Prepare for Installation

Applies To: Opalis 6.3

Perform the following tasks before you install Opalis Integration Server to make sure that the installation will be successful.

Preparing the Action Server and Management Server Computers

Opalis Integration Server automates tasks across the entire server architecture. This type of automation requires high levels of access permissions. It is imperative to restrict access to the action server and management server computers such that only authorized administrators can alter the settings on these computers. To prepare the computers that will host these services, we recommend the following:

  • Restrict interactive login access to the Local Administrators group.

  • Add only the minimum necessary user accounts or groups to the Local Administrators group. For more information about configuring user permissions, see the Microsoft Windows documentation about security policies and user privileges.

Defining the Service User Account

Identify an existing account, or create a new one, that the management server service and action server service will use to access system resources on each computer where you install them. You can use a local account on the computer where the management server service or action server service is running; however, a local account may not have access to network resources. Instead, you could use an Active Directory account.

The account does not have to be an Administrator account, but it should be a member of the Administrators group on the computer where the management server service and action server service are installed. Additionally, the account does not have to be a domain Administrator.

Granting Authentication to the Service User Account

Because Opalis Integration Server uses services to operate, the account that you identify for use by the Management service and Action service must have the Log on as a Service user right assigned to it. You can use Active Directory Group Policy to grant authentication to the service user account, or if you are using a local account, you can assign this right using the Local Group Policy Editor (GPEDIT.MSC) on the computer.

To grant authentication to the Service User account

  1. In the Local Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Security Settings > Local Policies > User Rights Assignment > Log on as a service and add the service user account.

  2. Verify that the account is not included in the Deny logon as a service user right located at Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny logon as a service.

  3. Add the service user account to the Act as part of the Operating System right, located at Local Computer Policy > Computer Configuration > Security Settings > Local Policies > User Rights Assignment > Act as part of the Operating System.
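
The three user rights in this procedure can be checked from an elevated PowerShell prompt. The following is an added example, not part of the original Opalis documentation; the account name CONTOSO\svc-opalis and the temporary file name are placeholders, and only rights assigned directly to the account (not through a group) are detected.

```powershell
# Added example: audit the user rights named in the procedure above.
# 'CONTOSO\svc-opalis' is a placeholder, not a value from this page.
param([string]$Account = 'CONTOSO\svc-opalis')

# secedit lists most principals as *<SID>, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$short = $Account.Split('\')[-1]

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'opalis-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# Privilege constant -> whether the service account should hold it.
$expected = @{
    'SeServiceLogonRight'     = $true    # Log on as a service
    'SeDenyServiceLogonRight' = $false   # Deny log on as a service
    'SeTcbPrivilege'          = $true    # Act as part of the operating system
}

foreach ($right in $expected.Keys) {
    # A right with no holders has no line in the export at all.
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $held = ($holders -contains $sid) -or ($holders -contains $Account) -or
            ($holders -contains $short)
    $state = if ($held -eq $expected[$right]) { 'OK' } else { 'REVIEW' }
    Write-Output ("{0,-24} held={1,-5} expected={2,-5} {3}" -f `
        $right, $held, $expected[$right], $state)

    # SeTcbPrivilege is highly privileged, so list every principal that holds it.
    if ($right -eq 'SeTcbPrivilege') {
        Write-Output ("  SeTcbPrivilege holders: " + ($holders -join ', '))
    }
}
```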

Granting Authorization to the Action Server Service User Account

Any remote computer on which the action server service performs operations must allow the service user account to access information.

To grant authorization to the Action Server Service user account

  • Verify that the user account that you have assigned to the action server service has permission on the remote computer to perform read and write operations.

Some objects in Opalis Integration Server enable you to use impersonated credentials for performing operations on remote computers. In the Properties dialog of objects that use impersonated credentials, you will be asked to provide the credentials for the remote computer. The credentials will be supplied to the remote computer when the object runs. However, if impersonation settings on the remote computer use non-default settings, this behavior may not function as expected.

Windows Firewall

Enable the following firewall rules as they apply to your operating system and deployment configuration.

Windows Firewall with Advanced Security for Windows Server 2008 and 2008 R2

Windows Firewall with Advanced Security is enabled by default on all Windows Server 2008 and 2008 R2 computers, and blocks all incoming traffic unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can explicitly allow traffic by specifying a port number, application name, service name, or other criteria by configuring Windows Firewall with Advanced Security settings.

If you are running Windows Server 2008 or 2008 R2, enable the following rules to allow all Monitor Event activities to function correctly:

  • Windows Management Instrumentation (Async-In)

  • Windows Management Instrumentation (DCOM-In)

  • Windows Management Instrumentation (WMI-In)

Automated Deployment of Action Servers or Clients

When action servers or clients need to be installed behind a firewall, specific firewall rules are required between the deployment manager and the remote computers that are used to deploy action servers or clients. An additional rule is required for the remote connection between the client and the management server to enable the Opalis management service to accept remote connections. If you are using the Monitor WMI object, the action server requires a special firewall rule on the computer that will use PolicyModule.exe.

Enable the following firewall rules as they apply to your operating system.

Firewall Rule between the Client and the Management Server (the Computer running OpalisManagementService)

Firewall rule by operating system:

  • 64-bit: %ProgramFiles(x86)%\Opalis Software\Opalis Integration Server\Management Service\OpalisManagementService.exe

  • 32-bit: %ProgramFiles%\Opalis Software\Opalis Integration Server\Management Service\OpalisManagementService.exe

Firewall Rules between the Deployment Manager and the Remote Computers

Firewall rules by operating system:

Windows Server 2008 or 2008 R2

  • File and Printer Sharing

  • Windows Management Instrumentation (WMI)

  • Program rule for OpalisRemotingService to accept remote connections. This rule must be enabled through Advanced Firewall mode:

    • %SystemRoot%\SysWOW64\OpalisRemotingService.exe (for a 64-bit operating system)

    • %SystemRoot%\System32\OpalisRemotingService.exe (for a 32-bit operating system)

Windows Server 2003

  • File and Printer Sharing

  • Windows Management Instrumentation. To enable this rule, run the following command: netsh firewall set service RemoteAdmin enable.

  • Program rule for OpalisRemotingService to accept remote connections.

    Important

    This rule must be enabled after Opalis Integration Server has been installed. To enable this rule, start the Deployment Manager and attempt to deploy an action server. The deployment will fail; however, the program rule file will be copied to the destination server. Now you can add the following program rule: %SystemRoot%\System32\OpalisRemotingService.exe.

Firewall Rule between the Action Server and the Server that will use PolicyModule.exe

Firewall rule by operating system:

  • 64-bit: %ProgramFiles(x86)%\Opalis Software\Opalis Integration Server\Action Server\PolicyModule.exe

  • 32-bit: %ProgramFiles%\Opalis Software\Opalis Integration Server\Action Server\PolicyModule.exe
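
The program rules for OpalisManagementService.exe and PolicyModule.exe, and the three built-in WMI rules listed for the Monitor Event activities, can be applied on Windows Server 2008 or 2008 R2 with netsh advfirewall from an elevated PowerShell prompt. This is an added example, not part of the original Opalis documentation; the -Role and -RemoteIp parameters, the rule names and the LocalSubnet scope are assumptions to adapt to your deployment.

```powershell
# Added example for Windows Server 2008 / 2008 R2; run elevated on the target computer.
param(
    [ValidateSet('ManagementServer', 'ActionServer')]
    [string]$Role = 'ManagementServer',
    # Assumption: limit the rule to the hosts that need it instead of "any".
    [string]$RemoteIp = 'LocalSubnet'
)

# On 64-bit Windows the Opalis binaries are installed under Program Files (x86).
$pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$base = Join-Path $pf 'Opalis Software\Opalis Integration Server'

# Pick the executable that this computer's role needs a program rule for.
$exe = switch ($Role) {
    'ManagementServer' { Join-Path $base 'Management Service\OpalisManagementService.exe' }
    'ActionServer'     { Join-Path $base 'Action Server\PolicyModule.exe' }
}
if (-not (Test-Path $exe)) { throw "Executable not found: $exe" }

# Inbound program rule, scoped by remote address rather than open to all sources.
$name = 'Opalis ' + (Split-Path $exe -Leaf)
netsh advfirewall firewall add rule name="$name" dir=in action=allow `
    program="$exe" remoteip=$RemoteIp enable=yes

# Built-in WMI rules required by the Monitor Event activities.
$wmiRules = 'Windows Management Instrumentation (Async-In)',
            'Windows Management Instrumentation (DCOM-In)',
            'Windows Management Instrumentation (WMI-In)'
foreach ($rule in $wmiRules) {
    netsh advfirewall firewall set rule name="$rule" new enable=yes
}

# Show the resulting program rule so the path and scope can be reviewed.
netsh advfirewall firewall show rule name="$name" verbose
```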

For more information about adding firewall rules, see Add or Edit a Firewall Rule (https://go.microsoft.com/fwlink/?LinkID=201019).