These instructions are written for system administrators and explain how to install Apex's software products. To skip these instructions and install everything except ISS on one computer, complete a typical single-user installation. These instructions do not explain how to set up communication between Apex Software and biometric\proximity terminals. If you have any questions then call (317) 225-4415 or e-mail tsupport@iHRsoftware.com.
|Table of Contents|
1. Planning Installation|
2. Database Server Installation
3. Client Installation
4. Configuring File Attachments and Portraits
5. Security Configuration
6. Configuring Apex Task E-mailer Service
7. Installing Instant Self Serve
8. Notes regarding Setup.exe and Uninstallation
The software contains two core components: a SQL Server Database and a client, and the software contains three optional components: a Web add-on (ISS), a file share that holds attachments, and a service that e-mails reminders and tasks (e-mailer service). In a typical single-user installation, the Database and client are installed on the same computer. In a typical client/server installation, the Database, file share, e-mailer service, and Web add-on are installed on one server, and the client is installed on each end-user's workstation. In use cases involving more than 500 users, Apex recommends that you reserve a dedicated database server as shown in Table 3 below.
Table 1 lists the system requirements for the server and client components. You may install all of the server components on one computer, or you may install them separately. The client uses an auto-update function that is similar to Windows Updates. For auto-updates to work, firewalls must allow traffic over HTTP port 80 to/from ihrsoftware.com. Apex recommends that all of the workstations, users, and server(s) are joined to the same Windows AD domain.Table 1. System Requirements
|Component||Prerequisites||Client/Server||Permissions||Additional Memory (MB)||Additional Hard Drive Space (MB)|
|Apex Client||Windows Vista, 7, 8, 2003, 2008 or 2012|
.NET Framework 4.0 or better
Apex Client is not needed for general users. Only needed for admin users.
Windows Vista, 7, 8, 2003, 2008 or 2012
SQL Server: SQL 2005 Express, 2008, or 2012
.NET Framework 4.0 or better
|Server||Default SQL Server installation permissions||1024||500|
|Share for File Attachments||Windows XP, Vista, 7, 8, 2003, 2008 or 2012
All Apex thick clients must be able to use a UNC path to access this share. Web clients do not require access.
|Task E-mailer Service||Windows Vista, 7, 8, 2003, 2008 or 2012
Relay Access to SMTP Server
.NET Framework 4.0 or better
|Server||Service must run under an account that can read apexTaskEmailer.xml in the program installation folder||10||10|
|Instant Self Serve||Windows 7 Pro, 8 Pro, 2003, 2008 or 2012
Internet Information Services
.NET Framework 4.0 or better
|Server||Depends on SQL Authentication or Windows Authentication. See ISS, section 7.||128||10|
Table 2 lists server configurations for a typical client/server installation with less than 500 active users. The best configuration uses RAID drives or at least two hard drives: one drive holds system files and the SQL Server transaction log. The other drive holds the database and the network share for the file attachments. Note that Apex provides software builds for both 32bit and 64bit architectures.Table 2. Single Server Configurations for Less than 500 Active Users
|Microprocessor||P3 1Mhz||P4+ Dual\Quad Core > 2Mhz|
|OS||Windows 7 Pro or Windows 2003 Server||Windows 2008, 2012 Server|
|Hard Drive||IDE 80+ G||RAID SCSI/SAS 4x20+ G|
Table 3 lists server configurations for installations with 500 to 10,000 active users. In these configurations, a database server that is dedicated to running the Apex database communicates with a Web server that optionally hosts other low-traffic Web applications. Note that Integrated Windows Authentication will not work in a two-server configuration. SQL Authentication or Basic Authentication must be used. (Basic Authentication uses the same Windows login\password as Integrated Windows Authentication.)Table 3. Two-Server Configurations for 500 to 10,000 Active Users
|Server 1, Dedicated Database Server||Microprocessor||P4+ Dual\Quad Core > 2Mhz||P4+ Dual\Quad Core > 2Mhz|
|RDMS||SQL Server 2012 Express||SQL Server 2012|
|OS||Windows 2003 Server||Windows 2008, 2012 Server|
|Hard Drive||IDE 2x40+ G||RAID SCSI/SAS 4x20+ G|
|Server 2, Web Server||Microprocessor||P4+ Dual\Quad Core > 2Mhz||P4+ Dual\Quad Core > 2Mhz|
|May be shared with low-traffic sites||OS||Windows 2003 Server||Windows 2008, 2012 Server|
|Hard Drive||IDE 2x40+ G||RAID SCSI/SAS 4x20+ G|
If your server already runs SQL Server 2012 then log on to your SQL Server as an administrator. Confirm that the collation on the server is set to the US default, SQL_Latin1_General_CP1_CI_AS. You can look up collation by looking at the general tab/node on the server's properties. If you see a different collation setting then you should install a separate SQL Server instance. Download the compressed database backup file...
Extract the file and use SQL Management Studio to restore it as a database named iHR. During the restore, you may want to change the locations of the mdf and ldf files. Also, the iHR database must have an owner. After restoring the database, set the owner by opening the database properties. Alternatively, run the script below.
If SQL Server 2012 is unavailable then log on to the server as an administrator. Download and run the self extracting executable...
The installer will open. Click Server Installation.
IMPORTANT! With the No SQL Server installation, append \IHR to the server's name when the system prompts you for the name of the database server. If your server were named MyServer then you would enter MyServer\IHR
For every user, log on to the workstation with the user's account. You do not need administrative permissions. Download and execute the file...
iHR can associate files like portraits, resumes, and MS Office documents with an employee. If you choose to take advantage of this feature then use Windows Explorer and/or Computer Management to create a network share that will hold the documents. Set appropriate security on the share, and enter the share's UNC path into the software.
To enter the UNC path, log on as an administrator and open the client. Click Company > Settings. Click the File Associations tab. Enter the UNC path. On that same tab, you can also edit the subfolders that will be created for each employee. Note that iHR does not automatically manage the security on any of those folders.
Before you configure security, decide whether users will use Windows Authentication or SQL Authentication. Windows is preferred because, after the initial setup, it allows you to use Active Directory to control accces. Unlike Windows Authentication, SQL Authentication requires that you create a new SQL login for each user. Note that Windows Authentication requires that all of the users are enrolled in the same domain as the computer that hosts the SQL Server. To set up typical security for Windows Authentication, read Section 5.1. To set up typical security for SQL Authentication, read Section 5.2. For additional security information refer to the help manual at http://iHRsoftware.com/ftp/help.doc.
Typical security setup for Windows Authentication requires that you create an AD group, join it to the db_owners role, confirm the permissions on the public role, and then associate Windows Accounts with Apex employee records. If you will install Instant Self Serve then you must also grant database access to the staff by clicking Company > Security and adding the Domain Users role.
Create an AD group that holds all of the users who need full access to the database. To create it, open Active Directory and create a group named something like "HR Admin" and join the necessary users. Then, in Apex, click Company > Security and open the security window. Click Add Windows User or Group. Enter the name of the AD group in the format domain\group. Save it. Then click the tab named Membership and click the checkbox named db_owner. Save your changes.
The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about himself. Now select "User Viewing Subordinates". These permissions define what a user can see about his subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)
For each user, associate his Windows Account with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the Windows Accounts by opening each person and entering their domain\account in the Security Account field on theirGeneral tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the Windows Accounts for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.
Typical security setup for SQL Authentication requires that you create a SQL login for each administrative user, join the logins to the db_owners role, confirm the permissions on the public role, create a SQL login for each user, and then associate the SQL logins with Apex employee records.
Click Company > Security. Click Add SQL Login. Enter the login and password. Click Save. If this login should have full permissions then click the tab named Membership and click the checkbox named db_owner. Save your changes and repeat these steps for each user.
The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about herself. Now select "User Viewing Subordinates". These permissions define what a user can see about her subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)
For each user, associate his login with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the logins by opening each person and entering their SQL login in the Security Account field on their General tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the SQL login for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.
If the server that you choose is not an SMTP server then the service will need to use a remote SMTP server. The remote SMTP server must grant relay permissions to your chosen\local server. Also, the e-mailer service cannot pass SMTP credentials. If authentication and relaying create problems then work around them by installing the SMTP service on your chosen server from your Windows Server CD-ROM.
In the connectionString element, decide whether to use Windows Authentication (recommended) or SQL Authentication. With Windows Authentication, database permissions will be determined by the Windows Account in which the service runs. Example connection strings are listed below. If you do not know the value of the Data Source attribute then open Apex Software and click Company > Reconnect to Database. Use the text in the Server textbox.
-- Connect to the local server on the default instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=.;Trusted_Connection=Yes;Database=iHR" />
-- Connect to the local server on the SQLExpress instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=.\SQLExpress;Trusted_Connection=Yes;Database=iHR" />
-- Connect to a remote server on the default instance. Use the SQL login "daemon" to log in.
<connectionString value="Data Source=Server1;Database=iHR;User ID=daemon;Password=colts2008" />
-- Connect to a remote server on the IHR instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=Server1\IHR;Trusted_Connection=Yes;Database=iHR" />
Connection errors are usually caused by one of the following problems.
- Wrong type of slash before the instance name (use Server1\iHR, do not use Server1/iHR)
- Using Windows Authentication to connect to a remote databaase when the task e-mailer service is running under a local account. To fix this problem, change the service's "run as" account to a domain account or use SQL authentication in the connection string. The domain account should have administrative database access (member of db_owner). The account needs read permissions on the local apexTaskEmailer.xml file.
- Running the service as LocalSystem (the default account) and using Windows Authentication to connect to a local SQL Server that is not set to run as LocalSystem. To fix this problem, check the account name that the MS SQL Server service is using. If the account is NOT named NetworkService then use that account to run the service. If it is named NetworkService then create a Windows account and assign it to the service as explained in step 3.
E-mail errors are usually caused by one of the following problems.
- Failing to grant relay permissions on the remote SMTP server.
- Setting a blank or invalid "send from" e-mail address in the Apex Software client (Company > Settings, Reminders tab).
Instant Self Serve is an Internet Information Services (IIS) Web application. To install it, open IIS manager. Decide whether Instant Self Serve will be (1) the default Website, (2) an application within the default Website, or (3) a new Website.
Download and run the Instant Self Serve self-extracting executable. When prompted, verify that the target folder matches the IIS folder from the previously completed steps.Decide whether you will use SQL Authentication or Windows Authentication. Windows Authentication allows users to use their Windows login and password to log into the site, but it requires that all users have Windows AD accounts.
Verify that basic authentication is an option by clicking the site. Click the authentication icon. If basic authentication is not an option then go to Server Manager > Roles > Web Server > Add Role Services. In the role services treeview, add Internet Information Services > World Wide Web Services > Security > Basic Authentication.Delete the web.config file and rename web.windowsAuthenticationHttp.config to web.config . Verify that site authentication is set to basic by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for basic. Right-click basic and click edit. Enter your AD domain (the domain prefix in domain\username).
Verify that basic authentication is an option by clicking the site. Click the authentication icon. If basic authentication is not an option then go to Server Manager > Roles > Web Server > Add Role Services. In the role services treeview, add Internet Information Services > World Wide Web Services > Security > Basic Authentication.Delete the web.config file and rename web.windowsAuthenticationHttps.config to web.config . Verify that site authentication is set to basic by clicking the site. Click the authentication icon. Verify that every authentication option is disabled except for basic. Right-click basic and click edit. Enter your AD domain (the domain prefix in domain\username).
Change the configuration file to point the application to your database and e-mail server. Open web.config in notepad. Confirm the ConnectionString setting. By default, it points to the IHR instance on the local server. Change the SMTPServer setting to point to your e-mail server. If your e-mail server is local then insure that the Web server has permission to relay through your e-mail server. (In Exchange, that access is controlled by a receive connector.) If your e-mail server is remote then add your public IP address to your host's list of authorized servers. (In Gmail, that access is controlled by the Authorized Servers list in main Gmail settings.) Scroll through the rest of the elements in appSettings and change them to meet your needs.After you install ISS, insure that you followed Section 5 so that users can access their ISS accounts.
Setup.exe is designed to be a no-hassle installer for a typical single-user installation. It wraps Apex Business Software, Apex Setup and Database Restoring Utility, and Microsft SQL Server Express 2012. After the user selects the type of installation, setup may download .NET framework 4.0.