared folder that the other nodes of the cluster can reach and read.
4. Launch Microsoft SQL Server Management Studio, right-click AlwaysOn High Availability in the Object Explorer and select New Availability Group Wizard...

5. Specify an Availability group name (for display, not connection) and click Next.
6. Select the databases for the AlwaysOn availability group, then click Next.
7. Open the Replicas tab and click Add Replica... to create a new replica (optional), then specify instances of SQL Server to host a secondary replica. Up to two replicas can be set for Automatic Failover; up to three for Synchronous Commit.

8. Click the Listener tab and if no Availability Group Listener exists, create one now, then click Next.
9. Select Full as your data synchronization preference and specify a shared network location. Remember, it must be accessible by all replicas.

10. Click Next. Then, if validation is successful, click Next again to complete availability group setup.

Testing Database Failover

To test automatic failover:

1. Connect to the database using the Listener.
2. In a query, execute: select
   The host name of the current primary server should be listed.
3. Restart the primary server and verify that the replica configured for automatic failover can take over the AlwaysOn availability group as the primary.
4. Execute select again to determine if a result is returned and whether or not the host name has changed.

To test manual failover:

1. Connect to the database using the Listener.
2. In a query, execute: select
   The host name of the current primary server should be listed.
3. Now, connect to the database using the primary server name.
4. In the AlwaysOn group, right-click the target primary and select Failover, then select a target replica for failover.
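A status check to run over the Listener connection before and after the failover tests above, as an added example that is not part of the Good guide. It uses only SQL Server's built-in availability group catalog views and DMVs (no object names are assumed), and the login running it needs VIEW SERVER STATE.

```sql
-- Added example (not from the GEMS guide).
-- Run through the availability group listener, once before and once after failover.

-- 1. Which instance answered, and what role and failover settings does each replica have?
--    When connected to the primary, all replicas of the group are listed.
SELECT
    @@SERVERNAME                     AS connected_instance,      -- instance the listener routed this session to
    ag.name                          AS availability_group,
    ar.replica_server_name,
    ars.role_desc,                   -- PRIMARY, SECONDARY or RESOLVING
    ar.availability_mode_desc,       -- SYNCHRONOUS_COMMIT or ASYNCHRONOUS_COMMIT
    ar.failover_mode_desc,           -- AUTOMATIC or MANUAL
    ars.connected_state_desc,        -- CONNECTED or DISCONNECTED
    ars.synchronization_health_desc  -- HEALTHY, PARTIALLY_HEALTHY or NOT_HEALTHY
FROM sys.availability_groups AS ag
JOIN sys.availability_replicas AS ar
    ON ar.group_id = ag.group_id
JOIN sys.dm_hadr_availability_replica_states AS ars
    ON ars.group_id = ar.group_id
   AND ars.replica_id = ar.replica_id
ORDER BY ag.name, ars.role_desc, ar.replica_server_name;

-- 2. Per-database synchronization state on each replica.
--    Before restarting the primary for the automatic failover test, the databases on the
--    automatic-failover partner should report SYNCHRONIZED; a synchronous-commit replica
--    that is still SYNCHRONIZING will not take over automatically.
SELECT
    ar.replica_server_name,
    DB_NAME(drs.database_id)         AS database_name,
    drs.is_local,                    -- 1 = row describes the instance you are connected to
    drs.synchronization_state_desc,  -- SYNCHRONIZED, SYNCHRONIZING, NOT SYNCHRONIZING, ...
    drs.synchronization_health_desc,
    drs.is_suspended
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar
    ON ar.group_id = drs.group_id
   AND ar.replica_id = drs.replica_id
ORDER BY database_name, ar.replica_server_name;
```

After a successful failover, connected_instance and the row with role_desc = PRIMARY should both name the former secondary, while the listener name used to connect stays the same.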


More information

File Auditor for NAS, Net App Edition

File Auditor for NAS, Net App Edition File Auditor for NAS, Net App Edition Installation Guide Revision 1.2 - July 2015 This guide provides a short introduction to the installation and initial configuration of NTP Software File Auditor for

More information

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Configuration Guide. Websense Web Security Solutions Version 7.8.1 Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution

More information

Lepide Exchange Recovery Manager

Lepide Exchange Recovery Manager Configuration Guide Lepide Exchange Recovery Manager Lepide Software Private Limited, All Rights Reserved This User Guide and documentation is copyright of Lepide Software Private Limited, with all rights

More information

Office 365 deploym. ployment checklists. Chapter 27

Office 365 deploym. ployment checklists. Chapter 27 Chapter 27 Office 365 deploym ployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of

More information

Microsoft Dynamics GP Release

Microsoft Dynamics GP Release Microsoft Dynamics GP Release Workflow Installation and Upgrade Guide February 17, 2011 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is.

More information

Mobility Services Platform 3.1.1 Software Installation Guide

Mobility Services Platform 3.1.1 Software Installation Guide Mobility Services Platform 3.1.1 Software Installation Guide Mobility Services Platform 3.1.1 Software Installation Guide 72E-100159-04 Revision D January 2008 2007 by Motorola, Inc. All rights reserved.

More information

Kaseya 2. Installation guide. Version 7.0. English

Kaseya 2. Installation guide. Version 7.0. English Kaseya 2 Kaseya Server Setup Installation guide Version 7.0 English September 4, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Installation & Activation Guide. Lepide Active Directory Self Service

Installation & Activation Guide. Lepide Active Directory Self Service Installation & Activation Guide Lepide Active Directory Self Service , All Rights Reserved This User Guide and documentation is copyright of Lepide Software Private Limited, with all rights reserved under

More information