 Good Connect Server for IBM Sametime Installation and Administration Guide Product Version: 2.2 Doc Rev 1.3 Last Update: 21-Apr-15 Good Connect TM


  • Good Connect Server for IBM Sametime Installation and Administration Guide

    Product Version: 2.2
    Doc Rev 1.3

    Last Update: 21-Apr-15

    Good Connect™

  • Legal Notice

    This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ("Good"). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser's authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

    While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

    The documentation provided is subject to change at Good's sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided "as is" and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good's future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

    Legal Information

    Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.

    Table of Contents

    Overview
    Requirements
    System and network requirements
    Good Dynamics requirements
    Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs
    The Good Connect Database
    Database Level Permissions
    Setting Up an Oracle XE database
    Setting Up Your Microsoft SQL Server 2008 R2
    Configuring the IBM Sametime Community Server
    Establishing Trust for Good Connect Server
    Search LDAP last name support
    UserInfoService support
    Active Directory LDAP
    Domino LDAP
    Connecting to a Mux server
    Installing the Good Connect Server
    Good Connect Server Windows Service
    APNS Web Proxy Support
    Setting configuration parameters
    Repairing/Upgrading the Good Connect Server
    Repairing the Good Connect Server
    Upgrading the Good Connect server
    Configuring Good Control
    Entering Server Pool Information and IM Platform Type
    Listing the approved Good Connect Server hostnames and ports
    Controlling browser and map behavior
    Enabling Disclaimer
    Configuring Good Connect user affinity
    ABC Company Example
    Enabling User Affinity
    Enabling SSL Support via Good Proxy
    Creating the CSR
    Send the new CSR to a well-known third-party CA to issue your certificate
    Binding the SSL certificate
    Configuring the Good Connect server to use the new certificate
    Configuring Good Connect Clients to Send Requests Over SSL
    Troubleshooting
    Appendix A Understanding the Good Connect Server Configuration File
    The Sametime Adapter file

    Overview

    This manual provides step-by-step instructions for installing version 2.2 of the Good Connect Server in your IBM Sametime environment. Be sure to carefully read and confirm that you meet all the listed requirements before you start the installation.

    There is also a detailed administration portion of this document for your reference after you finish installing the server.

    The following diagram shows how the Good Connect Server works with both the enterprise IM infrastructure and the Good Dynamics (GD) servers behind the enterprise firewall. The Good Connect Server communicates with the Good Dynamics Network Operation Center (NOC) to securely communicate with each mobile device.

    Requirements

    This section lists the requirements for the Good Connect Server software.

    If you installed an Early Access version of Good Connect, you must uninstall the Early Access version before you can install this General Availability version.

    Caution: If you don't install the required software, or fail to configure it correctly before starting installation of the Good Connect Server, the server may fail or behave in an unexpected manner.

    System and network requirements

    You must meet the following requirements before installing the Good Connect Server.

    • Microsoft Windows Server 2008 SP2 (64-bit) or Microsoft Windows Server 2008 R2 (64-bit)
    • 4GB of RAM
    • 20GB disk
    • 4 core processor to support 10,000 concurrent connections
    • The installing user must have local administrative privileges on the host computer.
    • The local Windows Firewall must be disabled.

      Note: A Group Firewall Policy causes the installer to fail prerequisite checks, even if the local firewall is disabled.

    • Disable local anti-virus software during installation.
    • The following inbound ports must not be blocked by any firewall:
        • 8080 from the Good Proxy server
        • 8381 from the Connect Sametime Adapter (local connection)
    • The following outbound ports must not be blocked by any firewall:
        • 80 to the Good Dynamics NOC/Apple Push Notification Service
        • 443 to the Good Dynamics NOC/Apple Push Notification Service
        • 1516 to the IBM Sametime Community Server
        • 1533 to the IBM Sametime Mux Server (*if used)
        • 17080 to the Good Proxy server
        • 17433 to the Good Proxy server
    • Good Connect will also require TCP/IP port access to the database used.
        • 1433 to the Microsoft SQL Server default
        • 1521 to the Oracle XE Server default

    Good Dynamics requirements

    • At least version 1.4.31.5 of the Good Control server
    • At least version 1.4.31.3 of the Good Proxy server

    You can download the Good Dynamics servers here: https://begood.good.com/docs/DOC-1053

    Microsoft .NET Framework 3.5 Service Pack 1, or later, service packs

    • Windows Server 2008 SP 2

      Download Microsoft .NET Framework 3.5.

    • Windows Server 2008 R2

      Enable Microsoft .NET Framework 3.5 feature using Server Manager.

    The Good Connect Database

    Good Connect server requires a relational database, either existing in your environment or freshly installed for your Good Connect deployment. Currently supported databases include Oracle and Microsoft SQL Server.

    Important: The database must be installed and prepared before attempting to start your Good Connect server installation. In addition, SQL scripts included in your Good Connect installer package must be executed before you start the Good Connect Server installation.

    Microsoft and Oracle have visual and command line tools to assist you with database and schema creation. These include Microsoft Management Studio, sqlcmd, Oracle SQL Developer, sql*plus, etc.

    Supported Oracle versions include:

    • Oracle 10g (Standard/Enterprise)
    • Oracle 11g (Express/Standard/Enterprise)

    Note: Oracle Database 10.2 and 11.1 are no longer available for download. The software is available as a media or FTP request for those customers who own a valid Oracle Database product license for any edition. To request access to these releases, follow the instructions in Oracle Support Document 1071023.1 (Requesting Physical Shipment or Download URL for Software Media) from My Oracle Support.

    You must also download the Oracle Data Access Components (ODAC 11.2 Release 5 for Windows x64) and install the client libraries on the Good Connect server machine.

    Supported Microsoft SQL Server Versions:

    • SQL Server 2008 SP 1 (Express/Standard/Enterprise)
    • SQL Server 2008 R2 (Express/Standard/Enterprise)

    For POC deployments, you can download a trial of MS SQL Server 2008 R2 Express.

    Database Level Permissions

    The database user for Good Connect requires the minimum set of database level permissions to:

    1. Connect to the database over TCP/IP

    2. Select/insert/update/delete to and from tables

    3. Create/alter tables

    4. Execute stored procedures

    Defined as the database level permissions, the minimum set includes:

    • ALTER
    • CONNECT
    • CREATE TABLE
    • DELETE
    • EXECUTE
    • INSERT
    • SELECT
    • UPDATE

    Failure to grant these minimum database level permissions to the database user for Good Connect will render the product inoperable and will be unsupported.

    Exclusions

    These roles are not required by the database user for Good Connect:

    • DB_BACKUPOPERATOR
    • DB_ACCESSADMIN
    • DB_SECURITYADMIN
    • DB_DDLADMIN
    • DB_OWNER

    The database user for Good Connect also does not require any of these instance roles:

    • DBCREATOR
    • DISKADMIN
    • PROCESSADMIN
    • SECURITYADMIN
    • SERVERADMIN
    • SETUPADMIN
    • SYSADMIN

    Setting Up an Oracle XE database

    Prior to running the installer, you must create a schema named GoodConnect in your instance, as well as a user account with privileges for executing schema, stored procedures and creating table for said schema.

    To set up your Oracle database:

    1. Select Start Menu > All Programs > Oracle Database Express Edition > Run SQL Command Line.

    2. When prompted, enter connect system and provide the password.

    3. Run the following commands:

    create user GoodConnect identified by password;
    grant connect, resource to GoodConnect;
    alter user GoodConnect default role all;
    grant create table to GoodConnect;

    @\Sql\Oracle\1_Balboa_Schema.sql;
    @\Sql\Oracle\1_Balboa_storedProcedures.sql;
    @\Sql\Oracle\2_Cardiff_Schema.sql;

    grant execute on GOODCONNECT.USP_CREATENEWADTABLE to GoodConnect;
    grant execute on GOODCONNECT.USP_SWITCHADTABLES to GoodConnect;
    grant execute on GOODCONNECT.UTILS to GoodConnect;

    Setting Up Your Microsoft SQL Server 2008 R2

    SQL Server Management Studio, which is bundled with the SQL Server 2008 R2 Express download, is required for setting up the Good Connect database. If your SQL Server installation does not include the SQL Server Management Studio software, click the link immediately above.

    Follow these instructions to set up the Good Connect database in SQL Server:

    1. Install the SQL Server database per the directions in the installation wizard. Specify Windows Authentication mode or SQL Server and Windows Authentication mode under the Security section of Server Properties.

    2. After installation, launch SQL Server Management Studio and log in.

    3. Set up the login that will be used to manage the Good Connect database by expanding the Security item in the Object Explorer pane, right-clicking Logins, then selecting New Login.

    Here, if you selected SQL Server and Windows Authentication mode in Step 1, enter "GoodConnect" as the Login name. Select SQL Server authentication and set a Password for this login (this password will be needed later when the Good Connect installer asks for Connect database information), then click OK to add the login.

    If you selected Windows authentication in Step 1 because you want to use a Windows account to manage the database, enter the Windows account username in domain\username format as the Login name. This account should be the same as the service or administrator account set up to run the Good Connect server service. Click OK to add the login.

    4. Right-click the Databases item in the Object Explorer pane, then select New Database, enter GoodConnect as the Database name, and set the login you configured in the previous step as the database Owner. Click OK to add the database.

    5. Launch the SQL Server Configuration Manager by selecting Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.

    6. Expand SQL Server Network Configuration and select Protocols for SQLEXPRESS, then enable TCP/IP and add TCP Port 1433 for IPAll. 1433 is merely a default port, which you can change as needed or desired, post-installation.

    7. Restart the Microsoft SQL Server service.

    8. Run the following schema and stored procedure scripts.

    sqlcmd -S \SQLExpress -d GoodConnect -i 1_Balboa_Schema.sql
    sqlcmd -S \SQLExpress -d GoodConnect -i 1_Balboa_StoredProcedures.sql
    sqlcmd -S \SQLExpress -d GoodConnect -i 2_Cardiff_Schema.sql

    Important: Execute the scripts in the order specified above to properly create the GoodConnect database schema and stored procedures. These scripts can be found in the installation directory within the ..\SQL\SQLServer folder.

    Configuring the IBM Sametime Community Server

    The IBM Sametime Community Server must establish trust with Good Connect for proper communications.

    Establishing Trust for Good Connect Server

    Please ensure that the IP address used by the Good Connect Server is static or reserved in DHCP if DHCP must be used.

    To establish a trust from the Sametime Community server to the Good Connect Server:

    1. Log in to the IBM Integrated Solutions Console.

    2. Click Sametime System Console > Sametime Servers > Sametime Community Servers.

    3. Click the deployment name of the Community Server that you want to change in the Sametime Community Servers list.

    4. Click the Connectivity tab. In the Trusted Servers section, enter the IP address of the Good Connect Server(s) and click Add.

    5. Click OK.

    6. Restart the Lotus Sametime Community Server for the change to take effect.

    Search LDAP last name support

    The default search behavior for resolving search entries in IBM Sametime does not allow searching by the last name. In addition, it finds computer names along with people's names. In order to improve the search behavior for Good Connect for IBM Sametime, follow these instructions:

    1. Shut down your Sametime and Domino server.

    2. Find the stconfig.nsf file in the domino data directory.

    Typically, the file is here: C:\Program Files (x86)\IBM\Lotus\Domino\data

    3. Double click the file to open.

    You need to install Lotus Notes to edit this file.

    4. Select the Sametime Configuration tab, and double click on LDAP server in the left column.

    5. Double click on your LDAP server name.

    This should be the hostname of the machine where Domino Directory is installed.

    6. Find the Search Filters section.

    7. Edit the entry for Search filter for resolving person names as follows:

    Warning: A syntax error renders the Sametime Community Server unable to start.

    Make this change for the Active Directory LDAP:

    • Old: (&(objectclass=user)(|(mail=%s*)(objectguid=%s)(samAccountName=%s*)(cn=%s*)))
    • New: (&(objectcategory=person)(|(mail=%s*)(objectguid=%s)(samAccountName=%s*)(cn=%s*)(sn=%s*)))

    Note: We are changing objectclass=user to objectcategory=person and adding the ability to search by the surname field.

    Make this change for the Domino Directory LDAP:

    • Old: (&(objectclass=inetOrgPerson)(|(uid=%s*)(mail=%s*)(cn=%s*)(dominounid=%s)))
    • New: (&(objectclass=inetOrgPerson)(|(uid=%s*)(mail=%s*)(cn=%s*)(dominounid=%s)(sn=%s*)))

    8. Click Save.

    9. Quit Lotus Notes.

    10. Restart the IBM Sametime server.
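
    A pre-save syntax check for the filter edited in step 7, given the warning that a syntax error leaves the Community Server unable to start. This is an added example, not Good or IBM code: it parses a simplified subset of the RFC 4515 filter grammar (and/or/not groups and simple comparisons), treats %s as ordinary value text, and all function names are this example's own. The filter strings are the ones from this section, plus one constructed variant with a stray space between components.

```python
"""Strict syntax check for a Sametime "resolving person names" LDAP filter.

Added example. Simplified RFC 4515 subset: (&...), (|...), (!...) groups and
attr=value, attr>=value, attr<=value, attr~=value items.
"""


class FilterSyntaxError(ValueError):
    """Raised with the character offset where parsing stopped."""


def _parse_item(text, pos, attrs):
    """Parse attr<op>value (no surrounding parentheses); return next offset."""
    start = pos
    while pos < len(text) and (text[pos].isalnum() or text[pos] in "-.;"):
        pos += 1
    if pos == start:
        raise FilterSyntaxError(f"missing attribute name at offset {pos}")
    attrs.append(text[start:pos])
    if text.startswith(("~=", ">=", "<="), pos):
        pos += 2
    elif text.startswith("=", pos):
        pos += 1
    else:
        raise FilterSyntaxError(f"missing '=' at offset {pos}")
    # The value runs to the closing parenthesis. Literal parentheses inside a
    # value must be escaped (backslash 28 / 29), so a raw one ends the value.
    while pos < len(text) and text[pos] not in "()":
        pos += 1
    return pos


def _parse_filter(text, pos, attrs):
    """Parse one parenthesised filter starting at pos; return next offset."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        pos += 1
        count = 0
        # RFC 4515 has no whitespace between components; this strict check
        # stops at a space and reports it below as a missing ')'.
        while pos < len(text) and text[pos] == "(":
            pos = _parse_filter(text, pos, attrs)
            count += 1
        if count == 0:
            raise FilterSyntaxError(f"empty and/or group at offset {pos}")
    elif pos < len(text) and text[pos] == "!":
        pos = _parse_filter(text, pos + 1, attrs)
    else:
        pos = _parse_item(text, pos, attrs)
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {pos}")
    return pos + 1


def attributes(text):
    """Return attribute names in order; raise FilterSyntaxError if malformed."""
    attrs = []
    end = _parse_filter(text, 0, attrs)
    if end != len(text):
        raise FilterSyntaxError(f"unexpected text at offset {end}")
    return attrs


def check_filter(text):
    """Return None for a well-formed filter, otherwise the error message."""
    try:
        attributes(text)
    except FilterSyntaxError as exc:
        return str(exc)
    return None


# Filters from this section of the guide.
AD_OLD = "(&(objectclass=user)(|(mail=%s*)(objectguid=%s)(samAccountName=%s*)(cn=%s*)))"
AD_NEW = ("(&(objectcategory=person)(|(mail=%s*)(objectguid=%s)"
          "(samAccountName=%s*)(cn=%s*)(sn=%s*)))")
DOMINO_OLD = "(&(objectclass=inetOrgPerson)(|(uid=%s*)(mail=%s*)(cn=%s*)(dominounid=%s)))"
DOMINO_NEW = ("(&(objectclass=inetOrgPerson)(|(uid=%s*)(mail=%s*)(cn=%s*)"
              "(dominounid=%s)(sn=%s*)))")
# Constructed variants: a space pasted between components, a dropped ')'.
AD_WRAPPED = AD_NEW.replace(")(samAccountName", ") (samAccountName")
AD_TRUNCATED = AD_NEW[:-1]

if __name__ == "__main__":
    for name in ("AD_NEW", "DOMINO_NEW", "AD_WRAPPED", "AD_TRUNCATED"):
        print(f"{name:13} {check_filter(globals()[name]) or 'OK'}")
    print("added by the AD change:",
          sorted(set(attributes(AD_NEW)) - set(attributes(AD_OLD))))
```

    Run the check on the exact string you are about to paste into the Search Filters field, before clicking Save.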

    UserInfoService support

    The UserInfoService is used to configure what information is shown as part of each user's Contact information.

    On the IBM Sametime Community Server, locate the UserInfoConfig.xml file in the Domino installation directory. Typically, the file is here: C:\Program Files (x86)\IBM\Lotus\Domino.

    There are two sections of interest in this file:

    • The section defines the directory fields that the UserInfoService object will get from your corporate directory service. The Id field is what Sametime refers to the data as, and the FieldName is the correlated directory service field that it is mapped to.
    • The section defines which parameters will be returned.

    Depending on whether you are using Active Directory or Domino Directory, modify the sections accordingly in UserInfoConfig.xml to include the additional fields shown below in bold. Save the file and restart the IBM Sametime server.

    Active Directory LDAP

    ...

    Caution: ParamSet values may not contain spaces or linefeeds as illustrated above for example purposes.

    Domino LDAP

    You must configure Sametime with authenticated access to LDAP. Anonymous access causes certain information to be filtered out. More information can be found here:

    http://www-10.lotus.com/ldd/stwiki.nsf/dx/Connecting_to_an_LDAP_server_st852

    ...

    Caution: ParamSet values may not contain spaces or linefeeds as illustrated above for example purposes.

    Connecting to a Mux server

    Each Sametime server contains a Community Server multiplexer (or MUX) component. The function of the Community Server multiplexer is to handle and maintain connections from Sametime clients to the Community Server.

    Please note that Good Connect acts as a connection multiplexer to Sametime as well, which makes use of the IBM Community Mux server unnecessary.

    If a Sametime Community Mux Server must be used, the Mux server must be added to the Trusted IPs list along with Good Connect Server in the IBM Integrated Console as described in Establishing Trust for Good Connect Server.

    Installing the Good Connect Server

    To install Good Connect Server:

    1. Run the installer executable.

    2. Introduction screen

    This screen provides some basic information about the installer and the amount of space needed. Review the information and proceed by clicking Next.

    3. License Agreement screen

    Be sure to read the Good Server License and Services Agreement. If you agree with the terms, click Next.

    4. Prerequisites screen

    The installer checks for the prerequisites that are detailed under the Requirements section of this manual. Failure to meet all the prerequisite requirements will cause Good Connect to not run properly.

    5. Good Dynamics Host Information screen

    The Good Connect Server requires the hostname and port of the Good Dynamics Proxy server. If you choose HTTPS be aware that, at this time, Good Dynamics does not support internal CA issued SSL certificates within the Good Dynamics Proxy server. The certificate must come from a well-known 3rd Party certificate authority. See the Good Dynamics Good Control Server, Good Proxy Server Installation Guide for detailed instructions on how to do so.

    6. Database Server Settings screen

    Good Connect requires a database to execute properly. Database configuration parameters can be set on this screen.

    Microsoft SQL Server 2008 R2

    Microsoft SQL Server can be authenticated in two ways: Integrated Windows Authentication or SQL Server Authentication.

    Integrated Windows Authentication

    When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. The user's credentials are confirmed via Windows OS and it is not necessary to provide username and password.

    Windows Integrated Authentication uses Kerberos security protocol that provides password policy enforcement, support for account lockout, and password expiration. A connection made using Windows Authentication is called a trusted connection because SQL Server trusts the credentials provided by Windows.

    SQL Server Authentication

    When using SQL Server Authentication, logins are created in Microsoft SQL Server directly which are not based on Windows OS user accounts. Both the username and the password are stored and managed in SQL Server. Users connecting using SQL Server Authentication must provide their credentials when they connect. If you choose SQL Server Authentication, you must provide username and password.

    The Good Connect Installer will securely store the username and password to the Windows Credential Manager. If you run the Good Connect Windows service as a different user from the one that installs Good Connect, you will need to manually add the database username and password to the Windows Credential Manager:

    1. Log in to the Good Connect Server as the run user (this is the domain user as defined in the Good Connect Server Host Information screen).

    2. Launch cmd.exe as Administrator.

    3. Execute the command:

    cmdkey /generic:GoodConnectDatabase /user:dbadmin /pass:password

    Oracle XE

    Note: In order to use an Oracle database, you must install the Oracle ODAC on the Good Connect Server. The Good Connect installer uses this to test connectivity to the Oracle database server.

    7. Sametime Host Information screen

    Good Connect Server requires the fully qualified domain name of the IBM Sametime Community Server as well as the server connection port. The default port is 1516.

    Note: If you use an IBM Community Mux Server, enter that hostname or IP instead. The default Mux port is 1533. Please note that Good Connect operates as a multiplexer to Sametime as well, which makes use of the IBM Community Mux server unnecessary.

    8. Good Connect Server Host Information screen

    Good Connect Server supports HTTP and HTTPS connections from the Good Connect client.

    HTTP Client Connections

    The default port for incoming client connections to the Good Connect Server is 8080. By default, the Good Connect installer will enable Connect server to respond to HTTP client requests.

    HTTPS Client Connections

    The Good Connect Server supports client SSL connections to the Good Connect Server. The Good Connect admin will need to follow the instructions prior to installation for enabling SSL for the Connect client. The instructions can be found in the Enabling SSL Support Between Good Dynamics Proxy and Good Connect Servers.

    After setting up SSL, follow these instructions during installation:

    1. Select Use GD SSL Binding

    2. Enter Port and Certificate Friendly Name

    Each Good Connect Server's host information also needs to be entered in the Good Control console. The installer automatically enters the local hostname. If it cannot detect a hostname, you can enter one; however, the hostname must resolve properly within your network's DNS for it to operate correctly with Good Dynamics and IBM Sametime.

    The default port for incoming client connections to the Good Connect Server is 8080. The default port for incoming client connections to the Good Sametime Adapter is 8381.

    9. Web Proxy screen

    If your Enterprise uses a web proxy to restrict access to the Internet, then you must select the Web Proxy checkbox.

    The Good Connect Server supports the following web proxy types: None, NTLM, Digest, or Basic Authentication. Select the authentication type used by your Enterprise's web proxy and enter the appropriate information.

    The Good Connect Installer will securely store the web proxy username and password to Windows Credential Manager. If you run the Good Connect Windows service as a user that is different from the user which installs Good Connect, you will need to manually add the web proxy username and password to the Windows Credential Manager:

    1. Log in to the Good Connect Server as the run user (this is the domain user as defined in the Good Connect Server Host Information screen).

    2. Launch cmd.exe as Administrator

    3. Execute the command:

    cmdkey /add:GoodConnectWebProxy /user:foouser /pass:foopass

    10. Good Connect Server Location screen.

    Click Next unless you want to change the default installation directory location.

    11. Pre-installation Summary screen

    Review the summary information and make sure the values are correct before clicking the Install button.

    12. Installation screen

    13. Finalize screen

    The information gathered during this installation is available for review in the Good Connect Server's configuration file. See Good Connect Server Windows Service in this guide for complete details.

    Good Connect Server Windows Service

    After installation, the Good Connect Server and Good Sametime Adapter will be listed in the Microsoft Windows Services interface.

    Good Connect Server should run as a domain user given the following:

    • The domain user must be enabled to Log on as service through the Local Security Policy tool.

    The following steps explain how to make sure your account has Log on as service privileges:

    1. Run the Local Security Policy admin tool on the Good Connect host.

    2. Expand the Local Policies folder in the navigation pane on the left.

    3. Select the User Rights Assignments folder to see a list of policies in the right pane.

    4. Double click the Log on as a service policy to add your account.

    APNS Web Proxy Support

    If the host machine for the Good Connect Server must work with a proxy server to access the Internet and you did not install the Good Connect Server with web proxy enabled, then follow the instructions to manually configure the web proxy.

    To manually configure the web proxy:

    1. Set the following configuration parameters.

    2. Store the user credentials for "GoodConnectWebProxy" in the Windows Credential Manager.

    3. Ensure that the Good Connect Server is Running As a user account that has local administrator privileges.

    Setting configuration parameters

    1. Edit the GoodConnectServer.exe.config file, which is installed by default in C:\Program Files\GoodTechnology\Good Connect Server\

    Note: You must restart the Good Connect Server after updating the parameters.

    • GD_APN_PROXY_TYPE
    • GD_APN_PROXY_HTTP_HOST
    • GD_APN_PROXY_HTTP_PORT

    2. Store the user credentials for "GoodConnectWebProxy" in the Windows Credential Manager.

    Execute the following from the cmd prompt as a local administrator, replacing "username" and "password" with what is required:

    cmdkey /add:GoodConnectWebProxy /user:username /pass:password

    3. Make sure you are using a user account that has local administrator privileges.

    Repairing/Upgrading the Good Connect Server

    Note: Please make a backup copy of the config file prior to repair or upgrade. Custom configuration settings for EWS will not be copied over; you will need to copy them back into the configuration file after repair/upgrade.

    Repairing the Good Connect Server

    The Good Connect 2.1 installer allows restoration of the Good Connect server installation. This process reverts the Good Connect Server executables, binary, and configuration parameters to the values of the last successful installation. Any manual changes are discarded during the repair process.

    Upgrading the Good Connect server

    The Good Connect 2.2 installer does not preserve changes made to the log4net.config file before performing an upgrade. The following steps explain how to back up and restore the log4net.config file to preserve custom changes.

    1. Stop the Good Connect Server service

    2. Execute 2_Cardiff_Schema.sql in the SQL or Oracle folder on your database

    Repairing/Upgrading is not currently supported for the Good Connect Server. Please make a backup and plan to restore the following files:

    • Log4net.config
    • GoodConnectServer.exe.config
    • Config\Log4j-config.xml
    • Config\ServerConfig.xml

    To upgrade:

    1. Stop Good Connect Service

    2. Execute 2_Cardiff_Schema.sql in SQL folder on your database.

    3. Run Good Connect Installer

    Configuring Good Control

    This section details the steps to configure Good Control with Good Connect Server.

    Entering Server Pool Information and IM Platform Type

    In the Good Control Server Info section of Good Connect, enter the Hostname, Port for each Good Connect Server, and Configuration information. This configuration information gets delivered to Good Connect clients and dictates the available servers a client may connect to. All servers listed in the Configuration information should also be listed in the table above the Configuration box.

    For each Good Connect Server:

    • Hostname:

    • Port:

    After listing all the Good Connect Servers:

    • Configuration:

    PLATFORM=SAMETIME

    SERVERS=

    Listing the approved Good Connect Server hostnames and ports

    In Good Control's Client Connections option under Settings, define the allowed domains and servers that the Good Connect client application can connect to within the corporate network. We recommend you whitelist each individual Good Connect Server as shown in the example below.

    Controlling browser and map behavior

    Good Connect supports the option to control if the local device browser application can be used when tapping on a webpage URL and if the map application can be used when tapping on an address.

    The following steps explain how to disable this access by using Good Controls Policy Sets option:

    1. Select the policy set where you wish to disable access.

    2. Select theApplication Policies tab.

    3. Expand the Good Connect application.

    4. Click on theApp Settings tab.

    5. Uncheck or disable either or both options to disable the respective access.

    6. Click Update.


    Enabling Disclaimer

    Good Connect supports the option to display a Corporate Policy disclaimer at the top of every new conversation within the Good Connect client.

    To enable this disclaimer using the Policy Sets option:

    1. Select the policy set where you wish to add the disclaimer.

    2. Select the Application Policies tab.

    3. Expand the Good Connect application.

    4. Click on the Disclaimer tab.

    5. Check or enable the Display Disclaimer option.

    6. Type or paste your disclaimer text into the textbox.

    7. Click Update.


    The Good Connect client will display this disclaimer on top of each new conversation window.

    Configuring Good Connect user affinity

    It is possible for a Good Connect administrator to pin a user to a cluster of Good Connect servers instead of letting the system randomly assign that user to a server from a master list.

    ABC Company Example

    ABC company has two Lync pools, a West Coast pool which hosts users in the west coast offices and an East Coast pool which hosts users in the east coast offices. ABC company sets up a Good Connect server for each pool, but only sets up one Good Control and Good Proxy cluster as shown below:


    When Aaron Beard launches the Good Connect client, Good Control sends the list of servers to his client. In this case, the list of servers includes both the West Coast server and the East Coast server. The client randomly chooses a Good Connect server. Aaron has a chance of getting connected to the East Coast server instead of the West Coast server.

    Enabling user affinity allows Aaron to always connect to the West Coast server.

    Enabling User Affinity

    The following steps explain how to create a user affinity for a given Good Control server.

    1. Create/Select the policy set for which you wish to create user affinity.

    2. Select the Application Policies tab.

    3. Expand the Good Connect application.

    4. Check the Server Configuration.

    5. Type or paste your connect server host in the textbox.

    6. Select Platform (Lync or Sametime).


    7. Click Update.

    8. Select the User Accounts option and select Manage Users.

    9. Select the user for whom you wish to set this policy.

    10. Set the West Coast Connect Users policy set for the user.

    Enabling SSL Support via Good Proxy

    The Good Connect server can be configured to run securely using SSL (https). By default, this is not enabled. This section describes the requirements to set up the Good Connect server for SSL connections from Good Connect clients.


    The yellow highlight in the following figure shows the path to the Good Connect server from the Good Connect client.

    The Good Connect server requires a signed server SSL certificate from a third-party Certificate Authority (CA). Presently, the Good Dynamics (GD) SDK only supports the use of third-party certificates for GD applications. Good Connect is based on the GD SDK framework and is subject to this requirement.

    If you are using an enterprise CA, or are familiar with how to create a no-template legacy key Certificate Signing Request (CSR), please review this section for the required properties and recommended optional settings for creating the CSR.

    The processes covered in this section provide detailed steps to accomplish the following high-level tasks:

    1. Creating the CSR.

    2. Binding the SSL certificate.

    3. Configuring the Good Connect server to use the new certificate.

    4. Configuring the Good Connect client to start sending requests over SSL.

    Creating the CSR

    Start by creating the CSR through the Microsoft Management Console (MMC) Certificates snap-in for the local computer hosting the Good Connect server. The following steps explain what is required to create the CSR.

    1. Launch the Microsoft Management Console.

    2. Select File > Add/Remove Snap-in > Select Certificate.

    3. Select Computer Account, Next, Local Computer, Finish.


    4. Select Certificates > Personal > Certificates. Note that the final Certificates option is only available if there is at least one certificate in the MMC. If not, just select Personal.

    5. Select More Actions.

    6. From More Actions, click on the following: All Tasks > Advanced Operations > Create Custom Request.

    7. Select the Legacy key template, using the PKCS #10 request format.

    8. If you are prompted to use your Active Directory Enrollment Policy, click on Proceed without enrollment policy.


    9. On the Certificate Information screen, click on the request's Details and then click on Properties.

    10. On the General tab, enter a value for the Friendly name, such as the hostname.

    11. On the Subject tab, select the type Common name and enter the fully qualified domain name of your Good Connect server. In this example, the server1 is a member of the servers domain, which is a subdomain of domain.tld.


    12. Select and enter the remaining subject types and values as illustrated here.

    13. On the Extensions tab, expand the Key usage section and add Data encipherment.

    14. On the same tab, expand the next section titled Extended Key Usage (application policies) and add Server Authentication.


    15. On the Private Key tab, expand the section titled Key type and select Exchange.

    16. On the same tab, expand the section titled Key options.

    a. Change the Key size to 2048.

    b. Enable Make private key exportable.

    c. Enable Allow private key to be archived.


    17. Click on the OK button to proceed with generating the CSR, then click on Next and continue through to the end where you specify the .req (text file) to be created.

    18. Edit the CSR request, copy the text and paste it in the VeriSign Validate a CSR validator to confirm there are no errors: https://ssl-tools.verisign.com/checker/

    Send the new CSR to a well-known third-party CA to issue your certificate

    You need to send the new CSR to a well-known third-party CA and purchase a certificate for your server. The third-party CA may also send you a file that contains the full certificate chain, including possible intermediate certificates. Please install all relevant certificate files that you receive on the server that generated the CSR.


    Binding the SSL certificate

    You must import the third-party CA signed certificate and any other required intermediate certificates prior to following the instructions in this section.

    This section details the steps needed to bind the third-party CA signed SSL certificate to the SSL port you wish to use on your Good Connect server. This port binding exercise must be completed prior to executing the steps in the following sections.

    Step 1: Copy the certificate's thumbprint

    1. Double-click on the certificate in the Certificate snap-in then click on Details to switch to that tab.

    2. Change the Show value to Properties Only to filter out other details.

    3. Click on Thumbprint to display the thumbprint value.

    4. Copy the thumbprint value from the lower text box in this dialog window.

    5. Paste the thumbprint into a text editor.

    6. Use search and replace to find all spaces and delete them, so 08 82 41 2f becomes 0882412f

    7. Copy this modified version of the thumbprint value into the clipboard for the next step.

    Step 2: Open the cmd prompt as an administrator and type the following as one line.

    1. Replace with the thumbprint copied from step 1.

    2. Replace with the port number you wish to use, such as 8082.

    3. Copy and paste the remainder of the parameters listed here:

    netsh http add sslcert ipport=0.0.0.0: certhash= appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}


    Step 3: Confirm the certificate binding by executing the following command.

    netsh http show sslcert
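    Steps 1 to 3 above combined into one script, added here as an example and not part of the Good Connect guide. The function names, the sample thumbprint and port 8082 are assumptions; the script also checks that the certificate is in the Local Computer Personal store with its private key before binding.

```powershell
# Added example (not from the Good Connect guide). Run from an elevated PowerShell prompt.

function ConvertTo-CertHash {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Remove spaces and invisible characters: text copied from the MMC
    # Thumbprint field often starts with a hidden U+200E mark.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hash.Length)."
    }
    return $hash
}

function Add-ConnectSslBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port
    )
    $hash = ConvertTo-CertHash -Thumbprint $Thumbprint

    # The certificate must be in Local Computer > Personal and carry its private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key on this host." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $hash expired on $($cert.NotAfter)." }

    # appid is the value given in the guide's netsh command. It is passed as a
    # quoted string so PowerShell does not treat the braces as a script block.
    $appId = '{AD67330E-7F41-4722-83E2-F6DF9687BC71}'
    & netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$hash" "appid=$appId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE." }

    # Step 3: show only the binding that was just created.
    & netsh http show sslcert "ipport=0.0.0.0:$Port"
}

# Constructed sample thumbprint, pasted with spaces and a leading U+200E.
$raw = "$([char]0x200E)08 82 41 2f 5a 1c 9e 03 77 b4 d6 20 13 c8 e5 6f 90 ab 4d 71"
ConvertTo-CertHash -Thumbprint $raw

# Uncomment to create the binding (changes the HTTP.SYS configuration):
# Add-ConnectSslBinding -Thumbprint $raw -Port 8082
```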

    Configuring the Good Connect server to use the new certificate

    The steps detailed in this section require you to make configuration changes to the Good Connect server. Please make a backup copy of your Good Connect server configuration file before making any changes. For documentation purposes, we will assume that you have installed the Good Connect server in the default location. Please alter the drive:\path\ information to match your actual implementation.

    1. Navigate to the C:\Program Files\Good Technology\Good Connect Server\ directory.

    2. Edit the GoodConnectServer.exe.config file to administer the following changes.

    The sections included below contain portions of the configuration file, showing the relative scope where the highlighted text should be inserted.

    All other sections in the configuration document not listed below do not change.


    3. Restart the Good Connect server service for these changes to take effect.

    Configuring Good Connect Clients to Send Requests Over SSL

    This section describes what you need to change to enable client SSL connections. The changes required here are administered entirely within the Good Control application configuration:

    1. If previously installed without SSL, you will need to change the servers you have listed on the Manage Application page, in the Servers tab (illustrated below) or if you are using User Affinity in the Application Policies tab of the Policy Set (also illustrated below) you have defined.

    a. You will need to add each server's fully qualified domain name with the new SSL port.

    b. If you had previously installed Good Connect server with non-SSL ports, you will need to remove those entries from this table.

    2. The format and port information for the servers you have listed after SERVERS= will need to have https:// added, in addition to using the new SSL port. For example, if you have a cluster of two servers, both using port 8082 for SSL, you would update SERVERS as follows:

    SERVERS=https://server1.domain.tld:8082,https://server2.domain.tld:8082
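    A consistency check for the two rules this guide states about SERVERS= (every server in the Configuration box must also be listed in the Servers table, and after enabling SSL each entry needs https:// and the SSL port), added here as an example and not part of the Good Connect guide. The function name Test-ConnectServerList and all sample hostnames, ports and table rows are constructed.

```powershell
# Added example (not from the Good Connect guide). Sample data below is constructed.
function Test-ConnectServerList {
    param(
        [Parameter(Mandatory)][string]$Configuration,     # text of the Configuration box
        [Parameter(Mandatory)][hashtable[]]$ServerTable   # rows of the Servers table
    )
    $serversLine = ($Configuration -split '\r?\n') |
        Where-Object { $_ -match '^\s*SERVERS=' } | Select-Object -First 1
    if (-not $serversLine) { return 'No SERVERS= line in the configuration.' }

    # Track which table rows are referenced by SERVERS=.
    $tableRows = @{}
    foreach ($row in $ServerTable) {
        $rowKey = "$($row.Hostname):$($row.Port)".ToLowerInvariant()
        $tableRows[$rowKey] = $false
    }

    # Optional scheme, host, optional port, optional trailing slash.
    $pattern = '^(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>[^:/\s]+)(?::(?<port>\d+))?/?$'
    foreach ($entry in (($serversLine -replace '^\s*SERVERS=', '') -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if (-not ($entry -match $pattern)) {
            "${entry}: cannot be parsed as https://host:port"
            continue
        }
        $scheme = $Matches['scheme']; $hostName = $Matches['host']; $port = $Matches['port']
        if ($scheme -ne 'https') { "${entry}: scheme is not https" }
        if (-not $port) { "${entry}: no explicit port" }
        if (-not $hostName.Contains('.')) { "${entry}: host is not a fully qualified domain name" }

        $key = "${hostName}:${port}".ToLowerInvariant()
        if ($tableRows.ContainsKey($key)) { $tableRows[$key] = $true }
        else { "${entry}: not listed in the Servers table" }
    }

    # Table rows that SERVERS= never references, such as leftover non-SSL ports.
    foreach ($key in ($tableRows.Keys | Sort-Object)) {
        if (-not $tableRows[$key]) { "${key}: in the Servers table but not in SERVERS=" }
    }
}

# Constructed sample: server2 still uses http, server3 is missing from the table,
# and the table keeps a non-SSL row for server1 on port 8080.
$config = "PLATFORM=SAMETIME`nSERVERS=https://server1.domain.tld:8082,http://server2.domain.tld:8080,https://server3.domain.tld:8082"
$table = @(
    @{ Hostname = 'server1.domain.tld'; Port = 8082 },
    @{ Hostname = 'server1.domain.tld'; Port = 8080 },
    @{ Hostname = 'server2.domain.tld'; Port = 8080 }
)
Test-ConnectServerList -Configuration $config -ServerTable $table
```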

    Changing servers in the Manage Application page, in the Servers tab.


    Changing servers in Application Policy in the Policy Sets, for User Affinity implementation.


    Troubleshooting

    The best places to diagnose issues are the Good Connect Server, Good Sametime Adapter, and Installer log files in the Good Connect Server folder:

    C:\Program Files\Good Technology\Good Connect Server\Application-log.txt

    C:\Program Files\Good Technology\Good Connect Server\ST-Adapter.log

    C:\Users\\AppData\Local\GaslampInstallerConfigDetectorLog

    Appendix A Understanding the Good Connect Server Configuration File

    After installation, you can update the Good Connect configuration file at

    \Good Technology\Good Connect Server\GoodConnectServer.exe.config

    Note: You must restart the Good Connect Server after updating the parameters.

    | Parameter Name | Required | Description | Default |
    |---|---|---|---|
    | GD_HOST | Yes | Good Dynamics Proxy host. | |
    | GD_PORT | Yes | Good Dynamics Proxy port | 17080 |
    | BASE_ADDRESS | Yes | URL for the Good Connect Server which takes the form of http://goodconnect.mycompany.com:8080/ | |
    | BUILD_VERSION | Yes | The version number of the Good Connect Server build. | Auto-populated |
    | SESSION_TIMEOUT_SECS | Yes | The number of seconds a client is allowed to remain idle | 86,400 (24 hours) |
    | GD_USE_SSL | Yes | Determines whether or not the Good Connect Server uses the Good Dynamics secure port (17433) or unsecure port (17080). | False |
    | APN_SOUND | Yes | Play sound when an Apple device receives a push notification. | |
    | APN_BADGE | Yes | Determines whether or not to use the badge graphic for Apple push notifications. | True |
    | APN_ALERT | Yes | Apple push notification message string that notifies a user that there are unread messages. | You have number unread messages. |
    | APN_SLEEP_TIME | Yes | The number of milliseconds the Good Connect Server waits in between queued Apple push notifications. | 100 |
    | ACTIVE_DIRECTORY_SEARCH_RESULT_MAX | Yes | The upper limit on the number of hits from a search of the Global Address List (GAL). | 150 |
    | GD_APN_PROXY_TYPE | No | Web Proxy Authentication Mechanisms. Acceptable values are: (empty string for no auth); Basic No Auth; Basic; Digest | |
    | GD_APN_HTTP_URL | Yes | WebService URL for Good Dynamics Apple Push Notification Service (APNS) | |
    | GD_APN_PROXY_HTTP_HOST | No | Web Proxy Host | |
    | GD_APN_PROXY_HTTP_PORT | No | Web Proxy Port | |
    | GD_APNS_BLACKLIST_RETRY_NO | Yes | Specifies # of retries after the server receives APNS response where the token has been blacklisted. | 3 |
    | SAMETIME_URL | Yes | Sametime Adapter URL. This field should be set by the installer. | |
    | DB_TYPE | Yes | SQLSERVER or ORACLE depending on what database is used. | |
    | DB_AUTHTYPE | Yes | USE_INTEGRATEDAUTH when specifying Windows integrated authentication; otherwise SQL Server authentication will be used. | |
    | DB_HOST | No | Only valid if DB_TYPE=ORACLE | |
    | DB_PORT | No | Only valid if DB_TYPE=ORACLE | |
    | DB_SERVICE | No | Only valid if DB_TYPE=ORACLE | |
    | GASLAMP_USERNAME | Yes | Windows Service account. | |
    | DB_INIT_CATALOG | No | SQL Server database name or Oracle schema. | GoodConnect. Set by installer, do not change. |
    | DB_SESSION_TIMEOUT_SECS | Yes | Time limit for searching the Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING. | 300 |
    | DB_RECONNECT_WAITTIME_SEC | Yes | # of seconds to wait before attempting to reconnect to the database. | 300 |
    | DB_RECONNECT_TRY_NUM | Yes | # of times the Connect server retries reconnecting to the database after a failure to connect to the database | 3 |
    | DELAY_TERMINATE_SESSION_SECS | Yes | # of seconds to delay before terminating the session for a client which fails to ping | 30 |

    The Sametime Adapter file

    After installation, you can update the Sametime Adapter server configuration file at

    \Good Technology\Good Connect Server\config\ServerConfig.xml

    Note: You must restart the Good Connect Server after updating the parameters.

    | Parameter Name | Required | Description | Default |
    |---|---|---|---|
    | ADAPTER_PORT | Yes | Adapter's port | Set by installation process |
    | SAMETIME_SERVER | Yes | FQDN of the Sametime Community Server (or Mux Server) | Set by installation process |
    | SAMETIME_PORT | Yes | The port of the Sametime Community server (or Mux Server). | Set by installation process |
    | REQUEST_TIMEOUT_MILLIS | Yes | Duration in milliseconds to wait for the Sametime requests to timeout. | 30000 |
    | MAX_HTTP_THREADS | Yes | Max http threads the Adapter creates to handle request. | 100 |
    | MAX_SAMETIME_THREADS | Yes | Max thread for Sametime that Adapter creates. | 100 |
