Complete each item in this checklist to ensure the OnBase Application Server is successfully installed. This checklist is applicable for supported versions of Windows Server and the versions of IIS included with Windows Server.
Application Server Installation Steps |
Notes |
|||
---|---|---|---|---|
1 |
|
Follow Microsoft best practices for securing Windows Servers, IIS, and ASP.NET Web applications throughout the install. |
Additional information is available on securing different versions of Windows Server: Windows Server 2012:
Windows Server 2016 and Windows Server 2019:
|
|
2 |
|
Verify that the Application Server machine meets OnBase Application Server Requirements. |
See the OnBase Installation Requirements manual for hardware requirements for the Application Server. |
|
CPU |
2.4 GHz dual-core / dual processor (Intel® Xeon™ processor with multiple cores or processors recommended) |
|||
System Memory |
32-bit Application Server: 4 GB (8 GB recommended); 64-bit Application Server: 6 GB (12 GB recommended) |
|||
Internet Browser |
Internet Explorer 11, with all related security patches, must be installed on the server. |
|||
Server Deployment Notes |
OnBase Application Servers must be dedicated-purpose servers. They must NOT also be used as a domain controller, DNS server, non-OnBase Web or application server, email server, print/database/file server, index server, proxy server, network backup server, jukebox manager, network performance monitor, Client processing workstation, or Workflow/API Client broker. Network and disk I/O hardware should be optimized for performance and redundancy. Two network cards can reduce server bottlenecks by using a segmented network for external and internal requests, where external requests are sent to the Web clients and internal requests are sent to the file and database servers. It is strongly recommended that you complete these installation procedures on a clean operating system. |
|||
Virtual Machine Deployment Notes |
Hyland Software develops, tests, and supports the OnBase suite of products on specific Operating Systems, not specific hardware configurations. When OnBase is operated in a virtual environment (such as Citrix, VMware, Hyper-V, or Windows Remote Desktop) there may be limitations or subtle differences imposed by the environment. The customer and the virtual environment vendor are responsible for any interactions or issues that arise at the Hardware or Operating System layer as a result of their use of a virtual environment. When it appears that a performance-related issue in OnBase is either caused by (or is unique to) the virtual environment, organizations may be asked to validate that the issue occurs in a non-virtual environment. Hyland Software will make this request if there is reason to believe that the virtual environment is a contributing factor to the issue. Each OnBase site is unique. Hyland Software depends on the customers who deploy OnBase in virtual environments to do so only after careful design and adequate planning (that takes into account the workloads of your organization), and in accordance with recommendations provided by the virtual environment's vendor. As with any implementation, Hyland Software strongly recommends that any customer deploying the OnBase solution in a virtual environment thoroughly test the solution before putting it into production. For information about using OnBase in a Citrix and Microsoft Windows Remote Desktop environment, please see the Citrix and Microsoft Windows Remote Desktop Environment Deployment Guide, available from your solution provider. |
|||
Supported Database Versions |
See the OnBase Installation Requirements manual for a list of supported database versions. |
|||
OnBase Database Version |
Version 3.5-409 or greater |
|||
3 |
|
Install or verify installation of Windows Server. |
||
4 |
|
Install or verify installation of IIS. |
||
Install only the necessary IIS components. |
Use the Add Roles and Features Wizard in Windows Server Manager to install IIS and ASP.NET.
CAUTION:
Do not add the Dynamic Content Compression feature. This feature interferes with the XML sent between the Application Server and other servers or applications, and it should not be installed or enabled on the Application Server. Other roles may be needed depending on network security and other functionality needed for your solution. Add these required roles when prompted. |
|||
Restart the IIS service. |
Recommended: Use the Microsoft iisreset.exe utility located in C:\WINDOWS\system32. |
|||
5 |
|
Apply any required Windows Server service packs and updates. |
||
6 |
|
Install or verify installation of the Microsoft .NET Framework. |
||
Verify that .NET Framework has been successfully installed. |
OnBase requires Microsoft .NET Framework 4.7.2 or later. The .NET Framework can be obtained from the Microsoft Download Center at http://www.microsoft.com/downloads. |
|||
7 |
|
Uninstall OnBase Core Services. |
Search the entire server system path for older versions of the Web Server or Application Server files that may have been installed in a previous installation. |
Unregister any registered Core Services files from previous versions using REGSVR32 /U. Then, delete the unregistered files. It is critical that multiple copies of the Core Services DLL files not be registered on the server. The Application Server will not function correctly with multiple or mismatched versions of the Core Services DLLs. |
8 |
|
Install the OnBase Diagnostics Service. |
The Diagnostics Service monitors low-level Application Server error and informational messages. It is available in the ..\apps\NTServices\Hyland.Diagnostics directory in the build distribution package. See the Diagnostics Service & Diagnostics Console module reference guide for information about installing and configuring the service and using the Diagnostics Console. Note:
If you are upgrading your Core Services installation, uninstall previous versions of the Diagnostics Service and Diagnostics Console before installing the latest version. |
|
9 |
|
Create a Web site. For high-security deployments, follow Microsoft best practices. |
Create a new Web site in the IIS Manager. |
A Web site root directory must be designated. |
Configure IIS logging as needed. |
Use the IIS Logging feature to configure logging at either the site or server level. The following W3C Logging Fields are recommended:
To access these logging fields, open the Logging feature for the server or site, ensure W3C is the selected format, and click Select Fields. |
|||
10 |
|
Install the current OnBase Application Server build. |
Create a Web content sub-directory within the Web site root directory: |
It is recommended that you name the new subdirectory whatever you plan to name your Web application/virtual directory:
..\YourWebSiteRoot\YourApp |
Copy the standard OnBase Application Server files, including subdirectories, from the ..\AppServer (for 32-bit) or ..\AppServer64 (for 64-bit) build directory into the virtual directory file location as configured for the virtual directory in IIS Manager. |
||||
11 |
|
Create an application pool. |
In IIS Manager, create a unique application pool for each Web application/virtual directory you plan on creating. |
For high-security deployments, the well-known Default application pool should NOT be used. |
12 |
|
Configure the Web site properties. |
Convert the directory you created in step 10 to an application. |
In IIS Manager, right-click the directory you created in step 10 and select Convert to Application. When prompted, select the application pool you created in step 11. If you did not install the OnBase Application Server files in the Web site content directory, right-click the Web site in IIS Manager and select Add Application. Follow the prompts to create the Application Server application. |
Set service.asmx as the default document. |
||||
For the entire virtual directory, set Expire Web content to Immediately. |
This setting is found in HTTP Response Headers under the Set Common Headers action. |
|||
For the entire virtual directory, ensure that Enable HTTP keep-alive is selected. |
This setting is found in HTTP Response Headers under the Set Common Headers action. |
|||
In the Authentication feature for the Application Server application, enable Anonymous Authentication and configure the specific local machine user account. |
The anonymous account is normally named IUSR by default and should not need to be changed. |
|||
Set Preload Enabled to True. |
This setting is found in the Advanced Settings dialog box for the Web application. |
|||
Assign your newly created application pool to the virtual directory. |
A unique application pool should be assigned to each separate Web application/virtual directory you plan on operating. |
|||
13 |
|
Configure the application pool. |
For recommended settings, see Application Pool Configuration. To access all configuration settings, select the application pool in IIS Manager, and click Advanced Settings from the Actions pane. |
|
Set .NET CLR Version to v4.0. |
This setting is under (General) in the Advanced Settings dialog box. |
|||
Set Enable 32-Bit Applications to:
|
||||
Ensure the Managed Pipeline Mode is set to Integrated. |
||||
Set the Queue Length to 65535. |
Setting this value is the same as clearing the Limit the kernel request queue (number of requests) option in IIS. |
|||
Set the Start Mode to AlwaysRunning. |
||||
Set the Limit Interval to 0. |
This setting is under CPU in the Advanced Settings dialog box. |
|||
Set the Identity to NetworkService. |
This setting is under Process Model in the Advanced Settings dialog box. You can also select another built-in service account, or you can enter a user name and password for a custom service account to run the application pool worker process and potentially access domain resources.
CAUTION:
Use of the LOCAL SYSTEM account is a significant security vulnerability that must be avoided in any production or customer data environment. |
|||
Set the Idle Time-out to 0. |
||||
Ensure the Maximum Worker Processes is set to 1. |
The OnBase Application Server requires that this value be set to the default value of 1. |
|||
Set Ping Enabled to False. |
||||
Under Rapid-Fail Protection, set Enabled to False. |
||||
Set Regular Time Interval to 0. |
This setting is under Recycling in the Advanced Settings dialog box. |
|||
14 |
|
Assign NTFS permissions for the IUSR Anonymous Account to access the Web content directory. |
Web content directory and sub-directories: C:\inetpub\wwwroot\YourWebApp (or the path that the virtual directory points to) |
Anonymous access account: Read and Execute, Read |
15 |
|
This step is optional. For high-security deployments, create a custom, least-privileged service account for identity impersonation. The built-in ASP.NET process accounts are well-known least-privileged accounts and are suitable for most environments. |
CAUTION:
Do not use IIS Manager to configure impersonation. IIS Manager enters the account's credentials into Web.config in plain text. Use the following steps to configure the account, enable impersonation in web.config, and encrypt the account's credentials in the registry. |
|
Create a new local user account. |
||||
Assign ASP.NET permissions to the new account. |
At a Command Prompt, enter:
aspnet_regiis -ga MachineName\AccountName
This command grants access to IIS resources and permissions to write to the ASP.NET Temporary files folder. |
|||
Assign permissions to the Web content directory and subdirectories: C:\inetpub\wwwroot\YourWebApp (or the path that the virtual directory points to) |
New account permissions: Modify |
|||
Assign local security policy user rights for the account. |
If you created a new account, you must change its local security policy user rights. Assign the following:
If you are using a built-in process account (e.g., ASPNET), skip this step. |
|||
16 |
|
Create registry keys containing encrypted user name and password values to use in production Application Server installations. |
A copy of the ASPNET_SETREG tool is located in the ..\UTILITIES\MISC sub-directory in the build distribution package. Full details on creating Encrypted account registry keys are available in the Microsoft article: “How To Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings” available at: http://support.microsoft.com/kb/329290 |
|
Create registry keys containing encrypted user name and password values for the impersonated identity account. |
Use the Microsoft ASPNET_SETREG.EXE tool:
aspnet_setreg.exe -k:SOFTWARE\Hyland\YourApp\identity -u:"DOMAIN\name" -p:"password" |
|||
Assign NTFS permissions for the registry keys. |
ASP.NET application pool identity account: Read Note:
If the application pool is configured to use the built-in ApplicationPoolIdentity account, then the IIS_IUSRS group must be granted Read access to the registry key. |
|||
17 |
|
Encrypt the ASP.NET impersonated identity account for the Application Server. |
Assign a registry reference pointing to the encrypted user name and password created in step 16 for the user name and password values. |
Within the <identity> element of the web.config file in the application pool's virtual directory:
32-bit:
<identity impersonate="true" userName="registry:HKLM\SOFTWARE\Hyland\YourApp\identity\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\Hyland\YourApp\identity\ASPNET_SETREG,password" />
64-bit:
<identity impersonate="true" userName="registry:HKLM\SOFTWARE\Wow6432Node\Hyland\YourApp\identity\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\Wow6432Node\Hyland\YourApp\identity\ASPNET_SETREG,password" /> |
18 |
|
Configure the OnBase Log in Event Viewer. |
The default log file sizes in Event Viewer need to be increased to avoid error messages. |
In the Event Viewer, right-click the OnBase Log and select Properties. Set the maximum log size to 16384 KB and select Overwrite events as needed. |
19 |
|
Configure your antivirus, backup, or indexing service software to exclude OnBase application files. Note:
Refer to Impact of Running Antivirus Software on the Application Server for more information. |
Modifying the contents of the Web Server or Application Server's virtual directory will cause the application to restart. When this occurs, connected users will lose their sessions and their applications will become unresponsive. This behavior occurs because the OnBase Web Server and Application Server are ASP.NET Web Applications. ASP.NET detects file changes, including changes to file system attributes and time stamps, and restarts the application if a change is detected. Unintended application restarts can occur when virus scanning software, backup software, or indexing services access the contents of an application's virtual directory. These processes don't modify the contents of an application's files, but they can modify the files' attributes, which is enough for ASP.NET to restart the application. To properly configure virus scanning, backup software, or indexing service software, follow the guidelines below. |
|
Exclude both the OnBase Web Server's and Application Server's virtual directories from antivirus, backup, or indexing service scanning. |
If these files are scanned by antivirus, backup, or indexing software, IIS will restart the application pool for the OnBase application. When an application pool restarts, all existing OnBase sessions are reset, causing errors for connected users. |
|||
Exclude the ASP.NET Temporary Files directory from antivirus, backup, or indexing service scanning. |
The ASP.NET Temporary Files directory is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files. |
|||
Real-time scanning of script execution, which is available in some antivirus software, should only be engaged according to the software manufacturer's instructions. Some manufacturers do not intend this functionality to be used on servers. |
Consult your antivirus, backup, or indexing software documentation for other recommended settings for Application Servers. |
|||
Ensure that any antivirus, backup, or indexing service changes will not be overwritten by the automatic policy settings configured for your network. |
||||
20 |
|
The OnBase Application Server is installed. Perform testing as necessary. |
Access http://hostname/AppServer/Service.asmx to determine whether the installation is correct. (Replace hostname with the machine name and AppServer with the Application Server's virtual directory.) |
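The application pool values from step 13 can be checked after installation with a read-only audit. The PowerShell below is an added example, not part of the vendor checklist: the function name Test-OnBaseAppPool and the pool name OnBaseAppPool are hypothetical placeholders, and Enable 32-Bit Applications is left out because its value is not given above.

```powershell
# Added example, not vendor code: read-only audit of the step 13 settings.
# 'OnBaseAppPool' is a placeholder pool name; Test-OnBaseAppPool is hypothetical.
Import-Module WebAdministration

function Test-OnBaseAppPool {
    param([string]$PoolName = 'OnBaseAppPool')

    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) { throw "Application pool '$PoolName' not found." }

    # applicationHost.config attribute -> value required by the checklist
    $expected = [ordered]@{
        'managedRuntimeVersion'          = 'v4.0'            # .NET CLR Version
        'managedPipelineMode'            = 'Integrated'
        'queueLength'                    = 65535
        'startMode'                      = 'AlwaysRunning'
        'cpu.resetInterval'              = [timespan]::Zero  # Limit Interval
        'processModel.idleTimeout'       = [timespan]::Zero  # Idle Time-out
        'processModel.maxProcesses'      = 1
        'processModel.pingingEnabled'    = $false
        'failure.rapidFailProtection'    = $false
        'recycling.periodicRestart.time' = [timespan]::Zero  # Regular Time Interval
    }

    # Get-ItemProperty returns either a plain value or an object with .Value.
    $read = {
        param($name)
        $raw = Get-ItemProperty -Path $path -Name $name
        if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
    }

    foreach ($name in $expected.Keys) {
        $actual = & $read $name
        [pscustomobject]@{
            Setting   = $name
            Expected  = "$($expected[$name])"
            Actual    = "$actual"
            Compliant = ("$actual" -eq "$($expected[$name])")
        }
    }

    # The checklist permits other service accounts, but never LOCAL SYSTEM.
    $identity = & $read 'processModel.identityType'
    [pscustomobject]@{
        Setting   = 'processModel.identityType'
        Expected  = 'NetworkService (any account except LocalSystem)'
        Actual    = "$identity"
        Compliant = ("$identity" -ne 'LocalSystem')
    }
}
# Usage: Test-OnBaseAppPool -PoolName 'YourPool' | Where-Object { -not $_.Compliant }
```

Run it from an elevated PowerShell session on the Application Server; it changes nothing and only reports drift from the checklist values.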
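Steps 15 through 17 depend on the impersonation credentials never appearing in web.config in plain text. The PowerShell below is an added example, not vendor code: it checks that each credential attribute of the <identity> element is a registry: reference and that the referenced value exists. The function name Test-IdentityCredentialStorage is hypothetical.

```powershell
# Added example, not vendor code. Test-IdentityCredentialStorage is a
# hypothetical name. Credential values are never written to the output.
function Test-IdentityCredentialStorage {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    # Form written in step 17: registry:HKLM\<key path>,<value name>
    $pattern = '^registry:HKLM\\(?<key>[^,]+),(?<name>.+)$'

    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    foreach ($node in $config.SelectNodes('//identity[@impersonate="true"]')) {
        foreach ($attr in 'userName', 'password') {
            $value = $node.GetAttribute($attr)

            if ([string]::IsNullOrEmpty($value)) {
                # No explicit account: ASP.NET impersonates the request identity.
                $status = 'NotSet'
            }
            elseif ($value -match $pattern) {
                $key  = 'HKLM:\' + $Matches['key']
                $name = $Matches['name']
                $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
                $status = if ($item) { 'RegistryReference' } else { 'RegistryValueNotFound' }
            }
            else {
                # Anything else is a literal credential stored in web.config.
                $status = 'PlainText'
            }

            [pscustomobject]@{
                File      = $WebConfigPath
                Attribute = $attr
                Status    = $status
            }
        }
    }
}
# Usage: Test-IdentityCredentialStorage -WebConfigPath 'C:\inetpub\wwwroot\YourWebApp\web.config'
```

A PlainText result means the credentials need to be moved into the registry with aspnet_setreg.exe as described in step 16.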