Prepare Windows Server for Identity Maestro

Identity Maestro is a simpler way for busy network and IT administrators to delegate user identity management and privileged access management tasks to front line staff using a powerful web portal tool. This guide provides details about preparing a Windows server for hosting an Identity Maestro server installation.

Issued January 2018

Contents

Welcome to this guide
Host Server Minimum Requirements
SSL Options
Firewall Settings
Prepare Connection Service Accounts
    Active Directory
    Azure AD / Office 365
    eDirectory
Prepare Windows 2016 / 2012 Server to Host Identity Maestro
    Add Server Roles and Features
Prepare Windows 2008 Server to Host Identity Maestro
    Add Server Roles and Features
Prior to Installing Identity Maestro
    If Exchange 2013 CU 15+ is a Target System
    If Office 365 is a Target System
    If eDirectory 8.8 or 9 is a Target System
    Other Target Systems

Welcome to this guide

This guide provides information necessary to prepare the Windows server that will host Identity Maestro, and to prepare the target systems that Identity Maestro will connect with.

Host Server Minimum Requirements

The Windows server that will host an Identity Maestro installation must meet the following system requirements.

Operating System: Windows 2016, 2012 R2, 2012, or 2008 R2 (x64 only), Standard, Enterprise or Data Center editions. The OS must be activated.

Disk space: Minimum of 1 GB above OS requirements. 10+ GB recommended. Installation on a non-system drive is recommended.

Memory: 2+ GB above OS requirements. If performing large bulk import from CSV actions (500+ user records per bulk action), 4 GB+ above OS requirements is recommended.

Processor: Intel or compatible (x64) - 2 core or higher recommended.

Active Directory: Joined to the primary AD Domain that will host the required service connection user accounts and groups.

.NET Framework: Minimum: .NET 4.5 or higher installed. .NET 4.6.1+ is required if connecting to on-premises Exchange 2013 CU14+.

Windows Management Framework 4.0 (already installed by default with Windows 2012 and 2016).

Windows Services: Windows Management Instrumentation (enabled) – This service should be installed on any Windows server that is hosting user home folders to allow Identity Maestro to create user home folders when creating AD user accounts.

Office 365 Support: If Identity Maestro will connect to Office 365 to manage user mailboxes, install the MSOnline support applications included in the download ZIP file.

eDirectory Support: If Identity Maestro will connect to an eDirectory tree, install the Micro Focus (Novell) eDirectory client for Windows 2.x with latest updates.

SSL Options

The Windows host server and the IIS websites hosted on that server need to be protected by SSL certificates. Two options include:

□ Ensure that domain controllers have been issued certificates by an Enterprise Certificate Authority.

OR

□ Ensure that SSL certificate(s) obtained from trusted public certificate authorities are applied to the IIS default website hosted on the Identity Maestro server.

Firewall Settings

Internal firewall settings need to be configured to permit standard TCP and UDP ports between the Windows server hosting Identity Maestro and the servers / web applications that will be managed. Identity Maestro will be configured with connectors that use various web-enabled services and protocols to facilitate remote access and management. Here is a typical list:

Port                              Protocol or Purpose
389 (tcp/udp), 636 (tcp/udp)      AD LDAP connection insecure/secure
3268 (tcp), 3269 (tcp)            LDAP GC, LDAP GC SSL
88 (tcp/udp)                      Kerberos
53 (tcp/udp)                      DNS resolution
137, 138 (udp), 139, 445 (tcp)    NetBIOS Browser
123 (tcp/udp)                     W32Time
80, 443 (tcp)                     Standard Web applications & Exchange connection insecure/secure
7190 (tcp)                        Identity Maestro connection agent port
135 (tcp)                         RPC + WMI connections for home folders
4000, 4002 (tcp)                  Workflow Center website, Azure AD Remote Agent website
1025 – 5000 (tcp)                 RPC dynamic
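One way to confirm from the Identity Maestro host that the directory-facing TCP ports in the table are open to a domain controller, as an added example that is not part of the original guide. The host name dc01.example.local is a placeholder, the function names are hypothetical, and UDP ports are not tested.

```powershell
# Added example: TCP reachability check for the AD-facing ports in the table above.
# 'dc01.example.local' is a placeholder; pass the name of one of your domain controllers.
$adTcpPorts = @(
    @{ Port = 389;  Purpose = 'AD LDAP (insecure)' },
    @{ Port = 636;  Purpose = 'AD LDAP (secure)' },
    @{ Port = 3268; Purpose = 'LDAP GC' },
    @{ Port = 3269; Purpose = 'LDAP GC SSL' },
    @{ Port = 88;   Purpose = 'Kerberos' },
    @{ Port = 53;   Purpose = 'DNS resolution' },
    @{ Port = 135;  Purpose = 'RPC + WMI' },
    @{ Port = 445;  Purpose = 'NetBIOS Browser' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet cannot hang the check.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-MaestroDirectoryPorts {
    param([Parameter(Mandatory = $true)][string]$DomainController)
    foreach ($entry in $adTcpPorts) {
        [pscustomobject]@{
            Port    = $entry.Port
            Purpose = $entry.Purpose
            Open    = Test-TcpPort -ComputerName $DomainController -Port $entry.Port
        }
    }
}

Test-MaestroDirectoryPorts -DomainController 'dc01.example.local' | Format-Table -AutoSize
```

A row with Open = False for a port the connector needs points at a firewall rule or a service that is not listening on the target.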

Prepare Connection Service Accounts

Each target system needs a service user account that will be used to provide privileged access to the target system. Prepare what is required for your environment.

Active Directory

Prepare an AD user account to use as a connection user service account for Identity Maestro. This account will provide protected full administrative access to Active Directory.

□ Create a user in the “\Users” folder in AD. Typical name could be imconnect.

□ Add to the Domain Administrators group.

□ (If required) Add to the Enterprise Administrators and Organization Management groups (required for managing Exchange On-Premise).

□ Set the account password to never expire.

If corporate security policy requires scheduled password changes, ensure that you schedule a task to manually reset the password before it expires in AD. There is a procedure that needs to be followed to reset the password in the various connection end-points in Identity Maestro.

□ Ensure that the account is not affected by GPOs that will modify password expiration.
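A read-only check of the connection account against the checklist above, as an added example that is not part of the original guide. It assumes the ActiveDirectory (RSAT) module is installed, the account is named imconnect as suggested above, and the default domain password policy (not a fine-grained one) applies to it; the function name is hypothetical.

```powershell
# Added example: read-only report on the AD connection account described above.
# Assumes the ActiveDirectory module (RSAT) and that the default domain password
# policy, not a fine-grained one, applies to the account.
Import-Module ActiveDirectory

function Get-ConnectAccountStatus {
    param([string]$SamAccountName = 'imconnect')   # typical name from the guide

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties Enabled, PasswordNeverExpires, PasswordLastSet, MemberOf

    # MemberOf holds group distinguished names; resolve them to names for the report.
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # MaxPasswordAge is a TimeSpan; zero means the domain policy never expires passwords.
    $maxAge  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $expires = $null
    if (-not $user.PasswordNeverExpires -and $user.PasswordLastSet -and
        $maxAge -gt [TimeSpan]::Zero) {
        $expires = $user.PasswordLastSet + $maxAge
    }

    [pscustomobject]@{
        Account              = $user.SamAccountName
        Enabled              = $user.Enabled
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        PasswordExpires      = $expires     # $null when the password does not expire
        DaysUntilExpiry      = if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null }
        Groups               = $groups -join '; '
    }
}

Get-ConnectAccountStatus | Format-List
```

Where corporate policy requires scheduled password changes, DaysUntilExpiry gives the deadline for the manual reset the guide describes, and Groups shows exactly which privileged groups the account holds.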

Azure AD / Office 365

Prepare an Office 365 user account to use as a connection user service account for Identity Maestro.

□ Create an Office 365 user account (that is not synced by Azure AD Connect) called imconnect.

□ This account must be assigned the Global Administrator role in Office 365.

□ This account does not need to be licensed for any SKUs or service plans.

eDirectory

Prepare an eDirectory user account to use as a connection user service account for Identity Maestro. This account will provide protected full administrative access to eDirectory.

□ Create an eDirectory user. Typical name could be imconnect.

□ Assign Administrative rights to the root of the eDirectory tree.

□ Set the account password to never expire.

If corporate security policy requires scheduled password changes, ensure that you schedule a task to manually reset the password before it expires in eDirectory. There is a procedure that needs to be followed to reset the password in the various connection end-points in Identity Maestro.

Prepare Windows 2016 / 2012 Server to Host Identity Maestro

Here are the steps to prepare a Windows 2016 or 2012 server to host Identity Maestro.

Add Server Roles and Features

1. In Server Manager, select Manage > Add Roles and Features.

2. In the “Before you begin” page, select Next >.

3. In the “Select installation type” page, select Role-based or feature-based installation and select Next >.

4. In the “Select destination server” page, select the Select a server from the server pool option, select the target server in the Server Pool list, and select Next >.

5. In the “Select server role” page, ensure that Storage Services is already selected.

6. Select Web Server (IIS) and, in the “Add features that are required for Web Server (IIS)” window, select Add Features.

7. Select Next >.

8. In the “Select features” window, expand .NET Framework 4.5 Features (2 of 7 installed) and ensure that ASP.NET, WCF Services, and all WCF Services sub-items except Message Queuing (MSMQ) Activation are checked. If a popup window opens, accept the changes.

9. Under Windows PowerShell (2 of 5 installed), ensure that Windows PowerShell 4.0 (Installed) and Windows PowerShell ISE (Installed) are both checked (usually the default).

10. Select Next >.

11. On the “Web Server Role (IIS)” page, select Next >.

12. On the “Role Services” page, under Common HTTP Features, uncheck Directory Browsing.

13. Scroll down to Security and ensure that Basic Authentication and Windows Authentication are checked.

14. Scroll down to Application Development and ensure that .NET Extensibility 4.6, ASP.NET 4.6, ISAPI Extensions, and ISAPI Filters are checked.

15. Scroll down to Management Tools and ensure that IIS Management Console, IIS 6 Metabase Compatibility, IIS 6 Management Console, and IIS 6 WMI Compatibility are checked.

16. Select Next >.

17. On the “Confirm installation selections” window, select Install.

18. Wait until the installation is finished and then close Server Manager if it is not required.
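To confirm that the wizard left the server in the state the steps above describe, including Directory Browsing being absent, the installed features can be compared against the list. This is an added example, not part of the original guide; it uses the ServerManager feature names that correspond to the checkboxes named in the steps, and the function name is hypothetical.

```powershell
# Added example: checks the role/feature state that steps 5-15 above produce.
# Names are the ServerManager feature names on Windows Server 2012 / 2012 R2 / 2016.
Import-Module ServerManager

$mustBeInstalled = @(
    'Web-Server',                                   # Web Server (IIS), step 6
    'NET-Framework-45-ASPNET',                      # ASP.NET, step 8
    'NET-WCF-Services45',                           # WCF Services, step 8
    'NET-WCF-HTTP-Activation45', 'NET-WCF-Pipe-Activation45',
    'NET-WCF-TCP-Activation45',  'NET-WCF-TCP-PortSharing45',
    'PowerShell', 'PowerShell-ISE',                 # step 9
    'Web-Basic-Auth', 'Web-Windows-Auth',           # step 13
    'Web-Net-Ext45', 'Web-Asp-Net45',               # step 14
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Mgmt-Console', 'Web-Metabase',             # step 15
    'Web-Lgcy-Mgmt-Console', 'Web-WMI'
)
$mustBeAbsent = @('Web-Dir-Browsing')               # step 12: Directory Browsing unchecked

function Test-MaestroHostFeatures {
    # Map feature name -> installed flag; names the server does not know stay unset.
    $installed = @{}
    Get-WindowsFeature -Name ($mustBeInstalled + $mustBeAbsent) |
        ForEach-Object { $installed[$_.Name] = $_.Installed }

    foreach ($name in $mustBeInstalled) {
        if (-not $installed[$name]) {
            [pscustomobject]@{ Feature = $name; Finding = 'required but not installed' }
        }
    }
    foreach ($name in $mustBeAbsent) {
        if ($installed[$name]) {
            [pscustomobject]@{ Feature = $name; Finding = 'installed but should be removed' }
        }
    }
}

$findings = @(Test-MaestroHostFeatures)
if ($findings.Count -eq 0) {
    'Host matches the role and feature list in this section.'
} else {
    $findings | Format-Table -AutoSize
}
```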

Prepare Windows 2008 Server to Host Identity Maestro

Here are the steps to prepare a Windows 2008 server to host Identity Maestro.

Add Server Roles and Features

1. In Server Manager, select Roles > Add Roles.

2. In the “Before you begin” page, select Next >.

3. In the “Select Server Roles” page, select Application Server. In the “Add features required” page, select Add Required Features.

4. Select File Services and Web Server (IIS), then select Next >.

5. In the “Application Server” page, select Next >.

6. In the “Select Role Services” page, ensure that .NET Framework 3.5.1 is checked. Select TCP Port Sharing, HTTP Activation, TCP Activation, and Named Pipes Activation, and click Next >.

7. In the “Web Server (IIS)” page, click Next >.

8. In the “Select Role Services” page, uncheck Directory Browsing.

9. Check ASP.NET, ISAPI Extensions and ISAPI Filters.

10. Scroll down.

11. Under Security, select Basic Authentication and Windows Authentication.

12. Under Management Tools, select IIS Management Console, IIS Management Scripts and Tools, IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility.

13. Select Next >.

14. In the “File Services” page, select Next >.

15. In the “Select Role Services” page, select Next >.

16. In the “Confirm installation selections” window, select Install.

17. Wait until the installation is finished and then close the “Installation Results” page and the Server Manager if it is not required.

Prior to Installing Identity Maestro

Different target systems need additional components to be installed.

If Exchange 2013 CU 15+ is a Target System

You must upgrade .NET to 4.6.1+. You must also configure Exchange to support remote PowerShell. Refer to “Reenable Remote Powershell Support after upgrading Exchange 2013 from CU14 to CU15+”.

If Office 365 is a Target System

1. Download the Identity Maestro installation ZIP file (servicecontrol-latest.zip) and extract to the server.

2. Expand the \MSOnline\1.0.8262.2\ folder.

3. Using elevated permissions, install:

    a. Install msoidcli_64.msi.

    b. Install AdministrationConfig-en.msi.

If eDirectory 8.8 or 9 is a Target System

Install the latest Micro Focus (Novell) eDirectory client for Windows 2012 R2.

Other Target Systems

Contact Identity Maestro support for assistance.
