Sage HRMS 2012/media/site/Sage HRMS/pdf/inproduct/ESS... · Pre-Installation Guide . ... Sage Employee Self Service (Sage ESS, ... Firewall/Security Services Configuration

Sage HRMS 2012 Sage Employee Self Service

Pre-Installation Guide

Employee Self Service

© 2011 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service names mentioned herein are registered trademarks or trademarks of Sage Software, Inc., or its affiliated entities. Business Objects, the Business Objects logo, and Crystal Reports are registered trademarks of SAP France in the United States and in other countries. NetLib is a registered trademark of Communication Horizons. OrgPlus is a trademark of HumanConcepts, LLC. TextBridge is a registered trademark of ScanSoft, Inc. Microsoft, Outlook, Windows, Windows NT, Windows Server, the .NET logo, Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and /or other countries. The names of all other products and services are the property of their respective holders.

Sage has made every effort to ensure this documentation is correct and accurate but reserves the right to make changes without notice at its sole discretion. Use, duplication, modification, or transfer of the product described in this publication, except as expressly permitted by the Sage License Agreement is strictly prohibited. Individuals who make any unauthorized use of this product may be subject to civil and criminal penalties.

For additional assistance on this and other Sage products and services, visit our Web site at: http://www.sageabra.com

http://www.sageabra.com/

Pre-Installation Guide i

Table of Contents Requirements ................................................................................................................. 1

Hardware and Software Requirements and Recommendations .................................................. 1 Sage Employee Self Service (Sage ESS, Abra Benefit Enrollment, HR Actions for Sage HRMS) ............................................................................................................................................................ 1 Client Requirements for Web Access to Sage Employee Self Service ................................................... 3

Using ASP.NET 3.x ........................................................................................................... 5

Using Dynamic Information Sharing with Microsoft Windows 2008 Server .............. 7

SQL Server Installation ................................................................................................. 13

Install SQL Server .............................................................................................................................. 13

Firewall/Security Services Configuration .................................................................. 15

Sage HRMS - Firewall / Security Services Configuration ............................................................ 15

Employee Self Service - Firewall / Security Services Configuration .......................................... 15

Network Security Configurations ................................................................................................... 16 Basic Network Security – IIS behind Firewall ........................................................................................ 16 Advanced Network Security – IIS and Two Demilitarized Zones (DMZs) ....................................... 17 Enhanced Network Security – IIS in Demilitarized Zone (DMZ) ....................................................... 17 Employee Self Service - Data Execution Prevention Settings .............................................................. 17

Create a Windows User Account ............................................................................... 19

Appendix ..................................................................................................................... 27

Information Security Recommendations for Public Access Workstations ................................ 27 Software Applications ............................................................................................................................... 27 Data Security ............................................................................................................................................... 28 More Best Practices .................................................................................................................................... 29

ii Employee Self Service

Pre-Installation Guide 1

Requirements Important! This product should be installed only by a certified Business Partner.

Hardware and Software Requirements and Recommendations

Sage Employee Self Service (Sage ESS, Abra Benefit Enrollment, HR Actions for Sage HRMS)

Recommended Server Specifications

Processor Dual Core X86 Processor - 2.4 GHz or higher During Open Enrollment (if Abra Benefits Enrollment installed): • > 500 but < 1000 employees: Dual Core X86 Processor - 3.0 GHz • > 1000 but < 3000 employees: Quad Core x86 Processor - 2.0 GHz

Operating System

Install and configure one of the following: • Windows Server 2008, Standard or Enterprise Edition, latest service packs • Windows Server 2003, Standard or Enterprise Edition, latest service packs.

For Windows Server 2003, SP2 or higher, you must verify that the Data Execution Prevention (DEP) settings are correct. Refer to page 17 for details. For information about Windows Server 2003, Web Edition, refer to the note at the end of this table.

Install and configure:

• Microsoft Internet Information Services web server and the World Wide Web Publishing Service

• SMTP Service

• MDAC 2.8

• .Net Framework 3.5 (HR Actions). See page 5 for IIS setup instructions. IIS must be in WOW mode on 64-bit applications.

Use Manage Your Server to add and configure:

• the Application Server role, including ASP.NET

• the Mail Server role

Refer to the Sage Employee Self Service Technical Installation Guide for Windows 2003 and 2008 for configuration information for IIS and SMTP.


2 Employee Self Service

Recommended Server Specifications

Database Install and configure one of the following: • SQL Server 2005 Standard Edition, latest service packs. This must be set up

using mixed mode authentication and default collation sequence (SQL_Latin1_General_CP1_CI_AS).

• SQL Server 2005 Express Edition, latest service packs. This is the default database installed with Employee Self Service. Advanced Services is required to run full-text queries in Abra eRecruiter when searching resumes.

• SQL Server 2008 Standard Edition, latest service packs. This must be set up using mixed mode authentication.

• SQL Server 2008 Express Edition, latest service packs.

Refer to the Employee Self Service Technical Installation Guide for Windows Server 2003 and 2008 for configuration information for SQL Server and mixed mode authentication setup.

Sage HRMS Sage HRMS v10.x If you are installing Sage Abra Alerts and Employee Self Service on the same server, you must install Sage Abra Alerts before installing Employee Self Service.

RAM Recommended: 2048 MB for up to 1,000 employees and 50 concurrent users. You must also do the following: • Add 128 MB for every additional 500 employees in Sage HRMS • Add 128 MB for every additional 25 concurrent users* (administrators, employees, and applicants) in Employee Self Service • File Attachments require additional disk space (HR Actions) *Concurrent users are the maximum number of users logged on to Employee Self Service at the same time.

Hard Drive 100 MB available space for the server (+100 MB for HR Actions) 80 MB plus 1 MB additional available space for every 100 employees

Drive DVD-ROM drive Monitor SVGA 1024 x 768 resolution or higher Browser Internet Explorer v7 and higher Network Speed

100 Mbps minimum, 1000 Mbps preferred.

Performance may dictate moving the installed applications to a multi-server environment.

SQL Server 2005 Express Edition (the embedded database installed with Employee Self Service) is appropriate for organizations with 5 administrative HRMS users or less and 25 concurrent ESS users or less. Organizations with more than 5 administrative HRMS users or more than 25 concurrent ESS and Abra eRecruiter users (administrators, employees, applicants) should consider SQL Server.



About Windows Server 2003 Web Edition:

• SQL Server 2005 or 2008 Express Edition can be installed on the same server that is running Windows Server 2003 Web Edition

• SQL Server cannot be installed on the same server that is running Windows Server 2003 Web Edition. However, you can use SQL Server with Windows Server 2003 Web Edition if SQL Server resides on a different server.

About Windows Server 2008 Web Edition:

• SQL Server 2005 or 2008 Express Edition can be installed on the same server that is running Windows Server 2008 Web Edition.

• SQL Server can be installed on the same server that is running Windows Server 2008 Web Edition.

More helpful information:

Information concerning SQL Server security, stability, and scalability is available at the following link:

http://www.microsoft.com/sql/techinfo/default.mspx

Client Requirements for Web Access to Sage Employee Self Service

Your system must meet the minimum requirements for Microsoft® Internet Explorer version 7 or higher. At the time of release, these requirements can be found at:

http://www.microsoft.com/windows/products/winfamily/ie/ie7/sysreq.mspx

Warning: When navigating in Employee Self Service, do not click the browser’s Forward and Back buttons to navigate. You must use the navigation buttons on the application page.

http://www.microsoft.com/sql/techinfo/default.mspx

http://www.microsoft.com/windows/products/winfamily/ie/ie7/sysreq.mspx


Using ASP.NET 3.x If ASP.NET 3.x Framework is installed, you must open Internet Information Services (IIS) Manager and change the Web Service Extension for ASP.NET v2.0 from Prohibited to Allowed, or you will be unable to open the ESS Web page.

See the following figures for IIS v6.0 and IIS v7.0 setup.

IIS V6.0

IIS V7.0


Using Dynamic Information Sharing with Microsoft Windows 2008 Server

The information sharing capability allows you to share workforce data with other employees in your company. The View Builder is a highly versatile and customizable analytical tool that allows you to implement information sharing in your company. The View Builder allows you to create a View (similar to a template) that generates data and displays the output in your web browser.

Follow the steps below if you will install Employee Self Service on a server running Windows 2008 Server and plan to use the View Builder.

1. On the server, select Start > Administrative Tools > Server Manager to open the Server Manager dialog box.

2. Click the Roles node in the left-hand pane.

3. Click Add Roles Services to open the Add Role Services dialog box.



4. Select Application Development and then click Install.

5. Scroll down the list of Role services and select Security.



6. Scroll down the list of Role services and select IIS 6 Management Compatibility.



7. Click Next and then click Install to install the selected components.

8. After the install is complete, click the Features node and then click Add Features to open the Add Features Wizard.

9. Select SMTP Server. If necessary, click Install to also install the Web Server (IIS) service.



10. Click Next and then click Install to install the selected features.

11. Restart the server.


SQL Server Installation To run Sage Employee Self Service, you must have Microsoft SQL Server or Microsoft SQL Server Express Edition with Advanced Services installed. For your convenience, Sage includes an installation of SQL Server 2005 Express Edition with Advanced Services on the Sage Abra Installer DVD.

To use Microsoft SQL Server 2008 Express Edition with Advanced Services, download it from the Microsoft Web site, which at the time of release was:

http://www.microsoft.com/downloads/details.aspx?FamilyId=B5D1B8C3-FDA5-4508-B0D0-1311D670E336&displaylang=en

If you download and install Microsoft SQL Server 2008 Express Edition with Advanced Services, you must select mixed mode authentication and accept the default collation sequence (SQL_Latin1_General_CP1_CI_AS).

Install SQL Server 1. Load the Sage Abra Installer DVD into the DVD drive.



Install SQL Server


2. Select Sage Employee Self Service. The Employee Self Service Installation dialog box opens.

Important! Before installation, you must remove any beta or Community Technology Preview (CTP) versions of SQL Server Management Studio Express from your system. Otherwise, this installation of SQL Server Express Edition will fail.

3. Select Install SQL Server Express Edition. The installation of SQL Server Express 2008 R2 automatically starts.

4. After the SQL Server Express Edition installation is complete, return to the Installation page to install Sage Employee Self Service.


Firewall/Security Services Configuration Sage HRMS - Firewall / Security Services Configuration The firewall considerations for Sage HRMS clients are as follows:

The firewall considerations for Sage HRMS clients are as follows:

Outgoing connections

The following ports must be open for clients to connect to ESS:

• www-http: 80/TCP This is needed only when non-secure (http) access to the server is allowed.

• https: 443/TCP This is needed only if you want https access to the server and it is configured

When Sage HRMS is configured to connect to a non-local SQL Server, incoming and outgoing traffic for the following port is required. Refer to Microsoft Knowledge Base article “INF: TCP Ports Needed for Communication to SQL Server Through a Firewall” at: http://support.microsoft.com/?id=kb;en-us;Q287932

• mssql ms-sql: 1433/TCP

Employee Self Service - Firewall / Security Services Configuration

The firewall considerations for an Employee Self Service server are as follows:

Incoming connections

The following ports must be open for incoming connections to the server:

• www-http: 80/TCP This is needed only when non-secure (http) access to the server is allowed.

• https: 443/TCP This is needed only if you want https access to the server and it is configured

Outgoing connections

When Employee Self Service is configured to connect to a non-local SQL Server, incoming and outgoing traffic for the following port is required. Refer to Microsoft Knowledge Base article “INF: TCP Ports Needed for Communication to SQL Server Through a Firewall” at:

http://support.microsoft.com/?id=kb;en-us;Q287932



Firewall/Security Services Configuration


• mssql ms-sql: 1433/TCP

To resolve IP addresses via DNS (depending on your server configuration), the following ports need to be open:

• domain: 53/TCP

• domain: 53/UDP

To send mail from the local SMTP service, at least the following port has to be available if outgoing e-mails are configured to be sent or forwarded from the Employee Self Service server:

• smtp: 25/TCP

Network Security Configurations The following images are of common configurations that are used when implementing Employee Self Service. These are guidelines only and can be modified for your environment.

Basic Network Security – IIS behind Firewall



Advanced Network Security – IIS and Two Demilitarized Zones (DMZs)

Enhanced Network Security – IIS in Demilitarized Zone (DMZ)

Employee Self Service - Data Execution Prevention Settings

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. If you are running Employee Self Service on a Windows 2003 Server with Service Pack 1 or higher, you must verify the DEP settings are correct.

On the Employee Self Service server, follow the steps below. We recommend that these steps be performed only by the company’s IT department.

Note: After verifying the DEP settings, you will be instructed to reboot the server. Therefore, before you begin, we recommend you make the necessary preparations for this required server reboot.



1. Verify the operating system is Windows 2003 Server with Service Pack 1 or higher: click Start > Run, type winver, and press Enter.

2. Verify the processor supports hardware DEP:

a. Go to Control Panel > System > Advanced.

b. Click Settings in the Performance section.

c. Click the Data Execution Prevention tab.

d. Verify that you do not see the following text at the bottom of the tab:

“Your computer’s processor does not support hardware-based DEP. However, ...”

3. If you do not see the text and Employee Self Service is generating error 80010105, do the following to switch DEP settings:

a. Go to Control Panel > System > Advanced.

b. Click Settings in the Performance section.

c. Click the Data Execution Prevention tab.

d. Select Turn on DEP for essential Windows programs and services only.

e. Click OK to save and close all dialog boxes.

4. Reboot the server.

Tip: Refer to the following Microsoft Knowledge Base article for more information on DEP: http://support.microsoft.com/kb/875352.

http://support.microsoft.com/kb/875352


Create a Windows User Account Sage Employee Self Service (ESS) requires a Windows user account that has read and write access to the Sage HRMS data files, has permissions to log on as a service and launch processes, and is a member of the administrators group from the Employee Self Service Web/Application server. Use the following instructions to create this account if the data files are located on your Employee Self Service Web/Application server (that is, the server where you perform the Employee Self Service installation).

If the Sage HRMS database files are located on a different server and your enterprise uses workgroups, you must create the same Windows user account on both the ESS Web server and the Sage HRMS server. If your enterprise uses domains or active directory, a Windows user account at the domain level is sufficient.

If Sage HRMS is accessed through a file share, you must set both share permissions and NTFS permissions (if applicable) to allow read and write access for the account. The account should have a ‘static’ password that does not need to be changed. This prevents errors when Employee Self Service tries to access the share using the account information after the password expires or changes.

Skip the following if you already have a Windows user account that meets the aforementioned criteria.

1. From the Start menu, select (All) Programs > Administrative Tools > Computer Management > System Tools > Local Users and Groups.

Create a Windows User Account


2. Add a New User:

a. Right-click Users and select New User. The New User dialog box opens.

b. In the User Name field, enter the Windows user account that has write access to the Sage HRMS data files. This account should have the rights of a standard user account (local or domain).

c. In the Password fields, enter and confirm the password.

d. Clear User must change password at next logon.

e. Select User cannot change password and Password never expires.

f. Click Create.

g. Click Close.



3. Add the new user to the Administrator group:

a. Right-click the (ESS) user and select Properties.



b. Click the Member Of tab and then click Add to open the Select Groups dialog

c. Click Advanced and then Find Now to find the Administrators group.



d. Highlight the Administrators group and click OK.

e. Click OK.

f. Click OK to end the task. The ESS user has now been added to the Administrators group.



4. Using Windows Explorer, navigate to the Sage HRMS Data folder, right-click and select Properties.

Notes:

• If you are using a Windows XP or Windows Server 2003 machine, the default location is \Documents and Settings\All Users\Application Data\Sage\SageAbraSQLHRMSServer\Data (as shown in the following figure)

• If you are using a Windows Server 2008, Windows Vista, or Windows 7 machine, the default location is \ProgramData\Sage\SageAbraSQLHRMSServer\Data



5. In the Data folder’s Properties dialog box, select the Security tab and click Add. The Select Users, Computers, or Groups dialog box opens.

6. In the Enter the object names to select field, enter <local server name>\ESS.

7. Click OK.

8. Set the Modify user permission to Allow.

9. Click OK.


Appendix Information Security Recommendations for Public Access Workstations Employee Self Service allows users to access their personal, payroll, and benefit information via the Internet or an intranet.

When you connect to a network and communicate with others, you are taking a risk. Internet security involves the protection of a computer's internet account and files from intrusion of an unknown user. This means people will always strive to find new ways to circumvent IT security, and users will need to be continually vigilant.

Below are some recommendations for keeping your system and network secure. However, we highly recommend that you contact an Information Security expert to determine the best way for your company to keep your information secure.

Software Applications

• Install and maintain up to date and properly configured anti-virus software. Be sure that real-time protection scans all files.

• Install active spyware defenses, for example, Windows Defender.

• Install only the minimum number of applications as needed.

• Update Web plug-ins, Java Scripts, and media players on a regular basis as these are areas of increasing vulnerability.

• Periodically check the Web site of the Operating System vendor (such as Microsoft) for critical security updates that may need to be applied.

• Consider using multiple Web browsers for different software applications. Currently, Abra ESS and Abra eRecruiter can run with Internet Explorer 7.0 and 8.0; Google Chrome 4.0.223.16; Apple Safari 3.2.3 (525.29), and Mozilla Firefox 3.6.3. Employee Self Service Open Enrollment/Life Events can run with Internet Explorer 7.0 and 8.0. So, for example, you could use Mozilla Firefox to access Abra ESS and a different browser for general purpose Web browsing. This can minimize the chances of vulnerability in a Web browser, a Web site, or related software that can be used to compromise sensitive information.

• Disable other unnecessary network services.

Information Security Recommendations for Public Access Workstations


Data Security

• Keep backup copies of important documents on a secure server and not a shared workstation.

• Use certificates, especially if you modify a DNS server (or write a Java-based SSL proxy) to point your Web or XML client to another Web site.

• Configure the Employee Self Service Web server for HTTPS/SSL using a valid site certificate and do not allow access from public workstations or computers on the Internet.

• Enable or disable functionality as required to secure your Web browser. Because some software features, such as ActiveX, Java, Scripting (for example, JavaScript or VBScript), that provide functionality to a Web browser can also introduce vulnerabilities to the computer system, you must understand which browsers support which features and the subsequent risks they could introduce. If you are not sure how to define the security settings, please consult an Information Security expert.

• Disable broadcast services.

• Disable the cache on the local system and always store confidential data securely (in transit and at rest).

• Clear out temporary files.

• Require users to change their password regularly and require a strong password.

• Never allow Windows to remember your password.

• Lock the BIOS to prevent USB, CD-ROM, or Network booting and use a strong BIOS password.

• Prevent Internet Explorer from caching passwords.

• Set Internet Explorer to have a 0 day history and to clear the cache upon exit. This helps destroy session cookies.

• Perform a port scan or a network statistics on the kiosk operating system to determine active TCP connections. Block everything except the ports you need.

Information Security Recommendations for Public Access Workstations


More Best Practices

• Institute strong group policies. This is a good way to prevent security issues.

• Stress the importance of logging off and closing all applications, not opening e-mail attachments unless you know the sender and know that it was intentionally sent to you, and not clicking links without considering the risks of their actions.

Important! The best approach to adequately maintain the security of the system, without unduly inconveniencing the user, should be determined in consultation with an Information Security expert.