Prepare Windows Server for Identity Maestro

Identity Maestro is a simpler way for busy network and IT administrators to delegate user identity management and privileged access management tasks to front line staff using a powerful web portal tool. This guide provides details about preparing a Windows server for hosting an Identity Maestro server installation.

Issued April 2019

Contents

Welcome to this guide
Host Server Minimum Requirements
SSL Options
Firewall Settings
Prepare Connection Service Accounts
    Active Directory
    Azure AD / Office 365
    eDirectory
Prepare Windows 2019 / 2016 / 2012 Server to Host Identity Maestro
    Add Server Roles and Features
Prior to Installing Identity Maestro
    If Exchange 2013 CU 15+ is a Target System
    If Office 365 is a Target System
    If eDirectory 8.8 or 9 is a Target System
    Other Target Systems


Welcome to this guide

This guide provides information necessary to prepare the Windows server and environment that will host Identity Maestro and to prepare the target systems that Identity Maestro will manage.

Host Server Minimum Requirements

The Windows server that will host an Identity Maestro installation must meet the following system requirements.

• Operating System: Windows 2019, 2016, and 2012 R2 (Standard, Enterprise or Data Center editions). The OS must be activated.

• Disk space:

  • Minimum of 2 GB above OS requirements. 10+ GB recommended.

  • Installation on a non-system drive is recommended.

• Memory: 2 GB+ above OS requirements. If performing large bulk import from CSV actions (500+ user records per bulk action), 4 GB+ above OS requirements is recommended.

• Processor: Intel or compatible (x64) - 2 core or higher recommended.

• Active Directory: Joined to the primary AD Domain that will host the required service connection user accounts and groups.

• .NET Framework: Minimum of .NET 4.6.1 or higher installed. (For Windows 2012 R2 server, refer to How to Determine which .NET versions are installed to use the Regedit tool to determine the version of .NET Framework installed.)

• Windows Management Framework (WMF): Minimum of WMF 5.1+ (installed by default in Windows 2016+. Refer to Install and Configure WMF 5.1 to download and install on a Windows 2012 R2 host server).

• Windows Services: Windows Management Instrumentation (enabled) – This service should be installed on any Windows server that is hosting user home folders to allow Identity Maestro to create user home folders when creating AD user accounts.

• Office 365 Support: If Identity Maestro will connect to Office 365 to manage user mailboxes, install the MSOnline 1.0.8262.2 client applications included in the download ZIP file.


• eDirectory Support: If Identity Maestro will connect to an eDirectory tree, install the Micro Focus (Novell) eDirectory client for Windows 2.x with the latest updates.

SSL Options

The Windows host server and the IIS websites hosted on that server need to be protected by SSL certificates. Two options include:

□ Ensure that domain controllers have been issued with certificates issued by an Enterprise Certificate Authority.

OR

□ Ensure that SSL certificate(s) obtained from trusted public certificate authorities are applied to the IIS default website hosted on the Identity Maestro server.

Firewall Settings

Internal firewall settings need to be configured to permit standard TCP and UDP ports between the Windows server hosting Identity Maestro and the servers / web applications that will be managed. Identity Maestro will be configured with connectors that will use various web-enabled services and protocols to facilitate remote access and management. Here is a typical list:

Port                             Protocol or Purpose
389 (tcp/udp), 636 (tcp/udp)     AD LDAP connection insecure/secure
3268 (tcp), 3269 (tcp)           LDAP GC, LDAP GC SSL
88 (tcp/udp)                     Kerberos
53 (tcp/udp)                     DNS resolution
137, 138 (udp), 139, 445 (tcp)   NetBIOS Browser
123 (tcp/udp)                    W32Time
80, 443 (tcp)                    Standard Web applications & Exchange connection insecure/secure
7190 (tcp)                       Identity Maestro connection agent port
135 (tcp)                        RPC + WMI connections for home folders
4000, 4002 (tcp)                 Workflow Center website, Azure AD Remote Agent website
1025 – 5000 (tcp)                RPC dynamic
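The following readiness check is an added example, not part of the Identity Maestro guide: it verifies the host requirements listed above (.NET 4.6.1+, WMF 5.1+, domain membership, WMI, OS activation) and probes the TCP ports from the firewall table. The server names are placeholders for your own domain controller and home folder server.

```powershell
# Added readiness check; not part of the Identity Maestro guide. Run in an
# elevated PowerShell session on the intended host. $DomainController and
# $HomeFolderServer are placeholders for your own servers.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder
    [string]$HomeFolderServer = 'fs01.corp.example'    # placeholder
)

$results = [ordered]@{}

# .NET 4.6.1+: the Release value under NDP\v4\Full is 394254 or higher
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.6.1+'] = [bool]($ndp -and $ndp.Release -ge 394254)

# WMF 5.1+: engine version of the running PowerShell
$results['WMF 5.1+'] = $PSVersionTable.PSVersion -ge [version]'5.1'

# Domain-joined host and a running WMI service (needed for home folder creation)
$cs = Get-CimInstance Win32_ComputerSystem
$results['Domain joined'] = [bool]$cs.PartOfDomain
$results['WMI service running'] = (Get-Service winmgmt).Status -eq 'Running'

# OS activated: LicenseStatus 1 means Licensed on the Windows product entry
$lic = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
$results['OS activated'] = [bool]($lic | Where-Object LicenseStatus -eq 1)

# TCP ports from the firewall table. Test-NetConnection cannot probe UDP, so
# 137/138 and W32Time (123) are not tested here, and the 1025-5000 RPC range
# is covered only by the endpoint mapper on 135.
$tcpChecks = @(
    @{ Host = $DomainController; Ports = 389, 636, 3268, 3269, 88, 53, 135, 139, 445 }
    @{ Host = $HomeFolderServer; Ports = 135, 139, 445 }
)
foreach ($c in $tcpChecks) {
    foreach ($p in $c.Ports) {
        $tnc = Test-NetConnection -ComputerName $c.Host -Port $p -WarningAction SilentlyContinue
        $results["TCP $p -> $($c.Host)"] = $tnc.TcpTestSucceeded
    }
}

# Pass/fail table; anything False must be fixed before installing
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```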


Prepare Connection Service Accounts

Each target system needs a service user account that will be used to provide privileged access to the target system. Prepare what is required for your environment.

Active Directory

Prepare an AD user account to use as a connection user service account for Identity Maestro. This account will provide protected full administrative access to Active Directory.

□ Create a user in the “\Users” folder in AD: Typical name could be imconnect.

□ Add to the Domain Administrators group.

□ (If required) Add to the Enterprise Administrators and Organization Management groups (required for managing Exchange On-Premise).

□ Set the account password to never expire.

If corporate security policy requires scheduled password changes, ensure that you schedule a task to manually reset the password before it expires in AD. There is a procedure that needs to be followed to reset the password in the various connection end-points in Identity Maestro.

□ Ensure that the account is not affected by GPOs that will modify password expiration.
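An added example (not from the Identity Maestro guide) that performs the checklist above with the ActiveDirectory module and then verifies the result, including which password policy actually applies to the account. It assumes the guide's typical name imconnect and a hypothetical switch for the Exchange On-Premise groups.

```powershell
# Added example, not from the Identity Maestro guide: creates the AD connection
# service account from the checklist above and verifies the state the guide
# requires. Needs the ActiveDirectory RSAT module and Domain Admin rights.
# 'imconnect' is the guide's typical name; the Exchange switch is an assumption.
Import-Module ActiveDirectory

$Name      = 'imconnect'
$Domain    = Get-ADDomain                          # domain this host is joined to
$UsersPath = "CN=Users,$($Domain.DistinguishedName)"
$ManagesExchangeOnPrem = $false                    # $true when Exchange On-Premise is a target

# Prompt for the password rather than embedding it in the script
$Password = Read-Host -Prompt "Password for $Name" -AsSecureString

if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$($Domain.DNSRoot)" -Path $UsersPath `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'Identity Maestro connection service account'
}

# Group memberships from the checklist ('Domain Admins' is the AD name of the
# Domain Administrators group; 'Organization Management' exists only with Exchange)
Add-ADGroupMember -Identity 'Domain Admins' -Members $Name
if ($ManagesExchangeOnPrem) {
    Add-ADGroupMember -Identity 'Enterprise Admins' -Members $Name
    Add-ADGroupMember -Identity 'Organization Management' -Members $Name
}

# Verification: the never-expires flag, the group membership, and the password
# policy that actually applies, since a fine-grained policy or a GPO-driven
# domain policy could still force rotation on this account.
$user    = Get-ADUser $Name -Properties PasswordNeverExpires, MemberOf
$applied = Get-ADUserResultantPasswordPolicy -Identity $Name   # $null means default domain policy
$policy  = if ($applied) { $applied } else { Get-ADDefaultDomainPasswordPolicy }
$policyName = if ($applied) { $applied.Name } else { 'default domain policy' }
[pscustomobject]@{
    PasswordNeverExpires = $user.PasswordNeverExpires
    IsDomainAdmin        = [bool]@($user.MemberOf | Where-Object { $_ -match '^CN=Domain Admins,' })
    PasswordPolicy       = $policyName
    MaxPasswordAge       = $policy.MaxPasswordAge
}
```

If MaxPasswordAge is not zero while PasswordNeverExpires is true, confirm that no GPO or fine-grained policy clears the flag, as the last checklist item requires.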

Azure AD / Office 365

Prepare an Office 365 user account to use as a connection user service account for Identity Maestro.

□ Create an Office 365 user account (that is not synced by Azure AD Connect) called imconnect.

□ This account must be assigned the Global Administrator role in Office 365.

□ This account does not need to be licensed for any SKUs or service plans.


eDirectory

Prepare an eDirectory user account to use as a connection user service account for Identity Maestro. This account will provide protected full administrative access to eDirectory.

□ Create an eDirectory user. Typical name could be imconnect.

□ Assign supervisor rights to the root of the eDirectory tree.

□ Set the account password to never expire.

If corporate security policy requires scheduled password changes, ensure that you schedule a task to manually reset the password before it expires in eDirectory. There is a procedure that needs to be followed to reset the password in the various connection end-points in Identity Maestro.

Prepare Windows 2019 / 2016 / 2012 Server to Host Identity Maestro

Here are the steps to prepare a Windows 2019, 2016 or 2012 R2 server to host Identity Maestro.

Add Server Roles and Features

1. In Server Manager, select Manage > Add Roles and Features.

2. In the “Before you begin” page, select Next >.

3. In the “Select installation type” page, select Role-based or feature-based installation and select Next >.

4. In the “Select destination server” page, select the Select a server from the server pool option, select the target server in the Server Pool list, and select Next >.


5. In the “Select server roles” page, ensure that “Storage Services” is already selected.

6. Select Web Server (IIS) and, in the “Add features that are required for Web Server (IIS)” window, select Add Features.


7. Select Next >.

8. In the “Select features” window, expand .NET Framework 4.5 Features (2 of 7 installed) and ensure that ASP.NET and WCF Services are checked, including all WCF Services sub-features except Message Queuing (MSMQ) Activation. If a popup window opens, accept the changes.

.NET Framework 4.6 will be displayed for Windows 2016.

.NET Framework 4.7 will be displayed for Windows 2019.


9. Under Windows PowerShell (2 of 5 installed), ensure that Windows PowerShell 4.0 (Installed) and Windows PowerShell ISE (Installed) are both checked (usually the default).

For Windows 2019, Windows PowerShell 5.0 (Installed) will be displayed.

10. Select Next >.

11. On the “Web Server Role (IIS)” page, select Next >.

12. On the “Role Services” page, under Common HTTP Features, uncheck Directory Browsing.


13. Scroll down to Security and ensure that Basic Authentication, URL Authorization, and Windows Authentication are checked.

14. Scroll down to Application Development and ensure that .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions, and ISAPI Filters are checked.

.NET Extensibility 4.6 and ASP.NET 4.6 will be displayed for Windows 2016.

.NET Extensibility 4.7 and ASP.NET 4.7 will be displayed for Windows 2019.


15. Scroll down to Management Tools and ensure that IIS Management Console, IIS 6 Metabase Compatibility, IIS 6 Management Console, and IIS 6 WMI Compatibility are checked.

16. Select Next >.

17. On the “Confirm installation selections” window, select Install.

18. Wait until the installation is finished and then close Server Manager if it is not required.

19. For Windows 2012 R2 host servers, upgrade .NET Framework to 4.6.1+. See .NET 4.6.1 for Windows 2012 R2 Update Instructions for steps.

20. For Windows 2012 R2 host servers, upgrade Windows Management Framework to 5.1+. Refer to Install and Configure WMF 5.1 to download and install version 5.1+ on the Windows 2012 R2 host server.
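The unattended equivalent of steps 1 to 18 above, as an added example rather than part of the Identity Maestro guide: it installs the same role services and features with the ServerManager module, removes Directory Browsing (step 12), and verifies that nothing required is missing and that MSMQ Activation was not pulled in. It assumes an elevated session on the host server and the standard Windows Server feature names as listed by Get-WindowsFeature.

```powershell
# Added example (not from the Identity Maestro guide): the unattended
# equivalent of steps 1-18 above using the ServerManager module. Run elevated
# on the host server. Feature names are the standard Windows Server names
# shown by Get-WindowsFeature.
Import-Module ServerManager

$features = @(
    'Storage-Services'                       # step 5: already selected by default
    'Web-Server'                             # step 6: Web Server (IIS) role
    'NET-Framework-45-ASPNET'                # step 8: ASP.NET 4.5/4.6/4.7
    'NET-WCF-HTTP-Activation45'              # step 8: all WCF Services ...
    'NET-WCF-Pipe-Activation45'
    'NET-WCF-TCP-Activation45'
    'NET-WCF-TCP-PortSharing45'              # ... except MSMQ Activation
    'PowerShell', 'PowerShell-ISE'           # step 9
    'Web-Basic-Auth', 'Web-Url-Auth', 'Web-Windows-Auth'                  # step 13
    'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter'  # step 14
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console', 'Web-WMI' # step 15
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }

# Step 12: Web-Server installs Directory Browsing by default; remove it so the
# IIS site cannot list its folders.
Uninstall-WindowsFeature -Name 'Web-Dir-Browsing' | Out-Null

# Verify: every required feature installed, Directory Browsing absent, and
# MSMQ Activation (excluded in step 8) not pulled in as a dependency.
$state    = Get-WindowsFeature -Name ($features + 'Web-Dir-Browsing', 'NET-WCF-MSMQ-Activation45')
$missing  = $state | Where-Object { $_.Name -in $features -and -not $_.Installed }
$unwanted = $state | Where-Object { $_.Name -notin $features -and $_.Installed }
if ($missing -or $unwanted) {
    $missing  | ForEach-Object { Write-Warning "Missing: $($_.Name)" }
    $unwanted | ForEach-Object { Write-Warning "Should not be installed: $($_.Name)" }
} elseif ($result.RestartNeeded -eq 'Yes') {
    Write-Host 'All features present; a restart is required.'
}
```

Because step 13 enables Basic Authentication, which sends credentials unencrypted, serve the Identity Maestro site only on the HTTPS binding set up under SSL Options.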


Prior to Installing Identity Maestro

Different target systems need additional components to be installed.

If Exchange 2013 CU 15+ is a Target System

You must upgrade .NET to 4.6.1+. You must also configure Exchange to support remote PowerShell. Refer to Reenable Remote Powershell Support after upgrading Exchange 2013 from CU14 to CU15+.

If Office 365 is a Target System

1. Download the Identity Maestro installation ZIP file (identitymaestro-latest.zip) and extract it to the server.

2. Expand the \MSOnline\ folder.

3. Using elevated permissions, install the following MSOnline 1.0.8262.2 client applications:

   a. Install msoidcli_64.msi.

   b. Install AdministrationConfig-en.msi.

If eDirectory 8.8 or 9 is a Target System

Install the latest Micro Focus (Novell) eDirectory client for Windows 2012 R2.

Other Target Systems

Contact Identity Maestro support for assistance.


Identity Maestro has offices, development and support centers worldwide, including sites in:

Headquarters
103, 10301 – 109 Street
Edmonton, Alberta T5J 1N4
Canada
Twitter: @IdentityMeastro
Phone: +1 408.675.5020
Fax: +1 780.423.4711

Regional Offices
Identity Maestro Europe
Kreitstrasse 5 86926
Greifenberg/Munich
Germany
Phone: +49.8192.99733.25
emea@Identity Maestro.com

For the most up-to-date contact information for all Identity Maestro offices worldwide, please visit our website at www.identitymaestro.com/contact