Good Connect Server Installation and

Transcription

Good Connect Server Installation and
Good Connect 2.2
Server Installation and Administration Guide
Microsoft Lync 2010
Issue Date:
14-Oct-13
Last Updated: 23-Oct-14
Table of Contents
1.
2.
Overview......................................................................................................................................... 4
Requirements ................................................................................................................................. 5
2.1 System and network requirements .......................................................................................... 5
2.2 Good Dynamics requirements ................................................................................................. 6
2.3 Microsoft Windows PowerShell 2.0 RTM................................................................................. 6
2.4 Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs.................................. 6
2.5 Microsoft Unified Communications Managed API 3.0 Runtime (64-bit) .................................. 6
2.6 A SSL certificate ...................................................................................................................... 6
2.7 The Good Connect Database ................................................................................................ 10
3.
2.7.1
Setting up Oracle XE database ................................................................................ 11
2.7.2
Setting up Microsoft SQL Server 2008 R2 ............................................................... 11
Preparing the Lync topology for Good Connect ........................................................................... 13
3.1 Preparing for the first installation of the Good Connect server .............................................. 13
3.2 Preparing for subsequent Good Connect servers ................................................................. 14
4.
Installing the Good Connect Server ............................................................................................. 15
4.1 Good Connect Server Windows Service ............................................................................... 24
4.2 APNS web proxy support ....................................................................................................... 25
4.2.1
Setting the configuration parameters ........................................................................ 25
4.2.2
Storing the user credentials ...................................................................................... 26
4.3 Configuring the Good Connect Server to use the Global Catalog......................................... 27
5.
Repairing/Upgrading the Good Connect Server .......................................................................... 28
5.1 Repairing the Good Connect Server...................................................................................... 28
5.2 Upgrading the Good Connect server ..................................................................................... 28
6.
7.
The Good Connect Server configuration file ................................................................................ 29
Configuring Good Control............................................................................................................. 32
7.1 Entering the Good Connect Server Pool information and IM platform type .......................... 32
7.2 Listing the approved Good Connect Server hostnames and ports ........................................ 33
7.3 Controlling browser and map behavior .................................................................................. 33
7.4 Enabling a disclaimer ............................................................................................................. 34
7.5 Disabling Conversation History.............................................................................................. 35
8.
Configuring Good Connect user affinity ....................................................................................... 36
8.1 ABC company example ......................................................................................................... 36
8.2 Enabling User Affinity ............................................................................................................ 36
9.
10.
Configuring MS Exchange Conversation History ......................................................................... 38
Enabling SSL support for Connect Client and Connect Server via Good Proxy.......................... 40
10.1
Creating the CSR ......................................................................................................... 41
10.2
Send the new CSR to a well-known third-party CA to issue your certificate ............... 45
10.3
Binding the SSL certificate ........................................................................................... 45
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 2 of 52
10.4
Configuring the Good Connect server to use the new certificate ................................ 47
10.5
Configuring the Good Connect client to start sending requests over SSL .................. 48
A.
Troubleshooting with Log Exceptions .......................................................................................... 50
B.
Troubleshooting with SSL certificate exceptions ......................................................................... 51
Legal Notice ........................................................................................................................................... 52
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 3 of 52
1. Overview
This manual provides step-by-step instructions for installing version 2.2 of the Good Connect Server in
your Microsoft Lync 2010 environment. Be sure to carefully read and confirm that you meet all the listed
requirements before you start the installation.
There is also a detailed administration portion for your reference after you finish installing the server.
The following diagram shows how the Good Connect Server works with both the enterprise IM
infrastructure and the Good Dynamics (GD) servers behind the enterprise firewall. The Good Connect
server then communicates with the Good Dynamics Network Operation Center (NOC) to securely reach
the mobile device.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 4 of 52
2. Requirements
This section lists the requirements for the Good Connect Server software.
If you installed an Early Access version of Good Connect, you must uninstall the Early Access version
before you can install this General Availability version.
Important Upgrade Note
If you are upgrading from a previous version of Good Connect Server, you must use the same Windows
Service Account used to install your current version of Good Connect Server.
Caution: If you don’t install the required software, or fail to configure them correctly before starting the
installation of the Good Connect Server, the Good Connect Server may fail or may behave in
an unexpected manner.
2.1
System and network requirements
You must meet the following requirements before installing the Good Connect server.
•
Microsoft Windows Server 2008 SP2 (64-bit) or Microsoft Windows Server 2008 R2 (64-bit)
•
4GB of RAM
•
20GB disk space
•
4 core processor
•
The installing user must have local administrative privileges on the host computer.
•
The Good Connect Server must be in the same domain as Microsoft Lync Server 2010 server.
•
The Good Connect Server must be able to communicate with the Microsoft Active Directory.
•
The local Windows Firewall must be disabled.
Note: A Group Firewall Policy causes the installer to fail prerequisite checks, even if the local
firewall is disabled.
•
Disable local anti-virus software during installation
•
The following inbound ports must not be blocked by any firewall:
•
•
o
8080 from the Good Proxy server or 8082 if SSL is required for inbound Good Proxy
communications (see section 7.2).
o
49555 from the Lync server
The following outbound ports must not be blocked by any firewall:
o
80 to the Good Technology NOC/Apple Push Notification Service
o
443 to the Good Technology NOC/Apple Push Notification Service
o
5061 to the Lync server
o
17080 to the Good Proxy server
o
17433 to the Good Proxy server
Good Connect also requires TCP/IP port access to the database used.
o
1433 to the Microsoft SQL server default.
o
1521 to the Oracle XE server default
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 5 of 52
2.2
Good Dynamics requirements
•
At least version 1.4.31.5 of the Good Control server
•
At least version 1.4.31.3 of the Good Proxy server
You can download the Good Dynamics servers here: https://begood.good.com/docs/DOC-1053
2.3
Microsoft Windows PowerShell 2.0 RTM
•
Windows Server 2008 SP 2
This operating system version comes with PowerShell 1.0. Install PowerShell 2.0 by applying
KB968930.
•
Windows Server 2008 R2
This operating system version comes with PowerShell 2.0. Enable the Windows PowerShell 2.0
feature using Server Manager.
2.4
Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs
•
Windows Server 2008 SP 2
Download Microsoft .NET Framework 3.5 here:
http://www.microsoft.com/en-us/download/details.aspx?id=21
•
Windows Server 2008 R2
Enable Microsoft .NET Framework 3.5 feature using Server Manager.
2.5
Microsoft Unified Communications Managed API 3.0 Runtime (64-bit)
http://www.microsoft.com/en-us/download/details.aspx?id=20958
UcmaRuntimeSetup.exe also installs an additional installer named OCSCore.msi that is also
required by Good Connect Server. Find OCSCore.msi by navigating to following directory, launch
and use the default settings in the wizard. (Note: By default, the ProgramData folder is hidden in
Windows Explorer. You can change this in folder settings)
C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\Setup\OCSCore.msi
2.6
A SSL certificate
The Good Connect Server must form a mutual trust relationship for MTLS communications with the
Lync server. Mutual trust requires a SSL certificate that meets the following criteria:
•
The private certificate issued by a trusted CA must be stored in the Good Connect computer's
Console Root\Certificates local_host_name\Personal\Certificates folder.
•
Both the computer’s private certificate and the Lync server’s internal computer certificate
must be trusted by root certificates in the Good Connect computer’s
Console Root\Certificates local_host_name\
Trusted Root Certification Authorities \Certificates folder.
•
Any intermediate certificates for both the Good Connect Server’s private certificate and the
Lync server’s internal computer certificate must be located in the Good Connect computer's
Console Root\Certificates local_host_name\
Trusted Root Certification Authorities \Certificates folder.
•
The account used to run the Good Connect server application must have read access to the
certificate store and the private key.
•
The Subject Name (SN) of the certificate must contain the Common Name (CN) for the Good
Connect server's fully-qualified domain name such as “CN=server.subdomain.domain.tld”.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 6 of 52
•
The certificate must be signed by by a CA that is mutually-trusted by both the Lync server
and the Good Connect server.
See the following documentation for further information regarding SSL Certificate requirements:
http://msdn.microsoft.com/en-us/library/lync/hh347354.aspx
The following steps explain how to create a certificate for your Good Connect Server through your
Enterprise Certificate Authority.
1. Launch the Microsoft Management Console (MMC).
2. Select File -> Add/Remove Snap-in -> Select Certificate.
3. Select Computer Account, Next, Local Computer, Finish
4. Select Certificates -> Personal -> Certificates. Note that the final Certificates option is only
available if there is at least one certificate in the MMC. If not, just select Personal.
5. Select Actions -> All Tasks -> Request New Certificate.
6. Click Next when the Certificate Enrollment wizard displays the Before You Begin screen.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 7 of 52
7. Select Active Directory Enrollment Policy in the next screen and click Next.
8. Select Computer as the type of certificate and click Enroll.
9. Click Finish when the enrollment process succeeds. The MMC now lists the new certificate. If
you don’t see the new certificate, expand the tree view in the left-hand pane by clicking Console
Root -> Certificates (Local Computer) -> Personal -> Certificates.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 8 of 52
10. Verify that your new certificate lists the fully qualified domain name of your Good Connect Server
in the Subject attribute of your newly issued certificate as shown below. This is the default
behavior of the Certificate Authority. However, if your CA uses custom certificate templates, an
administrator may need to explicitly add that field for inclusion.
11. Right click on the newly created certificate and select More Actions -> All Tasks -> Manage
Private Keys.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 9 of 52
12. Click Add in the Security tab of the Permissions dialog box to see the Select Users, Computers,
Service Accounts or Groups dialog box.
13. Enter the Good Connect service account and click OK to grant permission to this certificate’s
private key.
14. Click OK in the Permissions dialog box.
2.7
The Good Connect Database
Good Connect server requires a relational database, either existing in your environment or installed per
this document. The currently supported databases are Oracle and Microsoft SQL Server.
A database must be installed and prepared before you start the Good Connect Server installation.
SQL scripts must be executed before you start the Good Connect Server installation. These scripts can
be found in the zip file containing the Good Connect installer.
Microsoft and Oracle have visual and command line tools to assist you with database and schema
creation (Microsoft Management Studio, sqlcmd, Oracle SQL Developer, sql*plus etc).
Supported Oracle Versions
•
•
Oracle 10g (Standard/Enterprise)
Oracle 11g (Express/Standard/Enterprise)
Download Oracle 11g Express
http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html
Download Oracle ODAC (Client libraries, 64-bit ODAC 11.2 Release 5 for Windows x64)
You must install client libraries on the Good Connect Server
http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html
Supported Microsoft SQL Server Versions
•
•
SQL Server 2008 (Express/Standard/Enterprise)
SQL Server 2008 R2 (Express/Standard/Enterprise)
Download MS SQL Server 2008 R2 Express http://download.microsoft.com/download/5/5/8/558522E02150-47E2-8F52-FF4D9C3645DF/SQLEXPRWT_x64_ENU.exe
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 10 of 52
2.7.1 Setting up Oracle XE database
Prior to running the installer, you must create a schema named “GoodConnect” in your instance as well
as a user account with privileges for executing schema, stored procedures and creating table for said
schema.
1. Start the Run SQL Command Line Program:
Start Menu > All Programs > Oracle Database Express Edition > Run SQL Command Line
Enter connect system and provide the password as prompted.
2. Run the following commands:
create user GoodConnect identified by password;
grant connect, resource to GoodConnect;
alter user GoodConnect default role all;
grant create table to GoodConnect;
@<unzip directory>\Sql\Oracle\1_Balboa_Schema.sql;
@<unzip directory>\Sql\Oracle\1_Balboa_storedProcedures.sql;
@<unzip directory>\Sql\Oracle\2_Cardiff_Schema.sql;
grant execute on GOODCONNECT.USP_CREATENEWADTABLE to GoodConnect;
grant execute on GOODCONNECT.USP_SWITCHADTABLES to GoodConnect;
grant execute on GOODCONNECT.UTILS to GoodConnect;
2.7.2 Setting up Microsoft SQL Server 2008 R2
SQL Server Management Studio, which is bundled with the SQL Server 2008 R2 Express download, is
required for setting the Good Connect database. If your SQL Server installation does not include the SQL
Server Management Studio software, it is available as a separate download from the Microsoft website.
http://www.microsoft.com/en-us/download/details.aspx?id=7593
Follow the instructions to set up the Good Connect database in SQL Server:
1. Install the SQL Server database per the directions in the installation wizard. Specify Windows
Authentication mode or SQL Server and Windows Authentication mode under the Security
section of the Server Properties.
2. After installation, launch SQL Server Management Studio and log in. You will perform steps 3
and 4 through the SQL Server Management Studio console.
3. Set up the login that will be used to manage the Good Connect database. Expand the Security
item in the Object Explorer pane, then right-click Logins and select New Login
o
If you selected SQL Server and Windows Authentication mode in the Server
Properties and wish to have a SQL Server login to manage the Connect database, enter
GoodConnect as the Login name. Select SQL Server authentication and set a
password for this login. You will need to enter the password value correct when the
Good Connect installer asks for Connect database information. Click OK to add the
login.
o
If you want to use a Windows account to manage the database, select Windows
authentication. Enter the Windows account username in the domain\username format
as the Login name. This account should be the same as the service or administrator
account setup to run the Good Connect Server service. Click OK to add the login.
4. Right-click the Databases item in the Object Explorer pane, then select New Database. Enter
GoodConnect as the Database name and set the login you configured in the previous step as the
database Owner. Click OK to add the database.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 11 of 52
5. Launch the SQL Server Configuration Manager:
Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server
Configuration Manager
6. Select Protocols for SQLEXPRESS. Enable TCP/IP and add port 1433 for IPAll. 1433 is the
default port which the Good admin can change.
7. Restart the Microsoft SQL Server service.
8. Run Schema and Stored Procedure scripts.
You must execute the following scripts in the specified order to properly create the GoodConnect
database schema and stored procedures. These scripts can be found in the install directory
under the “SQL\SQLServer” folder.
sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 1_Balboa_Schema.sql
sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 1_Balboa_StoredProcedures.sql
sqlcmd –S <hostname>\SQLExpress –d GoodConnect –i 2_Cardiff_Schema.sql
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 12 of 52
3. Preparing the Lync topology for Good Connect
Good Connect is a Microsoft Lync trusted-UCMA application. In order to establish trust with Microsoft
Lync 2010, you must use the Lync Management Shell to do the following:
•
•
•
•
•
Create a trusted application pool.
Designate trusted applications for the use of the Good Connect computer.
Create a trusted-computer entry for every Good Connect server in the environment.
Publish these changes to the Lync Topology.
Create a Trusted Endpoint for the Good Connect administrator.
Note
You must be a member of the RTCUniversalServerAdmins and Domain Admins security
groups to provision and publish new applications in the Microsoft Lync topology. If you have a
designated Lync administrator within your organization, that person should perform the steps
listed below.
You must complete the application provisioning process as described here. After the application
provisioning process, the Lync administrator needs to delegate RTCUniversalReadOnlyAdmins
permission to you in order to access the provisioning information during the Good Connect installation
process.
3.1
Preparing for the first installation of the Good Connect server
The preparations described in this section are only required if you are installing the Good Connect server
for the first time. See the section 3.2 Preparing for subsequent Good Connect servers to see how the
preparations vary if you’ve already set up the Lync topology for the Good Connect server.
When you create a trusted application pool for the first installation of Good Connect, you also create the
trusted-computer entry. Subsequent installations of the Good Connect server do not require a new trusted
application pool or designated trusted applications because these are added to the existing trusted
application pool.
Launch the Lync Management Shell: Start Menu -> All Programs -> Microsoft Lync Server 2010 ->
Lync Management Shell and enter the commands listed in the screen excerpt below to do the following:
1. Create a Trusted Application Pool.
2. Designate a Trusted Application.
3. Publish the changes to the Lync Topology.
You must follow the naming conventions provided in bold. Replace myhost with your Good Connect
hostname and myconnectdomain.com with your Good Connect server’s computer domain.
PS> Get-CsSite
If your organization has more than one Site in its topology, look up the appropriate siteId number
and the corresponding registrar value. You need this information to create the Application Pool
below.
PS> New-CsTrustedApplicationPool -Force -Identity
"pool_goodconnect.myconnectdomain.com" -Registrar <registrar> -RequiresReplication
$false -Site <siteId number> -ComputerFqdn "myhost.myconnectdomain.com"
The value for <registrar> can be either a Director pool or a Lync pool. Director pools direct (or
redirect) user request to the appropriate Front End server. However should the director pool
become unavailable, then all pools would be inaccessible.
PS> New-CsTrustedApplication -Force -ApplicationId
"appid_goodconnect.myconnectdomain.com" -TrustedApplicationPoolFqdn
"pool_goodconnect.myconnectdomain.com" -Port 49555
PS> Enable-CsTopology
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 13 of 52
3.2
Preparing for subsequent Good Connect servers
Follow the instructions in this section only if you’ve already installed the Good Connect server at least
once before. If this is your first installation of the Good Connect server, follow the instructions in section
3.1 Preparing for the first installation of the Good Connect server.
Launch the Lync Management Shell: Start Menu -> All Programs -> Microsoft Lync Server 2010 ->
Lync Management Shell and enter the commands listed below to do the following:
•
Create a trusted computer for the Good Connect trusted application pool.
You must follow the naming conventions provided in bold. Replace myhost with your Good Connect
hostname and mycompany.com with your organization’s domain.
PS> New-CsTrustedApplicationComputer -Identity "myhost.myconnectdomain.com" -Pool
"pool_goodconnect. myconnectdomain.com"
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 14 of 52
4. Installing the Good Connect Server
This section details the various installation steps.
Note:
The Good Connect installer securely stores Web Proxy, Database, and Exchange service
password in the Windows Credential Manager as the installer user. If the installer user is not the
same as the Good Connect Windows Service account, you will need to manually add password
to the Windows Credential Manager.
1. Run the installer executable.
2. Introduction screen
This screen provides some basic information about the installer and the amount of space needed.
Review the information and only proceed by clicking Next.
3. License Agreement screen
Be sure to read the Good Server License and Services Agreement. If you agree with the terms,
click Next.
4. Prerequisites screen
The installer checks to make sure you meet the prerequisites that are detailed under the
Requirements section of this manual. Failure to meet all the pre-requisite requirements will cause
Good Connect to not run properly.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 15 of 52
5. Good Dynamics Host Information screen
The Good Connect Server requires the hostname and port of the Good Dynamics Proxy server. If
you choose HTTPS be aware that, at this time, Good Dynamics does not support internal CA
issued SSL certificates within the Good Dynamics Proxy server. The certificate must come from a
well-known 3rd Party certificate authority. See the Good Dynamics’ Good Control Server, Good
Proxy Server Installation Guide for detailed instructions on how to do so.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 16 of 52
6. Database Server Settings screen.
Good Connect requires a database to execute properly. Database configuration parameters can be
set on this screen.
6.1 Microsoft SQL Server 2008 R2
MS SQL server can be authenticated in two ways: integrated windows authentication or SQL
Server Authentication.
Integrated Windows Authentication
When a user connects through a Windows OS user account, SQL Server validates the account
name and password using the Windows principal token in the operating system. The user’s
credentials are confirmed by Windows OS and it is not necessary to provide username and
password. Windows Integrated Authentication uses Kerberos security protocol that provides
password policy enforcement, support for account lockout, and password expiration. A
connection made using Windows Authentication is sometimes called a trusted connection,
because SQL Server trusts the credentials provided by Windows.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 17 of 52
SQL Server Authentication
When using SQL Server Authentication, logins are created in Microsoft SQL Server directly which
are not based on Windows OS user accounts. Both the username and the password are stored
and managed in the SQL Server. Users connecting using SQL Server Authentication must
provide their credentials when they connect. If you choose SQL Server Authentication, you must
provide username and password.
The Good Connect Installer securely stores the username and password to the Window
Credential Manager. If you run the Good Connect windows service as a different user from the
one that installs the Good Connect, you will need to manually add the database username and
password to the Windows Credential Manager as described in the following steps:
1. Login into the Good Connect server as the run user (this is the domain user as defined in
Good Connect Server Host Information screen).
2. Launch cmd.exe as Adminstrator.
3.
Execute the cmd:
cmdkey /generic:GoodConnectDatabase /user:dbadmin /pass:password
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 18 of 52
6.2 Oracle XE
Note: In order to use an Oracle database, you must install the Oracle ODAC on the Good
Connect server. The Good Connect installer uses this to test connectivity to the Oracle
database server.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 19 of 52
7. Good Connect Server Host Information screen
Each Good Connect server’s host information also needs to be entered in the Good Control
console. The installer automatically enters the local hostname. If the installer cannot detect a
hostname, you can enter one, however the hostname must resolve properly within your network’s
DNS for it to operate correctly with Good Dynamics and Microsoft Lync.
Good Connect server supports HTTP and HTTPS connections from the Good Connect client.
7.1 HTTP Client Connections
The default port for incoming client connections to the Good Connect Server is 8080. By default,
the Good Connect installer will enable Connect server to respond to HTTP client requests.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 20 of 52
7.2 HTTPS Client Connections
The Good Connect server supports client SSL connections to the Good Connect server. The
Good Connect admin will need to follow the instructions prior to installation for enabling SSL for
the Connect client. The instructions can be found in the Enabling SSL Support Between Good
Dynamics Proxy and Good Connect Servers.
After the setting up SSL, follow the instructions during installations:
1. Select Use GD SSL Binding
2. Enter Port and Certificate Friendly Name
Each Good Connect server can host a maximum of 10000 concurrent sessions. A session
constitutes any device actively connected into Good Connect and using the service. If you
anticipate more than 10000 concurrent sessions, you should install a second Good Connect
Server
Each Good Connect server’s host information also needs to be entered in the Good Control
console. See Section 7 for instructions on setting up Good Control.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 21 of 52
8. Exchange Conversation History screen
The Exchange Conversation History screen information enables Good Connect to archive
conversations to Exchange via Exchange Web Services. Good Connect server supports three
different schema types for Exchange:
o
Exchange 2010
o
Exchange 2010 SP1
o
Exchange 2010 SP2
If you are using Exchange 2010 SP3, select Exchange 2010 SP2.
Prior to installation, Good Admin must follow steps in Section 9 to enable Exchange Conversation
history.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 22 of 52
9. Web Proxy screen
If your Enterprise uses a web proxy to restrict access to the Internet, then you must selected the
Web Proxy checkbox.
The Good Connect server supports the following web proxy types: None, NTLM, Digest, or Basic
Authentication. Select the authentication type used by your Enterprise’s web proxy and enter the
appropriate information.
The Good Connect Installer securely stores the username and password to the Window
Credential Manager. If you run the Good Connect windows service as a different user from the
one which installs the Good Connect, you will need to manually add the web proxy username and
password to the Windows Credential Manager as described in the following steps:
1. Login into the Good Connect server as the run user (this is the domain user as defined in
Good Connect Server Host Information screen).
2. Launch cmd.exe as Adminstrator.
3.
Execute the cmd:
cmdkey /add:GoodConnectWebProxy /user:foouser /pass:foopass
10. Good Connect Server Location screen.
Click Next unless you want to change the default installation directory location.
11. Pre-installation Summary screen
Review the summary information and make sure the values are correct before clicking the Install
button.
12. Installation screen
13. Finalize screen
The information gathered during this installation is available for review in the Good Connect
Server’s configuration file. See section 6 The Good Connect Server configuration file for details.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 23 of 52
4.1
Good Connect Server Windows Service
After installation, the Good Connect Server is listed in the Microsoft Windows Services interface.
Good Connect can run as another domain user given the following:
•
The alternate domain user must have access to the private key of the computer certificate. See
section 2.6 A SSL certificate, step 10 for more information.
•
The alternate domain user must be enabled to “Log on as service” through the Local Security
Policy tool.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 24 of 52
The following steps explain how to make sure your account has Log on as service privileges:
1. Run the Local Security Policy admin tool on the Good Connect host.
2. Expand the Local Policies folder in the navigation pane on the left.
3. Select the User Rights Assignments folder to see a list of policies in the right pane.
4. Double click the Log on as a service policy to add your account.
4.2
APNS web proxy support
If the host machine for the Good Connect server must work with a web proxy server to access the Internet
and you did not install the Good Connect server with web proxy enabled, then follow the instructions to
manually configure the web proxy.
You must (1) set the following configuration parameters, (2) store the user credentials for
"GoodConnectWebProxy" in the Windows Credential Manager, and (3) ensure that the Good Connect
Server is Running As a user account that has local administrator privileges.
Note:
Make sure the account you are using to follow the instructions below has local administrator
privileges as explained in section <> Good Connect Server Windows Service.
4.2.1 Setting the configuration parameters
Edit the GoodConnectServer.exe.config file which is installed by default in C:\Program Files\Good
Technology\Good Connect Server\.
Note:
You must restart the Good Connect Server after updating the parameters.
•
GD_APN_PROXY_TYPE
•
GD_APN_PROXY_HTTP_HOST
•
GD_APN_PROXY_HTTP_PORT
See section 5 Administering the Good Connect Server for the complete list of parameters including
descriptions.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 25 of 52
4.2.2 Storing the user credentials
Please execute the following from the cmd prompt as a local administrator, replacing "username" and
"password" with what is required:
cmdkey /add:GoodConnectWebProxy /user:username /pass:password
If you don’t want to store the password value and prefer to be prompted for it instead, omit the
password_value so the command looks like this:
cmdkey /add:GoodConnectWebProxy /user:username /pass:
Make sure you are using a user account that has local administrator privileges.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 26 of 52
4.3
Configuring the Good Connect Server to use the Global Catalog
If your organization plans to support Good Connect users from multiple domains within the same forest,
follow these instructions in this section to enable users to be accessed from the Global Catalog.
1. Click the Attributes folder in the snap-in.
2. In the right pane, scroll down to the desired attribute, right-click it, and then click Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.
Verify that the following attributes are published to the Global Catalog:
•
msrtcsip-primaryuseraddress
•
mail
•
telephoneNumber
•
displayname
•
title
•
mobile
•
givenName
•
sn
•
sAMAccountName
Edit the GoodConnectServer.exe.config file which is installed by default in C:\Program Files\Good
Technology\Good Connect Server\ as follows:
<add key = ”AD_USERS_SOURCE” value = “GC”/>
<addkey = “AD_USERS_SOURCE_DOMAIN” value=”<root GC domain; LDAP format>”/>
Note:
You must restart the Good Connect Server after updating the parameters.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 27 of 52
5. Repairing/Upgrading the Good Connect Server
Repair and Upgrade options are available in the Good Connect 2.2 installer. These options are present
when the install detects a previous installation of the Good Connect server.
Note: Please make a backup copy of the config file prior to repair or upgrade. Custom configuration
settings for EWS will not be copied over, you will need to copy them back into the configuration file
after repair/upgrade.
5.1
Repairing the Good Connect Server
The Good Connect 2.1 installer allows restoration of the Good Connect server installation. This process
reverts the Good Connect Server executables, binary, and configuration parameters to the values of the
last successful installation. Any manual changes are discarded during the reparation process.
5.2
Upgrading the Good Connect server
The Good Connect 2.2 installer does not preserve changes made to the log4net.config file before
performing an upgrade. The following steps explain how to backup and restore the log4net.config file to
preserver custom changes.
1. Stop the Good Connect Server service
2. Execute 2_Cardiff_Schema.sql in the SQL or Oracle folder on your database
3. Run the Good Connect Server installer
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 28 of 52
6. The Good Connect Server configuration file
After installation, you can update Good Connect configuration file at
<install path>\Good Technology\Good Connect Server\GoodConnectServer.exe.config
Note:
You must restart the Good Connect Server after updating the parameters.
Parameter Name
Required
Description
Default
UCMA_APPLICATION_NAME
Yes
Name of application as defined through
the installation provisioning process.
Generated during
application
provisioning
UCMA_GRUU
Yes
GRUU - Globally Routable User-Agent
URI that uniquely defines the Session
Initiation Protocol (SIP) URI for the
application.
Generated during
application
provisioning
UCMA_APPLICATION_PORT
Yes
The fixed port used by the Good Connect
Server to receive messages from the
enterprise IM server.
49555
OCS_SERVER
Yes
FQDN (Full Qualified Domain Name) of
the Microsoft Lync Front-End server or
Front-End server pool.
GD_HOST
Yes
Good Dynamics Proxy host.
GD_PORT
Yes
Good Dynamics Proxy port.
BASE_ADDRESS
Yes
URL for the Good Connect Server which
takes the form of
http://goodconnect.mycompany.com:8080/
BUILD_VERSION
Yes
The version number of the Good Connect
Server build.
Auto-populated
SESSION_TIMEOUT_SECS
Yes
The number of seconds a client is allowed
to remain idle
86,400 (24 hours)
ACTIVE_DIRECTORY_CACHE_
REFRESH_SECS
Yes
The number of seconds the Good
Connect Server waits before
synchronizing with the Active Directory.
Any value smaller than 7200 is ignored in
favor of 7200 seconds.
86,400 (24 hours)
GD_USE_SSL
Yes
Determines whether or not the Good
Connect Server uses the Good Dynamics
secure port (17433) or unsecure port
(17080).
False
APN_SOUND
Yes
Play sound when an Apple device
receives a push notification.
APN_BADGE
Yes
Determines whether or not to use the
badge graphic for Apple push
notifications.
True
APN_ALERT
Yes
Apple push notification message string
that notifies a user that there are unread
messages.
“You have number
unread messages.”
APN_SLEEP_TIME
Yes
The number of milliseconds the Good
Connect Server waits in between queued
Apple push notifications.
100
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
17080
Page 29 of 52
ACTIVE_DIRECTORY_SEARCH_
RESULT_MAX
Yes
The upper limit on the number of hits from
a search of the Global Address List (GAL).
Maximum value is 500.
150
GD_APN_PROXY_TYPE
No
Web Proxy Authentication Mechanisms.
Acceptable values are:
•
“” (empty string for no proxy)
•
“Basic No Auth”
•
“Basic”
•
“Digest”
“”
GD_APN_HTTP_URL
Yes
WebService URL for Good Dynamics
Apple Push Notification Service (APNS)
GD_APN_PROXY_AUTH_DOMAIN
No
Web Proxy Domain
Deprecated.
GD_APN_PROXY_AUTH_USERNAME
No
Web Proxy Username
Deprecated.
GD_APN_PROXY_AUTH_PASSWORD
No
Web Proxy Password
Deprecated.
GD_APN_PROXY_HTTP_HOST
No
Web Proxy Host
GD_APN_PROXY_HTTP_PORT
No
Web Proxy Port
GD_APNS_BLACKLIST_RETRY_NO
Yes
Specifies # of retries after the server
receives APNS response where the token
has been blacklisted.
3
DB_TYPE
Yes
SQLSERVER or ORACLE depending on
what database is used.
Deprecated.
DB_AUTHTYPE
Yes
USE_INTEGRATEDAUTH when the
specifying windows integrated
authentication, otherwise SQL Server
authentication will be used.
Deprecated.
DB_HOST
No
Only valid if DB_TYPE=ORACLE
Deprecated.
DB_PORT
No
Only valid if DB_TYPE=ORACLE
Deprecated.
DB_SERVICE
No
Only valid if DB_TYPE=ORACLE, Oracle
database instance name.
Deprecated.
GASLAMP_USERNAME
Yes
Window Service account.
DB_INIT_CATALOG
No
SQL Server database name, Only valid if
DB_TYPE=SQLSERVER
LYNC_DB_CONNECTIONSTRING
No
SQL Server connection string for the
Lync/OCS database.
DB_SESSION_TIMEOUT_SECS
Yes
Time limit for search Lync/OCS database
as defined by
LYNC_DB_CONNECTIONSTRING.
EWS_HOST
No
FQDN of the Exchange server to which
the Good Connect Server will write
conversation history
EWS_HISTORY_INTERVAL_MINUTES
No
Defines the number of interval in minutes
Good Connect server will wait before
writing to Conversation history. 0 means
that conversation history is written only
after conversation has been terminated.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Deprecated.
300
5
Page 30 of 52
EWS_VERSION
No
Version of Exchange server.
0 for Exchange 2007 SP1
1 for Exchange 2010
2 for Exchange 2010 SP1
3 for Exchange 2010 SP2
4 for Exchange 2013
2
DB_RECONNECT_WAITTIME_SEC
Yes
# of seconds to wait before reconnecting
attempt to database.
300
DB_RECONNECT_TRY_NUM
Yes
# of times Connect server to retry
reconnecting to database after a failure to
connect to database
3
AD_USERS_SOURCE
No
Parameter indicates if Good Connect
server should read AD or GC for SIPenabled users. Value can be “GC” or
“LDAP”. Default is LDAP if empty.
AD_USERS_SOURCE_DOMAIN
Yes, if
users
source is
GC
Domain for the for AD or GC to query.
This value should be in LDAP format
Ie DC=GOOD,DC=COM
EWS_HOST
No
FQDN of the Exchange server to which
the Good Connect Server will write
conversation history
EWS_HISTORY_INTERVAL_MINUTES
No
Defines the number of interval in minutes
Good Connect server will wait before
writing to Conversation history. 0 means
that conversation history is written only
after conversation has been terminated.
5
EWS_VERSION
No
Version of Exchange server.
0 for Exchange 2007 SP1
1 for Exchange 2010
2 for Exchange 2010 SP1
3 for Exchange 2010 SP2
4 for Exchange 2013
2
DB_RECONNECT_WAITTIME_SEC
Yes
# of seconds to wait before reconnecting
attempt to database.
300
DB_RECONNECT_TRY_NUM
Yes
# of times Connect server to retry
reconnecting to database after a failure to
connect to database
3
AD_USERS_SOURCE
No
Parameter indicates if Good Connect
server should read AD or GC for SIPenabled users. Value can be “GC” or
“LDAP”. Default is LDAP if empty.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 31 of 52
7. Configuring Good Control
This section details the steps for configuring the Good Control server with the Good Connect Server
information.
7.1
Entering the Good Connect Server Pool information and IM platform type
In the Good Control Server Info section of Good Connect enter the Hostname, Port for each Good
Connect server, and Configuration information. This configuration information gets delivered to Good
Connect clients and dictates the available servers a client may connect to. All servers listed in the
Configuration information should also be listed in the table above the Configuration box.
For each Good Connect server:
•
Hostname: <the fully qualified domain name of the Good Connect Server host>
•
Port: <the Good Connect Server port>
After the listing all the Good Connect servers
•
Configuration:
PLATFORM=LYNC
SERVERS= <a comma separated list of available Good Connect Servers using the format
host_fully_qualified_domain_name:port.>
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 32 of 52
7.2
Listing the approved Good Connect Server hostnames and ports
In Good Control’s Client Connections option under Settings define the allowed domains and servers that
the Good Connect client application can connect to within the corporate network. We recommend you
whitelist each individual Good Connect Server as shown in the example below.
7.3
Controlling browser and map behavior
Good Connect supports the option to control when the local device browser application can be used by
tapping on a webpage URL and if the map application can be used when tapping on an address.
The following steps explain how to disable this access by using Good Control’s Policy Sets option:
1. Select the policy set where you wish to disable access.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the App Settings tab.
5. Uncheck or disable either or both options to disable the respective access.
6. Click Update.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 33 of 52
7.4
Enabling a disclaimer
Good Connect supports the option to display a Corporate Policy disclaimer at the top over every new
conversation within the Good Connect client. The following steps explain how to enable this disclaimer by
using Good Control’s Policy Sets option:
1. Select the policy set where you wish to add the disclaimer.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Disclaimer tab.
5. Check or enable the Display Disclaimer option.
6. Type or paste in your disclaimer text into the textbox.
7. Click Update.
The Good Connect client will now display this disclaimer at the top of each new conversation window.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 34 of 52
7.5
Disabling Conversation History
Good Connect supports the option to disable storing conversation history on the Connect client and limit
the length of a conversation to 40 messages. The following steps explain how to disable conversation
history by using Good Control’s Policy Sets option:
1. Select the policy set where you wish to disable conversation history.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Conversation History tab.
5. Uncheck or disable the “Save more than 40 messages in a conversation history on the
device” option.
6. Click Update.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 35 of 52
8. Configuring Good Connect user affinity
It is possible for a Good Connect administrator to pin a user to a cluster of Good Connect servers instead
of letting the system randomly assign that user to a server from a master list.
8.1
ABC company example
ABC company has two Lync pools, a West Coast pool which hosts users in the west coast offices and an
East Coast pool which hosts users in the east coast offices. ABC company sets up a Good Connect
server for each pool, but only sets up one Good Control and Good Proxy cluster as shown below:
When Aaron Beard launches the Good Connect client, Good Control sends the list of servers to his client.
In this case, the list of servers includes both the West Coast server and the East Coast server. The client
randomly chooses a Good Connect server. Aaron has a chance of getting connected to the East Coast
server instead of the West Coast server.
Enabling user affinity allows Aaron to always connect to West Coast server.
8.2
Enabling User Affinity
The following steps explain how to create a user affinity for a given Good Control server.
1. Click Good Control’s Policy Sets option.
2. Select the policy set in which you want to define the user affinity.
3. Select the Application Policies tab.
4. Expand the Good Connect application.
5. Check the Server Configuration option.
6. Type or paste your connect server host name in the textbox.
7. Select the platform (Lync or Sametime).
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 36 of 52
8. Click Update.
9. Select the User Accounts option and select Manage Users.
10. Select the user for whom you wish to set this policy.
11. Set the West Coast Connect Users policy set for the user.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 37 of 52
9. Configuring MS Exchange Conversation History
Good Connect optionally supports saving instant messaging chats to MS Exchange’s Conversation
History. As a prerequisite to enabling this functionality, the following configuration changes must be
implemented:
•
Auto-discovery must be enabled on the MS Exchange server.
•
Lync/Exchange integration must be enabled.
•
MS Exchange SSL certificates must be installed on the Good Connect server in order to establish
secure communication.
Note: If the SSL certificate on the Good Connect server is incorrectly installed, the history
logging to Exchange fails.
•
On the Good Connect Window Service account, setup the ApplicationImpersonation
management role for the security principle. This is accomplished on the Exchange server in the
Exchange Management Console using the New-ManagementRoleAssignment cmdlet.
Note:
The following command enables application impersonation for all users to the Good
Connect service account; however every user may not be Lync enabled. Permissions
can be granted only to a scope of mailboxes, if this is required. See the Microsoft
documentation for more details on Configuring Exchange Impersonation.
New-ManagementRoleAssignment
–Name ”ApplicationImpersonation - Good Connect” -Role “ApplicationImpersonation”
–User connectserviceaccount@example.com
•
Good Connect configuration parameters must be added to the configuration file.
o
<add key="EWS_HOST" value="cas2010.example.com"/>
EWS_HOST is the server, which host Exchange Web services (normally the Client Access
Server). If this setting is null or missing, conversation history is disabled. If it is invalid, errors
will occur and conversation history will not be saved. At least one message will be written to
the windows event log.
o
<add key="EWS_HISTORY_INTERVAL_MINUTES" value="1"/>
Default value is 5. Describes how often history should be saved. A value of 0 means that
history will be saved only when the conversation is terminated (chat window is closed).
o
<add key="EWS_VERSION" value="2"/>
EWS_VERSION – Default value is 2. It is a characteristic of the EWS interface that this
setting must be no higher than the version in use, otherwise communications will fail. We
require Exchange 2010 SP1, so the recommended setting is 2.
 0 for Exchange 2007 SP1
 1 for Exchange 2010
 2 for Exchange 2010 SP1
 3 for Exchange 2010 SP2
 4 for Exchange 2013
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 38 of 52
When the MS Exchange server requires credential authentication from a remote server (in this case, the
Good Connect server) follow the these instructions:
1. Logon to the Good Connect server using the Good Connect Window Service account.
2. Open the Windows Vault and select "Manage your network credentials".
3. Create a new credential set under the application name "GoodConnectEWS".
If no credential set provided, the same credentials used by the service ("default credentials") will
be used to authenticate with Exchange.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 39 of 52
10. Enabling SSL support for Connect Client and Connect Server via
Good Proxy
The Good Connect server can be configured to run securely using SSL (https). By default, this is not
enabled. This section describes the requirements to set up the Good Connect server for SSL connections
from Good Connect clients.
The yellow highlight in the following figure show the path to the Good Connect server from the Good
Connect client.
The Good Connect server requires a signed server SSL certificate from a third-party Certificate Authority
(CA). Presently, the Good Dynamics (GD) SDK only supports the use of third-party certificates for GD
applications. Good Connect is based on the GD SDK framework and is subject to this requirement.
If you are using an enterprise CA, or are familiar with how to create a no-template legacy key Certificate
Signing Request (CSR), please review this section for the required properties and recommended optional
settings for creating the CSR.
The processes covered in this section provides detailed steps to accomplish the following high-level
tasks:
1.
2.
3.
4.
Creating the CSR.
Binding the SSL certificate.
Configuring the Good Connect server to use the new certificate.
Configuring the Good Connect client to start sending requests over SSL.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 40 of 52
10.1 Creating the CSR
Start by creating the CSR through the Microsoft management console (MMC) Certificates snap-in for the
local computer hosting the Good Connect server. The following steps explain what is required to create
the CSR.
1. Launch the Microsoft Management Console.
2. Select File > Add/Remove Snap-in > Select Certificate.
3. Select Computer Account, Next, Local Computer, Finish
4. Select Certificates > Personal > Certificates. Note that the final Certificates option is only
available if there is at least one certificate in the MMC. If not, just select Personal.
5. Select More Actions.
6. From More Actions, click on the following: All Tasks > Advanced Operations > Create
Custom Request.
7. Select the Legacy key template, using the PKCS #10 request format.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 41 of 52
8. If you are prompted to use your Active Directory Enrollment Policy, click on Proceed without
enrollment policy.
9. On the Certificate Information screen, click on the request’s Details and then click on
Properties.
10. On the General tab, enter a value for the Friendly name, such as the hostname.
11. On the Subject tab, select the type Common name and enter the fully qualified domain name of
your Good Connect server. In this example, the server1 is a member of the servers domain,
which is a subdomain of domain.tld.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 42 of 52
12. Select and enter the remaining subject types and values as illustrated here.
13. On the Extensions tab, expand the Key usage section and add Data encipherment.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 43 of 52
14. On the same tab, expand the next section titled Extended Key Usage (application policies)
and add Server Authentication.
15. On the Private Key tab, expand the section titled Key type and select Exchange.
16. On the same tab, expand the section titled Key options.
a. Change the Key size to 2048.
b. Enable Make private key exportable.
c. Enable Allow private key to be archived.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 44 of 52
17. Click on the OK button to proceed with generating the CSR, then click on Next and continue
through to the end where you specify the .req (text file) to be created.
18. Edit the CSR request, copy the text and paste it in the Validate a CSR VeriSign validator to
confirm there are no errors: https://ssl-tools.verisign.com/checker/
10.2 Send the new CSR to a well-known third-party CA to issue your certificate
You need to send the new CSR to a well-known third-party CA and purchase a certificate for your server.
The third-party CA may also send you a file that contains the full certificate chain, including possible
intermediate certificates. Please install all relevant certificate files that you receive on the server that
generated the CSR.
10.3 Binding the SSL certificate
You must import the third-party CA signed certificate and any other required intermediate certificates prior
to following the instructions in this section,.
This section details the steps needed to bind the third-party CA signed SSL certificate to the SSL port you
wish to use on your Good Connect server. This port binding exercise must be completed prior to
executing the steps in the following sections.
Step 1: Copy the certificates thumbprint
1. Double-click on the certificate in the Certificate snap-in then click on Details to switch to that tab.
2. Change the Show value to Properties Only to filter out other details.
3. Click on Thumbprint to display the thumbprint value.
4. Copy the thumbprint value from the lower text box in this dialog window.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 45 of 52
5. Paste the thumbprint into a text editor.
6. Use search and replace to find all spaces and delete them, so “ 08 82 41 2f…” becomes
“0882412f…”
7. Copy this modified version of the thumbprint value into the clipboard for the next step.
Step 2: Open the cmd prompt as an administrator and type the following as one line.
1. Replace “<thumbprint>” with the thumbprint copied from step 1.
2. Replace “<port>” with the port number you wish to use, such as 8082.
3. Copy and paste the remainder of the parameters listed here:
netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint>
appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}
Step 3: Confirm the certificate binding by executing the following command.
netsh http show sslcert
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 46 of 52
10.4 Configuring the Good Connect server to use the new certificate
The steps detailed in this section require you to make configuration changes to the Good Connect server.
Please make a backup copy of your Good Connect server configuration file before making any changes.
For documentation purposes, we will assume that you have installed the Good Connect server in the
default location. Please alter the drive:\path\ information to match your actual implementation.
1. Navigate to the C:\Program Files\Good Technology\Good Connect Server\ directory.
2. Edit the GoodConnectServer.exe.config file to administer the following changes.
The sections included below contain portions of the configuration file, showing the relative scope
where the highlighted text should be inserted.
All other sections in the configuration document not listed below do not change.
<service behaviorConfiguration="WCFGaslampServiceLibrary.Service1Behavior"
name="WCFGaslampServiceLibrary.Gaslamp">
<endpoint address="GaslampService" behaviorConfiguration="jsonBehavior"
binding="customBinding" bindingConfiguration="JsonSSLMapper"
contract="Gaslamp.Interfaces.IGaslamp"/>
<host>
<baseAddresses>
<!-- Replace “<port>” with the port number you used in section 1 (e.g., 8082). -->
<add baseAddress="https://yourserver.domain1.domain2.tld:<port>/"/>
</baseAddresses>
</host>
</service>
<customBinding>
<binding name=" JsonSSLMapper">
<webMessageEncoding
webContentTypeMapperType="GaslampWindowsService.GaslampContentTypeMapper,
GoodConnectServer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<sslStreamSecurity requireClientCertificate="false"/>
<httpTransport manualAddressing="true" authenticationScheme="Anonymous"
requireClientCertificate="false"/>
</binding>
</customBinding>
<serviceBehaviors>
<behavior name="WCFGaslampServiceLibrary.Service1Behavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
3. Restart the Good Connect server service for these changes to take effect.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 47 of 52
10.5 Configuring the Good Connect client to start sending requests over SSL
This section describes what you need to change to enable client SSL connections. The changes required
here are administered entirely within the Good Control application configuration.:
1. If previously installed without SSL, you will need to change the servers you have listed on the
Manage Application page, in the Servers tab (illustrated below) or if you are using User Affinity
in the Application Policies tab of the Policy Set (also illustrated below) you have defined.
a. You will need to add each server’s fully qualified domain name with the new SSL port.
b. If you had previously installed Good Connect server with non-SSL ports, you will need to
remove those entries from this table.
2. The format and port information for the servers you have listed after SERVERS= will need to
have https:// added, in addition to using the new SSL port. For example, if you have a cluster of
two servers, both using port 8082 for SSL, you would update SERVERS as follows:
SERVERS=https://server1.domain.tld:8082,https://server2.domain.tld:8082
Changing servers in the Manage Application page, in the Servers tab.
Changing servers in Application Policy in the Policy Sets, for User Affinity implementation.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 48 of 52
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 49 of 52
A. Troubleshooting with Log Exceptions
The best place to diagnose issues is the log file in the Good Connect Server folder:
C:\Program Files\Good Technology\Good Connect Server\Application-log.txt
Failed to start GoodConnectServer:
Microsoft.Rtc.Signaling.ConnectionF
ailureException: Unable to
establish a connection. --->
System.Net.Sockets.SocketException:
No such host is known.
The hostname value in the
configuration file for the key
OCS_SERVER does not exist or is not
recognized as a valid server.
Correct OCS_SERVER value in
the configuration file.
DeregisterReason=None
ResponseCode=480
ResponseText=Temporarily
Unavailable
Microsoft.Rtc.Signaling.RegisterExc
eption: The endpoint was unable to
register. See the ErrorCode for
specific reason.
The port number specified in
OCS_PORT_TLS is not valid.
Correct OCS_PORT_TLS value in
the configuration file.
ErrorCode=-2146233088
OCS_TRANSPORT was specified as
TLS, however the port number provided
was TCP.
Change the OCS_PORT_TLS to
5061.
Failed to start GoodConnectServer:
Microsoft.Rtc.Signaling.ConnectionF
ailureException: Failed to listen
on any address and port supplied.
UCMA_APPLICATION_PORT number
specified in the configuration file is
either blocked by a firewall or used by
another application.
Unblock port if it is a firewall issue
or choose another port number.
Failed to start GoodConnectServer:
WCFGaslampServiceLibrary.OCSCertifi
cateNotFoundException: Certificate
not found.
The certificate's subjectName must
contain the local host's FQDN and the
private key for the cert must be enabled
for the user which executes the Good
Connect Server.
Enable private keys for this cert for
the user running the Good Connect
Server.
FailureReason=RemoteDisconnected
LocalEndpoint=10.120.165.137:5060
RemoteEndpoint=10.120.167.109:55118
RemoteCertificate=<null>
Microsoft.Rtc.Signaling.TlsFailureE
xception: Unknown error
(0x80131500) -->
Microsoft.Rtc.Internal.Sip.RemoteDi
sconnectedException: Remote
disconnected while outgoing tls
negotiation was in progress -->
System.Net.Sockets.SocketException:
An existing connection was forcibly
closed by the remote host.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 50 of 52
B. Troubleshooting with SSL certificate exceptions
If the SSL certificate requirements defined in Section 2.6 have been meet and you are still getting the
following error:
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.Rtc.Internal.Sip.TLSException
Then, it is possible that the SSL certificate has not been created with the correct CSP and key spec.
Follow the steps below to check CSP and key spec on the SSL certificate.
1. Open cmd/powershell on Good Connect server.
2. Execute command:
certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt
3. Open c:\temp\ss.txt with your favorite editor and search for
“CERT_KEY_PROV_INFO_PROP_ID”. You should see:
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0cd24435fe903
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20
KeySpec = 1 -- AT_KEYEXCHANGE
Provider, provider type and keyspec must be exactly the values listed above. If not, you will
need to reissue a new SSL certificate with appropriate provider and key spec values.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 51 of 52
Legal Notice
This document, as well as all accompanying documents for this product, is published by Good Technology
Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other
intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other
document, does not in any way imply any license to these or other intellectual properties, except as expressly
provided in written license agreements with Good. This document is for the use of licensed or authorized users only.
No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in
any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without
the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a
violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is subject to change
without notice and does not represent a commitment on the part of Good. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those written agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to
utilize the most current documentation available. Good assumes no duty to update you, and therefore Good
recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes
no liability for the accuracy or completeness of the content. The content of this document may contain information
regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this
information is non-binding and Good creates no contractual obligation to deliver the features and functionality
described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or
similar theories.
Legal Information
© Copyright 2014. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD,
GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR
YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD
CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks
of Good Technology Corporation and its related entities. All third-party technology products are protected by issued
and pending U.S. and foreign patents.
Good Connect 2.3: Server Installation and Administration Guide for Microsoft Lync 2010
Page 52 of 52