Good Connect Server for Lync 2013
Installation and Administration Guide
Product Version: 2.2
Doc Rev 1.4
Last Update: 5-Aug-15
Good Connect™
Legal Notice
This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.
Legal Information
© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.
Table of Contents
Overview
Requirements
System and Network Requirements
Good Dynamics Requirements
Microsoft .NET Framework 4.5
Microsoft Windows PowerShell 3.0 RTM
Microsoft Unified Communications Managed API 4.0 Runtime (64-bit)
SSL Certificate Requirements
Good Connect Database
Database Level Permissions
Setting Up an Oracle XE database
Setting Up Your Microsoft SQL Server 2008 R2
Preparing Your Lync Topology for Good Connect
Initial Installation of Good Connect Server
Preparing for Subsequent Good Connect Servers
Installing the Good Connect Server
Good Connect Windows Service
APNS Web Proxy Support
Setting Your Proxy Configuration Parameters
Storing User Credentials
Configuring for Global Catalog
Repairing/Upgrading the Good Connect Server
Repairing the Good Connect Server
Upgrading from Good Connect 1.2
Upgrading from Good Connect 2.1
Configuring Good Control
Entering the Server Pool Information and IM Platform Type
Listing Approved Server Hostnames and Ports
Controlling Browser and Map Behavior
Enabling Disclaimer
Disabling Conversation History
Configuring Good Connect User Affinity
ABC Company Example
Enabling User Affinity
Configuring MS Exchange Conversation History (Optional)
Enabling SSL Support via Good Proxy
Creating the CSR
Send the New CSR to a Well-Known Third-Party CA
Binding the SSL Certificate
Configuring Good Connect Server to Use the New Certificate
Configuring Good Connect Clients to Send Requests Over SSL
Good Connect Cluster Configuration Maintenance
Troubleshooting
Appendix A – Good Connect Server Configuration File
Appendix B – Troubleshooting SSL Certificate Exceptions
Glossary
Overview
This manual provides step-by-step instructions for installing version 2.2 of the Good Connect Server in your Lync 2013 environment. Be sure to carefully read and confirm that you meet all the listed requirements before starting the installation.
There is also a detailed administration portion for reference when server installation is complete.
The following diagram shows how the Good Connect Server works with both the enterprise IM infrastructure and the Good Dynamics (GD) servers behind the enterprise firewall. The Good Connect server then communicates with the Good Dynamics Network Operation Center (NOC) to securely reach the mobile device.
Requirements
This section lists the requirements for the Good Connect Server software.
Important: If you are upgrading from a previous version of Good Connect Server, you must use the same Windows Service Account used to install your current version of Good Connect Server.
Caution: If you don’t install the required software, or fail to configure them correctly before starting the installation of the Good Connect Server, the Good Connect Server may fail or may behave in an unexpected manner.
System and Network Requirements
You must meet the following requirements before installing the Good Connect server.
• Microsoft Windows Server 2008 R2 (64-bit) or Microsoft Windows Server 2012 (64-bit)
• 4 GB of RAM
• 20 GB disk space
• 4 core processor
• The installing user must have local administrative privileges on the host computer.
• The Good Connect Server must be in the same domain as Microsoft Lync Server 2013.
• The Good Connect Server must be able to communicate with the Microsoft Active Directory.
• The local Windows Firewall must be disabled.
  Note: A Group Firewall Policy causes the installer to fail prerequisite checks, even if the local firewall is disabled.
• Disable local anti-virus software during installation.
• The following inbound ports must not be blocked by any firewall:
  o 8080 from the Good Proxy server
  o 49555 from the Lync server
• The following outbound ports must not be blocked by any firewall:
  o 443 to the Good Technology NOC/Apple Push Notification Service
  o 5061 to the Lync server
  o 17080 to the Good Proxy server
  o 17433 to the Good Proxy server
• Good Connect also requires TCP/IP port access to the database used.
  o 1433 to the Microsoft SQL server default.
  o 1521 to the Oracle XE server default.
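A preflight check for the port list above, as an added example that is not part of the original guide: it attempts the outbound TCP connections and reports whether the two inbound ports have a local listener. All host names are placeholders and the 3-second timeout is an assumption; the direct test to port 443 does not apply when outbound traffic goes through a web proxy.

```powershell
# Added example (not from the Good Connect guide). Host names are placeholders;
# replace them with the servers in your deployment. Works on PowerShell 3.0.
$outbound = @(
    @{ Role = 'Good Technology NOC / APNS';    Target = 'noc-placeholder.example.com'; Port = 443   },
    @{ Role = 'Lync server';                   Target = 'lync.example.com';            Port = 5061  },
    @{ Role = 'Good Proxy server';             Target = 'goodproxy.example.com';       Port = 17080 },
    @{ Role = 'Good Proxy server';             Target = 'goodproxy.example.com';       Port = 17433 },
    @{ Role = 'Database (SQL Server default)'; Target = 'sql.example.com';             Port = 1433  },
    @{ Role = 'Database (Oracle XE default)';  Target = 'oracle.example.com';          Port = 1521  }
)
$inboundPorts = 8080, 49555   # from the Good Proxy server and from the Lync server

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so that a silently dropped SYN does not hang the script.
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false    # refused, name not resolved, or filtered
    } finally {
        $client.Close()
    }
}

$report = @()
foreach ($t in $outbound) {
    $report += [pscustomobject]@{
        Direction = 'Outbound'
        Role      = $t.Role
        Endpoint  = '{0}:{1}' -f $t.Target, $t.Port
        Result    = Test-TcpPort -Target $t.Target -Port $t.Port
    }
}

# Inbound reachability can only be proven from the remote side. Locally we can
# confirm that a listener exists once Good Connect Server is installed and running.
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
foreach ($p in $inboundPorts) {
    $report += [pscustomobject]@{
        Direction = 'Inbound'
        Role      = 'Local listener'
        Endpoint  = 'localhost:{0}' -f $p
        Result    = [bool]($listeners | Where-Object { $_.Port -eq $p })
    }
}

$report | Format-Table -AutoSize
```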
Good Dynamics Requirements
• At least version 1.3.26.40 of the Good Control server
• At least version 1.3.26.10 of the Good Proxy server
You can download the Good Dynamics servers from the Good Developer Network (GDN).
Microsoft .NET Framework 4.5
• Windows Server 2008 R2
  This operating system version comes with .NET Framework 3.5. Download and install .NET Framework 4.5.
• Windows Server 2012
  Enable the Microsoft .NET Framework 4.5 feature using Server Manager.
Microsoft Windows PowerShell 3.0 RTM
• Windows Server 2008 R2
  This operating system version comes with PowerShell 2.0. Install PowerShell 3.0 by downloading and installing MS Update Package Windows6.1-KB2506143-x64.
  PowerShell 3.0 on 2008 R2 requires .NET Framework 3.5 Service Pack 1 to be installed. Enable this feature using Server Manager.
• Windows Server 2012
  This operating system version comes with PowerShell 3.0. Enable the Windows PowerShell 3.0 feature using Server Manager.
Microsoft Unified Communications Managed API 4.0 Runtime (64-bit)
Download UCMA 4.0.
UcmaRuntimeSetup.exe also installs an additional installer named OCSCore.msi that is required by Good Connect Server. Find OCSCore.msi by navigating to the following directory, then launch it and use the default settings in the wizard. (Note: By default, the ProgramData folder is hidden in Windows Explorer. You can change this in folder settings):
C:\ProgramData\Microsoft\Lync Server\Deployment\cache\5.0.8308.0\Setup\OCSCore.msi
• Windows Server 2008 R2
  UCMA 4.0 requires Desktop Experience on the Windows Server 2008 R2. Enable this feature using the Server Manager.
• Windows Server 2012
  UCMA 4.0 requires Media Foundation on the Windows Server 2012. Enable this feature using the Server Manager.
SSL Certificate Requirements
Good Connect Server must form a mutual trust relationship for MTLS communications with the Lync server. Mutual trust requires an SSL certificate on the Good Connect computer meeting the following criteria:
• The private certificate issued by a trusted CA is stored in Console Root\Certificates\<local_host_name>\Personal\Certificates.
• The computer’s private certificate, as well as the Lync server’s internal computer certificate, must both be trusted by root certificates stored in Console Root\Certificates\<local_host_name>\Trusted Root Certification Authorities\Certificates.
• Any intermediate certificates for both the Good Connect Server’s private certificate and the Lync server’s internal computer certificate must be located in Console Root\Certificates\<local_host_name>\Trusted Root Certification Authorities\Certificates.
• The account used to run the Good Connect server application must have read access to the certificate store and the private key.
• The Subject Name (SN) of the certificate must contain the Common Name (CN) for the Good Connect server's fully-qualified domain name; e.g., "CN=server.subdomain.domain.tld".
• The certificate must be signed by a CA that is mutually-trusted by both the Lync server and the Good Connect server.
For more on SSL Certificate requirements see Certificate infrastructure requirements for Lync 2010.
To create a certificate for Good Connect Server through your enterprise certificate authority (CA):
1. Launch the Microsoft Management Console (MMC).
2. Select File > Add/Remove Snap-in > Select Certificate.
3. Select Computer Account.
4. Click Next.
5. Select Local Computer.
6. Click Finish.
7. Select Certificates > Personal > Certificates.
Note: The final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal.
8. Select Actions > All Tasks > Request New Certificate.
9. Click Next.
10. Select Active Directory Enrollment Policy and click Next.
11. Select Computer as the type of certificate, then click Enroll.
12. Click Finish when the enrollment process succeeds.
The MMC now lists the new certificate. If you don’t see the new certificate, expand the tree view in the left-hand pane by clicking Console Root > Certificates (Local Computer) > Personal > Certificates.
13. Verify that your new certificate lists the fully qualified domain name of your Good Connect Server in the Subject attribute of your newly issued certificate as pictured below. This is the default behavior of the Certificate Authority. However, if your CA uses custom certificate templates, an administrator may need to explicitly add that field for inclusion.
14. Right click on the newly created certificate and select More Actions > All Tasks > Manage Private Keys.
15. Click Add in the Security tab of the Permissions dialog box to see the Select Users, Computers, Service Accounts or Groups dialog box.
16. Enter the Good Connect service account and click OK to grant permission to this certificate’s private key.
17. Click OK in the Permissions dialog box.
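The certificate criteria and the enrollment steps above can be verified from PowerShell once the certificate is issued. The script below is an added example, not part of the original guide: it checks the Subject CN, validity, chain trust, and the private-key ACL. The service account name is a placeholder, and the key-file lookup assumes a CSP-backed (non-CNG) RSA machine key.

```powershell
# Added example (not from the Good Connect guide). Run elevated on the Good
# Connect host. The service account name below is a placeholder.
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ServiceAccount = 'EXAMPLE\svc-goodconnect'
)

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

# Local Computer > Personal store; the Subject must carry CN=<FQDN>.
$cnPattern = '(^|,\s*)CN=' + [regex]::Escape($Fqdn) + '(\s*,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Fqdn in Cert:\LocalMachine\My" }

$now = Get-Date
$checks = @()
$checks += New-Check 'Subject contains CN=<FQDN>' $true $cert.Subject
$checks += New-Check 'Within validity period' ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) "expires $($cert.NotAfter)"
$checks += New-Check 'Private key present' $cert.HasPrivateKey $cert.Thumbprint

# Build the chain against the machine stores. Revocation is not checked here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$checks += New-Check 'Chain builds to a trusted root' $built $status

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$checks += New-Check 'Chain root is in Trusted Root Certification Authorities' $inRootStore $root.Subject

# Private-key ACL. Only a direct Allow ACE for the account is detected;
# access inherited through group membership is not resolved here.
$hasRead = $false
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { throw 'no CSP key container (CNG key?)' }
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $aces = (Get-Acl -Path $keyFile -ErrorAction Stop).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -eq $read
    }
    $hasRead = [bool]$aces
    $detail = $keyFile
} catch {
    $detail = "Could not evaluate key ACL: $($_.Exception.Message)"
}
$checks += New-Check "Direct read ACE for $ServiceAccount on private key" $hasRead $detail

$checks | Format-Table -AutoSize -Wrap
```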
Good Connect Database
Good Connect server requires a relational database, either existing in your environment or freshly installed for your Good Connect deployment. Currently supported databases include Oracle and Microsoft SQL Server.
Important: The database must be installed and prepared before attempting to start your Good Connect server installation. In addition, SQL scripts included in your Good Connect installer package must be executed before you start the Good Connect Server installation.
Microsoft and Oracle have visual and command line tools to assist you with database and schema creation. These include Microsoft Management Studio, sqlcmd, Oracle SQL Developer, sql*plus, etc.
Supported Oracle versions include:
• Oracle 10g (Standard/Enterprise)
• Oracle 11g (Express/Standard/Enterprise)
Note: Oracle Database 10.2 and 11.1 are no longer available for download. The software is available as a media or FTP request for those customers who own a valid Oracle Database product license for any edition. To request access to these releases, follow the instructions in Oracle Support Document 1071023.1 (Requesting Physical Shipment or Download URL for Software Media) from My Oracle Support.
You must also download the Oracle Data Access Components (ODAC 11.2 Release 5 for Windows x64) and install the client libraries on the Good Connect server machine.
Supported Microsoft SQL Server Versions:
• SQL Server 2008 SP 1 (Express/Standard/Enterprise)
• SQL Server 2008 R2 (Express/Standard/Enterprise)
For POC deployments, you can download a trial of MS SQL Server 2008 R2 Express.
Database Level Permissions
The database user for Good Connect requires the minimum set of database level permissions to:
1. Connect to the database over TCP/IP
2. Select/insert/update/delete to and from tables
3. Create/alter tables
4. Execute stored procedures
Defined as the database level permissions, the minimum set includes:
• ALTER
• CONNECT
• CREATE TABLE
• DELETE
• EXECUTE
• INSERT
• SELECT
• UPDATE
Failure to grant these minimum database level permissions to the database user for Good Connect will render the product inoperable and will be unsupported.
Exclusions
These roles are not required by the database user for Good Connect:
• DB_BACKUPOPERATOR
• DB_ACCESSADMIN
• DB_SECURITYADMIN
• DB_DDLADMIN
• DB_OWNER
The database user for Good Connect also does not require any of these instance roles:
• DBCREATOR
• DISKADMIN
• PROCESSADMIN
• SECURITYADMIN
• SERVERADMIN
• SETUPADMIN
• SYSADMIN
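For SQL Server, the minimum permission set and the excluded roles above can be audited with the following script, an added example that is not part of the original guide. It assumes Windows authentication as a SQL Server administrator, a placeholder instance name, and that the login and the database user share the name GoodConnect.

```powershell
# Added example (not from the Good Connect guide). Run as a SQL Server
# administrator with Windows authentication. The instance name is a placeholder.
param(
    [string]$Server    = 'localhost\SQLEXPRESS',
    [string]$Database  = 'GoodConnect',
    [string]$Principal = 'GoodConnect'     # login / database user to audit
)

$required    = 'ALTER','CONNECT','CREATE TABLE','DELETE','EXECUTE','INSERT','SELECT','UPDATE'
$unneededDb  = 'db_backupoperator','db_accessadmin','db_securityadmin','db_ddladmin','db_owner'
$unneededSrv = 'dbcreator','diskadmin','processadmin','securityadmin','serveradmin','setupadmin','sysadmin'

# Explicit database-level grants (class 0) held by the user.
$sqlGrants = @'
SELECT p.permission_name
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.name = @name AND p.class = 0 AND p.state IN ('G','W')
'@
$sqlDbRoles = @'
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = @name
'@
$sqlSrvRoles = @'
SELECT r.name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
WHERE l.name = @name
'@
# Returns a row only when the audited login owns the current database.
$sqlOwner = @'
SELECT name FROM sys.databases
WHERE name = DB_NAME() AND SUSER_SNAME(owner_sid) = @name
'@

function Get-Column {
    param($Connection, [string]$Sql, [string]$Name)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    [void]$cmd.Parameters.AddWithValue('@name', $Name)   # parameterized, no string building
    $reader = $cmd.ExecuteReader()
    $values = @()
    try { while ($reader.Read()) { $values += $reader.GetString(0) } }
    finally { $reader.Close() }
    return ,$values
}

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    $granted  = Get-Column $conn $sqlGrants   $Principal
    $dbRoles  = Get-Column $conn $sqlDbRoles  $Principal
    $srvRoles = Get-Column $conn $sqlSrvRoles $Principal
    $owner    = Get-Column $conn $sqlOwner    $Principal
} finally {
    $conn.Close()
}

# Only explicit grants are listed: a permission that is effective through a role
# or through database ownership still shows up under MissingExplicitGrants.
# A login that owns the database maps to dbo and holds every permission in it.
[pscustomobject]@{
    MissingExplicitGrants = ($required | Where-Object { $granted -notcontains $_ }) -join ', '
    UnneededDatabaseRoles = ($dbRoles  | Where-Object { $unneededDb  -contains $_ }) -join ', '
    UnneededServerRoles   = ($srvRoles | Where-Object { $unneededSrv -contains $_ }) -join ', '
    IsDatabaseOwner       = [bool]$owner.Count
} | Format-List
```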
Setting Up an Oracle XE database
Prior to running the installer, you must create a schema named “GoodConnect” in your instance, as well as a user account with privileges for executing schema, stored procedures and creating table for said schema.
To set up your Oracle database:
1. Select Start Menu > All Programs > Oracle Database Express Edition > Run SQL Command Line.
2. When prompted, enter connect system and provide the password.
3. Run the following commands:
create user GoodConnect identified by password;
grant connect, resource to GoodConnect;
alter user GoodConnect default role all;
grant create table to GoodConnect;

@<unzip directory>\Sql\Oracle\1_Balboa_Schema.sql;
@<unzip directory>\Sql\Oracle\1_Balboa_storedProcedures.sql;
@<unzip directory>\Sql\Oracle\2_Cardiff_Schema.sql;

grant execute on GOODCONNECT.USP_CREATENEWADTABLE to GoodConnect;
grant execute on GOODCONNECT.USP_SWITCHADTABLES to GoodConnect;
grant execute on GOODCONNECT.UTILS to GoodConnect;
Setting Up Your Microsoft SQL Server 2008 R2
SQL Server Management Studio, which is bundled with the SQL Server 2008 R2 Express download, is required for setting up the Good Connect database. If your SQL Server installation does not include the SQL Server Management Studio software, click the link immediately above.
Follow these instructions to set up the Good Connect database in SQL Server:
1. Install the SQL Server database per the directions in the installation wizard. Specify Windows Authentication mode or SQL Server and Windows Authentication mode under the Security section of Server Properties.
2. After installation, launch SQL Server Management Studio and log in.
3. Set up the login that will be used to manage the Good Connect database by expanding the Security item in the Object Explorer pane, right-clicking Logins, then selecting New Login.
Here, if you selected SQL Server and Windows Authentication mode in Step 1, enter "GoodConnect" as the Login name. Select SQL Server authentication and set a Password for this login—this password will be needed later when the Good Connect installer asks for Connect database information—then click OK to add the login.
If you selected Windows authentication in Step 1 because you want to use a Windows account to manage the database, enter the Windows account username in domain\username format as the Login name. This account should be the same as the service or administrator account set up to run the Good Connect server service. Click OK to add the login.
4. Right-click the Databases item in the Object Explorer pane, then select New Database, enter GoodConnect as the Database name, and set the login you configured in the previous step as the database Owner. Click OK to add the database.
5. Launch the SQL Server Configuration Manager by selecting Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.
6. Expand SQL Server Network Configuration and select Protocols for SQLEXPRESS, then enable TCP/IP and add TCP Port 1433 for IPAll. 1433 is merely a default port, which you can change as needed or desired, post-installation.
7. Restart the Microsoft SQL Server service.
8. Run the following schema and stored procedure scripts.
sqlcmd -S <host>\SQLExpress -d GoodConnect -i 1_Balboa_Schema.sql
sqlcmd -S <host>\SQLExpress -d GoodConnect -i 1_Balboa_StoredProcedures.sql
sqlcmd -S <host>\SQLExpress -d GoodConnect -i 2_Cardiff_Schema.sql
Important: Execute the scripts in the order specified above to properly create the GoodConnect database schema and stored procedures. These scripts can be found in the installation directory within the ..\SQL\SQLServer folder.
Preparing Your Lync Topology for Good Connect
Good Connect is a Microsoft Lync trusted-UCMA application. In order to establish trust with Microsoft Lync 2013, you must use the Lync Management Shell to do the following:
• Create a trusted application pool.
• Designate trusted applications for the use of the Good Connect computer.
• Create a trusted-computer entry for every Good Connect server in the environment.
• Publish these changes to the Lync Topology.
• Create a Trusted Endpoint for the Good Connect administrator.
Important: You must be a member of the RTCUniversalServerAdmins and Domain Admins security groups to provision and publish new applications in the Microsoft Lync topology. If you have a designated Lync administrator within your organization, it is ideally this person who should perform the steps listed next.
You must complete the application provisioning process as described here. After the application provisioning process, the Lync administrator will need to delegate RTCUniversalReadOnlyAdmins permission to you, as the installer, in order to access the provisioning information during the Good Connect installation process.
Initial Installation of Good Connect Server
The preparations described here are required only if you are installing the Good Connect server for the first time. See Preparing for Subsequent Good Connect Servers if you’ve already completed an initial setup of the Lync topology for the Good Connect.
When you create a trusted application pool for the initial installation of Good Connect, you also create the trusted-computer entry. Subsequent installations of the Good Connect server do not require a new trusted application pool or designated trusted applications because these are added to the existing trusted application pool.
Launch the Lync Management Shell and enter the commands listed below to do the following:
1. Create a Trusted Application Pool.
2. Designate a Trusted Application.
3. Publish the changes to the Lync Topology.
Important: Please follow the naming conventions in bold, replacing <myhost> with your Good Connect host name and <myconnectdomain.com> with your organization's domain.
PS> Get-CsSite
If your organization has more than one Site in its topology, look up the appropriate siteId number and the corresponding registrar value. You will need this information to create the Application Pool below.
PS> New-CsTrustedApplicationPool -Force -Identity "pool_goodconnect.<myconnectdomain.com>" -Registrar <registrar> -RequiresReplication $false -Site <siteId number> -ComputerFqdn "<myhost>.<myconnectdomain.com>"
The value for <registrar> can be either a Director pool or a Lync pool. Director pools direct (or redirect) user requests to the appropriate front-end server. If the director pool becomes unavailable, however, all pools will be inaccessible.
PS> New-CsTrustedApplication -Force -ApplicationId "appid_goodconnect.<myconnectdomain.com>" -TrustedApplicationPoolFqdn "pool_goodconnect.<myconnectdomain.com>" -Port 49555
PS> Enable-CsTopology
PS> New-CsTrustedApplicationComputer -Identity "<myhost.myconnectdomain.com>" -Pool "pool_goodconnect.<myconnectdomain.com>"
Preparing for Subsequent Good Connect Servers
Follow the instructions here only if you’ve already installed the Good Connect server at least once before. If this is your first installation of the Good Connect server, follow the instructions in Initial Installation of Good Connect Server.
Launch the Lync Management Shell and enter the commands listed below to create a trusted computer for the Good Connect trusted application pool.
Important: As with your initial installation, please follow the naming conventions in bold, replacing <myhost> with your Good Connect host name and <mycompany.com> with your organization’s domain.
PS> New-CsTrustedApplicationComputer -Identity "<myhost>.<myconnectdomain.com>" -Pool "pool_goodconnect.<myconnectdomain.com>"
Installing the Good Connect Server
Note: The Good Connect installer securely stores Web Proxy, Database, and Exchange service passwords in the Windows Credential Manager as the installer user. If the installer user is not the same as the Good Connect Windows Service account, you will need to manually add passwords to the Windows Credential Manager.
To install the Good Connect server software:
1. Run the installer executable.
2. The introduction presented furnishes basic information about the installer and disk space needed. Review the information carefully, verify that your machine can support the storage requirement, then proceed by clicking Next.
3. Read the License and Services Agreement and accept the terms by clicking Next.
4. The installer now checks to make sure you meet the prerequisites detailed in Pre-Installation Requirements above. Failure to meet all the requirements will cause Good Connect to fail or behave improperly.
5. Good Dynamics Host Information screen
The Good Connect Server requires the hostname and port of the Good Dynamics Proxy server. If you choose HTTPS be aware that, at this time, Good Dynamics does not support internal CA issued SSL certificates within the Good Dynamics Proxy server. The certificate must come from a well-known 3rd Party certificate authority. See your GD Server Installation Guide for detailed instructions on how to do so.
6. Database Server Settings screen.
Good Connect requires a database to execute properly. Database configuration parameters can be set on this screen.
Microsoft SQL Server 2008 R2
MS SQL server can be authenticated in two ways: (a) integrated windows authentication or (b) SQL Server Authentication.
Integrated Windows Authentication
When a user connects through a Windows OS user account, SQL Server validates the account name and password using the Windows principal token in the operating system. The user’s credentials are confirmed by Windows OS and it is not necessary to provide username and password. Windows Integrated Authentication uses Kerberos security protocol that provides password policy enforcement, support for account lockout, and password expiration. A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.
SQL Server Authentication
When using SQL Server Authentication, logins are created in Microsoft SQL Server directly which are not based on Windows OS user accounts. Both the username and the password are stored and managed in the SQL Server. Users connecting using SQL Server Authentication must provide their credentials when they connect. If you choose SQL Server Authentication, you must provide username and password.
The Good Connect Installer securely stores the username and password to the Windows Credential Manager. If you run the Good Connect Windows service as a different user from the one that installs the Good Connect, you will need to manually add the database username and password to the Windows Credential Manager as described in the following steps:
1. Log in to the Good Connect server as the run user (this is the domain user as defined in Good Connect Server Host Information screen).
2. Launch cmd.exe as Administrator.
3. Execute the cmd:
cmdkey /generic:GoodConnectDatabase /user:dbadmin /pass:password
Oracle XE
Note: In order to use Oracle database, you must install the Oracle ODAC on the Good Connect server in order for the installer to test connectivity to the Oracle database server.
7. Good Connect Server Host Information screen
Each Good Connect server’s host information also needs to be entered in the Good Control console. The installer automatically enters the local hostname. If the installer cannot detect a hostname, you can enter one, however the hostname must resolve properly within your network’s DNS for it to operate correctly with Good Dynamics and Microsoft Lync.
Good Connect server supports HTTP and HTTPS connections from the Good Connect client.
HTTP Client Connections
The default port for incoming client connections to the Good Connect Server is 8080. By default, the Good Connect installer will enable Connect server to respond to HTTP client requests.
HTTPS Client Connections
The Good Connect server supports client SSL connections to the Good Connect server. The Good Connect admin will need to follow the instructions prior to installation for enabling SSL for the Connect client. The instructions can be found in the Enabling SSL Support Between Good Dynamics Proxy and Good Connect Servers.
After setting up SSL, follow these instructions during installation:
1. Select Use GD SSL Binding
2. Enter Port and Certificate Friendly Name
Each Good Connect server can host a maximum of 10000 concurrent sessions. A session constitutes any device actively connected into Good Connect and using the service. If you anticipate more than 10000 concurrent sessions, you should install a second Good Connect Server.
Each Good Connect server’s host information also needs to be entered in the Good Control console. See Configuring Good Control for instructions on setting up Good Control.
8. Exchange Conversation History screen
The Exchange Conversation History screen information enables Good Connect to archive conversations to Exchange via Exchange Web Services. Good Connect server supports four ???? different schema types for Exchange:
• Exchange 2010
• Exchange 2010 SP1
• Exchange 2010 SP2
If you are using Exchange 2010 SP3, select Exchange 2010 SP2.
Prior to installation, Good Admin must follow steps in Section 9 to enable Exchange Conversation history.
9. Web Proxy screen
If your Enterprise uses a web proxy to restrict access to the Internet, then you must select the Web Proxy checkbox.
The Good Connect server supports the following web proxy types: None, NTLM, Digest, or Basic Authentication. Select the authentication type used by your Enterprise’s web proxy and enter the appropriate information.
The Good Connect Installer securely stores the username and password to the Windows Credential Manager. If you run the Good Connect Windows service as a different user from the one which installs the Good Connect, you will need to manually add the web proxy username and password to the Windows Credential Manager as described in the following steps:
1. Log in to the Good Connect server as the run user (this is the domain user as defined in Good Connect Server Host Information screen).
2. Launch cmd.exe as Administrator.
3. Execute the cmd:
cmdkey /add:GoodConnectWebProxy /user:foouser /pass:foopass
10. Good Connect Server Location screen.
Click Next unless you want to change the default installation directory location.
11. Pre-installation Summary screen
Review the summary information and make sure the values are correct before clicking the Install button.
12. Installation screen
13. Finalize screen
The information gathered during this installation is available for review in the Good Connect Server’s configuration file.
Good Connect Windows Service
After installation, the Good Connect Server is listed in the Microsoft Windows Services interface.
Good Connect can run as another domain user given the following:
• The alternate domain user must have access to the private key of the computer certificate. See SSL Certificate Requirements for additional details.
• The alternate domain user must be enabled to Log on as service through the Local Security Policy tool.
The following steps explain how to make sure your account has Log on as service privileges:
1. Run the Local Security Policy admin tool on the Good Connect host.
2. Expand the Local Policies folder in the navigation pane on the left.
3. Select the User Rights Assignments folder to see a list of policies in the right pane.
4. Double click the Log on as a service policy to add your account.
APNS Web Proxy Support
If the host machine for Good Connect server must work with a web proxy to access the Internet, and you did not install the Good Connect server with Web Proxy enabled, you will need to manually configure the web proxy. To do so, set the configuration parameters outlined below, then store the user credentials for "GoodConnectWebProxy" in Windows Credential Manager.
Important: Make sure that Good Connect Server is Running As a user account which has been granted local administrator privileges.
Setting Your Proxy Configuration Parameters
Edit the GoodConnectServer.exe.config file located by default in C:\Program Files\Good Technology\Good Connect Server.
Note: You must restart the Good Connect Server after updating the parameters.
• GD_APN_PROXY_TYPE
• GD_APN_PROXY_HTTP_HOST
• GD_APN_PROXY_HTTP_PORT
See section Appendix A for the complete list of parameters, format, and expected values.
Storing User Credentials
Please execute the following from the cmd prompt as a local administrator, replacing "username" and "password" with what is required:
cmdkey /add:GoodConnectWebProxy /user:<username> /pass:<password>
If you don’t want to store the password value and would prefer to be prompted for it, omit the <password> value so the command looks like this:
cmdkey /add:GoodConnectWebProxy /user:<username> /pass:
Again, make sure you are using a user account that has local administrator privileges.
Configuring for Global Catalog
If your organization plans to support Good Connect users from multiple domains within the same forest, follow these instructions so users can be accessed from the Global Catalog.
To configure Good Connect to use the Global Catalog:
1. Click the Attributes folder in the snap-in.
2. In the right panel, scroll down to the desired attribute, right-click it, and then click Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.
5. Confirm publication of the following attributes to the Global Catalog:
• msrtcsip-primaryuseraddress
• mail
• telephoneNumber
• displayname
• title
• mobile
• givenName
• sn
• sAMAccountName
6. Edit the GoodConnectServer.exe.config file in C:\Program Files\Good Technology\Good Connect Server as follows:
<add key="AD_USERS_SOURCE" value="GC"/>
<add key="AD_USERS_SOURCE_DOMAIN" value="<root GC domain; LDAP format>"/>
Note: You must restart the Good Connect Server after updating the parameters.
Repairing/Upgrading the Good Connect Server
Repair and Upgrade options are available in the Good Connect 2.1 installer. These options are present when the install detects a previous installation of the Good Connect server.
Note: Please make a backup copy of the config file prior to repair or upgrade. Custom configuration settings for EWS will not be copied over; you will need to copy them back into the configuration file after repair/upgrade.
Repairing the Good Connect Server
The Good Connect 2.1 installer allows restoration of the Good Connect server installation. This process reverts the Good Connect Server executables, binaries and configuration parameters to the values of the last successful installation. Any changes made manually are discarded during the repair process.
Upgrading from Good Connect 1.2
When upgrading from the 1.2 version of the Good Connect server, the following configuration information is preserved:
• GD hostname
• GD port
• Web Proxy Address
• Web Proxy Port
• Web Proxy Authentication Method
• Web Proxy Domain
The installer does not create a backup of the configuration file (GoodConnectServer.exe.config). However, if the installer finds gaslampdb.db3, a migration script will be executed to move offline/missed messages to the Good Connect database.
Upgrading from Good Connect 2.1
For upgrades from the Good Connect 2.1 version, the installer will create a backup copy of the configuration file. All the values (except passwords, which must be re-entered) will be pre-populated in the installer panels. Good administrators have the option of making changes during the upgrade process.
Configuring Good Control
There are two configuration steps you need to perform in Good Control.
Entering the Server Pool Information and IM Platform Type
In the Good Control Server Info section of Good Connect, enter the Hostname and Port for each Good Connect server, and the Configuration information. This configuration information gets delivered to Good Connect clients and dictates the available servers a client may connect to. All servers listed in the Configuration information should also be listed in the table above the Configuration box.
For each Good Connect server:
• Hostname: <the fully qualified domain name of the Good Connect Server host>
• Port: <the Good Connect Server port>
After listing all the Good Connect servers:
• Configuration:
PLATFORM=LYNC
SERVERS=<a comma separated list of available Good Connect Servers using the format host_fully_qualified_domain_name:port.>
Listing Approved Server Hostnames and Ports
In Good Control’s Client Connections option under Settings, define the allowed domains and servers that the Good Connect client application can connect to within the corporate network. We recommend you whitelist each individual Good Connect Server as shown in the example below.
Controlling Browser and Map Behavior
Good Connect supports the option to control if the local device browser application can be used when tapping on a webpage URL and if the map application can be used when tapping on an address.
The following steps explain how to disable this access by using Good Control’s Policy Sets option:
1. Select the policy set where you wish to disable access.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the App Settings tab.
5. Uncheck or disable either or both options to disable the respective access.
6. Click Update.
Enabling Disclaimer
Good Connect supports the option to display a Corporate Policy disclaimer at the top of every new conversation within the Good Connect client.
To enable this disclaimer using the Policy Sets option:
1. Select the policy set where you wish to add the disclaimer.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Disclaimer tab.
5. Check or enable the Display Disclaimer option.
6. Type or paste your disclaimer text into the textbox.
7. Click Update.
The Good Connect client will display this disclaimer on top of each new conversation window.
Disabling Conversation History
Good Connect supports the option to disable storing conversation history on the Connect client and limit the length of a conversation to 40 messages. The following steps explain how to disable conversation history by using Good Control’s Policy Sets option:
1. Select the policy set where you wish to disable conversation history.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Click on the Conversation History tab.
5. Uncheck or disable the “Save more than 40 messages in a conversation history on the device” option.
6. Click Update.
Configuring Good Connect User Affinity
It is possible for a Good Connect administrator to pin a user to a cluster of Good Connect servers instead of letting the system randomly assign that user to a server from a master list.
ABC Company Example
ABC company has two Lync pools, a West Coast pool which hosts users in the west coast offices and an East Coast pool which hosts users in the east coast offices. ABC company sets up a Good Connect server for each pool, but only sets up one Good Control and Good Proxy cluster as shown below:
When Aaron Beard launches the Good Connect client, Good Control sends the list of servers to his client. In this case, the list of servers includes both the West Coast server and the East Coast server. The client randomly chooses a Good Connect server. Aaron has a chance of getting connected to the East Coast server instead of the West Coast server.
Enabling user affinity allows Aaron to always connect to the West Coast server.
Enabling User Affinity
The following steps explain how to create a user affinity for a given Good Control server.
1. Create/Select the policy set for which you wish to create user affinity.
2. Select the Application Policies tab.
3. Expand the Good Connect application.
4. Check the Server Configuration.
5. Type or paste your connect server host in the textbox.
6. Select Platform (Lync or Sametime).
7. Click Update.
8. Select the User Accounts option and select Manage Users.
9. Select the user for whom you wish to set this policy.
10. Set the West Coast Connect Users policy set for the user.
Configuring MS Exchange Conversation History (Optional)
Good Connect optionally supports saving instant messaging chats to MS Exchange’s “Conversation History”. As a prerequisite to enabling this functionality, the following configuration changes must be implemented:
• Auto-discovery must be enabled on the MS Exchange server.
• Lync/Exchange integration must be enabled.
• MS Exchange SSL certificates must be installed on the Good Connect server in order to establish secure communication.
Note: If the SSL certificate on the Good Connect server is incorrectly installed, the history logging to Exchange will fail.
• On the Good Connect Window Service account, set up the ApplicationImpersonation management role for the security principal. This is accomplished on the Exchange server in the Exchange Management Console using the New-ManagementRoleAssignment cmdlet.
Note: The following command enables application impersonation for all users to the Good Connect service account; however, every user may not be Lync enabled. Permissions can be granted only to a scope of mailboxes, if this is required. See Microsoft documentation for more details on Configuring Exchange Impersonation.
New-ManagementRoleAssignment -Name "ApplicationImpersonation - Good Connect" -Role "ApplicationImpersonation" -User [email protected]
• Good Connect configuration parameters must exist in the configuration file. The 2.2 Good Connect Installer automatically handles adding these parameters during installation.
  • <add key="EWS_HOST" value="cas2010.example.com"/>
    EWS_HOST is the server that hosts Exchange Web Services (normally the Client Access Server). If this setting is null or missing, conversation history is disabled. If it is invalid, errors will occur and conversation history will not be saved. At least one message will be written to the Windows event log.
  • <add key="EWS_HISTORY_INTERVAL_MINUTES" value="1"/>
    Default value is 5. Describes how often history should be saved. A value of 0 means that history will be saved only when the conversation is terminated (chat window is closed).
  • <add key="EWS_VERSION" value="2"/>
    EWS_VERSION – Default value is 2. It is a characteristic of the EWS interface that this setting must be no higher than the version in use, otherwise communications will fail. We require Exchange 2010 SP1, so the recommended setting is 2.
    • 0 for Exchange 2007 SP1
    • 1 for Exchange 2010
    • 2 for Exchange 2010 SP1
    • 3 for Exchange 2010 SP2 or SP3
    • 4 for Exchange 2013
When the MS Exchange server requires credential authentication from a remote server (in this case, the Good Connect server), follow these instructions:
1. Login to the Good Connect server using the Good Connect Window Service account.
2. Open the Windows Vault and select "Manage your network credentials".
3. Create a new credential set under the application name "GoodConnectEWS".
If no credential set is provided, the same credentials used by the service ("default credentials") will be used to authenticate with Exchange.
Enabling SSL Support via Good Proxy
The Good Connect server can be configured to run securely using SSL (https). By default, this is not enabled. This section describes the requirements to set up the Good Connect server for SSL connections from Good Connect clients.
The yellow highlight in the following figure shows the path to the Good Connect server from the Good Connect client.
The Good Connect server requires a signed server SSL certificate from a third-party Certificate Authority (CA). Presently, the Good Dynamics (GD) SDK only supports the use of third-party certificates for GD applications. Good Connect is based on the GD SDK framework and is subject to this requirement.
If you are using an enterprise CA, or are familiar with how to create a no-template legacy key Certificate Signing Request (CSR), please review this section for the required properties and recommended optional settings for creating the CSR.
The processes covered in this section provide detailed steps to accomplish the following high-level tasks:
1. Creating the CSR.
2. Binding the SSL certificate.
3. Configuring the Good Connect server to use the new certificate.
4. Configuring the Good Connect client to start sending requests over SSL.
Creating the CSR
Start by creating the CSR through the Microsoft management console (MMC) Certificates snap-in for the local computer hosting the Good Connect server. The following steps explain what is required to create the CSR.
1. Launch the Microsoft Management Console.
2. Select File > Add/Remove Snap-in > Select Certificate.
3. Select Computer Account, Next, Local Computer, Finish.
4. Select Certificates > Personal > Certificates. Note that the final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal.
5. Select More Actions.
6. From More Actions, click on the following: All Tasks > Advanced Operations > Create Custom Request.
7. Select the Legacy key template, using the PKCS #10 request format.
8. If you are prompted to use your Active Directory Enrollment Policy, click on Proceed without enrollment policy.
9. On the Certificate Information screen, click on the request’s Details and then click on Properties.
10. On the General tab, enter a value for the Friendly name, such as the hostname.
11. On the Subject tab, select the type Common name and enter the fully qualified domain name of your Good Connect server. In this example, the server1 is a member of the servers domain, which is a subdomain of domain.tld.
12. Select and enter the remaining subject types and values as illustrated here.
13. On the Extensions tab, expand the Key usage section and add Data encipherment.
14. On the same tab, expand the next section titled Extended Key Usage (application policies) and add Server Authentication.
15. On the Private Key tab, expand the section titled Key type and select Exchange.
16. On the same tab, expand the section titled Key options.
a. Change the Key size to 2048.
b. Enable Make private key exportable.
c. Enable Allow private key to be archived.
17. Click on the OK button to proceed with generating the CSR, then click on Next and continue through to the end where you specify the .req (text file) to be created.
18. Edit the CSR request, copy the text and paste it in the VeriSign Validate a CSR validator to confirm there are no errors: https://ssl-tools.verisign.com/checker/
Send the New CSR to a Well-Known Third-Party CA
You need to send the new CSR to a well-known third-party CA and purchase a certificate for your server. The third-party CA may also send you a file that contains the full certificate chain, including possible intermediate certificates. Please install all relevant certificate files that you receive on the server that generated the CSR.
Binding the SSL Certificate
You must import the third-party CA signed certificate and any other required intermediate certificates prior to following the instructions in this section.
This section details the steps needed to bind the third-party CA signed SSL certificate to the SSL port you wish to use on your Good Connect server. This port binding exercise must be completed prior to executing the steps in the following sections.
Step 1: Copy the certificate’s thumbprint
1. Double-click on the certificate in the Certificate snap-in then click on Details to switch to that tab.
2. Change the Show value to Properties Only to filter out other details.
3. Click on Thumbprint to display the thumbprint value.
4. Copy the thumbprint value from the lower text box in this dialog window.
5. Paste the thumbprint into a text editor.
6. Use search and replace to find all spaces and delete them, so “ 08 82 41 2f…” becomes “0882412f…”
7. Copy this modified version of the thumbprint value into the clipboard for the next step.
Step 2: Open the cmd prompt as an administrator and type the following as one line:
netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}
1. Replace “<thumbprint>” with the thumbprint copied from step 1.
2. Replace “<port>” with the port number you wish to use, such as 8082.
3. Copy and paste the remainder of the parameters listed here:
netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}
Step 3: Confirm the certificate binding by executing the following command:
netsh http show sslcert
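Steps 1 to 3 above as a scripted check, added here as an example (it is not Good Technology's code): it cleans a thumbprint pasted from the certificate dialog, including the invisible Unicode mark that the dialog text can carry, builds the add command, and confirms the binding from `netsh http show sslcert` output. The thumbprint and the netsh output below are constructed samples, and the function names are hypothetical.

```python
import re
import unicodedata

# appid exactly as given in the guide's netsh command
GOOD_CONNECT_APPID = "{AD67330E-7F41-4722-83E2-F6DF9687BC71}"

# Constructed sample: dialog text with a leading U+200E and spaces between bytes.
SAMPLE_DIALOG_TEXT = "\u200e00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67"

# Constructed sample of "netsh http show sslcert" output (two bindings).
SAMPLE_SHOW_OUTPUT = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : ffffffffffffffffffffffffffffffffffffffff
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:8082
    Certificate Hash             : 00112233445566778899aabbccddeeff01234567
    Application ID               : {ad67330e-7f41-4722-83e2-f6df9687bc71}
    Certificate Store Name       : (null)
"""


def normalize_thumbprint(raw):
    """Drop whitespace and invisible format characters, then require 40 hex digits."""
    kept = [c for c in raw if not c.isspace() and unicodedata.category(c) != "Cf"]
    value = "".join(kept).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", value):
        raise ValueError("thumbprint is not 40 hex digits after cleanup: %r" % value)
    return value


def build_add_command(port, raw_thumbprint):
    """Return the one-line netsh command from Step 2 with both placeholders filled in."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "netsh http add sslcert ipport=0.0.0.0:%d certhash=%s appid=%s" % (
        int(port), normalize_thumbprint(raw_thumbprint), GOOD_CONNECT_APPID)


def parse_bindings(show_output):
    """Split the show output into one dict per binding, keyed by field label."""
    bindings, current = [], None
    for line in show_output.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # heading, rule, blank line or empty value
        key, value = parts
        if key.lower().endswith(":port"):  # "IP:port" starts a new binding
            current = {"endpoint": value}
            bindings.append(current)
        elif current is not None:
            current[key] = value
    return bindings


def check_binding(show_output, port, raw_thumbprint):
    """Return 'ok', 'missing', 'wrong-cert' or 'wrong-appid' for 0.0.0.0:<port>."""
    want_hash = normalize_thumbprint(raw_thumbprint)
    for binding in parse_bindings(show_output):
        if binding["endpoint"] != "0.0.0.0:%d" % int(port):
            continue
        if binding.get("Certificate Hash", "").lower() != want_hash:
            return "wrong-cert"
        if binding.get("Application ID", "").lower() != GOOD_CONNECT_APPID.lower():
            return "wrong-appid"
        return "ok"
    return "missing"


if __name__ == "__main__":
    print(build_add_command(8082, SAMPLE_DIALOG_TEXT))
    print(check_binding(SAMPLE_SHOW_OUTPUT, 8082, SAMPLE_DIALOG_TEXT))
```

A "wrong-cert" result after a certificate renewal means the port is still bound to the old thumbprint.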
Configuring Good Connect Server to Use the New Certificate
The steps detailed in this section require you to make configuration changes to the Good Connect server. Please make a backup copy of your Good Connect server configuration file before making any changes. For documentation purposes, we will assume that you have installed the Good Connect server in the default location. Please alter the drive:\path\ information to match your actual implementation.
1. Navigate to the C:\Program Files\Good Technology\Good Connect Server\ directory.
2. Edit the GoodConnectServer.exe.config file to make the following changes.
The sections included below contain portions of the configuration file, showing the relative scope where the highlighted text should be inserted.
All other sections in the configuration document not listed below do not change.
<service behaviorConfiguration="WCFGaslampServiceLibrary.Service1Behavior" name="WCFGaslampServiceLibrary.Gaslamp">
  <endpoint address="GaslampService" behaviorConfiguration="jsonBehavior" binding="customBinding" bindingConfiguration="JsonSSLMapper" contract="Gaslamp.Interfaces.IGaslamp"/>
  <host>
    <baseAddresses>
      <!-- Replace "<port>" with the port number you used in section 1 (e.g., 8082). -->
      <add baseAddress="https://yourserver.domain1.domain2.tld:<port>/"/>
    </baseAddresses>
  </host>
</service>
<customBinding>
  <binding name="JsonSSLMapper">
    <webMessageEncoding webContentTypeMapperType="GaslampWindowsService.GaslampContentTypeMapper,GoodConnectServer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <sslStreamSecurity requireClientCertificate="false"/>
    <httpTransport manualAddressing="true" authenticationScheme="Anonymous" requireClientCertificate="false"/>
  </binding>
</customBinding>
<serviceBehaviors>
  <behavior name="WCFGaslampServiceLibrary.Service1Behavior">
    <serviceMetadata httpsGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior>
</serviceBehaviors>
3. Restart the Good Connect server service for these changes to take effect.
Configuring Good Connect Clients to Send Requests Over SSL
This section describes what you need to change to enable client SSL connections. The changes required here are administered entirely within the Good Control application configuration:
1. If previously installed without SSL, you will need to change the servers you have listed on the Manage Application page, in the Servers tab (illustrated below), or, if you are using User Affinity, in the Application Policies tab of the Policy Set (also illustrated below) you have defined.
a. You will need to add each server’s fully qualified domain name with the new SSL port.
b. If you had previously installed Good Connect server with non-SSL ports, you will need to remove those entries from this table.
2. The format and port information for the servers you have listed after SERVERS= will need to have https:// added, in addition to using the new SSL port. For example, if you have a cluster of two servers, both using port 8082 for SSL, you would update SERVERS as follows:
SERVERS=https://server1.domain.tld:8082,https://server2.domain.tld:8082
Changing servers in the Manage Application page, in the Servers tab.
Changing servers in Application Policy in the Policy Sets, for User Affinity implementation.
Good Connect Cluster Configuration Maintenance
Always ensure that the Good Connect servers listed in the Good Control application configuration for Good Connect identify the installed Good Connect servers in that cluster.
If you add a server to the Good Connect cluster, please coordinate the timing of the server’s installation with updating the Good Control application configuration for Good Connect, so that the additional server is included after it has been installed and is up and running.
If you temporarily remove a server from the cluster for maintenance, it is not necessary to change the Good Control application configuration for Connect. The Good Connect client will detect that the server is offline and will automatically connect to another Good Connect server in the cluster.
If you permanently remove a server from the cluster, first shut down the Good Connect server, then remove it from the Good Control application configuration.
Troubleshooting
The best place to diagnose issues is the log file in the Good Connect Server folder:
C:\Program Files\Good Technology\Good Connect Server\Application-log.txt
Error: Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known.
Cause: The hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server.
Resolution: Correct OCS_SERVER value in the configuration file.

Error: DeregisterReason=None ResponseCode=480 ResponseText=Temporarily Unavailable Microsoft.Rtc.Signaling.RegisterException: The endpoint was unable to register. See the ErrorCode for specific reason.
Cause: The port number specified in OCS_PORT_TLS is not valid.
Resolution: Correct OCS_PORT_TLS value in the configuration file.

Error: ErrorCode=-2146233088 FailureReason=RemoteDisconnected LocalEndpoint=10.120.165.137:5060 RemoteEndpoint=10.120.167.109:55118 RemoteCertificate=<null> Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) --> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Remote disconnected while outgoing tls negotiation was in progress --> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.
Cause: OCS_TRANSPORT was specified as TLS, however the port number provided was TCP.
Resolution: Change the OCS_PORT_TLS to 5061.

Error: Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any address and port supplied.
Cause: UCMA_APPLICATION_PORT number specified in the configuration file is either blocked by a firewall or used by another application.
Resolution: Unblock port if it is a firewall issue or choose another port number.

Error: Failed to start GoodConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found.
Cause: The certificate's subjectName must contain the local host's FQDN and the private key for the cert must be enabled for the user which executes the Good Connect Server.
Resolution: Enable private keys for this cert for the user running the Good Connect Server.
Appendix A – Good Connect Server Configuration File
After installation, you can update the Good Connect configuration file at
<install path>\Good Technology\Good Connect Server\GoodConnectServer.exe.config
Note: You must restart the Good Connect Server after updating the parameters.
| Parameter Name | Required | Description | Default |
|---|---|---|---|
| UCMA_APPLICATION_NAME | Yes | Name of application as defined through the installation provisioning process. | Generated during application provisioning |
| UCMA_GRUU | Yes | GRUU - Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application. | Generated during application provisioning |
| UCMA_APPLICATION_PORT | Yes | The fixed port used by the Good Connect Server to receive messages from the enterprise IM server. | 49555 |
| OCS_SERVER | Yes | FQDN (Full Qualified Domain Name) of the Microsoft Lync Front-End server or Front-End server pool. | |
| GD_HOST | Yes | Good Dynamics Proxy host. | |
| GD_PORT | Yes | Good Dynamics Proxy port. | 17080 |
| BASE_ADDRESS | Yes | URL for the Good Connect Server which takes the form of http://goodconnect.mycompany.com:8080/ | |
| BUILD_VERSION | Yes | The version number of the Good Connect Server build. | Auto-populated |
| SESSION_TIMEOUT_SECS | Yes | The number of seconds a client is allowed to remain idle. | 86,400 (24 hours) |
| ACTIVE_DIRECTORY_CACHE_REFRESH_SECS | Yes | The number of seconds the Good Connect Server waits before synchronizing with the Active Directory. Any value smaller than 7200 is ignored in favor of 7200 seconds. | 86,400 (24 hours) |
| GD_USE_SSL | Yes | Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecure port (17080). | False |
| APN_SOUND | Yes | Play sound when an Apple device receives a push notification. | |
| APN_BADGE | Yes | Determines whether or not to use the badge graphic for Apple push notifications. | True |
| APN_ALERT | Yes | Apple push notification message string that notifies a user that there are unread messages. | “You have number unread messages.” |
| APN_SLEEP_TIME | Yes | The number of milliseconds the Good Connect Server waits in between queued Apple push notifications. | 100 |
| ACTIVE_DIRECTORY_SEARCH_RESULT_MAX | Yes | The upper limit on the number of hits from a search of the Global Address List (GAL). | 150 |
| GD_APN_PROXY_TYPE | No | Web Proxy Authentication Mechanisms. Acceptable values are: “” (empty string for no proxy), “Basic No Auth”, “Basic”, “Digest” | “” |
| GD_APN_HTTP_URL | Yes | WebService URL for Good Dynamics Apple Push Notification Service (APNS) | |
| GD_APN_PROXY_AUTH_DOMAIN | No | Web Proxy Domain. Deprecated. | |
| GD_APN_PROXY_AUTH_USERNAME | No | Web Proxy Username. Deprecated. | |
| GD_APN_PROXY_AUTH_PASSWORD | No | Web Proxy Password. Deprecated. | |
| GD_APN_PROXY_HTTP_HOST | No | Web Proxy Host | |
| GD_APN_PROXY_HTTP_PORT | No | Web Proxy Port | |
| GD_APNS_BLACKLIST_RETRY_NO | Yes | Specifies # of retries after the server receives APNS response where the token has been blacklisted. | 3 |
| DB_TYPE | Yes | SQLSERVER or ORACLE depending on what database is used. | |
| DB_AUTHTYPE | Yes | USE_INTEGRATEDAUTH when specifying Windows integrated authentication, otherwise SQL Server authentication will be used. | |
| DB_HOST | No | Only valid if DB_TYPE=ORACLE | |
| DB_PORT | No | Only valid if DB_TYPE=ORACLE | |
| DB_SERVICE | No | Only valid if DB_TYPE=ORACLE, Oracle database instance name. | |
| GASLAMP_USERNAME | Yes | Window Service account. | |
| DB_INIT_CATALOG | No | SQL Server database name. Only valid if DB_TYPE=SQLSERVER | GoodConnect. Set by installer, do not change. |
| LYNC_DB_CONNECTIONSTRING | No | SQL Server connection string for the Lync/OCS database. | |
| DB_SESSION_TIMEOUT_SECS | Yes | Time limit for search Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING. | 300 |
| EWS_HOST | No | FQDN of the Exchange server to which the Good Connect Server will write conversation history | |
| EWS_HISTORY_INTERVAL_MINUTES | No | Defines the interval in minutes that the Good Connect server will wait before writing to Conversation history. 0 means that conversation history is written only after the conversation has been terminated. | 5 |
| EWS_VERSION | No | Version of Exchange server: 0 for Exchange 2007 SP1; 1 for Exchange 2010; 2 for Exchange 2010 SP1; 3 for Exchange 2010 SP2 or SP3; 4 for Exchange 2013 | 2 |
| DB_RECONNECT_WAITTIME_SEC | Yes | # of seconds to wait before attempting to reconnect to the database. | 300 |
| DB_RECONNECT_TRY_NUM | Yes | # of times the Connect server retries reconnecting to the database after a failure to connect to the database. | 3 |
| AD_USERS_SOURCE | No | Parameter indicates if Good Connect server should read AD or GC for SIP-enabled users. Value can be “GC” or “LDAP”. Default is LDAP if empty. | |
| AD_USERS_SOURCE_DOMAIN | Yes, if users source is GC | Domain for the AD or GC to query. This value should be in LDAP format, i.e. DC=GOOD,DC=COM | |
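The cross-parameter rules stated in this appendix and in the web proxy, Global Catalog and Exchange sections can be checked before the service is restarted. The linter below is an added example, not part of the Good Connect product; it assumes the keys sit under `<appSettings>`, treats host and port as required whenever a proxy type is set (the guide sets the three together), and runs on a constructed sample config. The function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Acceptable values as listed in Appendix A of the guide.
PROXY_TYPES = {"", "Basic No Auth", "Basic", "Digest"}
DEPRECATED = ("GD_APN_PROXY_AUTH_DOMAIN", "GD_APN_PROXY_AUTH_USERNAME",
              "GD_APN_PROXY_AUTH_PASSWORD")
LDAP_DOMAIN = re.compile(r"DC=[^,=]+(,\s*DC=[^,=]+)*", re.IGNORECASE)

# Constructed sample, not a real deployment. Assumption: keys live under <appSettings>.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="AD_USERS_SOURCE" value="GC"/>
    <add key="AD_USERS_SOURCE_DOMAIN" value="good.com"/>
    <add key="GD_APN_PROXY_TYPE" value="Basic"/>
    <add key="GD_APN_PROXY_HTTP_HOST" value="proxy.example.com"/>
    <add key="GD_APN_PROXY_HTTP_PORT" value=""/>
    <add key="GD_APN_PROXY_AUTH_PASSWORD" value="constructed-secret"/>
    <add key="EWS_HOST" value="cas2010.example.com"/>
    <add key="EWS_VERSION" value="5"/>
    <add key="ACTIVE_DIRECTORY_CACHE_REFRESH_SECS" value="600"/>
    <add key="GD_USE_SSL" value="False"/>
  </appSettings>
</configuration>"""


def load_app_settings(config_xml):
    """Return {key: value} for every <add key=... value=...> under <appSettings>."""
    root = ET.fromstring(config_xml)
    return {e.get("key"): (e.get("value") or "")
            for e in root.findall("./appSettings/add") if e.get("key")}


def _int(settings, key, default):
    """Integer value of a setting; `default` when empty, None when not a number."""
    raw = settings.get(key, "").strip()
    if not raw:
        return default
    try:
        return int(raw)
    except ValueError:
        return None


def lint(settings):
    """Return a list of (level, key, message) findings, in the order checked."""
    findings = []

    source = settings.get("AD_USERS_SOURCE", "").strip()
    if source not in ("", "GC", "LDAP"):
        findings.append(("error", "AD_USERS_SOURCE", 'must be "GC" or "LDAP"'))
    elif source == "GC":
        domain = settings.get("AD_USERS_SOURCE_DOMAIN", "").strip()
        if not LDAP_DOMAIN.fullmatch(domain):
            findings.append(("error", "AD_USERS_SOURCE_DOMAIN",
                             "required in LDAP format (DC=...,DC=...) when source is GC"))

    proxy_type = settings.get("GD_APN_PROXY_TYPE", "")
    if proxy_type not in PROXY_TYPES:
        findings.append(("error", "GD_APN_PROXY_TYPE", "not an acceptable value"))
    elif proxy_type:
        if not settings.get("GD_APN_PROXY_HTTP_HOST", "").strip():
            findings.append(("error", "GD_APN_PROXY_HTTP_HOST", "proxy type set, host empty"))
        port = _int(settings, "GD_APN_PROXY_HTTP_PORT", None)
        if port is None or not 1 <= port <= 65535:
            findings.append(("error", "GD_APN_PROXY_HTTP_PORT", "proxy type set, port invalid"))
    for key in DEPRECATED:
        if settings.get(key, "").strip():
            findings.append(("warning", key, "deprecated; proxy credentials belong in "
                             "Credential Manager under GoodConnectWebProxy"))

    if settings.get("EWS_HOST", "").strip():
        version = _int(settings, "EWS_VERSION", 2)
        if version is None or not 0 <= version <= 4:
            findings.append(("error", "EWS_VERSION", "must be an integer from 0 to 4"))
        interval = _int(settings, "EWS_HISTORY_INTERVAL_MINUTES", 5)
        if interval is None or interval < 0:
            findings.append(("error", "EWS_HISTORY_INTERVAL_MINUTES", "must be 0 or more"))
    else:
        findings.append(("info", "EWS_HOST", "empty or missing: conversation history disabled"))

    refresh = _int(settings, "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS", 86400)
    if refresh is not None and refresh < 7200:
        findings.append(("warning", "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS",
                         "values below 7200 are ignored in favor of 7200"))
    if settings.get("GD_USE_SSL", "False").strip().lower() != "true":
        findings.append(("warning", "GD_USE_SSL",
                         "Good Dynamics connection uses unsecure port 17080, not 17433"))
    return findings


if __name__ == "__main__":
    for level, key, message in lint(load_app_settings(SAMPLE_CONFIG)):
        print("%-7s %-36s %s" % (level, key, message))
```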
Appendix B – Troubleshooting SSL Certificate Exceptions
If the SSL certificate requirements defined in SSL Certificate Requirements have been met and you are still getting the following error:
Description: The process was terminated due to an unhandled exception. Exception Info: Microsoft.Rtc.Internal.Sip.TLSException
Then, it is possible that the SSL certificate has not been created with the correct CSP and key spec. Follow the steps below to check CSP and key spec on the SSL certificate.
1. Open cmd/powershell on Good Connect server.
2. Execute command:
certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt
3. Open c:\temp\ssl.txt with your favorite editor and search for “CERT_KEY_PROV_INFO_PROP_ID”. You should see:
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20
KeySpec = 1 -- AT_KEYEXCHANGE
Provider, provider type and keyspec must be exactly the values listed above. If not, you will need to reissue a new SSL certificate with appropriate provider and key spec values.
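The comparison in step 3 can be done by a script instead of by eye. This is an added example, not part of the Good Connect tooling: it reads the redirected certutil output, including the UTF-16 file that Windows PowerShell's `>` writes, and lists every field that differs from the three required values. Both sample outputs and the function names are constructed for illustration.

```python
import codecs
import re

# The three values the guide says must match exactly.
REQUIRED = {
    "Provider": "Microsoft RSA SChannel Cryptographic Provider",
    "ProviderType": "c",
    "KeySpec": "1",
}
MARKER = "CERT_KEY_PROV_INFO_PROP_ID"

# Constructed samples in the layout shown in step 3.
GOOD_SAMPLE = """  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = constructed-container-name
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
    Flags = 20
    KeySpec = 1 -- AT_KEYEXCHANGE

  CERT_SHA1_HASH_PROP_ID(3):
    00 11 22 33
"""
BAD_SAMPLE = """  CERT_KEY_PROV_INFO_PROP_ID(2):\r
    Key Container = constructed-container-name\r
    Provider = Microsoft Enhanced Cryptographic Provider v1.0\r
    ProviderType = 1\r
    Flags = 20\r
    KeySpec = 2 -- AT_SIGNATURE\r
"""


def decode_redirected(data):
    """Decode ssl.txt: UTF-16 with BOM from Windows PowerShell, single-byte from cmd."""
    for bom in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        if data.startswith(bom):
            return data.decode("utf-16")
    return data.decode("latin-1")  # only the ASCII fields matter here


def key_prov_blocks(text):
    """Return one {field: value} dict per CERT_KEY_PROV_INFO_PROP_ID block."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(MARKER):
            current = {}
            blocks.append(current)
        elif current is not None:
            match = re.match(r"([^=]+?)\s*=\s*(.*)$", stripped)
            if match:
                current[match.group(1)] = match.group(2)
            else:
                current = None  # blank line or next property ends the block
    return blocks


def mismatches(block):
    """List the required fields whose value differs from the guide's value."""
    found = dict(block)
    if "KeySpec" in found:
        parts = found["KeySpec"].split()  # "1 -- AT_KEYEXCHANGE" -> "1"
        found["KeySpec"] = parts[0] if parts else ""
    problems = []
    for field, want in REQUIRED.items():
        got = found.get(field)
        if got != want:
            problems.append("%s: found %r, required %r" % (field, got, want))
    return problems


def audit(data):
    """Return a list of mismatch lists, one per certificate found in the output."""
    return [mismatches(block) for block in key_prov_blocks(decode_redirected(data))]


if __name__ == "__main__":
    for label, raw in (("cmd redirect", GOOD_SAMPLE.encode("ascii")),
                       ("PowerShell redirect", BAD_SAMPLE.encode("utf-16"))):
        print(label, audit(raw))
```

An empty list from `audit` means no certificate with key provider information was found in the output, which is different from a certificate that passed.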
Glossary
A
Access KeyPart of the activation key that is different for every GD application activation. Access keys consistof 15 letters and numbers. Access keys are generated by the enterprise GC server.
Activation KeyAll the credentials necessary for activation of a GD application for an end user. The necessary cre-dentials are a provisioning ID and an access key.
ADActive Directory
ADSIActive Directory Services Interface
ADT PluginAndroid Development Tools Plugin
AffinitiesThe feature that enables enterprises to allocate their GP servers between their GC servers and theirapplication servers. Allocation can be an absolute division, or based on a priority order, or both.
Application PoliciesThe feature that enables GD application developers to add policies that are specific to their applic-ation to a GC server. Application policies are defined by developers, using an XML file format.
Application-Based ServiceA GD shared service that is provided by GD applications. An application-based service uses GoodDynamics AppKinetics for communication.
Authentication DelegationThe feature for transferring authentication of the end user from one application to another. Anapplication for which authentication is delegated does not display its unlock screen, and does nothave its own security password. Authentication delegation can be used between two GD applic-ations, and between GD applications and the GFE mobile client. Authentication delegation is con-trolled by the enterprise administrator through the management console of the respective softwareproduct, either GC or GFE Good Mobile Control.
Glossary
Good Connect™ 48
C
CIFSCommon Internet File System - the standard way that computer users share files across corporateintranets and the Internet. An enhanced version of the Microsoft open, cross-platform Server Mes-sage Block (SMB) protocol, CIFS is a native file-sharing protocol in Windows.
CLICommand Line Interface
COTSCommercial Off the Shelf HTTP Proxy
D
DCDirect Connect
DMZDemilitarized Zone
DMZ proxy for Direct ConnectHTTP proxy in the enterprise perimeter network that relays DC connections.
F
FQDNfully qualified domain name
G
GCGood Control server. The GD server component which hosts the web-enabled Good Control man-agement console, or GC console, for managing permissions and settings for Good Dynamicsapplications. GC resides on a machine belonging to your organization.
GDGood Dynamics. Good product that gives companies a set of development tools to create theirown secure apps built on the technology used to create GFE.
Glossary
Good Connect™ 49
GD Application ID: The unique identifier used throughout GD to identify the application for the purposes of entitlement, publishing and service provider registration.
GD Authentication Token mechanism: A token-based single sign-on feature that enables an end user to be authenticated by an application server without the need for entry of any further credentials.
GD Direct Connect: The feature for relaying GD communication through a proxy in the enterprise perimeter network (also known as DMZ or demilitarised zone) instead of through the GD NOC. This feature also enables GP servers to be deployed in the enterprise perimeter network, instead of behind the firewall.
GD Enterprise Servers: Two GD components installed behind the enterprise firewall: Good Control (GC) and Good Proxy (GP).
GD NOC: Good Dynamics Network Operations Centre - provides a secure communications infrastructure between the GD Runtime on the mobile device and the GD enterprise servers behind the firewall.
GD Runtime: The component that is embedded in a mobile application to enable its connection to the GD platform and container. Every GD application includes an instance of the Good Dynamics Runtime. Alternative form: Good Dynamics Runtime
GD SDK: Good Dynamics Software Development Kit. The products that enable developers to build GD applications from source code in the native programming languages of the mobile platform. Native source code includes, for example, Objective-C on iOS, and Java on Android. Other forms: Good Dynamics SDK, Good Dynamics Software Development Kit
GD Shared Services: Framework for collaboration that includes Application-Based Services and Server-Based Services. Both types of service use a consumer-provider model. The consumer is always a GD application. The provider of an application-based service will also be a GD application. The provider of a server-based service will be an application server. Alternative forms: GD Shared Services, Good Dynamics Shared Services Framework, GD Shared Services Framework, Shared Services Framework
GD Wrapped Application: An application in which the GD Runtime has been embedded by using the GD Wrapping process. Other form: Good Dynamics Wrapped Application
GD Wrapping: The product for embedding the GD Runtime in a mobile application executable without requiring access to application source code. Other form: Good Dynamics Wrapping
GDN: Good Developer Networking. A web portal to support app development.
• Download the Good Dynamics SDK
• Download the Good Dynamics Servers
• Access technical support, the Good Community, and other resources
• Get notifications for technical updates
• Get access to Good Dynamics enabled applications
• Connect with developers and Good ISV partners
GEMS: Good Enterprise Mobility Server
GFE: Good for Enterprise
GNP: Good Notification Push. Protocol that allows notification messages to be pushed from an application server to a GD app.
Good Dynamics AppKinetics™: Mechanism for secure exchange of application data between two mobile applications on the same mobile device. AppKinetics data exchange uses a consumer-provider model. One application in the exchange provides a service that is consumed by the other.
GP: Good Proxy. The GD server component which provides a secure bridge between the GC server and your enterprise application servers, if any exist, and delivers messages to and from GD applications. GP resides on a machine belonging to your organization.
GRP: Good Relay Protocol. Protocol for end-to-end secure communications between the GD app and the GP server.
GUID: Globally Unique Identifier - a unique reference number used as an identifier, typically referring to various implementations of the universally unique identifier (UUID) standard. See UUID.
GW: Good Wrapping. The GD server component which can be used to wrap non-GD iOS applications with GD technology, allowing you to secure your applications without the need for additional programming or access to source code. GW resides on a machine belonging to your organization.
H
HTML/CSS/JS: Hypertext Markup Language, Cascading Style Sheet, and JavaScript, which are the languages used to code applications in the Adobe PhoneGap MEAP.
I
IDE: Integrated Development Environment
IOPS: Input/Output Operations Per Second (pronounced eye-ops) is a common performance measurement used to benchmark computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN). As with any benchmark, IOPS numbers published by storage device manufacturers do not guarantee real-world application performance.
ISV: Independent Software Vendor - a third-party software developer or reseller who has executed a partnership agreement with Good.
J
JKS: Java keystore
JSON: JavaScript Object Notation, the format used for AppKinetics service definitions files. JSON is a standard.
K
KCD: Kerberos Constrained Delegation. A single sign-on feature that enables an end user to be authenticated by an application server that uses Kerberos, without the need for entry of further credentials.
KDC: Key Distribution Center. A logical component of the Kerberos infrastructure.
L
LDAP: Lightweight Directory Access Protocol - a directory service protocol that runs on a layer above the TCP/IP stack.
LUN: In computer storage, a logical unit number, or LUN, is a number used to identify a logical unit, which is a device addressed by the SCSI protocol or Storage Area Network protocols which encapsulate SCSI, such as Fibre Channel or iSCSI.
LUSE: Logical Unit Size Expansion
M
MAM: Mobile Application Management
MMC: Microsoft Management Console
O
OWA: Outlook Web Access
P
Provisioning ID: Part of the activation key that is the same for all GD applications activated by the same end user at the same enterprise. The provisioning ID is typically the end user’s enterprise email address.
R
Relay Server: Server in the NOC that provides communications between the GD app and GP servers.
Repository: In GEMS-Docs, a repository is a shared data source designated by a Display Name, a Storage Type (File Share or SharePoint), and a Path. Each repository is defined with user access permissions. Repositories can be further organized into Lists. When a repository is a member of a list, it can inherit the user access permissions defined for the whole list.
RTT: Round trip time
S
SDK: Software Development Kit. Typically a set of software development tools that allows for the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar platform.
Server Clustering: A feature within GD that enables enterprises to deploy groups of servers as single nodes in their GD infrastructure. The following servers can be deployed in clusters using this feature: GP, GC, application servers.
Server-Based Service: A GD shared service that is provided by application servers. A server-based service could use any communication technology, including HTTP or TCP sockets.
Service Discovery: Feature that enables a prospective consumer of a shared service to query for available providers of the service. The result of a service discovery query will be a list of GD applications, for an application-based service, or a list of servers, for a server-based service. Alternative forms: AppKinetics Service Discovery
Service provider registration: Activity of adding a GD application or application server to the list of providers of a particular service. The list of service providers is hosted in the GD NOC.
Share: In GEMS-Docs, a share is synonymous with a repository and can be one of two storage types: File Share or SharePoint. See Repository.
SPN: Service Principal Name
SSL: Secure Sockets Layer
T
TLS: Transport Layer Security
U
UI: User Interface
UPN - User Principal Name: In Active Directory, this is the name of the system user in email address format.
UUID: Universally Unique Identifier - an identifier standard used in software construction. A UUID is simply a 128-bit value. The meaning of each bit is defined by any of several variants. For human-readable display, many systems use a canonical format using hexadecimal text with inserted hyphen characters. For example: de305d54-75b4-431b-adb2-eb6b9e546014. The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination.
UX: User Experience