installation guide user guide...variable information appears in italic type. this includes...

Fusion UDM Installation Guide of 82

Installation Guide User Guide

Fusion UDM Premium and Professional Manage and maintain your IT environment


Table of Contents

INFORMATION ....................................................................................................................................................... 4

COPYRIGHTS .......................................................................................................................................................... 4

DOCUMENT REVISION INFORMATION ......................................................................................................................... 4

ABOUT THIS GUIDE AND WHO SHOULD USE IT ..................................................................................................... 5

TYPOGRAPHICAL CONVENTIONS................................................................................................................................. 5

INTRODUCTION ...................................................................................................................................................... 6

ARCHITECTURE....................................................................................................................................................... 7

SYSTEM REQUIREMENTS AND SERVER SIZING ...................................................................................................... 8

COMPATIBILITY ...................................................................................................................................................... 9

INSTALLATION PREREQUISITES CHECKLIST .......................................................................................................... 10

FOR FUSION UDM SERVER INSTALLATION ................................................................................................................. 10

FOR FUSION UDM ENDPOINT DEVICE INSTALLATION .................................................................................................. 10

FOR FUSION ANDROID MDM (MOBILE DEVICE MANAGEMENT) ................................................................................... 11

PORT AND SERVICE REQUIREMENTS ......................................................................................................................... 12

INSTALLATION OF FUSION UDM .......................................................................................................................... 15

STEP 1: SERVER COMPONENTS INSTALL ................................................................................................................... 15

STEP 2: MS SQL SERVER CONFIGURATION .............................................................................................................. 17

STEP 3 - SINGLE SERVER INSTALLATION .................................................................................................................... 19

DISTRIBUTED SERVER INSTALLATION ......................................................................................................................... 26

HA/FAILOVER/CLUSTERING SERVER INSTALLATION ..................................................................................................... 29

INSTALLATION OF FUSION UDM AGENT .............................................................................................................. 33

MANUAL INSTALLATION OF THE FUSION .................................................................................................................... 33

DEPLOYING AGENT FROM WITHIN FUSION UDM SERVER ............................................................................................. 35

DOMAIN GROUP POLICY TO INSTALL FUSION UDM AGENT ........................................................................................... 37

FUSION MDM SETUP AND CONFIGURATION ....................................................................................................... 40

DOMAIN IDENTITY ................................................................................................................................................ 40

CONFIGURING ENTERPRISE SERVICE ACCOUNT (ESA) .................................................................................................. 42


MOBILE DEVICE MANAGEMENT CONFIGURATION ....................................................................................................... 54

UPGRADING FUSION UDM SERVER AND AGENT ................................................................................................. 63

FUSION UDM SERVER SOFTWARE ............................................................................................................................ 63

UPGRADING THE FUSION AGENT SOFTWARE .............................................................................................................. 64

SSL CERTIFICATE CREATION AND INSTALLATION ................................................................................................. 65

CREATE SELF-SIGNED SSL CERTIFICATE USING OPENSSL ............................................................................................... 65

PROCEDURE TO INSTALL SSL CERTIFICATE .................................................................................................................. 67

NETWORK LOAD BALANCING WINDOWS 2012/R2 ............................................................................................. 70

DISCLAIMER ......................................................................................................................................................... 82


Information

This document is a user guide and has been written by VXL Technology/Software. The information within this

guide is correct at the time this guide was authored, using the version of software available at that time. You

may find that there are instances within this guide that vary with the actual version of software you are

evaluating or using. We apologize for this and request that you check the VXL website at http://www.vxl.net

to see if there are any later revisions or addendums available for download.

Every effort has been made to make this guide as complete and as accurate as possible, but no warranty of

fitness is implied. The authors and the publisher shall have neither responsibility nor liability to any person or

entity with respect to loss or damages arising from the use of information contained in this guide.

Copyrights

This guide and its contents are the copyright of VXL Instruments Limited. ©2016 All rights reserved.

Information in this document is subject to change without prior notice and does not represent a commitment

on the part of the manufacturer. No part of this guide may be reproduced or transmitted in any form or

means, electronic or mechanical, including photocopying and recording, for any purpose, without the express

written permission of the manufacturer.

The VXL Logo, Fusion UDM, Fusion UDM Logo, VXL Software logo are all trademarks and registered

trademarks of VXL Instruments Ltd. All other logos and names are the trademarks and registered trademarks

of the respective owners.

Document Revision Information

Date of release Version number Information

7/6/2016 V6.0x Release of master template

28/7/2016 V7.0x Android add-ons

http://www.vxl.net/


About this guide and who should use it

Explain here about the guide, its purpose and who should be using this guide – end users, system

administrators etc.

This guide assumes that you have sufficient knowledge of the installation methods used by the operating

system the software is installed on. Should you have any doubt on installing the software you should contact

your partner or VXL for further assistance.

Typographical Conventions

This document uses the following typographical conventions:

Command and option names appear in bold type in definitions and examples. The names of directories, files, machines, partitions, and volumes also appear in bold.

Variable information appears in italic type. This includes user-supplied information on command lines.

Screen output and code samples appear in monospace type.

In addition, the following symbols appear in command syntax definitions.

Square brackets [ ] surround optional items.

Angle brackets < > surround user-supplied values.

Percentage sign % represents the regular command shell prompt.

Pipe symbol | separates mutually exclusive values for an argument.


Introduction

This installation guide has been written with the aim of guiding you through the steps of correctly setting up

and installing the Fusion UDM software suite. The guide describes the different steps, along with illustrations

to help you install Fusion UDM within your IT environment.

The architecture and deployment scenarios provided within the guide is an example and you should ensure that

you plan the database server construction so that responses from the server are as fast as possible. We have

included a ‘System requirements and server sizing’ section within the guide, should you need to understand the

best setup you require. The term used ‘Endpoint’ generally refers to the physical devices you intend to manage

within your IT environment.

There are two other guides which accompany the installation guide and are available as part of the Fusion

UDM downloadable suite;

Quick start-up guide - gives you basic understanding of using Fusion UDM core features for the first

time

Administrator guide - gives you a full in-depth understanding of all Fusion UDMs feature set

Administrator guide is also available online within Fusion UDM software, to access this

Within Fusion’s main device manager screen

Select the toolbar > Help

For more technical supported knowledgebase, FAQ’S and video tutorials please http://www.vxl.net/support

http://www.vxl.net/support




Architecture

Fusion UDM software is based on multi-tier Service oriented architecture (SOA) consisting of Smart client agent,

SOAP based messaging framework and web services based middleware.

The core application framework is based on web services architecture using SOAP over HTTP(S) protocol, thus

inherits & exhibits the robustness, reliability, scalability, security & high availability features over LAN and WAN

networks.

The software can connect over Wireless (VSAT, GPRS, CDMA, and 3G) & wired networks (Dial up, Broadband &

Leased line).

The solution consists of following elements:

Fusion UDM middleware software (IIS, MS SQL)

Fusion UDM administrator GUI software (IIS)

Fusion UDM Agent software

Windows XP / 7 / 8 / 10 / Embedded Versions GNU Linux / Gio Linux v6

Apple iOS / Google Android / Windows Phone/10

Fusion UDM supports the following deployment scenarios:

Installation on a single server

Installation on distributed servers or multitier


System Requirements and Server Sizing

The following is the recommended server set-up for POC/Testing and for a Live production environment for

hosting a Fusion UDM installation;

POC / Testing

All Management suite services hosted on one server

OS options: Microsoft 2008 R2 and above

CPU: Intel Xeon Dual Core or Intel i7 Quad Core 64-bit processor RAM: 4 GB

HDD Sizing: 4 GB of free disk space on 7.2K RPM or faster drives or arrays

Database: Microsoft SQL Express, Microsoft SQL

Up to

1000 endpoint devices

Single Server

All Management Suite Services Hosted on One Server

OS options: Microsoft 2008 R2 and above

CPU: Intel Xeon Dual Core or Intel i7 Quad Core 64-bit processor RAM: 6 GB min

Architecture: Central system, no high availability

Average system utilisation <70%

Network Adapter: Gigabit Network adapter

HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays Database: Microsoft SQL Express, Microsoft SQL

Up to

2000 endpoint devices

Single Server

All Management Suite Services Hosted on One Server

CPU: Intel Xeon Quad Core 64-bit processor

RAM: 8 GB min

Architecture: Central system, no high availability

Average system utilisation <70%


HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays

Database: Microsoft SQL Express, Microsoft SQL

Up to

6000 endpoints devices

Single Server

Server 1 – The IIS Server

CPU: Intel Xeon Quad Core 64-bit processors

RAM: 16GB Min


HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays Server 2 - The Database Server

CPU: Dual Intel Xeon Quad Core 64-bit processor

RAM: 32 GB Min


HDD Sizing: 500 GB of free disk space on 7.2K RPM or faster drives or arrays Database: Microsoft SQL Full

Up to 6000+ endpoint

devices

For larger environments than those listed, please refer to server sizing

documentation or speak to your VXL representative


Compatibility Fusion UDM has been strenuously tested on various different platforms and environments.

Software Type Compatibility detail

Server OS Microsoft Windows 2008 R2 64 bit all (GUI editions) Microsoft Windows Server 2012 / R2 64bit all (GUI editions) Citrix Xen Desktop, Microsoft Hyper V &VMware virtualized instances of any of the above

IIS Version IIS 7.5 for Windows Server 2008 R2;

IIS 8.0 for Windows Server 2012

.net runtime version

Microsoft .NET Framework 4.5 full version (4.5.50709.378389) and above

Microsoft .NET Framework 4.5.1 full version (4.5.50709.378389) and above

SQL Database: SQL Server 2008, 2012, 2014 and its express editions

SSL certificate OpenSSL compatible SSL certificate for HTTPS & FTPS communication.

Admin

console

Internet browser

Microsoft Internet Explorer version 9.0, 10.0 & 11.0 and Edge browser 12 and above Mozilla Firefox version 21 and above (for Windows, Linux & Android OS) Google Chrome version 28 and above (for Windows, Linux & Android OS) Apple Safari Browser 5.1.7 and above (for Windows, MAC OSX, iOS)

Endpoint

devices

Thin client devices

Microsoft XP Embedded

Microsoft WES 2009, Microsoft WES 7 and P (32, 64 Bit)

Microsoft WES8, Microsoft Windows 10 IoT Enterprise

VXLs own GIO6 Linux

Desktop/Laptop

devices

Microsoft Windows XP SP2

Microsoft 7 - Professional, Enterprise and Ultimate editions

Microsoft Windows 8 - Professional and Enterprise editions

Microsoft Windows 10 – Professional, Enterprise and Education editions

Citrix Xen Desktop, Microsoft Hyper V &VMware based virtualized instances of the

above.

Mobile or Tablet

Devices

All devices based upon the below, with ‘Google Play-store’ access

Android OS 5.0 (Lollipop)

Android OS 6.0 (Marshmallow)


Installation Prerequisites Checklist

For Fusion UDM Server Installation

The installation requires full ‘Administrator’ user login (local/domain) on the host/server operating sys-

tem to install the Fusion UDM server application, modules and other components needed.

IIS 7.5 or later with following server components included

IIS Management Console, IIS Management Scripts and Tools

IIS Management Service, Default Document, Directory Browsing, Static Content, HTTP Errors,

Static content, HTTP errors, Static content compression and Request filtering.

If IIS 8.0 is required, include the optional ASP.net 4.5 component as well.

For assistance on ‘Server components install’ please refer to this section within the guide

Microsoft .NET Framework 4.5 full version (For Windows 2008 R2) is required to be installed

Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=30653

Microsoft SQL 2008 and above including express editions

Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=42299

In addition to although not required we recommend adding the SQL Management tool, should

the SQL database require managing;

Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=8961;

For assistance on ‘MS SQL database configuration’ please refer to this section within the guide

Ports and Service requirements are needed to be adhered to. For assistance on ‘Port and service require-

ments’ please refer to this section within the guide.

For Fusion UDM Endpoint Device Installation

In order to install the Fusion UDM Agent software successfully, you will need to ensure that “Administra-

tor” user is enabled, or the “Run as Administrator” option is available when manually installing the soft-

ware onto endpoint devices

For Patch management (Fusion Premium) the Windows Update Agent (WUA) service needs to be running

on the Windows OS endpoint device for the patch management feature to operate.

https://www.microsoft.com/en-gb/download/details.aspx?id=30653













For Fusion Android MDM (Mobile Device Management)

The below prerequisites are required if administrators want to monitor, manage, audit, and secure corporate

data on Android mobile/tablet devices.

Firstly, you need to complete the process of “Google claimed customer Domain”

https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK

You need to create and configure customer enterprise service account (ESA) from Google developer

Console, as per instructions mentioned in Fusion UDM administrator’s user guide. Obtain the ESA ID,

generate the OAuth secret key (.json) file for web application and generate (.json) file for directory api

service account.

Create/claim EMM token using the Google admin console.

In case of bulk license management, Google apps subscription for concern customer is required.

https://play.google.com/work

In case of private apps deployment, a play store publisher account is required for concerned customer

domain. https://play.google.com/apps/publish

Android devices consisting of minimum OS version 5.0 / Lollipop onwards.

The devices should also consist of the following OEM pre-installed system packages for BYOD/work pro-

file support: android.software.managed_users, android.software.device_admin.

List of officially supported devices are available at https://www.android.com/work/

NOTE: For assistance configuring mobile device management please refer to the Administrator guide




https://play.google.com/apps/publish

https://play.google.com/apps/publish

https://www.android.com/work/

https://www.android.com/work/


Port and Service Requirements

In order for Fusion UDM to communicate from the server to endpoint and from the endpoint back to the server,

various ports are required to be opened on your firewall. During the install of Fusion UDM these exceptions are

added into the software firewall, but any ports may need to be open on the switch/VLANs to allow full

uninterrupted communication.

Ports quick chart reference Listed below are ALL the ports which Fusion UDM uses;

Source Destination Ports TCP/UDP

Direction (Uni

or Bi) Description

Agent Server 80 TCP BI HTTP communication

Agent Server 443 TCP BI HTTPS Communication

Agent Server 21 TCP Uni For Normal FTP(FTP)

Agent Server 990 TCP Uni For Secure FTP(FTPS)

Browser Server 9001 to

9020 TCP Uni

For VNC shadowing used by

browser

Agent Server 5500 TCP Uni For VNC (Used by FUDM Agent)

Agent Server 5901 TCP Uni For VNC (Used for connection)

Server Server 1433 TCP Uni For SQL Connection

Server Agent 139 TCP Uni Agentless discovery and

Remote installation (Push)

Server Agent 445 TCP Uni Agentless discovery and Remote installation (Push)

Server Agent 137 UDP Uni Agentless discovery and


Server Agent 138 UDP Uni Agentless discovery and


Server Agent 9000 TCP/UDP Uni For Discovery

Server Agent 7 UDP Uni For Wake On Lan (WOL)

Server Agent 9 UDP Uni For Wake On Lan (WOL)


Ports and Services explained HTTPS Port 443 - if you are doing a secure SSL installation of Fusion UDM server

HTTP Port 80 – if you are doing a none SSL installation of Fusion UDM server

For remote VNC Shadowing functionality using HTML5;

TCP Ports 9001-9020 are used by the browser to connect to the Fusion UDM server.

TCP Port 5500 is used by the Fusion UDM agent to connect to the FUSION UDM Server.

TCP Port 5901 is used for connection within processes on the server itself.

For agent based discovery of devices and remote installation of agent software across multiple LAN subnets,

certain ports and services are required for this;

TCP and UDP Port 9000 on both Fusion UDM server and endpoint for initiated device discovery.

TCP ports 139, 445 and UDP ports 137,138 on both

File and printer sharing service needs to running i.e. C$ sharing capability to transfer the agent to the

endpoint

Windows Firewall requires the ‘File and printer sharing service’ exception to be added.

Agentless discovery across VLAN & VPN environments:

VPN should be configured to allow NetBIOS broadcast forwarding, or alternatively WINS should be im-

plemented on each side of VPN.

VLAN setup within a domain environment the WINS/computer browsing service needs to running on all

domain controllers. All endpoints should be configured as WINS clients.

For Wake-On-LAN (WOL) functionality:

WOL must be supported and enabled within the BIOS

Wake on Magic Packet option must be enabled. This is located in the power management tab within the

network interface properties, accessed using device manager

Simple TCP/IP services should be running

Open UDP port 9 in Windows firewall settings

For Wake-On-LAN (WOL) functionality within an VLAN:

Directed broadcasts should be enabled on the router

Enable and open UDP ports 7 and 9


Using Ping, Telnet and Net stat for port testing (Troubleshooting) If you are not sure that the required ports are open and are communicating between the server and endpoint

device, there are various tools to check this. Ping is a method of checking if the computer is connected to a

network. Net stat displays active TCP/UDP connections, ports on which the computer is listening to and Telnet

can be used to test the port to the server or endpoint.

Ping command

From the Fusion UDM server

Open CMD prompt

Type ping <IP address of the endpoint>

If there is a response from the IP address, then it is communicating ok

If there is no response, it could well be that the firewall is blocking this

Net stat command From the Fusion UDM server

Open CMD prompt

Type netstat -ano

This will list all the ports that are established and are in the listening state.

If ports are not listening or showing time wait there is problem that needs to investigated

Telnet Command

From the endpoint device, Open CMD prompt

Type telnet < Server hostname/IPaddress> 9000

If the screen goes blank, this means the port is open and communicating

Connection refused means that nothing is running on that port

Timeout generally means the firewall is blocking access


Installation of Fusion UDM

The following section will list the various steps required to correctly install and configure Fusion UDM on to your

server environment adhering to the ‘Installation Prerequisites checklist’.

STEP 1: Server Components Install

For Windows Server 2012 / R2 1. On the taskbar select Server Manager

2. Select Add Roles and Features

3. Follow the prompts until you reach Server Roles

4. Scroll up/down and tick Web Server (IIS)

This will prompt with the management tools dialog, select ‘Add Features’

5. Follow the prompts until you reach ‘Role Services’

6. Expand the Web Server and ensure the following is ticked to be installed:

Web Server > Common HTTP Features-> Default Document, Directory Browsing, HTTP Errors,

Static Content

Web Server > Performance-> Static Content Compression

Web Server > Security-> Request Filtering

Web Server > Application Development-> ASP NET 4.5 (which will add additional features), Web

socket protocol

Management Tools-> IIS Management Console

Management Tools-> IIS Management Scripts and Tools


On confirmation select ‘Restart the destination server automatically if required’

Select Install

After completion of installation select Close button.

For Windows Server 2008 R2 1. On the taskbar select Server Manager

2. Select Add Roles

3. Follow the prompts until you reach Server Roles

4. Select Web Server (IIS) and select Next

5. Expand the Web Server (IIS) and tick the following to be installed:

Common HTTP Features-> Static Content, Default Document, Directory Browsing, HTTP Errors

Security-> Request Filtering

Performance-> Static Content Compression

Management Tools-> IIS Management Console

Management Tools-> IIS Management Scripts and Tools

Management Tools-> IIS Management service

Select Install, after completion of installation, select the Close button.


STEP 2: MS SQL Server Configuration

Once the Microsoft SQL database is installed, there are some configurations required for Fusion UDM to

communicate correctly with Microsoft SQL.

Make sure that during installation of MSSQL user should be select following minimum features.

Ensure that during the installation of SQL management that the “sa” account is enabled and that you

are aware of its valid credentials as this will be required during Fusion UDM installation. If you do not

know the credentials for the “sa” account, please speak to your database administrator responsible

for SQL.

On a default installation of Microsoft SQL, the protocols within SQL Server Configuration Manager are

usually enabled, but to ensure this please check the following;

1. Open SQL Server Configuration Manager.

Expand SQL Native Client 10.0 Configuration module

Select Client Protocols

Right-click on each of the below and enable the following:

Shared Memory

TCP/IP

Named Pipes

VIA (if applicable)


2. The next step is to configure the protocol port to be used.

Select SQL Server Network Configuration

Select Protocols for SQL EXPRESS (this can vary depending on version of SQL installed)

Right click on TCP/IP and Select IP Addresses.

For IP section, change the TCP Port to 1433

Click apply and then OK

3. Once the above has been completed a restart of the SQL server services is required

4. Select SQL Server Services.

Right-click SQL Server (MSSQLSERVER) in this instance

Select Restart


Close the SQL Server Configuration Manager.

STEP 3 - Single Server Installation

The Fusion UDM software can be installed one a single server comprising of IIS, SQL database and Fusion

UDM managing up to a maximum of 2000 endpoint devices. If you are installing onto a larger environment we

recommend following the distributed server installation included within the guide.

To download the latest version of Fusion UDM Software at;

http://www.vxl.net/contact/request-evaluation

Copy the downloaded installer package onto the hard drive of the server you are going to use for Fu-

sion UDM.

1. When you are ready, click on the setup file you copied earlier. The following startup wizard will appear

2. Select the Next button. The End User License Agreement (EULA) will be displayed.






3. Select the “I accept the terms in the license Agreement” check box and then click the “Next” button.

4. The following screen is displayed allowing you to choose the installation path. You can change the default

installation path which is set to “C:\VXL” or choose alternatively location using the “Browse” button.

Once you are ready click the “Next” button to continue.

5. The following screen will be displayed where you can choose from one of the two installation types. For

installation on a single server choose “complete” installation option. Click the “Next” button to continue.


6. An information screen similar to the one below will be displayed listing the components that will be in-

stalled on your system. You can see how much disk usage is needed and used by clicking the Disk Usage

button. Keep the defaults options and Click the “Next” button to continue.

7. The “Requirements” screen will be displayed. The installer will automatically identify and display the sta-

tus of prerequisites, indicating whether the component is installed or unavailable on your system.

8. In case the installation prerequisites are met the “Next” button will be visible and one can proceed with

the installation. Click the “Next” button to continue.


NOTE: If the prerequisites are found to be installed on your System, a tick mark () will be displayed indicating

component compliance. In case any prerequisite is not fulfilled, a Red Cross (X) will be shown alongside the

missing component and the setup will not proceed further. The prerequisite needs to be installed before

continuing the installation.

9. The next step is database connection setup and is displayed next as the “Database setup” screen. Enter

the correct credentials to establish the SQL server connection. Once you have entered this click the”

Next” button, a connection to the SQL server will be tested.

10. In FUDM database can be installed on remote machine to do so select database connection type Remote

while installing database. When Remote type is selected then Database get connected to remote ma-

chine of which details have mentioned in the form.


Note: It is essential to uninstall Fusion UDM entry from Add Remove Programs from system through which we

have install the FUDM database. If we want to install the Fusion UDM application on the same system through

which the database was remotely installed.

Ensure that the correct credentials and setup of SQL is adhered to. If not, then the following message

can occur

11. Once the SQL connection is established, the next screen is the communication server setup that is re-

quired for the configuration of the web server’s hostname and port requirements. Since the IIS server is

located on the current installation server we have populated the host name of the server along with SSL

communication ticked on default (this is recommended for Live secure Fusion UDM environment) If the

server is part of a domain infrastructure a FQDN is required using the following syntax:

Hostname.Fulldomainname for example fusion.test.com

NOTE: This is important if you wish to register devices over a WAN environment or register mobile devices


12. In case a default website is already running on the selected port, you will be shown a dialog as shown

below and asked if you wish to stop the site using the port in question.

13. The next screen(s) will prompt you to start the installation process. If you wish to change any of the pro-

vided information you can do so by clicking the “Back” button.


14. After completion of the installation process the installer will launch the Fusion UDM web console. You

can prevent this by un-ticking the “Launch Fusion UDM Web Console” checkbox and clicking “Finish”.

15. In order to log into the Fusion UDM server, you can begin by using the default logon credentials. We

strongly recommend you to change the credentials as quickly as possible. The default credentials are:

Username: admin

Password: admin

NOTE - You can access Fusion UDM Admin console from anywhere without having to remotely login, by

enabling port forwarding on the router to the static IP/hostname of the server.

To learn and help you understand the features of Fusion UDM please refer to the Administration’ guide.


Distributed Server Installation

If you are installing onto a larger environment for over 2000+ endpoint devices, we recommend a distributed

server method.

It is assumed that both the servers used this are of similar configuration and that you have copied the

Installer package onto the hard drive of the computer system prepared for installation of the web com-

ponent with the server running the IIS server role.

1. The initial part of installation is the same as single server installation mentioned in the previous section,

from steps 1 – Server components Install and Step 2 – MS SQL installation.

2. During the Fusion UDM installation at ‘Step 5’ of the install process, select the ‘Custom’ installation op-

tion and proceed to next step.

3. Select the ‘Install Fusion UDM Database’ option first as the server installation requires the database to

be present and prepared in readiness for the server installation to connect to.

4. Once installed, you will be required to re-run the installation setup. First time for the database installa-

tion and the second time for the server installation.


5. When requested you will need to specify the database server and connection parameters, as shown be-

low;

6. Select ‘Connect to remote database server’ and populate the correct credentials


7. Once you have completed and connected to the database successfully, you can continue the installation.

Please refer to steps 10 onwards, mentioned in the previous chapter for assistance.


HA/Failover/Clustering Server Installation

If you require a high-availability installation for Fusion UDM server with an example of how it operates below,

please follow through the following steps;


The prerequisites for the server installation are the same as the ones required for the single server

installation. It is assumed that the servers used in the clusters are of similar configuration and that

you have copied the Installer package onto the hard drive of the computer system prepared for in-

stallation of the web component – the servers running the IIS server role.

It is assumed that both the servers used this are of similar configuration and that you have copied the

Installer package onto the hard drive of the computer system prepared for installation of the web

component with the server running the IIS server role.

1. The initial installation is the same as single server installation mentioned in the previous section

2. At ‘Step 5’ of the installation process, select the ‘Custom’ installation option and proceed to next step.

3. Select the ‘Install Fusion UDM Database’ option first as the server installation requires the database to be

present and prepared in readiness for the server installation to connect to.

You will be required to run the installation once for the database installation and on the servers in

the cluster for the server installation.

Install Fusion UDM Database Install Fusion UDM Server Application

4. Install Fusion UDM database on local server

For the install of the Fusion UDM Database, the administrator will require the local database server

details along with connection parameters:


Important: (Remote IP Address) SQL instance should be configured to accept TCP/IP connections from remote

computers

This configuration change may be required when a Fusion UDM connect to remote database and also at the

time of installation of Fusion UDM remote database is required to access a remote SQL Server instance as part

of a distributed installation.

5. On the SQL Server, open 'SQL Server Configuration Manager'. For example:

Start > All Programs > Microsoft SQL Server 2008/2008

R2sss > Configuration Tools > SQL Server Configuration Manager.

i. For MS SQL 2012: Use the Windows key or hover over the left lower corner of the

ii. desktop and select All Programs > Microsoft SQL Server 2012 > Configuration Tools >

SQL Server Configuration Manager

6. Expand 'SQL Server Network Configuration' and highlight the 'Protocols for [InstanceName]'option.

7. In the right-hand window, if 'TCP/IP' currently has the 'status' of 'Disabled', right click on 'TCP/IP' and se-

lect 'Enable'.

Note: You will be requested to restart the SQL Server service to complete the configuration change.

8. To restart the service, you can use the same Microsoft Management Console (MMC) window.

Highlight the 'SQL Server Services' option at the top of the tree. In the right-hand window,

Right click on the SQL Server [Instance]' entry and choose 'Restart'.


The SQL instance has now been configured to accept TCP/IP connections from remote

computers

9. Require local database server details with connections


Installation of Fusion UDM Agent

This section covers in-depth the manual and domain group policy installation method. For agentless install we

have provided a brief method, with this explained more in-depth within the Fusion UDM Administrator guide.

There are various methods of installing the Fusion UDM Agent software

Manual installation of the Fusion UDM Agent onto the endpoint

Deploying the Fusion UDM Agent using the Agentless install feature within Fusion UDM server

Domain group policy to install Fusion UDM Agent

Manual installation of the Fusion

Ensure the endpoint compatibility on page 9 before attempting the installation.

Copy the Fusion UDM installer package onto the hard drive of the target endpoint.

NOTE: For Windows XP-SP2 OS based endpoints, the latest version of Windows Installer component is

required for successful installation.

1. Double-click on setup file, which will start the install wizard. Click “Next”.

2. You will be shown a lists of changes that are made by the installer and Prerequisites that are required

to install the Fusion agent software.


3. If you agree select the checkbox and click on the “Next” button to proceed with the installation.

4. Click the “Finish” button to complete the installation of Fusion UDM Agent setup.


Deploying Agent from within Fusion UDM Server

In this section we explain how to discover and install devices from within Fusion UDM server using a

straight forward LAN IP range. For other searches this is explained in-depth within the Administrator guide

Ensure that the prerequisites per ports and service requirements are adhered to first.

1. Within Fusion UDM, select the toolbar and select “Discovery”

2. Select Discover and from Scan Type, select LAN

3. Type in a valid from and to IP address range and click OK


This will populate the endpoints available for the agent software to be installed on to

If you wish to quicken the search process, click on refresh.

4. Select install and tick the endpoint device(s) you wish to the install agent onto.

5. Within a domain environment you would need to populate the administrator account credentials avail-

able on the endpoints and then click on Install.

The process of deploying the agent to selected endpoints will begin

Any in-progress and completion alerts will appear within the Discovery area.

NOTE: Ensure that ‘File and Print sharing’ and ‘ports’ mentioned within the ‘Ports and service requirements’

section are adhered to or the installation will fail with ‘Share rights access denied’


Domain group policy to install Fusion UDM Agent

In this section we show you how to use Group Policy to automatically distribute Fusion Agent to client

computers or users. You can use Group Policy to distribute computer programs by using the following

method:

If you assign the program to a user, the agent is installed when the user logs on to the computer.

When the user first runs the program, the installation is completed. If you assign the program to a

computer, the agent is installed when the computer starts, and it is available to all users who log on

to the computer.

STEP1: Create a distribution point To publish or assign a computer program, you must create a distribution point on the publishing server. To do

this, please follow these steps:

1. Log on to the server as an administrator.

2. Create a shared network folder where you are going to put the Microsoft Windows Installer package

(.msi file) that you want to distribute.

3. Set permissions on the share to allow access to the distribution package.

4. Copy the Fusion UDM agent installer (FUDMAgent.MSI) package to the distribution point.

Please use the installer version of the ‘Agent MSI file’ which is a silent installer, normally this resides within the

Fusion server or contact your VXL support representative for this

STEP2: Create a Group Policy Object To create a Group Policy Object (GPO) to use to distribute the software package, follow these steps:

5. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative

Tools, and then click Active Directory Users and Computers.

6. Right-click your domain name and create Organization Unit[OU]. (for example FUDM).


7. Add the client machine in that OU on which the application gets the install.

8. Go to run and type gpmc.msc following window will appear, right click on OU and create new GPO.

When you have finished, click OK.

STEP 3: Assign a package 9. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative

Tools, and then click Active Directory Users and Computers.

10. In the console tree, right-click your domain, and then click Properties.

11. Click the Group Policy tab, select the policy that you want, and then click Edit.

12. Under Computer Configuration, expand Software Settings.

13. Right-click Software installation, point to New, and then click Package.

In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared

installer package that you want. For example, \\file server\share\file name.msi.

Do not use the browse button to access the location. Make sure that you use the UNC

path of the shared installer package.


14. Click Open.

15. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.

16. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers

snap-in.

17. When the client computer starts, the managed software package is automatically installed. Appendix


Fusion MDM Setup and Configuration

Domain Identity

In this section we show you the process to setup and configure your Android devices to work within Fusion

UDM.

STEP 1: Register the Managed Domain

The “Google claimed customer domain” registration process is required to follow in order for the below steps


1. : Admin enters basic business contact information

2. Admin enters basic information about the business

Business name

Address

Number of Employees



STEP 2: Create the Admin Account Admin creates the account for the Managed Domain

STEP 3: Verify Domain Ownership Admin verifies Domain ownership

1. Add Meta tag to corporate homepage

Google verifies by scanning homepage

2. Add a TXT or CNAME record to domain’s DNS

Google verifies by checking DNS records

3. Add an HTML file to root of company’s website

Google verifies by scanning the company website


STEP4: Generate EMM API Token

Generated for binding to Customers EMM Provider

Enables Android for Work management via API’s

Allows management of ONLY specific Managed Domain devices

Configuring Enterprise Service Account (ESA)

Creation and configure customer Enterprise Service Account (ESA) from the Google developer console.

To do this, sign into https://console.developers.google.com using your administrator account setup

previously.

STEP1 - Create the project Register your application for Admin SDK in Google API Console. Google API Console allows you to manage

your application and monitor API usage. Create a project where your application will be registered you can

use one project to manage all of your applications, or you can create a different project for each application.

To add the project, navigate to:

Google API -> Project dropdown -> Create project.

Here, we enter the Project name.

https://console.developers.google.com/


Step 2 - Enable APIs for the project To get started using Admin SDK, you need to first use the setup tool, which guides you through creating a project in the Google API Console, enabling the API, and creating credentials.

1. On the developer’s console page, go to API Manager. 2. Then go to Library. 3. Search and Enable APIs required for your project. 4. The following APIs need to be enabled:

Google Play EMM API Admin SDK Android Device Verification API App Engine Admin API Big Query API

5. List of the enabled APIs will be displayed in Dashboard section.


6. To enable the API, click on ENABLE button. After we enable a particular API, the button gets changes to DISABLE.

STEP3 - Working with credentials You need credentials to access the APIs. Depending on the API, you need an API key, a service account or an

OAuth 2.0 Client ID.

3.1 - Creation of Service account key:

Service account key enables server-to-server, app-level authentication using robot accounts.

3.1.1 - Service account addition:

To set up a new service account, do the following:

1. If the API Manager page isn't already open, open the console menu and select API Manager.

2. On the left, click Credentials.

3. Click Create credentials > and select Service account key.

4. On the create service account key form, click New Service account.

5. Enter the service account name and select the role as Project > Owner.

6. A service account id name will be automatically generated.

7. Click Create to generate a service account.

8. Your new public/private key pair (Service JSON) is auto-generated and downloaded to your ma-

chine.

This information is required for configuring Fusion MDM. Please save this information in a

separate folder.

Important: It serves as the only copy of this key, so it is highly recommended to store it securely.


3.1.2 – Domain Verification:

You need to verify domain ownership to allow web hook notifications to be sent to your external domains. Google verifies that the user owns each of the listed domains via Search Console.

1. Domain Verification > Add Domain. Enter the name of the domain.

2. After successful addition of domain name, the entered domain gets listed on the Google

console.

3.1.3 – OAuth consent screen:

If this is your first time creating a client ID, you can configure your consent screen by clicking OAuth

consent screen.

You won't be prompted to configure the consent screen after you do it the first time.


3.1.4 – Domain-wide delegation

1. One last step remaining in Service account section. 2. Navigate to API Manager > Credentials. Next to Service accounts, click on Manage service

accounts. The service accounts form will be displayed.

3. Find the service name you’ve created previously. Click on the Options button next to it and select Edit.

4. On the Edit service account form, select the checkbox against Enable Domain-wide delega-tion. Click on Save to save the changes.

3.2 - Creation of OAuth client ID:

This id requests user consent so that an app can access user’s data. To create an OAuth 2.0 client ID in the console:


1. If the API Manager page isn't already open, open the console menu and select API Manager. 2. On the left, click Credentials. 3. Click New Credentials, then select OAuth client ID. 4. Select the application type as Web application for project and enter any additional information as

required. 5. Enter the OAuth client ID name. 6. Authorized JavaScript origins: For use with requests from a browser. This is the origin URI of the

server/client application. (e.g.: https://fusion.vxl.net) 7. Authorized redirect URIs: For use with requests from a web server. This is the path in your applica-

tion that users are redirected to after they have authenticated with Google. The path will be ap-pended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address. Recommended urls are as follows (e.g. with edit URLs)

a. https://<FQDN>/Handlers/Tools/MDMConfiguration_Handler.ashx b. https://<FQDN>/authorize/ c. https://<FQDN>/AuthCallback/IndexAsync/ d. https://<FQDN>/oauth2callback/

8. Click Create to create the Client ID. 9. Now, a Client JSON file is automatically generated which can be downloaded by clicking the Down-

load JSON button on top of the page. 10. Along with the Client JSON, we also have a Client secret key listed below it.


This Client JSON & Client secret key information is required for configuring Fusion MDM. Please save this information in a separate folder.

3.3 - API Key generation:

Identifies your project using a simple API key to check quota and access.

To create an API key in the console:

1. If the API Manager page isn't already open, open the console menu and select API Manager. 2. On the left, click Credentials. 3. Click New Credentials, then select API key. 4. On the create new key form, click on Server key.

5. Enter the name for the API key. 6. Click Create to generate the API Key.

This API key should also be kept secret and is required for configuring Fusion MDM. Please save this information in a separate folder.


Important: It may take up to 1 hour for settings to take effect.

3.4 - Project ID:

The project we have created has an ID associated with it.

1. In order to retrieve the ID of the project, navigate to API manager, then click on Credentials.

2. Under the Service account keys section, click on Manage service accounts.

3. From the left menu, click on Settings.

4. On the Settings page, the Project number will be our required Project ID.

This Project ID information is required for configuring Fusion MDM. Please save this information in a

separate folder.

With the above steps, our configuration on Google developer console is completed.

Step 4 - Managing APIs

We now move on to Google admin console. Sign in to https://admin.google.com with the same mail id which

was used to login previously in Google developer console.

The service account that you created needs to be granted access to the Google Apps domain’s user data that you want to access. The following tasks have to be performed by an administrator of the Google Apps domain:

1. Click on Security > Show more > Advanced Settings > Manage API Client Access.

https://admin.google.com/


Manage API Class Access: API class access allows admins to control access to user data by applications that use OAuth protocol.

Here, we require two things:

1. Client Name - Authorized API clients.

Your client name will be the Client key generated previously on Google developer console. Navigate to Google developer console page. Then from left menu, go to API Manager > select Credentials. In the OAuth 2.0 client IDs section, click on the Client name you’ve previously created. The Client ID on this page will be required. Copy the client ID and paste it into the Google admin page > Manage API Client Access > Client name section.

2. API scopes - API client domains are registered with Google and authorized to access data for your users.

You can directly use the following links as API scopes which are recommended:

https://www.googleapis.com/admin/directory/v1,

https://www.googleapis.com/admin/directory/v1/users,

https://www.googleapis.com/androidenterprise/v1/enterprises,

https://www.googleapis.com/auth/admin.directory.customer,

https://www.googleapis.com/auth/admin.directory.device.mobile,

https://www.googleapis.com/auth/admin.directory.device.mobile.action,

https://www.googleapis.com/auth/admin.directory.domain,

https://www.googleapis.com/auth/admin.directory.group,

https://www.googleapis.com/auth/admin.directory.group.member,

https://www.googleapis.com/auth/admin.directory.group.member.readonly,

https://www.googleapis.com/auth/admin.directory.group.readonly,


https://www.googleapis.com/auth/admin.directory.notifications,

https://www.googleapis.com/auth/admin.directory.orgunit,

https://www.googleapis.com/auth/admin.directory.orgunit.readonly,

https://www.googleapis.com/auth/admin.directory.resource.calendar,

https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,

https://www.googleapis.com/auth/admin.directory.rolemanagement,

https://www.googleapis.com/auth/admin.directory.user,

https://www.googleapis.com/auth/admin.directory.user.alias,

https://www.googleapis.com/auth/admin.directory.user.alias.readonly,

https://www.googleapis.com/auth/admin.directory.user.readonly,

https://www.googleapis.com/auth/admin.directory.user.security,

https://www.googleapis.com/auth/admin.directory.userschema,

https://www.googleapis.com/auth/admin.directory.userschema.readonly,

https://www.googleapis.com/auth/apps.licensing,

https://www.googleapis.com/auth/calendar,

https://www.googleapis.com/auth/contacts,

https://www.googleapis.com/auth/contacts.readonly,

https://www.googleapis.com/auth/drive,

https://www.googleapis.com/auth/plus.login,

https://www.googleapis.com/auth/plus.me,

https://www.googleapis.com/auth/plus.profiles.read,

https://www.googleapis.com/auth/userinfo.profile

3. Copy the above links all together and paste them in API scopes section. 4. Click on Save to save your settings.

Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. You are ready to instantiate an authorized Admin SDK Directory service object on behalf of your Google Apps domain's users.

Step 5 - Working with Service account & Tokens

4.1 – Service account

A service account's credentials include a generated email address that is unique, a client ID, and at least one public/private key pair.

If your application runs on Google App Engine, a service account is set up automatically when you create your project. If your application doesn't run on Google App Engine or Google Compute Engine, you must obtain these credentials in the Google Developers Console.

1. In order to retrieve the ID of the project, navigate to API manager, then click on Credentials.

2. Under the Service account keys section, click on Manage service accounts.

3. Select the service account name that we have created previously.

4. The value in the Service account ID column against that service account name is our required Service

Account Email.

5. This Service account email will be required further in MDM Configuration process.


5.2 - Generating the token:

Part of binding your third-party provider involves sharing your company’s EMM token with the provider. After you generate a token, you have 30 days to share it. If the token expires, you have to generate a new one.

1. Sign in to the Google Admin console as a super administrator to generate an EMM token or see an unexpired one.

2. Click Security > Android for Work Settings. Copy the token (a string of characters) or click Generate Token to generate a new token.


Important: When a new token is generated, copy the token and save it as a token once generated cannot be retrieved again.

After successful enrolment with MDM Configuration, the service account email used for configuration is only displayed on Google admin console.

In General Settings section, the checkbox against the Enforce EMM policies on Android devices is unchecked by default. Make sure you have checked the checkbox.


You can't view previously generated token or generate a new token. A new token can only be generated when

the MDM Configuration is unenrolled from the server.

Mobile Device Management Configuration

In general, the EMM console is the mechanism through which an enterprise manages its entire mobile fleet

(platform-agnostic). This will also be the place that a customer’s IT admin goes to manage policies for Android

for Work. Policy files are generated by the EMM console and sent down to the device-side DPC, which will

then enforce the policies within the Managed Profile.

AFW EMM ENROLMENT It’s the process of binding with domain and getting token from MDM.

Steps for binding with domain i.e. enrollment of domain:

1. Select Configuration Setup -> MDM Configuration.

2. Select AFW EMM Enrollment.

3. Click on Add.

4. Enter Domain name, Service Account Email and Token name.

5. Click on Enroll.

6. The service account gets enrolled.

You can unenroll an existing account by clicking on Delete button next to it.

You can configure an existing account by clicking on Configure button next to it.

The following details are to be entered for configuration:


1. Service Json: A service account represents a Google Cloud service identity. A .json file of enrolled do-

main is to be uploaded.

2. Client Json: Service account clients are created when domain-wide delegation is enabled on a service

account. A .json file of enrolled domain is to be uploaded.

3. Client secret: OAuth2 uses the client secret mechanism as a means of authorizing a client. It acts as a

secret passphrase that proves to the authentication server that the client app is authorized to make a

request on behalf of the user.

4. API Key: You need an API key to call certain Google APIs. The API key identifies your project.

5. Product ID: The ID of the project that owns the service account.

Steps for configuring the service account:

In this step, we will need the json files & keys which were previously created during the configuration of

Enterprise Service Account.

1. Click the Configuration button.

2. Upload the Service json file.

3. Upload the Client json file.

4. Enter the Client secret key, API key and Product ID.

Settings saved successfully message is displayed.

AFW USER PROVISIONING User Provisioning

The provisioning system usually takes information about employees from the Human Resource (HR) system.

E.g. if a new employee is entered into the HR system the provisioning system detects that and pulls the

information. This information is processed to determine a set of roles that each user should have. The roles

determine which accounts the user should have and such accounts are created. All of that usually happens in


a matter of seconds. Therefore everything is prepared for the user to work on the very first day. Similar

processes also apply when user is transferred to another department, when his responsibilities change and

when he leaves the company.

It can take data from Customer Relationship Management (CRM) system and create accounts for customers.

As provisioning can also maintain passwords this usually reduces the load of customer support centres.

Provisioning can synchronize user accounts in portal and service provider environments. Provisioning is

especially useful in cloud environments to manage very large number of accounts in many applications -

something that is not feasible to do manually. Identity provisioning is without any doubt a foundation of

Identity and Access Management.

1. Select Domain name from dropdown list.

2. User list with respective selected domain gets listed out.

3. Click on Sync to sync user provisioning data from the selected domain.

4. User is able to add single user to the list by clicking on Add button.

5. Enter First name, Last name, Email ID and Password.

6. Click on Save to save the entered data.


7. To add users from a domain, click on Add Domain Users button.

8. Enter Domain name, Username and Password.

9. Domain users get added to the list.

APPLICATION MANAGEMENT Applications in Android for Work are managed via Google Play for Work, which provides full Play catalog ac-

cess to an enterprise. IT admins can explicitly approve applications for use in Managed Profiles, and also have

options for bulk purchasing of paid application licenses via Play for Work.

Once applications have been approved, the admin can use the EMM console to distribute applications in one

of two ways. The first way is to collate the approved applications into subsets (called “collections”) and push

them down to the Managed Play Store Client on target devices.

1. Select Domain from dropdown list

2. Install/ Uninstall software list with package name, License count, Permissions, Status, Actions, Type

get listed out.


Additionally, an Admin has the ability to silently install and uninstall applications into target Managed Profiles

through Google Play. This allows for seamless management of application deployments without requiring any

end-user intervention.

Bulk Purchasing (License)

Aside from permissions acceptance, an admin must also purchase licenses prior to approving a paid

application.

Purchases can be conducted with a credit card or online payment (Google Wallet).

Device Policy Client (DPC)

The Device Policy Client is the EMM’s client-side component. Even though it only resides in the Man-

aged Profile, it is the only managed application to be downloaded from the personal Play Store.

This is because the DPC must be installed on the device prior to the initial setup of the Managed Pro-

file.

Once it is installed, the user can launch the DPC and enter their EMM credentials to begin the An-

droid for Work enrolment process.

Following completion of the setup flow, the DPC will be badged and scoped only to the Managed Pro-

file context by the OS.

If the DPC is removed from the device, the entire Managed Profile will disappear along with it. The

Managed Profile cannot exist unless there is a DPC running inside of it to enforce policy compliance.

Adding an Application

In order to add an application manually into the application list, you need to select the domain first in which

you want to add an application and then click the Add button. The add application form will be displayed.


Simultaneously, you will need to login into Google Play for Work page (https://play.google.com/work/ ). Visit

the page of the app you want to add into your company domain. Refer the browser URL of the app page.

The name mentioned in the ‘id=’ section is the required package name of that particular application.

For example: If you visit page of ‘Asana’ app, the browser URL is (https://play.google.com/store/apps/de-

tails?id=com.asana.app&hl=en ). In this case, the package name would be com.asana.app

1. On the Add Application form, enter the Application Name.

2. Enter the Package Name which you have copied from Play for Work application page.

3. Select the Type of the app.

4. Click Save to save the entered details.

Application saved successfully message is displayed.

The added application will now be listed in the application table below that particular domain.


USER APPLICATION PROVISION

In User Application Provisioning, we can assign applications to various users which were previously approved

by the company.

1. Select the Domain name.

2. Select the users to which applications are to be assigned.

3. The list of company approved applications of the respective selected domain will be displayed in the

list below.

4. Select the applications to be assigned for the selected user.

5. On click of Save, summary details popup is displayed showing that the product set is assigned to the

users.

STORE LAYOUT MANAGEMENT

Google Play for Work lets you design and create a store layout unique to your users’ needs. After you give

your users access to apps, you can group the apps into clusters to be display on pages in the Google Play for

Work storefront.

The Google Play EMM API Reference has information on the resources and associated methods you use to de-

sign a store layout.


Localized names for pages and clusters

Google Play for Work store layout supports localized names for store pages and store clusters. When you cre-

ate a page or cluster you provide a list of supported locales, as IETF language tags, and associated localized

names. If a user’s locale is not on the supported list, the system will chose a close match if one is available.

As an EMM, you can create a unique customized store layout for each of your customers. A typical layout con-

sists of a set of pages to display to users in the Google Play for Work store front. Each page you create con-

tains one or more clusters, and each cluster contains a set of apps. Because you select which apps are in a

cluster, you can use the clusters to group related apps together.


For example, you could create a page just for work apps that contains a Document cluster and a Planning clus-

ter. The Document cluster might contain apps such as Google Docs, Google Sheets, and Google Slides, and the

Planning cluster could contain work tracking, calendar, and meeting planner apps.

Unbind/Unenrolment of the domain In order to enroll the domain again, first you need to unbind/unenroll the domain which was previously

enrolled.

To unbind a domain, go to AFW EMM Enrolment -> click the Unbind button next to the account name you

want to unbind.

Once your domain is successfully unenrolled from the server, the token which was previously used for

enrollment is expired. You will now be able to generate a new token from Google admin console page.

Refer Step 5.2 in Configuring Enterprise Service Account (ESA) section regarding how to generate a new token.

Important: It is highly recommended to save the token details before uninstalling the Fusion UDM server.


Upgrading Fusion UDM Server and Agent

Fusion UDM server software

When new Fusion UDM server software updates are available to download, upgrading the existing version to

the latest is straightforward to do.

Copy the Installer onto the hard drive of the server where you have installed the currently used

Fusion UDM server.

1. Double click on the setup file. The familiar start-up wizard will appear.

2. Select “Next” button to proceed. The installer should detect a previously installed version of Fusion

UDM message similar to the one below.

3. Select “Yes” to begin the upgrade process


4. During the upgrade process the installer will display the progress. Click the “Finish” button to finish

and close the installer.

Upgrading the Fusion Agent software

On default when the Fusion UDM server is updated, Fusion UDM will automatically update any endpoint

devices which have been already registered to the latest version

If you wish to manually control a scheduled time for agent updates, or change the amount of connec-

tions at one time this is updated to, please refer to the administration guide for more information.


SSL Certificate Creation and Installation

In this section we show how to create and install a self-signed SSL certificate using the OpenSSL tool.

Create self-signed SSL certificate using OpenSSL

Method 1: 1. Access the following link and download the OpenSSL Package

http://ibox.vxl.net/main.html?download&web-

link=382c47bedc3d7f578f9418d47b2987f7&realfilename=OpenSSL.zip

2. After extracting the zip file folder, it will contain the following files:

CreateCertificate.bat

OpenSSL.exe

ReadME.txt

3. Install OpenSSL.exe application

4. Copy CreateCertificate.bat file into the directory C:\OpenSSL-Win32\bin\

5. Run Batch file CreateCertificate.bat

6. Enter required details.

The Common Name - Enter the current Hostname of the Fusion UDM server you have just in-

stalled. This is a mandatory requirement.

Other details are optional and you can ignore these and proceed with blank entries for these.

7. After you have completed the above steps, the following files will get generated in the

"C:\OpenSSLWin32\bin\" directory location:

fusion.ca.cert.pfx

fusion.ca.cert

fusion.ca.key

Method 2: 8. Download and Install latest version of precompiled win-32 binaries of OpenSSL for windows from the

following link https://www.openssl.org/related/binaries.html

9. Open Command prompt, Go to c:\openssl-win32\bin Path

10. Type the following command and input desired information to generate a certificate request:

http://ibox.vxl.net/main.html?download&weblink=382c47bedc3d7f578f9418d47b2987f7&realfilename=OpenSSL.zip




https://www.openssl.org/related/binaries.html

https://www.openssl.org/related/binaries.html

openssl.exe req –pass out pass: abcdefg -new >fudm.csr

11. Enter the two-digit country code using the acceptable short form. These can be found at the fol-

lowing location: https://www.ssl.com/csrs/country_codes

12. Enter CN Name: IP Address of IIS Server.

13. Type the following command to create the key

openssl.exe rsa–passin pass:abcdefg -in privkey.pem –out fudm.ca.key

14. Type the following command to generate certificate file for the agent.

Openssl.exe x509 -in fudm.csr –out fudm.cert -req –signkey fudm.ca.key -days 365

This will generate the certificate to be used for the Agent/Endpoint - fudm.cert

https://www.ssl.com/csrs/country_codes




15. Upload the certificate to the Fusion UDM server repository using the repository module on the Fu-

sion UDM server, this will be used for automatic transfer to the agent during the discovery and en-

rolment process.

16. Generate the .pfx certificate for use with IIS using the following command.

openssl pkcs12 –passout pass:fusion -export -cacerts -in fudm.cert -out fudm.pfx –inkey fudm.key

17. Import the generated .pfx certificate in the certificate store of server certificates. Use the password

specified in above command (pass: fusion)

Procedure to install SSL certificate

1. Run->inetmgr on the Fusion UDM server, Open IIS -> Start- Administrative tools – IIS manager.


2. Select server certificates, then select Import certificate, enter the path of certificate file and pass-

word, then press OK.

3. After successful import you can see the newly added certificate i.e.: fusion

4. Go to Sites > Site name (FDM Site) > Select Bindings > add > Select type: https-port: 443

5. Go to SSL Certificate: Select added certificate and click ok.


6. Restart the Webserver.

7. After successful completion of the binding will be active and you can access the site using HTTPS

8. After completion of the installation and certificate binding process in case the default launch op-

tion is enabled then the installer will launch the server application web console with https request.

The login page for Fusion UDM software will be displayed.


Network Load Balancing Windows 2012/R2

In this section we talk about applying network load balancing in a Windows 2012/12 environment.

1. Open Server manager.

2. Select Add roles and Features select next.

3. Select role based or feature-based installation and Click next.


4. Select server from server pool and click next.

5. Select Add IIS role and NLB feature from the list click next.

http://subhashsingh.com/wp-content/uploads/2013/12/Screenshot-391.png


6. Select the service for IIS role which you want to install



7. Check the IIS is running properly

8. Find the NLB in administrative tool or control panel if the icon is not on the dashboard and open




9. NLB Manager will open as shown below

10. Right click on the NBL select new cluster


11. Add the host IP

12. Set Host Priority

13. Select to add the Cluster IP Addresses


14. Setting Cluster IP and Subnet mask


15. Set Full internet name of NLB cluster and set it to multicast mode


16. Host Added successfully in the cluster

17. Do the same process to install NLB feature for another Host

18. Add host in same cluster according to the steps given below.

19. Connect to existing cluster


20. Add new host in existing cluster


21. Set host priority


22. Added both host in same NLB cluster and green color is showing good health of cluster


Disclaimer

Installation Guide

Published on 15th July 2015

Last Updated on 20th September 2016

Document Version 7.0

Documentation Disclaimer

Screenshots and graphics in this manual may differ slightly from your product due to differences in your

product release version or your computer operating system. Reasonable efforts were made to ensure that

the information in this document was complete and accurate. VXL Instruments Ltd. assumes no liability

for any errors. Changes and corrections to the information in this document may be incorporated in future

releases.

Copyright

© 2004-2015 VXL Instruments Limited.

Information in this document is subject to change without prior notice and does not represent a

commitment on the part of the manufacturer. No part of this guide may be reproduced or transmitted in

any form or means, electronic or mechanical, including photocopying and recording, for any purpose,

without the express written permission of the manufacturer. Registered trademarks are properties of

their respective owners. Every effort has been made to make this guide as complete and as accurate as

possible, but no warranty of fitness is implied. The authors and the publisher shall have neither

responsibility nor liability to any person or entity with respect to loss or damages arising from the use of

information contained in this guide.

Trademarks

The VXL Logo, Fusion UDM, Fusion UDM Logo, VXL Software logo are all trademarks and registered

trademarks of VXL Instruments Ltd. All other logos and names are the trademarks and registered

trademarks of the respective owners.

VXL Support

To access our support systems please navigate to http://vxlsupport.me and log a ticket.

VXL Instruments Ltd.

House of Excellence,

No. 17, Electronics City,

Hosur Road,

Bangalore – 560 100, INDIA www.vxlsoftware.com

http://vxlsupport.me/



http://www.vxlsoftware.com/

http://www.vxlsoftware.com/

installation guide user guide...variable information appears in italic type. this includes...

Documents