Good Connect Server Installation and
Transcription
Good Connect Server Installation and
Good Connect 2.2 Server Installation and Administration Guide Microsoft Lync 2010 Issue Date: 14-Oct-13 Last Updated: 23-Oct-14 Table of Contents 1. 2. Overview......................................................................................................................................... 4 Requirements ................................................................................................................................. 5 2.1 System and network requirements .......................................................................................... 5 2.2 Good Dynamics requirements ................................................................................................. 6 2.3 Microsoft Windows PowerShell 2.0 RTM................................................................................. 6 2.4 Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs.................................. 6 2.5 Microsoft Unified Communications Managed API 3.0 Runtime (64-bit) .................................. 6 2.6 A SSL certificate ...................................................................................................................... 6 2.7 The Good Connect Database ................................................................................................ 10 3. 2.7.1 Setting up Oracle XE database ................................................................................ 11 2.7.2 Setting up Microsoft SQL Server 2008 R2 ............................................................... 11 Preparing the Lync topology for Good Connect ........................................................................... 13 3.1 Preparing for the first installation of the Good Connect server .............................................. 13 3.2 Preparing for subsequent Good Connect servers ................................................................. 14 4. Installing the Good Connect Server ............................................................................................. 15 4.1 Good Connect Server Windows Service ............................................................................... 24 4.2 APNS web proxy support ....................................................................................................... 25 4.2.1 Setting the configuration parameters ........................................................................ 25 4.2.2 Storing the user credentials ...................................................................................... 26 4.3 Configuring the Good Connect Server to use the Global Catalog......................................... 27 5. Repairing/Upgrading the Good Connect Server .......................................................................... 28 5.1 Repairing the Good Connect Server...................................................................................... 28 5.2 Upgrading the Good Connect server ..................................................................................... 28 6. 7. The Good Connect Server configuration file ................................................................................ 29 Configuring Good Control............................................................................................................. 32 7.1 Entering the Good Connect Server Pool information and IM platform type .......................... 32 7.2 Listing the approved Good Connect Server hostnames and ports ........................................ 33 7.3 Controlling browser and map behavior .................................................................................. 33 7.4 Enabling a disclaimer ............................................................................................................. 34 7.5 Disabling Conversation History.............................................................................................. 35 8. Configuring Good Connect user affinity ....................................................................................... 36 8.1 ABC company example ......................................................................................................... 36 8.2 Enabling User Affinity ............................................................................................................ 36 9. 10. Configuring MS Exchange Conversation History ......................................................................... 38 Enabling SSL support for Connect Client and Connect Server via Good Proxy.......................... 40 10.1 Creating the CSR ......................................................................................................... 41 10.2 Send the new CSR to a well-known third-party CA to issue your certificate ............... 45 10.3 Binding the SSL certificate ........................................................................................... 45 Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 2 of 52 10.4 Configuring the Good Connect server to use the new certificate ................................ 47 10.5 Configuring the Good Connect client to start sending requests over SSL .................. 48 A. Troubleshooting with Log Exceptions .......................................................................................... 50 B. Troubleshooting with SSL certificate exceptions ......................................................................... 51 Legal Notice ........................................................................................................................................... 52 Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 3 of 52 1. Overview This manual provides step-by-step instructions for installing version 2.2 of the Good Connect Server in your Microsoft Lync 2010 environment. Be sure to carefully read and confirm that you meet all the listed requirements before you start the installation. There is also a detailed administration portion for your reference after you finish installing the server. The following diagram shows how the Good Connect Server works with both the enterprise IM infrastructure and the Good Dynamics (GD) servers behind the enterprise firewall. The Good Connect server then communicates with the Good Dynamics Network Operation Center (NOC) to securely reach the mobile device. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 4 of 52 2. Requirements This section lists the requirements for the Good Connect Server software. If you installed an Early Access version of Good Connect, you must uninstall the Early Access version before you can install this General Availability version. Important Upgrade Note If you are upgrading from a previous version of Good Connect Server, you must use the same Windows Service Account used to install your current version of Good Connect Server. Caution: If you don’t install the required software, or fail to configure them correctly before starting the installation of the Good Connect Server, the Good Connect Server may fail or may behave in an unexpected manner. 2.1 System and network requirements You must meet the following requirements before installing the Good Connect server. • Microsoft Windows Server 2008 SP2 (64-bit) or Microsoft Windows Server 2008 R2 (64-bit) • 4GB of RAM • 20GB disk space • 4 core processor • The installing user must have local administrative privileges on the host computer. • The Good Connect Server must be in the same domain as Microsoft Lync Server 2010 server. • The Good Connect Server must be able to communicate with the Microsoft Active Directory. • The local Windows Firewall must be disabled. Note: A Group Firewall Policy causes the installer to fail prerequisite checks, even if the local firewall is disabled. • Disable local anti-virus software during installation • The following inbound ports must not be blocked by any firewall: • • o 8080 from the Good Proxy server or 8082 if SSL is required for inbound Good Proxy communications (see section 7.2). o 49555 from the Lync server The following outbound ports must not be blocked by any firewall: o 80 to the Good Technology NOC/Apple Push Notification Service o 443 to the Good Technology NOC/Apple Push Notification Service o 5061 to the Lync server o 17080 to the Good Proxy server o 17433 to the Good Proxy server Good Connect also requires TCP/IP port access to the database used. o 1433 to the Microsoft SQL server default. o 1521 to the Oracle XE server default Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 5 of 52 2.2 Good Dynamics requirements • At least version 1.4.31.5 of the Good Control server • At least version 1.4.31.3 of the Good Proxy server You can download the Good Dynamics servers here: https://begood.good.com/docs/DOC-1053 2.3 Microsoft Windows PowerShell 2.0 RTM • Windows Server 2008 SP 2 This operating system version comes with PowerShell 1.0. Install PowerShell 2.0 by applying KB968930. • Windows Server 2008 R2 This operating system version comes with PowerShell 2.0. Enable the Windows PowerShell 2.0 feature using Server Manager. 2.4 Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs • Windows Server 2008 SP 2 Download Microsoft .NET Framework 3.5 here: http://www.microsoft.com/en-us/download/details.aspx?id=21 • Windows Server 2008 R2 Enable Microsoft .NET Framework 3.5 feature using Server Manager. 2.5 Microsoft Unified Communications Managed API 3.0 Runtime (64-bit) http://www.microsoft.com/en-us/download/details.aspx?id=20958 UcmaRuntimeSetup.exe also installs an additional installer named OCSCore.msi that is also required by Good Connect Server. Find OCSCore.msi by navigating to following directory, launch and use the default settings in the wizard. (Note: By default, the ProgramData folder is hidden in Windows Explorer. You can change this in folder settings) C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\Setup\OCSCore.msi 2.6 A SSL certificate The Good Connect Server must form a mutual trust relationship for MTLS communications with the Lync server. Mutual trust requires a SSL certificate that meets the following criteria: • The private certificate issued by a trusted CA must be stored in the Good Connect computer's Console Root\Certificates local_host_name\Personal\Certificates folder. • Both the computer’s private certificate and the Lync server’s internal computer certificate must be trusted by root certificates in the Good Connect computer’s Console Root\Certificates local_host_name\ Trusted Root Certification Authorities \Certificates folder. • Any intermediate certificates for both the Good Connect Server’s private certificate and the Lync server’s internal computer certificate must be located in the Good Connect computer's Console Root\Certificates local_host_name\ Trusted Root Certification Authorities \Certificates folder. • The account used to run the Good Connect server application must have read access to the certificate store and the private key. • The Subject Name (SN) of the certificate must contain the Common Name (CN) for the Good Connect server's fully-qualified domain name such as “CN=server.subdomain.domain.tld”. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 6 of 52 • The certificate must be signed by by a CA that is mutually-trusted by both the Lync server and the Good Connect server. See the following documentation for further information regarding SSL Certificate requirements: http://msdn.microsoft.com/en-us/library/lync/hh347354.aspx The following steps explain how to create a certificate for your Good Connect Server through your Enterprise Certificate Authority. 1. Launch the Microsoft Management Console (MMC). 2. Select File -> Add/Remove Snap-in -> Select Certificate. 3. Select Computer Account, Next, Local Computer, Finish 4. Select Certificates -> Personal -> Certificates. Note that the final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal. 5. Select Actions -> All Tasks -> Request New Certificate. 6. Click Next when the Certificate Enrollment wizard displays the Before You Begin screen. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 7 of 52 7. Select Active Directory Enrollment Policy in the next screen and click Next. 8. Select Computer as the type of certificate and click Enroll. 9. Click Finish when the enrollment process succeeds. The MMC now lists the new certificate. If you don’t see the new certificate, expand the tree view in the left-hand pane by clicking Console Root -> Certificates (Local Computer) -> Personal -> Certificates. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 8 of 52 10. Verify that your new certificate lists the fully qualified domain name of your Good Connect Server in the Subject attribute of your newly issued certificate as shown below. This is the default behavior of the Certificate Authority. However, if your CA uses custom certificate templates, an administrator may need to explicitly add that field for inclusion. 11. Right click on the newly created certificate and select More Actions -> All Tasks -> Manage Private Keys. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 9 of 52 12. Click Add in the Security tab of the Permissions dialog box to see the Select Users, Computers, Service Accounts or Groups dialog box. 13. Enter the Good Connect service account and click OK to grant permission to this certificate’s private key. 14. Click OK in the Permissions dialog box. 2.7 The Good Connect Database Good Connect server requires a relational database, either existing in your environment or installed per this document. The currently supported databases are Oracle and Microsoft SQL Server. A database must be installed and prepared before you start the Good Connect Server installation. SQL scripts must be executed before you start the Good Connect Server installation. These scripts can be found in the zip file containing the Good Connect installer. Microsoft and Oracle have visual and command line tools to assist you with database and schema creation (Microsoft Management Studio, sqlcmd, Oracle SQL Developer, sql*plus etc). Supported Oracle Versions • • Oracle 10g (Standard/Enterprise) Oracle 11g (Express/Standard/Enterprise) Download Oracle 11g Express http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html Download Oracle ODAC (Client libraries, 64-bit ODAC 11.2 Release 5 for Windows x64) You must install client libraries on the Good Connect Server http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html Supported Microsoft SQL Server Versions • • SQL Server 2008 (Express/Standard/Enterprise) SQL Server 2008 R2 (Express/Standard/Enterprise) Download MS SQL Server 2008 R2 Express http://download.microsoft.com/download/5/5/8/558522E02150-47E2-8F52-FF4D9C3645DF/SQLEXPRWT_x64_ENU.exe Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 10 of 52 2.7.1 Setting up Oracle XE database Prior to running the installer, you must create a schema named “GoodConnect” in your instance as well as a user account with privileges for executing schema, stored procedures and creating table for said schema. 1. Start the Run SQL Command Line Program: Start Menu > All Programs > Oracle Database Express Edition > Run SQL Command Line Enter connect system and provide the password as prompted. 2. Run the following commands: create user GoodConnect identified by password; grant connect, resource to GoodConnect; alter user GoodConnect default role all; grant create table to GoodConnect; @<unzip directory>\Sql\Oracle\1_Balboa_Schema.sql; @<unzip directory>\Sql\Oracle\1_Balboa_storedProcedures.sql; @<unzip directory>\Sql\Oracle\2_Cardiff_Schema.sql; grant execute on GOODCONNECT.USP_CREATENEWADTABLE to GoodConnect; grant execute on GOODCONNECT.USP_SWITCHADTABLES to GoodConnect; grant execute on GOODCONNECT.UTILS to GoodConnect; 2.7.2 Setting up Microsoft SQL Server 2008 R2 SQL Server Management Studio, which is bundled with the SQL Server 2008 R2 Express download, is required for setting the Good Connect database. If your SQL Server installation does not include the SQL Server Management Studio software, it is available as a separate download from the Microsoft website. http://www.microsoft.com/en-us/download/details.aspx?id=7593 Follow the instructions to set up the Good Connect database in SQL Server: 1. Install the SQL Server database per the directions in the installation wizard. Specify Windows Authentication mode or SQL Server and Windows Authentication mode under the Security section of the Server Properties. 2. After installation, launch SQL Server Management Studio and log in. You will perform steps 3 and 4 through the SQL Server Management Studio console. 3. Set up the login that will be used to manage the Good Connect database. Expand the Security item in the Object Explorer pane, then right-click Logins and select New Login o If you selected SQL Server and Windows Authentication mode in the Server Properties and wish to have a SQL Server login to manage the Connect database, enter GoodConnect as the Login name. Select SQL Server authentication and set a password for this login. You will need to enter the password value correct when the Good Connect installer asks for Connect database information. Click OK to add the login. o If you want to use a Windows account to manage the database, select Windows authentication. Enter the Windows account username in the domain\username format as the Login name. This account should be the same as the service or administrator account setup to run the Good Connect Server service. Click OK to add the login. 4. Right-click the Databases item in the Object Explorer pane, then select New Database. Enter GoodConnect as the Database name and set the login you configured in the previous step as the database Owner. Click OK to add the database. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 11 of 52 5. Launch the SQL Server Configuration Manager: Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager 6. Select Protocols for SQLEXPRESS. Enable TCP/IP and add port 1433 for IPAll. 1433 is the default port which the Good admin can change. 7. Restart the Microsoft SQL Server service. 8. Run Schema and Stored Procedure scripts. You must execute the following scripts in the specified order to properly create the GoodConnect database schema and stored procedures. These scripts can be found in the install directory under the “SQL\SQLServer” folder. sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 1_Balboa_Schema.sql sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 1_Balboa_StoredProcedures.sql sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 2_Cardiff_Schema.sql Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 12 of 52 3. Preparing the Lync topology for Good Connect Good Connect is a Microsoft Lync trusted-UCMA application. In order to establish trust with Microsoft Lync 2010, you must use the Lync Management Shell to do the following: • • • • • Create a trusted application pool. Designate trusted applications for the use of the Good Connect computer. Create a trusted-computer entry for every Good Connect server in the environment. Publish these changes to the Lync Topology. Create a Trusted Endpoint for the Good Connect administrator. Note You must be a member of the RTCUniversalServerAdmins and Domain Admins security groups to provision and publish new applications in the Microsoft Lync topology. If you have a designated Lync administrator within your organization, that person should perform the steps listed below. You must complete the application provisioning process as described here. After the application provisioning process, the Lync administrator needs to delegate RTCUniversalReadOnlyAdmins permission to you in order to access the provisioning information during the Good Connect installation process. 3.1 Preparing for the first installation of the Good Connect server The preparations described in this section are only required if you are installing the Good Connect server for the first time. See the section 3.2 Preparing for subsequent Good Connect servers to see how the preparations vary if you’ve already set up the Lync topology for the Good Connect server. When you create a trusted application pool for the first installation of Good Connect, you also create the trusted-computer entry. Subsequent installations of the Good Connect server do not require a new trusted application pool or designated trusted applications because these are added to the existing trusted application pool. Launch the Lync Management Shell: Start Menu -> All Programs -> Microsoft Lync Server 2010 -> Lync Management Shell and enter the commands listed in the screen excerpt below to do the following: 1. Create a Trusted Application Pool. 2. Designate a Trusted Application. 3. Publish the changes to the Lync Topology. You must follow the naming conventions provided in bold. Replace myhost with your Good Connect hostname and myconnectdomain.com with your Good Connect server’s computer domain. PS> Get-CsSite If your organization has more than one Site in its topology, look up the appropriate siteId number and the corresponding registrar value. You need this information to create the Application Pool below. PS> New-CsTrustedApplicationPool -Force -Identity "pool_goodconnect.myconnectdomain.com" -Registrar <registrar> -RequiresReplication $false -Site <siteId number> -ComputerFqdn "myhost.myconnectdomain.com" The value for <registrar> can be either a Director pool or a Lync pool. Director pools direct (or redirect) user request to the appropriate Front End server. However should the director pool become unavailable, then all pools would be inaccessible. PS> New-CsTrustedApplication -Force -ApplicationId "appid_goodconnect.myconnectdomain.com" -TrustedApplicationPoolFqdn "pool_goodconnect.myconnectdomain.com" -Port 49555 PS> Enable-CsTopology Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 13 of 52 3.2 Preparing for subsequent Good Connect servers Follow the instructions in this section only if you’ve already installed the Good Connect server at least once before. If this is your first installation of the Good Connect server, follow the instructions in section 3.1 Preparing for the first installation of the Good Connect server. Launch the Lync Management Shell: Start Menu -> All Programs -> Microsoft Lync Server 2010 -> Lync Management Shell and enter the commands listed below to do the following: • Create a trusted computer for the Good Connect trusted application pool. You must follow the naming conventions provided in bold. Replace myhost with your Good Connect hostname and mycompany.com with your organization’s domain. PS> New-CsTrustedApplicationComputer -Identity "myhost.myconnectdomain.com" -Pool "pool_goodconnect. myconnectdomain.com" Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 14 of 52 4. Installing the Good Connect Server This section details the various installation steps. Note: The Good Connect installer securely stores Web Proxy, Database, and Exchange service password in the Windows Credential Manager as the installer user. If the installer user is not the same as the Good Connect Windows Service account, you will need to manually add password to the Windows Credential Manager. 1. Run the installer executable. 2. Introduction screen This screen provides some basic information about the installer and the amount of space needed. Review the information and only proceed by clicking Next. 3. License Agreement screen Be sure to read the Good Server License and Services Agreement. If you agree with the terms, click Next. 4. Prerequisites screen The installer checks to make sure you meet the prerequisites that are detailed under the Requirements section of this manual. Failure to meet all the pre-requisite requirements will cause Good Connect to not run properly. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 15 of 52 5. Good Dynamics Host Information screen The Good Connect Server requires the hostname and port of the Good Dynamics Proxy server. If you choose HTTPS be aware that, at this time, Good Dynamics does not support internal CA issued SSL certificates within the Good Dynamics Proxy server. The certificate must come from a well-known 3rd Party certificate authority. See the Good Dynamics’ Good Control Server, Good Proxy Server Installation Guide for detailed instructions on how to do so. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 16 of 52 6. Database Server Settings screen. Good Connect requires a database to execute properly. Database configuration parameters can be set on this screen. 6.1 Microsoft SQL Server 2008 R2 MS SQL server can be authenticated in two ways: integrated windows authentication or SQL Server Authentication. Integrated Windows Authentication When a user connects through a Windows OS user account, SQL Server validates the account name and password using the Windows principal token in the operating system. The user’s credentials are confirmed by Windows OS and it is not necessary to provide username and password. Windows Integrated Authentication uses Kerberos security protocol that provides password policy enforcement, support for account lockout, and password expiration. A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 17 of 52 SQL Server Authentication When using SQL Server Authentication, logins are created in Microsoft SQL Server directly which are not based on Windows OS user accounts. Both the username and the password are stored and managed in the SQL Server. Users connecting using SQL Server Authentication must provide their credentials when they connect. If you choose SQL Server Authentication, you must provide username and password. The Good Connect Installer securely stores the username and password to the Window Credential Manager. If you run the Good Connect windows service as a different user from the one that installs the Good Connect, you will need to manually add the database username and password to the Windows Credential Manager as described in the following steps: 1. Login into the Good Connect server as the run user (this is the domain user as defined in Good Connect Server Host Information screen). 2. Launch cmd.exe as Adminstrator. 3. Execute the cmd: cmdkey /generic:GoodConnectDatabase /user:dbadmin /pass:password Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 18 of 52 6.2 Oracle XE Note: In order to use an Oracle database, you must install the Oracle ODAC on the Good Connect server. The Good Connect installer uses this to test connectivity to the Oracle database server. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 19 of 52 7. Good Connect Server Host Information screen Each Good Connect server’s host information also needs to be entered in the Good Control console. The installer automatically enters the local hostname. If the installer cannot detect a hostname, you can enter one, however the hostname must resolve properly within your network’s DNS for it to operate correctly with Good Dynamics and Microsoft Lync. Good Connect server supports HTTP and HTTPS connections from the Good Connect client. 7.1 HTTP Client Connections The default port for incoming client connections to the Good Connect Server is 8080. By default, the Good Connect installer will enable Connect server to respond to HTTP client requests. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 20 of 52 7.2 HTTPS Client Connections The Good Connect server supports client SSL connections to the Good Connect server. The Good Connect admin will need to follow the instructions prior to installation for enabling SSL for the Connect client. The instructions can be found in the Enabling SSL Support Between Good Dynamics Proxy and Good Connect Servers. After the setting up SSL, follow the instructions during installations: 1. Select Use GD SSL Binding 2. Enter Port and Certificate Friendly Name Each Good Connect server can host a maximum of 10000 concurrent sessions. A session constitutes any device actively connected into Good Connect and using the service. If you anticipate more than 10000 concurrent sessions, you should install a second Good Connect Server Each Good Connect server’s host information also needs to be entered in the Good Control console. See Section 7 for instructions on setting up Good Control. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 21 of 52 8. Exchange Conversation History screen The Exchange Conversation History screen information enables Good Connect to archive conversations to Exchange via Exchange Web Services. Good Connect server supports three different schema types for Exchange: o Exchange 2010 o Exchange 2010 SP1 o Exchange 2010 SP2 If you are using Exchange 2010 SP3, select Exchange 2010 SP2. Prior to installation, Good Admin must follow steps in Section 9 to enable Exchange Conversation history. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 22 of 52 9. Web Proxy screen If your Enterprise uses a web proxy to restrict access to the Internet, then you must selected the Web Proxy checkbox. The Good Connect server supports the following web proxy types: None, NTLM, Digest, or Basic Authentication. Select the authentication type used by your Enterprise’s web proxy and enter the appropriate information. The Good Connect Installer securely stores the username and password to the Window Credential Manager. If you run the Good Connect windows service as a different user from the one which installs the Good Connect, you will need to manually add the web proxy username and password to the Windows Credential Manager as described in the following steps: 1. Login into the Good Connect server as the run user (this is the domain user as defined in Good Connect Server Host Information screen). 2. Launch cmd.exe as Adminstrator. 3. Execute the cmd: cmdkey /add:GoodConnectWebProxy /user:foouser /pass:foopass 10. Good Connect Server Location screen. Click Next unless you want to change the default installation directory location. 11. Pre-installation Summary screen Review the summary information and make sure the values are correct before clicking the Install button. 12. Installation screen 13. Finalize screen The information gathered during this installation is available for review in the Good Connect Server’s configuration file. See section 6 The Good Connect Server configuration file for details. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 23 of 52 4.1 Good Connect Server Windows Service After installation, the Good Connect Server is listed in the Microsoft Windows Services interface. Good Connect can run as another domain user given the following: • The alternate domain user must have access to the private key of the computer certificate. See section 2.6 A SSL certificate, step 10 for more information. • The alternate domain user must be enabled to “Log on as service” through the Local Security Policy tool. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 24 of 52 The following steps explain how to make sure your account has Log on as service privileges: 1. Run the Local Security Policy admin tool on the Good Connect host. 2. Expand the Local Policies folder in the navigation pane on the left. 3. Select the User Rights Assignments folder to see a list of policies in the right pane. 4. Double click the Log on as a service policy to add your account. 4.2 APNS web proxy support If the host machine for the Good Connect server must work with a web proxy server to access the Internet and you did not install the Good Connect server with web proxy enabled, then follow the instructions to manually configure the web proxy. You must (1) set the following configuration parameters, (2) store the user credentials for "GoodConnectWebProxy" in the Windows Credential Manager, and (3) ensure that the Good Connect Server is Running As a user account that has local administrator privileges. Note: Make sure the account you are using to follow the instructions below has local administrator privileges as explained in section <> Good Connect Server Windows Service. 4.2.1 Setting the configuration parameters Edit the GoodConnectServer.exe.config file which is installed by default in C:\Program Files\Good Technology\Good Connect Server\. Note: You must restart the Good Connect Server after updating the parameters. • GD_APN_PROXY_TYPE • GD_APN_PROXY_HTTP_HOST • GD_APN_PROXY_HTTP_PORT See section 5 Administering the Good Connect Server for the complete list of parameters including descriptions. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 25 of 52 4.2.2 Storing the user credentials Please execute the following from the cmd prompt as a local administrator, replacing "username" and "password" with what is required: cmdkey /add:GoodConnectWebProxy /user:username /pass:password If you don’t want to store the password value and prefer to be prompted for it instead, omit the password_value so the command looks like this: cmdkey /add:GoodConnectWebProxy /user:username /pass: Make sure you are using a user account that has local administrator privileges. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 26 of 52 4.3 Configuring the Good Connect Server to use the Global Catalog If your organization plans to support Good Connect users from multiple domains within the same forest, follow these instructions in this section to enable users to be accessed from the Global Catalog. 1. Click the Attributes folder in the snap-in. 2. In the right pane, scroll down to the desired attribute, right-click it, and then click Properties. 3. Click to select the Replicate this attribute to the Global Catalog check box. 4. Click OK. Verify that the following attributes are published to the Global Catalog: • msrtcsip-primaryuseraddress • mail • telephoneNumber • displayname • title • mobile • givenName • sn • sAMAccountName Edit the GoodConnectServer.exe.config file which is installed by default in C:\Program Files\Good Technology\Good Connect Server\ as follows: <add key = ”AD_USERS_SOURCE” value = “GC”/> <addkey = “AD_USERS_SOURCE_DOMAIN” value=”<root GC domain; LDAP format>”/> Note: You must restart the Good Connect Server after updating the parameters. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 27 of 52 5. Repairing/Upgrading the Good Connect Server Repair and Upgrade options are available in the Good Connect 2.2 installer. These options are present when the install detects a previous installation of the Good Connect server. Note: Please make a backup copy of the config file prior to repair or upgrade. Custom configuration settings for EWS will not be copied over, you will need to copy them back into the configuration file after repair/upgrade. 5.1 Repairing the Good Connect Server The Good Connect 2.1 installer allows restoration of the Good Connect server installation. This process reverts the Good Connect Server executables, binary, and configuration parameters to the values of the last successful installation. Any manual changes are discarded during the reparation process. 5.2 Upgrading the Good Connect server The Good Connect 2.2 installer does not preserve changes made to the log4net.config file before performing an upgrade. The following steps explain how to backup and restore the log4net.config file to preserver custom changes. 1. Stop the Good Connect Server service 2. Execute 2_Cardiff_Schema.sql in the SQL or Oracle folder on your database 3. Run the Good Connect Server installer Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 28 of 52 6. The Good Connect Server configuration file After installation, you can update Good Connect configuration file at <install path>\Good Technology\Good Connect Server\GoodConnectServer.exe.config Note: You must restart the Good Connect Server after updating the parameters. Parameter Name Required Description Default UCMA_APPLICATION_NAME Yes Name of application as defined through the installation provisioning process. Generated during application provisioning UCMA_GRUU Yes GRUU - Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application. Generated during application provisioning UCMA_APPLICATION_PORT Yes The fixed port used by the Good Connect Server to receive messages from the enterprise IM server. 49555 OCS_SERVER Yes FQDN (Full Qualified Domain Name) of the Microsoft Lync Front-End server or Front-End server pool. GD_HOST Yes Good Dynamics Proxy host. GD_PORT Yes Good Dynamics Proxy port. BASE_ADDRESS Yes URL for the Good Connect Server which takes the form of http://goodconnect.mycompany.com:8080/ BUILD_VERSION Yes The version number of the Good Connect Server build. Auto-populated SESSION_TIMEOUT_SECS Yes The number of seconds a client is allowed to remain idle 86,400 (24 hours) ACTIVE_DIRECTORY_CACHE_ REFRESH_SECS Yes The number of seconds the Good Connect Server waits before synchronizing with the Active Directory. Any value smaller than 7200 is ignored in favor of 7200 seconds. 86,400 (24 hours) GD_USE_SSL Yes Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecure port (17080). False APN_SOUND Yes Play sound when an Apple device receives a push notification. APN_BADGE Yes Determines whether or not to use the badge graphic for Apple push notifications. True APN_ALERT Yes Apple push notification message string that notifies a user that there are unread messages. “You have number unread messages.” APN_SLEEP_TIME Yes The number of milliseconds the Good Connect Server waits in between queued Apple push notifications. 100 Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 17080 Page 29 of 52 ACTIVE_DIRECTORY_SEARCH_ RESULT_MAX Yes The upper limit on the number of hits from a search of the Global Address List (GAL). Maximum value is 500. 150 GD_APN_PROXY_TYPE No Web Proxy Authentication Mechanisms. Acceptable values are: • “” (empty string for no proxy) • “Basic No Auth” • “Basic” • “Digest” “” GD_APN_HTTP_URL Yes WebService URL for Good Dynamics Apple Push Notification Service (APNS) GD_APN_PROXY_AUTH_DOMAIN No Web Proxy Domain Deprecated. GD_APN_PROXY_AUTH_USERNAME No Web Proxy Username Deprecated. GD_APN_PROXY_AUTH_PASSWORD No Web Proxy Password Deprecated. GD_APN_PROXY_HTTP_HOST No Web Proxy Host GD_APN_PROXY_HTTP_PORT No Web Proxy Port GD_APNS_BLACKLIST_RETRY_NO Yes Specifies # of retries after the server receives APNS response where the token has been blacklisted. 3 DB_TYPE Yes SQLSERVER or ORACLE depending on what database is used. Deprecated. DB_AUTHTYPE Yes USE_INTEGRATEDAUTH when the specifying windows integrated authentication, otherwise SQL Server authentication will be used. Deprecated. DB_HOST No Only valid if DB_TYPE=ORACLE Deprecated. DB_PORT No Only valid if DB_TYPE=ORACLE Deprecated. DB_SERVICE No Only valid if DB_TYPE=ORACLE, Oracle database instance name. Deprecated. GASLAMP_USERNAME Yes Window Service account. DB_INIT_CATALOG No SQL Server database name, Only valid if DB_TYPE=SQLSERVER LYNC_DB_CONNECTIONSTRING No SQL Server connection string for the Lync/OCS database. DB_SESSION_TIMEOUT_SECS Yes Time limit for search Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING. EWS_HOST No FQDN of the Exchange server to which the Good Connect Server will write conversation history EWS_HISTORY_INTERVAL_MINUTES No Defines the number of interval in minutes Good Connect server will wait before writing to Conversation history. 0 means that conversation history is written only after conversation has been terminated. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Deprecated. 300 5 Page 30 of 52 EWS_VERSION No Version of Exchange server. 0 for Exchange 2007 SP1 1 for Exchange 2010 2 for Exchange 2010 SP1 3 for Exchange 2010 SP2 4 for Exchange 2013 2 DB_RECONNECT_WAITTIME_SEC Yes # of seconds to wait before reconnecting attempt to database. 300 DB_RECONNECT_TRY_NUM Yes # of times Connect server to retry reconnecting to database after a failure to connect to database 3 AD_USERS_SOURCE No Parameter indicates if Good Connect server should read AD or GC for SIPenabled users. Value can be “GC” or “LDAP”. Default is LDAP if empty. AD_USERS_SOURCE_DOMAIN Yes, if users source is GC Domain for the for AD or GC to query. This value should be in LDAP format Ie DC=GOOD,DC=COM EWS_HOST No FQDN of the Exchange server to which the Good Connect Server will write conversation history EWS_HISTORY_INTERVAL_MINUTES No Defines the number of interval in minutes Good Connect server will wait before writing to Conversation history. 0 means that conversation history is written only after conversation has been terminated. 5 EWS_VERSION No Version of Exchange server. 0 for Exchange 2007 SP1 1 for Exchange 2010 2 for Exchange 2010 SP1 3 for Exchange 2010 SP2 4 for Exchange 2013 2 DB_RECONNECT_WAITTIME_SEC Yes # of seconds to wait before reconnecting attempt to database. 300 DB_RECONNECT_TRY_NUM Yes # of times Connect server to retry reconnecting to database after a failure to connect to database 3 AD_USERS_SOURCE No Parameter indicates if Good Connect server should read AD or GC for SIPenabled users. Value can be “GC” or “LDAP”. Default is LDAP if empty. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 31 of 52 7. Configuring Good Control This section details the steps for configuring the Good Control server with the Good Connect Server information. 7.1 Entering the Good Connect Server Pool information and IM platform type In the Good Control Server Info section of Good Connect enter the Hostname, Port for each Good Connect server, and Configuration information. This configuration information gets delivered to Good Connect clients and dictates the available servers a client may connect to. All servers listed in the Configuration information should also be listed in the table above the Configuration box. For each Good Connect server: • Hostname: <the fully qualified domain name of the Good Connect Server host> • Port: <the Good Connect Server port> After the listing all the Good Connect servers • Configuration: PLATFORM=LYNC SERVERS= <a comma separated list of available Good Connect Servers using the format host_fully_qualified_domain_name:port.> Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 32 of 52 7.2 Listing the approved Good Connect Server hostnames and ports In Good Control’s Client Connections option under Settings define the allowed domains and servers that the Good Connect client application can connect to within the corporate network. We recommend you whitelist each individual Good Connect Server as shown in the example below. 7.3 Controlling browser and map behavior Good Connect supports the option to control when the local device browser application can be used by tapping on a webpage URL and if the map application can be used when tapping on an address. The following steps explain how to disable this access by using Good Control’s Policy Sets option: 1. Select the policy set where you wish to disable access. 2. Select the Application Policies tab. 3. Expand the Good Connect application. 4. Click on the App Settings tab. 5. Uncheck or disable either or both options to disable the respective access. 6. Click Update. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 33 of 52 7.4 Enabling a disclaimer Good Connect supports the option to display a Corporate Policy disclaimer at the top over every new conversation within the Good Connect client. The following steps explain how to enable this disclaimer by using Good Control’s Policy Sets option: 1. Select the policy set where you wish to add the disclaimer. 2. Select the Application Policies tab. 3. Expand the Good Connect application. 4. Click on the Disclaimer tab. 5. Check or enable the Display Disclaimer option. 6. Type or paste in your disclaimer text into the textbox. 7. Click Update. The Good Connect client will now display this disclaimer at the top of each new conversation window. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 34 of 52 7.5 Disabling Conversation History Good Connect supports the option to disable storing conversation history on the Connect client and limit the length of a conversation to 40 messages. The following steps explain how to disable conversation history by using Good Control’s Policy Sets option: 1. Select the policy set where you wish to disable conversation history. 2. Select the Application Policies tab. 3. Expand the Good Connect application. 4. Click on the Conversation History tab. 5. Uncheck or disable the “Save more than 40 messages in a conversation history on the device” option. 6. Click Update. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 35 of 52 8. Configuring Good Connect user affinity It is possible for a Good Connect administrator to pin a user to a cluster of Good Connect servers instead of letting the system randomly assign that user to a server from a master list. 8.1 ABC company example ABC company has two Lync pools, a West Coast pool which hosts users in the west coast offices and an East Coast pool which hosts users in the east coast offices. ABC company sets up a Good Connect server for each pool, but only sets up one Good Control and Good Proxy cluster as shown below: When Aaron Beard launches the Good Connect client, Good Control sends the list of servers to his client. In this case, the list of servers includes both the West Coast server and the East Coast server. The client randomly chooses a Good Connect server. Aaron has a chance of getting connected to the East Coast server instead of the West Coast server. Enabling user affinity allows Aaron to always connect to West Coast server. 8.2 Enabling User Affinity The following steps explain how to create a user affinity for a given Good Control server. 1. Click Good Control’s Policy Sets option. 2. Select the policy set in which you want to define the user affinity. 3. Select the Application Policies tab. 4. Expand the Good Connect application. 5. Check the Server Configuration option. 6. Type or paste your connect server host name in the textbox. 7. Select the platform (Lync or Sametime). Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 36 of 52 8. Click Update. 9. Select the User Accounts option and select Manage Users. 10. Select the user for whom you wish to set this policy. 11. Set the West Coast Connect Users policy set for the user. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 37 of 52 9. Configuring MS Exchange Conversation History Good Connect optionally supports saving instant messaging chats to MS Exchange’s Conversation History. As a prerequisite to enabling this functionality, the following configuration changes must be implemented: • Auto-discovery must be enabled on the MS Exchange server. • Lync/Exchange integration must be enabled. • MS Exchange SSL certificates must be installed on the Good Connect server in order to establish secure communication. Note: If the SSL certificate on the Good Connect server is incorrectly installed, the history logging to Exchange fails. • On the Good Connect Window Service account, setup the ApplicationImpersonation management role for the security principle. This is accomplished on the Exchange server in the Exchange Management Console using the New-ManagementRoleAssignment cmdlet. Note: The following command enables application impersonation for all users to the Good Connect service account; however every user may not be Lync enabled. Permissions can be granted only to a scope of mailboxes, if this is required. See the Microsoft documentation for more details on Configuring Exchange Impersonation. New-ManagementRoleAssignment –Name ”ApplicationImpersonation - Good Connect” -Role “ApplicationImpersonation” –User connectserviceaccount@example.com • Good Connect configuration parameters must be added to the configuration file. o <add key="EWS_HOST" value="cas2010.example.com"/> EWS_HOST is the server, which host Exchange Web services (normally the Client Access Server). If this setting is null or missing, conversation history is disabled. If it is invalid, errors will occur and conversation history will not be saved. At least one message will be written to the windows event log. o <add key="EWS_HISTORY_INTERVAL_MINUTES" value="1"/> Default value is 5. Describes how often history should be saved. A value of 0 means that history will be saved only when the conversation is terminated (chat window is closed). o <add key="EWS_VERSION" value="2"/> EWS_VERSION – Default value is 2. It is a characteristic of the EWS interface that this setting must be no higher than the version in use, otherwise communications will fail. We require Exchange 2010 SP1, so the recommended setting is 2. 0 for Exchange 2007 SP1 1 for Exchange 2010 2 for Exchange 2010 SP1 3 for Exchange 2010 SP2 4 for Exchange 2013 Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 38 of 52 When the MS Exchange server requires credential authentication from a remote server (in this case, the Good Connect server) follow the these instructions: 1. Logon to the Good Connect server using the Good Connect Window Service account. 2. Open the Windows Vault and select "Manage your network credentials". 3. Create a new credential set under the application name "GoodConnectEWS". If no credential set provided, the same credentials used by the service ("default credentials") will be used to authenticate with Exchange. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 39 of 52 10. Enabling SSL support for Connect Client and Connect Server via Good Proxy The Good Connect server can be configured to run securely using SSL (https). By default, this is not enabled. This section describes the requirements to set up the Good Connect server for SSL connections from Good Connect clients. The yellow highlight in the following figure show the path to the Good Connect server from the Good Connect client. The Good Connect server requires a signed server SSL certificate from a third-party Certificate Authority (CA). Presently, the Good Dynamics (GD) SDK only supports the use of third-party certificates for GD applications. Good Connect is based on the GD SDK framework and is subject to this requirement. If you are using an enterprise CA, or are familiar with how to create a no-template legacy key Certificate Signing Request (CSR), please review this section for the required properties and recommended optional settings for creating the CSR. The processes covered in this section provides detailed steps to accomplish the following high-level tasks: 1. 2. 3. 4. Creating the CSR. Binding the SSL certificate. Configuring the Good Connect server to use the new certificate. Configuring the Good Connect client to start sending requests over SSL. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 40 of 52 10.1 Creating the CSR Start by creating the CSR through the Microsoft management console (MMC) Certificates snap-in for the local computer hosting the Good Connect server. The following steps explain what is required to create the CSR. 1. Launch the Microsoft Management Console. 2. Select File > Add/Remove Snap-in > Select Certificate. 3. Select Computer Account, Next, Local Computer, Finish 4. Select Certificates > Personal > Certificates. Note that the final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal. 5. Select More Actions. 6. From More Actions, click on the following: All Tasks > Advanced Operations > Create Custom Request. 7. Select the Legacy key template, using the PKCS #10 request format. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 41 of 52 8. If you are prompted to use your Active Directory Enrollment Policy, click on Proceed without enrollment policy. 9. On the Certificate Information screen, click on the request’s Details and then click on Properties. 10. On the General tab, enter a value for the Friendly name, such as the hostname. 11. On the Subject tab, select the type Common name and enter the fully qualified domain name of your Good Connect server. In this example, the server1 is a member of the servers domain, which is a subdomain of domain.tld. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 42 of 52 12. Select and enter the remaining subject types and values as illustrated here. 13. On the Extensions tab, expand the Key usage section and add Data encipherment. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 43 of 52 14. On the same tab, expand the next section titled Extended Key Usage (application policies) and add Server Authentication. 15. On the Private Key tab, expand the section titled Key type and select Exchange. 16. On the same tab, expand the section titled Key options. a. Change the Key size to 2048. b. Enable Make private key exportable. c. Enable Allow private key to be archived. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 44 of 52 17. Click on the OK button to proceed with generating the CSR, then click on Next and continue through to the end where you specify the .req (text file) to be created. 18. Edit the CSR request, copy the text and paste it in the Validate a CSR VeriSign validator to confirm there are no errors: https://ssl-tools.verisign.com/checker/ 10.2 Send the new CSR to a well-known third-party CA to issue your certificate You need to send the new CSR to a well-known third-party CA and purchase a certificate for your server. The third-party CA may also send you a file that contains the full certificate chain, including possible intermediate certificates. Please install all relevant certificate files that you receive on the server that generated the CSR. 10.3 Binding the SSL certificate You must import the third-party CA signed certificate and any other required intermediate certificates prior to following the instructions in this section,. This section details the steps needed to bind the third-party CA signed SSL certificate to the SSL port you wish to use on your Good Connect server. This port binding exercise must be completed prior to executing the steps in the following sections. Step 1: Copy the certificates thumbprint 1. Double-click on the certificate in the Certificate snap-in then click on Details to switch to that tab. 2. Change the Show value to Properties Only to filter out other details. 3. Click on Thumbprint to display the thumbprint value. 4. Copy the thumbprint value from the lower text box in this dialog window. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 45 of 52 5. Paste the thumbprint into a text editor. 6. Use search and replace to find all spaces and delete them, so “ 08 82 41 2f…” becomes “0882412f…” 7. Copy this modified version of the thumbprint value into the clipboard for the next step. Step 2: Open the cmd prompt as an administrator and type the following as one line. 1. Replace “<thumbprint>” with the thumbprint copied from step 1. 2. Replace “<port>” with the port number you wish to use, such as 8082. 3. Copy and paste the remainder of the parameters listed here: netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71} Step 3: Confirm the certificate binding by executing the following command. netsh http show sslcert Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 46 of 52 10.4 Configuring the Good Connect server to use the new certificate The steps detailed in this section require you to make configuration changes to the Good Connect server. Please make a backup copy of your Good Connect server configuration file before making any changes. For documentation purposes, we will assume that you have installed the Good Connect server in the default location. Please alter the drive:\path\ information to match your actual implementation. 1. Navigate to the C:\Program Files\Good Technology\Good Connect Server\ directory. 2. Edit the GoodConnectServer.exe.config file to administer the following changes. The sections included below contain portions of the configuration file, showing the relative scope where the highlighted text should be inserted. All other sections in the configuration document not listed below do not change. <service behaviorConfiguration="WCFGaslampServiceLibrary.Service1Behavior" name="WCFGaslampServiceLibrary.Gaslamp"> <endpoint address="GaslampService" behaviorConfiguration="jsonBehavior" binding="customBinding" bindingConfiguration="JsonSSLMapper" contract="Gaslamp.Interfaces.IGaslamp"/> <host> <baseAddresses> <!-- Replace “<port>” with the port number you used in section 1 (e.g., 8082). --> <add baseAddress="https://yourserver.domain1.domain2.tld:<port>/"/> </baseAddresses> </host> </service> <customBinding> <binding name=" JsonSSLMapper"> <webMessageEncoding webContentTypeMapperType="GaslampWindowsService.GaslampContentTypeMapper, GoodConnectServer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> <sslStreamSecurity requireClientCertificate="false"/> <httpTransport manualAddressing="true" authenticationScheme="Anonymous" requireClientCertificate="false"/> </binding> </customBinding> <serviceBehaviors> <behavior name="WCFGaslampServiceLibrary.Service1Behavior"> <serviceMetadata httpsGetEnabled="true"/> <serviceDebug includeExceptionDetailInFaults="true"/> </behavior> </serviceBehaviors> 3. Restart the Good Connect server service for these changes to take effect. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 47 of 52 10.5 Configuring the Good Connect client to start sending requests over SSL This section describes what you need to change to enable client SSL connections. The changes required here are administered entirely within the Good Control application configuration.: 1. If previously installed without SSL, you will need to change the servers you have listed on the Manage Application page, in the Servers tab (illustrated below) or if you are using User Affinity in the Application Policies tab of the Policy Set (also illustrated below) you have defined. a. You will need to add each server’s fully qualified domain name with the new SSL port. b. If you had previously installed Good Connect server with non-SSL ports, you will need to remove those entries from this table. 2. The format and port information for the servers you have listed after SERVERS= will need to have https:// added, in addition to using the new SSL port. For example, if you have a cluster of two servers, both using port 8082 for SSL, you would update SERVERS as follows: SERVERS=https://server1.domain.tld:8082,https://server2.domain.tld:8082 Changing servers in the Manage Application page, in the Servers tab. Changing servers in Application Policy in the Policy Sets, for User Affinity implementation. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 48 of 52 Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 49 of 52 A. Troubleshooting with Log Exceptions The best place to diagnose issues is the log file in the Good Connect Server folder: C:\Program Files\Good Technology\Good Connect Server\Application-log.txt Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionF ailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known. The hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server. Correct OCS_SERVER value in the configuration file. DeregisterReason=None ResponseCode=480 ResponseText=Temporarily Unavailable Microsoft.Rtc.Signaling.RegisterExc eption: The endpoint was unable to register. See the ErrorCode for specific reason. The port number specified in OCS_PORT_TLS is not valid. Correct OCS_PORT_TLS value in the configuration file. ErrorCode=-2146233088 OCS_TRANSPORT was specified as TLS, however the port number provided was TCP. Change the OCS_PORT_TLS to 5061. Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionF ailureException: Failed to listen on any address and port supplied. UCMA_APPLICATION_PORT number specified in the configuration file is either blocked by a firewall or used by another application. Unblock port if it is a firewall issue or choose another port number. Failed to start GoodConnectServer: WCFGaslampServiceLibrary.OCSCertifi cateNotFoundException: Certificate not found. The certificate's subjectName must contain the local host's FQDN and the private key for the cert must be enabled for the user which executes the Good Connect Server. Enable private keys for this cert for the user running the Good Connect Server. FailureReason=RemoteDisconnected LocalEndpoint=10.120.165.137:5060 RemoteEndpoint=10.120.167.109:55118 RemoteCertificate=<null> Microsoft.Rtc.Signaling.TlsFailureE xception: Unknown error (0x80131500) --> Microsoft.Rtc.Internal.Sip.RemoteDi sconnectedException: Remote disconnected while outgoing tls negotiation was in progress --> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 50 of 52 B. Troubleshooting with SSL certificate exceptions If the SSL certificate requirements defined in Section 2.6 have been meet and you are still getting the following error: Description: The process was terminated due to an unhandled exception. Exception Info: Microsoft.Rtc.Internal.Sip.TLSException Then, it is possible that the SSL certificate has not been created with the correct CSP and key spec. Follow the steps below to check CSP and key spec on the SSL certificate. 1. Open cmd/powershell on Good Connect server. 2. Execute command: certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt 3. Open c:\temp\ss.txt with your favorite editor and search for “CERT_KEY_PROV_INFO_PROP_ID”. You should see: CERT_KEY_PROV_INFO_PROP_ID(2): Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0cd24435fe903 Provider = Microsoft RSA SChannel Cryptographic Provider ProviderType = c Flags = 20 KeySpec = 1 -- AT_KEYEXCHANGE Provider, provider type and keyspec must be exactly the values listed above. If not, you will need to reissue a new SSL certificate with appropriate provider and key spec values. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 51 of 52 Legal Notice This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws. While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements. The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories. Legal Information © Copyright 2014. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents. Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010 Page 52 of 52