Installation Instructions for iHR and ISS

These instructions are written for system administrators and explain how to install Apex's software products. To skip these instructions and install everything except ISS on one computer, complete a typical single-user installation. These instructions do not explain how to set up communication between Apex Software and biometric\proximity terminals. If you have any questions then call (317) 225-4415 or e-mail tsupport@iHRsoftware.com.

Table of Contents

1. Planning Installation
2. Database Server Installation
3. Client Installation
4. Configuring File Attachments and Portraits
5. Security Configuration
6. Configuring Apex Task E-mailer Service
7. Installing Instant Self Serve
8. Notes regarding Setup.exe and Uninstallation

1. Planning Installation

The software contains two core components: a SQL Server Database and a client, and the software contains three optional components: a Web add-on (ISS), a file share that holds attachments, and a service that e-mails reminders and tasks (e-mailer service). In a typical single-user installation, the Database and client are installed on the same computer. In a typical client/server installation, the Database, file share, e-mailer service, and Web add-on are installed on one server, and the client is installed on each end-user's workstation. In use cases involving more than 500 users, Apex recommends that you reserve a dedicated database server as shown in Table 3 below.

Table 1 lists the system requirements for the server and client components. You may install all of the server components on one computer, or you may install them separately. The client uses an auto-update function that is similar to Windows Updates. For auto-updates to work, firewalls must allow traffic over HTTP port 80 to/from ihrsoftware.com. Apex recommends that all of the workstations, users, and server(s) are joined to the same Windows AD domain.

Table 1. System Requirements

Apex Client (Client component)
  Prerequisites: Windows Vista, 7, 8, 2003, 2008 or 2012; .NET Framework 4.0 or better. Apex Client is not needed for general users, only for admin users.
  Additional memory: 128 MB. Additional hard drive space: 32 MB.

Database (Server component)
  Prerequisites: Windows Vista, 7, 8, 2003, 2008 or 2012; SQL Server 2005 Express, 2008, or 2012; .NET Framework 4.0 or better.
  Permissions: default SQL Server installation permissions.
  Additional memory: 1024 MB. Additional hard drive space: 500 MB.

Share for File Attachments (Server component)
  Prerequisites: Windows XP, Vista, 7, 8, 2003, 2008 or 2012. All Apex thick clients must be able to use a UNC path to access this share. Web clients do not require access.
  Permissions:
    • Typically, HR has full permissions over the share
    • HR assistants need read/write/create
    • Managers may need read on folders for individual employees
  Additional memory: 0 MB. Additional hard drive space: 4000 MB.

Task E-mailer Service (Server component)
  Prerequisites: Windows Vista, 7, 8, 2003, 2008 or 2012; relay access to an SMTP server; .NET Framework 4.0 or better.
  Permissions: the service must run under an account that can read apexTaskEmailer.xml in the program installation folder.
  Additional memory: 10 MB. Additional hard drive space: 10 MB.

Instant Self Serve (Server component)
  Prerequisites: Windows 7 Pro, 8 Pro, 2003, 2008 or 2012; Internet Information Services; .NET Framework 4.0 or better.
  Permissions: depend on whether SQL Authentication or Windows Authentication is used. See ISS, Section 7.
  Additional memory: 128 MB. Additional hard drive space: 10 MB.

Table 2 lists server configurations for a typical client/server installation with fewer than 500 active users. The best configuration uses RAID drives or at least two hard drives: one drive holds the system files and the SQL Server transaction log, and the other drive holds the database and the network share for the file attachments. Note that Apex provides software builds for both 32-bit and 64-bit architectures.

Table 2. Single Server Configurations for Less than 500 Active Users
  Microprocessor: minimum P3 1 MHz; best P4+ Dual\Quad Core > 2 MHz
  OS: minimum Windows 7 Pro or Windows 2003 Server; best Windows 2008 or 2012 Server
  RAM: minimum 2 GB; best 4 GB
  Hard Drive: minimum IDE 80+ GB; best RAID SCSI/SAS 4x20+ GB

Table 3 lists server configurations for installations with 500 to 10,000 active users. In these configurations, a database server that is dedicated to running the Apex database communicates with a Web server that optionally hosts other low-traffic Web applications. Note that Integrated Windows Authentication will not work in a two-server configuration. SQL Authentication or Basic Authentication must be used. (Basic Authentication uses the same Windows login\password as Integrated Windows Authentication.)

Table 3. Two-Server Configurations for 500 to 10,000 Active Users

Server 1, Dedicated Database Server
  Microprocessor: minimum P4+ Dual\Quad Core > 2 MHz; best P4+ Dual\Quad Core > 2 MHz
  RDBMS: minimum SQL Server 2012 Express; best SQL Server 2012
  OS: minimum Windows 2003 Server; best Windows 2008 or 2012 Server
  RAM: minimum 2 GB; best 8 GB
  Hard Drive: minimum IDE 2x40+ GB; best RAID SCSI/SAS 4x20+ GB

Server 2, Web Server (may be shared with low-traffic sites)
  Microprocessor: minimum P4+ Dual\Quad Core > 2 MHz; best P4+ Dual\Quad Core > 2 MHz
  OS: minimum Windows 2003 Server; best Windows 2008 or 2012 Server
  RAM: minimum 2 GB; best 4 GB
  Hard Drive: minimum IDE 2x40+ GB; best RAID SCSI/SAS 4x20+ GB

2. Database Server Installation

The database server requires Windows 7 or better. If you use a Windows domain then the server should be a member of the domain. The procedure for server installation depends on whether or not you are attaching the database to an existing SQL Server 2005 or better.

2.1. Attaching the Database to an Existing SQL Server

If your server already runs SQL Server 2012 then log on to your SQL Server as an administrator. Confirm that the collation on the server is set to the US default, SQL_Latin1_General_CP1_CI_AS. You can find the collation on the General tab/node of the server's properties. If you see a different collation setting then you should install a separate SQL Server instance. Download the compressed database backup file...

http://iHRsoftware.com/FTP/iHRDb.zip (3M)

Extract the file and use SQL Management Studio to restore it as a database named iHR. During the restore, you may want to change the locations of the mdf and ldf files. Also, the iHR database must have an owner. After restoring the database, set the owner by opening the database properties. Alternatively, run the script below.

EXEC sp_changedbowner 'sa'
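The following T-SQL is an added verification script, not one of Apex's own scripts. Run it in SQL Management Studio after the restore: it checks the server collation that the instructions require, reports the owner of the restored iHR database, and sets the owner to sa only if it is missing (the same effect as the sp_changedbowner line above, using the ALTER AUTHORIZATION form that is available from SQL Server 2005 onward). The database name iHR and the collation name come from the instructions.

```sql
-- Added verification script (not part of the Apex instructions).
-- Step 1: the instructions require the US default collation on the server.
DECLARE @required sysname, @server_collation sysname;
SET @required = 'SQL_Latin1_General_CP1_CI_AS';
SET @server_collation = CONVERT(sysname, SERVERPROPERTY('Collation'));

IF @server_collation <> @required
    RAISERROR('Server collation is %s but the instructions require %s; install a separate instance.', 16, 1,
              @server_collation, @required);

-- Step 2: report the restored database. owner_login is NULL when the database has no valid owner,
-- which happens when the backup was taken on a server whose owner login does not exist here.
SELECT d.name,
       d.collation_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.state_desc
FROM sys.databases AS d
WHERE d.name = 'iHR';

-- Step 3: give the database an owner only if it has none.
IF NOT EXISTS (SELECT 1 FROM sys.databases
               WHERE name = 'iHR' AND SUSER_SNAME(owner_sid) IS NOT NULL)
    ALTER AUTHORIZATION ON DATABASE::iHR TO [sa];
```

If the RAISERROR fires, stop and install a separate instance as the instructions say; restoring into an instance with a different server collation leaves tempdb and the iHR database with mismatched collations.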

2.2. "No SQL Server" Installation

If SQL Server 2012 is unavailable then log on to the server as an administrator. Download and run the self extracting executable...

http://iHRsoftware.com/FTP/iHRSetup.exe (16M)

The installer will open. Click Server Installation.

IMPORTANT! With the No SQL Server installation, append \IHR to the server's name when the system prompts you for the name of the database server. If your server were named MyServer then you would enter MyServer\IHR.

3. Client Installation

For every user, log on to the workstation with the user's account. You do not need administrative permissions. Download and execute the file...

http://iHRsoftware.com/Updates/Client/setup.exe (16M)

4. Configuring File Attachments and Portraits

iHR can associate files like portraits, resumes, and MS Office documents with an employee. If you choose to take advantage of this feature then use Windows Explorer and/or Computer Management to create a network share that will hold the documents. Set appropriate security on the share, and enter the share's UNC path into the software.

To enter the UNC path, log on as an administrator and open the client. Click Company > Settings. Click the File Associations tab. Enter the UNC path. On that same tab, you can also edit the subfolders that will be created for each employee. Note that iHR does not automatically manage the security on any of those folders.

5. Configuring Security

Before you configure security, decide whether users will use Windows Authentication or SQL Authentication. Windows is preferred because, after the initial setup, it allows you to use Active Directory to control access. Unlike Windows Authentication, SQL Authentication requires that you create a new SQL login for each user. Note that Windows Authentication requires that all of the users are enrolled in the same domain as the computer that hosts the SQL Server. To set up typical security for Windows Authentication, read Section 5.1. To set up typical security for SQL Authentication, read Section 5.2. For additional security information refer to the help manual at http://iHRsoftware.com/ftp/help.doc.

5.1. Setting up Security for Windows Authentication

Typical security setup for Windows Authentication requires that you create an AD group, join it to the db_owner role, confirm the permissions on the public role, and then associate Windows Accounts with Apex employee records. If you will install Instant Self Serve then you must also grant database access to the staff by clicking Company > Security and adding the Domain Users role.

5.1.1. AD Group for HR Administrators

Create an AD group that holds all of the users who need full access to the database. To create it, open Active Directory and create a group named something like "HR Admin" and join the necessary users. Then, in Apex, click Company > Security and open the security window. Click Add Windows User or Group. Enter the name of the AD group in the format domain\group. Save it. Then click the tab named Membership and click the checkbox named db_owner. Save your changes.

5.1.2. Public Role for Managers and Their Staff

The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about himself. Now select "User Viewing Subordinates". These permissions define what a user can see about his subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)

5.1.3. Associating Windows Accounts with Apex Employee Records

For each user, associate his Windows Account with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the Windows Accounts by opening each person and entering their domain\account in the Security Account field on their General tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the Windows Accounts for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.

-- Adds access for windows accounts: john doe --> YOURDOMAIN\jdoe
-- Sets work e-mail address based on account name
-- Associates each user account with the correct Apex employee record
USE IHR
DECLARE @username varchar(50), @person_id int, @wdomain varchar(50), @edomain varchar(50)
SET @wdomain='CHANGE_ME_TO_YOUR_WINDOWS_DOMAIN'
SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'
DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), PersonID FROM Person
OPEN p_cursor

FETCH p_cursor INTO @username, @person_id
WHILE @@FETCH_STATUS = 0
BEGIN
  UPDATE Employee SET [SID] = SUSER_SID(@wdomain + '\' + @username) WHERE EmployeeID = @person_id
  UPDATE Person SET [Work E-mail] = @username + '@' + @edomain WHERE PersonID = @person_id
  FETCH p_cursor INTO @username, @person_id
END

CLOSE p_cursor
DEALLOCATE p_cursor
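The queries below are an added check, not part of the Apex script above. The script stores SUSER_SID() of the built account name, and SUSER_SID() returns NULL when the domain cannot resolve that name (for example, when the employee's account is not firstinitial+lastname). Those employees will not receive their "User Viewing Self" permissions until the account on their General tab is corrected, so it pays to list them right after running the script. The table and column names are the ones the script uses; the db_owner membership query shows who holds full access in the iHR database so you can confirm that only the HR Admin group from 5.1.1 (and later the e-mailer service account from Section 6) is listed.

```sql
-- Added verification queries (not part of the Apex instructions). Run in the iHR database.
USE IHR;

-- 1. Employees whose Windows account could not be resolved: no SID was stored.
SELECT P.PersonID, P.[First Name], P.[Last Name], P.[Work E-mail]
FROM Person AS P
INNER JOIN Employee AS E ON E.EmployeeID = P.PersonID
WHERE E.[SID] IS NULL;

-- 2. Employees whose stored SID no longer maps to an account name
--    (accounts deleted from the domain after the script ran).
SELECT P.PersonID, P.[First Name], P.[Last Name]
FROM Person AS P
INNER JOIN Employee AS E ON E.EmployeeID = P.PersonID
WHERE E.[SID] IS NOT NULL AND SUSER_SNAME(E.[SID]) IS NULL;

-- 3. Everything that currently holds db_owner in this database. Expect the HR Admin
--    group (domain\group) and, after Section 6, the e-mailer service account.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
INNER JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
INNER JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';
```

Query 1 is the one to run immediately; queries 2 and 3 are worth repeating whenever staff leave, because a stale SID or a forgotten db_owner member is not visible anywhere in the client.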

5.2. Setting up Security for SQL Authentication

Typical security setup for SQL Authentication requires that you create a SQL login for each administrative user, join the logins to the db_owner role, confirm the permissions on the public role, create a SQL login for each user, and then associate the SQL logins with Apex employee records.

5.2.1. Creating SQL Logins

Click Company > Security. Click Add SQL Login. Enter the login and password. Click Save. If this login should have full permissions then click the tab named Membership and click the checkbox named db_owner. Save your changes and repeat these steps for each user.

5.2.2. Public Role for Managers and Their Staff

The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about herself. Now select "User Viewing Subordinates". These permissions define what a user can see about her subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)

5.2.3. Associating SQL Logins with Apex Employee Records

For each user, associate his login with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the logins by opening each person and entering their SQL login in the Security Account field on their General tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the SQL login for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.

-- Creates SQL Logins with SSN as the password for each employee: john doe --> jdoe
-- Sets work e-mail address based on login
-- Associates each login with the correct Apex employee record
-- Make sure you delete old SQL logins before running
USE IHR
DECLARE @login varchar(50), @person_id int, @edomain varchar(50), @ssn varchar(50)
SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'
DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), P.PersonID, X.SSN FROM Person P
INNER JOIN PersonX X ON P.PersonID = X.PersonID
OPEN p_cursor

FETCH p_cursor INTO @login, @person_id, @ssn
WHILE @@FETCH_STATUS = 0
BEGIN
  PRINT @login
  EXEC sp_addlogin @loginame=@login, @passwd=@ssn, @defdb='iHR'
  EXEC sp_grantdbaccess @login
  UPDATE Employee SET [SID] = SUSER_SID(@login) WHERE EmployeeID = @person_id
  UPDATE Person SET [Work E-mail] = @login + '@' + @edomain WHERE PersonID = @person_id
  FETCH p_cursor INTO @login, @person_id, @ssn
END

CLOSE p_cursor
DEALLOCATE p_cursor
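The script below is an added alternative to the Apex script above, not one of Apex's own scripts. It performs the same provisioning loop (login per employee, database access, Employee.SID and Person.[Work E-mail] set) but uses CREATE LOGIN and CREATE USER, which replace the deprecated sp_addlogin and sp_grantdbaccess procedures from SQL Server 2005 onward, and it issues each employee a random one-time password that must be changed at first sign-in instead of using a value from the employee's record. Logins that already exist are skipped rather than requiring you to delete them first. Table and column names come from the script above; the e-mail domain is a placeholder you must change.

```sql
-- Added example (not part of the Apex instructions): CREATE LOGIN-based provisioning.
USE IHR;
SET NOCOUNT ON;

DECLARE @login sysname, @person_id int, @edomain varchar(50), @pwd varchar(36), @sql nvarchar(max);
SET @edomain = 'CHANGE_ME_TO_YOUR_EMAIL_DOMAIN';   -- placeholder

-- Temporary passwords are collected here so they can be handed to each employee
-- through a separate channel; they are invalid after the first sign-in.
DECLARE @issued TABLE (PersonID int, LoginName sysname, TempPassword varchar(36));

DECLARE p_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), PersonID FROM Person;
OPEN p_cursor;
FETCH NEXT FROM p_cursor INTO @login, @person_id;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Create the server login only if it does not exist yet.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
    BEGIN
        -- A GUID string has upper-case letters, digits and hyphens, so it satisfies the
        -- Windows complexity rules that CHECK_POLICY = ON enforces. MUST_CHANGE requires
        -- CHECK_EXPIRATION = ON and CHECK_POLICY = ON.
        SET @pwd = CONVERT(varchar(36), NEWID());
        SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login)
                 + N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N' MUST_CHANGE,'
                 + N' DEFAULT_DATABASE = [iHR], CHECK_EXPIRATION = ON, CHECK_POLICY = ON;';
        EXEC sp_executesql @sql;
        INSERT INTO @issued (PersonID, LoginName, TempPassword) VALUES (@person_id, @login, @pwd);
    END

    -- Map the login into the iHR database (replaces sp_grantdbaccess).
    IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
    BEGIN
        SET @sql = N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
        EXEC sp_executesql @sql;
    END

    -- Same employee-record association as the Apex script.
    UPDATE Employee SET [SID] = SUSER_SID(@login) WHERE EmployeeID = @person_id;
    UPDATE Person SET [Work E-mail] = @login + '@' + @edomain WHERE PersonID = @person_id;

    FETCH NEXT FROM p_cursor INTO @login, @person_id;
END
CLOSE p_cursor;
DEALLOCATE p_cursor;

-- One row per newly created login; distribute, then discard this result.
SELECT PersonID, LoginName, TempPassword FROM @issued;
```

MUST_CHANGE only works with clients that handle SQL Server's change-password prompt (SQL Management Studio does). Confirm that the Apex client and Instant Self Serve accept a first sign-in with an expired password before relying on it; if they do not, remove the MUST_CHANGE keyword and set CHECK_EXPIRATION = OFF, keep CHECK_POLICY = ON, and have users change the temporary password through whichever tool they normally use.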

6. Installing the Apex Task E-mailer Service

To enable automatic e-mails, ensure that your Windows Account is a member of Domain Admins and follow the steps below.
  1. Choose the server that will host the service. The server needs network access to the Apex database and an SMTP server. Apex recommends that you install the e-mailer service on an existing SMTP server that does not require SMTP authentication.
    If the server that you choose is not an SMTP server then the service will need to use a remote SMTP server. The remote SMTP server must grant relay permissions to your chosen\local server. Also, the e-mailer service cannot pass SMTP credentials. If authentication and relaying create problems then work around them by installing the SMTP service on your chosen server from your Windows Server CD-ROM.
  2. Log on to the target server. Download and run http://iHRsoftware.com/ftp/ApexTaskEmailer.msi (6M).
  3. Create a Windows Account for the service and grant the account permissions. If the service and the database are on the same computer then create a local Windows Account. Otherwise create a domain account. Grant the account read permissions on C:\Program Files\Apex\Apex Task Emailer\apexTaskEmailer.xml. Grant the account full permissions on the database (in Apex Software, click Company > Security, add the account, and join it to the db_owner group).
  4. Assign the account to the service. Open Service Manager, edit the service properties, and enter the new account in the "run as" text box.
  5. Point the service to the database. Open C:\Program Files\Apex\Apex Task Emailer\apexTaskEmailer.xml. Edit the file (right-click it and open with Notepad) and change the connectionString and SMTP elements to point to your database and SMTP server.
    In the connectionString element, decide whether to use Windows Authentication (recommended) or SQL Authentication. With Windows Authentication, database permissions will be determined by the Windows Account in which the service runs. Example connection strings are listed below. If you do not know the value of the Data Source attribute then open Apex Software and click Company > Reconnect to Database. Use the text in the Server textbox.

    -- Connect to the local server on the default instance. Use the service's Windows credentials to log in.
    <connectionString value="Data Source=.;Trusted_Connection=Yes;Database=iHR" />

    -- Connect to the local server on the SQLExpress instance. Use the service's Windows credentials to log in.
    <connectionString value="Data Source=.\SQLExpress;Trusted_Connection=Yes;Database=iHR" />

    -- Connect to a remote server on the default instance. Use the SQL login "daemon" to log in.
    <connectionString value="Data Source=Server1;Database=iHR;User ID=daemon;Password=colts2008" />

    -- Connect to a remote server on the IHR instance. Use the service's Windows credentials to log in.
    <connectionString value="Data Source=Server1\IHR;Trusted_Connection=Yes;Database=iHR" />

  6. Start the service. Open the computer's list of services, find Apex Task E-mailer Service, right-click it and start it.
  7. Verify it worked. Review your application event log to confirm that the service started successfully. If the event log shows success then you can review the log of outgoing e-mails by opening Apex Software and clicking Reports > Tasks > Log of E-mailed Reminders.
  8. Troubleshoot errors in the event log.
    Connection errors are usually caused by one of the following problems.
    • Wrong type of slash before the instance name (use Server1\iHR, do not use Server1/iHR)
    • Using Windows Authentication to connect to a remote database when the task e-mailer service is running under a local account. To fix this problem, change the service's "run as" account to a domain account or use SQL authentication in the connection string. The domain account should have administrative database access (member of db_owner). The account needs read permissions on the local apexTaskEmailer.xml file.
    • Running the service as LocalSystem (the default account) and using Windows Authentication to connect to a local SQL Server that is not set to run as LocalSystem. To fix this problem, check the account name that the MS SQL Server service is using. If the account is NOT named NetworkService then use that account to run the service. If it is named NetworkService then create a Windows account and assign it to the service as explained in step 3.

    E-mail errors are usually caused by one of the following problems.
    • Failing to grant relay permissions on the remote SMTP server.
    • Setting a blank or invalid "send from" e-mail address in the Apex Software client (Company > Settings, Reminders tab).
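The queries below are an added set of diagnostics for the connection errors listed in step 8; they are not part of the Apex instructions. Run them in SQL Management Studio on the database server. The first shows which account each SQL Server service runs under (the check step 8 asks for); the second shows what login and authentication scheme your current connection is using, which is the quickest way to tell whether a "run as" account is reaching SQL Server as itself; the third reads recent "Login failed" entries from the SQL Server error log, where a local service account connecting across machines shows up as an anonymous logon; the fourth confirms db_owner membership for the service account. The account name YOURDOMAIN\apex_emailer is a placeholder for whatever you entered in step 3.

```sql
-- Added diagnostic queries (not part of the Apex instructions).

-- 1. Service accounts. sys.dm_server_services exists from SQL Server 2008 R2 SP1 onward;
--    on older versions read the Log On tab of the service in Service Manager instead.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 2. How the current connection authenticated: auth_scheme is NTLM or KERBEROS for
--    Windows Authentication and SQL for a SQL login. Run this from the e-mailer host,
--    connected with the service's "run as" account, to see what the service will be.
SELECT SUSER_SNAME() AS login_name, auth_scheme, net_transport, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 3. Recent failed logins from the current SQL Server error log (log 0, type 1 = SQL log).
--    xp_readerrorlog is undocumented but present in all versions listed in Table 1.
--    "NT AUTHORITY\ANONYMOUS LOGON" here is the signature of the local-account problem above.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 4. Is the service account a db_owner of iHR? 1 = yes, 0 = no, NULL = no such database user
--    (add it through Company > Security as in step 3).
USE IHR;
SELECT IS_ROLEMEMBER('db_owner', 'YOURDOMAIN\apex_emailer') AS is_db_owner;  -- placeholder account
```

If query 2 shows the expected domain account and query 4 returns 1 but the service still logs connection errors, the remaining suspect is the connection string itself, in particular the slash before the instance name.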

7. Installing Instant Self Serve

Instant Self Serve is an Internet Information Services (IIS) Web application. To install it, open IIS manager. Decide whether Instant Self Serve will be (1) the default Website, (2) an application within the default Website, or (3) a new Website.

  1. Default Website. No special action is required.
  2. Application. Installing Instant Self Serve as an application will let users access the site using a URL like http://yoursite.com/hr . To create a new application, right-click the default Website.
  3. New Website. New websites require that you either assign a different IP address than the default Website or a non-standard port (resulting in a URL like http://yoursite.com:8080 ). To install Instant Self Serve as a new site, right-click the sites node.
Decide whether Instant Self Serve will use (1) HTTP or (2) HTTPS.
  1. HTTP. Login handshaking over HTTP is insecure and should only be used when the site is inaccessible outside of your network. HTTP is the IIS default and requires no special action.
  2. HTTPS is secure but requires an SSL certificate. If you do not already have a certificate then you have two options: self-sign or buy a certificate from a third party like NameCheap. In general, self-signing will create a bad first impression for your users because they will see "untrusted" warnings when they visit the site. Set the site to support https over port 443 by clicking the site. Click the bindings link. Verify that https over port 443 is listed. If it is not listed then add it. Set the site to require SSL by clicking the site. Click SSL Settings. Check the "Require SSL" checkbox. Verify that the "Client Certificates" setting is set to ignore.

Download and run the Instant Self Serve self-extracting executable. When prompted, verify that the target folder matches the IIS folder from the previously completed steps.

Decide whether you will use SQL Authentication or Windows Authentication. Windows Authentication allows users to use their Windows login and password to log into the site, but it requires that all users have Windows AD accounts.
  1. SQL Authentication over HTTP is the default and requires no special changes to the web.config file. Verify that site authentication is set to anonymous by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for anonymous.
  2. SQL Authentication over HTTPS. Delete the web.config file and rename web.sqlAuthenticationHttps.config to web.config. Verify that site authentication is set to anonymous by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for anonymous.
  3. Windows Authentication over HTTP.
    Verify that basic authentication is an option by clicking the site. Click the authentication icon. If basic authentication is not an option then go to Server Manager > Roles > Web Server > Add Role Services. In the role services treeview, add Internet Information Services > World Wide Web Services > Security > Basic Authentication.
    Delete the web.config file and rename web.windowsAuthenticationHttp.config to web.config. Verify that site authentication is set to basic by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for basic. Right-click basic and click edit. Enter your AD domain (the domain prefix in domain\username).
  4. Windows Authentication over HTTPS.
    Verify that basic authentication is an option by clicking the site. Click the authentication icon. If basic authentication is not an option then go to Server Manager > Roles > Web Server > Add Role Services. In the role services treeview, add Internet Information Services > World Wide Web Services > Security > Basic Authentication.
    Delete the web.config file and rename web.windowsAuthenticationHttps.config to web.config. Verify that site authentication is set to basic by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for basic. Right-click basic and click edit. Enter your AD domain (the domain prefix in domain\username).

Change the configuration file to point the application to your database and e-mail server. Open web.config in Notepad. Confirm the ConnectionString setting. By default, it points to the IHR instance on the local server. Change the SMTPServer setting to point to your e-mail server. If your e-mail server is local then ensure that the Web server has permission to relay through your e-mail server. (In Exchange, that access is controlled by a receive connector.) If your e-mail server is remote then add your public IP address to your host's list of authorized servers. (In Gmail, that access is controlled by the Authorized Servers list in the main Gmail settings.) Scroll through the rest of the elements in appSettings and change them to meet your needs.

After you install ISS, ensure that you followed Section 5 so that users can access their ISS accounts.

8. Notes regarding Setup.exe and Uninstallation

Setup.exe is designed to be a no-hassle installer for a typical single-user installation. It wraps Apex Business Software, Apex Setup and Database Restoring Utility, and Microsoft SQL Server Express 2012. After the user selects the type of installation, setup may download .NET Framework 4.0.

http://ihrsoftware.com