
Upload: adrian-calin-rigo

Post on 04-Oct-2014


Installing Afaria® 6.6 FP1

Afaria helps you manage all the pieces of your mobile infrastructure, including desktop and laptop computers, and your mobile devices. From a central location, you can keep devices secure, deploy applications, check inventory and provide automatic updates to your frontline workers.

This guide provides overviews and step-by-step information about how to install, configure, and begin using the Afaria Server, Afaria Administrator and related applications.


Installing Afaria 6.6 FP1

Document version 6.60.01

Copyright © 2010 Sybase, Inc. All rights reserved.

This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or technical notes. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be used or copied only in accordance with the terms of that agreement. To order additional documents, U.S. and Canadian customers should call Customer Fulfillment at (800) 685-8225, fax (617) 229-9845. Customers in other countries with a U.S. license agreement may contact Customer Fulfillment via the above fax number. All other international customers should contact their Sybase subsidiary or local distributor. Upgrades are provided only at regularly scheduled software release dates. No part of this publication may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior written permission of Sybase, Inc. Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and the marks listed are trademarks of Sybase, Inc. A ® indicates registration in the United States of America.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Unicode and the Unicode Logo are registered trademarks of Unicode, Inc.

All other company and product names used herein may be trademarks or registered trademarks of the respective companies with which they are associated.

Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS 52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies.

Sybase, Inc., One Sybase Drive, Dublin, CA 94568


Contents

Afaria Installation and Maintenance
Revisions for Document Update Version 6.60.01
Afaria Support Services
Sybase Social Media Channels
Afaria Architecture
Afaria Server
Afaria Administrator
System Requirements and Release Notes
Installing Afaria
Installing a Simplified Environment
Installing a Standard Environment
Reinstallation
Upgrade
Preparing to Install Afaria
Creating User Accounts for Installing and Operating Afaria
The Afaria Database
Preparing for Upgrading the Platform
Preparing for Discontinued Server/Client Operations
Preparing for Continued iOS Device Management
Preparing for Continued Exchange Access Control Operations
Preparing for Continued SSL Communications
Preparing for Continued OMA DM Operations
Preparation for Upgrading to the Multitenancy Environment
Preparing for Upgrading Clients
Data Security Manager Clients that use Encryption
Clients in the Multitenancy Environment
Starting the Afaria 6.6 Setup Program
Locating Product Documentation
Entering or Updating Your License Key
Installing an Express Install
Installing Afaria Server 6.6
Starting the Server Setup Program
Selecting Server Options
Selecting Authentication Type
Completing the Installation
Installing Afaria Administrator
Verifying Afaria Administrator IIS Settings
Changing the IIS Connection Timeout Value
Starting Operations
Logging in as the Default User
Adding a Server to the Server List
Users and Roles in Afaria
Logging in as an Added User
Starting/Stopping/Restarting the Afaria Server
Accessing Afaria Administrator from a Remote Location
Server Configuration
Additional Installation and Resource Items
Setting Up the OTA Deployment Center
Getting Prerequisite Components
Installing Apache HTTP Server
Installing PHP Scripting Engine
Installing PHPConcepts PclZip
Installing the Deployment Center for an IIS Web Server
Installing the Deployment Center for an Apache Web Server
Deployment Center File Types
Deployment Center File Locations
Setting Up Access Control for Microsoft Exchange
Afaria Access Control for Microsoft Exchange Architecture
Installing the Afaria ISAPI Filter
Setting Up the SMS Gateway
SMS Gateway Third-Party Dependencies
Setting Up iOS Features
Installing the iOS Provisioning Server (Basic)
Configuring the Certificate Authority
Optional iOS Implementation Features
Adding Payload Signing to the Basic iOS Implementation
Reinstalling Afaria iOS Provisioning Server for Signing
Installing the Afaria SCEP Plug-In Module on the CA
Configuring Secure iOS Connections
Configuring the Relay Server for iOS Connections
Setting Up OMA DM Features
Setting Up the Relay Server
Registering the IIS User Account with ASP.NET
Copying Relay Server Files
Creating IIS Application Pools
Updating the Relay Server’s IIS Configuration
Editing the Relay Server Configuration
Starting and Restarting the Relay Server
Documentation Resources for Updating Afaria Configuration
Planning for Adding a Relay Server to Your Afaria Environment
Configuring Upgraded Clients with Relay Server Data
Relay Server Bypass
Installing Afaria 6.6 Feature Pack 1
Installing the Portal Package Server
Upgrading Android Clients from 6.6 to 6.6 FP1
Create Client Installation Wizard
Updating Passwords and Accounts on the Afaria Server
Removing Afaria Components


Afaria Installation and Maintenance

Afaria installation and maintenance requires that you have proficient knowledge of the Windows operating system, Microsoft IIS, Microsoft Internet Explorer, your database server, your user directory manager, and the device types you plan to support.

Start the Afaria setup program, choose the Documentation option, and then navigate to the documentation folder and use the document Installing Afaria for installation guidance and instructions.

Revisions for Document Update Version 6.60.01

This guide is updated to include content for installing Afaria 6.6 Feature Pack 1. See “Installing Afaria 6.6 Feature Pack 1” on page 92.

Afaria Support Services

Sybase provides industry-leading support and a variety of downloads to help you get the most out of your Sybase products and solutions.

For more information about Sybase Customer Service and Support, you can visit www.sybase.com/support.

If you have a technical support contract, you can locate your local technical support center at www.sybase.com/contactus/support.

Sybase Social Media Channels

Visit us online for our social media channels at www.sybase.com/resources/socialmedia.


Afaria Architecture

The Afaria architecture is designed for your enterprise environment to help you manage your desktop and mobile computing devices.

The following Afaria terms help to provide an understanding of the Afaria product:

• Afaria server – Afaria is a server-based solution that can operate as a single, standalone server or as multiple servers in a server farm environment. The Afaria server communicates with the Afaria database and additional components or clients as necessary.

• Standalone Afaria server – a single Afaria server operating as the only server in an Afaria installation. The server has a one-to-one relationship with the Afaria database.

• Afaria server farm – multiple Afaria servers operating together in an Afaria installation. The servers have a many-to-one relationship with the Afaria database. A server farm includes one main Afaria server and one or more replication servers. All servers in the farm can access the database and host Afaria client sessions.

• Peer Afaria servers – Afaria servers that operate as separate Afaria installations. Peer servers access different Afaria databases and support different sets of Afaria clients.

• Afaria Administrator, the application – the Web application that provides an interface for the Afaria server. Use Afaria Administrator to define the server configuration, define access policies for Afaria Administrator users, manage Afaria clients, monitor system activity, and communicate with other Afaria servers.

• Afaria administrator, the individual – the person that installs and operates the Afaria product.

• Afaria clients – user devices, such as handheld devices, smartphones, and laptops that Afaria manages. Clients either have an Afaria agent installed or have a native capability or third-party application that Afaria features use to interact with the hosting device.

• (Optional) Relay server – operates as a proxy for HTTP and HTTPS connections between an Afaria component server, such as an Afaria server or an OMA DM server, and its clients. Using a relay server increases enterprise network security by moving the session connection point from within your firewall to outside your firewall.

• (Optional) OTA Deployment Center – Web server that provides Afaria agent deployment services for your clients. An administrator pushes Afaria agent installation packages out to the deployment center and then sends notices to device holders. Device holders can download the agent directly onto their device for installation.

• (Optional) iOS provisioning server – for iOS client management, the Afaria iOS provisioning server sends configuration payloads to iOS devices.

• (Optional) Portal Package server – for portal package operations, and for content not delivered from another source, the portal package server hosts and serves Afaria application packages to clients.

• (Optional) OMA DM server – runs authenticated sessions with OMA DM clients to deliver messages that manage OMA DM clients. Clients are devices that have native support for device management via OMA DM standards and are known to the Afaria server.


Afaria Server

The Afaria Server program is installed on the server that communicates with the database. The Afaria Server program has no user interface; settings and features are available through the Afaria Administrator Web application.

Depending upon your licensing, other Afaria programs that reside on the Afaria server include:

• Create Client Installation – a wizard that guides you through creating an agent installation package. Based on client type, you can choose different options that allow you to deploy the client via the OTA Deployment Center, a companion PC, a network, or client APIs.

• Software Catalog Editor – software reference catalog for Windows software. The Afaria Inventory Manager component references a software catalog when reporting software installed on Windows clients.

• Channel Viewer – lets you run Afaria sessions directly on your server machine.

• OTA Publisher – lets you create and publish “packages” of agent setup files to a Web server deployment center (Afaria OTA Deployment Center) for deployment to your planned client devices. A device user can download a package from the deployment center to install the Afaria agent on his device without having to connect to a companion PC or network.

Afaria Administrator

Afaria Administrator is the Afaria Server program’s “interface,” a Web-based application that you can access from any computer running appropriate versions of Microsoft .NET and Internet Explorer. Afaria uses role-based access policies to control user rights. Rights are associated with discrete functions in the user interface. An administrator with sufficient access policy rights can use Afaria Administrator to view and manage operations and data. A user with limited rights might be limited to view-only access of a single functional area.


System Requirements and Release Notes

Before you install your Afaria components, ensure that your environment complies with the system requirements. Complying with system requirements and reviewing the information in the release notes helps you to take full advantage of features and operate your system appropriately.

Complete system requirements are delivered with your order fulfillment. They are also available in the product release notes available on the technical support site. The release notes include information about product known issues and fixed issues.

Consider these advisories prior to starting the installation:

• Running Afaria and RemoteWare® products on the same machine is not supported; you must install each product on a separate machine.

• Installing Afaria and its associated server-side components requires that you have physical access to the target servers. Using terminal services or comparable means is not a viable method for installation.


Installing Afaria

Follow an installation workflow to install Afaria on a server that does not have the Afaria software installed or when you want to install again to a new installation path.

An installation workflow defines the process for planning and installing your Afaria environment. Identify the scenario that best describes your situation and requirements:

• (Evaluation licence only) Installing in a simplified environment

• Installing in a standard environment, including:

    • A first-time install

    • Installing to a new path

Installing a Simplified Environment

Use the express install to install an evaluation license for Afaria in a simplified, single server environment using a predefined database and local authentication.

The express install option is valid only with an evaluation license on a 32-bit environment; it is not supported as a production environment.

The express installation performs these actions:

• Installs and configures a SQL Anywhere database.

• Installs Afaria server and its related server applications with authentication enabled for local users.

• Installs the Afaria Administrator Web console.

• If licensed for OMA DM features, installs the OMA DM server.

1 Prepare for the install by creating a Windows user account for operations.

2 Start the setup program.

3 Enter your license key.

You must have an evaluation license key to continue.

4 Complete an express install.


Installing a Standard Environment

Use the standard install to install Afaria with a separately installed database, Afaria server, and Afaria Administrator Web console. A standard environment is appropriate for installations with one or multiple Afaria servers.

1 Prepare for the install, including creating a Windows user account for operations and establishing your database environment.

2 On your planned Afaria server, enter your license key and complete the Afaria server installation.

If your installation is planned to have only one Afaria server, the server is a standalone server. If your installation is planned for a farm, the first server installed is the master or main server.

3 On your planned administrator server, complete the Afaria Administrator installation.

4 Complete procedures for getting started with operations.

5 (Server farm) For each additional server, prepare for the install by creating a Windows user account for operations, enter your license key, and complete the Afaria server installation.

The additional servers in a farm are called farm or replication servers.

Reinstallation

Reinstall Afaria when changing your database, changing the authentication type, adding newly licensed features or capacity, or repairing Afaria.

Reinstallation is re-running an installation on an Afaria server or administrator server that already has the same version of Afaria installed. Reinstalling is appropriate for repairing problems associated with corrupted or deleted files, and for making certain types of changes to your current installation.

Upgrade

Upgrade is running an installation on an Afaria server or administrator server that has a version of Afaria installed that is supported on the upgrade path. An upgrade is defined as upgrading the complete environment; the clients must upgrade along with the server and administrator components. Follow an upgrade workflow to install a more recent version without having to uninstall and install new.

You can upgrade to Afaria 6.6 from any 6.0 SP1 or 6.5 configuration.


Preparing to Install Afaria

Complete preparatory steps before installing Afaria components.

1 Create a Windows user account with appropriate attributes.

2 (Production licences, not using express install) Create your database environment.

If you have an evaluation license and plan to install the simplified, express install, the installation process creates your database environment for you.

Creating User Accounts for Installing and Operating Afaria

Create a Windows account to provide a user context for running the Afaria server as a Windows service and authenticating domain users. Running the server as a Windows service means the server operates without an administrator logging on to start the program. If the server reboots, Afaria starts automatically.

1 On the planned server, create a local or domain Windows user account with the following attributes:

• Password Never Expires

• Logon as Service

2 Add the user to the planned server’s local administrators user group.

3 Record the account credentials to use when you install the Afaria server and the Afaria Administrator programs.

4 (Active Directory environment) On the domain controller, update the user account properties (AccountName > Properties > Account > Log On To) to ensure the “Log On To” list of logon workstations is either unrestricted or includes the planned Afaria Administrator server and all planned Afaria Administrator browser computers.

5 For each additional domain that you plan to authenticate users against for operations, and using the same credentials and attributes as the first account, create a local account on the domain’s domain controller.

The Afaria Database

The Afaria server uses a database to log system activity and data. Unless you have an evaluation license and plan to install the simplified, express install, install and configure your database prior to installing the Afaria Server program. The express install includes database installation and configuration. If you are planning to create a server farm environment, all the servers in the farm access the same database.

The product supports using iAnywhere SQL Anywhere, Microsoft SQL Server, or Oracle for the Afaria database. Configure only one type of database.


Refer to the system requirements for complete database support information.

Estimating Your Database Size Requirements

Estimate your database size to understand your weekly disk space requirements for operations with all logging enabled. Plan disk availability based on requirements.

1 Estimate values for the following factors:

• # of sessions per day

• Average session size

2 Apply the factor estimates to the daily formula for estimated growth per day:

(# of sessions per day) * (average session size) = Estimated growth per day

3 Apply the daily estimate to the weekly formula for estimated growth per week:

(estimated growth per day) * 7 = Estimated growth per week

For example, to determine the weekly disk space growth for 1000 daily sessions with an average session size of 60 KB:

(1000 sessions per day) * (60 KB average session size) * 7 days = 420 MB

So in this example, the database is estimated to grow by 420 MB per week.

Consider the following items for calculating estimates:

• Add 1 MB of data per week to the estimate for each Inventory Manager client. Using Inventory Manager to perform client directory scans on Windows clients adds significantly more data to this estimate.

• Sessions with 100 events add an average of 40 KB in database growth per session in additional log data.

Creating a SQL Anywhere Database and User

If you plan to use Sybase iAnywhere SQL Anywhere database with Afaria, create the database for operations, and an associated user to provide a user context to access the database.

1 Create a database. Use default configuration settings with the exception of the following attributes:

• Install jConnect metadata support – Disabled.

• Page size – 8192 KB minimum.

2 Create a database user for the Afaria service to use for database access. Assign the database administrator (DBA) authority to the user.

3 Connect to the new database using the following network database server properties:


• Identification – Database user name and password that you created for Afaria database access.

• Database – Indicate the Afaria database server name and start line “dbsrv11.exe,” as well as the database name and file.

Do not start the database using start line “dbeng11.exe,” which is for non-network database servers and does not support enough database connections for the Afaria service.

It is strongly recommended that you have only one instance of dbsrv11.exe per database.

For details, see your SQL Anywhere documentation on http://sybooks.sybase.com.

Configuring the SQL Anywhere Database for Operations

For Sybase iAnywhere SQL Anywhere operations, prepare your database environment for sustainability and availability.

To create a Windows service that automatically starts the database whenever the Afaria server is restarted:

1 In Sybase Central, select the Services tab and run the New Services Wizard.

2 Select service type.

3 Specify the executable.

4 Specify the parameters.

• -n database name.

• -x tcpip C:\AfariaDB\afaria.db. This instructs the database server to only run the TCP/IP network driver.

5 Local system account.

6 Select Automatic.

7 Start the server now.

8 Upon completion of the wizard, create a system event to back up and truncate the log.

Log size 50 MB is recommended for an initial setting.

For details, see your SQL Anywhere documentation on http://sybooks.sybase.com.


Creating a SQL Server Database and User

If you plan to use Microsoft SQL Server database with Afaria, create the database for operations, and an associated user to provide a user context to access the database.

1 Create a database with the following attributes:

• Datafiles – Automatically Grow File, Unrestricted Filegrowth.

• Transaction Log – Minimum size 25 MB, Automatically Grow File, Unrestricted Filegrowth.

2 Create a role called “db_executor” with the execute right.

3 For the user you plan to use for Afaria operations with the database, ensure the user has the following attributes for your Afaria database:

• Default schema – dbo

• Role – db_ddladmin

• Role – db_datawriter

• Role – db_datareader

• Role – db_executor

• Password – does not contain the semicolon (;) character

For details, see your SQL Server documentation.


Example – SQL Script for Creating a SQL User for Afaria Database Operations

This example script creates a new role with the execute right for a database named Afaria and assigns the user JBrowne all the required attributes the user needs for Afaria operations.

--For a database named Afaria and a login named JBrowne, create a User named JBrowne and grant the user the appropriate rights.
USE Afaria
GO

--Create a new role for executing stored procedures
CREATE ROLE db_executor

--Grant stored procedure execute rights to the role
GRANT EXECUTE TO db_executor
GO

--Assign user to dbo and required roles
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
BEGIN
    CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
    EXEC sp_addrolemember db_ddladmin, JBrowne
    EXEC sp_addrolemember db_datawriter, JBrowne
    EXEC sp_addrolemember db_datareader, JBrowne
    EXEC sp_addrolemember db_executor, JBrowne
END;


When you install the Afaria server, use the credentials from a user like this one if you choose SQL authentication for the Afaria database. If using Windows integrated authentication instead of SQL authentication, the Windows user requires the same rights and roles.

Configuring the SQL Server Database for Operations

For Microsoft SQL Server operations, prepare your database environment for sustainability and availability.

Verify that logs are truncated on checkpoint:

1 Right-click the database and select Properties.

2 In the Properties window, click the Options tab.

3 In the Recovery section, click the Model list box and select Simple.

For details, see your SQL Server documentation.

Setting Up Oracle for Afaria

If you plan to use Oracle database with Afaria, create a user with appropriate role and system privilege attributes and a Net service for Afaria-Oracle communications.

1 Install the Oracle client on the planned Afaria server.

2 Create a user account on the Oracle Server. Grant the account the following roles and system privileges to the database:

• Role – Connect, Resource

• System Privileges – Create Table, Create Trigger, Create View, Create Sequence, Create Procedure, Unlimited Tablespace.

3 Create a Net service to allow the planned Afaria server to communicate with the Oracle Server.

4 Restart the Afaria server.

For more details on configuring the Oracle database, see your Oracle documentation.

Page 18: Installing Afaria

Preparing for Upgrading the Platform

You can upgrade to Afaria 6.6 from any 6.0 SP1 or 6.5 configuration. Afaria 6.0 customers must apply 6.0 SP1 to the Afaria server, and allow clients to upgrade to 6.0 SP1, before upgrading to Afaria 6.6. Afaria 6.5 clients can upgrade directly to Afaria 6.6.

Before you upgrade your Afaria components, validate all the prerequisites and system requirements in order to take full advantage of its features and to ensure that your system operates with maximum efficiency.

Afaria Server Upgrade

The following steps summarize the procedure for upgrading an Afaria installation that includes a single Afaria server.

1 Stop Afaria services.

2 Upgrade the server. Do not start the Afaria Server service at this time.

3 Upgrade the Afaria Administrator application.

4 Start Afaria Server service.

Afaria Server Farm Upgrade

Upgrading a farm environment has additional requirements to complete the upgrade. The following steps summarize the procedure for upgrading an Afaria server farm environment.

1 Stop Afaria services on all replication servers.

2 Upgrade the main Afaria server. Do not start the Afaria Server service at this time.

3 Upgrade the replication servers.

4 Upgrade the Afaria Administrator application.

5 Start Afaria Server service on main server, then replication servers.

6 Replicate appropriate channels to replication servers.

All customers are advised to have an Afaria system backup in place prior to beginning an in-place upgrade. A system backup includes the database, application software, and application data.

Complete system requirements are available in the product release notes available on the technical support site. You must ensure that your environment complies with the system requirements before installing or upgrading Afaria.

Page 19: Installing Afaria

Preparing for Discontinued Server/Client Operations

For customers that use the Windows client on the Afaria server for tasks prior to upgrading, consider implementation changes to the Afaria server and adapt your operations as is appropriate for your requirements.

1 Prior to upgrading, review the role of the Afaria server’s Windows client in your environment.

2 Consider the upgrade implementation changes that impact your operations.

• The Channel Viewer interface for Windows client is supported only on 32-bit environments. The Afaria server is supported on 64- and 32-bit environments.

• The Windows client is always installed on a new Afaria server without Channel Viewer. You can add Channel Viewer on supported environments by installing a Windows client with the Channel Viewer option from the Afaria Create Client Installation program.

• If upgrading to a 64-bit server environment, Channel Viewer is removed during the upgrade, as it is not supported in a 64-bit environment.

• If upgrading to a 32-bit server environment, and Channel Viewer was installed prior to upgrading, then Channel Viewer is preserved during the upgrade.

• The Windows client has a separate installation path from the Afaria server.

• For Session Manager operations, consider how you are using references and variables:

- References that use absolute paths may break.

- Relative paths that use a client path variable, such as <ClientDataDir> are still correct.

- Relative paths that use a server path variable, such as <ServerInstallDir>\TestHTML may break.

3 After upgrading, adapt your operations according to the new implementation and your requirements.

Page 20: Installing Afaria

Preparing for Continued iOS Device Management

For customers that used iOS configuration policies (formerly “iPhone configuration policies”) prior to upgrading, policies are no longer accessible from the Afaria Administrator application, and a new configuration policy implementation is in place. Create or import new policies as your requirements dictate.

Upgrading retains existing iOS device definition records, as well as any associated user-defined variables that have values.

1 Upgrade Afaria to the current version.

2 To review your preupgrade iOS policies and assignments report, run the iOS upgrade utility and click View Report.

Utility path: <ServerInstallDir>\Bin\iPhoneMobileconfigExport.exe

The report identifies the Afaria 6.5 policies assigned to each Afaria 6.5 device definition.

3 (Optional) To export former iOS configuration policies for use with the new implementation, run the iOS upgrade utility and click Begin Export.

4 On the Afaria Administrator, import or create new policies. To import policies, on the Administration > Policies and Profiles page, click Import iOS Mobile Configuration File on the toolbar. To create new policies, on the Administration > Policies and Profiles page, right-click Policies and select New > Device Configuration.

5 Add iOS clients to new or existing client groups.

6 Add client types, client groups, and policies to new or existing group profiles.

7 For the group profile or the client group, send an outbound notification to apply policies.

The notification causes clients to connect to the iOS provisioning server.

Page 21: Installing Afaria

Preparing for Continued Exchange Access Control Operations

If you are upgrading from a pre-6.5-FP2 version of Afaria, prepare for changes to the Afaria Access Control for Exchange features. Upgrading makes changes to defined synchronization policies.

1 Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange ActiveSync Policy to review your current default policy and time frame settings.

2 After upgrading, revisit the renamed page by selecting Server Configuration > Properties > Exchange Access Policy to review your upgraded settings. Change any settings as is appropriate for your requirements.

See Afaria Reference Manual | Platform > Properties > Exchange Access Policy.

Page 22: Installing Afaria

Preparing for Continued SSL Communications

If you are upgrading from a pre-6.5 version of Afaria, check certificate requirements and password assignments to ensure SSL communication is uninterrupted.

For environments that operate with SSL communications, continuing SSL support may be critical to your operations. Check these items to ensure that your SSL sessions can continue without interruption:

1 Valid certificate requirements – Afaria 6.5 allows SSL sessions to run only when the server’s certificate is valid, as evaluated against the following criteria:

• The certificate is signed by a trusted CA or a trusted self-signed CA.

• The certificate is not expired.

• The Common Name—typically the fully qualified domain name—on the certificate matches the address that the client used to initiate the session.

• The certificate is valid for encryption and authentication.

• The certificate is compliant with x.509 certificate standards. Supported formats: Base64-encoded x.509 (.CER) and Personal Information Exchange (.PFX).

You can convert a nonencoded x.509 certificate to a Base64-encoded certificate by using a “save as” or export process in a certificate editor such as the Microsoft Certificates utility (CertMgr.msc).

• The certificate key is an RSA key.

If the product detects an invalid certificate after the upgrade, all SSL connections are terminated until a new, valid certificate is installed.

2 Certificate password assignment – In contrast to previous releases, the upgraded environment requires a password for all certificates. Therefore, to facilitate a working environment after upgrade, the upgrade assigns password “password” to the certificate. You can use the Server Configuration > Properties > Client Communication > View to view your certificate and change the password to a privately known value.
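The certificate criteria and the upgrade-assigned password described above can be checked on the server before and after the upgrade. The following PowerShell function is an added example, not part of the Afaria guide or product; its name, parameters and the sample call are hypothetical, and the mapping of “valid for encryption and authentication” to specific key-usage values is an assumption.

```powershell
# Added example, not an Afaria utility. Function and parameter names are hypothetical.
function Test-AfariaServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,           # .CER or .PFX file
        [Parameter(Mandatory = $true)][string]$ClientAddress,  # address clients use to start a session
        [string]$Password                                      # current PFX password, if known
    )
    $ns       = 'System.Security.Cryptography.X509Certificates'
    $fullPath = (Resolve-Path -LiteralPath $Path).Path         # .NET needs an absolute path
    $findings = @()
    $cert     = $null

    # Item 2: the upgrade assigns the password "password". If a PFX still opens
    # with that value, the password has not been changed to a private one yet.
    if ($fullPath -like '*.pfx') {
        try {
            $cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath, 'password'
            $findings += 'PFX still opens with the upgrade-assigned password'
        } catch { $cert = $null }   # expected once the password has been changed
    }
    # Loading fails with an exception if the file is not a parseable X.509 certificate.
    if (-not $cert) {
        if ($Password) { $cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath, $Password }
        else           { $cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath }
    }

    # Signed by a trusted CA: build the chain against this machine's trust stores.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not among the listed criteria
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not validate: $status"
    }

    # Not expired (and already valid).
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # Common Name matches the client address. SimpleName returns the CN when the subject has one.
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ClientAddress) {
        $findings += "Common Name '$cn' does not match '$ClientAddress'"
    }

    # Valid for encryption and authentication. Assumed mapping: keyEncipherment and
    # digitalSignature key usages, Server Authentication EKU. An absent extension
    # places no restriction, so only extensions that are present are checked.
    $need = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            if (([int]$ext.KeyUsages -band $need) -ne $need) {
                $findings += "Key usage is limited to: $($ext.KeyUsages)"
            }
        }
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
                $findings += 'Enhanced key usage does not include Server Authentication'
            }
        }
    }

    # RSA key (rsaEncryption OID).
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
        $findings += "Public key algorithm is $($cert.PublicKey.Oid.FriendlyName), not RSA"
    }

    New-Object psobject -Property @{
        Subject  = $cert.Subject
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample call; the path and password are placeholders.
# Test-AfariaServerCertificate -Path 'C:\certs\afaria.pfx' -ClientAddress 'afaria.mycompany.com' -Password '<pfx-password>'
```

Run it on the Afaria server itself so that the chain is evaluated against the same trust stores the server uses.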

Page 23: Installing Afaria

Preparing for Continued OMA DM Operations

If you are upgrading from a pre-6.5 version of Afaria, and currently using the OMA DM trust task, prepare for continued operations by replacing the task to adopt the new implementation.

1 Upgrade server and administrator.

2 Restart services.

3 Modify existing trust task, change action to remove.

4 Add a new trust task into the same policy but after the pre-existing trust task. Define the task with an add action and select any additional rights to enforce.

5 Connect OMA DM clients to deploy updated policy.

Page 24: Installing Afaria

Preparation for Upgrading to the Multitenancy Environment

Multitenancy is a separately licensed product feature introduced with Afaria 6.5 that allows hosting providers to manage multiple enterprises from a single Afaria implementation.

See also Afaria Reference Manual | Platform > “Using Tenants and Multitenancy” to learn about multitenancy and how it supports your role as a hosting administrator.

Transitioning Clients and Assets into Multitenancy Features

After upgrading, follow this general task flow to migrate your client base from single-tenant operations to multiple-tenant operations without interrupting schedules or work.

A newly upgraded environment, one that has been upgraded from a nontenant environment to a multitenant environment, continues operations without disruption to scheduled client sessions or the work tasks operating in the pre-upgrade environment. All upgraded clients and assets, such as profiles and their associated policies and channels, default to the predefined system tenant during the upgrade.

1 Define tenants.

2 Define access policies that associate roles with tenants.

3 For each tenant, define assets and connect clients:

• Define client groups.

• Define profiles and associated assets that continue your operations according to your requirements.

You may continue to use system tenant assets, as shared by the system tenant and available to all tenants, or you can define new, tenant-specific assets.

• Assign client groups to profiles, as appropriate for your operations.

• Change client tenant associations from the system tenant to the new tenants.

• Connect clients.

When clients connect, they automatically pick up their new tenant association and begin using their assigned profiles.

Defining New Access Policies Tenant Attribute for Roles

Revisit access policy roles after the upgrade to determine whether the postupgrade value for the Tenant attribute is appropriate for your requirements. The new Afaria Administrator Server Configuration Tenants page introduced by the multitenancy feature introduces a new Tenant role definition item in the Server Configuration role definition tree.

Page 25: Installing Afaria

1 On the Afaria Administrator application, open the Access Policies page.

2 For each role, open Role Definition > Server Configuration > Tenants and select Create, Modify, or Read, as appropriate for the role.

Re-evaluating Upgraded Custom Data Views and Custom Reports

Re-evaluate upgraded custom items after accumulating data to determine how custom views and reports are performing.

Database changes introduced by the multitenancy feature have implications for custom data views and custom reports. The upgraded environment attempts to filter results by tenant by modifying the associated SQL script at runtime. However, these modifications may not always be successful.

1 Perform the upgrade.

2 Create a few tenants.

3 Accumulate some data in each tenant.

4 Run custom views and reports.

Custom items produce one of the following results:

• Error-free results that are filtered by tenant

• Error-free results that are not filtered by tenant

• Fatal errors during execution

5 If custom items result in fatal errors, delete damaged items and re-create them in the new environment, taking the new database design into consideration.

Custom items that you create after the upgrade are available to all tenants, rather than only for the originating tenant.

See Afaria Reference Manual | Platform > “Data Views” to learn more about creating custom views in a multitenant environment.

Page 26: Installing Afaria

Preparing for Upgrading Clients

Afaria clients upgrade automatically, using the Afaria Electronic Software Delivery (ESD) feature, as they connect to an upgraded Afaria server. When upgrading fails due to the Afaria platform no longer supporting a client’s operating system, the system records the event in the Messages log.

The upgrade connection performs only an upgrade and does not execute other operations, such as running requested channels. Use a subsequent connection to continue operations.

Data Security Manager Clients that use Encryption

If you are upgrading from a pre-6.5 version of Afaria, the Data Security Manager method for interpreting paths and file names for encrypting and specifying items is changed.

A folder name now requires a backslash terminator. A folder name without a backslash is interpreted as a file. For example: \Temp\ declares a folder, while \Temp declares a file. This distinction may render previously encrypted files as decrypted. Consider the following cases:

• Pre-upgrade specification: \Temp

- If the \Temp directory exists, all files in the directory are encrypted.

- If the \Temp directory does not exist but the file “temp” does, only the file is encrypted.

• Upgrade specification without backslash terminator: \Temp encrypts only the file “temp”, without regard to the presence or absence of a directory of the same name.

• Upgrade specification with backslash terminator: \Temp\ encrypts all files in the folder.

See Afaria Reference Manual | Components > Data Security Manager for Handheld Clients > Lock Down Options > Path and File Name Data Items to learn about defining items for encryption and items for deleting specified data.
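To find existing specifications whose meaning changes under the new rule, the two interpretations described above can be modeled and compared against a device file listing. The following PowerShell sketch is an added example and not Afaria code; the function names and the sample listing are constructed, and it assumes that a folder specification covers only the files directly in that folder.

```powershell
# Added example: a model of the path rules above, run against a constructed file listing.
# Function names are hypothetical; this is not Afaria code.

# Files directly inside $Folder ('\Temp' matches '\Temp\a.db', not '\Temp\sub\b.db').
# Whether the product also descends into subfolders is not stated, so this model does not.
function Get-FilesInFolder {
    param([string]$Folder, [string[]]$Files)
    @($Files | Where-Object {
        $i = $_.LastIndexOf('\')
        ($i -gt 0) -and ($_.Substring(0, $i) -ieq $Folder)
    })
}

# Files that a single specification encrypts under the old or the current rule.
function Get-DsmEncryptedFiles {
    param([string]$Spec, [string[]]$Files, [switch]$PreUpgrade)
    if ($Spec.EndsWith('\')) {
        # Backslash terminator: a folder under the current rule.
        return Get-FilesInFolder -Folder $Spec.TrimEnd('\') -Files $Files
    }
    if ($PreUpgrade) {
        # Old rule: an unterminated name is a folder if that folder exists on the device.
        # The listing holds files only, so a folder "exists" here if it contains a file.
        $inFolder = @(Get-FilesInFolder -Folder $Spec -Files $Files)
        if ($inFolder.Count -gt 0) { return $inFolder }
    }
    # Otherwise the name is a single file.
    @($Files | Where-Object { $_ -ieq $Spec })
}

# Report each unterminated specification that protected files before the upgrade
# and no longer protects them afterwards, with the terminated form to use instead.
function Get-DsmSpecRegression {
    param([string[]]$Specs, [string[]]$Files)
    foreach ($spec in $Specs) {
        if ($spec.EndsWith('\')) { continue }   # already an explicit folder specification
        $before = @(Get-DsmEncryptedFiles -Spec $spec -Files $Files -PreUpgrade)
        $after  = @(Get-DsmEncryptedFiles -Spec $spec -Files $Files)
        $lost   = @($before | Where-Object { $after -notcontains $_ })
        if ($lost.Count -gt 0) {
            New-Object psobject -Property @{
                Spec              = $spec
                SuggestedSpec     = $spec + '\'
                NoLongerEncrypted = $lost
            }
        }
    }
}

# Constructed sample data: a device file listing and the specifications in use.
$deviceFiles = '\Temp\orders.db', '\Temp\cache.tmp', '\Data\customers.db', '\notes'
$specs       = '\Temp', '\notes', '\Data\'
Get-DsmSpecRegression -Specs $specs -Files $deviceFiles
```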

Clients in the Multitenancy Environment

See “Preparation for Upgrading to the Multitenancy Environment” on page 24.

Page 27: Installing Afaria

Starting the Afaria 6.6 Setup Program

Your Afaria license key determines which setup options appear on the setup menu and which are enabled. Install all installation items only from the setup menu. Installing menu items directly from a product image folder may yield undesirable results.

1 On the server of interest for a planned installation item, close all running programs.

2 Copy the entire Afaria product image to a local destination.

3 On the root directory of the image, locate the setup.exe file.

4 Open setup.exe to launch the setup program and open the Afaria Setup Menu.

Locating Product Documentation

Locate documentation for help with installing and using the product. Documentation is included on the product installation image.

1 Start the setup program.

2 Click Documentation.

3 Click the item of interest.

• Readme – includes information about finding system requirements and release notes on the technical support site and information about what is located on the product installation image.

• Installation guide – the English version of Installing Afaria. Installing Afaria is available in additional languages by clicking Documentation folder on the documentation menu and navigating the language folders.

• Documentation folder – opens the \Documentation folder on the installation image. All product documentation is available in English. Some documents are available in additional languages.

Page 28: Installing Afaria

Entering or Updating Your License Key

Enter or update your license key for new installations and any time you receive a new key associated with a licensing change. The key defines which setup menu options are available.

For updating the license key, perform the update on each Afaria server.

1 Start the setup program.

2 Click View or Update License Key.

3 Type your license key into the key box. Choose Licensing Details to review your licensing information.

The maximum number of concurrent sessions supported per server depends on your licensing. The ability to run the maximum number of licensed concurrent sessions depends upon the amount of memory, the speed, and number of the processors on your server.

4 Choose Apply to save the license key and return to the setup menu with your licensed options available.

5 For updating your license key, complete a reinstallation for the server.

The reinstallation updates the server as necessary to support the license change.

Page 29: Installing Afaria

Installing an Express Install

The express install option is valid only with an evaluation license on a 32-bit environment. Use the express install to install Afaria in a simplified environment.

Installation requires that you have a user account established for installing and operating Afaria.

The express installation performs the following actions:

• Installs and configures a SQL Anywhere database.

• Installs an Afaria server and its related server applications with authentication enabled for local users.

• Installs the Afaria Administrator Web console.

• If licensed for OMA DM features, installs the OMA DM server.

1 Start the setup program.

2 Click Express Evaluation Install. The program opens the End User License Agreement dialog box.

3 Click Yes or No to indicate your acceptance or rejection. The installation continues only when you accept the agreement.

4 Specify the account name and password to use to run the Afaria service.

The Express install includes an evaluation copy of SQL Anywhere. You may need to acknowledge one or more informational dialog boxes that describe the evaluation product.

5 Click Install.

See also “Creating User Accounts for Installing and Operating Afaria” on page 12.

Page 30: Installing Afaria

Installing Afaria Server 6.6

Install the Afaria server as the first server component in your Afaria installation.

Starting the Server Setup Program

Start the server setup program and install a server.

Installation requires that you have your database installed and configured for Afaria, and that you have a user account established for installing and operating Afaria.

1 Start the setup program.

2 On the setup menu, click Install.

3 Click Server. The program opens the End User License Agreement dialog box.

4 Click Yes or No to indicate your acceptance or rejection, and then click Next.

The installation continues only when you accept the agreement. Accepting the agreement opens the Welcome dialog.

5 Select the database.

6 Continue with selecting database options.

See:

• “The Afaria Database” on page 12

• “Creating User Accounts for Installing and Operating Afaria” on page 12

• “Selecting SQL Anywhere Database Options” on page 30

• “Selecting SQL Server Database Options” on page 31

• “Selecting Oracle Database Options” on page 31

Selecting SQL Anywhere Database Options

If you selected iAnywhere SQL Anywhere, continue with the SQL Anywhere Server Setup dialog.

1 Select your SQL Anywhere server name from the SA Server Name list.

The list populates only with names of SQL Anywhere servers on the same subnet. If you need to locate a SQL Anywhere server outside the subnet, select the Edit Host/Port check box in order to provide the server information. The Host name may be a machine name or IP address.

2 Select a login type.

Page 31: Installing Afaria

• Integrated login. Select this option to integrate your Windows login with your SQL Anywhere login.

• SA user login. Enter the login information for the database user with DBA authority that you created for your Afaria database.

3 Click Next to continue.

On the SQL Anywhere Server database dialog, type the name of the database you created for Afaria, and then click Next to continue. The Afaria installation program validates the database you specify. If you type the database name incorrectly or type the name of the wrong database, you may see a “Request to start/stop database denied” error.

If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server.

4 Continue with selecting server options.

See “Selecting Server Options” on page 33.

Selecting SQL Server Database Options

If you selected Microsoft SQL Server, continue with the SQL Server Setup dialog.

1 Select the SQL Server to use with Afaria.

2 Select either Windows Authentication to use a Windows administrator account with SQL Server privileges or SQL Server Authentication to use the SQL Server account with its associated password that you set up for Afaria.

3 Click Next to continue.

4 On the SQL Server Database dialog, select the database you configured for Afaria.

If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server.

If you are reinstalling the Afaria server as standalone, you must select a new database.

5 Continue with selecting server options.

See “Selecting Server Options” on page 33.

Selecting Oracle Database Options

If you selected Oracle database, continue with the Oracle Setup dialog.

1 Select your Oracle driver and enter the Oracle service name.

2 Enter the credentials for the service: user name and password.

3 Click Next to continue.

Page 32: Installing Afaria

4 Continue with selecting server options.

See “Selecting Server Options” on page 33.

Page 33: Installing Afaria

Selecting Server Options

Select options for naming and operating the server.

1 On the Confirm Server dialog, review the information to ensure it is consistent with your intention, and click Next to continue.

2 On the Directory Selection dialog, accept the default location or click Browse to navigate to a new location.

3 On the Service Account dialog, specify the account name and password you created for operating Afaria.

4 In the Server Selection dialog, accept the default name or enter a descriptive name for the Afaria server.

Each replication server in a server farm must have a unique name. The server name must not include the backslash (\) character.

5 If you are installing a main or standalone server, continue with selecting the authentication type. If you are installing a replication server for a farm, continue with completing the installation.

See:

• “Creating User Accounts for Installing and Operating Afaria” on page 12

• “Selecting Authentication Type” on page 34

• “Completing the Installation” on page 36

Page 34: Installing Afaria

Selecting Authentication Type

Select the user authentication type for client connections. Local authentication is always enabled.

1 In the Type of authentication dialog, select your authentication type.

• NT domain authentication – select NT domain-based and enter the domain you plan to use for authentication. As the administrator, you must also be a member of this domain.

• Local authentication – select NT domain-based and keep <none> as the domain.

• LDAP authentication – Select LDAP-based.

2 For NT domain or local authentication, click Next to continue with completing the installation. For LDAP authentication, click Configure LDAP and continue with configuring LDAP information.

If you do not choose a domain during installation, you can add a domain for authentication on the Server Configuration > Properties > Security page.

To allow users to use blank passwords, additional operating system settings are required. Refer to Afaria Reference Manual | Platform > Server Configuration > Properties > Security to learn more about the requirements for allowing blank passwords.

See “Completing the Installation” on page 36 and “Configuring LDAP Information” on page 34.

Configuring LDAP Information

Configure LDAP settings to support LDAP user authentication and channel assignments.

1 In the LDAP Server Login Information dialog, enter login information.

• Server Address – enter your LDAP server address as either a fully qualified domain name such as afaria.mycompany.com or as an IP address.

• Port Number – Afaria automatically defaults to the LDAP standard port 389. If you enter another port number, you must enter a number greater than 1024.

• Server Type – select your LDAP Server type.

• Use SSL – select to enable SSL communication with your LDAP server.

• SSL Port Number – define the LDAP server port for SSL communications.

• Anonymous Login – select Anonymous Login to allow the Afaria server to communicate with the LDAP server without using a dedicated LDAP user account for the server. If using anonymous login, configure your LDAP server to allow a search of the directory structure for users, user groups, and organizational units and all of their attributes.

• User DN – if not using anonymous login, enter the User DN (Distinguished Name) for the LDAP account the Afaria server uses to communicate with the LDAP server. If you don’t know the user name for the account, click Search User. You must have an LDAP proxy user configured for an anonymous login to be able to search for users.

Page 35: Installing Afaria

You can enter a name using a wildcard character to search for the correct User DN. For example, you can enter “*mith” or “*mit*” to search for Smith.

• Password – enter the password for the LDAP account the Afaria server uses to communicate with the LDAP server.

2 In the LDAP Root Directory dialog, select a root directory that contains all of the groups, organizational units, and users the server requires for authentication and assignments.

3 In the LDAP User Characteristics dialog, select a characteristic.

• LDAP Class Name for Users – select or enter the LDAP Class Name for Users.

• User Name Attribute – select or enter the user name attribute to use in the LDAP environment. When client users connect to the server, they enter the user ID as the user name you specify.

4 In the LDAP Container Settings dialog, select a membership basis for assigning channels to users.

• Support OU membership – select to assign channels to users based on their organizational unit (OU).

• Support OU and group membership – select to assign channels to users based on both their OU and groups.

5 Continue with completing the installation.

See “Completing the Installation” on page 36.

Page 36: Installing Afaria

Completing the Installation

Continue with the Ready To Start Installation dialog box to complete installation.

1 On the Ready to Start Installation dialog, click Install.

The Setup Complete dialog opens when the installation is complete.

2 If you receive a message that a file is in use, choose an appropriate action.

• Abort – quits the installation.

If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.

• Retry – close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.

• Ignore – continues the process but requires you to restart the computer in order to complete the installation.

You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.

3 Select whether to start the service at this time.

To allow connections immediately, start the service. To continue with additional installations and configuration, do not start the service.

4 Click Finish.

Page 37: Installing Afaria

Installing Afaria Administrator

Install Afaria Administrator on either the Afaria server or a different server.

1 Start the setup program.

2 On the setup menu, click Install.

3 Click Administrator, and click Next to continue.

4 On the Select Virtual Directory dialog, define the virtual directory for Afaria in IIS. If you created a directory, select it from the list. If you have not created a directory, type the name for the directory to create it.

The directory appears in the IIS directory under Default Web Site.

5 On the Select Physical Directory dialog, enter the physical location to install Afaria Administrator files.

If you are installing Afaria Administrator on the same server as the Afaria server, install Afaria Administrator in a different directory.

6 On the Specify Credentials dialog, specify the account name and password you used for the Afaria server installation.

7 On the Domain Selection dialog, enter the domain for selecting Afaria Administrator users to administer the Afaria server. To limit selection to only local users, keep <none> as the domain.

8 On the Ready To Start Installation dialog, click Install to begin the installation.

The Setup Complete dialog box opens at completion.

9 If you receive a message that a file is in use, choose an appropriate action.

• Abort – quits the installation.

If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.

• Retry – close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.

• Ignore – continues the process but requires you to restart the computer in order to complete the installation.

You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.

10 On the Setup Complete dialog, click Finish to close the installation program.

An Afaria Administrator shortcut appears on the desktop.

11 If you used a predefined virtual directory for this installation, rather than allowing the setup program to create one for you, then verify the Afaria Administrator IIS settings before operating the Afaria Administrator program.

Page 38: Installing Afaria

See “Verifying Afaria Administrator IIS Settings” on page 38.

Verifying Afaria Administrator IIS Settings

If you used a predefined virtual directory when installing Afaria Administrator, rather than allowing the setup program to create one for you, or if you are having problems accessing Afaria Administrator from a browser, verify the IIS settings.

1 Using Windows IIS Manager, locate the virtual directory created for Afaria Administrator.

2 Right-click the virtual directory and select Properties.

3 Verify the appropriate settings.

• On the Virtual Directory page – verify the installation path for Afaria Administrator, and verify that read and write access is enabled.

• On the Documents page – verify that the files default.asp and default.aspx appear in the list.

• On the Directory Security page – in the authentication and access area, click Edit. Ensure that anonymous access is disabled and Integrated Windows authentication is enabled.

4 To test the virtual directory, right-click it again in IIS and select Browse.

The Afaria Administrator home page should open in your browser.

Changing the IIS Connection Timeout Value

Change the IIS connection timeout value to prevent the Afaria server from disconnecting an inactive browser user. Disconnected sessions can result in data loss.

1 Using Windows IIS Manager, locate Default Web Site.

2 Right-click Default Web Site and select Properties.

3 In the connections area, increase the timeout to meet your needs.

When you change this value, it impacts all the Default Web Site members. Ensure you have determined an acceptable value for all sites.

If you have stopped and restarted IIS at any time before opening Afaria Administrator, ensure that the WWW Publishing Service also started when you restarted IIS. If it is not started, you can reset IIS, or you can restart it manually. This service must be running in order for you to open Afaria Administrator.

Page 39: Installing Afaria

4 Click OK.

Page 40: Installing Afaria

Installing Afaria 6.6 FP1 Starting Operations

Starting Operations

To get started with Afaria after completing the installation, complete tasks that prepare for, and validate, basic operations.

The product documentation guide Afaria Reference Manual | Platform covers these and other tasks in greater detail.

1 Log in a first time using the installing user account context.

2 Add your Afaria server to the server list.

3 Add yourself as a user for:

• Afaria operations

• (Optional) Afaria access policies

4 Return to the default page by clicking Exit.

5 Log in a second time using your Windows user account.

6 Start the Afaria server.

See also:

• “Logging in as the Default User” on page 40

• “Adding a Server to the Server List” on page 41

• “Users and Roles in Afaria” on page 41

• “Logging in as an Added User” on page 42

• “Starting/Stopping/Restarting the Afaria Server” on page 43

Logging in as the Default User

Use the default user’s credentials to log in to the Afaria Administrator application.

By default after installation, the only user that can log in to the Afaria Administrator application is the user that installed the product. If you are in a different user context, the application prompts you for the installing user’s credentials.

1 Open Internet Explorer and enter the Afaria Administrator address.

Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>

If your current user context is different from the user context for installing the product, then the Enter Network Password dialog opens. Enter the installing user’s name, password, and domain and click OK. Domain is not required when logging in to a local machine.

The Afaria Administrator server list opens in your browser window without any servers on the list.

Page 41: Installing Afaria

Adding a Server to the Server List

Add your server to the server list for users to access. The server list is what Afaria administrators see and choose from when they log in to the Afaria Administrator product.

1 On the global navigation bar, click Access policies.

The Access Policies link and page are available only to the installing user and users assigned to the Access Administrator role.

2 Right-click Servers in the left pane and select Add Server.

3 Type a name, address, and description for the server.

The address can be either an IP or DNS address. The description helps Afaria users recognize named servers.

4 Click Test Server Connection.

The test configures the connection, validates the address, and validates whether the server is running.

Users and Roles in Afaria

The Afaria Administrator application controls general access to the application.

Once a user has general access, the Administrator application controls access to different features by using roles, to which users are, or are not, assigned.

• Access policies role – Role for access to the Access Policies feature, which includes control over role assignments and adding and removing servers.

• Server operations roles – Role for server operations, such as for individuals who perform administrative operations and provide support for users.

By default after installation, the only user with access policy rights is the installing user. Add users after adding one or more servers.

For basic operations upon which you can build later, add yourself as a user in roles for:

• Access policies

• Server operations

Page 42: Installing Afaria

Adding a User for Access Policies

Add users to the Access Policies role to give them rights to add or remove users and servers.

The product includes a predefined user role called “Access Administrators.” By default, the only user assigned to this role is the installing user. It is defined to enable access to the Access Policies feature, a link to which is located on the Afaria default page when logging in. Users not assigned to this role do not see the link and cannot access the feature.

1 On the Access Policies page’s left pane, select Access Administrator.

2 On the right pane, click Add.

The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.

3 Select a user or group from the “available” list and move it to the “assigned” list.

4 Click OK.

Adding a User for Operations

Add users to the Administrator role to allow them unrestricted access to the server.

The product includes a predefined user role called “Administrators”. Users not assigned to a role for a server do not see that server on the server list when they log in.

1 On the Access Policies page’s left pane, expand the server you defined and select the Administrators role.

2 On the right pane, click the Users tab and click Add.

The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.

3 Select a user or group from the “available” list and move it to the “assigned” list.

4 Click OK.

Logging in as an Added User

Use your Windows user credentials to log in as a user.

Log in to Afaria a second time, using your Windows user credentials. You can switch your user context by using the Logon As User feature.

Page 43: Installing Afaria

1 From the Afaria default page, click Logon As User. The Connect To dialog opens.

2 Supply your Windows user credentials and click OK.

The default page opens with content appropriate for your user role. Your user context displays on the banner.

Starting/Stopping/Restarting the Afaria Server

Use Start, Stop, or Restart commands to control the state of the Afaria Server.

Server/client sessions can run only when the server is started. You can conduct other operations, such as reviewing logs or reports, performing server configuration, or performing administration and user support tasks when the server is in a stopped or started state. Some configuration changes require restarting the server to take effect.

1 From the Afaria default page, click the role link that is associated with the server to start. The Server Status page opens.

The page includes a dynamic link that changes between “Start Server” and “Stop or Restart Server”, depending on the current state of the server.

2 Click the Start Server or Stop or Restart Server link to open the Current Status dialog. The dialog is dynamic based on the current state of the server and the relevant actions. Click on the appropriate action:

• Start – start a stopped server

• Stop – stop a started server

• Restart – stop then start a started server

Page 44: Installing Afaria

Accessing Afaria Administrator from a Remote Location

Use remote access to log in to the Afaria Administrator Web application when you do not have physical access to the Afaria Administrator server.

If a user uses only one browser type—32- or 64-bit—this process is required only once for that browser. If a user uses both browser types, it is required once for each browser.

1 Open Internet Explorer and type the address for the Afaria Administrator installation you want to view. Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDir>

A configuration message opens in your browser window, similar to the following example:

2 Right-click the Click to configure security link and select Save Target As on the shortcut menu. Save the file to your computer.

3 Open or run the downloaded file to open the Security Configuration Manager dialog box.

4 Type the Afaria Administrator address from the dialog box according to the format http://<localhost>/<VirtualDirectory> and click OK.

5 Click OK to close the Success message box.

6 Close Internet Explorer.

7 Open the Afaria Administrator shortcut on your desktop. Internet Explorer opens and launches Afaria Administrator. The server list appears. It is populated only with Afaria servers for which you have access rights. For more information, see “Adding a Server to the Server List” on page 41.

Page 45: Installing Afaria

Server Configuration

The Server Configuration features let you define system-wide parameters.

This section briefly covers each link in the Server Configuration area. For more details about server configuration, see the Afaria Reference Manual | Platform > Server Configuration.

Server Configuration: Properties

The Server Configuration Properties enable you to define parameters that govern client communications, server performance, and settings for optional components.

Properties > Communication – use communication properties to configure parameters for communication sessions with your clients. These parameters include:

• Bandwidth throttling – increase or decrease the communication rate throughout the course of a client session, allowing client users to run other network applications more effectively when they communicate with the Afaria server.

• Compression – add files to or view the cache of compressed files that are frequently sent to clients. This reduces connection time and improves system performance.

• Client communication – use the Client Communication page to define how the server communicates with your Afaria clients, including communication protocol, SSL certificate and key, and server address seed value for creating new clients.

• Differencing – maintain different versions of files that you frequently send to clients; the server sends only the updated bytes of each file in the differencing cache.

• Server identification – set or change the server’s friendly name, which is visible to Windows Channel Viewer clients.

Properties > Server – use server properties to configure parameters for server information and behavior. These parameters include:

• Contact – provide Channel Viewer users with information regarding the person to contact if they have questions about their client devices or encounter problems during a communication session with the server.

• Exchange Access Config – for the Afaria Access Control for Microsoft Exchange feature, the Exchange Access Config property page lets you define parameters for operating the ISAPI listener on the Afaria server.

• Failed session cleanup – control how the system handles failed communication sessions between clients and the server.

• License – view information about your system, including a list of licensed components and client types, the number of licensed sessions, expiration dates (if any), and a brief description of the license type.

• Logging policy – determine the global logging policy settings. All logs are enabled by default.

Page 46: Installing Afaria

• Log cleanup – specify the cleanup time for the individual logs.

• OTA Deployment Center – establish settings for Afaria client and Afaria server communication with the OTA Deployment Center.

• SMS Gateway – define settings for an Afaria Short Message Service (SMS) gateway.

• Security – configure settings for security measures, including authentication, domain assignments, and client approval. If you are using LDAP for authentication and assignments, you can also enable and configure SSL for LDAP to increase security when you communicate with your Windows clients.

• SMTP – establish SMTP server settings for your Afaria-initiated, SMTP-based communications.

• User-defined fields – create new fields in your database tables related to the A_CLIENTS table, and read from or write to these fields using the session worklist variables Set Database Field and Get Database Field.

• Outbound notification – control the volume parameters for outbound notification sessions to keep the Afaria server from being overwhelmed with incoming sessions.

• Relay server – define settings for using a relay server for your Afaria operations. The relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server and its Afaria clients.

Properties > Component configuration – use component configuration properties to configure global settings for installed optional components. These parameters include:

• AV/Firewall – define the disposition of new client files or pattern files and identify the date of the last update.

• Backup Manager – define the physical location for backup storage and define associated log and alert thresholds.

• Document Manager – apply default location settings for your file selections and settings for alternate media sources.

• Exchange Access Policy – define a synchronization policy for your enterprise’s devices that use Microsoft Exchange ActiveSync to synchronize with your organization’s Microsoft Exchange Server.

• iOS Server – define properties for the Afaria iOS provisioning server and the certificate authority (CA) server.

• OMA DM – define the OMA DM server address properties that OMA DM clients need to communicate with the OMA DM server.

• Patch Manager – define the location for storing downloaded patches.

Page 47: Installing Afaria

Server Configuration: Schedules

Use schedule properties to review and manage system-defined scheduled tasks. The system requires that these tasks execute on a regular basis for ongoing Afaria operations. You can change the schedule for a task or run a scheduled task on demand to suit your needs.

Server Configuration: Client Types

Afaria client types enable you to create and edit custom client types as subtypes to system-defined client types. You may want to create client types for short-term or long-term management purposes. You can create a client type that is defined by the specific operating system, the version, and service packs that have been applied, and so on. You can use these client types when you assign management tasks.

Server Configuration: Alerts

Alert definitions enable you to define and manage which Afaria events—logged actions or conditions relating to your Afaria server, Afaria Administrator, or Afaria clients—raise alerts on your Afaria Administrator. Alerts appear on the Alerts page when the event is detected so you can acknowledge and resolve them. Optionally, you can define alerts to notify a contact when some event of interest occurs.

Server Configuration: Tenants

Use the Tenants page to maintain tenant records. A tenant is an entity that you can associate with a subset of the client base and its related operations and assets. You must create a tenant record before you can create clients for a tenant or use other multitenancy features.

Server Configuration: License Compliance

The License Compliance page enables you to track software licenses, including their installed versus purchased state on your Afaria clients, their effective and expiration dates, and how often users run specific applications. This page appears empty until you define software licenses in your database.

Page 48: Installing Afaria

Server Configuration: Patch Console

The Patch Console page enables you to view a Microsoft product list and applicable patches that are available for download from the Microsoft site. You may use the page to research and select patches for download and initiate the download action. Downloading patches is a prerequisite action for using Afaria Patch Manager to manage patch delivery to your Afaria clients.

The Patch Manager component leverages Microsoft’s Baseline Security Analyzer (MBSA) and Windows Update Agent (WUA) technologies to keep your client information current. It requires relevant Microsoft executables for initial and ongoing operations. Refer to Afaria Reference Manual | Platform for instructions on obtaining these executables.

Page 49: Installing Afaria

Installing Afaria 6.6 FP1 Additional Installation and Resource Items

Additional Installation and Resource Items

Additional installations are available on the Additional Installations and Resources menu.

These items are available:

• OTA Deployment Services on IIS – install Over-the-Air (OTA) Deployment Center in a Windows IIS environment.

• Access Control for Exchange – install the Afaria ISAPI filter on a Microsoft Exchange Server’s IIS Server to support Afaria Access Control for Microsoft Exchange features.

• SMS (Short Message Service) Gateway Resources – access third-party resources for installing SMS gateway components.

• iOS Installations – install the Afaria Provisioning server on an IIS Server or the Afaria Simple Certificate Enrollment Protocol (SCEP) Plug-In Module on your certificate authority (CA) server. These components support Afaria iOS features.

• OMA DM (Open Mobile Alliance Device Management) – install the OMA DM server to send OMA DM messages to OMA-DM-enabled devices that are known to the Afaria server.

Page 50: Installing Afaria

Installing Afaria 6.6 FP1 Setting Up the OTA Deployment Center

Setting Up the OTA Deployment Center

Set up an Afaria Over-The-Air (OTA) Deployment Center to provide over-the-air Afaria Client deployment services to your current or planned Afaria Client device base.

The deployment center is a Web application that is a separate component from the Afaria server and Afaria Administrator. The Afaria Clients it deploys are Afaria Client software packages that you create using the Afaria Create Client Installation program. Afaria supports using the deployment center to deploy client packages to the following Afaria client types:

• BlackBerry

• Palm

• Windows Mobile Professional (including Windows CE)

• Windows Mobile Standard

• Symbian

• Windows

These client types are distinguished from other Afaria client types that do not install Afaria Client software, such as iOS clients or OMA DM clients.

Afaria supports setting up the deployment center in the following Web server/OS environments:

• IIS Web server on a Windows OS

• Apache Web server on a Windows OS

• Apache Web server on a Linux OS

The following steps summarize the procedure for setting up an OTA Deployment Center:

1 Get prerequisite components from the Sybase third-party component site.

2 (Apache on Windows) Install Apache HTTP server component.

3 Install PHP scripting engine component.

4 Install PHP Concept Library Zip component.

5 Install the OTA Deployment Center.

• (IIS) Install the deployment center by running the OTA Deployment Center setup program.

• (Apache) Install the deployment center by copying OTA Deployment Center files from the Afaria product image.

Using Afaria’s over-the-air (OTA) deployment features is not a requirement in your Afaria environment. Afaria also supports deploying Afaria clients using companion PCs, networks, and client APIs.

The Afaria Administrator Web application, which runs on a Windows IIS Web server, and the Afaria OTA Deployment Center application, which can run on either an IIS Web server or an Apache Web server, are typically on separate servers. However, the applications can coexist if they are configured to ensure that they do not share TCP ports.

Page 51: Installing Afaria

Getting Prerequisite Components

Get prerequisite components that you need to prepare for setting up an OTA Deployment Center. The third-party components required for the deployment center are not included with the Afaria product, as they are not subject to unlicensed distribution. You must obtain the products and licenses directly from their issuing party.

1 Visit the Afaria third-party component dependency reference page, where you can find version information and download instructions for obtaining the required components.

2 Obtain the components required for your Web server/OS environment:

• (Apache on Windows) Apache HTTP Server, a Web server

• PHP scripting engine

• PHPConcepts PclZip

Page 52: Installing Afaria

Installing Apache HTTP Server

Install the Apache HTTP Server, a Web server, if you are setting up an OTA Deployment Center to operate using Apache on a Windows OS. If you are setting up a deployment center to operate using Apache on a Linux OS, the OS is likely to have Apache already installed.

Complete the following procedures to install the Apache server:

1 Use the Windows installer (.msi) to install the server components. Choose the “typical” install option, supplying the specific network, server, and administrator email information for your particular server.

A typical installation installs the binaries, configuration and data files under the “C:\Program Files” folder. If your Windows environment has this folder locked, it may be necessary for you to use the “custom” install option and install to a different location or modify the Apache configuration after the installation is complete. Refer to the Apache documentation for further details.

2 Secure the Apache server. Although there are many methods for securing the Apache server, a minimum recommendation is that you edit the Apache configuration file (httpd.conf) to turn off the “Indexes” option for the directory root in order to prevent browsing. You can access the file via the Windows Programs menu, or you can locate it in the following path:

C:\Program Files\Apache Group\Apache2\conf

Place a dash (“-”) in front of the word “Indexes” in the root directory’s configuration. See the last line in the following excerpt from the configuration file.

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Program Files/Apache Group/Apache2/htdocs">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.0/mod/core.html#options
# for more information.
#
Options -Indexes FollowSymLinks

Page 53: Installing Afaria

Installing PHP Scripting Engine

Install the PHP scripting engine if you are setting up an OTA Deployment Center in either a Windows or Linux environment. The engine becomes part of the deployment center’s architecture.

1 Create a new folder named “PHP” under the following path:

C:\Program Files

2 Extract the contents of the PHP distribution zip file to the new folder.

Ensure that the directory structure contained in the zip file is preserved during extraction.

3 Edit the Apache configuration file (httpd.conf) to add the following directives.

LoadModule directives:

LoadModule php5_module "c:/Program Files/php/php5apache2.dll"
PHPIniDir "C:/Program Files/PHP"

AddType directive:

AddType application/x-httpd-php .php

4 Create a folder named “Includes” under the following PHP installation folder path:

C:\Program Files\PHP

5 Create a copy of file “php.ini-recommended”, from the root of the PHP installation folder, in the same folder.

6 Rename the copy to “php.ini”.

Page 54: Installing Afaria

7 Verify or edit php.ini settings as indicated in the following sample. Many of the required and recommended settings are already set. The convention of bracketed annotations (e.g. [Required]) is introduced only in this sample to provide supplemental information.

[Strongly recommended for security] set/verify register_globals=off
[Required] set post_max_size = 32M
[Required] set/verify magic_quotes_gpc=off
[Suggest, security reasons*] set safe_mode=on
safe_mode_gid=on
safe_mode_include_dir="C:\Program Files\PHP\Includes"
[Recommended for security] set open_basedir="C:\Program Files\PHP\Includes"
[Recommended for security] set file_uploads=off
[Recommended for security] set allow_url_fopen=off
[Required] set extension_dir="C:\Program Files\PHP\ext"
[Required] add extension=php_soap.dll to extensions list
[Required] set soap.wsdl_cache_enabled=1

* The setting “set safe_mode=on” requires additional settings if turned on. Please refer to the PHP documentation (including comments in php.ini) for more details.
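The step 7 settings can be checked mechanically once php.ini has been edited. The following Python script is an added example, not part of the Afaria product or this guide: it parses php.ini text and reports every required or recommended directive that is missing or differs from the values listed above. The function names and the sample file are constructed for illustration, and the expected paths assume the guide's Windows install locations; safe_mode is left out because the guide marks it as needing further settings.

```python
"""Audit php.ini text against the settings listed in step 7 of the guide."""

# Expected values copied from the guide's sample. The paths are the guide's
# Windows defaults and are an assumption for any other layout.
REQUIRED = {
    "post_max_size": "32M",
    "magic_quotes_gpc": "off",
    "extension_dir": r"C:\Program Files\PHP\ext",
    "soap.wsdl_cache_enabled": "1",
}
RECOMMENDED = {
    "register_globals": "off",
    "open_basedir": r"C:\Program Files\PHP\Includes",
    "file_uploads": "off",
    "allow_url_fopen": "off",
}
REQUIRED_EXTENSIONS = {"php_soap.dll"}

# Boolean spellings, folded to one form before comparing.
BOOLEANS = {"on": "on", "1": "on", "true": "on", "yes": "on",
            "off": "off", "0": "off", "false": "off", "no": "off"}


def parse_php_ini(text):
    """Return (settings, extensions) from php.ini text, ignoring comments."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]       # quoted: keep inner text
        else:
            value = value.split(";", 1)[0].strip()   # drop trailing comment
        if key == "extension":
            extensions.append(value.lower())
        else:
            settings[key] = value                    # keep the last one seen
    return settings, extensions


def normalise(value):
    """Fold case, slash direction and boolean spelling for comparison."""
    folded = value.replace("/", "\\").rstrip("\\").lower()
    return BOOLEANS.get(folded, folded)


def audit_php_ini(text):
    """Return a list of (level, directive, problem) tuples."""
    settings, extensions = parse_php_ini(text)
    findings = []
    for level, expected in (("required", REQUIRED), ("recommended", RECOMMENDED)):
        for key, want in expected.items():
            got = settings.get(key)
            if got is None:
                findings.append((level, key, "not set explicitly"))
            elif normalise(got) != normalise(want):
                findings.append((level, key, f"is {got}, guide lists {want}"))
    for ext in sorted(REQUIRED_EXTENSIONS - set(extensions)):
        findings.append(("required", "extension", f"{ext} is not loaded"))
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_INI = r"""
[PHP]
register_globals = On        ; deviates from the guide
post_max_size = 8M
magic_quotes_gpc = Off
file_uploads = Off
allow_url_fopen = Off
open_basedir = "C:\Program Files\PHP\Includes"
extension_dir = "C:/Program Files/PHP/ext"
;extension=php_soap.dll
extension=php_mbstring.dll
soap.wsdl_cache_enabled=1
"""

if __name__ == "__main__":
    for level, key, problem in audit_php_ini(SAMPLE_INI):
        print(f"[{level}] {key}: {problem}")
```
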

Page 55: Installing Afaria

Installing PHPConcepts PclZip

Install the PHPConcepts PclZip library if you are setting up an OTA Deployment Center in either a Windows or Linux environment. The library becomes part of the deployment center’s architecture.

The following procedures describe the installation process for a Windows operating system. You must adapt these procedures for a Linux environment.

1 Extract the contents of the PclZip distribution file into the following path:

C:\Program Files\PHP\Includes

This creates a new folder named “pclzip<version>”.

2 Rename the folder to “pclzip”.

3 Open the PHP configuration file (php.ini) located in the following path:

C:\Program Files\PHP

4 Locate the include_path setting that is associated with the Windows path setting. Modify it by removing the leading semi-colon and updating the path value to match your installation’s PclZip path, as shown in the following excerpt.

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;

; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
;
; Windows: "\path1;\path2"
include_path = ".;C:\Program Files\PHP\Includes\PclZip"

Page 56: Installing Afaria

Installing the Deployment Center for an IIS Web Server

Install the OTA Deployment Center files if you are setting up an OTA Deployment Center for an IIS Web server in a Windows OS environment. Install the deployment center files by running a setup program located on the product image.

1 From the IIS Web server, locate the setup program on the Afaria product image:

<product image>\OTADeploymentCenter\setup.exe

2 Launch the setup program and follow the wizard to completion.

Installing the Deployment Center for an Apache Web Server

Install the OTA Deployment Center files if you are setting up an OTA Deployment Center for an Apache Web server in either a Windows or Linux OS environment.

Installing the OTA Deployment Center requires that you manually copy a collection of source files from the Afaria product image onto the Apache Web server and edit some configuration text files. The path locations in this procedure are for a Windows environment. Adapt these paths for a Linux environment.

Complete the following procedures if you are installing the deployment center onto a new Web server, rather than integrating it with an existing one.

1 Under the PHP Includes folder (C:\Program Files\PHP\Includes), create the following folders:

• iAnywhere

• iAnywhere\OTA

• iAnywhere\OTA\download

• iAnywhere\OTA\management

2 Copy files from the Afaria product image to the new folders as follows:

• \Deployment Center\download\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\download\*.*

• \Deployment Center\management\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\management\*.*

• \Deployment Center\scripts\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\*.*

3 Modify the include_path setting in the PHP configuration file C:\Program Files\PHP\php.ini to add the location of the deployment center scripts, as shown in the following excerpt.

This is the same setting modified for the PclZip installation.

include_path = ".;C:\Program Files\PHP\Includes\PclZip;C:\Program Files\PHP\Includes\iAnywhere\OTA"

Page 57: Installing Afaria

4 Add the following excerpt to the end of the Apache configuration file (httpd.conf). The Apache configuration requires using the forward slash mark “/” in path statements for proper implementation.

### Afaria OTA Deployment Download and Management script directories
# Set "Options -Indexes" and "DirectoryIndex" to allow
# operation of script by access to directory only.
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download" >
Options -Indexes
DirectoryIndex OTADownload.php
</Directory>

Alias /Afaria/OTAmgmt "C:/Program Files/PHP/Includes/iAnywhere/OTA/management"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management" >
Options -Indexes
</Directory>

Deployment Center File Types

The OTA Deployment Center uses the following types of source files for executing different roles in product implementation:

• PHP Scripts – Executable scripts that do not change at runtime.

• Scripts exposed by the Web server – These scripts are separated into two categories so that you can apply different access permissions to each.

• Download – Contains one script file (OTADownload.php). This file is referenced by Afaria client download requests. It is suggested that you obfuscate it by making it the default (index) file for the directory. This location must be referenced by the Afaria server configuration properties.

• Management – Contains the script that implements the Web services used by the Afaria server. This location must be referenced by the Afaria server configuration properties.

• Deployment center implementation scripts – These scripts are included (used) by the download and management scripts. These scripts are not intended for direct access from the Web server. Direct access is reserved for the PHP script engine, as referenced by the PHP include_path directive.

• Deployment Center data files – Files that are modified by the system at runtime.

• Database files – Contains information about the set of files published to the deployment center for download. This location is referenced by the deployment center configuration.

• Deployment files – The set of files published for download to devices. This set of files is determined at runtime through the file publication management functions. There are two classifications of these files:

57

Page 58: Installing Afaria

Installing Afaria 6.6 FP1 Setting Up the OTA Deployment Center

• Indirectly accessed – These files are not directly accessible from the Web server, but are served by the download scripts. This location is referenced by the deployment center configuration.

• Directly accessed – These files are directly accessible from the Web server. They reside in sub-folders under the location of the download script.

• Log files – These files are written by the system for status, audit and debug logging. This location is referenced by the deployment center configuration.

Deployment Center File Locations

If you need to install and integrate OTA Deployment Center files with an existing Web server, rather than installing on a new Web server, you can modify file locations for the files that make up the deployment center. The following information describes the paths for the source files that make up the deployment center.

• Script locations:

  - Implementation scripts – <PHP include file root>/iAnywhere/OTA

  - Download scripts – <PHP include file root>/iAnywhere/OTA/download

  - Management scripts – <PHP include file root>/iAnywhere/OTA/management

• Data file locations, located under the implementation scripts directory:

  - Database files – <PHP include file root>/iAnywhere/OTA/database

  - Deployment files, indirect access – <PHP include file root>/iAnywhere/OTA/files

  - Deployment files, direct access – Automatically created folders under the location of the download scripts

  - Log files – <PHP include file root>/iAnywhere/OTA/logs
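The Apache excerpt and the file locations above imply one invariant: only the download and management directories are mapped to URLs, and both have directory listings disabled. The following Python check is an added example, not part of the Afaria guide or product; it audits httpd.conf text against that invariant, and its function names and the constructed misconfigured sample are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Default locations from the guide (PHP include file root = C:\Program Files\PHP\Includes).
OTA_ROOT = PureWindowsPath("C:/Program Files/PHP/Includes/iAnywhere/OTA")
DOWNLOAD = OTA_ROOT / "download"      # web-exposed: OTADownload.php
MANAGEMENT = OTA_ROOT / "management"  # web-exposed: Web services for the Afaria server

ALIAS_RE = re.compile(r'^Alias\s+(\S+)\s+"?([^"]+?)"?$', re.I)
DIR_OPEN_RE = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)


def is_under(child, parent):
    """True when child is parent itself or lies beneath it (Windows rules, case-insensitive)."""
    return child == parent or parent in child.parents


def parse_httpd(text):
    """Return (aliases, directories): URL prefix -> path, path -> lowercased directive lines."""
    aliases, directories, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIR_OPEN_RE.match(line)
        alias = ALIAS_RE.match(line)
        if opened:
            current = PureWindowsPath(opened.group(1))
            directories[current] = []
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            directories[current].append(line.lower())
        elif alias:
            aliases[alias.group(1)] = PureWindowsPath(alias.group(2))
    return aliases, directories


def audit(text):
    """Return findings for the deployment center; an empty list means the layout matches the guide."""
    aliases, directories = parse_httpd(text)
    findings = []
    for url, target in sorted(aliases.items()):
        if not (is_under(target, OTA_ROOT) or is_under(OTA_ROOT, target)):
            continue  # alias does not touch the deployment center tree
        if not (is_under(target, DOWNLOAD) or is_under(target, MANAGEMENT)):
            # Covers the OTA root, its parent folders, and database/, files/ and logs/.
            findings.append(f"{url}: exposes non-public deployment center path {target}")
            continue
        directives = [d.split() for d in directories.get(target, [])]
        if not any(d[0] == "options" and "-indexes" in d[1:] for d in directives):
            findings.append(f"{url}: directory listing not disabled (Options -Indexes)")
        if target == DOWNLOAD and ["directoryindex", "otadownload.php"] not in directives:
            findings.append(f"{url}: DirectoryIndex OTADownload.php is not set")
    return findings


# The excerpt from the guide, one directive per line.
GUIDE_CONF = """
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download">
    Options -Indexes
    DirectoryIndex OTADownload.php
</Directory>
Alias /Afaria/OTAmgmt "C:/Program Files/PHP/Includes/iAnywhere/OTA/management"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management">
    Options -Indexes
</Directory>
"""

# Constructed sample: the alias points at the OTA root (which also holds database/,
# files/ and logs/), and listings are left on for the management directory.
DRIFTED_CONF = """
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA">
    Options -Indexes
</Directory>
Alias /Afaria/OTAmgmt "c:/program files/php/includes/ianywhere/ota/management"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management">
    Options Indexes
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("guide", GUIDE_CONF), ("drifted", DRIFTED_CONF)):
        print(name, audit(conf) or "OK")
```

Pass the contents of the real httpd.conf to audit(), and adjust OTA_ROOT if the deployment center files were relocated as described in this section.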


Setting Up Access Control for Microsoft Exchange

Afaria Access Control for Microsoft Exchange adds a layer of protection to your Microsoft Exchange Server. It filters Exchange ActiveSync handheld device synchronization requests by the default and exception policies you define.

If you are licensed for Windows Mobile, Symbian, iOS, or Android:

1 Prepare clients according to type:

• (Android, Windows Mobile, Symbian clients) Connect clients to the Afaria server to report their Exchange identifying data.

• (iOS) Use the Data Views > Clients page to add iOS device definitions.

See Afaria Reference Manual | Platform > Creating Clients.

2 On the Afaria Administrator, use the Server Configuration > Properties > Exchange Access Config page to configure settings for the Afaria ISAPI filter that you will install on the Microsoft Exchange Server’s IIS Server.

See Afaria Reference Manual | Platform > Server Configuration > Properties > Exchange Access Config.

3 On the IIS Server that services your enterprise’s Microsoft Exchange Server, use the Afaria setup menu > Additional Installations > Access Control for Exchange option to install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter.

The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.


Afaria Access Control for Microsoft Exchange Architecture

The access control architecture includes integration points between the Microsoft Exchange environment and the Afaria environment. The Microsoft Exchange environment includes IIS and may be implemented as a multiserver environment.

Access Control for Exchange Architecture – ISAPI Filter Implementation

The diagram includes these items:

1 Afaria ISAPI filter – when a client connects for a Microsoft ActiveSync request, queries the Afaria PowerShell service to determine whether to allow or block the current client’s synchronization request.

2 Afaria PowerShell service – receives requests from the ISAPI filter and responds with the connecting client’s allow or block synchronization instruction. According to the polling interval, queries the Afaria server’s ISAPI filter listener to refresh the client and policy list.

3 Afaria server service – starts the Afaria ISAPI filter listener process.

4 Afaria ISAPI filter listener – receives requests from the Microsoft PowerShell service to refresh the client and policy list. Upon request, queries the Afaria database to compile a list of known devices and their associated policies and any defined policies for unknown devices.


Access Control for Exchange Architecture – Implementation in a Nonmultitenancy Environment

The diagram includes these items:

1 Microsoft Exchange environment with ISAPI filter on the IIS Server – allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter.

2 Afaria server with ISAPI filter listener – according to the polling interval, receives requests from the Exchange environment and responds with the most current list of clients and associated synchronization policies.


Access Control for Exchange Architecture – Implementation in a Multitenancy Environment

The diagram includes these items:

1 Tenant customer site’s Microsoft Exchange environment with ISAPI filter on the IIS Server – allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter. According to the polling interval, queries the Afaria environment to refresh the client and policy list.

2 (Optional) Relay server – serves as a proxy for communication from tenant sites to hosting site.

3 Hosting site – hosts the primary Afaria server components behind the hosting organization’s firewall.

4 Afaria server with ISAPI filter listener – responds to requests from the Exchange environment for a client and policy list with the most current list of clients and associated synchronization policies.


Installing the Afaria ISAPI Filter

Install and configure the ISAPI filter, with its supporting files and Afaria polling agent, on your Microsoft Exchange Server’s IIS Server, to begin enforcing the access control policies you defined on the Afaria server.

The Afaria Access Control for Microsoft Exchange feature requires that you install and register the Afaria ISAPI filter with its supporting files and Afaria polling agent onto the IIS Server that services your Exchange Server. ISAPI filters are DLL files that modify and leverage IIS functionality. The filter monitors all Exchange ActiveSync synchronization requests on behalf of Afaria, discarding any requests that do not meet your Afaria-defined policy for valid ActiveSync requests. The polling agent queries the Afaria server at defined intervals for a list of known devices and policies.

If you are operating a multitenant environment and plan to use a relay server for connections from each tenant’s Microsoft Exchange environment, you must first implement the relay server for your Afaria server, regardless of whether you plan to use it for Afaria client connections.

The filter, its supporting files, and the polling agent are removable.

1 Install the ISAPI filter on the IIS Server.

2 Set the authentication method for the filter.

Installing the ISAPI Filter on the IIS Server

Install the Afaria ISAPI filter on the Exchange Server’s IIS Server as part of the Afaria Access Control for Microsoft Exchange feature implementation.

Deliver this information to the IIS Server administrator for installation:

• ISAPI filter folder as provided on the Afaria product image. The folder contains the installation wizard. Choose the 32-bit or 64-bit folder to match the bit state of the IIS Server’s operating system.

• Afaria server address or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server.

• Afaria configuration data, including protocol, port, and host name data, as defined on the Afaria Administrator > Server Configuration > Properties > Exchange Access Config page.

1 On the IIS Server, store the ISAPI filter folder in a temporary directory on the IIS Server's local drive.

2 Open the folder and run the setup executable to open the Afaria ISAPI Filter Setup program wizard.

3 Follow the installation wizard until the installation is complete. The wizard includes these primary pages:

• Blocking Options – defines whether to block or allow synchronization requests that are initiated from sources other than handheld ActiveSync clients.


• Server Settings – address for the Afaria server or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server.

The farm ID you enter must match the Afaria server’s relay server farm ID. The relay server implementation for the ISAPI filter uses the farm ID you enter and appends “_IIS” to the string. Your relay server configuration file must have corresponding farm IDs defined for the Afaria server and the Afaria server’s ISAPI listener.

• Specify Credentials – specify the account name and password used to run the Afaria service on the Afaria server.

4 (Optional) To verify the filter properties, open the IIS Server's Default Web Site > Properties > ISAPI Filters tab. Look for filter name “XSISAPI.DLL” on the list.

You can also use the Microsoft Management Console to verify that the XSISAPI service, which corresponds to process XSSrvAny.exe, is started. The filter’s polling frequency back to the Afaria server is determined by Afaria server configuration settings for Exchange Access Control for the Exchange Server’s unknown device policy.

Setting the Authentication Method for the ISAPI Filter

Set the authentication method for the ISAPI filter to allow basic authentication for user names and passwords.

1 Open the Microsoft IIS Manager utility and navigate to <MicrosoftServerActiveSync> > Properties > Directory Security > Edit (Authentication and access control).

2 Set authentication properties for ISAPI filter operations:

• Enable anonymous access – disable

• Integrated Windows authentication – disable

• Basic authentication – enable

See Microsoft references for information about IIS Web Site authentication methods.

Files Installed With and Used By the ISAPI Filter

The installed ISAPI filter adds files and logging to the Exchange Server’s IIS Server.

Installing the Afaria ISAPI filter adds the following files to your IIS Server:

• IIS path: <IIS_InstallDir>

  - AfariaISAPIFilterUninstall.ini

  - PipeServer.ps1

  - HTTPSClient.ps1

  - InstUtil.dll

  - XSISAPI.dll

  - XSSrvAny.exe

• IIS path: <IIS_InstallDir>\bin

  - InstUtil.dll

Executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In turn, each of these creates an event in the Windows Application Event log. The entries indicate the start action and its log file location. Consider this example event log entry:

XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.

The Afaria ISAPI filter operations use and generate the following files on your IIS Server. The path for the files is described in the PipeServer.ps1 and HTTPSClient.ps1 startup Windows Application Event log entries.

• Devices.xml – list of Afaria Exchange access control clients known and managed by Afaria synchronization policies.

• (Temporary file) NewDevices.xml – iOS or Android devices that have connected to the Exchange Server for synchronization and need to send a unique Exchange identifying value to the Afaria server.

• HTTPS.txt – log file for HTTPSClient.ps1 operations. List of connections from IIS Server by the Afaria polling agent, back to the Afaria server to refresh the Devices.xml list.

• Pipe.txt – log file for PipeServer.ps1 operations. List of client synchronization requests indicating synchronization status 1 for allowed or 0 for denied.


Setting Up the SMS Gateway

Afaria uses the SMS gateway, for devices and Afaria clients that support SMS messaging, to deliver outbound notifications, remote wipe commands, Open Mobile Alliance (OMA) provisioning and server notification messages, and any other Afaria communication that is addressed for SMS routing.

1 Start the setup program.

2 On the setup menu, click Additional Installations and Resources > Access SMS Gateway Resources.

3 On the Afaria third-party component dependency reference page, find version information and download instructions for obtaining the Cygwin components.

SMS gateway operations use only some of the components of the Cygwin product. Therefore, the installation steps describe a manual process for installing only the component that the SMS gateway requires, rather than using the Cygwin installation program.

4 Use a decompression utility to decompress the BZ2 download packages from within the <download folder> folder. For each installation package file with file extension “BZ2”, the decompression yields one extracted file with file extension “tar”.

5 Extract the decompressed packages into the same download folder. The file extraction creates the following folders:

• <download folder>\usr – folder contains additional, nested folders.

• <download folder>\etc – folder contents are not used for SMS gateway operations.

6 Modify the Afaria Server environment to include the required libraries and tools by either 1) including “<download folder>\usr\bin” in the default system path or by 2) copying the following “<download folder>\usr\bin” files into the Afaria folder “<AfariaInstallation>\bin\SMSGateway”:

• cygcrypto-0.9.8.dll

• cygiconv-2.dll

• cygssl-0.9.8.dll

• cygwin1.dll

• cygxml2-2.dll

• cygz.dll

The default value for <AfariaInstallation> is “C:\Program Files\Afaria”.

7 Using Afaria Administrator, configure the SMS gateway interface to define connectivity between the Afaria Server that is hosting the SMS gateway and the Afaria SMS gateway.

See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Gateway Interface.

8 Using Afaria Administrator, define at least one SMSC Server Configuration entity.

See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Server Configuration.


SMS Gateway Third-Party Dependencies

The Afaria solution leverages the Cygwin product libraries and tools and other open source tools to implement its SMS gateway. The Cygwin product is a set of libraries and tools developed by Cygnus Solutions that creates a Unix-emulating environment on a Windows operating system.

Due to the nature of open source licensing practices, cited in the GNU General Public License, the libraries and tools cannot be distributed, installed, or licensed as part of a commercial product delivery. Therefore, it is your responsibility to obtain and install the required items on behalf of your organization to enable the SMS gateway operations in the Afaria solution.


Setting Up iOS Features

Install, configure, and validate the basic iOS implementation before adding optional functionality. Basic implementation is required for all iOS operations. Optional iOS features add security enhancements.

Installing the iOS Provisioning Server (Basic)

Install the iOS provisioning server without payload signing attributes as a required component for the iOS basic implementation. Record values as you complete the installation; you will need them for subsequent configuration tasks.

1 Start the setup program.

2 On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server.

3 On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server.

The provisioning server uses these credentials to contact the Afaria server for database credentials.

4 On the Specify Virtual Directory Names page, define these settings:

• Unauthorized virtual directory name – user-defined name, populated with a default value.

This is the first directory on the provisioning server to which clients connect.

• Authorized virtual directory name – user-defined name, populated with a default value.

This is the directory on the provisioning server that clients connect to after they are authenticated to complete the payload provisioning process.

5 On the Specify Server Address page, define the address for the Afaria server.

The Afaria iOS provisioning server uses this address to reach the Afaria server.

6 On the Specify Certificates for Signing page, unselect Sign Messages to disable the feature; it is not part of the iOS basic implementation.

7 Follow the setup wizard to completion.

The iOS provisioning server installation is now complete. The installation process also populates the iOS Server configuration page with corresponding values.

8 (Upgrade) If you installed the iOS provisioning server on a server other than the Afaria Administrator server, some files and services from the original iOS provisioning server are now abandoned on the Afaria Administrator server. On the Afaria Administrator server, prevent unwanted services from running by opening the Microsoft Component Services utility, and then stopping and disabling service “AfariaIPhoneServer.”


Configuring the Certificate Authority

Configure a Microsoft certificate authority (CA) as a required component for the iOS basic implementation.

Consult these essential references before and during configuration:

• Afaria system requirements – to learn about requirements for your CA’s operating system and connectivity within the Afaria iOS environment.

• Microsoft documentation resources – to learn how to set up your CA to comply with the Afaria system requirements, including disabling SCEP password prompting, and to complete the configuration.

See your Microsoft documentation.

After meeting operating system and connectivity requirements:

1 On the CA server, add the Active Directory Certificate Services role with these attributes:

• Role services

- Certification Authority

- Certificate Authority Web Enrollment, including the related Web Server IIS role services

- Network Device Enrollment Service

• Setup type – Enterprise

• CA type – Root CA

• Private key – create a new private key

• Cryptography

- Cryptographic key provider – RSA Microsoft Software Key Storage Provider

- Key character length – 2048

- Hash algorithm – SHA1

• CA name – common name and suffix are user-defined; record the common name for subsequent Afaria server property configuration

• Validity period – user-defined

• Certificate database – user-defined

2 Add the Web Server IIS role with at least the default role services.

3 Add the Network Device Enrollment Service with these attributes:

• User account – specify a user account that is also a member of the domain and the local IIS_IUSRS group

• Registration Authority (RA) information – user-defined; do not use any special characters

• Cryptography


- Signature key cryptography service provider (CSP) – Microsoft Strong Cryptographic Provider

- Key character length – 2048

- Encryption key CSP – Microsoft Strong Cryptographic Provider

- Key character length – 2048

4 (Windows Server 2008) After adding the required roles, disable per-certificate password prompts for connecting devices by updating the CA's SCEP password registry key:

• Key – HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword

• Type – DWORD

• Value – change from 1 to 0

5 Verify that the CA has the Microsoft SCEP configured with password prompting disabled.

Verify this requirement by using a Web browser or the CA server’s IIS Manager to open the SCEP enrollment page. If using IIS Manager, the path is Default Web Site > CertSrv > mscep > right-click Browse. Successful verification displays a certificate thumbprint. Failed verification displays a temporary password.

See “System Requirements and Release Notes” on page 9.


Optional iOS Implementation Features

iOS optional functionality adds security enhancements, but also increases the complexity of installation, configuration, and troubleshooting. Install, configure, and validate the basic iOS implementation before adding optional functionality.

Optional features include:

• Signed iOS configuration payloads

• Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module installed on the certificate authority (CA) to filter certificate requests

• Secure connections between the iOS provisioning server and the clients

• Secure connections between the CA and the clients

• Using the relay server as a proxy between clients and the CA or the iOS provisioning servers

Implement optional functionality as your requirements dictate.

See also:

• “Adding Payload Signing to the Basic iOS Implementation” on page 72

• “Installing the Afaria SCEP Plug-In Module on the CA” on page 75

• “Configuring Secure iOS Connections” on page 76

• “Configuring the Relay Server for iOS Connections” on page 77


Adding Payload Signing to the Basic iOS Implementation

Add payload signing as part of the optional iOS implementation to ensure that payloads are not tampered with during delivery, and to ensure that users cannot remove configuration policies from their devices.

The payload signing implementation relies on importing root and signing certificates onto the Afaria iOS provisioning server. You can either use certificates from a known certificate authority (CA), such as VeriSign or Thawte, or operate as a self-signing entity and use certificates from your own CA server.

Install, configure, and verify the iOS basic implementation.

To implement payload signing:

1 Obtain a root certificate from a known certificate authority or export it from your own CA server.

2 Obtain a signing certificate from the same CA source as your root CA.

3 Copy both certificates to a location accessible from the iOS provisioning server.

4 Reinstall the iOS provisioning server to enable signing and specify certificate information.

5 Use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings for your signing implementation.

See Afaria Reference Manual | Platform > Properties > iOS Server.

6 Restart the Afaria server.

7 Provision one or more test devices and observe the user interface to determine whether the certificate is untrusted or trusted.

The expected result, after a possible user authentication prompt, is either:

• Signed, but untrusted – the Apple Profile Service dialog is exposed to the user and indicates status “Not Verified.”

• Signed and trusted – the Apple Profile Service dialog is exposed to the user and indicates status “Verified.”

8 If untrusted and you require trust, deploy a root certificate to the client that matches the root certificate that the provisioning server is using and retry the provisioning.

Afaria iOS Signing Certificate Requirements

The Afaria iOS signing certificate must be an IP Security (IPSec) certificate in the X.509 standard and meet criteria to support Afaria iOS features, regardless of whether you get your certificate from a known certificate authority (CA) or operate as a self-signing entity and create your own signing certificate.

The IPSec signing certificate must meet these property requirements:

• Subject – define the subject name as type “common name.”

• General – define the common name “CN” and record the value for future use.

• Extensions – add all available options for key usage and extended key (also known as application policies) usage.

• Private key – select key size 1024 and make the private key exportable. The key type is allowed for exchanges.

Exporting the Root Certificate from Your CA

To operate as a self-signing entity for signing your iOS provisioning payloads, export the root certificate from your CA to be imported into your Afaria iOS provisioning server.

1 On your Windows CA server, open the Microsoft Management Console.

2 Use the Add/Remove snap-in feature to add the “Certificates” snap-in to manage certificates for a computer account.

3 From the Console Root pane, navigate the Certificates node > Trusted Root > Certificates to display the certificate list.

4 Select the root certificate for your CA server and launch the Certificate Export wizard.

5 Complete the wizard, meeting this requirement:

Certificate format – Distinguished Encoding Rules (DER) encoded binary X.509 (.cer)

Creating a Signing Certificate on Your CA

To operate as a self-signing entity for signing your iOS provisioning payloads, create a signing certificate on your CA and export it to be imported into your Afaria iOS provisioning server.

1 On your Windows CA server, open the Microsoft Management Console.

2 Use the Add/Remove snap-in feature to add the “Certificates” snap-in to manage certificates for a computer account.

3 From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list.

4 Launch the task for requesting a new certificate.

5 Define the certificate properties to meet the Afaria iOS signing certificate requirements.


Exporting the Signing Certificate from Your CA

To operate as a self-signing entity for signing your iOS provisioning payloads, export the signing certificate from your CA for import into your Afaria iOS provisioning server.

1 On your Windows CA server, open the Microsoft Management Console.

2 Use the Add/Remove snap-in feature to add the “Certificates” snap-in to manage certificates for a computer account.

3 From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list.

4 Select the signing certificate you created for iOS provisioning and launch the Certificate Export wizard.

5 Complete the wizard, meeting these requirements:

• Certificate format – Personal Information Exchange PKCS #12 (.pfx)

• Certificate inclusion – include all certificates in the certification path

Reinstalling Afaria iOS Provisioning Server for Signing

Reinstall the iOS provisioning server with payload signing attributes as part of the optional payload signing implementation.

Obtain a root certificate and a signing certificate, and copy both certificates to a location that is accessible from the iOS provisioning server.

1 On the iOS provisioning server, close all running programs.

2 On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server.

3 On the Specify Credentials, Specify Virtual Directory Names, and Specify Server Address pages, accept the values you previously defined for the basic implementation.

4 On the Specify Certificates for Signing page, select Sign Messages to enable the feature and define the signing attributes:

• CA Certificate Filename – the path and file name for the root certificate.

• Signing Certificate Filename – the path and file name for the signing certificate.

• Signing Certificate Password – enter and confirm the password associated with the signing certificate.

5 Follow the setup wizard to completion.

The iOS provisioning server installation is now complete.

Data is validated at the conclusion of the setup program as the process attempts to install the certificate. If you encounter errors at this point, retry the installation.


Installing the Afaria SCEP Plug-In Module on the CA

Install the Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module on the certificate authority (CA) to filter certificate requests.

The Afaria SCEP module is an optional plug-in for your CA that enhances security by prohibiting unknown devices from obtaining an enrollment certificate. If you do not use the Afaria SCEP plug-in, any device that provides a correctly formatted request can obtain an enrollment certificate.

1 On the CA server, start the setup program.

2 On the setup menu, click Additional Installations and Resources > iOS Installations > Install Afaria SCEP Plug-In Module.

3 On the setup program, enter database type and credentials.

4 On the setup program, choose an installation path and install the Afaria SCEP policy module.

5 On the CA, open Active Directory Certificate Services (ADCS). On your CA node, select Properties and the Policy Module tab, then select XSSCEPPolicyModule.dll.

6 Restart ADCS.

7 (Optional, recommended) Power off, and then on, the CA server.

Due to a known issue reported for the Microsoft CA restart ADCS operations, Sybase recommends turning the power off, and then on, to correctly enable the Afaria SCEP module.

After startup, the CA issues certificates only to the devices that are defined in the Afaria database.


Configuring Secure iOS Connections

Configure secure connections between your clients and your CA server, or between your clients and your Afaria iOS provisioning server, when you require SSL to encrypt the connection data. Configuring secure connections is part of the optional iOS implementation.

1 On either the Afaria iOS provisioning server or the CA server, use the IIS Certificate wizard to import a certificate and associate it with the port that clients use for a connection.

2 Use the IIS Manager utility to enable SSL for the appropriate Web site’s virtual directory.

For the provisioning server, the directory designated for unauthorized connections is the appropriate directory.

3 On the Afaria Administrator server, use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings to use HTTPS on connections.

See Afaria Reference Manual | Platform > Properties > iOS Server.


Configuring the Relay Server for iOS Connections

Optionally, set up a relay server to increase your enterprise network security. A relay server operates as a proxy for HTTP and HTTPS sessions between an Afaria server component, either the certificate authority (CA) server or the Afaria iOS provisioning server, and its clients. Clients connect to the relay server instead of directly to the Afaria server component.

1 Set up the relay server, including:

• Preparing the foundation for relay server operations by copying files and creating application pools.

• Editing the relay server configuration file [options] and [relay_server] sections for basic operations.

• Editing the relay server configuration file [backend_farm] and [backend_server] sections for the component server of interest, either the CA server or the provisioning server.

2 On the Afaria Administrator server, use the Afaria Administrator application Server Configuration > Properties > iOS Server page to configure the Afaria server’s settings for using the relay server.

See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Provisioning Server, Certificate Authority, and Relay Server for complete instructions.

3 For each component server, copy an instance of the relay server outbound enabler (RSOE) to launch for relay server operations.

See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Configuring the Relay Server for iOS Components for complete instructions.

See “Setting Up the Relay Server” on page 79.

Setting Up OMA DM Features

Install the OMA DM server as a required component for managing OMA DM clients.

1 Start the setup program.

2 On the setup menu, click Additional Installations and Resources > Install OMA DM Server.

3 On the Welcome window, click Next.

4 On the Directory Selection window, select the installation path, server ID, and virtual directory.

5 Click Install.

The wait time for installation may be lengthy, possibly in excess of 10 minutes.

See also:

• Afaria Reference Manual | Platform > Properties > OMA DM Server

• Afaria Reference Manual | Platform > Creating Clients > OMA DM Clients

Setting Up the Relay Server

Set up an optional relay server to increase your enterprise network security. A relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server, or one of its supported server components, and its clients. Using a relay server increases network security by moving the session connection point from within your firewall to a location outside of your firewall, to your Demilitarized Zone (DMZ).

Afaria supports using the relay server with any of the following Afaria server components:

• Afaria server

• OMA DM server

• Provisioning server for iOS features

• Certificate Authority server for iOS features

The following steps summarize the procedure for installing and configuring a relay server on an IIS Server:

1 Register the IIS user account on the planned relay server with ASP.NET.

2 Copy relay server files from the Afaria product image to your planned relay server.

3 Create IIS application pools on the relay server.

4 Update the relay server’s IIS configuration.

5 Create a relay server configuration file to reside on the relay server.

6 Update your Afaria configuration settings to begin using the relay server.

7 Make your first connection to the relay server.

Use your Microsoft IIS Server documentation as a reference for additional IIS procedures.

Registering the IIS User Account with ASP.NET

Register the IIS user account on the planned relay server with ASP.NET to assign it appropriate rights for Afaria operations. Afaria operations use the relay server’s IIS built-in user account named IUSR_<MachineName> for gaining anonymous access to Internet Information Services. This account must meet the following criteria:

• have access to the IIS metabase and other directories used by IIS.NET

• be a member of the IIS built-in user group IIS_WPG

Using Afaria’s relay server is not a requirement in your Afaria environment; it is bundled with the Afaria product on the product installation image as an optional component.

Refer to Afaria Reference Manual | Platform > What is Afaria? > “About the Relay server” to learn more about the relay server, including a diagram and discussion of its components.

1 Navigate to the relay server command path:

C:\Windows\Microsoft.Net\Framework\<Version>

If you are operating your IIS Server with more than one version of ASP.Net, choose the version that you are using to run your Web site.

2 Execute the ASP.NET registration command on the relay server with the grant access option:

Command: aspnet_regiis.exe -ga IUSR_<MachineName>

The command is an example of the registration command with the grant access option that is valid for ASP.Net 2.0.5. The command for your version of ASP.Net may differ.

Refer to your Microsoft IIS Server and ASP.NET product documentation for more information about the IIS user and group and using the registration command.

Copying Relay Server Files

Copy relay server files from the Afaria product image to the planned relay server to make them available for use. The Afaria product image includes a folder of files that you need for setting up your relay server on an IIS Server.

1 Locate the files on the Afaria product image:

Copy folder: <product image>\relay_server\ias_relay_server

2 Copy folder “ias_relay_server” from the product image to the IIS Server’s home directory (e.g. C:\Inetpub\wwwroot). Ensure that you copy the folder, rather than just the files in the folder.

Creating IIS Application Pools

Use your relay server’s IIS Manager utility to create IIS application pools and application directories for the Afaria Server Web service and the Afaria Client Web service that run on the relay server. After creating the pools and the application directories, associate each Web service with its respective application pool.

The following steps summarize the procedure for creating application pools:

1 Create a server application pool and associated application directory.

2 Create a client application pool and associated application directory.

3 Add Afaria Web service extensions to the IIS Server.

Refer to your Microsoft IIS Server documentation for additional IIS information.

Creating a Server Application Pool

Create a server application pool and an associated application directory on the planned relay server to process requests from an Afaria server.

1 Create an application pool with a user-defined Pool ID.

2 Assign the pool the following properties:

• Recycling > Recycle worker processes (minutes) – Disabled

• Performance > Idle timeout – Disabled

• Performance > Request queue limit – Disabled

• Performance > Web garden – A minimum of twice the number of servers making requests

• Health > Enable pinging – Disabled

• Health > Enable rapid-fail protection – Disabled

3 Select Web Sites in the IIS Manager’s left pane and navigate to Default Web Site > ias_relay_server > Server > right-click Properties > Directory.

4 Create an application directory with the following attributes:

• Execute permissions – Scripts and executables

• Application pool – Use the Pool ID that you created for the application pool

Creating a Client Application Pool

Create a client application pool and an associated application directory on the planned relay server to process requests from an Afaria client.

1 Create an application pool with a user-defined Pool ID.

2 Assign the pool the following properties:

• Recycling > Recycle worker processes (minutes) – Disabled

• Performance > Idle timeout – Disabled

• Performance > Request queue limit – Disabled

• Performance > Web garden – At least twice the number of servers making requests, but no less than 5

You may want to increase the value if client connections are frequently dropped or if clients experience bad throughput during sessions.

• Health > Enable pinging – Disabled

• Health > Enable rapid-fail protection – Disabled

3 Select Web Sites in the IIS Manager’s left pane and navigate to Default Web Site > ias_relay_server > Client > right-click Properties > Directory.

4 Create an application directory with the following attributes:

• Execute permissions – Scripts and executables

• Application pool – Use the Pool ID that you created for the application pool

Adding Web Service Extensions to IIS

Add Web service extensions to identify and allow the server and client relay server requests.

1 In the IIS Manager’s left pane, select Web Service Extensions.

2 Add the Afaria Server Web service as a valid extension with the following attributes:

• Extension name – User-defined name for the server extension

• Required files – ias_relay_server\server\rs_server.dll

• Set extension status to Allowed – Enabled

3 Add the Afaria Client Web service as a valid extension with the following attributes:

• Extension name – User-defined name for the client extension

• Required files – ias_relay_server\client\rs_client.dll

• Set extension status to Allowed – Enabled

Updating the Relay Server’s IIS Configuration

Run the relay server’s IIS adsutil.vbs script to define the IIS Server client request buffer handling for the application pool.

1 Locate the adsutil.vbs script.

Script location example: C:\Inetpub\AdminScripts

2 Run the script to set the UploadReadAheadSize property.

Script command: cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 0

The command returns the current value of the uploadreadaheadsize variable.

Editing the Relay Server Configuration

A sample configuration file is provided with the relay server files that you copied from your Afaria product image. Edit the sample with settings for your environment.

1 Locate the sample configuration file.

Location: <wwwroot location>\ias_relay_server\server\rs.config

2 Using a text editor, edit the configuration file’s [options] and [relay_server] sections for the relay server’s basic operations.

3 For each server component that you want relay server to support, edit or create sections [backend_farm] and [backend_server] with settings for your environment, according to the configuration file definitions.

4 Start the relay server.

See also:

• “Configuration File Definitions for Basic Operations” on page 85

• “Configuration File Definitions to Support Server Components” on page 86

• “Starting and Restarting the Relay Server” on page 90

The configuration file must contain only ASCII characters.

Sample configuration file rs.config, part 1 of 2. The actual file is a single, continuous file. The file is represented here in two parts for the sake of page formatting.

    #-------------------------------------
    # Relay server
    #-------------------------------------
    [options]
    start = auto
    verbosity = 1

    # Note: When auto start is used, the default log file is
    # <tmpdir>\ias_relay_server_host.log while rshost is active.
    # The value of <tmpdir> is filled using the following environment variables
    # searched in this order:
    # SATMP
    # TMP
    # TMPDIR
    # TEMP

    #--------------------
    # Relay server
    #--------------------

    [relay_server]
    enable = yes
    host = 123.45.6.78
    http_port = 80
    https_port = 443
    description = Machine #1 in RS farm

Sample configuration file rs.config, part 2 of 2

    #---------------
    # Backend farms
    #
    # Notice that the case sensitive farmID must match the farmID set in the Afaria Administrator's
    # relay server configuration page. Default value in Afaria is farmID=Afaria.
    #---------------

    [backend_farm]
    enable = yes
    id = farmID
    description = Afaria Farm

    #-----------------
    # Backend servers
    #
    # id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
    # on your afaria server
    #-----------------

    [backend_server]
    enable = yes
    farm = farmID
    id = sc
    token = zyyxpj22p

Configuration File Definitions for Basic Operations

The relay server configuration file rs.config consists of several sections, each indicated by the “[section]” convention. Define sections [options] and [relay_server] for basic relay server operations. The remaining sections are for supported server components. Restart the relay server engine (rshost.exe) and its supporting components any time you make changes to the configuration file.

Section: [options] – General options for relay server operations.

• start – Set value to “auto” to automatically start the relay server engine when an Afaria server connects successfully.

• verbosity – Controls the level of logging. Logs always include errors. Log levels 1-5 always include warnings.

• 0 – No logging

• 1 – Session-level logging

• 2 – Request-level logging

• 3 – Packet-level logging, terse

• 4 – Packet-level logging, verbose

• 5 – Transport-level logging

Section: [relay_server] – Identifies your relay server and its respective ports for HTTP and HTTPS communications. The relay server’s ports must match IIS Server’s ports.

• enable – Controls whether the relay server operates.

• yes – Operate.

• no – Do not operate.

• host – Relay server’s own IP address or host name.

• http_port – Set value to match the relay server’s IIS setting for HTTP communications.

• https_port – Set value to match the relay server’s IIS setting for SSL communications.

• description – User-defined description.

See “Starting and Restarting the Relay Server” on page 90.

Configuration File Definitions to Support Server Components

The relay server configuration file rs.config consists of several sections, each indicated by the “[section]” convention. To configure the relay server to support any of the Afaria operations, such as Afaria server or OMA DM server, define sections [backend_farm] and [backend_server] for each of those server components. Restart the relay server engine (rshost.exe) and its supporting components any time you make changes to the configuration file.

Afaria supports using the relay server with any of the following Afaria server components:

• Afaria server

• OMA DM server

• Provisioning server for iOS features

• Certificate Authority server for iOS features

Section: [backend_farm] – Creates a single, case-sensitive identifier for a component server environment, regardless of whether you are operating a single component server or a farm of component servers.

• enable – Controls whether the farm operates.

• yes – Operate.

• no – Do not operate.

• id – User-defined, case-sensitive value for identifying a server farm. Each farm in the relay server configuration file must have a unique ID.

• description – User-defined description.

• client_security – Specifies the secure communication protocol requirement for clients connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.

• on – HTTPS is required.

• off – Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.

• backend_security – Specifies the secure communication protocol requirement for component servers connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.

• on – HTTPS is required.

• off – Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.

Section: [backend_server] – Identifies a single component server to the relay server. You must have one [backend_server] section for each component server in your component server environment.

• enable – Controls whether the server operates.

• yes – Operate.

• no – Do not operate.

• Farm – The case-sensitive farm value is the same for each server. Use the same farm ID as from section [backend_farm].

• ID – The ID value is unique for each server in the farm.

If a server hosts more than one supported server component, then all server IDs on the host must be unique. For example, if a server hosts both an Afaria server and an OMA DM server, and both are defined in separate farms in the relay server configuration file, then the server IDs used for the two server components must be different.

• Token – The token is any string that you create. Use the same token value for each server in a farm.

Configuration for Afaria Server

Defining the relay server configuration file to support an Afaria environment requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following items when defining the relay server configuration file [backend_farm] and [backend_server] sections.

• Section: [backend_farm]

id – User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the farm ID you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page. On the Relay Server page, the default value is “afaria”.

• Section: [backend_server]

• ID – Define the server ID value to match the TransmitterID value defined in each Afaria server’s registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.

• Token – The farm token you define must match the farm token you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page.

Configuration for OMA DM Server

Defining the relay server configuration file to support one or more OMA DM servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.

id – User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the Farm ID you define on the Afaria Administrator > Server Configuration > Properties > OMA DM Server page.

Configuration for Access Control for Exchange Feature’s ISAPI Filter

Defining the relay server configuration file to support one or more ISAPI filters requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.

id – Syntax is <AfariaServerFarmID>-IS, where AfariaServerFarmID is the same farm ID you define for the Afaria server in the relay server configuration file, and “-IS” is a suffix. For example, if you define your Afaria server farm ID as “Afariafarm,” then define your ISAPI filter’s farm ID as “Afariafarm-IS” to match.

Configuration for iOS Provisioning Server

Defining the relay server configuration file to support one or more iOS Provisioning servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.

id – User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for PS you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.

Configuration for iOS Certificate Authority Server

Defining the relay server configuration file to support one or more iOS Certificate Authority servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.

id – User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for CA you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.

See “Starting and Restarting the Relay Server” on page 90.

Configuration File Implementation ExamplesThe following environment models indicate the structure of the relay server configuration file needed to match different sample Afaria server environments.

• Single Afaria server – In an environment that includes a single relay server supporting a single Afaria server, the configuration file includes one instance of each section:

• [options] – one instance

• [relay_server] – one instance

• [backend_farm] – one instance

• [backend_server] – one instance

• Afaria server farm with four servers – In an environment that includes a single relay server supporting an Afaria server farm with four servers, the configuration file includes the following sections:

• [options] – one instance

• [relay_server] – one instance

• [backend_farm] – one instance

• [backend_server] – four instances

• Single Afaria server plus an Afaria server farm with four servers – In an environment that includes a single relay server supporting a single Afaria server and an Afaria server farm with four servers, the configuration file includes the following sections:

• [options] – one instance

• [relay_server] – one instance

• [backend_farm] – two instances

• [backend_server] – five instances
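
The rules in the configuration file definitions and implementation examples above (ASCII only, one [options] and one [relay_server] section, unique case-sensitive farm IDs, one shared token per farm, client_security and backend_security defaulting to off) can be checked before the relay server is restarted. The Python script below is an added example, not part of the Afaria product or the original guide; the sample host, IDs and tokens are constructed, and it assumes client_security and backend_security appear as key = value lines inside [backend_farm].

```python
from collections import Counter, defaultdict

# Constructed sample: one relay server in front of a single-server farm and a
# four-server farm. Host, IDs and tokens are made up; three defects are planted.
SAMPLE = """\
[options]
start = auto
verbosity = 1

[relay_server]
enable = yes
host = 192.0.2.10
http_port = 80
https_port = 443
description = Machine #1 in RS farm

[backend_farm]
enable = yes
id = Afaria
client_security = on
backend_security = on

[backend_farm]
enable = yes
id = AfariaFarm
client_security = on
""" + "".join(
    f"\n[backend_server]\nenable = yes\nfarm = {farm}\nid = tx{n}\ntoken = {token}\n"
    for n, farm, token in [
        (0, "Afaria", "constructed-token-a"),
        (1, "AfariaFarm", "constructed-token-b"),
        (2, "AfariaFarm", "constructed-token-b"),
        (3, "afariafarm", "constructed-token-b"),  # defect: farm ID case differs
        (4, "AfariaFarm", "constructed-token-x"),  # defect: token differs in farm
    ]
)  # third defect: farm AfariaFarm omits backend_security, so the default applies


def parse_rs_config(text):
    """Return [(section, {key: value}), ...] in file order."""
    # Sections repeat, so configparser cannot be used. '#' opens a comment only at
    # line start (values such as 'Machine #1 in RS farm' contain it). Lower-casing
    # section and key names is an assumption of this example.
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def lint_rs_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not text.isascii():
        findings.append("file contains non-ASCII characters")
    sections = parse_rs_config(text)
    counts = Counter(name for name, _ in sections)
    for name in ("options", "relay_server"):
        if counts[name] != 1:
            findings.append(f"expected one [{name}] section, found {counts[name]}")
    farms = [kv for name, kv in sections if name == "backend_farm"]
    servers = [kv for name, kv in sections if name == "backend_server"]
    farm_ids = Counter(farm.get("id", "") for farm in farms)
    for farm_id, n in farm_ids.items():
        if n > 1:
            findings.append(f"farm ID {farm_id!r} is defined {n} times")
    for farm in farms:
        for key in ("client_security", "backend_security"):
            # An omitted setting means the default, off: HTTP is accepted.
            if farm.get(key, "off").lower() != "on":
                findings.append(f"farm {farm.get('id')!r}: {key} is off, HTTP is accepted")
    tokens, server_ids = defaultdict(set), Counter()
    for srv in servers:
        farm_id, srv_id = srv.get("farm", ""), srv.get("id", "")
        if farm_id not in farm_ids:  # case-sensitive, as the guide requires
            findings.append(f"server {srv_id!r}: farm {farm_id!r} has no [backend_farm]")
        tokens[farm_id].add(srv.get("token", ""))
        server_ids[(farm_id, srv_id)] += 1
    for (farm_id, srv_id), n in server_ids.items():
        if n > 1:
            findings.append(f"farm {farm_id!r}: server ID {srv_id!r} is used {n} times")
    for farm_id, seen in tokens.items():
        if len(seen) > 1:
            findings.append(f"farm {farm_id!r}: servers use {len(seen)} different tokens")
    return findings


if __name__ == "__main__":
    for finding in lint_rs_config(SAMPLE):
        print("FINDING:", finding)
```

An empty list from lint_rs_config means the file passed these checks; the values that must match the Afaria Administrator pages and the TransmitterId registry key still have to be compared by hand.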

Starting and Restarting the Relay Server

Restart the relay server any time the relay server is already running and you change the relay server configuration file or have another reason to restart the relay server engine. Restarting the relay server updates its configuration, as per the configuration file, without restarting IIS and without causing any disruption to other IIS applications.

The relay server starts automatically when configured to do so as part of its basic operations. The automatic start feature is defined when you use the start=auto attribute in the relay server’s configuration file [Options] section. The IIS Server must be running before the automatic start feature can take effect.

1 On a command line, use DOS command Change Directory to navigate to the Afaria Server Web service extensions folder, typically IIS path inetpub\wwwroot\ias_relay_server\server:

CD <WebServiceFolder>

2 Issue the rshost restart command:

rshost.exe -u -qc -f rs.config

You may want to create a batch file for the commands and store it in a convenient location in your relay server environment.

See “Configuration File Definitions for Basic Operations” on page 85.

Documentation Resources for Updating Afaria Configuration

For Afaria-related server components and clients, update your Afaria environment’s configuration settings to begin using the relay server. You need to align several configuration settings with values in the relay server’s configuration file. It may be helpful to have a copy of the file for reference.

Refer to Afaria Reference Manual | Platform for more information about configuring Afaria server components and clients to work with the relay server.

Planning for Adding a Relay Server to Your Afaria Environment

Adding a relay server to your Afaria environment required product development changes to both server-side settings and operations and client-side settings and operations. Therefore, using a relay server has Afaria client upgrade implications.

It is recommended that you upgrade all clients prior to starting relay server operations.

1 Upgrade the Afaria server.

2 Connect clients to the server to receive a client update.

3 Begin relay server operations.

4 Configure clients for relay server operation using one of the following methods:

• New client installations – Create new client installation packages with relay server information as the seed data. Install and connect new clients.

• Update client configuration – Update client configuration settings with relay server information. Connect clients.

Configuring Upgraded Clients with Relay Server Data

For customers that are licensed for Session Manager and have upgraded clients that require a configuration update to seed relay server connection data, you can automate the client update.

Consider the following upgrade strategy, as described for Windows Mobile clients:

1 Configure the relay server information on your upgraded Afaria server.

2 Create a new client package with relay server seed data.

3 Install the client on a test device.

4 Use Session Manager to extract the values for the client’s relay server data registry keys HKLM\Software\Afaria\Afaria\Client\Config “RSFarmID” and “RSInfo”.

5 Use Session Manager to update the client configuration data for upgraded devices that need the relay server data.

Relay Server Bypass

Even after your relay server is operational, the Afaria server continues to support direct client connections. If it is appropriate for your environment, you may allow clients to continue to connect to the Afaria server directly. Afaria clients are still able to initiate connections directly with the Afaria server, bypassing the relay server altogether.

Installing Afaria 6.6 Feature Pack 1

Install Afaria 6.6 Feature Pack 1 (FP1) to add new functionality to your existing Afaria 6.6 installation.

Validate your Afaria 6.6 operations before installing FP1.

FP1 includes these enhancements:

• Afaria Access Control for Microsoft Exchange

• iOS management

• Application management for iOS and Android clients

Follow the installation procedures that match the features and clients for which you are licensed. If you are licensed for all the enhancements, then follow a combination of the installations.

Installing FP1 for Afaria Access Control for Microsoft Exchange

If you are licensed for Windows Mobile, Symbian, iOS, or Android, install the access control update.

1 (iOS) Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange Access Policy to review your current default policy and time frame settings.

2 Stop Afaria services on your server or farm.

3 On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.

4 On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.

5 On the Afaria Administrator server, run the FP1 administrator setup program.

6 Start Afaria services on your server or farm.

7 Revisit Server Configuration > Properties > Exchange Access Policy page to review your upgraded iOS settings and new policy options. Change any settings as is appropriate for your requirements.

8 Prepare clients according to type.

• (iOS) Use Data Views > Clients to change the access control policy for any iOS devices as is appropriate for your requirements.

• (Android, Symbian, Windows Mobile) Connect clients to the Afaria server to report their Exchange identifying data.

9 On the IIS server that services your enterprise’s Microsoft Exchange Server, install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter.

The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.

Installing FP1 for iOS Management

If you are licensed for iOS clients, install the iOS Mobile Device Management (MDM) management update.

iOS MDM management requires that you obtain an Apple iOS Developer Program enterprise certificate (.p12) with push notification privileges, an Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate (.cer), and an Apple root certificate (.cer), as licensed to your enterprise by Apple.

1 On the Afaria server, using either the Microsoft Management Console with the Certificates snap in for the local computer, or the Afaria Install Apple Push Certificate utility (<ServerInstallationDirectory>\Bin\InstallPushCert.exe), install the Apple certificates in the appropriate certificate stores.

• Apple root certificate – trusted root store

• Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate – trusted root store

• Apple iOS Developer Program enterprise certificate – personal store

If using the Afaria utility, and the iOS provisioning server is installed on the same server, and you want to enable the possibility of signing iOS provisioning payloads with your Apple enterprise certificate, select Modify ACL to modify the Windows Access Control List to grant read-only privileges to iOS components that require it.

2 Stop Afaria services on your server or farm.

3 On the Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.

4 On the Afaria server, starting with the master server if you have a farm, run the FP1 server setup program.

5 On the Afaria Administrator server, run the FP1 administrator setup program.

6 On the Afaria iOS provisioning server, run the FP1 provisioning server setup program.

7 Start Afaria services on the server or farm.

8 In the Afaria Administrator application, select Server Configuration > Properties > iOS Notification page to add your Apple iOS Developer Program certificate.

See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server.

9 In the Afaria Administrator application, select Server Configuration > Properties > iOS Server page to verify or modify the addresses for using the Apple Push Notification Service for notifications and feedback services, as provided by Apple as part of the iOS Developer Program.

See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Notification.

10 Restart the Afaria server.

11 In the Afaria Administrator application, select Data Views > Clients, right-click an iOS client and select Outbound notification > Provision device to force a device to connect and receive a management policy.

The device user must allow the policy to install to begin MDM management.

Verify management status by reviewing the new client inventory data added as a result of MDM management.

Installing FP1 for Application Management

If you are licensed for iOS or Android clients, install the application management update.

For more robust iOS application management, install FP1 for iOS management prior to installing FP1 for application management.

1 If you created any portal application packages in Afaria 6.6 before installing FP1, open the Afaria Administrator application and select Administration > Policies and Profiles page and delete any packages you created.

Packages created prior to installing FP1 are rendered invalid when you install FP1.

2 Stop Afaria services on your server or farm.

3 On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.

4 On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.

5 On the Afaria Administrator server, run the FP1 administrator setup program.

6 On your planned portal server, run the FP1 portal package server setup program, recording the server’s virtual directory and address.

7 Start Afaria services on your server or farm.

8 In the Afaria Administrator application, select Server Configuration > Properties > Portal Package Server page to verify the portal package server’s virtual directory and address.

See Afaria Reference Manual | Platform > Server Configuration > Properties > Portal Package Server.

9 Restart the Afaria server.


See also:

• Afaria Reference Manual | Platform > Administration > Portal Packages > Managing Packages.

• Afaria Reference Manual | Platform > Administration > Portal Packages > Package Category – Application.

Installing the Portal Package Server

Install the portal package server as the primary component for portal package features. Record values as you complete the installation; you will need them for subsequent configuration tasks.

1 On the planned portal package server, close all running programs.

You can install the portal package server on the same server as the Afaria Administrator server or on a separate server.

2 Locate the Afaria portal package server setup file (.exe), distributed with the feature pack.

3 On the Directory Selection page, accept the default location or click Browse to navigate to a new location.

4 On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server.

The provisioning server uses these credentials to contact the Afaria server for database credentials.

5 On the Specify Virtual Directory Name page, define these settings:

• Virtual directory name – user-defined name, populated with a default value.

• Use Windows Authentication – select to use Windows Integrated Authentication for client connections.

If selected, users are prompted for credentials when they use the package features on their device.

6 On the Specify Server Address page, define the address for the Afaria server.

The portal package server uses this address to reach the Afaria server.

7 Follow the setup wizard to completion.

The portal package server installation is now complete. The installation process also populates the Portal Package Server configuration page with corresponding values.


Upgrading Android Clients from 6.6 to 6.6 FP1

Uninstall the Android client prior to installing the Afaria Client application (Afaria agent) from the Android Market.

1 On the device, deactivate the privilege associated with the Afaria application (Settings > Location and Security > Device Administrators).

2 Uninstall the Afaria agent.

3 Navigate to the Android Market and install the Afaria Client application (Afaria agent).


Create Client Installation Wizard

Some Afaria client types require an installed Afaria agent to support Afaria management. After the agent is installed on the device, the device can connect to the Afaria server. Use the Afaria Create Client Installation program to create Afaria agent installation packages and then use one of Afaria’s deployment methods to get the agent onto the computing device for installation.

The Afaria Create Client Installation program is located on your Afaria server.

Start > Programs > Afaria > Afaria Create Client Install

This wizard guides you through creating an Afaria agent installation package. Based on client type and your environment, you can choose different options that allow you to deploy the agent via a companion PC, a network, or the OTA Deployment Center.


Updating Passwords and Accounts on the Afaria Server

Without reinstalling the Afaria server, change the user account and password associated with the Afaria server service, or the user password associated with the database, to meet your requirements.

1 Close all Afaria programs.

2 Using a command line, run the setup program (“setup”) with parameters to change the service account or password.

The setup program accepts parameters in any order. Available command-line parameters:

• -Maintenance – required for all commands

• -ServiceAccount="name" – required if changing the user account and password associated with the Afaria server service

• -ServicePassword="password" – required if changing the user account and password associated with the Afaria server service

• -DatabasePassword="password" – required if changing the database user account password

3 Allow the program to run to completion.

The Afaria setup program runs silently. It may take several minutes to complete. You may not know when it has finished unless you watch the task list or run the setup from a batch file. To check for errors, see C:\silent.log.

Afaria Server Command-Line Password Update Syntax Examples

The Afaria command-line setup program accepts parameters in any order.

Examples:

• setup -Maintenance -DatabasePassword="password"

• setup -Maintenance -ServiceAccount="name" -ServicePassword="password"

• setup -Maintenance -DatabasePassword="password" -ServicePassword="password2"
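The database password change described above, wrapped so that the password is prompted for rather than stored in a batch file, and so that the silent run is waited on before C:\silent.log is checked. This PowerShell is an added example, not part of the Sybase guide; the setup.exe location is an assumed placeholder, and the password is still present on the setup process command line while it runs.

```powershell
# Added example. -Maintenance, -DatabasePassword and C:\silent.log come from
# the guide; the setup.exe location is an assumed placeholder.
$SetupExe = 'C:\AfariaSetup\setup.exe'   # assumption: adjust to your install media
$LogPath  = 'C:\silent.log'
$started  = Get-Date

# Prompt for the password so it is never written into a script or batch file.
$secure = Read-Host -Prompt 'New Afaria database password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # The value is wrapped in double quotes on the command line, so an
    # embedded double quote would split the argument.
    if ($plain.Contains('"')) {
        throw 'Password contains a double quote and cannot be passed in -DatabasePassword="...".'
    }

    $setupArgs = @('-Maintenance', "-DatabasePassword=`"$plain`"")

    # setup runs silently; -Wait blocks until it exits, so there is no need
    # to watch the task list.
    $proc = Start-Process -FilePath $SetupExe -ArgumentList $setupArgs -Wait -PassThru
    Write-Host "setup exited with code $($proc.ExitCode)"
}
finally {
    # Wipe the unmanaged plaintext copy and drop the managed reference.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
    $setupArgs = $null
}

# Review the log only if this run actually wrote to it.
if ((Test-Path $LogPath) -and ((Get-Item $LogPath).LastWriteTime -ge $started)) {
    Get-Content $LogPath
} else {
    Write-Warning "$LogPath was not updated by this run; confirm that setup started."
}
```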


Removing Afaria Components

Remove Afaria software components as needed by using the Microsoft Add/Remove Programs utility. If you are removing the Afaria server, any instance of Afaria Administrator or Afaria Windows client is removed at the same time.

Removing the Afaria server deletes the software component and all defined channels but preserves the Afaria database.

The OTA Deployment Center is an independent component that you need to remove separately from the Afaria software components.

1 Close all Afaria programs.

2 Stop all Afaria-related services.

3 Using the Microsoft Add/Remove Programs utility, select the component and remove it.

The most common reasons for the step to fail are:

• An Afaria program or related service is still running. Stop the programs and related services and retry the step.

• Windows Explorer or some other program is using the Afaria installation directory. Close all programs, then restart the machine and retry the step.

• Afaria system folders are shared with client users. Remove the share from the folder and retry the step.

4 If removing a replication server from a server farm environment, delete the server’s entry from the farm’s A_SERVER database table.

If you do not delete this server from the database, it continues to appear in the channel replication window in Afaria Administrator as an available server, even though it is no longer an eligible target for replication.
