Sage Abra SQL HRMS Abra Workforce Connections Pre-Installation Guide
2010 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service names mentioned herein are registered trademarks or trademarks of Sage Software, Inc., or its affiliated entities. Business Objects, the Business Objects logo, and Crystal Reports are registered trademarks of SAP France in the United States and in other countries. NetLib is a registered trademark of Communication Horizons. OrgPlus is a trademark of HumanConcepts, LLC. TextBridge is a registered trademark of ScanSoft, Inc. Microsoft, Outlook, Windows, Windows NT, Windows Server, the.net logo, Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and /or other countries. The names of all other products and services are the property of their respective holders. Sage has made every effort to ensure this documentation is correct and accurate but reserves the right to make changes without notice at its sole discretion. Use, duplication, modification, or transfer of the product described in this publication, except as expressly permitted by the Sage License Agreement is strictly prohibited. Individuals who make any unauthorized use of this product may be subject to civil and criminal penalties. For additional assistance on this and other Sage products and services, visit our Web site at: www.sageabra.com Abra Workforce Connections
Table of Contents Requirements...1 Hardware and Software Requirements and Recommendations... 1 Sage Abra Workforce Connections (Abra ESS, Abra Benefit Enrollment, HR Actions for Sage Abra)...1 Client Requirements for Web Access to Sage Abra Workforce Connections...3 Using ASP.NET 3.x...5 Using Dynamic Information Sharing with Microsoft Windows 2008 Server...7 SQL Server Installation...11 Install SQL Server... 11 Firewall/Security Services Configuration...17 Sage Abra SQL HRMS Firewall / Security Services Configuration... 17 Abra Workforce Connections Firewall / Security Services Configuration... 17 Network Security Configurations... 18 Basic Network Security IIS behind Firewall...18 Advanced Network Security IIS and Two Demilitarized Zones (DMZs)...19 Enhanced Network Security IIS in Demilitarized Zone (DMZ)...19 Abra Workforce Connections Data Execution Prevention Settings...19 Create a Windows User Account...21 Appendix...29 Information Security Recommendations for Public Access Workstations... 29 Software Applications...29 Data Security...30 More Best Practices...31 Pre-Installation Guide i
ii Abra Workforce Connections
Requirements Important! This product should be installed only by a certified Business Partner. Hardware and Software Requirements and Recommendations Sage Abra Workforce Connections (Abra ESS, Abra Benefit Enrollment, HR Actions for Sage Abra) Recommended Server Specifications Processor Operating System Dual Core X86 Processor 2.4 GHz or higher During Open Enrollment (if Abra Benefits Enrollment installed): > 500 but < 1000 employees: Dual Core X86 Processor 3.0 GHz > 1000 but < 3000 employees: Quad Core x86 Processor 2.0 GHz Install and configure one of the following: Windows Server 2008, Standard or Enterprise Edition, latest service packs Windows Server 2003, Standard or Enterprise Edition, latest service packs. For Windows Server 2003, SP2 or higher, you must verify that the Data Execution Prevention (DEP) settings are correct. Refer to page 19 for details. For information about Windows Server 2003, Web Edition, refer to the note at the end of this table. Install and configure: Microsoft Internet Information Services web server and the World Wide Web Publishing Service SMTP Service MDAC 2.8.Net Framework 3.5 (HR Actions). See page 5 for IIS setup instructions. IIS must be in WOW mode on 64 bit applications. Use Manage Your Server to add and configure: the Application Server role, including ASP.NET the Mail Server role Refer to the Abra Workforce Connections Technical Installation Guide for Windows 2003 and 2008 for configuration information for IIS and SMTP. Pre-Installation Guide 1
Hardware and Software Requirements and Recommendations Recommended Server Specifications Database Install and configure one of the following: SQL Server 2005 Standard Edition, latest service packs. This must be set up using mixed mode authentication and default collation sequence (SQL_Latin1_General_CP1_CI_AS). Sage Abra SQL HRMS RAM Hard Drive Drive Monitor Browser Network Speed SQL Server 2005 Express Edition, latest service packs. This is the default database installed with Abra Workforce Connections. Advanced Services is required to run full text queries in Abra erecruiter when searching resumes. SQL Server 2008 Standard Edition, latest service packs. This must be set up using mixed mode authentication. SQL Server 2008 Express Edition, latest service packs. Refer to the Abra Workforce Connections Technical Installation Guide for Windows Server 2003 and 2008 for configuration information for SQL Server and mixed mode authentication setup. Sage Abra SQL HRMS v10.x If you are installing Sage Abra Alerts and Abra Workforce Connections on the same server, you must install Sage Abra Alerts before installing Abra Workforce Connections. Recommended: 2048 MB for up to 1,000 employees and 50 concurrent users. You must also do the following: Add 128 MB for every additional 500 employees in Sage HRMS Add 128 MB for every additional 25 concurrent users* (administrators, employees, and applicants) in Abra Workforce Connections File Attachments require additional disk space (HR Actions) *Concurrent users are the maximum number of users logged on to Abra Workforce Connections at the same time. 100 MB available space for the server (+100 MB for HR Actions) 80 MB plus 1 MB additional available space for every 100 employees DVD ROM drive SVGA 1024 x 768 resolution or higher Internet Explorer v7 and higher 100 Mbps minimum, 1000 Mbps preferred. Performance may dictate moving the installed applications to a multi server environment. SQL Server 2005 Express Edition (the embedded database installed with Abra Workforce Connections) is appropriate for organizations with 5 administrative HRMS users or less and 25 concurrent AWC users or less. Organizations with more than 5 administrative HRMS users or more than 25 concurrent AWC and Abra erecruiter users (administrators, employees, applicants) should consider SQL Server. 2 Abra Workforce Connections
Hardware and Software Requirements and Recommendations About Windows Server 2003 Web Edition: SQL Server 2005 or 2008 Express Edition can be installed on the same server that is running Windows Server 2003 Web Edition SQL Server cannot be installed on the same server that is running Windows Server 2003 Web Edition. However, you can use SQL Server with Windows Server 2003 Web Edition if SQL Server resides on a different server. About Windows Server 2008 Web Edition: SQL Server 2005 or 2008 Express Edition can be installed on the same server that is running Windows Server 2008 Web Edition. SQL Server can be installed on the same server that is running Windows Server 2008 Web Edition. More helpful information: Information concerning SQL Server security, stability, and scalability is available at the following link: http://www.microsoft.com/sql/techinfo/default.mspx Client Requirements for Web Access to Sage Abra Workforce Connections Your system must meet the minimum requirements for Microsoft Internet Explorer version 7 or higher. At the time of release, these requirements can be found at: http://www.microsoft.com/windows/products/winfamily/ie/ie7/sysreq.mspx Warning: When navigating in Abra Workforce Connections, do not click the browser s Forward and Back buttons to navigate. You must use the navigation buttons on the application page. Pre-Installation Guide 3
Hardware and Software Requirements and Recommendations 4 Abra Workforce Connections
Using ASP.NET 3.x If ASP.NET 3.x Framework is installed, you must open Internet Information Services (IIS) Manager and change the Web Service Extension for ASP.NET v2.0 from Prohibited to Allowed, or you will be unable to open the AWC Web page. See the following figures for IIS v6.0 and IIS v7.0 setup. IIS V6.0 IIS V7.0 Pre-Installation Guide 5
Using ASP.NET 3.x 6 Abra Workforce Connections
Using Dynamic Information Sharing with Microsoft Windows 2008 Server The information sharing capability allows you to share workforce data with other employees in your company. The View Builder is a highly versatile and customizable analytical tool that allows you to implement information sharing in your company. The View Builder allows you to create a View (similar to a template) that generates data and displays the output in your web browser. Follow the steps below if you will install Abra Workforce Connections on a server running Windows 2008 Server and plan to use the View Builder. 1. On the server, select Start > Administrative Tools > Server Manager to open the Server Manager dialog box. 2. Click the Roles node in the left hand pane. 3. Click Add Roles Services to open the Add Role Services dialog box. Pre-Installation Guide 7
Using Dynamic Information Sharing with Microsoft Windows 2008 Server 4. Select Application Development and then click Install. 5. Scroll down the list of Role services and select Security. 8 Abra Workforce Connections
Using Dynamic Information Sharing with Microsoft Windows 2008 Server 6. Scroll down the list of Role services and select IIS 6 Management Compatibility. 7. Click Next and then click Install to install the selected components. 8. After the install is complete, click the Features node and then click Add Features to open the Add Features Wizard. Pre-Installation Guide 9
Using Dynamic Information Sharing with Microsoft Windows 2008 Server 9. Select SMTP Server. If necessary, click Install to also install the Web Server (IIS) service. 10. Click Next and then click Install to install the selected features. 11. Restart the server. 10 Abra Workforce Connections
SQL Server Installation To run Sage Abra Workforce Connections, you must have Microsoft SQL Server or Microsoft SQL Server Express Edition with Advanced Services installed. For your convenience, Sage includes an installation of SQL Server 2005 Express Edition with Advanced Services on the Sage Abra Installer DVD. To use Microsoft SQL Server 2008 Express Edition with Advanced Services, download it from the Microsoft Web site, which at the time of release was: http://www.microsoft.com/downloads/details.aspx?familyid=b5d1b8c3 FDA5 4508 B0D0 1311D670E336&displaylang=en If you download and install Microsoft SQL Server 2008 Express Edition with Advanced Services, you must select mixed mode authentication and accept the default collation sequence (SQL_Latin1_General_CP1_CI_AS). Install SQL Server 1. Load the Sage Abra Installer DVD into the DVD drive. 2. Select Sage Abra Workforce Connections. The Abra Workforce Connections Installation dialog box opens. Pre-Installation Guide 11
Install SQL Server 3. Select Install SQL 2005 Express Edition with Advanced Services. 4. Select SQL Server 2005 Express Edition with Advanced Services and proceed with the installation. Be advised of the following information as you install: You must remove any beta or Community Technology Preview (CTP) versions of SQL Server Management Studio Express from your system before installation. Otherwise, this installation of SQL Server 2005 Express Edition will fail. A known issue could cause the installation of SQL Server 2005 Express Edition to pause for a significant amount of time during the installation. That is, when the primary domain has many external trust relationships with other domains, or many lookups are performed at the same time, the time required to look up domain group names may increase significantly. To work around this issue, you can temporarily disable the network on the computer where the installation will run. To do this, either disconnect the network cable or type the following command at a command prompt: ipconfig /release The system checks for, and if necessary, installs prerequisites for installation (Windows Installer 3.1,.NET Framework 2.0, and MDAC 2.8) before it begins installing SQL Server 2005 Express. 12 Abra Workforce Connections
Install SQL Server The required components are configured: The configuration includes a new version of SQL Server Books Online. However, if SQL Server 2005 Express Edition is already installed, the following warning displays. Click OK to proceed., Pre-Installation Guide 13
Install SQL Server a. SQL Server Management Studio Express is included in the installation. Click Next on the Welcome page to proceed: b. When installation is complete, click Finish. 14 Abra Workforce Connections
Install SQL Server 5. After completing the SQL Server Express or SQL Server Management Studio Express installations, open Management Studio Express (Start > Programs > SQL Server 2005 > SQL Server Management Studio), go to the Object Explorer tab, and verify that the AWCExpress instance exists. After SQL Server 2005 Express Edition installation is complete, return to the Abra Workforce Connections Installation page to install Abra Workforce Connections. Pre-Installation Guide 15
Install SQL Server 16 Abra Workforce Connections
Firewall/Security Services Configuration Sage Abra SQL HRMS - Firewall / Security Services Configuration The firewall considerations for Sage Abra SQL HRMS clients are as follows: The firewall considerations for Sage Abra SQL HRMS clients are as follows: Outgoing connections The following ports must be open for clients to connect to AWC: www http: 80/TCP This is needed only when non secure (http) access to the server is allowed. https: 443/TCP This is needed only if you want https access to the server and it is configured When Sage Abra SQL HRMS is configured to connect to a non local SQL Server, incoming and outgoing traffic for the following port is required. Refer to Microsoft Knowledge Base article INF: TCP Ports Needed for Communication to SQL Server Through a Firewall at: http://support.microsoft.com/?id=kb;en us;q287932 mssql ms sql: 1433/TCP Abra Workforce Connections - Firewall / Security Services Configuration The firewall considerations for an Abra Workforce Connections server are as follows: Incoming connections The following ports must be open for incoming connections to the server: www http: 80/TCP This is needed only when non secure (http) access to the server is allowed. https: 443/TCP This is needed only if you want https access to the server and it is configured Outgoing connections When Abra Workforce Connections is configured to connect to a non local SQL Server, incoming and outgoing traffic for the following port is required. Refer to Microsoft Knowledge Base article INF: TCP Ports Needed for Communication to SQL Server Through a Firewall at: Pre-Installation Guide 17
Firewall/Security Services Configuration http://support.microsoft.com/?id=kb;en us;q287932 mssql ms sql: 1433/TCP To resolve IP addresses via DNS (depending on your server configuration), the following ports need to be open: domain: 53/TCP domain: 53/UDP To send mail from the local SMTP service, at least the following port has to be available if outgoing e mails are configured to be sent or forwarded from the Abra Workforce Connections server: smtp: 25/TCP Network Security Configurations The following images are of common configurations that are used when implementing Abra Workforce Connections. These are guidelines only and can be modified for your environment. Basic Network Security IIS behind Firewall 18 Abra Workforce Connections
Firewall/Security Services Configuration Advanced Network Security IIS and Two Demilitarized Zones (DMZs) Enhanced Network Security IIS in Demilitarized Zone (DMZ) Abra Workforce Connections - Data Execution Prevention Settings Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. If you are running Abra Workforce Connections on a Windows 2003 Server with Service Pack 1 or higher, you must verify the DEP settings are correct. On the Abra Workforce Connections server, follow the steps below. We recommend that these steps be performed only by the company s IT department. Note: After verifying the DEP settings, you will be instructed to reboot the server. Therefore, before you begin, we recommend you make the necessary preparations for this required server reboot. Pre-Installation Guide 19
Firewall/Security Services Configuration 1. Verify the operating system is Windows 2003 Server with Service Pack 1 or higher: click Start > Run, type winver, and press Enter. 2. Verify the processor supports hardware DEP: a. Go to Control Panel > System > Advanced. b. Click Settings in the Performance section. c. Click the Data Execution Prevention tab. d. Verify that you do not see the following text at the bottom of the tab: Your computer s processor does not support hardware based DEP. However,... 3. If you do not see the text and Abra Workforce Connections is generating error 80010105, do the following to switch DEP settings: a. Go to Control Panel > System > Advanced. b. Click Settings in the Performance section. c. Click the Data Execution Prevention tab. d. Select Turn on DEP for essential Windows programs and services only. e. Click OK to save and close all dialog boxes. 4. Reboot the server. Tip: Refer to the following Microsoft Knowledge Base article for more information on DEP: http://support.microsoft.com/kb/875352. 20 Abra Workforce Connections
Create a Windows User Account Abra Workforce Connections (AWC) requires a Windows user account that has read and write access to the Sage Abra SQL HRMS data files, has permissions to log on as a service and launch processes, and is a member of the administrators group from the Abra Workforce Connections Web/Application server. Use the following instructions to create this account if the data files are located on your Abra Workforce Connections Web/Application server (that is, the server where you perform the Abra Workforce Connections installation). If the Sage Abra SQL HRMS database files are located on a different server and your enterprise uses workgroups, you must create the same Windows user account on both the AWC Web server and the Sage Abra SQL HRMS server. If your enterprise uses domains or active directory, a Windows user account at the domain level is sufficient. If Sage Abra SQL HRMS is accessed through a file share, you must set both share permissions and NTFS permissions (if applicable) to allow read and write access for the account. The account should have a static password that does not need to be changed. This prevents errors when Abra Workforce Connections tries to access the share using the account information after the password expires or changes. Skip the following if you already have a Windows user account that meets the aforementioned criteria. 1. From the Start menu, select (All) Programs > Administrative Tools > Computer Management > System Tools > Local Users and Groups. Pre-Installation Guide 21
Create a Windows User Account 2. Add a New User: a. Right click Users and select New User. The New User dialog box opens. b. In the User Name field, enter the Windows user account that has write access to the Sage Abra SQL HRMS data files. This account should have the rights of a standard user account (local or domain). c. In the Password fields, enter and confirm the password. d. Clear User must change password at next logon. e. Select User cannot change password and Password never expires. f. Click Create. g. Click Close. 22 Abra Workforce Connections
Create a Windows User Account 3. Add the new user to the Administrator group: a. Right click the (AWC) user and select Properties. b. Click the Member Of tab and then click Add to open the Select Groups dialog Pre-Installation Guide 23
Create a Windows User Account c. Click Advanced and then Find Now to find the Administrators group. 24 Abra Workforce Connections
Create a Windows User Account d. Highlight the Administrators group and click OK. e. Click OK. f. Click OK to end the task. The AWC user has now been added to the Administrators group. Pre-Installation Guide 25
Create a Windows User Account 4. Using Windows Explorer, navigate to the Sage Abra SQL HRMS Data folder, right click and select Properties. Notes: If you are using a Windows XP or Windows Server 2003 machine, the default location is \Documents and Settings\All Users\Application Data\Sage\SageAbraSQLHRMSServer\Data (as shown in the following figure) If you are using a Windows Server 2008, Windows Vista, or Windows 7 machine, the default location is \ProgramData\Sage\SageAbraSQLHRMSServer\Data 5. In the Data folder s Properties dialog box, select the Security tab and click Add. The Select Users, Computers, or Groups dialog box opens. 26 Abra Workforce Connections
Create a Windows User Account 6. In the Enter the object names to select field, enter <local server name>\awc. 7. Click OK. 8. Set the Modify user permission to Allow. 9. Click OK. Pre-Installation Guide 27
Create a Windows User Account 28 Abra Workforce Connections
Appendix Information Security Recommendations for Public Access Workstations Abra Workforce Connections allows users to access their personal, payroll, and benefit information via the Internet or an intranet. When you connect to a network and communicate with others, you are taking a risk. Internet security involves the protection of a computerʹs internet account and files from intrusion of an unknown user. This means people will always strive to find new ways to circumvent IT security, and users will need to be continually vigilant. Below are some recommendations for keeping your system and network secure. However, we highly recommend that you contact an Information Security expert to determine the best way for your company to keep your information secure. Software Applications Install and maintain up to date and properly configured anti virus software. Be sure that real time protection scans all files. Install active spyware defenses, for example, Windows Defender. Install only the minimum number of applications as needed. Update Web plug ins, Java Scripts, and media players on a regular basis as these are areas of increasing vulnerability. Periodically check the Web site of the Operating System vendor (such as Microsoft) for critical security updates that may need to be applied. Consider using multiple Web browsers for different software applications. Currently, Abra ESS and Abra erecruiter can run with Internet Explorer 7.0 and 8.0; Google Chrome 4.0.223.16; Apple Safari 3.2.3 (525.29), and Mozilla Firefox 3.6.3. Abra Workforce Connections Open Enrollment/Life Events can run with Internet Explorer 7.0 and 8.0. So, for example, you could use Mozilla Firefox to access Abra ESS and a different browser for general purpose Web browsing. This can minimize the chances of vulnerability in a Web browser, a Web site, or related software that can be used to compromise sensitive information. Disable other unnecessary network services. Pre-Installation Guide 29
Information Security Recommendations for Public Access Workstations Data Security Keep backup copies of important documents on a secure server and not a shared workstation. Use certificates, especially if you modify a DNS server (or write a Java based SSL proxy) to point your Web or XML client to another Web site. Configure the Abra Workforce Connections Web server for HTTPS/SSL using a valid site certificate and do not allow access from public workstations or computers on the Internet. Enable or disable functionality as required to secure your Web browser. Because some software features, such as ActiveX, Java, Scripting (for example, JavaScript or VBScript), that provide functionality to a Web browser can also introduce vulnerabilities to the computer system, you must understand which browsers support which features and the subsequent risks they could introduce. If you are not sure how to define the security settings, please consult an Information Security expert. Disable broadcast services. Disable the cache on the local system and always store confidential data securely (in transit and at rest). Clear out temporary files. Require users to change their password regularly and require a strong password. Never allow Windows to remember your password. Lock the BIOS to prevent USB, CD ROM, or Network booting and use a strong BIOS password. Prevent Internet Explorer from caching passwords. Set Internet Explorer to have a 0 day history and to clear the cache upon exit. This helps destroy session cookies. Perform a port scan or a network statistics on the kiosk operating system to determine active TCP connections. Block everything except the ports you need. 30 Abra Workforce Connections
Information Security Recommendations for Public Access Workstations More Best Practices Institute strong group policies. This is a good way to prevent security issues. Stress the importance of logging off and closing all applications, not opening e mail attachments unless you know the sender and know that it was intentionally sent to you, and not clicking links without considering the risks of their actions. Important! The best approach to adequately maintain the security of the system, without unduly inconveniencing the user, should be determined in consultation with an Information Security expert. Pre-Installation Guide 31