Prepare Windows Server
for Identity Maestro
Identity Maestro is a simpler way for busy network and IT administrators to delegate user identity management and privileged access management tasks to front line staff using a powerful web portal tool. This guide provides details about preparing a Windows server for hosting an Identity Maestro server installation.
Issued January 2018
Contents
Welcome to this guide
Host Server Minimum Requirements
SSL Options
Firewall Settings
Prepare Connection Service Accounts
    Active Directory
    Azure AD / Office 365
    eDirectory
Prepare Windows 2016 / 2012 Server to Host Identity Maestro
    Add Server Roles and Features
Prepare Windows 2008 Server to Host Identity Maestro
    Add Server Roles and Features
Prior to Installing Identity Maestro
    If Exchange 2013 CU 15+ is a Target System
    If Office 365 is a Target System
    If eDirectory 8.8 or 9 is a Target System
    Other Target Systems
Welcome to this guide
This guide provides the information necessary to prepare the Windows server that will host Identity Maestro, and to prepare the target systems that Identity Maestro will connect with.
Host Server Minimum Requirements
The Windows server that will host an Identity Maestro installation must meet the following system requirements.
Operating System: Windows 2016, 2012 R2, 2012, or 2008 R2 (x64 only), Standard, Enterprise or Data Center editions. The OS must be activated.
Disk space: Minimum of 1 GB above OS requirements; 10+ GB recommended. Installation on a non-system drive is recommended.
Memory: 2+ GB above OS requirements. If performing large bulk-import-from-CSV actions (500+ user records per bulk action), 4 GB+ above OS requirements is recommended.
Processor: Intel or compatible (x64); 2 cores or more recommended.
Active Directory: Joined to the primary AD domain that will host the required service connection user accounts and groups.
.NET Framework: Minimum .NET 4.5 or higher installed. .NET 4.6.1+ is required if connecting to on-premises Exchange 2013 CU14+.
Windows Management Framework: 4.0 (already installed by default with Windows 2012 and 2016).
Windows Services: Windows Management Instrumentation (enabled). This service should be installed on any Windows server that is hosting user home folders, to allow Identity Maestro to create user home folders when creating AD user accounts.
Office 365 Support: If Identity Maestro will connect to Office 365 to manage user mailboxes, install the MSOnline support applications included in the download ZIP file.
eDirectory Support: If Identity Maestro will connect to an eDirectory tree, install the Micro Focus (Novell) eDirectory client for Windows 2.x with the latest updates.
SSL Options
The Windows host server and the IIS websites hosted on that server need to be protected by SSL certificates. Two options include:
□ Ensure that domain controllers have been issued with certificates issued by an Enterprise Certificate Authority.
OR
□ Ensure that SSL certificate(s) obtained from trusted public certificate authorities are applied to the IIS default website hosted on the Identity Maestro server.
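The following script is an added example and not part of the Identity Maestro guide. It checks both options above from the host server's point of view: it connects to each domain controller's LDAPS port and reports the certificate presented (and whether this host trusts its chain), and it checks that the IIS default website has an https binding backed by a valid certificate in the machine store. It assumes the server is domain joined, IIS is installed (which provides the WebAdministration module), and the site keeps the default name "Default Web Site".

```powershell
# Added example (not from the Identity Maestro guide): verify the two SSL options.
# Assumptions: domain-joined host, WebAdministration module present, default site name.
Import-Module WebAdministration

function Get-LdapsCertificate {
    # Opens a TLS session to a domain controller's LDAPS port and returns the
    # certificate it presents. The validation callback returns $true only so the
    # certificate can be retrieved; chain trust is evaluated separately with Verify().
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

# Option 1: every domain controller answers LDAPS with a certificate this host trusts
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
foreach ($dc in $domain.DomainControllers) {
    try {
        $cert = Get-LdapsCertificate -Server $dc.Name
        [pscustomobject]@{
            DomainController = $dc.Name
            Issuer           = $cert.Issuer
            Expires          = $cert.NotAfter
            TrustedChain     = $cert.Verify()   # $false when the issuing CA is not trusted here
        }
    }
    catch {
        # No LDAPS listener or handshake failure: no certificate has been issued, or 636 is blocked
        [pscustomobject]@{ DomainController = $dc.Name; Issuer = $null; Expires = $null; TrustedChain = $false }
    }
}

# Option 2: the IIS default website has an https binding whose certificate is in the
# machine store, has a private key, has not expired, and chains to a trusted CA
$siteName = 'Default Web Site'
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    Write-Warning "'$siteName' has no https binding"
}
else {
    foreach ($binding in (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
        [pscustomobject]@{
            Binding       = "$($binding.IPAddress):$($binding.Port)"
            Thumbprint    = $binding.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = [bool]$cert.HasPrivateKey
            Expires       = $cert.NotAfter
            TrustedChain  = if ($cert) { $cert.Verify() } else { $false }
        }
    }
}
```

A row with TrustedChain set to $false for a domain controller usually means the issuing Enterprise CA's root certificate is not in this server's Trusted Root store; a missing row in the IIS section means no certificate has been bound to the default website yet.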
Firewall Settings
Internal firewall settings need to be configured to permit standard TCP and UDP ports between the Windows server hosting Identity Maestro and the servers and web applications that will be managed. Identity Maestro will be configured with connectors that use various web-enabled services and protocols to facilitate remote access and management. Here is a typical list:

Port                             Protocol or Purpose
389 (tcp/udp), 636 (tcp/udp)     AD LDAP connection insecure/secure
3268 (tcp), 3269 (tcp)           LDAP GC, LDAP GC SSL
88 (tcp/udp)                     Kerberos
53 (tcp/udp)                     DNS resolution
137, 138 (udp), 139, 445 (tcp)   NetBIOS Browser
123 (tcp/udp)                    W32Time
80, 443 (tcp)                    Standard web applications & Exchange connection insecure/secure
7190 (tcp)                       Identity Maestro connection agent port
135 (tcp)                        RPC + WMI connections for home folders
4000, 4002 (tcp)                 Workflow Center website, Azure AD Remote Agent website
1025 – 5000 (tcp)                RPC dynamic
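The script below is an added example, not part of the Identity Maestro guide. It checks TCP reachability from the Identity Maestro host to the systems it will manage using the port list above, and then creates inbound rules on the host for the three ports that other systems must reach (7190, 4000, 4002), limited to the Domain profile and to one management subnet. The host names and the subnet are constructed placeholders; Test-NetConnection requires Windows 2012 R2 or later, and UDP entries from the table cannot be probed this way and are left to the firewall rule review.

```powershell
# Added example (not from the Identity Maestro guide): outbound reachability check plus
# scoped inbound rules. Host names and the management subnet are constructed placeholders.
#Requires -RunAsAdministrator

# Constructed inventory: which target should answer on which TCP ports from the table.
# UDP ports (389, 88, 53, 123, 137, 138) cannot be tested with Test-NetConnection.
$targets = @(
    @{ Host = 'dc01.corp.example';    Ports = 389, 636, 3268, 3269, 88, 53, 139, 445, 135 }
    @{ Host = 'files01.corp.example'; Ports = 139, 445, 135 }   # home-folder server: RPC + WMI
    @{ Host = 'exch01.corp.example';  Ports = 80, 443 }         # on-premises Exchange / web apps
)

function Test-TargetPorts {
    # Returns one row per host/port with the result of a TCP connect attempt
    param([Parameter(Mandatory)][hashtable[]]$Targets)
    foreach ($t in $Targets) {
        foreach ($port in $t.Ports) {
            $r = Test-NetConnection -ComputerName $t.Host -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $t.Host; Port = $port; TcpOpen = $r.TcpTestSucceeded }
        }
    }
}

$results = Test-TargetPorts -Targets $targets
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.TcpOpen } |
    ForEach-Object { Write-Warning "$($_.Target):$($_.Port) is not reachable from this host" }

# Inbound rules for the ports this host listens on, from the table above. Restricting
# RemoteAddress keeps the agent and the two websites reachable only from where they are needed.
$managementSubnet = '10.0.10.0/24'   # constructed placeholder
$inbound = @(
    @{ Name = 'Identity Maestro connection agent';             Port = 7190 }
    @{ Name = 'Identity Maestro Workflow Center website';      Port = 4000 }
    @{ Name = 'Identity Maestro Azure AD Remote Agent website'; Port = 4002 }
)
foreach ($rule in $inbound) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -RemoteAddress $managementSubnet -Profile Domain -Action Allow | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'Identity Maestro*' | Format-Table DisplayName, Enabled, Profile, Action
```

The reachability check only shows that a TCP handshake completes; a port that is open but served by a different host (for example a load balancer) still needs the application-level test that the connector itself performs.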
Prepare Connection Service Accounts
Each target system needs a service user account that will be used to provide privileged access to the target system. Prepare what is required for your environment.
Active Directory
Prepare an AD user account to use as a connection user service account for Identity
Maestro. This account will provide protected full administrative access to Active Directory.
□ Create a user in the “\Users” folder in AD: Typical name could be imconnect.
□ Add to the Domain Administrators group.
□ (If required) Add to the Enterprise Administrators and Organization
Management groups (required for managing Exchange On-Premise).
□ Set the account password to never expire.
If corporate security policy requires scheduled password changes, ensure that you
schedule a task to manually reset the password before it expires in AD. There is a
procedure that needs to be followed to reset the password in the various connection
end-points in Identity Maestro.
□ Ensure that the account is not affected by GPOs that will modify password
expiration.
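The following script is an added example and is not from the Identity Maestro guide. It creates the Active Directory connection account as described in the checklist above and then reports the settings the checklist asks you to confirm: the never-expires flag, group membership, and whether a fine-grained password policy applies to the account on top of the domain default. It assumes the ActiveDirectory module (RSAT) is available and the script runs as a domain administrator; the account name imconnect is the one the guide suggests.

```powershell
# Added example (not from the Identity Maestro guide): create and verify the AD
# connection service account. Assumes the ActiveDirectory module and domain admin rights.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$sam    = 'imconnect'            # account name suggested by the guide
$domain = Get-ADDomain
$manageExchangeOnPrem = $false   # set to $true when Exchange On-Premise is a target system

# The password is read interactively so it never appears in the script or in command history
$password = Read-Host -Prompt "Password for $sam" -AsSecureString

if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    # $domain.UsersContainer is the "\Users" container (CN=Users,DC=...)
    New-ADUser -Name $sam -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" `
        -Path $domain.UsersContainer `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true `
        -Description 'Identity Maestro connection service account'
}

Add-ADGroupMember -Identity 'Domain Admins' -Members $sam
if ($manageExchangeOnPrem) {
    # Enterprise Admins exists only in the forest root domain; Organization Management
    # is created by the Exchange installation
    Add-ADGroupMember -Identity 'Enterprise Admins' -Members $sam
    Add-ADGroupMember -Identity 'Organization Management' -Members $sam
}

# Verification: the flag the checklist requires, the groups, and the password policy
# that actually applies (a PSO wins over the domain default when one is assigned)
$user = Get-ADUser $sam -Properties PasswordNeverExpires, MemberOf, PasswordLastSet
$pso  = Get-ADUserResultantPasswordPolicy -Identity $sam
[pscustomobject]@{
    Account              = $user.SamAccountName
    Enabled              = $user.Enabled
    PasswordNeverExpires = $user.PasswordNeverExpires
    PasswordLastSet      = $user.PasswordLastSet
    Groups               = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    FineGrainedPolicy    = if ($pso) { $pso.Name } else { 'none (domain default applies)' }
    DomainMaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
}
```

If FineGrainedPolicy shows a PSO name, that policy is what would govern the account once the never-expires flag were cleared, so it is the one to review against the corporate password-change requirement described above.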
Azure AD / Office 365
Prepare an Office 365 user account to use as a connection user service account for Identity Maestro.
□ Create an Office 365 user account (that is not synced by Azure AD Connect) called imconnect.
□ This account must be assigned the Global Administrator role in Office 365.
□ This account does not need to be licensed for any SKUs or service plans.
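The script below is an added example, not part of the Identity Maestro guide. It creates the Office 365 connection account as a cloud-only user, assigns the Global Administrator role, and then verifies the three checklist items above (cloud-only, Global Administrator, not licensed). It assumes the MSOnline PowerShell module is installed (see "If Office 365 is a Target System" later in this guide) and that you sign in as an existing Global Administrator; the tenant name is a constructed placeholder. In the MSOnline module the Global Administrator role is named "Company Administrator".

```powershell
# Added example (not from the Identity Maestro guide): create and verify the Office 365
# connection account with the MSOnline module. The tenant name is a constructed placeholder.
Import-Module MSOnline
Connect-MsolService          # interactive sign-in as an existing Global Administrator

$upn = 'imconnect@contoso.onmicrosoft.com'

if (-not (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue)) {
    # New-MsolUser takes the password as a plain string; it is read as a SecureString
    # and decoded only for the duration of the call
    $secure = Read-Host -Prompt "Initial password for $upn" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        New-MsolUser -UserPrincipalName $upn -DisplayName 'Identity Maestro connection' `
            -Password $plain -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

# "Company Administrator" is the MSOnline name of the Global Administrator role
$role = Get-MsolRole -RoleName 'Company Administrator'
function Test-IsRoleMember {
    param([string]$RoleObjectId, [string]$UserPrincipalName)
    [bool](Get-MsolRoleMember -RoleObjectId $RoleObjectId |
        Where-Object { $_.EmailAddress -eq $UserPrincipalName })
}
if (-not (Test-IsRoleMember -RoleObjectId $role.ObjectId -UserPrincipalName $upn)) {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
}

# Verification of the three checklist items
$user = Get-MsolUser -UserPrincipalName $upn
[pscustomobject]@{
    UserPrincipalName    = $user.UserPrincipalName
    # A directory-synced account has LastDirSyncTime and ImmutableId populated
    CloudOnly            = ($null -eq $user.LastDirSyncTime -and [string]::IsNullOrEmpty($user.ImmutableId))
    GlobalAdministrator  = Test-IsRoleMember -RoleObjectId $role.ObjectId -UserPrincipalName $upn
    Licensed             = $user.IsLicensed
    PasswordNeverExpires = $user.PasswordNeverExpires
}
```

The expected result is CloudOnly and GlobalAdministrator both True and Licensed False; a True under Licensed means a SKU was assigned by a group-based licensing rule or by hand and can be removed, since the connection account does not use any service plan.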
eDirectory
Prepare an eDirectory user account to use as a connection user service account for
Identity Maestro. This account will provide protected full administrative access to
eDirectory.
□ Create an eDirectory user. Typical name could be imconnect.
□ Assign Administrative rights to the root of the eDirectory tree.
□ Set the account password to never expire.
If corporate security policy requires scheduled password changes, ensure that you
schedule a task to manually reset the password before it expires in eDirectory. There
is a procedure that needs to be followed to reset the password in the various
connection end-points in Identity Maestro.
Prepare Windows 2016 / 2012 Server to Host Identity Maestro
Here are the steps to prepare a Windows 2016 or 2012 server to host Identity Maestro.
Add Server Roles and Features
1. In Server Manager, select Manage > Add Roles and Features.
2. In the “Before you begin” page, select Next >.
3. In the “Select installation type” page, select Role-based or feature-based installation and
select Next >.
4. In the “Select destination server” page, select Select a server from the server pool option,
select the target server in the Server Pool list, and select Next >.
5. In the “Select server role” page, ensure that Storage Services is already selected.
6. Select Web Service (IIS) and in the “Add features that are required for Web Server (IIS)”
window, select Add Features.
7. Select Next >.
8. In the “Select features” window, expand .NET Framework 4.5 Features (2 of 7 installed) and ensure that ASP.NET 4.5 and, under WCF Services, every item except Message Queuing (MSMQ) Activation are checked. If a popup window opens, accept the changes.
9. Under Windows PowerShell (2 of 5 installed), ensure that Windows PowerShell 4.0 (Installed) and Windows PowerShell ISE (Installed) are both checked (usually the default).
10. Select Next >.
11. On the “Web Server Role (IIS)” page, select Next >.
12. On the “Role Services” page, under Common HTTP Features, uncheck Directory
Browsing.
13. Scroll down to Security and ensure that Basic Authentication and Windows
Authentication are checked.
14. Scroll down to Application Development and ensure that .NET Extensibility 4.6, ASP.NET 4.6, ISAPI Extensions, and ISAPI Filters are checked.
15. Scroll down to Management Tools and ensure that IIS Management Console, IIS 6 Metabase Compatibility, IIS 6 Management Console, and IIS 6 WMI Compatibility are checked.
16. Select Next >.
17. On the “Confirm installation selections” window, select Install.
18. Wait until the installation is finished and then close Server Manager if it is not required.
Prepare Windows 2008 Server to Host Identity Maestro
Here are the steps to prepare a Windows 2008 server to host Identity Maestro.
Add Server Roles and Features
1. In Server Manager, select Roles > Add Roles.
2. In the “Before you begin” page, select Next >.
3. In the “Select Server Roles” page, select Application Server. In the “Add features required” page, select Add Required Features.
4. Select File Services and Web Server (IIS), and select Next >.
5. In the “Application Server” page, select Next >.
6. In the “Select Role Services” page, ensure that .NET Framework 3.5.1 is checked. Select
TCP Port Sharing, HTTP Activation, TCP Activation, and Named Pipes Activation, and
click Next >.
7. In the “Web Server (IIS)” page, click Next >.
8. In the “Select Role Services” page, uncheck Directory Browsing.
9. Check ASP.NET, ISAPI Extensions and ISAPI Filters.
10. Scroll down.
11. Under Security, select Basic Authentication and Windows Authentication.
12. Under Management Tools, select IIS Management Console, IIS Management Scripts
and Tools, IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility.
13. Select Next >.
14. In the “File Services” page, select Next >.
15. In the “Select Role Services” page, select Next >.
16. In the “Confirm installation selections” window, select Install.
17. Wait until the installation is finished and then close the “Installation Results” page and the
Server Manager if it is not required.
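As an added example that is not part of the Identity Maestro guide, the script below performs both procedures above (Windows 2016 / 2012 and Windows 2008 R2) with the ServerManager cmdlets instead of the Add Roles and Features wizard, removes Directory Browsing as steps 12 and 8 require, and then reports anything still missing. The feature names are the ones Get-WindowsFeature displays on each OS version; if a name is rejected on your build, run Get-WindowsFeature and correct the list before re-running. Add-WindowsFeature and Remove-WindowsFeature are the Windows 2008 R2 cmdlets and remain available as aliases on 2012 and 2016.

```powershell
# Added example (not from the Identity Maestro guide): install the roles and features from
# the two procedures above and verify the result. Feature names are as shown by
# Get-WindowsFeature on each OS; run it first if any name is rejected on your build.
#Requires -RunAsAdministrator
Import-Module ServerManager

$os = [System.Environment]::OSVersion.Version
$isLegacy = ($os.Major -eq 6 -and $os.Minor -eq 1)   # 6.1 = Windows Server 2008 R2

if ($isLegacy) {
    # Windows 2008 R2: Application Server with .NET 3.5.1 and the activation services
    # (steps 3 to 6), File Services, and the IIS role services from steps 9 to 12
    $features = @(
        'Application-Server', 'AS-NET-Framework', 'AS-TCP-Port-Sharing',
        'AS-HTTP-Activation', 'AS-TCP-Activation', 'AS-Named-Pipes',
        'File-Services', 'FS-FileServer',
        'Web-Server', 'Web-Asp-Net', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
        'Web-Basic-Auth', 'Web-Windows-Auth',
        'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Metabase', 'Web-WMI'
    )
}
else {
    # Windows 2012 / 2016: .NET 4.5 features with every WCF activation except MSMQ (step 8),
    # PowerShell and ISE (step 9), Storage Services (step 5), and the IIS role services
    # from steps 13 to 15
    $features = @(
        'NET-Framework-45-ASPNET',
        'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-Activation45',
        'NET-WCF-Pipe-Activation45', 'NET-WCF-TCP-PortSharing45',
        'PowerShell', 'PowerShell-ISE', 'Storage-Services',
        'Web-Server', 'Web-Basic-Auth', 'Web-Windows-Auth',
        'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
        'Web-Mgmt-Console', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console', 'Web-WMI'
    )
}

$result = Add-WindowsFeature -Name $features

# Both procedures uncheck Directory Browsing, and the 2012/2016 procedure leaves
# MSMQ Activation unchecked; remove them if a default selection pulled them in
$unwanted = @('Web-Dir-Browsing')
if (-not $isLegacy) { $unwanted += 'NET-WCF-MSMQ-Activation45' }
foreach ($name in $unwanted) {
    $f = Get-WindowsFeature -Name $name
    if ($f -and $f.Installed) { Remove-WindowsFeature -Name $name | Out-Null }
}

# Verification: report anything from the list that is still not installed
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Not installed: ' + ($missing.Name -join ', '))
}
else {
    'All required roles and features are installed.'
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before installing Identity Maestro.'
}
```

On Windows 2016 the IIS role services appear in Server Manager as ".NET Extensibility 4.6" and "ASP.NET 4.6", but their feature names remain Web-Net-Ext45 and Web-Asp-Net45, which is why the same list serves 2012 and 2016.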
Prior to Installing Identity Maestro
Different target systems need additional components to be installed.
If Exchange 2013 CU 15+ is a Target System
You must upgrade .NET to 4.6.1+. You must also configure Exchange to support remote PowerShell. Refer to Reenable Remote Powershell Support after upgrading Exchange 2013 from CU14 to CU15+.
If Office 365 is a Target System
1. Download the Identity Maestro installation ZIP file (servicecontrol-latest.zip) and extract it to the server.
2. Expand the \MSOnline\1.0.8262.2\ folder.
3. Using elevated permissions, install:
a. msoidcli_64.msi
b. AdministrationConfig-en.msi
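The script below is an added example and is not from the Identity Maestro guide. It covers the two preparation items above: it reads the installed .NET Framework 4.x release from the registry and reports whether it meets the 4.6.1+ requirement for Exchange 2013 CU 15+, and it installs the two MSOnline packages silently with a verbose log and checks that the MSOnline PowerShell module is available afterwards. The MSI file names and the MSOnline folder are those listed in the guide; the extraction folder is a constructed placeholder. The Release values used for the comparison (378389 for 4.5, 394254 for 4.6.1) are Microsoft's documented minimum values.

```powershell
# Added example (not from the Identity Maestro guide): .NET 4.6.1 check and silent
# installation of the MSOnline support packages. Extraction folder is a constructed placeholder.
#Requires -RunAsAdministrator

function Get-NetFrameworkRelease {
    # The Release value under NDP\v4\Full identifies the installed 4.x version.
    # Returns $null when no .NET 4.x is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

$release = Get-NetFrameworkRelease
if (-not $release -or $release -lt 378389) {
    Write-Warning '.NET Framework 4.5 or later is not installed'
}
elseif ($release -lt 394254) {
    Write-Warning ".NET Framework release $release is below 4.6.1; upgrade before targeting Exchange 2013 CU 15+"
}
else {
    ".NET Framework release $release satisfies the 4.6.1+ requirement"
}

function Install-MsiPackage {
    # Installs one MSI silently, writes a verbose log beside it, and returns the exit code.
    # 0 = success; 3010 = success with a restart pending. Anything else is raised as an error.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Package not found: $Path" }
    $log = [System.IO.Path]::ChangeExtension($Path, '.log')
    $msiArgs = '/i', "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$log`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "msiexec returned $($p.ExitCode) for $Path; see $log"
    }
    $p.ExitCode
}

$extractRoot = 'C:\Install\servicecontrol-latest'   # constructed placeholder
$msoFolder   = Join-Path $extractRoot 'MSOnline\1.0.8262.2'
$restart = $false
foreach ($msi in 'msoidcli_64.msi', 'AdministrationConfig-en.msi') {
    $code = Install-MsiPackage -Path (Join-Path $msoFolder $msi)
    "$msi installed (exit code $code)"
    if ($code -eq 3010) { $restart = $true }
}

# AdministrationConfig-en.msi provides the MSOnline PowerShell module used for Office 365
if (Get-Module -ListAvailable -Name MSOnline) {
    'MSOnline module is available'
}
else {
    Write-Warning 'MSOnline module was not found after installation; check the msiexec logs'
}
if ($restart) { Write-Warning 'A restart is pending before Identity Maestro is installed.' }
```

Keeping the msiexec logs next to the packages gives a record of exactly which versions were installed on the host, which is useful when the connection to Office 365 later needs troubleshooting.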
If eDirectory 8.8 or 9 is a Target System
Install the latest Micro Focus (Novell) eDirectory client for Windows 2012 R2.
Other Target Systems
Contact Identity Maestro support for assistance.
Proprietary and Confidential Information of Amdocs
Identity Maestro has offices, development and support centers
worldwide, including sites in:
Headquarters
103, 10301 – 109 Street
Edmonton, Alberta T5J 1N4
Canada
Email: [email protected]
Twitter: @IdentityMeastro
Phone: +1 408.675.5020
Fax: +1 780.423.4711
Regional Offices
Identity Maestro Europe
Kreitstrasse 5 86926
Greifenberg/Munich
Germany
Phone: +49.8192.99733.25
emea@Identity Maestro.com
Identity Maestro USA
440 North Wolfe Road
Sunnyvale, CA 94085
USA
Phone: +1 408.675.5020
For the most up-to-date contact information for all Identity Maestro offices
worldwide, please visit our website at www.identitymaestro.com/contact