Good Enterprise Mobility Server™
Installation and Configuration Guide
Product Version: 1.1
Doc Rev 2.0
Last Updated: 8-Oct-14
© 2014 Good Technology, Inc.
All Rights Reserved.
Table of Contents
Introducing Good Integrated Mobile Services
GEMS Prerequisites
Core Requirements
System and Network Requirements
Good Dynamics Requirements
Configuring the Java Runtime Environment
Setting Up a Windows Service Account for GEMS
Push Notification Service (PNS) Prerequisites
Create an Exchange Mailbox for the Service Account
Grant Application Impersonation Permission to the Service Account
Set Authentication for the EWS Protocol
Set Up Exchange Autodiscover
Database Requirements
Connect Prerequisites
Microsoft Lync Server Requirements
Preparing the Lync Topology for GEMS
SSL Certificate Requirements for Lync
Database Requirements
Presence Prerequisites
Installing GEMS
Configuring GEMS Core
Changing the GEMS Dashboard Admin Password
Configuring SSL
Configuring GEMS Services
Configuring the Push Notification (Mail) Service
Enabling Exchange ActiveSync (EAS)
Preparing the Database for GEMS-PNS
Configuring PNS (Mail) in the GEMS Dashboard
Configuring a Proxy for GEMS-PNS
Configuring Good Control
Configuring GEMS-PNS for HA
Device Verification and Testing
PNS Logging and Diagnostics
Configuring the Connect Service
Preparing the Database for Connect
Configuring Connect in the GEMS Dashboard
Configuring Good Control for Connect
Enabling SSL Support Via Good Proxy
Configuring Connect for High Availability (HA)
Configuring Support for the Global Catalog
Configuring Windows Services
Connect Service Logging and Diagnostics
Configuring the Presence Service
Enabling GEMS HTTP
Configuring Presence in the GEMS Dashboard
Configuring Good Control for Presence
Configuring Presence for Good Work
Updating the Connect and Presence Services Using Lync Director
Maintaining GEMS Cluster Identification in Good Control
Device Provisioning and Activation
Appendix A – GEMS with Push Notifications Service Pre-Installation Checklist
Appendix B – GEMS with Connect and Presence Pre-Installation Checklist
Appendix C – Understanding the GEMS-Connect Configuration File
Appendix D – Fine-Tuning Your Java Memory Settings
Appendix E – IIS SSL Offloading
Introducing Good Integrated Mobile Services
Leveraging a services-based approach to integrated enterprise mobility, Good Enterprise
Mobility Server (GEMS) consolidates the Good Connect and Good Mobile Messaging servers
as mobiles on a standardized architecture. The integrated services offered by GEMS
currently comprise Connect, Presence, and Push Notifications.
The Connect service boosts user communication and collaboration with secure instant
messaging, corporate directory lookup, and user presence from an easy-to-use interface on
IT-provisioned mobile devices.
The Presence service furnishes real-time presence status to third-party Good Dynamics
applications—giving them a powerful add-in for mobile collaboration.
The Push Notifications Service (PNS) accepts push registration requests from hand-held
mobile devices—iOS, Android etc.—and then communicates with Microsoft Exchange via its
Exchange Web Services (EWS) protocol to monitor the user's enterprise mailbox for changes.
A browser-based administration console—called the GEMS Dashboard—gives you the
flexibility to configure all server components and services after installation completes. GEMS
Web Console, also browser-based, provides real-time monitoring and logging of device
connectivity, traffic load and throughput.
"Services," in the context of Good Dynamics (GD), refer to concrete atomic business-level
functionality that can be consumed by a plurality of GD Applications. Examples of this are
"Look up this contact in the directory", "Subscribe to Presence for these contacts", "Save this
file to SharePoint", and so forth. The Good Dynamics Services Framework allows client
applications on an authenticated device to discover and utilize services by providing API
publication, as well as life cycle and visibility management of services via the Good
Developer Network (GDN).
At a high level, the GEMS architecture looks like this:
A slightly different view, limited to the Connect and Presence architecture, looks like this—
again at a high level:
The PNS architecture, leveraging Microsoft's Exchange Web Services (EWS) with Exchange
ActiveSync (EAS) can be viewed from a slightly different perspective, like this:
Note: While it is possible to consolidate Good Control/Good Proxy and GEMS on the
same server, such a configuration will require more memory and CPU on the single server.
A single server approach is feasible in a proof-of-concept (POC) environment only.
Moreover, if using a single server, you are likely to encounter a port conflict between Good
Dynamics and the Lync Presence Provider (LPP). To rectify this conflict on a single
machine, start Good Control and Good Proxy after Good Presence.
Another important point to note in the diagram above is that the GEMS-PNS service is
utilizing the same database server as Good Control. The database server can be local to
Good Control, as depicted, or remote.
These diagrams and the balance of this document assume that necessary supporting
infrastructure components like Microsoft Exchange, Microsoft Lync, Active Directory, and
Good Control/Good Proxy are present and configured to support existing enterprise
network operations.
This guide, therefore, restricts itself to step-by-step instructions and guidance for installing
GEMS and its Connect, Presence and Push Notification services. The overall process
comprises:
• Preparing the Service Environment
• Setting Up a Windows Service Account
• Installing GEMS
• Configuring GEMS Services
• Device Provisioning and Activation
Before attempting installation, be sure to carefully read and confirm that you meet all of the
listed requirements.
GEMS Prerequisites
Successful GEMS installation and configuration requires that a supporting infrastructure
comprising necessary hardware and software components is already in place. These
prerequisites include:
• Core Requirements
• Push Notifications Service (PNS) Requirements
• Connect Requirements
• Presence Requirements
Based on the services you have chosen to deploy, only after verifying that each of the
respective prerequisites are in place and operating properly should you begin the GEMS
service installation and configuration procedures prescribed.
Important: If you don’t install the required software or fail to configure the requirements
correctly prior to beginning installation of GEMS, the server may fail or behave in an
unexpected manner.
Core Requirements
Certain basic requirements must be satisfied, in place, and correctly functioning regardless
of the service modules—PNS, Connect, or Presence—you are deploying.
The core requirements include:
• System and Network Requirements
• Good Dynamics Requirements
• Configuring the Java Runtime Environment (JRE)
• Setting Up a Windows Service Account for GEMS
System and Network Requirements
Verify that the designated GEMS machine and its associated environment meet the
following (minimum) system and network requirements, bearing in mind that different
services and combinations of services—Connect, Presence, and/or Mail—and their
respective traffic and use patterns will strongly influence your actual requirements. Refer to
the GEMS Deployment Planning and Upgrade Guide for additional scalability and sizing
guidance, as well as high availability and disaster recovery recommendations.
Hardware [1]
• 4-core / 2.4 GHz CPU or higher
• 16 GB RAM
• 50 GB disk space
• 100 / 1000 Ethernet Card
Software
• Java Runtime Environment (JRE) 7 Update 67 (7up67) for Microsoft Windows (64-bit),
  available for download directly from Oracle.
Operating System
Because GEMS uses Microsoft's Unified Communications Managed API (UCMA) to integrate
Microsoft Lync with the GEMS Connect and Presence services, the latter also used by the
Mail component of Good Work, the OS version required to run GEMS is dependent upon
the version of Microsoft Lync deployed. Per guidance from Microsoft, use the following
criteria to determine the version of MS Windows Server supported by GEMS:
• For MS Lync 2010 Deployments use Windows Server in one of these 64-bit versions:
  o 2008 R2
  o 2008 R2 SP1
• For MS Lync 2013 Deployments use Windows Server in one of these 64-bit versions:
  o 2008 R2 SP1
  o 2012 R2
[1] See GEMS Deployment Planning and Upgrade Guide for scalability and sizing guidelines for your specific enterprise traffic and use profile.
If Lync is not utilized in your environment, the above OS requirements are still required from
an installation standpoint. Due to a limitation in the installer, you will need to choose a
version of Lync during the installation process, even though Lync may not be used in your
environment.
Supported Microsoft Exchange versions include:
• Exchange 2010 (SP2 RU4 +)
• Exchange 2013 (CU1, CU2, CU3, SP1 [CU4])
Supported Microsoft Lync versions include:
• Lync 2010
• Lync 2013
Administration Rights
• User performing the installation must have local administrative privileges on the host
  machine
• GEMS must be able to connect with Microsoft Exchange for PNS
• GEMS must be in the same domain as the Microsoft Lync Server for Connect
• GEMS must be able to communicate with the enterprise’s Microsoft Active Directory
• GEMS must have "logon as a service" right
• Local antivirus software must be disabled during installation
• Local Windows firewall must be disabled
Important: A Group Firewall Policy will cause the installer to fail its prerequisite checks,
even if the local firewall is disabled.
Inbound TCP Ports (open and ready for GEMS; not blocked by any firewall)
• 8080 from the Good Proxy (GP) server; or 8082, if SSL is required for inbound GP
  communications
• 8181 from the Good Proxy server (required for Presence)
• 8443 from the Good Proxy server for Push Notifications
• Optional: 49555 from the Lync Server for the Connect Service
• Optional: 49777 from the Lync Server for the Presence Service
Outbound TCP Ports (not blocked by any firewall)
• 443 to Good NOC/APNS
• 443 to Exchange
• 5061 to the Lync Server
• 17080 to the Good Proxy server
• 17433 to the Good Proxy server
Internal Ports (used by GEMS):
• 8080, 8082 by the Connect Server
• 8101 for SSH connectivity to GEMS
• 8443
• 8099 by the .NET Component Manager
• 8060 by the Lync Presence Provider (LPP)
TCP/IP Port Access to the Database
• 1433 to the Microsoft SQL Server default
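The port lists above can be checked from the designated GEMS host before the installer runs. The following PowerShell script is an added example, not part of the Good Technology guide; the port numbers come from the lists above, while every host name in it is a placeholder to replace with your own servers.

```powershell
# Added example (not from the GEMS guide): port pre-check for the GEMS host.
# Uses .NET classes only, so it runs on PowerShell 3.0 / Windows Server 2008 R2.

# Outbound destinations. Ports are from the guide; host names are placeholders.
$outbound = @(
    @{ Role = 'Exchange (EWS)'; Target = 'exchange.mycompany.com';  Port = 443   },
    @{ Role = 'Lync Server';    Target = 'lync.mycompany.com';      Port = 5061  },
    @{ Role = 'Good Proxy';     Target = 'goodproxy.mycompany.com'; Port = 17080 },
    @{ Role = 'Good Proxy';     Target = 'goodproxy.mycompany.com'; Port = 17433 },
    @{ Role = 'SQL Server';     Target = 'sql.mycompany.com';       Port = 1433  }
)

# Ports GEMS listens on (inbound and internal lists). They must be free before
# installation; 49555 and 49777 matter only when Connect or Presence is deployed.
$gemsPorts = 8080, 8082, 8101, 8181, 8443, 8099, 8060, 49555, 49777

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false                  # DNS failure, refusal, or reset
    } finally {
        $client.Close()
    }
}

function Get-OutboundReport {
    param([object[]]$Destinations)
    foreach ($d in $Destinations) {
        New-Object PSObject -Property @{
            Check  = "outbound $($d.Role)"
            Detail = "$($d.Target):$($d.Port)"
            Ok     = Test-TcpPort -Target $d.Target -Port $d.Port
        }
    }
}

function Get-LocalPortReport {
    param([int[]]$Ports)
    # Every TCP endpoint currently in LISTEN state on this machine
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    foreach ($p in $Ports) {
        $inUse = @($listeners | Where-Object { $_.Port -eq $p }).Count -gt 0
        New-Object PSObject -Property @{
            Check  = 'local port free'
            Detail = "tcp/$p"
            Ok     = -not $inUse
        }
    }
}

$report = @(Get-OutboundReport -Destinations $outbound) + @(Get-LocalPortReport -Ports $gemsPorts)
$report | Select-Object Check, Detail, Ok | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Resolve the failed checks before running the GEMS installer.'
}
```

A failed "local port free" row on a host that also runs Good Control or Good Proxy corresponds to the single-server port conflict described in the introduction.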
Good Dynamics Requirements
The following minimum GD Server versions should be appropriately installed and
configured according to the instructions in the GD Servers Installation Guide.
• Good Control (GC) Server 1.7.38.19
• Good Proxy (GP) Server 1.7.38.14
For best performance results, the most current software version available is strongly
recommended and is available from the Good Developer Network.
Important: Your Good Dynamics Server(s) must be operating prior to installation of
GEMS.
Configuring the Java Runtime Environment
JRE 7 Update 67 for Windows x64 is integral to GEMS support of intranet applications and
other e-business solutions that are the foundation of corporate computing. After installing
the JRE, the JAVA_HOME system environment variable must be set.
To set the JAVA_HOME system environment variable for GEMS:
1. First, edit the system environment variables:
a. Select Computer from the Start menu, then click on System Properties.
b. Click on the Advanced tab, then click the Environment Variables... button.
2. If the JAVA_HOME variable does not exist under PATH, create it and set it to the Java install
folder; e.g., C:\Program Files\Java\jre7. Make sure the path is set to the 64-bit JRE.
3. Click OK and you're done.
Setting Up a Windows Service Account for GEMS
For the required service account, "GoodAdmin" is recommended. In fact, you can use the
same Windows Service Account to install all GEMS service modules; e.g.,
goodadmin@yourcompany.com. Of utmost importance here is to make sure the service
account (goodadmin@yourcompany.com) has the appropriate administrative privileges
for all the GEMS service modules you plan to configure and deploy. Permissions for
individual service modules may not require the same privilege level as others. Consequently,
as you add services to GEMS, you will want to adjust the permissions accordingly.
Important: If you use this same account for GEMS Connect and Presence, you will need
to give "GoodAdmin" the RTCUniversalReadOnlyAdmins privilege.
Create an Active Directory Account for GEMS Services
Set the following attributes for the Good-GEMS AD Account:
• The preferred UID is "GoodAdmin"
• Account Password must not contain these characters: ';', '@', '/'.
• Password Expires option must be set to Never for this account.
• This account (GoodAdmin) should be a member of local administrator group on the
  GEMS host machine.
Push Notification Service (PNS) Prerequisites
GEMS-PNS requires a database, and that you set up a Windows Service Account for GEMS in
support of your Exchange environment.
Create an Exchange Mailbox for the Service Account
Using the Exchange Management Console or Exchange shell, create a mailbox for the
GoodAdmin service account. If you are not familiar with how to create a mailbox on
Exchange, please refer to the respective Microsoft Exchange resource for additional details
and tutorials:
• Exchange Server 2010
• Exchange Server 2013
Grant Application Impersonation Permission to the Service Account
In order for the GEMS Push Notification service to monitor mailboxes for updates, the
GEMS Push Notification service account (GoodAdmin), must have impersonation
permissions.
Execute the following Exchange Shell command to apply Application Impersonation
permissions to the GoodAdmin service account:
New-ManagementRoleAssignment -Name:GoodAppImpersonation -Role:ApplicationImpersonation -User:GoodAdmin
Note: This is very important. Do not omit this step.
Set Authentication for the EWS Protocol
The GEMS Push Notification service supports Basic, NTLM and Windows Authentication
when connecting with Exchange via EWS. Basic authentication is turned off by default on
the Exchange server.
Optionally, if Basic authentication is in fact desired, the command that follows can be used
to update Exchange to use Basic authentication for EWS connectivity. Regardless of
authentication method used on Exchange for EWS, however, no extra configuration is
necessary for GEMS.
Execute the following Exchange Shell command to configure Basic authentication for
the EWS protocol on Exchange:
Set-WebServicesVirtualDirectory -Identity "Contoso\EWS (Default Web Site)" -BasicAuthentication $true
Note: Replace "Contoso\EWS (Default Web Site)" with the proper identity for the EWS
virtual directory. Be sure to enclose the string in quotes.
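The impersonation grant and the EWS authentication setting described in the two sections above can both be reviewed from the Exchange Management Shell. The script below is an added example, not part of the Good Technology guide: the scope name GEMS-PNS-Users, the assignment name GoodAppImpersonationScoped and the group distinguished name are hypothetical, and the scoped assignment assumes that PNS only needs to impersonate members of that group, which the guide does not state.

```powershell
# Added example (not from the GEMS guide). Run in the Exchange Management Shell.
# Scope name, assignment name and group DN are hypothetical placeholders.

# 1. Audit: every principal that holds ApplicationImpersonation and over which
#    recipients. An empty CustomRecipientWriteScope means the assignment is not
#    restricted to a custom scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Scoped alternative to the guide's assignment: GoodAdmin may impersonate
#    only mailboxes whose owners are members of one group.
#    Assumption: PNS needs no other mailboxes. If the unscoped assignment from
#    the guide already exists it still applies; remove it with
#    Remove-ManagementRoleAssignment -Identity GoodAppImpersonation
New-ManagementScope -Name 'GEMS-PNS-Users' `
    -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=GEMS Mobile Users,OU=Groups,DC=mycompany,DC=com'"

New-ManagementRoleAssignment -Name 'GoodAppImpersonationScoped' `
    -Role ApplicationImpersonation -User GoodAdmin `
    -CustomRecipientWriteScope 'GEMS-PNS-Users'

# 3. EWS authentication: list the methods enabled on each EWS virtual directory
#    and mark any that accept Basic authentication on a URL that is not HTTPS,
#    since Basic sends the service account password in recoverable form.
Get-WebServicesVirtualDirectory | ForEach-Object {
    $url = "$($_.InternalUrl)"
    New-Object PSObject -Property @{
        Identity = $_.Identity
        Basic    = $_.BasicAuthentication
        Windows  = $_.WindowsAuthentication
        Url      = $url
        Review   = ($_.BasicAuthentication -and $url -notlike 'https:*')
    }
} | Select-Object Identity, Basic, Windows, Url, Review | Format-Table -AutoSize
```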
Set Up Exchange Autodiscover
Ensure that your Exchange Autodiscover is set up correctly. This is very important!
The Autodiscover feature in Exchange is often overlooked during setup but is an important
factor in ensuring smooth day-to-day running of your Exchange environment. Its main
function is to provide the mail client with all the configuration options it needs, sharing only
the user's email address and password. This is particularly useful for remote users and
smartphone users, who no longer have to enter advanced settings like server names and
domains. It is also vital for the correct functioning of features such as Out Of Office and the
Offline Address Book in Outlook.
Use EWSEditor to test if there are any doubts.
Note: Please reference KB3496 for additional details on using EWSEditor.
Please see also "Exchange Autodiscover" by Jaap Wesselius (2010) for more helpful
information on Exchange Autodiscover.
Database Requirements
A relational database is required for the GEMS Push Notifications Service. The database can
be part of your existing environment or newly installed. GEMS currently supports Microsoft
SQL Server. In all cases, the database must be installed and prepared before starting GEMS
installation. This means the necessary SQL scripts included in the GEMS installation zip file
must be executed before beginning GEMS installation proper.
Microsoft has visual and command line tools to assist with database and schema creation;
i.e., Microsoft Management Studio or sqlcmd.
The following versions of MS SQL Server are supported:
• SQL Server 2008 and 2008 R2 (Standard/Enterprise)
• SQL Server 2012 and 2012 SP1 (Standard/Enterprise)
• SQL Express 2008 R2 with Management Tools
If you do not have an existing supported database available, you can obtain one from the
Microsoft Download Center. MS SQL Server 2008 R2 is recommended.
Connect Prerequisites
Among the most important prerequisites for the Connect IM service is the availability of an
established Microsoft Lync environment. These requirements comprise:
• MS Lync 2010 Requirements
• MS Lync 2013 Requirements
• Database Requirements
• Preparing the Lync Topology for GEMS-Connect
• SSL Certificate Requirements for Lync
Microsoft Lync Server Requirements
Antivirus software should be OFF for computers running GEMS with Connect-Presence.
The respective GEMS prerequisites for Lync 2010 and Lync 2013 are included in the
following topics:
• Microsoft Lync 2010 Requirements
• Microsoft Lync 2013 Requirements
Note: Even if you're not using Lync, however, for planned deployments of GEMS-PNS
running on Windows 2008 R2, you will need to install .NET Framework 4.5.
Microsoft Lync 2010 Requirements
If you have deployed or are deploying Microsoft Lync 2010, the following components are
required on the GEMS machine to properly support Lync connectivity and operations.
Important: For GEMS support of Lync 2010, .NET Framework 3.5 SP1 and .NET
Framework 4.5 must both be installed.
Windows Management Framework 3.0/PowerShell 3.0
Built on the Microsoft .NET Framework, Windows PowerShell 3.0 is a command-line shell
and scripting language designed for system admin and automation. Windows Server 2012
comes with PowerShell 3.0 already installed. Enable the Windows PowerShell 3.0 feature
using Windows Server Manager.
If you are using Windows 2008 R2 SP1, however, you must install Windows Management
Framework 3.0, which includes Windows PowerShell 3.0.
To install Windows Management Framework 3.0:
1. Go to Windows Management Framework 3.0.
2. Review the information on the web page, then click Download.
3. Select Windows6.1-KB2506143-x86.msu and click Next.
4. Close all Windows PowerShell windows.
5. Uninstall any other version of Windows Management Framework 3.0.
6. Run the Windows6.1-KB2506143-x86.msu executable.
7. Open Windows PowerShell (x86) and run the following command to enable execution of
remote-signed scripts:
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
If you need to troubleshoot the installation, refer to the WMF 3.0 Release Notes.
For more complete information about Windows Management Framework 3.0 and Windows
PowerShell 3.0, visit the following Microsoft resources:
• Windows PowerShell Web site
• Windows PowerShell Online Help
• Windows PowerShell Blog
• Windows PowerShell Software Development Kit (SDK)
• Windows Management Framework 3.0 Compatibility Update
.NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 is a cumulative update containing many new features
that incrementally build upon .NET Framework 2.0, 3.0, 3.5, and includes .NET Framework
2.0 service pack 2 and .NET Framework 3.0 service pack 2 cumulative updates.
Windows Server 2008 R2 comes with .NET Framework 3.5 SP1 already installed. Enable the
.NET 3.5 Framework feature using Windows Server Manager.
If you are using Windows Server 2008 SP2, however, you must install .NET Framework 3.5
SP1. Always make sure you have the latest service pack and critical updates for the version
of Windows Server running on your machine.
To look for recent Windows Server 2008 updates:
Click the Start button, click All Programs, and then click Windows Update.
To install Microsoft .NET Framework 3.5 SP1:
1. Go to Microsoft .NET Framework 3.5 Service Pack 1 (Full Package).
2. Review the information on the web page, then click Download near the top of the page.
3. When the download is complete, click Finish.
If you prefer to download the bootstrapper, rather than the full package, go to .NET
Framework 3.5 Service Pack 1 (Bootstrapper).
For additional information about .NET Framework 3.5 SP1, visit the following Microsoft
resources:
• .NET Framework 3.0 SP1 KB Article
• .NET Framework 3.5 SP1 Update
.NET Framework 4.5
Microsoft .NET Framework 4.5 is a highly compatible, in-place update to .NET Framework 4.
It includes significant language and framework enhancements, the blending of control flow
in synchronous code, a responsive UI, and web app scalability. .NET Framework 4.5 adds
substantial improvements to other functional areas such as ASP.NET, Managed Extensibility
Framework, Windows Communication Foundation, Windows Workflow Foundation, and
Windows Identity Foundation, in addition to delivering better performance, reliability, and
security.
Windows Server 2012 comes with .NET Framework 4.5 already installed. Enable the .NET
4.5 Framework feature using Windows Server Manager.
If you are using Windows Server 2008 R2, however, you must install .NET Framework 4.5.
Always make sure you have the latest service pack and critical updates for the version of
Windows Server running on your machine.
To look for recent Windows Server 2008 R2 updates:
Click the Start button, click All Programs, and then click Windows Update.
To install Microsoft .NET Framework 4.5:
1. Go to the Microsoft .NET Framework 4.5.
2. Review the information on the web page, then click Download near the top of the page.
3. To install the software immediately, click Run.
4. To install the software later, click Save. Then, when you actually do the install, make sure
the server machine is connected to the Internet.
For additional information about .NET Framework 4.5, visit the following Microsoft
resources:
• .NET Framework Developer Center
• .NET Framework 4.5 Language Pack
64-bit UCMA 3.0 Runtime
Microsoft’s Unified Communications Managed API (UCMA) 3.0 is a managed-code platform
which developers use to build applications that provide access to and control over Microsoft
Enhanced Presence information, instant messaging, telephone and video calls, and
audio/video conferencing.
Note: You must have elevated permissions to install UCMA 3.0 Runtime. A reboot is
required to install and enable Windows Media Format after UCMA 3.0 Runtime setup is
finished.
To install the UCMA 3.0 Runtime:
1. Go to Unified Communications Managed API 3.0 Runtime in the Microsoft Download
Center and click Download.
2. Launch UcmaRuntimeSetup.exe and accept the End-User License Agreement (EULA).
The setup wizard will install all the necessary components.
3. Follow the onscreen instructions to complete the installation.
The setup program installs English versions of the Speech Recognition and Text-to-Speech
engines. The final screen of the installer provides a link that can be used to
download additional engines for other languages. Included in the setup is an additional
installer called OCSCore.msi that is also required for GEMS. Find OCSCore.msi by
navigating to the following directory:
C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\Setup\OCSCore.msi
By default, the ProgramData folder is hidden, so it might not appear in Windows
Explorer. You can change this (unhide it) in folder settings.
4. Launch OCSCore.msi and use the default settings in the wizard.
Microsoft Lync 2013 Requirements
If you have deployed or are deploying Microsoft Lync 2013, the following components are
required on the GEMS machine to properly support Lync connectivity and operations:
Windows Management Framework 3.0/PowerShell 3.0
Built on the Microsoft .NET Framework, Windows PowerShell 3.0 is a command-line shell
and scripting language designed for system admin and automation. Windows Server 2012
comes with PowerShell 3.0 already installed. Enable the Windows PowerShell 3.0 feature
using Windows Server Manager.
If you are using Windows 2008 R2 SP1, however, you must install Windows Management
Framework 3.0, which includes Windows PowerShell 3.0.
To install Windows Management Framework 3.0:
1. Go to Windows Management Framework 3.0.
2. Review the information on the web page, then click Download.
3. Select Windows6.1-KB2506143-x86.msu and click Next.
4. Close all Windows PowerShell windows.
5. Uninstall any other version of Windows Management Framework 3.0.
6. Run the Windows6.1-KB2506143-x86.msu executable.
7. Open Windows PowerShell (x86) and run the following command to enable execution of
remote-signed scripts:
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
If you need to troubleshoot the installation, refer to the WMF 3.0 Release Notes.
For more complete information about Windows Management Framework 3.0 and Windows
PowerShell 3.0, visit the following Microsoft resources:
• Windows PowerShell Web site
• Windows PowerShell Online Help
• Windows PowerShell Blog
• Windows PowerShell Software Development Kit (SDK)
• Windows Management Framework 3.0 Compatibility Update
.NET Framework 4.5
Microsoft .NET Framework 4.5 is a highly compatible, in-place update to .NET Framework 4.
It includes significant language and framework enhancements, the blending of control flow
in synchronous code, a responsive UI, and web app scalability. .NET Framework 4.5 adds
substantial improvements to other functional areas such as ASP.NET, Managed Extensibility
Framework, Windows Communication Foundation, Windows Workflow Foundation, and
Windows Identity Foundation, in addition to delivering better performance, reliability, and
security.
Windows Server 2012 comes with .NET Framework 4.5 already installed. Enable the .NET
4.5 Framework feature using Windows Server Manager.
If you are using Windows Server 2008 R2, however, you must install .NET Framework 4.5.
Always make sure you have the latest service pack and critical updates for the version of
Windows Server running on your machine.
To look for recent Windows Server 2008 R2 updates:
Click the Start button, click All Programs, and then click Windows Update.
To install Microsoft .NET Framework 4.5:
1. Go to the Microsoft .NET Framework 4.5.
2. Review the information on the web page, then click Download near the top of the page.
3. To install the software immediately, click Run.
4. To install the software later, click Save. Then, when you actually do the install, make sure
the server machine is connected to the Internet.
For additional information about .NET Framework 4.5, visit the following Microsoft
resources:
• .NET Framework Developer Center
• .NET Framework 4.5 Language Pack
64-bit UCMA 4.0 Runtime
Microsoft’s Unified Communications Managed API (UCMA) 4.0 is a managed-code platform
which developers use to build applications that provide access to and control over Microsoft
Enhanced Presence information, instant messaging, telephone and video calls, and
audio/video conferencing.
Note: You must have elevated permissions to install UCMA 4.0 Runtime. A reboot is
required to install and enable Windows Media Format after UCMA 4.0 Runtime setup is
finished.
UCMA 4.0 requires Desktop Experience on Windows Server 2008 R2 SP1. Enable this
feature using Windows Server Manager.
UCMA 4.0 requires Media Foundation on Windows Server 2012. Enable this feature using
Windows Server Manager.
To install the UCMA 4.0 Runtime:
1. Go to Unified Communications Managed API 4.0 Runtime in the Microsoft Download
Center and click Download.
2. Launch UcmaRuntimeSetup.exe and accept the End-User License Agreement (EULA).
The setup wizard will install all the necessary components.
3. Follow the onscreen instructions to complete the installation.
The setup program installs English versions of the Speech Recognition and Text-to-Speech
engines. The final screen of the installer provides a link that can be used to
download additional engines for other languages. Included in the setup is an additional
installer called OCSCore.msi that is also required for GEMS. Find OCSCore.msi by
navigating to the following directory:
C:\ProgramData\Microsoft\Lync Server\Deployment\cache\5.0.8308.0\Setup\OCSCore.msi
By default, the ProgramData folder is hidden, so it might not appear in Windows
Explorer. You can change this (unhide it) in folder settings.
4. Launch OCSCore.msi and use the default settings in the wizard.
Preparing the Lync Topology for GEMS
The Connect service and Lync Presence Provider (LPP) are Microsoft Lync trusted-UCMA
applications. In order to establish trust with Microsoft Lync, you must first use the Lync
Management Shell to complete the following:
• Create a trusted application pool.
• Designate trusted applications for the use of the GEMS computer.
• Create a trusted-computer entry for every GEMS in the environment.
• Publish these changes to the Lync Topology.
• Create a Trusted Endpoint for the GEMS-Presence Service.
Important: You must be a member of the RTCUniversalServerAdmins and Domain
Admins security groups to provision and publish new applications in the Microsoft Lync
Topology. If you have a designated Lync administrator within your organization, that
person should perform all subsequent preparation steps for this procedure.
You must complete the application provisioning process described in the following
instructions:
• Preparing to install GEMS for the first time
• Preparing subsequent GEMS machines
After updating the Lync topology, the Lync administrator must delegate
RTCUniversalReadOnlyAdmins permission to the GEMS service account in order for the
GEMS Dashboard to access the provisioning information during the GEMS configuration
process.
Preparing the Initial GEMS Machine
Preparations vary if the Lync Topology has already been set up for GEMS. Hence, the
preparation instructions included here apply only if you are installing GEMS for the first
time. If GEMS is already installed in your environment, see Preparing Additional GEMS
Machines.
Otherwise, when you create a trusted application pool for the installation of GEMS, you also
create the trusted-computer entry. Subsequent installations of GEMS machines do not
require a new trusted application pool or designated trusted applications. Because these are
merely added to the existing trusted application pool, you only need to create trusted
application computers.
To prepare your topology, you must:
1. Create a Trusted Application Pool.
2. Create a Trusted Application for GEMS Connect.
3. Publish changes to the Lync Topology.
To accomplish these tasks, first launch the Lync Management Shell by selecting: Start > All
Programs > Microsoft Lync Server [2010 or 2013] > Lync Management Shell.
Next, enter the following commands (highlighted areas represent recommended values):
PS> Get-CsSite
If your organization has more than one site in its topology, look up the appropriate siteId
number and the corresponding registrar value and jot them down. You will need this
information to create the application pool.
PS> New-CsTrustedApplicationPool -Force -Identity "pool_gems.mycompany.com" -Registrar <registrar> -RequiresReplication $false -Site <siteId number> -ComputerFqdn "FQDN of GEMS machine"
The value for registrar can be either a Director pool or a Lync pool. Director pools are
recommended in large deployments as the better director of user requests to the
appropriate front-end server.
PS> New-CsTrustedApplication -Force -ApplicationId "appid_connect.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -Port 49555
PS> New-CsTrustedApplication -Force -ApplicationId "appid_presence.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -Port 49777
Create the second application (appid_presence.mycompany.com) only if you are deploying
the GEMS Presence service.
PS> New-CsTrustedApplicationEndpoint -ApplicationId "appid_presence.mycompany.com" -TrustedApplicationPoolFqdn "pool_gems.mycompany.com" -SipAddress "sip:presence_<GEMS hostname>@mycompany.com"
Create an application endpoint only if you are deploying the GEMS Presence service.
PS> Enable-CsTopology
This completes topology preparations for your initial GEMS machine. If you are deploying
additional GEMS machines, see Preparing Additional GEMS Machines.
If you are installing only one GEMS machine, proceed to Installing GEMS.
Preparing Additional GEMS Machines
The instructions presented here apply only if you have already installed at least one GEMS
machine. If you are installing GEMS for the first time, refer to the instructions in Preparing
the Initial GEMS Machine.
Prepare your Lync Topology for additional GEMS machines by launching the Lync
Management Shell via Start > All Programs > Microsoft Lync Server [2010 or 2013] >
Lync Management Shell.
Next, you need to create a trusted computer for the GEMS trusted application pool. To do
so, enter the following command line:
PS> New-CsTrustedApplicationComputer -Identity "<FQDN of GEMS machine>" -Pool "<name of GEMS pool previously created>"
With the Lync topology now prepped for the new GEMS, you may proceed to Installing
GEMS after reviewing the next section on creating/acquiring a valid SSL certificate.
SSL Certificate Requirements for Lync
If your enterprise doesn’t already have one—or one designated for use by GEMS—you must
obtain and install a digital certificate.
Your enterprise can sign its own digital certificates, acting as its own certificate authority
(CA), or you can submit a certificate request to a well-known, third-party CA. Although you
can preinstall the root authority for your own CA on each user’s device, to forestall the
continuous tedium and management, especially as new employees come and go, it makes
sense to get an independent CA-validated certificate.
Mutual TLS (MTLS) Certificates
Connect and LPP connections to Lync rely on mutual TLS (MTLS¹) for mutual
authentication. On an MTLS connection, the server originating a message and the server
receiving it exchange certificates from a mutually trusted CA. The certificates prove the
identity of each server to the other. In Lync Server 2010 deployments, certificates issued by
the enterprise CA that are still in their validity period and not revoked by the issuing CA are
automatically considered valid by all internal clients and servers because all members of an
Active Directory domain trust the Enterprise CA in that domain. In federated scenarios, the
issuing CA must be trusted by both federated partners. Each partner can use a different CA,
if desired, so long as that CA is also trusted by the other partner. This trust is most easily
accomplished by the Edge Servers having the partner’s root CA certificate in their trusted
root CAs, or by use of a third-party CA that is trusted by both parties.
¹ For more on TLS and MTLS for Lync Server 2010, see http://technet.microsoft.com/en-us/library/gg195752(v=ocs.14).aspx.
Hence, GEMS must form a mutual trust relationship for MTLS communications supporting
its network server environment. Mutual trust requires a valid SSL certificate that meets the
following criteria:
• The private certificate issued for GEMS by a trusted CA must be stored in the GEMS
machine’s Console Root\Certificates local_host_name\Personal\Certificate folder.
• The GEMS computer’s private certificate and the Lync Server’s internal computer
certificate must both be trusted by root certificates in GEMS’s Console Root\Certificate
local_host_name\Trusted Root Certification Authorities\Certificates folder.
• Intermediate certificates for both the GEMS private certificate and the Lync Server’s
internal computer certificate must be located in the GEMS Console Root\Certificates
local_host_name\Trusted Root Certification Authorities\Certificates folder (similar to
the one pictured next).
Important: The account used to run GEMS must have read access to the certificate
store and the private key. You can assign read rights to the private key by right-clicking
on the certificate.
• The Subject Name (SN) of the certificate must contain the Common Name (CN) for
GEMS’s fully qualified domain name (FQDN), such that
CN=server.subdomain.domain.tld.
• The Subject Alternative Name (SAN) must contain the DNS for the trusted pool for the
GEMS machine, as well as the GEMS machine FQDN. SANs let you protect multiple host
names with a single SSL certificate.
• The certificate must be signed by a CA that is mutually trusted by both the Lync Server
and GEMS.
For more complete information regarding Microsoft Lync SSL certificate requirements, visit
the MSDN Office Dev Center’s Lync page. For instructions on creating a certificate for GEMS,
see Creating and Adding the GEMS SSL Certificate.
Creating and Adding the GEMS SSL Certificate for Lync
These certificate request procedures are based on a Windows Server 2012 certificate
authority but will also work for earlier versions of Windows Server. Please make sure to
execute the steps that follow on the Certificate Authority server.
If you are deploying the Connect Service only, skip to Requesting a GEMS Certificate from a
Local AD Certificate Authority. However, if you are deploying the GEMS Presence service,
you will need a Subject Alternative Name (SAN) certificate.
Creating a SAN Certificate Template
To create a SAN certificate template:
1. Open a CMD window and type MMC to open the MMC window.
2. Click File> Add/Remove Snap-in and then click Add > Certificate Templates.
3. In the center panel, right-click Computer, then Duplicate Template.
4. In the General tab, change the name to Computer – SAN Cert, or something like it. Just
be sure to make note of it for future reference.
5. In the Subject Name tab, select “Supply in the request”.
6. Click Apply, then click OK.
Adding the SAN Certificate Template to the CA
In order for requestors to see the new template, it must first be added to the CA using the
following steps:
1. Open the Certificate Authority utility and right-click on Certificate Templates.
2. Select New > Certificate Template to Issue.
3. Select the template that was created above in Creating a SAN Certificate Template.
Requesting a GEMS Certificate from a Local AD Certificate Authority
Use the following procedure if you are requesting a certificate for the GEMS machine from a
local AD certificate authority.
On the GEMS machine:
1. Open a CMD window and type mmc to open the Microsoft management console.
2. Click File > Add/Remove Snap-In.
3. Select Add Certificate > Computer Account > Local computer.
4. Right-click Personal, then select Certificate (or Personal) > All Tasks > Request New
Certificate.
5. Click Certificate Enrollment, then click Next and Next again.
6. If you are only deploying the GEMS Connect Service, choose a Computer certificate
request template. Otherwise, choose the Computer-SAN Cert certificate request
template.
If there is no Computer SAN certificate request template, refer to Creating a SAN
Certificate Template above.
7. If you chose a regular Computer certificate request, click Enroll and you’re done.
Otherwise, you will need to supply both the Common Name (CN) and the Subject
Alternative Name (SAN).
8. If you choose a Computer-SAN Cert, you will need to supply both the Common Name
(CN) and the Subject Alternative Name (SAN). Click on the More information is
required... link to enter this information.
9. In the Certificate Properties popup:
a. Under the Subject tab, change the Subject name Type to Common Name.
b. For Value, enter the FQDN of the GEMS machine.
c. Click Add.
d. Change the Alternative name Type to DNS.
e. Add two Values, one with the FQDN of the GEMS machine and the other with the
FQDN of the GEMS Lync pool.
f. Click Apply, then click OK.
g. Click Enroll.
After creating the certificate, make sure the Subject Name and Subject Alternative Name
are correct. To do this, simply double-click on the certificate, then click the Details tab.
Correctly reflecting the name you gave it or chose, the Subject Name should look
something like this:
And the Subject Alternative Name should look like this:
10. Right-click the certificate, then select All Tasks > Manage Private Keys.
11. Under the Security tab, add the service account and grant it read access to the
certificate.
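The criteria listed under Mutual TLS (MTLS) Certificates, and the checks in the last steps of the procedure above, can also be run from an elevated Windows PowerShell session on the GEMS machine. The script below is an added example, not part of the GEMS product or its tools; the host, pool, account and thumbprint values are placeholder assumptions and the function name Test-GemsLyncCertificate is hypothetical.

```powershell
# Added example (not from the GEMS distribution). All four values are placeholders.
$GemsFqdn       = 'gems-1.corp.mycompany.com'   # FQDN of the GEMS machine
$PoolFqdn       = 'pool_gems.mycompany.com'     # FQDN of the GEMS trusted application pool
$ServiceAccount = 'MYCOMPANY\GoodAdmin'         # GEMS service account (domain name assumed)
$Thumbprint     = '<thumbprint of the GEMS certificate>'

function Test-GemsLyncCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory = $true)] [string] $GemsFqdn,
        [Parameter(Mandatory = $true)] [string] $PoolFqdn,
        [Parameter(Mandatory = $true)] [string] $ServiceAccount
    )
    $problems = @()

    # Validity period and presence of a private key.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "Outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

    # Subject CN must be the GEMS FQDN (string comparison is case-insensitive).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($nameType, $false)
    if ($cn -ne $GemsFqdn) { $problems += "Subject CN is '$cn', expected '$GemsFqdn'" }

    # SAN extension (OID 2.5.29.17) must list the GEMS FQDN and the pool FQDN.
    # Format() output is localized; the 'DNS Name=' label assumes an English OS.
    $sanDns = @()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanDns = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }
    foreach ($name in @($GemsFqdn, $PoolFqdn)) {
        if ($sanDns -notcontains $name) { $problems += "SAN has no DNS entry for '$name'" }
    }

    # The chain must build to a root trusted by this machine ($true = machine context).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    if (-not $chain.Build($Cert)) {
        foreach ($s in $chain.ChainStatus) {
            $problems += "Chain: $($s.Status) $($s.StatusInformation.Trim())"
        }
    }

    # The service account needs read access to the private key file.
    # Only legacy CSP keys are handled, and only an explicit ACE is detected;
    # access granted through group membership is not resolved here.
    $key = $null
    try { $key = $Cert.PrivateKey } catch { }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $file = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
                $key.CspKeyContainerInfo.UniqueKeyContainerName)
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        $rules = (Get-Acl -Path $file).Access | Where-Object {
            $_.IdentityReference.Value -eq $ServiceAccount -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        if (-not $rules) { $problems += "No explicit Read ACE for $ServiceAccount on the private key" }
    } else {
        $problems += 'Private key is not in a legacy CSP container; check Manage Private Keys by hand'
    }
    return $problems
}

$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$found = @(Test-GemsLyncCertificate -Cert $cert -GemsFqdn $GemsFqdn `
           -PoolFqdn $PoolFqdn -ServiceAccount $ServiceAccount)
if ($found.Count -eq 0) { 'Certificate meets the listed criteria' } else { $found }
```

A certificate issued from the plain Computer template for a Connect-only deployment will be reported as lacking the pool name in its SAN; compare that finding against the services you are actually deploying.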
Database Requirements
A relational database is required for the Connect and the Push Notification components of
GEMS. The Presence service does not require a database. The GEMS database can be part of
your existing environment or newly installed. GEMS currently supports Microsoft SQL
Server. In all cases, the database must be installed and prepared before starting GEMS
installation. This means the necessary SQL scripts included in the GEMS installation zip file
must be executed before beginning GEMS installation proper.
Microsoft has visual and command line tools to assist with database and schema creation;
i.e., Microsoft Management Studio or sqlcmd.
The following versions of MS SQL Server are supported:
• SQL Server 2008 and 2008 R2 (Standard/Enterprise)
• SQL Server 2012 and 2012 SP1 (Standard/Enterprise)
• SQL Express 2008 R2 with Management Tools
If you do not have an existing supported database available, you can obtain one from the
Microsoft Download Center.
For MS SQL Server 2008 R2 setup guidance, see SQL Server Setup.
For test lab guidance on setting up SQL Server 2012 Enterprise Edition, click here.
Presence Prerequisites
The Presence service has the same predeployment requirements as the Connect service.
Please refer to the complete list of Connect Prerequisites.
Installing GEMS
A successful GEMS installation hinges on all prerequisites for each service you are deploying
being in place. These include, respectively:
• Core Prerequisites
• PNS Prerequisites
• Connect Prerequisites
• Presence Prerequisites
It is strongly recommended that installation be done with the GEMS service account.
Upon verifying that all prerequisites have been satisfied, download and unzip the GEMS
installer package, then continue with the steps below.
To download and run GEMS Setup:
1. Download the installation zip package from the GEMS product page.
2. Unpack the contents of the zip and run GoodEnterpriseMobilityServerSetup.exe.
3. Choose either Lync Server 2010 or Lync Server 2013, then click Next.
Note: If you have a Lync environment, select the appropriate version. Otherwise,
accept the default, even if you don't use Lync.
The installer now runs a check of required components.
4. If all Prerequisites indicate Pass, click Next. If not, make a note of the failed
components so that any issues can be resolved during the configuration process, then
click Next.
5. Accept the default installation path or click Browse to change it.
6. Accept the license agreement by clicking the checkbox, then click Install. The Install
button becomes active only upon your acceptance of the license agreement. Click the
link to the License and Service Agreement to read the terms and conditions.
7. It typically takes 3-5 minutes for the installer to finish. When complete, click Configure
and when the Dashboard launches, you'll see:
If the GEMS Dashboard fails to launch automatically in your browser, open your browser
and manually enter http://localhost:8181/dashboard in the address bar.
Note: HTTP access is only allowed from the localhost.
Google's Chrome browser is recommended.
8. The default Username and Password are both "admin." Enter admin in each respective
field, then click Login.
This displays the Good Services Configuration page, also called the GEMS Dashboard
home page.
You're now ready to select a service to configure. The Push Notifications Service is
required to run the Good Work mobile collaboration app. The Presence service furnishes
the Lync Presence Provider (LPP) to Good Work and other Good Dynamics applications,
while the Connect service provides both presence and instant messaging services on client
devices provisioned with the Good Connect app.
Configuring GEMS Core
The first phase in the configuration process is to set up the server irrespective of the services
you choose to put in place. This includes:
• Changing the GEMS Dashboard administration password
• Installing the GEMS SSL Certificate
Changing the GEMS Dashboard Admin Password
To change the administration password for the GEMS Dashboard:
1. In your favorite text editor, open <GEMS Machine Path>\Good Enterprise Mobility
Server\Good Server Distribution\gems-karaf-<version>\etc\users.properties.
2. Change the current password from admin (the SHA-1 Hash highlighted in yellow) to
something else, after which, this will be the password for the GEMS Dashboard.
admin={CRYPT}a0089182becd921781d5ba1e58fa4d129b24060f{CRYPT},_g_:admingroup
→
admin=<new_password>,_g_:admingroup
You can enter a plain text value. It will automatically be replaced with a salted SHA-256 Hash
the next time an admin user logs in.
To confirm the change:
Restart Good Technology Common Services and login to the Dashboard by going to
http://localhost:8181/dashboard. You will be asked for the new password (username will
still be admin).
Note: If not on localhost, use https://<gems_host_fqdn>:8443/dashboard for secure
access. Please refer to subsequent sections on how to enable HTTPS for GEMS.
This admin password shall apply for the admin user of the GEMS Web Console.
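The two states this procedure can leave behind, the shipped default hash and a plain text password that has not yet been replaced by a hash, can be detected by reading users.properties. The following is an added example, not part of the GEMS tooling; the function name Test-GemsUsersProperties and the second sample user are hypothetical, and the sample lines are constructed.

```powershell
# Added example (not from the GEMS distribution).
# Default admin value as printed in this guide's users.properties excerpt.
$DefaultAdminHash = 'a0089182becd921781d5ba1e58fa4d129b24060f'

function Test-GemsUsersProperties {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    $findings = @()
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Skip blank lines, comments and group definitions (keys that start with _g_).
        if ($text -eq '' -or $text.StartsWith('#') -or $text.StartsWith('_g_')) { continue }

        # Entry layout: user=password,role-or-group[,...]
        $user, $rest = $text -split '\s*=\s*', 2
        if (-not $rest) { continue }
        $secret = ($rest -split ',', 2)[0].Trim()

        if ($secret -match '^\{CRYPT\}(.+)\{CRYPT\}$') {
            # Hashed entry: flag it only if it is still the value the product ships with.
            if ($Matches[1] -eq $DefaultAdminHash) {
                $findings += "${user}: still set to the shipped default password hash"
            }
        } else {
            # No {CRYPT} wrapper: the password is readable by anyone who can read the file
            # until the next admin login replaces it with a hash.
            $findings += "${user}: password is stored in plain text (not yet replaced by a hash)"
        }
    }
    return $findings
}

# Constructed sample input: an unchanged default entry and a freshly edited one.
# 'auditor' is a hypothetical second account used only for illustration.
$sample = @(
    'admin={CRYPT}a0089182becd921781d5ba1e58fa4d129b24060f{CRYPT},_g_:admingroup',
    'auditor=<new_password>,_g_:admingroup'
)
Test-GemsUsersProperties -Lines $sample

# Against a real installation (path shown as in step 1, version left as a placeholder):
# Test-GemsUsersProperties -Lines (Get-Content '<GEMS Machine Path>\Good Enterprise Mobility Server\Good Server Distribution\gems-karaf-<version>\etc\users.properties')
```

Run it once after editing the file and again after the first Dashboard login; the second run should report nothing for the admin entry.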
Configuring SSL
By default, GEMS is only remotely accessible using the HTTP/S protocol. Therefore, you
need to create a self-signed certificate, and then you will need to configure GEMS to use this
self-signed certificate to enable remote access over HTTP/S.
The GEMS Self-Signed Certificate Tool is distributed as part of the tools and utilities zip
package included with your GEMS software. It is provided to help you quickly set up GEMS
to support SSL when you don't have a trusted SSL certificate from a well known third-party
CA.
To generate and properly configure a self-signed certificate:
1. Unzip/extract the Tools folder from your downloaded GEMS installation zip file.
Note: You can only download the installation package after logging into the Good
Community Portal.
2. From this folder, unzip/extract the file tech-tools-<version >.zip to a folder on your local
desktop.
3. Inside the uncompressed folder, find the tech-tools/utils/sslcert/ folder and
unzip/extract the contents of sslcert-<version>-all.zip to expose the following:
README
sslcert.bat
sslcert.sh
sslcert-<version>.jar
sslcert-<version>-jar-with-dependencies.jar
4. Open a command prompt and change directory to the folder with the above content,
then execute the following command:
sslcert.bat <choose a JKS Keystore private key password> <choose a JKS Keystore password> <gems_fqdn>
For example:
sslcert mypassword mypassword gems-1.corp.mycompany.com
After the tool executes, you'll see:
INFO: Key Manager Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
INFO: Key Store Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
INFO: Trust Store Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
You will need these values to complete the configuration steps below.
In the current working directory, a JKS KeyStore file called gems.jks is produced containing
your new SSL self-signed certificate.
Next, to properly configure the certificate:
5. In the GEMS installation directory, locate the folder /etc/keystores, typically found in
C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server
Distribution\gems-karaf-<version>\.
6. Copy the gems.jks file generated in Step 4 above to this folder.
7. Now open /etc/jetty.xml in a text editor, revealing:
8. Uncomment the entire <Call name="addConnector"> block by deleting the comment
markers (see highlighted "<!--" and "-->" above).
9. Ensure that the file location matches the location where you copied your gems.jks in
Step 6; e.g., C:\Program Files\Good Technology\Good Enterprise Mobility
Server\Good Server Distribution\gems-karaf-<version>/etc/keystores/gems.jks.
10. From Step 4 above, provide the obfuscated values for:
a. KeyManagerPassword
b. KeyStorePassword
c. TrustedStorePassword
For example:
Key Manager Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
Key Store Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
Trust Store Password:OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
11. Finally, restart GEMS and check that you can now access it under its secure HTTP/S port.
For example, opening the GEMS Dashboard in your browser using
https://localhost:8443/dashboard.
Note: As expected, the browser will report that your SSL certificate is untrusted because it
is a self-signed certificate.
Configuring GEMS Services
As previously indicated, you can configure one or more services at any time in any order
desired according to your organization's mobile user demand and deployment
requirements. Once again, these services currently comprise:
• Push Notifications (Email)
• Connect
• Presence
Configuring the Push Notification (Mail) Service
Configuring GEMS for PNS support of the Good Work app, which includes Mail, Contacts,
and Calendar, entails:
• Enabling Exchange ActiveSync (EAS)
• Preparing the SQL database
• Configuring Mail in the GEMS Dashboard
• Configuring Good Control
• Configuring GEMS-PNS for High Availability
Enabling Exchange ActiveSync (EAS)
EAS is a protocol designed for the synchronization of email, contacts, calendar, tasks, and
notes from the messaging server to the Good Work client. GEMS does not participate in EAS
activity, but if EAS is not properly enabled, then GEMS cannot support Good Work clients
with PNS.
Consequently, if you plan to deploy the Good Work client to your users, please ensure that
EAS is enabled on port 443 and that connections are permitted to the Good Proxy server.
Note: By default, ActiveSync is enabled when you install the Client Access server role on
the computer that's running Microsoft Exchange Server 2010 or Exchange 2013.
For detailed guidance on Exchange EAS and how it works with Good apps, please refer to
Good Work EAS Security Information and Guidance.
For additional information on how to enable and manage EAS in your existing Exchange
environment, see Microsoft's Exchange and IIS documentation.
Preparing the Database for GEMS-PNS
If you are deploying the Push Notifications Service (PNS), you must configure a SQL Server
database and create the database tables that GEMS will use for push notification storage.
Included in the downloaded GEMS .zip distribution are the database schema setup files.
For the Push Notification Service (PNS), the schema setup scripts are in the EWS folder.
To prepare the new database:
1. Create a new SQL database. The preferred database name is “EWS”.
2. For database authentication, the GEMS-PNS supports both SQL and Windows
Authentication. If Windows Authentication is used, then the GEMS service account
(GoodAdmin) can be used. If SQL authentication is used, then a separate local SQL
account must be created on the SQL server. Regardless of which authentication type is
used, the account will require DBO rights to the database created in Step 1.
3. From GoodEnterpriseMobilityServerSetup.<version>.zip, extract the file named
pushnotify-dbmanager-<version>-sql, located in the EWS folder.
4. Next, locate createMSSQLUTF8.sql in the EWS folder.
5. Open the createMSSQLUTF8.sql file in Microsoft SQL Server Management Studio and
then execute the script against the database that was created in step 1 (i.e., EWS).
Configuring PNS (Mail) in the GEMS Dashboard
Important: Remember that your Good Dynamics Servers must be operating before the
GEMS Push Notifications Service can be configured.
Upon clicking Mail, complete its service configuration in the following order:
Good Dynamics
1. On the Good Mail Service Configuration page, click Good Dynamics.
2. Enter the Good Proxy Hostname. If you have more than one Good Proxy server, pick
any one you wish. Autodiscover will correctly identify the others.
3. Enter the Good Proxy Port.
4. Select either HTTP or HTTPS, the latter being the more secure transport protocol.
5. Use the Test button to verify the connection.
6. Click Save to record the setting.
Microsoft Exchange
1. Returning to the Good Mail Service Configuration page, click Microsoft Exchange.
Then, as pictured below...
2. Enter the Domain, Username ("GoodAdmin" is recommended), and Password of the
Windows Service Account. This account should have impersonation rights on Exchange.
3. Click Save when done.
Database
If Windows Authentication is used for database connectivity between GEMS and SQL, the
following procedure must be completed on the GEMS host. If you are using SQL
authentication, skip the following procedure and simply enter the server, database name,
and then select SQL authentication.
The Microsoft SQL Server JDBC driver supports the use of Type 2 integrated authentication
on Windows operating systems through the integratedSecurity connection string
property.
Note: Because you are running a 64-bit JVM on an x64 processor, use the sqljdbc_auth.dll
file in the x64 folder.
To use Windows Authentication to access the database:
1. Download the JDBC driver from Microsoft.
2. Unzip the download and find the appropriate sqljdbc_auth.dll for your operating
system in <unzip directory>\auth\<operating system>.
3. Copy the sqljdbc_auth.dll file to <GEMS installation directory>\Good Technology\Good
Enterprise Mobility Server\Good Server Distribution\gems-karaf-<version>\lib
4. Using Windows Services Manager, locate the service named Good Technology Common
Services, then select Properties and click the Log On tab.
5. Select Log On as “This Account”, and enter the GEMS service account name—
GoodAdmin—and the account password.
6. Now, still in Windows Services Manager, restart the service named Good Technology
Common Services.
7. Returning to the Good Mail Service Configuration page, click Database.
8. Enter the Server host name and instance name; i.e., <your_sqlserver_hostname>\<instance_name>.
9. Enter the Database name.
10. Select an Authentication Type (Windows Authentication is recommended).
11. Click Save to commit your changes.
12. Finally (and critical to the configuration process), use the Windows Services Manager to
locate the service named Good Technology Common Services, then select Restart so
that the service is restarted to allow these settings to take effect.
To use SQL Authentication to access the database:
1. Enter the database Server host name and instance; i.e., <your_sqlserver_hostname>\<instance_name>.
2. Enter the Database name.
3. Select SQL Authentication as the Authentication Type.
4. Click Save to commit your changes.
5. Use the Windows Services Manager to locate the service named Good Technology
Common Services, then select Restart so that the service is restarted to allow these
settings to take effect.
Tip: After restart, check the table dbo.KeyValueRecord to verify that your SQL Server
database is now being used by GEMS.
Configuring a Proxy for GEMS-PNS
Because APNS pushes are sent via the Good Network Operations Center (NOC), which
resides outside of your enterprise network, a proxy may be needed to access the NOC. This
proxy can be configured from the GEMS Web Console.
To configure a proxy for GEMS-PNS:
1. Go to http://<fqdn_of_your_gems_host>.com:8443/system/console/configMgr
2. Login as an administrator (the default uid/pwd is "admin"/"admin").
3. Click on OSGi, then select Configuration.
4. Scroll down to com.good.server.notifications.ApnsRelayConfig and click on it.
5. Enter the following values corresponding to the proxy you wish to configure:
• http.proxy.host – the FQDN of the proxy server
• http.proxy.port – its port number
• http.proxy.password – proxy authentication password, if required.
Note: The password is optional. If the proxy accepts anonymous connections, leave it
blank. If the proxy requires authentication, you must enter a password. Currently, only
basic authentication to the proxy is supported by GEMS.
6. Click Save.
Configuring Good Control
A few basic configuration settings are necessary so that Good Control can properly support
Good Work application users. These include:
• Configuring EAS for the Good Work app
• Adding Applications and Users
• Device Provisioning and Activation
Note: The Good Work application must be published in Good Control. For prerequisite
details on setting up Good Control, see Good Dynamics Requirements. To learn how to
add the application in Good Control, see "Registering a New Application" in the GC
console's online help.
With respect to GEMS, to complete configuration of PNS, please login to Good Control with
full admin rights.
Configuring Exchange ActiveSync (EAS) for Good Work™
To allow your users to easily enroll in EAS when they activate their Good Work app, the app
must be configured in Good Control to connect to EAS. This is accomplished from your
Good Control console.
Important: Before the Good Work app can be configured to use PNS, it must first be
configured for EAS.
There are two parts to this procedure:
• Whitelisting the EAS server(s) in Good Control
• Adding the correct JSON configuration
If this has not already been accomplished, please see the Good Work Product Guide for the
correct setup instructions.
Adding Applications and Users in Good Control
By default, every user is assigned to the “Everyone” group. If you plan to use the default,
simply add the Good Work app to the Everyone Application Group.
Refer to your Good Control online help utility for complete instructions on adding
applications like Good Work, Good Connect, Good Presence, along with adding new user
accounts, as well as modifying policies and permissions.
Whitelisting Your GEMS Host(s) in Good Control
The GEMS host must be whitelisted in Good Control to enable proper communication
between the Good Proxy server and GEMS.
To whitelist GEMS in Good Control:
1. Open the Good Control console, then under Server Configuration, click Client
Connections.
2. Scroll down to Additional Servers and click
.
3. In the Server field, add the FQDN of the GEMS machine and enter 8443 for the Port.
Choose a primary GP cluster and a secondary GP cluster (if available).
Caution: At this stage, you are adding a configuration that will cause devices to
connect to GEMS over its secure HTTP/S port 8443, which is the only port that is open
for remote access, by default. Therefore, you should ensure that you have already
followed the steps to configure GEMS Core for HTTP/S. Otherwise, your devices will
not be able to connect to GEMS.
4. Whitelist additional GEMS hosts with GP Clusters by repeating from Step 2.
5. Click Submit to save your changes.
Adding GEMS to the Good Work Application Server List
Note: If you haven't yet registered the Good Work app in Good Control, do so now.
To add GEMS to the Good Work application server list:
1. From the Good Control console navigator (left-hand panel) under Applications, click
Manage Applications.
2. Scroll or search for Good Work and click it.
3. Click the Servers tab.
4. Enter the GEMS host FQDN in the Host Name field, then enter 8443 under Port.
Caution: At this stage, you are adding a configuration that will cause devices to
connect to GEMS over its secure HTTP/S port 8443, which is the only port that is open
for remote access, by default. Therefore, you should ensure that you have already
followed the steps to configure GEMS Core for HTTP/S. Otherwise, your devices will
not be able to connect to GEMS.
5. If you have additional GEMS hosts, configure them for the application in the same way,
after clicking
to add a new row.
6. Click Submit to save your changes.
Configuring GEMS-PNS for HA
High Availability for GEMS-PNS is based upon multiple active instances with no instances in a
passive/standby mode.
When adding a new GEMS instance, you will need to:
1. Configure your new GEMS instance to use the existing database.
2. Configure your new GEMS instance to point to the same Good Proxy server.
3. Configure your new server host and port in the Good Control server list.
The GEMS Push Notifications Service (PNS) supports high availability (HA) by adding
additional GEMS servers running PNS. The GEMS instances hosting PNS that you designate to
participate in HA must share the same database.
To set up an HA GEMS PNS host, simply provision an additional server and install GEMS-PNS.
Use of the same service account ("GoodAdmin") for all HA servers is strongly
recommended. In the GEMS dashboard configuration on the HA server, be sure to point the
HA server to the same database.
From the Good Control console, add each HA server to the Good Work application server list
in accordance with the instructions above for configuring the Good Work App with EAS.
Device Verification and Testing
The Good Work app is publicly available from the Apple App Store or the Google Play store.
By default the app will only use HTTP/S to communicate with GEMS when it registers for
push notifications. If you would like to do device verification and testing in a test
environment, you can configure communications to use HTTP instead of HTTPS.
This is a matter of making additional changes to the Good Control configuration (JSON) we
set up when configuring the Good Work app with Active Sync earlier.
{
  "disableSSLCertificateChecking":"true",
  "<email domain for end users>": {
    "EASDomain":"<EAS Windows domain for end users>",
    "EASServer":"<EAS server fully qualified DNS name>",
    "AutodiscoverURL":"https://autodiscover.good.com/autodiscover/autodiscover.xml",
    "EASServerPort":"<EAS server port number>",
    "EASUseSSL":"true"
  }
}
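Because the setting above is meant for test environments, it is worth checking a Good Control JSON policy for it before the same policy is applied to production users. The following is an added example, not part of Good Control or GEMS; the function name Test-GoodWorkEasConfig is hypothetical, the sample policy is constructed, and only the keys shown in this guide are examined.

```powershell
# Added example (not from the GEMS or Good Control distribution).
function Test-GoodWorkEasConfig {
    param([Parameter(Mandatory = $true)] [string] $Json)
    $cfg = $Json | ConvertFrom-Json
    $findings = @()

    # Top-level switch used for test environments in this guide.
    if ("$($cfg.disableSSLCertificateChecking)" -eq 'true') {
        $findings += 'disableSSLCertificateChecking is true (test environments only)'
    }

    foreach ($prop in $cfg.PSObject.Properties) {
        # Per-domain blocks are the properties whose value is itself an object.
        if ($prop.Value -isnot [System.Management.Automation.PSCustomObject]) { continue }
        $domain = $prop.Name
        $block  = $prop.Value

        if ("$($block.EASUseSSL)" -ne 'true') {
            $findings += "${domain}: EASUseSSL is not true"
        }
        if ($block.AutodiscoverURL -and "$($block.AutodiscoverURL)" -notlike 'https://*') {
            $findings += "${domain}: AutodiscoverURL does not use https"
        }
        # The guide asks for EAS to be enabled on port 443.
        if ($block.EASServerPort -and "$($block.EASServerPort)" -ne '443') {
            $findings += "${domain}: EASServerPort is $($block.EASServerPort), guide expects 443"
        }
    }
    return $findings
}

# Constructed sample: a test-lab policy with placeholder domain and server names.
$testPolicy = @'
{
  "disableSSLCertificateChecking":"true",
  "mycompany.com": {
    "EASDomain":"MYCOMPANY",
    "EASServer":"eas.mycompany.com",
    "AutodiscoverURL":"https://autodiscover.good.com/autodiscover/autodiscover.xml",
    "EASServerPort":"80",
    "EASUseSSL":"false"
  }
}
'@

$found = @(Test-GoodWorkEasConfig -Json $testPolicy)
if ($found.Count -eq 0) { 'No test-only settings found' } else { $found }
```

For the constructed policy this reports three findings: the disabled certificate check, EASUseSSL, and the non-443 port.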
If you haven’t already done so, download the Good Work app to your device.
Upon launching the Good Work app for the first time, you will be prompted for an email
address and a provisioning PIN. If you don’t have this information, refer to the previous
section on device activation keys.
Good Work will continue the provisioning process once the email address and PIN are entered
correctly. Depending on the Good Control policy for the device, you may be prompted to
create a password for the app. After the app password is set, you will be prompted for your
enterprise email address and Active Directory password. If the system is not able to
correlate your email address to an Exchange Active Sync (EAS) server, you will be prompted
for a different EAS server and domain credentials.
When everything is set up correctly, Good Work will automatically start synchronizing with
Exchange and you will start to see mail, calendar and contact information in the app. If
Good Presence is configured, you will also see presence information for each contact.
To test from GEMS whether a device is actually connected, go to Push Channels and
query GEMS. You can also query users by going to EWS Listener. If these tests fail or are
inconclusive, investigate Autodiscover troubleshooting.
Refer to Logging and Diagnostics for any additional issues encountered.
PNS Logging and Diagnostics
Helpful performance logs and diagnostic information for GEMS and the Push Notification
Service can be found in the GEMS Web Console. To set/change the administrator's password
see Changing the GEMS Web Console Password.
GEMS Web Console
The GEMS Web Console provides advanced configuration and tuning options for GEMS. It
should be used with care as it offers advanced maintenance capabilities intended for expert
users of the system.
To see the relevant logs in your browser:
1. Go to http://<fqdn_of_your_gems_host>.com:8443/system/console/configMgr
2. Login as an administrator (the default uid/pwd is "admin"/"admin").
3. Click on OSGi, then select Log Service.
4. Scroll the log activity. It's listed in chronological order.
A more robust and complete administration guide covering how to use the advanced
features of the GEMS Web Console is scheduled for publication later this year.
Log File Location
The actual log files are stored in the GEMS installation directory. Its default location is:
C:\Program Files\Good Technology\Good Enterprise Mobility Server
All log directories are relative to this path.
The GEMS Server Log can be found in:
\Good Server Distribution\gems_karaf-<version>\data\log\
Problems Connecting to Exchange
In some test environments you may need to configure GEMS to communicate with an
Exchange Server that does not have a trusted SSL Certificate. This is very rare, except in
environments that do not yet have a properly configured Exchange Server. It is strongly
recommended that you do not deploy this type of set up in a production environment.
However, when necessary or desired for testing purposes, you can turn off certificate
verification in the GEMS Web Console by locating the configuration called "Good
Technology Async HTTP Client Configuration" and disabling SSL certificate checking.
Caution: Do not modify the DisableSSLv2Hello property unless you know what you are
doing. Contact Good Technical Support for additional details.
To disable SSL certificate checking for test purposes:
1. Login to the GEMS Web Console as an administrator (uid/pwd = "admin" / "admin").
2. Select OSGi > Configuration.
3. Scroll down to Good Technology Async HTTP Client Configuration and click it.
Caution: Editing this configuration will affect all your SSL clients, not just EWS Clients, as
well as APNS & GNP.
4. Check Disable SSL certificate checking.
5. Click Save.
Autodiscover Override
In certain environments, the system may not be able to dynamically retrieve the
autodiscover endpoint URL. If this happens, the autodiscover endpoint URL will need to be
set manually. Push notification failure and EWS Listener queries returning NULL are common
symptoms.
To set the override from the GEMS machine:
1. Login to the GEMS Web Console as an administrator.
2. Select OSGi > Configuration.
3. Scroll down to GEMS Autodiscover Configuration and click it.
4. Enter an Autodiscover override URL in the field provided. This typically takes the form
https://mycas.mydomain/autodiscover/autodiscover.svc.
5. Click Save.
6. Restart the “Good Technology Common Services” service.
To remove the override, return to the GEMS Autodiscover Configuration in the GEMS Web
Console and remove the override URL, then save the configuration.
Checking EWS Listener and Push Channels
GEMS provides diagnostic URLs to help you determine whether GEMS-PNS is working
properly. However, these diagnostic URLs are not remotely accessible. They can only be
accessed on the same machine on which GEMS-PNS is running. Therefore, you must use
"127.0.0.1" as the hostname in each of the URLs below.
A quick way to check whether or not the Push Channels and EWS Listener are working is to
query GEMS with the following URLs:
Push Channels
http://127.0.0.1:8181/pushnotify/pushchannels
Sample Output:
[{"registrationId":"acooc@demolair.com#3EFED82C-BE27-4A71-BF647F68424122B4",
"account":"acooc@demolair.com",
"pushToken":"8FAE82462C794005BFC90C7A4B654B523CDB2FCC59A922BDAFBAFD30D2460614",
"bundleId":"com.good.gcs.g3.enterprise","ewsProfileId":"51","deviceType":"ios"}]
If the outputs are NULL ([]), check the log for the reasons why. If outputs are not found,
then refer to the SSH console for additional detail.
EWS Listener
http://127.0.0.1:8181/ewslistener/user
Sample Output:
[{"connectionId":45946713,"email":"acooc@demolair.com","stage":"Streaming",
"lastErrorTime":null,"status":null}]
Using the first check, you will see a push channel registration if the device successfully
connected to GEMS. Then, if your Exchange Configuration is set up properly you will see a
streaming EWS Listener subscription.
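To triage many accounts at once, the two diagnostic outputs can be joined on the account address. The Python below is an added example, not part of Good's tooling; the sample data is constructed, and treating any stage other than "Streaming" as unhealthy is an assumption based on the sample output above.

```python
import json
import urllib.request

# The diagnostic URLs answer only on the GEMS host itself, over plain HTTP.
BASE = "http://127.0.0.1:8181"


def fetch(path):
    """Return the raw JSON text of one diagnostic URL (run on the GEMS machine)."""
    with urllib.request.urlopen(BASE + path, timeout=10) as resp:
        return resp.read().decode("utf-8")


def correlate(push_channels_json, ews_listener_json):
    """Join push channel registrations with EWS Listener subscriptions by account."""
    channels = json.loads(push_channels_json) or []   # "[]" means nothing registered
    listeners = json.loads(ews_listener_json) or []
    subs_by_email = {}
    for sub in listeners:
        subs_by_email.setdefault(sub["email"].lower(), []).append(sub)

    report = {}
    for ch in channels:
        account = ch["account"].lower()
        subs = subs_by_email.get(account, [])
        if not subs:
            state = "no_ews_subscription"   # device reached GEMS, Exchange side missing
        elif any(s.get("stage") == "Streaming" for s in subs):
            state = "ok"
        else:
            state = "not_streaming"         # subscription exists but is not streaming
        entry = report.setdefault(account, {"state": state, "devices": []})
        entry["devices"].append(ch.get("deviceType"))

    # Subscriptions with no registered device: the device never reached GEMS.
    for email in subs_by_email:
        if email not in report:
            report[email] = {"state": "no_push_channel", "devices": []}
    return report


# Constructed sample data in the shape of the sample output in this guide.
# The "Subscribing" stage value and the lastErrorTime value are made up.
SAMPLE_PUSH = json.dumps([
    {"registrationId": "acooc@demolair.com#DEVICE-A", "account": "acooc@demolair.com",
     "pushToken": "TOKEN-A", "bundleId": "com.good.gcs.g3.enterprise",
     "ewsProfileId": "51", "deviceType": "ios"},
    {"registrationId": "bsmith@demolair.com#DEVICE-B", "account": "bsmith@demolair.com",
     "pushToken": "TOKEN-B", "bundleId": "com.good.gcs.g3.enterprise",
     "ewsProfileId": "52", "deviceType": "android"},
    {"registrationId": "cjones@demolair.com#DEVICE-C", "account": "cjones@demolair.com",
     "pushToken": "TOKEN-C", "bundleId": "com.good.gcs.g3.enterprise",
     "ewsProfileId": "53", "deviceType": "ios"},
])
SAMPLE_EWS = json.dumps([
    {"connectionId": 45946713, "email": "acooc@demolair.com", "stage": "Streaming",
     "lastErrorTime": None, "status": None},
    {"connectionId": 45946714, "email": "bsmith@demolair.com", "stage": "Subscribing",
     "lastErrorTime": "constructed-timestamp", "status": None},
    {"connectionId": 45946715, "email": "dlee@demolair.com", "stage": "Streaming",
     "lastErrorTime": None, "status": None},
])

if __name__ == "__main__":
    # On a GEMS host, replace the samples with:
    #   correlate(fetch("/pushnotify/pushchannels"), fetch("/ewslistener/user"))
    for account, info in sorted(correlate(SAMPLE_PUSH, SAMPLE_EWS).items()):
        print(account, info["state"], info["devices"])
```

Accounts reported as no_ews_subscription or not_streaming point at the Exchange side (Autodiscover, impersonation, EWS), while no_push_channel points at the device never registering with GEMS.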
Note that in the diagnostic URLs above, the HTTP protocol is used. This is permissible for
connections made to GEMS from the same machine on which GEMS is running but not from
remote clients. Occasionally, for evaluation or demonstration purposes, you may not yet
have configured SSL for GEMS Core. In this situation, you can permit remote connections
to GEMS via HTTP. Even when doing so, please note that traffic between the device and
the Good Proxy remains protected over a secure channel.
To do so, add the following line to the JSON configuration above:
"serverProtocol":"http",
For example:
{
  "serverProtocol":"http",
  "disableSSLCertificateChecking":"true",
  "<email domain for end users>": {
    "EASDomain":"<EAS Windows domain for end users>",
    "EASServer":"<EAS server fully qualified DNS name>",
    "AutodiscoverURL":"https://autodiscover.good.com/autodiscover/autodiscover.xml",
    "EASServerPort":"<EAS server port number>",
    "EASUseSSL":"true"
  }
}
Complete instructions are available under Enabling GEMS HTTP.
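Because the test-only settings shown in this section ("disableSSLCertificateChecking" and "serverProtocol") live in the same JSON that is later used in production, it helps to check a configuration for them before pasting it into Good Control. The Python below is an added example, not a Good Technology tool; the sample configurations are constructed, and flagging any "serverProtocol" value other than "https" or an explicit non-true "EASUseSSL" is an assumption about how those keys are read.

```python
import json


def _is_true(value):
    """The guide writes booleans as the strings "true"/"false"."""
    return str(value).strip().lower() == "true"


def audit_app_config(text):
    """Return (setting, reason) findings for test-only options in the JSON."""
    cfg = json.loads(text)
    findings = []

    if _is_true(cfg.get("disableSSLCertificateChecking", "false")):
        findings.append(("disableSSLCertificateChecking",
                         "server certificates are not validated"))

    protocol = cfg.get("serverProtocol")
    if protocol is not None and str(protocol).strip().lower() != "https":
        findings.append(("serverProtocol",
                         "app registers with GEMS over %s" % protocol))

    # Every nested object is a per-email-domain block.
    for name, block in cfg.items():
        if not isinstance(block, dict):
            continue
        if "EASUseSSL" in block and not _is_true(block["EASUseSSL"]):
            findings.append((name + ".EASUseSSL", "EAS traffic is not using SSL"))
        url = str(block.get("AutodiscoverURL", ""))
        if url and not url.lower().startswith("https://"):
            findings.append((name + ".AutodiscoverURL", "Autodiscover URL is not https"))
    return findings


# Constructed configurations (example.com values are placeholders).
TEST_CONFIG = json.dumps({
    "serverProtocol": "http",
    "disableSSLCertificateChecking": "true",
    "example.com": {
        "EASDomain": "EXAMPLE",
        "EASServer": "eas.example.com",
        "AutodiscoverURL": "https://autodiscover.example.com/autodiscover/autodiscover.xml",
        "EASServerPort": "443",
        "EASUseSSL": "true",
    },
})
PROD_CONFIG = json.dumps({
    "example.com": {
        "EASDomain": "EXAMPLE",
        "EASServer": "eas.example.com",
        "AutodiscoverURL": "https://autodiscover.example.com/autodiscover/autodiscover.xml",
        "EASServerPort": "443",
        "EASUseSSL": "true",
    },
})

if __name__ == "__main__":
    for setting, reason in audit_app_config(TEST_CONFIG):
        print("%-32s %s" % (setting, reason))
```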
Configuring the Connect Service
The Connect service governs IM and presence capabilities of the Good Connect app.
Configuring the GEMS Dashboard and Good Control are critical phases in the deployment of
Good Connect. This entails:
• Setting up the SQL database
• Configuring Connect in the GEMS Dashboard
• Configuring Good Control for Connect
• Enabling SSL via Good Proxy
• Configuring Connect for High Availability
• Configuring support for the Global Catalog
Preparing the Database for Connect
If you are deploying the Connect Service, you must configure a SQL Server database and
create the database tables that GEMS will use for data storage.
Included in the downloaded GEMS .zip distribution are the database schema setup files.
For the Connect Service, the schema setup scripts are found in the Connect folder.
To prepare the new database:
1. Create a new SQL database. The preferred database name is “GoodConnect”.
2. For database authentication, Connect supports both SQL and Windows Authentication.
If Windows Authentication is used, then the GEMS service account (GoodAdmin) can be
used. If SQL authentication is used, then a separate local SQL account must be created
on the SQL server. Regardless of which authentication type is used, the account will
require DBO rights to the database created in Step 1.
3. From GoodEnterpriseMobilityServerSetup.<version>.zip, extract the folder named
SQL\SQLServer, located in the Connect folder.
4. Open Microsoft SQL Server Management Studio and run the following SQL script files
against the database you created in step 1 (i.e., GoodConnect):
1_Balboa_Schema.sql
1_Balboa_StoredProcedures.sql
2_Cardiff_Schema.sql
Important: It is critical that the above script files are run in the listed order.
When all scripts have been executed, the database is preconfigured and ready for Connect
service installation and connectivity.
Configuring Connect in the GEMS Dashboard
Using Good Connect, employees can track coworker availability, initiate or receive an instant
message, make a phone call, share and open file links in Good Share or send an email
securely via Good for Enterprise™. Best of all, Good Connect lets you efficiently embrace
BYOD programs without compromising corporate security or employee privacy.
To set up the Good Connect service for GEMS, complete the configuration steps for each of
the following components:
• Service Account
• Database
• Good Dynamics
• Lync 2010 or Lync 2013
• Microsoft Exchange (optional)
• Web Proxy (optional)
Configuring the Service Account
1. Be sure to stop the "Good Technology Connect" service before making any of the
changes that follow. This is very important.
2. In the Good Connect Server Configuration page, click Connect to configure the Good
Connect service.
As you'll see, the necessary components are grayed-out until you provide the correct
GEMS Windows Service Account credentials.
3. Click Service Account to provide the GEMS Domain Service Account credentials.
4. Login with the proper authentication credentials—Username and Password—then click
Save. GEMS uses this information to securely connect to Microsoft Services like Active
Directory, Lync, Exchange, and SQL Server.
Make sure this service account has RTCUniversalReadOnlyAdmins rights.
As stated on the Dashboard page, your Service Account credentials are not stored after
the current browser session ends.
If an account has not yet been created, contact your Windows domain administrator to
request an account.
If the credentials are valid, the service is connected and the links to the other components
on the page are activated.
Configuring the Database
1. In the Good Connect Service Configuration page click Database.
2. Enter the Server and Database name, then select the appropriate Authentication Type.
When you choose Windows Authentication, the credentials for the Windows Service
Account configured for the Good Connect Service are used. If you select SQL Server
Login, you will then need to enter a valid Username and Password for the SQL Server
Database prescribed in the Prerequisites section of this guide.
3. Click Test to verify that a connection with the database can be made.
If the test is successful, a confirmation is displayed at the top of the page in blue. If
testing fails, check that System and Network Requirements, plus all Database
Requirements, have been met. Correct as needed, then return to Step 1 above.
4. Click Save when done.
Configuring Good Dynamics
Before continuing with this setup phase, make sure that your Good Dynamics servers—
Good Connect and Good Proxy—are installed and operating. For details, see the Good
Dynamics Server Installation Guide available on GDN.
To configure GEMS connectivity with Good Dynamics:
1. In the Good Connect Service Configuration page (breadcrumb: Services > Connect),
click Good Dynamics.
2. Next, in the Good Dynamics Server Configuration page, enter the Hostname and Port
number of the Good Proxy server, then choose communication via HTTP or HTTPS.
Important: An HTTPS connection requires a well-known 3rd Party CA-signed SSL
certificate. See Enabling SSL Support Via Good Proxy for details. See also your GD
Server Installation Guide.
3. Click Test to verify that a connection to the Good Proxy server can be made. If the test is
successful, a confirmation is displayed at the top of the page in blue. If testing fails, check
that all System and Network Requirements, plus all Good Dynamics Requirements have
been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.
Next, use the respective instructions for the Lync Server version you have deployed: Lync
2010 or Lync 2013.
Configuring Lync 2010
1. From the Good Connect Service Configuration page, click Lync 2010. The system will
query the Lync server to verify that the appropriate GEMS Lync topology has been
added. Allow a few moments for the query to complete.
2. From the Application ID drop-down list, select the pool_gems.<mycompany.com>
application id. If the list is empty, this means that either the GEMS Lync topology was not
set up correctly or the service account does not have the proper permissions to query for
these settings. Refer to Microsoft Lync 2010 Requirements and correct your topology or
permissions as needed.
3. Click Test to verify that a connection to the Lync 2010 Server can be made. If the test is
successful, a confirmation is displayed at the top of the page in blue. If testing fails, check
that all System and Network Requirements, plus all Microsoft Lync 2010 Requirements,
have been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.
Configuring Lync 2013
1. From the Good Connect Service Configuration page, click Lync 2013. The system will
query the Lync server to verify that the appropriate GEMS Lync topology has been
added. Allow a few moments for the query to complete.
2. From the Application ID drop-down list, select the pool_gems.<mycompany.com>
application id. If the list is empty, this means that either the GEMS Lync topology was not
set up correctly or the service account does not have the proper permissions to query for
these settings. Refer to Microsoft Lync 2013 Requirements and correct your topology or
permissions as needed.
3. Click Test to verify that a connection to the Lync 2013 Server can be made. If the test is
successful, a confirmation is displayed at the top of the page in blue. If testing fails, check
that all System and Network Requirements, plus all Microsoft Lync 2013 Requirements,
have been met. Correct as needed, then return to Step 1 above.
4. Click Save to record these settings.
Configuring Microsoft Exchange Conversation History
Enable this component connection only if you wish to access saved conversations from
Microsoft Exchange. Bear in mind that before configuring conversation history for the Good
Connect Service, you must first make sure that it is enabled on the enterprise Lync Server
for which you are configuring Good Connect. As indicated on the Dashboard, consult your
Microsoft Lync 2010 Administration Guide and Windows PowerShell Supplement.
To configure GEMS to access Exchange conversation histories:
1. From the Good Connect Service Configuration page, click on Microsoft Exchange.
2. Check Enable Conversation History.
3. Enter the URL for your Microsoft Exchange Server in the field provided.
4. Select the supported Exchange Server Type (version) from the drop-down list.
5. Enter the desired Server Write Interval in minutes. This determines the frequency with
which each unique conversation will be sent to Exchange.
6. Click Test to verify that a connection to the Exchange Server can be made. If the test is
successful, a confirmation is displayed at the top of the page in blue. If testing fails, check
that System and Network Requirements, plus all Microsoft Lync Server Requirements,
have been met. Correct as needed, then return to Step 1.
7. Click Save to record these settings.
Configuring a Web Proxy
If your company uses a web proxy server to connect to the Internet, you must enter the
required information necessary to enable a connection with the Good Connect Service. Skip
this setup phase if your enterprise does not use a web proxy.
To configure the GEMS Internet connection using a web proxy:
1. From the Good Connect Service Configuration page, click on Web Proxy.
2. Check Use Web Proxy.
3. Enter Proxy Address and Proxy Port number. Both of these values should be exclusive
to your organization.
4. Select a Proxy Authentication Type.
Basic authentication requires that a user name and password be supplied by the
GEMS-Connect Service to authenticate a request. Digest authentication is more secure because
it applies a hash function to the password before sending it over the network.
If no authentication is required or desired, select None.
If you choose an authentication type, the Connect Service Username and Password are
automatically populated based on the Windows Domain Service Account you assigned to
the Connect Service under Configuring Windows Services.
5. Next, you can specify the Domain, although this is not required.
6. Click Test to verify that connection to the Web Proxy can be made. If the test is
successful, a confirmation is displayed at the top of the page in blue. If testing fails, check
that you entered the correct Proxy Address in Step 3 above, and that all System and
Network Requirements have been met. Correct as needed, then retry by clicking Test
again.
7. Click Save to record these settings.
Restart the Good Technology Connect Service
Now that GEMS is configured, you must restart the Connect service for your changes to take
effect.
Configuring Good Control for Connect
Next, it’s important to associate deployed GEMS and the Good Connect Client within Good
Control’s application management handler. This is required for each GEMS machine,
individually and clustered. This configuration information dictates the available servers to
which a Good Connect client may connect.
Important: The Good Connect application must be published in Good Control. For
prerequisite details on setting up Good Control, see Good Dynamics Requirements. To
learn how to add the Good Control app, see "Registering a New Application" in the GC
console's online help.
To add server pool and IM platform information, you must launch the Good Control
management console in your browser.
Then, with the Good Control management console loaded in your browser, complete the
following steps (as pictured):
1. In the navigator on the left side of the display, click Manage Applications, then select
Good Connect.
2. Click the Servers tab.
3. For each GEMS machine deployed:
a. Click the Add icon.
b. In the new Host Name field, enter the FQDN of the Connect service host.
c. In the Port field, enter the corresponding port (typically 8080).
d. For each GEMS machine, enter the following information in the Configuration field:
PLATFORM=LYNC
SERVERS=<comma-separated list of available GEMS hosts using the format FQDN:port>
Consult the Good Control online help utility for additional information.
Next, you’re ready to list the approved GEMS hostnames and ports for client connections.
Defining Allowed Domains and Servers
Allowed domains and servers within your enterprise network to which the Good
Collaboration client apps can connect are defined in Good Control’s Client Connections
option under Settings in the Server Configuration navigator. It is strongly recommended
that you whitelist each individual GEMS.
Here, the domain you are trying to configure is the one that allows GD connections to your
Microsoft Exchange server and your host and port(s) for Connect IM.
Whitelisting means that domains and servers on the list will be accepted, approved or
recognized. It is the reverse of blacklisting—the practice of identifying those that are denied
or unrecognized.
First, locate Additional Servers under Client Connections.
This is a list of specific servers with which all GD applications can connect. Add servers to this
list instead of using the Allowed Domains list if you want to restrict access so that GD
applications can only connect to certain servers—like GEMS and Exchange—and not to
every machine in a domain.
To add an allowed server:
1. Click the icon to add a blank row to the list.
2. Enter the Server fully qualified hostname and Port in the respective fields.
3. Assign a primary and secondary GP cluster for the server, if applicable. Connections
through GP servers in the primary cluster are attempted first, and if no responses are
received, connections are attempted through GP servers in the secondary cluster.
4. Click Submit.
As indicated at the beginning of this topic, you can also whitelist or block domains.
To edit information for an allowed server:
1. Click the Edit icon for the server.
2. Modify the server name or GP cluster configuration.
3. Click Submit to commit the change.
To remove a server from the list:
1. Click the Delete icon for the server.
2. Click Submit.
To whitelist GEMS:
1. Click the Edit icon.
2. Under Additional Servers, add an entry for the GEMS Connect service that will use port
8080. Reflecting your specific machine information, the entry should look something like
this:
goodconnect<n>.<mycompany.com>:8080
3. Make sure to save your changes.
Setting Policy Governing Disclaimer Text
Via Good Control, you can choose the option to display a Corporate Policy disclaimer at the
top of every new conversation (IM) within each Connect Service client; for example: “Use
of this service, a company IT asset, is subject to the proper conduct, secure use and handling
policies found in the XYZ Employee Handbook.”
To set or add a disclaimer via Good Control:
1. In the navigator, click Policy Sets, then select the policy set governing Good Connect.
2. Click the Application Policies tab, then expand the Good Connect application listing.
3. Click the Disclaimer tab.
4. Enable (check) the Display Disclaimer option.
5. Type or paste in your approved Disclaimer Text (250 characters max).
6. Click Update to display this disclaimer at the top of each new client conversation
window.
Establishing User Affinity
In clustered environments, client affinity can be used to map a client to a GEMS machine for
the duration of the client session. This makes it possible for a GEMS administrator to pin a
user to a cluster of GEMS machines, instead of letting the system randomly assign this
particular user to a server from a master list.
To better understand how to use affinity assignments, consider the following example.
XYZ Inc. has two Lync pools—a West Coast pool hosting users in XYZ’s West Coast offices,
and an East Coast pool, which hosts users in the firm’s East Coast offices—so IT deploys a
Connect server for each pool, while only setting up one Good Control and Good Proxy
cluster, as pictured.
Unless affinity is configured, when Aaron Beard launches his Good Works client, Good
Control sends a list of servers that includes both East Coast and West Coast servers and
Aaron’s client randomly chooses which one to connect to. Even though Aaron is a
West Coast user, there’s a strong chance he’ll actually be served by the East Coast server. By
contrast, when user affinity is enabled, it means Aaron will always connect to the West Coast
server.
Note: User Affinity is not currently supported for the Presence Service.
To enable User Affinity for Connect:
1. In the navigator, click Policy Sets, then select the policy set corresponding to user
affinity assignments for Good Connect; e.g., “West Coast Connect Users.”
2. Click the Application Policies tab, then expand the Good Connect application listing.
3. Click the Server Configuration tab.
4. Enter (type or paste) your Connect Server Hosts separated by commas in the following
format:
<server_1_fqdn>:<port>,<server_2_fqdn>:<port>,<server_n_fqdn>:<port>
Example:
westcoast1.xyzcorp.com:8080,westcoast2.xyzcorp.com:8080,eastcoast1.xyzcorp.com:8080
5. In the navigator on the left, select Manage Users under User Accounts.
6. Select the User for whom you want to establish an affinity policy.
7. From the Policy Set dropdown, assign the user to an appropriate policy set.
8. Click Refresh to confirm the change and update the user account.
Enabling/Disabling Conversation History
Saving conversation histories on respective user devices is enabled by default in Good
Control. The GEMS Connect Service supports the option to limit storing conversation
histories of more than 40 messages on client devices. The decision to do so could be in
support of standard enterprise security policy, to conserve physical storage availability on
devices, or for any other reason.
To disable/enable the conversation history option:
1. In the Good Control navigator, click Policy Sets, then select the policy set governing
collaboration suite apps; i.e., Good Connect.
2. Click the Application Policies tab, then expand the Good Connect application listing.
3. Click the Conversation History tab, then check/uncheck Save more than 40 messages
in a conversation history on the device.
4. Click Update.
Controlling Browser and Map Behavior
GEMS supports the option to control whether or not the local device browser application is
invoked when tapping on a Web page URL within a Good Work or Good Connect contact,
conversation, or email, and if the device’s map application can be used when tapping an
address. Both browser and map access are allowed by default in Good Control.
To disable either browser or map access or both from Good Work or Good Connect
in Good Control (see screenshot below):
1. In the navigator, click Policy Sets, then select the policy set governing the application
you want to set; i.e., Good Connect or Good Work.
2. Click the Application Policies tab, then expand the Good Connect or Good Work
application listing.
3. Click the App Settings tab.
4. Disable (uncheck) either option or both, then click Update.
Here, it's important to remember that Good Control Policy Sets are assigned to provisioned
devices running the application governed by the policy's permissions. When the app is
activated by the user, a policy's permissions and restrictions are applied immediately.
Enabling SSL Support Via Good Proxy
In the diagram below, the blue lines indicate the path to the GEMS machine from each Good
Work client. Although SSL is disabled by default, GEMS can be configured to run securely
using SSL/TLS (HTTPS) to communicate with clients through Good Proxy.
As discussed under prerequisites, GEMS requires a signed server SSL certificate from a
third-party Certificate Authority (CA).
The following step-by-step details will guide you in enabling SSL support via Good Proxy:
• Importing the CA-signed certificate to the GEMS machine
• Binding the SSL certificate to the Connect SSL port
• Adding the certificate to the GEMS configuration file
• Configuring Good Control to send requests over SSL
• Troubleshooting SSL certificate exceptions
Submitting the CSR to a Certificate Authority (CA)
If you need to send the new CSR to a well-known third-party CA and purchase a certificate
for your server, the third-party CA may also send you a file that contains the full certificate
chain, including possible intermediate certificates.
Well-known third-party CAs include:
• Symantec
• Thawte
• GeoTrust
• GlobalSign
• DigiCert
When the issued certificate is received, it is important that it be installed on the same server
that generated the CSR. To do so, after the new certificate is issued, you must:
• Import the CA-signed SSL certificate to the GEMS machine
• Bind the issued certificate to the GEMS machine's SSL port
• Add the new certificate information to the GEMS configuration file
• Configure Good Control to send requests over SSL
Importing the Signed Certificate
Installing the signed certificate is done on the GEMS machine with the GEMS service
account.
Thus, to install a well-known third-party CA-signed SSL certificate for GEMS, login with the
GEMS service account, and then:
1. Click Start > Run, enter mmc, and click OK.
2. After the MMC launches, click File > Add/Remove Snap-in…
3. Select Certificates in the left panel and click Add to move it into the right panel, then
click OK.
4. Select the Computer account option and click Next.
5. Confirm that Local computer is selected and click Finish.
6. Click OK to confirm Certificates in the Console Root.
7. Launch import of the trusted root certificate by expanding Certificates (Local
Computer) in the panel on the left, then right-clicking Personal > All Tasks > Import.
8. Once the Certificate Import Wizard opens, click Next.
9. Specify the file you want to import; e.g., the certificate received after submitting a CSR to
a well-known, third-party CA; and click Next.
10. Click Next to confirm placing the certificate in the Personal store, then click Finish to
import the certificate.
11. Click OK when informed that the import was successful.
Next, you’re ready to bind the certificate to the server.
Binding the SSL Certificate to the Connect SSL Port
Before binding the certificate to the GEMS machine’s SSL port, you must first import the
third-party CA-signed certificate to the GEMS machine. If import was successful, complete
the binding exercise that follows here. Binding must be completed prior to configuring
Good Control to use the new certificate.
To bind the new certificate to the GEMS machine's SSL port:
1. Login to the GEMS machine with the correct service account.
2. In the MMC’s Certificate Snap-in, double-click the certificate, then click on Details to
switch to that tab.
3. Change the Show value to Properties Only.
4. Click Thumbprint.
5. Copy the thumbprint value in the lower textbox.
6. Paste the copied thumbprint into a text editor and remove all the spaces, so that “80 82
41 2f …” becomes “8082412f…”
7. Copy this edited version of the thumbprint to the clipboard.
8. Open a command prompt as an administrator and enter the following command string:
> netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}
replacing <port> with the port number you want to use (e.g., 8082) and <thumbprint>
with the contents of the clipboard.
9. Confirm the certificate binding by executing the following command:
> netsh http show sslcert
If the certificate is properly bound, you’re ready to:
• Add the new certificate information to the GEMS configuration file
• Configure Good Control to send requests over SSL
If binding fails, see Troubleshooting SSL Certificate Exceptions.
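Steps 5 through 9 above are a common place for the binding to go wrong: a thumbprint copied from the certificate dialog can carry an invisible Unicode format character (such as U+200E) along with the spaces, and netsh then rejects a hash that looks correct on screen. The Python below is an added example, not part of GEMS; it cleans the pasted value, builds the netsh command from this guide, and checks pasted "netsh http show sslcert" output. The thumbprint and the netsh output are constructed samples, and the parser assumes English-language netsh output.

```python
import re
import unicodedata

# Application ID given in this guide for the Connect SSL binding.
GEMS_APPID = "{AD67330E-7F41-4722-83E2-F6DF9687BC71}"


def normalize_thumbprint(raw):
    """Strip spaces and invisible format characters; require 40 hex digits (SHA-1)."""
    cleaned = "".join(
        ch for ch in raw
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    )
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hex digits, got %r" % cleaned)
    return cleaned.lower()


def netsh_bind_command(raw_thumbprint, port):
    """Build the 'netsh http add sslcert' command for the given SSL port."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ("netsh http add sslcert ipport=0.0.0.0:%d certhash=%s appid=%s"
            % (port, normalize_thumbprint(raw_thumbprint), GEMS_APPID))


def bound_certificates(show_output):
    """Map 'ip:port' to certificate hash from 'netsh http show sslcert' output."""
    bindings, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"\s*IP:port\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)", line)
        if m and current:
            bindings[current] = m.group(1).lower()
    return bindings


def binding_matches(show_output, port, raw_thumbprint):
    """True when the expected certificate is bound to 0.0.0.0:<port>."""
    bound = bound_certificates(show_output).get("0.0.0.0:%d" % int(port))
    return bound == normalize_thumbprint(raw_thumbprint)


# Constructed sample: a pasted thumbprint with a leading U+200E and spaces.
SAMPLE_RAW = "\u200e80 82 41 2f 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"

# Constructed sample of 'netsh http show sslcert' output.
SAMPLE_SHOW = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:8082
    Certificate Hash             : 8082412f00112233445566778899aabbccddeeff
    Application ID               : {ad67330e-7f41-4722-83e2-f6df9687bc71}
    Certificate Store Name       : (null)
"""

if __name__ == "__main__":
    print(netsh_bind_command(SAMPLE_RAW, 8082))
    print("bound:", binding_matches(SAMPLE_SHOW, 8082, SAMPLE_RAW))
```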
Modifying the GEMS Configuration File with the New Certificate
Some important configuration file changes are necessary to allow Good Connect to use the
new SSL certificate. Before continuing, however, it is recommended that you make a backup
copy of the current Good Connect server configuration file.
Next, for discussion purposes here, it is assumed that you have installed GEMS in the
default directory location on the server. Adjust the drive:\path\ for your deployment as
necessary.
To modify the server configuration to use the correct SSL certificate, open C:\Program
Files\Good Technology\Good Server\Good Connect\GoodConnectServer.exe.config
and make the following change:
<add key="USE_SSL" value="false" />
Note: Save your changes, then restart the Good Technology Connect service in the
Windows Service Manager for these changes to take effect.
Configuring Good Control to Send Requests over SSL
There are only a couple of changes needed in the Good Control console to enable client SSL
connections with GEMS. These configuration settings involve making sure that:
• Any server previously installed without SSL, including prior implementations of Good
Connect and Connect Server, has its FQDN added and associated with the new SSL port.
Previously installed non-SSL Good Connect servers and Connect Service servers must be
removed from Good Control.
• The format and port information for servers listed in the configuration must be
prepended with https:// and assigned to the new SSL port.
To change the necessary application server settings in Good Control (pictured
below):
1. Open your Good Control console.
2. In the navigator under Applications, click Manage Applications.
3. Select the Good Connect app, then click the Servers tab.
4. Click the Add icon.
5. Under Host Name, enter the fully qualified domain name (FQDN) of each GEMS-Connect Server.
6. Under Port, enter the SSL port.
7. In the Configuration textbox, prepend each listed FQDN with https:// and change its
port assignment to the Connect SSL port; e.g., 8082.
To change user affinity-clustering:
1. Click on Policy Sets in the navigator, then select the Application Policies tab.
2. Expand the Good Connect policy set, then click the Server Configuration tab.
3. Change the port numbers in Connect Server Hosts to the new SSL port for GEMS.
Troubleshooting SSL Certificate Exceptions
Despite meeting all of the SSL certificate requirements defined under Enabling SSL Support
via Good Proxy, you may continue to get the following error:
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.Rtc.Internal.Sip.TLSException
If so, the most likely explanation is that the SSL certificate was not created with the correct
CSP and key spec. The KeySpec property sets or retrieves the type of key generated. Valid
values are determined by the cryptographic service provider (CSP) in use, typically Microsoft
RSA.
To check the certificate’s CSP and KeySpec:
1. Open cmd/powershell on the GEMS machine and execute the following command:
certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt
2. Open c:\temp\ssl.txt in a text editor and search for “CERT_KEY_PROV_INFO_PROP_ID.”
The search should return the following:
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0cd24435fe903
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20
KeySpec = 1 -- AT_KEYEXCHANGE
If the values for Provider, ProviderType, and KeySpec are not exactly the same as those
shown above, you will need to have the CA reissue a new SSL certificate with the appropriate
provider and key spec values.
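The comparison in steps 1 and 2 can be scripted. The following PowerShell is an added example, not part of the Good documentation: it reads a certutil dump and flags any Provider, ProviderType or KeySpec value that differs from the ones listed above. The function names and the sample dump are constructed for illustration.

```powershell
# Added example (not from the GEMS guide): checks a "certutil -v -store" dump
# for the three provider values the troubleshooting steps above require.
# Runs on PowerShell 2.0 or later.

$Expected = @{
    Provider     = 'Microsoft RSA SChannel Cryptographic Provider'
    ProviderType = 'c'
    KeySpec      = '1'   # AT_KEYEXCHANGE
}

function Get-KeyProvInfo {
    # Emits one hashtable per CERT_KEY_PROV_INFO_PROP_ID block in the dump.
    param([string[]]$Lines)

    $blocks  = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match 'CERT_KEY_PROV_INFO_PROP_ID') {
            $current = @{}
            [void]$blocks.Add($current)
            continue
        }
        if ($null -ne $current -and
            $line -match '^\s*(Provider|ProviderType|KeySpec)\s*=\s*(\S.*?)\s*$') {
            # Keep the first value seen per block; later repeats are ignored.
            if (-not $current.ContainsKey($Matches[1])) {
                $current[$Matches[1]] = $Matches[2]
            }
        }
    }
    $blocks
}

function Test-GemsCertProvider {
    # Compares each block with $Expected and reports every field, match or not.
    param([string[]]$Lines)

    $blocks = @(Get-KeyProvInfo -Lines $Lines)
    if ($blocks.Count -eq 0) {
        Write-Warning 'No CERT_KEY_PROV_INFO_PROP_ID block found in the dump.'
        return
    }
    $index = 0
    foreach ($block in $blocks) {
        $index++
        foreach ($name in 'Provider', 'ProviderType', 'KeySpec') {
            $actual = $block[$name]
            # KeySpec is dumped as "1 -- AT_KEYEXCHANGE"; compare the leading number only.
            $compare = if ($name -eq 'KeySpec' -and $actual) { ($actual -split '\s+')[0] } else { $actual }
            New-Object PSObject -Property @{
                Certificate = $index
                Field       = $name
                Found       = $actual
                Required    = $Expected[$name]
                Ok          = ($compare -eq $Expected[$name])
            }
        }
    }
}

# Constructed sample dump for an offline run: a certificate issued with a
# different CSP and key spec than the guide requires.
$sample = @'
CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = constructed-sample-container
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  ProviderType = 1
  Flags = 20
  KeySpec = 2 -- AT_SIGNATURE
'@ -split "\r?\n"

Test-GemsCertProvider -Lines $sample |
    Select-Object Certificate, Field, Found, Required, Ok |
    Format-Table -AutoSize

# Against the real dump written in step 1:
#   Test-GemsCertProvider -Lines (Get-Content 'c:\temp\ssl.txt')
```

Any row with Ok = False identifies the value to raise with the CA when requesting the reissued certificate.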
Configuring Connect for High Availability (HA)
GEMS Connect utilizes an active/active model for HA. Refer to the GEMS Deployment
Planning Guide for details on how Connect HA works.
To set up Connect HA, simply provision each additional server required and install Connect.
Follow the same installation process as setting up a standalone GEMS-Connect server with
the following exceptions:
1. All High Availability Connect servers must share the same database.
2. After installing a Connect server, the “Good Connect” application configuration in Good
Control must be updated (see Updating the Good Connect Application for HA).
3. If “user-affinity” is used in Good Control, user Policies must also be updated (see
Updating the Good Connect Application for HA).
Updating the Good Connect Application for HA
To add each Connect HA server to the Good Connect application configuration in
Good Control:
1. Under Applications, select Manage Application > Good Connect > Servers.
2. As pictured below, add each Connect HA server to the server list, as well as to the
configuration box, in accordance with the instructions found in Configuring Good
Control for Connect.
Note: For the configuration box, remember to use a comma to separate each server.
Updating Client Connections for Good Connect HA
Each GEMS Connect HA Server must also be added to Client Connections in Good Control.
To add a Connect HA server to Client Connections in Good Control:
1. In the console navigator under Server Configuration, click Client Connections.
2. Add each GEMS Connect HA server to the Additional Servers list so that the result
reflects what's pictured below, albeit showing information pertinent to your
environment.
Updating User Policy for Good Connect HA (optional)
This step is only required if user-affinity is used for Good Connect.
For each user policy that is utilizing user-affinity with Good Connect:
1. In the console navigator click Policy Sets, then select the correct Good Connect user
policy from the list by clicking on it.
2. Click the Application Policies tab, click Good Connect, then click the Server
Configuration tab.
3. Add each GEMS Connect server to the Connect Server Hosts list.
Caution: Servers defined via Application Policies will override any defined via Manage
Applications.
Managing the Pool of Servers via the Good Control Console
The list of available servers in a pool is managed by a setting in the GC's console
administration interface.
To update the list:
1. Log into your Good Control console account.
2. Select Manage Applications from Application Groups in navigator.
3. Select Good Connect from the list of applications.
4. Select the Server Info tab and look for the Server, Port, and Configuration fields.
5. Update the Configuration field as shown in the following example with host information
corresponding to your configuration:
Good Dynamics delivers this information to the client device at start up. Any additional
servers added to the pool need their host information added through the Good Control
console to become active.
HA/DR Failover Measures
There are various measures you can take to manage problematic instances of the GEMS in a
server pool.
Secondary Server Failure
If a secondary server stops working, remove that host entry from the GC console. Any
modification to this information in the Good Control console is pushed to all clients.
In the event of the unexpected shutdown of a GEMS-Connect secondary server, a mobile
client's active session terminates and automatically joins an alternate server in the pool.
Primary Server Failure
It is recommended that you create a passive-standby primary server for a given server pool
in case the primary server fails unexpectedly. Setting up a passive-standby primary server is
essentially no different from the installation and setup of an active primary GEMS instance.
To set up a passive-standby primary server:
1. Install a GEMS with Connect on a new machine, but don't start the service.
2. Set the value of PROXY_URL in the machine's configuration file to localhost.
To activate the standby primary server:
1. Stop any existing GEMS-Connect servers (although additional servers will shut
themselves down if a primary fails).
2. Update each additional server's configuration file to point to the new passive standby
host.
3. Update the Good Control console with the new primary host information.
4. Start all servers with the new primary being first.
Configuring Support for the Global Catalog
In a multi-domain Active Directory Domain Services (AD DS) forest, the global catalog
provides a central repository of domain information for the forest by storing partial replicas
of all domain directory partitions. These partial replicas are distributed by multimaster
replication to all global catalog servers in a forest. In this way, the global catalog makes the
directory structure within a forest transparent to users who perform a search. Without a
global catalog server, this query would require a search of every domain in the forest.
During an interactive domain logon, the domain controller authenticates the user by
verifying the user’s identity, and also provides authorization data for the user’s access token
by determining all groups of which the user is a member. Because the global catalog is the
forest-wide location of the membership of all universal groups, access to a global catalog
server is a requirement for authentication in a multidomain forest. A global catalog server is
also required for Microsoft Exchange Server.
To support Good collaboration suite users from multiple domains within the same forest,
the following modifications using the Active Directory Schema MMC Snap-In will enable
users to be accessed from the Global Catalog:
1. Click the Attributes folder in the snap-in.
2. In the right panel, scroll down to the desired attribute, right-click it, and then click
Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.
5. Verify that the following attributes are published to the Global Catalog:
• msrt-primaryuseraddress
• mail
• telephoneNumber
• displayname
• title
• mobile
• givenName
• sn
• sAMAccountName
6. Edit the following configuration parameters in the GoodConnectServer.exe.config file
installed by default in the C:\Program Files\Good Technology\Good Enterprise
Mobility Server\Good Connect folder:
<add key="AD_USERS_SOURCE" value="GC"/>
<add key="AD_USERS_SOURCE_DOMAIN" value="<root GC domain; LDAP format>"/>
Note: You must restart Good Technology Connect Service in the Windows Service
Manager after updating the parameters.
Configuring Windows Services
Good Connect Server is now listed in the Microsoft Windows Services UI. By opening it, you
can review its current status.
If you select the Log On tab, you should see the Service Account user you entered for the
Connect service in the GEMS Dashboard.
In order for Connect to run as another domain user, the following must be true:
• The alternate domain user must have access to the private key of the computer
  certificate. See Identifying/Acquiring a Valid SSL Certificate for details.
• The alternate domain user must be enabled to “Log on as service” through the Local
  Security Policy tool.
To give your GEMS account Log on as service privileges:
1. Run the Local Security Policy admin tool on the Good Connect host.
2. Expand the Local Policies folder in the navigator on the left.
3. Select the User Rights Assignment folder to see a list of policies.
4. Double-click Log on as a service to add this policy to the Good Connect account.
Connect Service Logging and Diagnostics
Server logs and performance information for the Connect Service can be found in the GEMS
installation directory.
Log File Location
The default GEM server installation directory is:
C:\Program Files\Good Technology\Good Enterprise Mobility Server
All log directories are relative to this path.
GEMS Connect Service Log
\Good Connect\logs\Application-log_<data>.txt
Common Good Connect Issues
The most common issues can be diagnosed by properly analyzing the appropriate log file
when encountering IM or preference issues.
For troubleshooting, entries like the following examples are generally the most revealing:
Example 1
Log Entry: Failed to start GoodConnectServer:
Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a
connection. ---> System.Net.Sockets.SocketException: No such host is known.
Issue: The hostname value in the configuration file for the key OCS_SERVER does not exist or
is not recognized as a valid server.
Resolution: Correct the OCS_SERVER value in the configuration file.
Example 2
Log Entry:
DeregisterReason=None
ResponseCode=480
ResponseText=Temporarily Unavailable
Microsoft.Rtc.Signaling.RegisterException: The endpoint was unable to
register. See the ErrorCode for specific reason.
Issue: The port number specified in OCS_PORT_TLS is not valid.
Resolution: Correct OCS_PORT_TLS value in the configuration file.
Example 3
Log Entry:
ErrorCode=-2146233088
FailureReason=RemoteDisconnected
LocalEndpoint=10.120.165.137:5060
RemoteEndpoint=10.120.167.109:55118
RemoteCertificate=<null>
Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) -->
Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Remote disconnected
while outgoing tls negotiation was in progress -->
System.Net.Sockets.SocketException: An existing connection was forcibly closed
by the remote host.
Issue: OCS_TRANSPORT was specified as TLS, however the port number provided was TCP.
Resolution: Change the OCS_PORT_TLS to 5061.
Example 4
Log Entry:
Failed to start GoodConnectServer:
Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any
address and port supplied.
Issue: UCMA_APPLICATION_PORT number specified in the configuration file is either blocked
by a firewall or used by another application.
Resolution: Unblock port if it is a firewall issue or choose another port number.
Example 5
Log Entry:
Failed to start GoodConnectServer:
WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not
found.
Issue: The certificate's subjectName must contain the local host's FQDN and the private
key for the cert must be enabled for the user which executes the GEMS software.
Resolution: Enable private keys for this cert for the user running the GEMS machine.
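The five examples above can be turned into a first-pass log triage. The following PowerShell is an added example, not part of the Good documentation: it matches Connect log lines against the signatures from Examples 1 to 5 and names the setting to review. The function names and the sample log lines are constructed for illustration.

```powershell
# Added example (not from the GEMS guide). Patterns, settings and hints are taken
# from Examples 1-5 above; function names are illustrative.
# Runs on PowerShell 2.0 or later.

$Signatures = @(
    @{ Example = 1; Pattern = 'No such host is known'
       Review  = 'OCS_SERVER'
       Hint    = 'Host name does not exist or is not recognized as a valid server.' },
    @{ Example = 2; Pattern = 'Microsoft\.Rtc\.Signaling\.RegisterException'
       Review  = 'OCS_PORT_TLS'
       Hint    = 'The port number specified is not valid.' },
    @{ Example = 3; Pattern = 'TlsFailureException|Remote disconnected while outgoing tls negotiation'
       Review  = 'OCS_TRANSPORT, OCS_PORT_TLS'
       Hint    = 'Transport is TLS but the port is the TCP port; change OCS_PORT_TLS to 5061.' },
    @{ Example = 4; Pattern = 'Failed to listen on any address and port supplied'
       Review  = 'UCMA_APPLICATION_PORT'
       Hint    = 'Port is blocked by a firewall or used by another application.' },
    @{ Example = 5; Pattern = 'OCSCertificateNotFoundException'
       Review  = 'SSL certificate'
       Hint    = 'Subject must contain the local FQDN; the GEMS user needs access to the private key.' }
)

function Find-ConnectLogIssue {
    # Emits one object per log line that matches a known signature.
    param([string[]]$Lines)

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($sig in $Signatures) {
            if ($Lines[$i] -match $sig.Pattern) {
                New-Object PSObject -Property @{
                    Line    = $i + 1
                    Example = $sig.Example
                    Review  = $sig.Review
                    Hint    = $sig.Hint
                    Text    = $Lines[$i].Trim()
                }
            }
        }
    }
}

function Get-ConnectLogSummary {
    # One row per signature: how often it occurred and where it first appeared.
    param([string[]]$Lines)

    Find-ConnectLogIssue -Lines $Lines | Group-Object Example | ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Example   = $first.Example
            Hits      = $_.Count
            FirstLine = $first.Line
            Review    = $first.Review
            Hint      = $first.Hint
        }
    } | Select-Object Example, Hits, FirstLine, Review, Hint
}

# Constructed sample log lines, modelled on the entries quoted in Examples 1, 3 and 5.
$sample = @(
    'Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known.',
    'Constructed line that matches no signature',
    'Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) --> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Remote disconnected while outgoing tls negotiation was in progress',
    'Failed to start GoodConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found.'
)

Get-ConnectLogSummary -Lines $sample | Format-List

# Against the real logs (path relative to the GEMS installation directory):
#   Get-ConnectLogSummary -Lines (Get-Content '<install dir>\Good Connect\logs\Application-log_*.txt')
```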
Configuring the Presence Service
Configuring the GEMS-Presence to support both Good Work and other third-party apps
running on the Good Dynamics platform entails a few steps. These include:
• Enabling GEMS HTTP
• Configuring Presence in the GEMS Dashboard
• Configuring Good Control for Presence
Enabling GEMS HTTP
In this initial release of the GEMS Presence service, only HTTP Presence subscriptions are
supported. By default, however, the HTTP Presence service is disabled. This means that the
GEMS HTTP Presence service will need to be manually enabled in order for the Presence
service to work.
To enable GEMS HTTP Presence subscriptions:
1. On the GEMS host, locate the org.ops4j.pax.web.cfg file and open it in a text editor. Its
default location is C:\Program Files\Good Technology\Good Enterprise Mobility
Server\Good Server Distribution\gems-karaf-<version>\etc.
2. Comment out the “org.ops4j.pax.web.listening.addresses=127.0.0.1” line by
prefixing it with a “#” sign. It should look like this:
#org.ops4j.pax.web.listening.addresses=127.0.0.1
3. Save the file.
4. Locate the jetty.xml file and open it in your text editor. Its default location is
C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server
Distribution\gems-karaf-<version>\etc.
5. Find the following block of lines and delete the comment markers highlighted in yellow:
6. Save the file.
7. Restart Good Technology Common Services.
Note: Currently, this must be done regardless of the applications that will consume the
Presence service.
Configuring Presence in the GEMS Dashboard
The Presence service exposes the Lync Presence Provider (LPP) to third-party Good
Dynamics applications. Setting up the Presence service is similar to configuring the Connect
service, and can be reduced to the following four steps:
1. Service Account: Enter the GEMS Service Account, but only after making sure this
service account has RTCUniversalReadOnlyAdmins rights. Click Save to record these
settings.
2. Good Dynamics: Enter the Good Proxy Hostname. Use the Test button to test the
connection. Click Save to record these settings.
3. Settings: Default settings are typically sufficient.
4. Lync 2010/2013 – After clicking on this setting, the system will dynamically query the
Lync Server to see if the appropriate GEMS Lync topology has been added. It will
typically take a few moments for the query to complete, so please be patient.
For Application ID, select the Lync Presence Provider application ID, then select the
corresponding Application Endpoint. If the listboxes are empty, this means that either
the GEMS Lync topology was not set up correctly or the service account does not have
the proper permissions to query these settings.
Use the Test button to test connectivity. Click Save when done.
Additional resources for Good Presence Developers
If you are a Good Presence developer, the following will be useful links:
• Good Presence Service API
• Good Presence Sample app
Configuring Good Control for Presence
Depending on how you are implementing the Presence service, setting it up in Good Control
is two-fold:
• Configuring Presence for the Good Work app
• Configuring Presence for Third-Party apps
Configuring Presence for Good Work
Presence for the Good Work app is configured in Good Control's Application Policies.
To enable Presence for Good Work:
1. In the Good Control console navigator click Policy Sets, then locate the policy you want
to apply and click it.
2. Click the Application Policies tab.
3. Scroll down to Good Work and click it, then click the App Settings tab.
4. In the Server Hosts field, enter in the FQDN of your GEMS host, followed by port 8181.
5. Click Update.
6. Now, repeat Steps 1 through 5 for every policy that will use Good Work Presence.
Configuring Presence for Third-Party Apps
If you're making the Presence service available to third-party GD apps, the Presence
app/service must be configured in Good Connect's management handler. This is required
for each GEMS machine, individually and clustered.
Again, for prerequisite details on setting up Good Control, see Good Dynamics
Requirements.
Important: The Good Presence application is not published to Good Control by default.
You must request this app and then add it to Good Control.
To learn how to add the Good Presence app, see "Registering a New Application" in the GC
console's online help.
Then, with the Good Control management console loaded in your browser, complete the
following steps:
1. Under Applications, click Manage Applications, and select Good Presence.
2. Click the Servers tab.
3. In the new Host Name field, enter the FQDN of the GEMS-Presence Service host.
4. In the Port field, enter the corresponding port (typically 8181).
5. For each GEMS machine entered, click
in the Actions column, then repeat Steps 3
thru 5.
6. Click Submit to save the configuration.
Consult the Good Control online help utility for additional information.
Logging and Diagnostics
The default GEM server installation directory is:
C:\Program Files\Good Technology\Good Enterprise Mobility Server
All log directories are relative to this path.
GEM Server Log
\Good Server Distribution\assembly-<version>\data\log\<gems_server_name+timestamp>.log
Note: At 23:59 the timestamp resets to 0:00. It is also reset by a service
restart or when the file size reaches 100 MB.
GEMS Presence Service
\Good Presence\Logs\LPP-log.txt
Updating the Connect and Presence Services Using Lync
Director
The Lync Director role provides functionality for users accessing Lync, internally and
externally [1].
To support this capability, Lync Server is deployed as one or more pools, based on Standard
Edition or Enterprise Edition Lync Server. Users can be homed on only a single pool. Clients
can be configured to find their Lync pool automatically. However, the DNS records that
support this functionality can point to only a single pool. In a multi-pool environment, this
"primary" pool will have to redirect users to their correct home pool. This is an overhead on
the primary pool. The Lync Director is used to offload this redirection functionality. The
Director does not home any users itself but instead redirects the user to their correct pool
home. The requirement for the Lync Director is therefore for multi-pool environments with
high user numbers.
Once the user has been redirected to their correct pool, the Director plays no further role in
communications between the client and the pool server.
To update the Connect and Presence services to use a Director:
1. From the GEMS host, stop the following services:
• Good Technology Connect
• Good Technology Presence
2. Locate the Good Connect configuration file. Its default location is:
C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config
3. Open the file in notepad, locate the LYNC_SERVER key, then update its value with the
FQDN of the Director pool you want to use.
4. Locate the Good Presence configuration file. Its default location is:
C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Presence\LyncPresenceProviderService.exe.config
As with Connect, open the file in notepad and locate the LYNC_SERVER key. Update this
value with the FQDN of the Director pool you want to use.
5. Start the two services that you stopped in Step 1.
[1] From http://social.technet.microsoft.com/wiki/contents/articles/3933.lync-director.aspx. ©2014 Microsoft Corporation. Used with permission.
Maintaining GEMS Cluster Identification in Good Control
Always ensure that the Connect servers listed in the Good Control application configuration for
Good Connect identify the installed GEMS machines in that cluster.
If you add a server to the cluster, coordinate the timing of the server’s installation
with updating the Good Control application configuration for Good People, so that the
additional server is included after it has been installed and is up and running.
If you temporarily remove a server from the cluster for maintenance, it is not necessary to
change the Good Control application configuration for GEMS. The Good People client will
detect that the server is offline and will automatically connect to another GEMS machine in
the cluster.
If you permanently remove a server from the cluster, first shut down the GEMS machine,
then remove it from the Good Control application configuration.
Device Provisioning and Activation
Users invited to install and activate Good Connect on their device(s) require an access key.
The access key must be entered when the user opens Good Connect for the first time on a
given device.
The access key is a 15-character alphanumeric code sent to the user’s (registered) company
email address and has the following properties:
• It can be used only once and is consumed immediately upon the activation of an
  application.
• It is not application-exclusive. In other words, a user who has been sent four access keys
  can use them to activate any four applications to which s/he is entitled.
• It does not support reactivation. Hence, if the client software is uninstalled, then
  reinstalled on the same device, a new access key is required. This is also true if a new or
  factory-reset device is in use, or if a device emulator is in use and its state is not persisted.
  However, a user who has been issued multiple access keys could use them to activate the
  same application multiple times.
• It can be configured to expire after a specified period of time. This is done in
  Provisioning Policies by enabling the Access Keys expire option, and then selecting the
  number of days after which access keys expire if not consumed.
To grant access to all your enterprise users complete the following steps:
1. Assign the default policy set or create a new policy set in accordance with your
enterprise’s user access protocols. The default policy set is automatically applied to all
new users.
For each user, the policy currently applied is located at the top of the user’s account
page. To apply a different policy set, hover your cursor over it and select from the
available policy sets in the listbox. It should be noted that the user must be granted
access to the app in order to activate it. This is done by assigning the user to an
Application Group that includes the app (Good Connect) for which the user is being
permitted access.
2. Go to User Accounts > Manage Users in the navigation panel, locate the user you want
to provision, and click Edit. You can also click anywhere on the user’s row to view account
information.
3. Click on the Access Keys tab to set the number of keys to send to the user.
4. Click Provision.
The appropriate number of access keys will then be sent to the user’s registered enterprise
email address—one email message per key. Hashes of the access keys are also copied to the
GD NOC for validation.
Assuming the user has received the email message containing the access key and
downloaded and installed the GD client application from the pertinent online marketplace
(App Store or Google Play) on the device, they can now activate the application until its
GC-specified expiration date. At application start-up, the Good Dynamics user activation
interface opens, whereupon the user must enter the access key and his/her enterprise email
address in the input fields provided on the client so that the GD Client Library can promptly
transmit the access key to the NOC.
Additional provisioning and activation options are also available in Good Control. For more
on these features see:
• Easy Activation
Appendix A – GEMS with Push Notifications Service
Pre-Installation Checklist
It is highly recommended that this checklist be completed prior to implementation of your
Good Enterprise Mobility Server (GEMS) with Push Notifications and Presence Services.
Registration
[ ] 1.1 Register with the GDN Portal (click here)
[ ] 1.2 Download the latest GEMS software
[ ] 1.3 Request the Good Work App (click here; very important!)
Network
[ ] 2.1 Ensure the following ports are open for GEMS:
    Inbound TCP ports:
    • 8443 from the Good Proxy server (required for Presence and Push notifications);
      add port 8181 if SSL is not going to be used
    Outbound TCP ports:
    • 443 to Good NOC/APNS
    • 443 to Exchange
    • 17080 to the Good Proxy server (17433 for SSL)
Active Directory and Exchange
[ ] 3.1 Verify Exchange version support; either:
    • Exchange 2010 (SP2 RU4 +)
    • Exchange 2013 (CU1, CU2, CU3, SP1 [CU4])
[ ] 3.2 Create an AD account for Good. Preferred UID is "GoodAdmin" with the following attributes:
    • Password must not contain ':', '@', or '/'
    • Password Expired option must be set to Never for this account
    • GoodAdmin should be a member of the local administrator group on the GEMS host machine
[ ] 3.3 Create an Exchange mailbox for the GoodAdmin account.
[ ] 3.4 Grant Application Impersonation Permissions to the GoodAdmin account in
    Exchange (very important!). For your convenience, the Exchange Shell
    command to apply Application Impersonation is included here.
    Command Format:
    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
    Example:
    New-ManagementRoleAssignment -Name:GoodAppImpersonation -Role:ApplicationImpersonation -User:GoodAdmin
    For additional details, see Configuring Exchange Impersonation, in addition to
    Grant Application Impersonation Permission to the Service Account under
    Setting Up a Windows Service Account for GEMS above.
[ ] 3.6 Ensure that your Exchange Autodiscover is set up correctly (very important!).
    Use EWSEditor to test. Please reference KB3496 for more information on how
    to use EWSEditor.
[ ] 3.7 Ensure that Exchange EAS is enabled on port 443 and that connections are
    permitted for the Good Proxy server.
GEMS
[ ] 4.1 Verify OS support. The following are supported by GEMS:
    • Windows Server 2008 R2
    • Windows Server 2008 R2 SP1
    • Windows Server 2012 R2
[ ] 4.2 Verify minimum hardware requirements.
    POC:
    • Dual Core / 2.4 GHz CPU or higher
    • 4 GB RAM / 50 GB HDD
    • 100 / 1000 Ethernet Card
    Production:
    • Pentium 4 Quadcore / 2.4 GHz CPU or higher
    • 16 GB RAM / 50 GB HDD
    • 100 / 1000 Ethernet Card
[ ] 4.3 Verify Good Dynamics support. GEMS requires Good Dynamics 1.7.38.x or
    newer. Good Dynamics must already be installed and operational before
    installing GEMS.
[ ] 4.4 Ensure that the GoodAdmin Service account is a local administrator on the server
[ ] 4.5 Ensure that the GC Service account has Logon As a Service rights
[ ] 4.6 Ensure that the server's date/time is correctly set
[ ] 4.7 Ensure that the server has been joined to the domain
[ ] 4.8 Ensure that Windows Firewall is OFF.
[ ] 4.9 Ensure that all antivirus and backup software is stopped during the installation.
[ ] 4.16 Install JRE 7 Update 67 or higher (click here to download)
[ ] 4.11 Set JAVA_HOME environment variable to the Java install folder; e.g.,
    C:\Program Files\Java\jre7
[ ] 4.12 Ensure connectivity to SQL Server (typically TCP port 1433)
[ ] 4.13 Ensure connectivity to Exchange (EWS).
Database
[ ] 5.1 Verify Database server support. The following database servers are supported:
    • All editions of MS SQL Server 2008 and 2008 R2
    • All editions of MS SQL Server 2012 and 2012 SP1
    • MS SQL Express 2008 R2 with Management Tools
    To download MS SQL Express, click here.
[ ] 5.2 Create a database for the PNS service. The recommended DB name is “EWS”.
    Extend the DB schema with the schema file provided with the GEMS binary zip file.
[ ] 5.3 Ensure that the SQL account or the GEMS Windows Service Account has db_owner
    privileges to the GEMS PNS database.
Appendix B – GEMS with Connect and Presence
Pre-Installation Checklist
It is highly recommended that this checklist be completed prior to implementation of your
Good Enterprise Mobility Server (GEMS) with Connect and Presence Services.
Registration
[ ] 1.1 Register with the GDN Portal (click here)
[ ] 1.2 Download the latest GEMS software
[ ] 1.3 Request the Good Connect App (click here; very important!)
[ ] 1.4 Request the Good Presence App ONLY if you are using third-party GD apps
    that require presence. The Good Presence app can be requested from Mobile
    App Sales (mobileappsales@good.com)
Network
[ ] 2.1 Ensure the following ports are open for GEMS:
    Inbound TCP ports:
    • 8080/8082 from the Good Proxy Server
    • 8181 from the Good Proxy Server (for Presence)
    • 49555 from the Lync Server (for Connect)
    • 49777 from the Lync Server (for Presence)
    Outbound TCP ports:
    • 443 to the Good Technology NOC
      ◦ 206.124.114.0/24
      ◦ 206.124.121.0/24
      ◦ 206.124.122.0/24
    • 5061 to the Lync server
    • 17080 to the Good Proxy server
    • 17433 to the Good Proxy server
    • 1433 to the MS SQL server (default)
[ ] 2.2 If GEMS requires a Proxy server for external access, please note it here:
    Proxy Server Make/Model: __________________________
    Authentication Method: _____________________________
Active Directory and Lync
[ ] 3.1 Create an AD service account for the GEMS software (can be the same
    account used for Good Dynamics)
[ ] 3.2 Ensure that the GEMS service account has RTCUniversalReadOnlyAdmins
    permission during the GEMS install. This permission is granted via AD.
[ ] 3.3 Create a Trusted Application Pool, trusted application, and trusted application
    endpoint for GEMS via the Lync Shell Console (very important!)
    Note: The user creating the Trusted Application Pool must have
    RTCUniversalServerAdmins and Domain Admins permissions.
GEMS
4.1
Verify OS support. The following are supported by GEMS:
l
l
4.2
4.3
111
c
For MS Lync 2010 Deployments use Windows Server in one of these 64-bit
versions:
o
2008 R2
o
2008 R2 SP1
For MS Lync 2013 Deployments use Windows Server in one of these 64-bit
versions:
o
2008 R2 SP1
o
2012 R2
Verify minimum hardware requirements:
l
Pentium 4 Quadcore / 2.4 GHz CPU or higher
l
16 GB RAM / 50 GB HDD
l
100 / 1000 Ethernet Card
Verify Good Dynamics support. GEMS requires Good Dynamics 1.7.38.x or
c
c
Appendix B – GEMS with Connect and Presence Pre-Installation Checklist
#
Task
Check
newer. Good Dynamics must already be installed and operational before
installing GEMS.
☐ 4.4 Verify Lync Support. Lync 2010 and Lync 2013 are supported.
☐ 4.5 Ensure that the GC Service account is a local administrator on the server
☐ 4.6 Ensure that the GC Service account has Logon As a Service rights
☐ 4.7 Ensure that the server's date/time is correctly set
☐ 4.8 Ensure that the server has been joined to the domain
☐ 4.9 Ensure that .NET 3.5 SP1 or later is enabled (Server manager > Add Features)
☐ 4.10 Ensure that either .NET Framework 4.5 or 4.5.1 is installed. Click here to download.
☐ 4.11 Ensure that MS Windows PowerShell is installed:
  • For both Lync 2010 and Lync 2013, install PowerShell 3.0 RTM (click here to download)
  • Open “Windows PowerShell (x86)” and run the following command to enable execution of remote signed scripts:
    Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
☐ 4.12 Ensure that the Microsoft Unified Communications Managed API is installed:
  • For Lync 2010, install UCMA 3.0 (click here to download)
  • For Lync 2013, install UCMA 4.0 (click here to download)
  After installing UcmaRuntimeSetup.exe, you must also run the OCSCore.msi file. By default, this file is located at:
    C:\ProgramData\Microsoft\Lync Server\Deployment\cache\5.0.8308.0\Setup\OCSCore.msi
  Note: The version number in the path will vary.
☐ 4.13 Request and install an SSL certificate on GEMS (very important!). See Creating/Acquiring a Valid SSL Certificate.
☐ 4.14 Ensure that all antivirus and backup software is stopped during the installation.
☐ 4.15 Ensure that all GEMS software is installed with the GEMS service account
☐ 4.16 Install JRE 7 Update 67 or higher (click here to download)
☐ 4.17 Set JAVA_HOME environment variable to the Java install folder; e.g., C:\Program Files\Java\jre7
Database
☐ 5.1 Verify Database server support. The following database servers are supported:
  • All editions of MS SQL Server 2008 and 2008 R2
  • All editions of MS SQL Server 2012 and 2012 SP1
  • MS SQL Express 2008 R2 with Management Tools
  To download MS SQL Express, click here.
☐ 5.2 Create a DB for the GEMS Connect Service and extend its schema (very important!). This must be done prior to installing GEMS. For more information, see Database Requirements.
☐ 5.3 Ensure that the GEMS service account has db_owner permission on the GEMS Connect database.
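Several checklist items can be verified from a PowerShell 3.0 prompt on the GEMS host before running the installer. The script below is an added example, not part of Good's guide; the host names are placeholders, and the .NET check assumes the registry Release value, where 378389 or higher indicates .NET Framework 4.5 or later.

```powershell
# Added example: pre-install checks for the outbound ports and items 4.8, 4.10, 4.11, 4.17.
# Host names are placeholders (assumptions); replace them with your own servers.
$outbound = @(
    @{ Target = 'lync.example.com';      Port = 5061  },  # Lync server
    @{ Target = 'goodproxy.example.com'; Port = 17080 },  # Good Proxy server
    @{ Target = 'goodproxy.example.com'; Port = 17433 },  # Good Proxy server
    @{ Target = 'sql.example.com';       Port = 1433  }   # MS SQL server (default)
)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient is available on PowerShell 3.0, the version item 4.11 calls for
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = @()
foreach ($o in $outbound) {
    $results += New-Object psobject -Property @{
        Check  = "Outbound TCP $($o.Target):$($o.Port)"
        Passed = (Test-TcpPort $o.Target $o.Port)
    }
}

$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks = [ordered]@{
    '4.8  Server joined to a domain'        = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    '4.10 .NET Framework 4.5 or later'      = ($net -and $net.Release -ge 378389)
    '4.11 PowerShell 3.0 or later'          = ($PSVersionTable.PSVersion.Major -ge 3)
    '4.11 CurrentUser policy RemoteSigned'  = ((Get-ExecutionPolicy -Scope CurrentUser) -eq 'RemoteSigned')
    '4.17 JAVA_HOME points at a Java folder' = ($env:JAVA_HOME -and (Test-Path (Join-Path $env:JAVA_HOME 'bin\java.exe')))
}
foreach ($k in $checks.Keys) {
    $results += New-Object psobject -Property @{ Check = $k; Passed = [bool]$checks[$k] }
}
$results | Select-Object Check, Passed | Format-Table -AutoSize
```

Run it as the GEMS service account so the CurrentUser execution policy and JAVA_HOME reflect the account that will perform the install (item 4.15).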
Appendix C – Understanding the GEMS-Connect Configuration File
Configuration settings can be manually updated directly in the GEMS configuration file
located in <install path>\Good Technology\Good Server\Good Connect
Server\GoodConnectServer.exe.config. After updating any of the configuration
parameters, you must restart the GEMS machine for the changes to take effect.
Parameter Name | Required (Y/N) | Description | Default Setting
UCMA_APPLICATION_NAME | Yes | Name of application as defined through the installation provisioning process | Generated during application provisioning
UCMA_GRUU | Yes | GRUU = Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application | Generated during application provisioning
UCMA_APPLICATION_PORT | Yes | The fixed port used by the Good Connect Server to receive messages from the enterprise IM server | 49555
OCS_SERVER | Yes | FQDN (Fully Qualified Domain Name) of the Microsoft Lync Front-End server or Front-End server pool |
GD_HOST | Yes | Good Dynamics Proxy host |
GD_PORT | Yes | Good Dynamics Proxy port | 17080
BASE_ADDRESS | Yes | URL for the Good Connect Server which takes the form http://goodconnect.mycompany.com:8080/ |
BUILD_VERSION | Yes | The version number of the Good Connect Server build | Auto-populated
SESSION_TIMEOUT_SECS | Yes | The number of seconds a client is allowed to remain idle | 86,400 (24 hours)
ACTIVE_DIRECTORY_CACHE_REFRESH_SECS | Yes | The number of seconds the Good Connect Server waits before synchronizing with the Active Directory (any value smaller than 7200 is ignored in favor of 7200 seconds) | 86,400 (24 hours)
GD_USE_SSL | Yes | Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecured port (17080). | False
APN_SOUND | Yes | Play sound when an Apple device receives a push notification |
APN_BADGE | Yes | Determines whether or not to use the badge graphic for Apple push notifications | True
APN_ALERT | Yes | Apple push notification message string that notifies a user that there are unread messages | “You have number unread messages.”
APN_SLEEP_TIME | Yes | The number of milliseconds the Good Connect Server waits in between queued Apple push notifications | 100
ACTIVE_DIRECTORY_SEARCH_RESULT_MAX | Yes | The upper limit on the number of hits from a search of the Global Address List (GAL) | 150
GD_APN_PROXY_TYPE | No | Web Proxy Authentication Mechanisms. Acceptable values are: "" (empty string for no proxy), "Basic No Auth", "Basic", "Digest" | ""
GD_APN_HTTP_URL | Yes | WebService URL for Good Dynamics Apple Push Notification Service (APNS) |
GD_APN_PROXY_AUTH_DOMAIN | No | Web Proxy Domain | Deprecated
GD_APN_PROXY_AUTH_USERNAME | No | Web Proxy Username | Deprecated
GD_APN_PROXY_AUTH_PASSWORD | No | Web Proxy Password | Deprecated
GD_APN_PROXY_HTTP_HOST | No | Web Proxy Host |
GD_APN_PROXY_HTTP_PORT | No | Web Proxy Port |
GD_APNS_BLACKLIST_RETRY_NO | Yes | Specifies # of retries after the server receives APNS response where the token has been blacklisted | 3
DB_TYPE | Yes | SQLSERVER or ORACLE depending on what database is used |
DB_AUTHTYPE | Yes | USE_INTEGRATEDAUTH when specifying Windows integrated authentication; otherwise SQL Server authentication will be used |
GASLAMP_USERNAME | Yes | Windows service account |
DB_INIT_CATALOG | No | SQL Server database name; only valid if DB_TYPE=SQLSERVER. Caution: This value is set by the installer, so do not change | GoodConnect
LYNC_DB_CONNECTIONSTRING | No | SQL Server connection string for the Lync/OCS database |
DB_SESSION_TIMEOUT_SECS | Yes | Time limit for searching the Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING | 300
EWS_HOST | No | FQDN of the Exchange server to which the Good Connect Server will write conversation history |
EWS_HISTORY_INTERVAL_MINUTES | No | Defines the interval, in minutes, that the Good Connect server waits before writing to conversation history. 0 means that conversation history is written only after the conversation has been terminated | 5
EWS_VERSION | No | Version of Exchange server: 0 = Exchange 2007 SP1, 1 = Exchange 2010, 2 = Exchange 2010 SP1, 3 = Exchange 2010 SP2 or SP3, 4 = Exchange 2013 | 2
DB_RECONNECT_WAITTIME_SEC | Yes | # of seconds to wait before attempting to reconnect to the database | 300
DB_RECONNECT_TRY_NUM | Yes | # of times the Connect server retries reconnecting to the database after a failure to connect | 3
AD_USERS_SOURCE | No | Parameter indicates if Good Connect server should read AD or GC for SIP-enabled users; value can be “GC” or “LDAP” (default is LDAP if empty) |
AD_USERS_SOURCE_DOMAIN | Yes, if users source is GC | Domain for AD or GC to query. This value should be in LDAP format; i.e., DC=GOOD,DC=COM |
RESTRICT_CERT_BY_FRIENDLY_NAME | No | Allows naming of certificate so that Connect server can load correct certificate; the certificate friendly name must match the name specified here |
DISABLE_MESSAGEUPDATE | No | Disable message not delivered errors which may potentially be due to client/network latencies | False
LONG_INVITATION_TIME_DELAY | No | Time (in milliseconds) that a Connect client will wait for invitation received to confirm/ignore a request to a conversation | 60 000
ACK_TIME_WAIT | No | Time (in milliseconds) that the Connect server waits for acknowledgement from client for a message received before sending message failed to deliver | 90 000
SEND_TIME_WAIT | No | Time (in milliseconds) the Connect server waits after sending message before reporting message failed to deliver | 120 000
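Because these settings are edited by hand, a short audit of the file after each change catches values that the table says are ignored, deprecated or unsecured. The script below is an added example, not Good's code; it assumes the parameters are stored as <add key="..." value="..."/> entries under <appSettings>, that GD_USE_SSL takes "true"/"false", and that GD_PORT should match the port paired with GD_USE_SSL. Every value in the sample is constructed.

```powershell
# Added example. The <appSettings> layout is an assumption; all sample values are constructed.
[xml]$cfg = @'
<configuration>
  <appSettings>
    <add key="GD_USE_SSL" value="false" />
    <add key="GD_PORT" value="17433" />
    <add key="ACTIVE_DIRECTORY_CACHE_REFRESH_SECS" value="3600" />
    <add key="GD_APN_PROXY_TYPE" value="NTLM" />
    <add key="GD_APN_PROXY_AUTH_USERNAME" value="svc-proxy" />
    <add key="GD_APN_PROXY_AUTH_PASSWORD" value="constructed-secret" />
    <add key="DB_AUTHTYPE" value="" />
  </appSettings>
</configuration>
'@
# On a real server, load the file instead: [xml]$cfg = Get-Content <path to GoodConnectServer.exe.config>

$s = @{}
foreach ($a in $cfg.configuration.appSettings.add) { $s[$a.key] = $a.value }
$findings = @()

# GD_USE_SSL selects the secure (17433) or unsecured (17080) Good Dynamics port
$ssl = $s['GD_USE_SSL'] -eq 'true'
if (-not $ssl) { $findings += 'GD_USE_SSL is not true: the unsecured Good Dynamics port (17080) is used' }
$wantPort = if ($ssl) { '17433' } else { '17080' }
if ($s['GD_PORT'] -ne $wantPort) { $findings += "GD_PORT=$($s['GD_PORT']) does not match GD_USE_SSL (expected $wantPort)" }

# Values below 7200 are ignored in favor of 7200
if ([int]$s['ACTIVE_DIRECTORY_CACHE_REFRESH_SECS'] -lt 7200) {
    $findings += 'ACTIVE_DIRECTORY_CACHE_REFRESH_SECS is below 7200 and will be ignored in favor of 7200'
}
# Only the four documented proxy types are acceptable ("" means no proxy)
$proxyType = "$($s['GD_APN_PROXY_TYPE'])"
if ($proxyType -notin '', 'Basic No Auth', 'Basic', 'Digest') {
    $findings += "GD_APN_PROXY_TYPE '$proxyType' is not an acceptable value"
}
# Deprecated proxy credential parameters should not keep values in a plain-text file
foreach ($k in 'GD_APN_PROXY_AUTH_DOMAIN', 'GD_APN_PROXY_AUTH_USERNAME', 'GD_APN_PROXY_AUTH_PASSWORD') {
    if ($s[$k]) { $findings += "$k is deprecated but still holds a value in the file" }
}
if ($s['DB_AUTHTYPE'] -ne 'USE_INTEGRATEDAUTH') {
    $findings += 'DB_AUTHTYPE is not USE_INTEGRATEDAUTH: SQL Server authentication will be used'
}
$findings
```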
Appendix D – Fine-Tuning Your Java Memory Settings
Java settings for GEMS are found in the configuration file Good Server Distribution\gemskaraf-<version>\etc\GoodServerDistribution-wrapper.conf.
You may wish to review or modify the default Java settings used by GEMS. However, as a
general rule, you won't need to make changes to these settings.
In particular, the default memory settings for GEMS can be viewed at:
Initial memory allocation:
# Initial Java Heap Size (in MB)
wrapper.java.initmemory=2048
# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=2048
Java memory settings:
wrapper.java.additional.14=-XX:PermSize=512m
wrapper.java.additional.15=-XX:MaxPermSize=1024m
By default, this means that the Java process used by GEMS will always need approximately 3
GB of memory free for its use on the machine hosting it.
Appendix E – IIS SSL Offloading
SSL offloading takes all the processing of SSL encryption and decryption off the main Web
server and moves it to the GEMS host.
To set up IIS on the GEMS host:
1. Download the IIS Application Request Routing extension directly from Microsoft and
install it.
2. When installation completes, select Start > IIS Manager.
3. Under Connections, select Server > Server Certificates, then double-click Import to
import a trusted third-party certificate, which is usually a .PFX file you have received
from your Certificate Authority.
4. When the certificate has been successfully added, once again click Server under
Connections, double-click Application Request Routing, then click Server Proxy
Settings... under Actions in the far left panel.
5. Check Enable proxy, then click Apply.
6. Next, click Server under Connections, double-click URL Rewrite, then click Add Rule(s)...
under Actions.
7. Select Blank Rule and click OK.
8. On the Edit Inbound Rule screen, enter a Name for the rule—e.g., "gems"—in the field
provided.
9. With Requested URL: Matches the Pattern Using: Regular Expressions displayed,
enter "pushnotify/pushchannels" in the Pattern field.
10. Scroll down and expand the Conditions section, then click Add...
11. For Condition input enter {REQUEST_METHOD}.
12. For Pattern enter POST, then click OK.
13. Scroll down and expand the Action section.
14. For Rewrite URL enter http://localhost:8181/{R:0}.
15. In the Actions panel on the far left, click Apply.
Finally, verify that you can now access GEMS under its secure HTTP/S port by opening the
GEMS Dashboard in your browser using https://localhost:8443/dashboard.
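Steps 5 through 15 can also be applied from PowerShell, which gives a repeatable record of exactly what was configured. This is an added example, not part of Good's guide; it assumes IIS, Application Request Routing and URL Rewrite are already installed, and that the rule is created at server level (stored as a global rule) as the steps above do. The rule name, pattern, condition and rewrite URL are the values from the steps.

```powershell
# Added example: scripted equivalent of steps 5-15 using the IIS WebAdministration module.
Import-Module WebAdministration

$root  = 'MACHINE/WEBROOT/APPHOST'                 # server-level configuration
$rules = 'system.webServer/rewrite/globalRules'    # rules added at server level are global rules
$rule  = "$rules/rule[@name='gems']"

# Step 5: Enable proxy (Application Request Routing > Server Proxy Settings)
Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/proxy' -Name 'enabled' -Value 'True'

# Steps 6-9: blank inbound rule named "gems" using regular expressions, with the step 9 pattern.
# Add-WebConfigurationProperty fails if a rule named "gems" already exists.
Add-WebConfigurationProperty -PSPath $root -Filter $rules -Name '.' -Value @{ name = 'gems'; patternSyntax = 'ECMAScript' }
Set-WebConfigurationProperty -PSPath $root -Filter "$rule/match" -Name 'url' -Value 'pushnotify/pushchannels'

# Steps 10-12: apply the rule to POST requests only
Add-WebConfigurationProperty -PSPath $root -Filter "$rule/conditions" -Name '.' -Value @{ input = '{REQUEST_METHOD}'; pattern = 'POST' }

# Steps 13-14: rewrite matching requests to port 8181 on the GEMS host
Set-WebConfigurationProperty -PSPath $root -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $root -Filter "$rule/action" -Name 'url' -Value 'http://localhost:8181/{R:0}'

# Read the rule back to confirm what was written
Get-WebConfiguration -PSPath $root -Filter "$rule/match"
Get-WebConfiguration -PSPath $root -Filter "$rule/action"
```

The pattern from step 9 is an unanchored regular expression, so it matches any request path that contains pushnotify/pushchannels; the POST condition and the localhost target keep the forwarded traffic on the GEMS host itself.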
Legal Notice
This document, as well as all accompanying documents for this product, is published by Good
Technology Corporation (“Good”). Good may have patents or pending patent applications,
trademarks, copyrights, and other intellectual property rights covering the subject matter in these
documents. The furnishing of this, or any other document, does not in any way imply any license to
these or other intellectual properties, except as expressly provided in written license agreements
with Good. This document is for the use of licensed or authorized users only. No part of this
document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in
any form or by any means, electronic or physical, for any purpose, other than the purchaser’s
authorized use without the express written permission of Good. Any unauthorized copying,
distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is
subject to change without notice and does not represent a commitment on the part of Good. The
software described in this document is furnished under a license agreement or nondisclosure
agreement. The software may be used or copied only in accordance with the terms of those written
agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is your
responsibility to utilize the most current documentation available. Good assumes no duty to update
you, and therefore Good recommends that you check frequently for new versions. This
documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of
the content. The content of this document may contain information regarding Good’s future plans,
including roadmaps and feature sets not yet available. It is stressed that this information is nonbinding and Good creates no contractual obligation to deliver the features and functionality
described herein, and expressly disclaims all theories of contract, detrimental reliance and/or
promissory estoppel or similar theories.
Legal Information
© Copyright 2014. All rights reserved. All use is subject to license terms posted at
www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD
FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD,
GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD
DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All
third-party technology products are protected by issued and pending U.S. and foreign patents.