Performing A Custom Installation of ObserveIT
Performing A Custom Installation of ObserveIT
In a custom installation, each of the ObserveIT components can be installed separately and you can dis-
tribute the components and use advanced configuration options as needed.
Custom Installation is often used in environments with higher security procedures, requiring each com-
ponent of the ObserveIT product to be installed separately and using dedicated service accounts; or in
large-scale environments requiring custom modifications of some of the server-side components.
Assumptions 2
The following is assumed:
Assumptions 3
FILEsrv File Server Windows Server 2016 Standard
OITAgent ObserveIT Agent Windows Server 2016 Standard
The reader has prior knowledge of Public Key Infrastructure (PKI) and its related terminology.
Assumptions 4
Your organization has an SQL server administrator who follows best practices for deploying and main-
taining SQL server.
Your organization has a backup administrator, who follows best practices for backing up databases, Oper-
ating Systems, and file shares.
Assumptions 5
Table of Contents
Assumptions 2
Storage Types 15
Preparing Permissions 22
6
Installing the ObserveIT Databases 33
Creating a New Website in IIS 8.X for the ObserveIT Application Server 60
Creating a New Website in IIS 8.X for the ObserveIT Web Console 62
7
Website Categorization Prerequisites 75
Requirements 95
Configuring Simple Recovery Model for the ObserveIT Databases on the SQL Server 110
8
Configuring Simple Recovery Model for the ObserveIT Databases via SQL Query 111
9
Downloading the Latest Version
When you're ready to install or update to a new version, you can download the files you need. Files are
located in the Downloads page of the ObserveIT Support Portal.
2. Log in and from the Downloads page, click the Link you want.
DB: Contains the setup files for the 4 ObserveIT SQL databases
DB_Analytics: Contains the setup files for the ObserveIT analytics database
Insider Threat Library: Contains the exported rule library for duplication and review
Mac Agent: Contains the Mac agent install binaries
ScreenshotsStorageOptimizer: Optimizes screenshot storage for efficiency
SQLEXPR_x64_ENU: Installation package for SQLExpress for the purpose of the trial (you can use
your own instance of SQL in lieu of SQL Express if you prefer)
TrialAssistant: Install cleanup scripts
Typical Install: ObserveIT One-Click installation scripts and data
Unix-Linux Agent: Various unix/linux agent install packages
Utilities: Several useful tools such as the ObserveIT field-marking utility and Statistics collector
The diagram below shows an example of a file server. This is where the configuration starts.
The following tasks describes how to prepare your Windows Server machines for ObserveIT installation.
As a matter of best practice, for medium to large scale deployments, ObserveIT recorded images are
stored on a file share server in the network. Configuring all recorded graphic screenshots to be stored in
the file system network share (a UNC path) instead of in the SQL database reduces the overall I/O over-
head on the SQL Server.
This section describes how to configure the disks before creating the file share.
For information about creating the file share, see Creating and Sharing the Graphics Image Folders.
By default, all the recorded graphic screenshots are stored in the ObserveIT_Data database.
If using a file share, it is highly recommended to use a Windows Server 2016 machine with appropriate
disk capacity, where the disk drive(s) are connected either locally, or on a storage device such as SAN/NAS
using either iSCSI or Fiber Channel (FC). Where this is not possible, use virtual disks that are stored on the
fastest and most optimized storage array for write IOPS.
Hot storage: Recording screenshot data is written immediately after being received from a remote
ObserveIT Agent. Because all the graphic images stored on the hot storage are typically small, the
disk needs to be formatted with NTFS file system for Windows Server 2016 using the allocation unit
size of 4KB (4096K). This ensures best disk location usage and reduce disk space waste.
Warm storage: Recording screenshot data is stored after an active ObserveIT session is closed. The
recording screenshot data stored on the warm and archive storage is stored in a ZIP format, with
each ZIP file containing all images for a single ObserveIT session. To optimize performance, format
the warm and archive storage with 64KB block size. This configuration can be done using Disk Man-
agement or the DISKPART command line utility.
In this example, assume the new disk has just been connected to the machine, but no further
action was taken.
3. Expand Computer Management (Local), expand Storage, and click Disk Management.
4. Find the new disk in the list. Usually, it is the only one with the status Offline.
7. Click the GPT (GUID Partition Table) radio button and click OK.
17. The disk is formatted and you are returned to the Computer Management window.
1. From the Computer Management window, expand the Computer Management (Local) node,
expand the Storage node, and click the Disk Management node.
2. In the main window, locate the volume designated for the ObserveIT screenshot data.
4. Make sure the Allow files on this drive to have contents indexed in addition to file properties check
box is unchecked.
If you want to use Network Access Storage (NAS) or a different storage type, see your storage
vendor documentation.
2. Open Windows File Explorer. (You can open the Start menu and type in explorer, then Enter.)
3. In Windows File Explorer, navigate to a disk where the ObserveIT image store folder is to be loc-
ated.
4. Create a new folder. (Click New and then Folder) and right-click some empty space inside the File
Explorer window).
6. Right-click the folder, click Share With, and click Specific people.
7. Type in the account name, for example OITServiceAccount and click Add.
10. Create folders for the ObserveIT Archive folder, for example: OITWarmStorage and OITArchive by
repeating the previous steps.
Make a note to remember the paths to the current shares. You'll need them later.
For example:
\\filesrv\OITData\OITHotStorage
\\filesrv\OITData\OITWarmStorage
\\filesrv\OITData\OITArchive
1. Mount a Windows Server 2016 installation DVD to the virtual machine or insert a Windows Server
2016 DVD into the DVD drive of the server.
The following steps are similar for Windows Server 2012/2012R2 Operating Systems. If using
one of these systems, mount or insert the appropriate DVD to the machine.
4. If prompted, Do you want to allow this app to make changes to your device? Click Yes.
2. If prompted Do you want to allow this app to make changes to your device?, click Yes.
3. Copy and paste the following code into the PowerShell window:
2. If prompted Do you want to allow this app to make changes to your device?, click Yes.
3. Copy and paste the following code into the PowerShell window:
New-NetFirewallRule -DisplayName “HTTPS” -Direction Inbound –
Protocol TCP –LocalPort 443 -Action allow
Preparing Permissions
In a custom installation, make sure the following permissions are configured:
Preparing Permissions 22
CREATING A SERVICE ACCOUNT USER IN ACTIVE DIRECTORY
This topic describes how to configure permissions to create a service account user in Active Directory. Act-
ive Directory is used connect to ObserveIT databases and to run ObserveIT services.
Permissions are required to set up a an Active Directory. For more information about this, contact
the Active Directory team.
1. Connect to a Domain Controller or to a computer with Active Directory Remote Server Admin-
istration Tools installed.
3. Navigate to the Organizational Unit where the ObserveIT Service Account will be located.
Optional: Type ObserveIT into the First Name field and Service Account into the Last Name field.
5. Type OITServiceAccount into the User logon name field and choose the appropriate UPN suffix.
Click Next.
6. Configure a password based on your organization's password policy requirements, uncheck the
User must change password at next logon checkbox, and check the Password never expires check-
box. Click Next. Click Finish.
Use the following steps to grant the ObserveIT Service Account user the dbcreator role on the SQL
server. This permission is required only during the installation phase and may be removed when
the installation is complete. Removing this permission will prevent ObserveIT from creating addi-
tional archive databases with the service account and will require appropriate credentials when
creating a new archive.
Preparing Permissions 23
1. Connect to the SQL server or to a computer with SQL Server Management Studio installed.
2. Open SQL Server Management Studio, type the SQL server's FQDN or IP address in the Server
name field and click Connect.
Choose Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, choose SQL Server Authentication and log in with a sysadmin-level account. Click OK to
connect.
4. From the menu on the left, expand Security right-click Logins and select New Login.
5. Click Search.
Preparing Permissions 24
6. Click Locations and choose the location where the ObserveIT Service Account is located. Click OK.
7. In Enter the object name to select area, type the username for the ObserveIT Service Account user
account, for example, OITServiceAccount. Click OK.
8. In the Login screen from the menu on the left, select Select a Page > Server Roles.
Preparing Permissions 25
9. Select dbcreator and click OK.
This is only required during the installation phase; the Service Account can be removed as soon as
the installation has completed successfully.
Preparing Permissions 26
1. On the ObserveIT Application Server, from Start, type Computer Management.
2. Expand System Tools and click Local Users and Groups. Expand Groups folder.
Preparing Permissions 27
4. Click Add.
The Select Users, Computers, Service Accounts, or Groups dialog box opens.
5. In the Enter the object name to select area, for example, OITServiceAccount.
6. Click OK.
The Administrator Properties dialog box opens and OITServiceAccount appears in the Members
list.
Preparing Permissions 28
7. Click OK.
8. If you plan to deploy more than one ObserveIT Application Server, or if you plan to install the
ObserveIT Web Console on a separate machine, repeat on all the computers that will host the
ObserveIT Application and Web Console applications.
This step is only required during the installation phase; the Service Account can be removed as
soon as the installation has completed successfully.
2. Expand System Tools and click Local Users and Groups. Expand Groups folder.
Preparing Permissions 29
3. From the list of Groups, double-click IIS_IUSRS group.
4. Click Add.
Preparing Permissions 30
The Select Users, Computers, Service Accounts, or Groups dialog box opens.
6. Click OK.
The IRS_IUSRS Properties dialog box opens and OITServiceAccount appears in the Members list.
7. Click OK.
8. If you plan to deploy more than one ObserveIT Application Server, or if you plan to install the
ObserveIT Web Console on a separate machine, repeat on all the computers that will host the
ObserveIT Application and Web Console applications.
Preparing Permissions 31
Installing and Configuring Databases
When performing a custom installation, the database is the first component of ObserveIT that needs to
be installed.
Choose the location of the recorded graphic screenshots storage: By default, all the recorded
graphic screenshots are stored in the ObserveIT_Data database. In medium to large deployments
of ObserveIT, it is strongly recommended to configure all recorded graphic screenshots to be
stored in the file system network share (a UNC path) instead of in the SQL database. This will
reduce the overall I/O overhead on the SQL Server. (For information about formatting the volumes.
Install the ObserveIT databases: By default, ObserveIT uses Microsoft SQL Server databases for
data storage. This storage includes user activity configuration data, user analytics data, textual
audit metadata and possibly the screenshots captured by the ObserveIT Agents for video replay.
Add the ObserveIT Application Server(s) machine account to the ObserveIT databases.
2. Edit the database installer configuration file to use file system storage for recorded graphic
screenshots.
5. Add the ObserveIT Application Server(s) machine account to the ObserveIT databases.
A functional SQL Server database is still required for storing all the recorded metadata, image
pointers, and configuration settings.
The DB install process can also be run directly on the SQL Server machine.
The diagram below shows the file server and the SQL database. The SQL database is installed after you
configure the file server.
Prerequisites
1. Connect to the computer where you downloaded and extracted the ObserveIT Setup files.
2. Run the SQLPackage.exe file located in the DB folder which was created when you extracted the
setup files from the archive.
3. Select the SQL Server on which to install the database. The details of the Server field are in the fol-
lowing format:
<ServerFQDN>\<InstanceName>,<Port>
For example:
SQLsrv.test.lab\ObserveIT,1433
4. If the account you are currently using is an SQL Server administrator, select Windows Authentic-
ation as the authentication method. Otherwise, select SQL Server Authentication and provide a
user name and password with privileges to create databases and user accounts. If you select Win-
dows Authentication, you will need to perform additional tasks.
If the connection is successful, the installation will proceed. If not, check the connectivity to the
SQL server and make sure the connection string is correct.
Hint: Check the Windows Firewall on the SQL Server and either turn it off, or add the relevant rules
to allow SQL Server connectivity (TCP port 1433), check protocol bindings (TCP/IP must be
enabled), and check the SQL Server listening port.
Warning – Unable to create ObserveITUser (ObserveITUser Name: ObserveITUser)! (User does not
have permission to perform this action.) Press OK if you wish to continue anyway.
If you did not receive this error, it means that the ObserveIT service account has SYSADMIN
permissions on the SQL Server. It is strongly suggested that you stop the installation at this
phase, delete the resulting databases, change the ObserveIT service account permissions
to DBCREATOR, and then re-execute the database installer program. While, by itself, this is
not a problem, the result is that the ObserveIT database and the subsequent connection
strings used by all the ObserveIT components will use the “ObserveITUser” account in SQL
Server instead of the ObserveIT service account. To fix this issue you will need to manually
change the connection strings and change the SQL Server database settings. Contact sup-
port for information on how to perform these changes.
The message .ObserveIT database successfully installed appears.
7. Acknowledge the message the message ObserveIT database successfully installed. When the 4
databases are created, the window closes.
1. Connect to the computer where you downloaded and extracted the ObserveIT Setup files.
2. Run the SQLPackage.exe file located in the DB_Analytics folder which was created when you extrac-
ted the setup files from the archive.
3. Select the SQL Server on which to install the database. The details of the Server field are in the fol-
lowing format:
<ServerFQDN>\<InstanceName>,<Port>
For example:
SQLsrv.test.lab\ObserveIT,1433
4. If the account you are currently using is an SQL Server administrator, select Windows Authentic-
ation as the authentication method. Otherwise, select SQL Server Authentication and provide a
user name and password with privileges to create databases and user accounts. If you select Win-
dows Authentication, you will need to perform additional tasks.
5. From File Explorer, navigate and open the DB_Analytics folder and double-click the SQLPackage file.
6. Click Run.
Hint: Check the Windows Firewall on the SQL Server and either turn it off, or add the relevant rules
to allow SQL Server connectivity (TCP port 1433), check protocol bindings (TCP/IP must be
enabled), and check the SQL Server listening port.
Warning – Unable to create ObserveITUser (ObserveITUser Name: ObserveITUser)! (User does not
have permission to perform this action.) Press OK if you wish to continue anyway.
If you did not receive this error, it means that the ObserveIT service account has SYSADMIN
permissions on the SQL Server. It is strongly suggested that you stop the installation at this
phase, delete the resulting databases, change the ObserveIT service account permissions
to DBCREATOR, and then re-execute the database installer program. While, by itself, this is
not a problem, the result is that the ObserveIT database and the subsequent connection
strings used by all the ObserveIT components will use the “ObserveITUser” account in SQL
Server instead of the ObserveIT service account. To fix this issue you will need to manually
change the connection strings and change the SQL Server database settings. Contact sup-
port for information on how to perform these changes.
The message .ObserveIT database successfully installed appears.
1. Connect to the SQL server or to a computer with SQL Management Studio installed.
4. Select Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, choose SQL Server Authentication and log in with a sysadmin-level account.
5. Click Connect.
6. In the Microsoft SQL Server Management Studio, Expand Databases. You should see five new
ObserveIT databases.
8. Right-click the ObserveIT Service Account user – in this example, OITServiceAccount – and select
Properties.
10. Under User mapped to this login click the ObserveIT database.
This topic describes how to move the ObserveIT database files to designated drives.
The following steps assume two designated drives are present at the SQL machine. In the
example, the database drive is assigned the drive letter E:, while the log drive is assigned the drive
letter F:.
1. Connect to the SQL server or to a computer with SQL Server Management Studio installed.
3. Type in the SQL server's FQDN or IP address into the Server name field.
4. Select Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, choose SQL Server Authentication and log in with a sysadmin-level account.
5. Click Connect.
This action will stop all ObserveIT databases and will cause downtime for all ObserveIT services.
USE MASTER;
GO
SET SINGLE_USER
GO
GO
USE MASTER;
GO
SET SINGLE_USER
GO
GO
USE MASTER;
GO
SET SINGLE_USER
GO
GO
USE MASTER;
GO
SET SINGLE_USER
GO
USE MASTER;
GO
SET SINGLE_USER
GO
GO
8. Format 2 new disks in the machine. See "Formatting a Disk for Graphic Images Storage and the
Database" on page 14
In the example below: disk E: for the database data files and disk F: for the database log
files.
From File Explorer, navigate to disk E:.
13. If prompted Do you want to allow this app to make changes to your device? click Yes.
18. Paste the following code into the New Query window:
CREATE DATABASE [ObserveIT_Data] ON
( FILENAME = N'E:\MSSQLDATA\ObserveIT_Data_Data.mdf' ),
( FILENAME = N'F:\MSSQLLog\ObserveIT_Data_Log.ldf' )
FOR ATTACH
GO
( FILENAME = N'E:\MSSQLDATA\ObserveIT_Data.mdf' ),
( FILENAME = N'F:\MSSQLLog\ObserveIT_Log.ldf' )
FOR ATTACH
GO
( FILENAME = N'E:\MSSQLDATA\ObserveIT_Analytics_Data.mdf' ),
( FILENAME = N'F:\MSSQLLog\ObserveIT_Analytics_Log.ldf' )
FOR ATTACH
GO
( FILENAME = N'E:\MSSQLDATA\ObserveIT_Archive_1_Data.mdf' ),
( FILENAME = N'F:\MSSQLLog\ObserveIT_Archive_1_Log.ldf' )
FOR ATTACH
GO
( FILENAME = N'E:\MSSQLDATA\ObserveIT_Archive_Template_Data.mdf'
),
( FILENAME = N'F:\MSSQLLog\ObserveIT_Archive_Template_Log.ldf' )
FOR ATTACH
GO
To ensure optimal database health and performance, add the automated maintenance procedure for
your ObserveIT databases.
1. Connect to the machine containing the ObserveIT database or the machine where SQL Server Man-
agement Studio is installed.
If prompted How do you want to open this file? choose SQL Management Studio or SSMS. Click
OK.
5. Open SQL ServerManagement Studio, specify the server name, authentication type and Login and
Password to the ObserveIT SQL instance (if connecting via SQL Server Authentication). Click
6. Return to the File Explorer window. From File Explorer, select and double-click OIT-DB-Maint-
Create-Jobs.sql file.
If successfully completed, a confirmation message appears under the Messages pane. Ignore any
warnings received.
You need to prepare Internet Information Services (IIS) for installing ObserveIT Web applications.
If you have multiple Application Servers and/or a separate Web Console machine, you need to configure
IIS for each machine.
Related Topics:
For further details, refer to the Microsoft Knowledge Base article, see How to implement SSL in IIS.
However, most operating systems are preconfigured to trust a list of known 3rd-party CAs. This facilitates
deployment since you do not need to import anything to the computers running the ObserveIT Agents.
To avoid paying for a digital certificate, you can use an internal CA. Note that Windows Server 2008/2012
has a built-in CA that you can install and use.
In cases where an internal CA is not required, or where such a deployment cannot be achieved, you can
also use a Self-Signed Digital Certificate.
After a digital certificate is obtained, you must import the root CA digital certificate or the self-
signed digital certificate to each client computer running the ObserveIT Agent, so that they trust
your digital certificate source.
Digital Certificate Common Name
1. When issuing a digital certificate for the ObserveIT Application Server, you must make sure that
the Common Name field or the Issued to field on that certificate contains the same name as the
URL of the ObserveIT Application Server.
server100.mydomain.local
Then the same exact name MUST be used when issuing the digital certificate for the ObserveIT
Application Server.
2. When connecting to the ObserveIT Application Server, an IP address can be used instead of an
FQDN. If the following IP address is used by the ObserveIT Agents to connect to the ObserveIT
Application Server:
192.168.200.33
The same exact IP address MUST be used when issuing the digital certificate for the ObserveIT
Application Server.
3. at ObserveIT.ClientSetupActions.ClientInstaller.Install(IDictionary stateSaver)
4. If you do not follow these guidelines, an error message similar to one of the following appears:
at ObserveIT.ClientSetupActions.ClientInstaller.Install(IDictionary stateSaver)
-Or-
System.Net.WebException: The underlying connection was closed: Could not establish trust rela-
tionship with remote server.
at System.Net.HttpWebRequest.CheckFinalStatus()
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)
at System.Net.HttpWebRequest.GetRequestStream()
at ObserveIT.ClientSetupActions.Proxy.HeartBeatPrxClone.IsAlive()
While not viewable by the ObserveIT Agent, if you manually try to connect to the ObserveIT
Web Console while using an FQDN or IP address that does not match the one listed in the
server's SSL digital certificate, a warning appears in the Web browser, similar to that shown
in the following screenshot.
ObserveIT Recommendations:
Consult with your organization’s security team to learn what type of digital certificate best fits
your environment. When it is not possible to acquire a Certificate Authority certificate, a self-
signed certificate may be used.
In most instances, the Web Console is deployed on the only ObserveIT Application Server in a
smaller deployment or one of the ObserveIT Application Servers in case of a larger deployment. It
is also possible to deploy the ObserveIT Web Console on a separate server.
(The following assumes an Enterprise Certificate Authority certificate is used.)
1. From the Start menu and type mmc in the Run window. Enter.
If prompted Do you want to allow this app to make changes to your device? click Yes.
4. In the Certificates snap-in window choose Computer account and click Next.
5. In the Select Computer window, from Select the computer you want this snap-in to manage
options, select Local computer and click Finish.
8. Right-click Personal, select All Tasks and then Request New Certificate.
10. In the Select Certificate Enrollment Policy page select your enrollment policy (usually – Active Dir-
ectory Enrollment Policy) and click Next.
11. In the Request Certificates page select the certificate type (usually – Computer) and click Enroll.
13. Confirm the newly-created certificate exists, ffrom the console, select Personal> Certificates.
3. In Connections area on the left, select the relevant server and double-click the Server Certificates
5. In the Specify a friendly name for the certificate field, enter a descriptive name for the certificate.
Click OK.
The application pool must be configured as Integrated in order to use it for the ObserveIT server-
side component.
You can create an application pool manually or use Powershell commands.
To create a new application pool in IIS 8.X for the Application server (Manual):
1. On the server running IIS, open IIS Manager from the Administrative Tools folder. Expand your
server name.
2. In the Managed pipeline mode column, select Integrated from the list.
3. Click OK.
If you have multiple Application Servers and/or a separate Web Console machine, you need to
repeat this process for each.
For example:
To create a new application pool in IIS 8.X for the Application server (PowerShell):
Open PowerShell as administrator and paste the following commands:
$WebSiteName = 'ObserveITApplication'
Import-Module WebAdministration
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 'C:\Program Files\Ob-
serveIT\Web\' -Bindings @{pro-
tocol="https";bindingInformation=":443:"}
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -
Value $WebSiteName
To create a new application pool in IIS 8.X for the ObserveIT Console (manual):
7. Navigate to the following path: C:\Program Files\ObserveIT\Web. Click the Web folder. Click OK.
If you cannot find the “ObserveITApplication” application pool make sure you properly cre-
ated the application pool before creating the website.
10. Click OK to save the changes and create the new website.
If you have multiple Application Servers, you need to repeat this process for each machine.
When modifying an existing website, you need to configure that website to use this new application pool,
as follows:
1. Select the existing website in the Sites list, and click the Advanced Settings link for that website.
2. In the Advanced Settings window, click the Application Pool section, and then click the [...] button
next to the existing application pool.
3. In the Select Application Pool window, from the Application pool list, select ObserveITApp.
4. Click OK
To create a new application pool in IIS 8.X for the ObserveIT Console (Automatic - PowerShell):
Open PowerShell as administrator and paste the following commands:
$WebSiteName = 'ObserveITApplication'
Import-Module WebAdministration
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 'C:\Program Files\Ob-
serveIT\Web\' -Bindings @{pro-
tocol="https";bindingInformation=":443:"}
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -
Value $WebSiteName
In a custom installation, you can create an additional website in IIS, and use this site to host the
ObserveIT Application and Web Management virtual directories. However, in order to run multiple web-
sites on the same IIS server, the listening IP address of each website, the listening TCP port of each web-
site, and/or the Host Header of each website, must remain unique.
To create a new website for the ObserveIT Application Server (Using the Wizard - Manual):
1. On the server running IIS, open IIS Manager from the Administrative Tools folder. Expand your
server name, then expand Sites.
3. Follow the steps in the Web Site Creation Wizard. Make a note of the listening IP address of the
new website, the listening TCP port of the new website, and/or the Host header of the new web-
site.
5. From the Application pool dropdown, select ObserveITApp and click OK.
If you cannot find the “ObserveITApplication” application pool make sure you properly cre-
ated the application pool before creating the website.
8. In the Binding area, in the Port field, change the port value from 80 to 443.
10. If you have multiple Application Servers, you need to repeat this process for each machine.
The result will be to have an identical website using the same name and application pool on the 2
machines that will act as the Application Servers.
To create a new website in IIS 8.x for the Application Server (Automatic - Powershell):
Open PowerShell as administrator and paste the following commands to execute above steps auto-
matically.
$WebSiteName = 'ObserveITApplication'
Import-Module WebAdministration
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 'C:\Program
Files\ObserveIT\Web\' -Bindings @
{protocol="https";bindingInformation=":443:"}
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -
Value $WebSiteName
CREATING A NEW WEBSITE IN IIS 8.X FOR THE OBSERVEIT WEB CONSOLE
You can create an additional website in IIS.
To create a new website for the ObserveIT Web COnsole(Using the Wizard - Manual):
1. On the server running IIS, open IIS Manager from the Administrative Tools folder. Expand your
3. Follow the steps in the Web Site Creation Wizard. Make a note of the listening IP address of the
new website, the listening TCP port of the new website, and/or the Host header of the new web-
site.
5. From the Application pool dropdown, select ObserveITWebConsole and click OK.
6. From the Physical path field, navigate to the following path: C:\Program Files\ObserveIT\Web.
Select the Web folder and click OK.
If you cannot find the “ObserveITWebConsole”application pool make sure you properly cre-
ated the application pool before creating the website.
8. In the Binding area, change the value from http to https. The value of the Port field will be auto-
matically changed from 80 to 443.
9. In the SSL certificate field select a certificate you have previously created.
To create a new website in IIS 8.x for the Application Server (Automatic - Powershell):
Open PowerShell as administrator and paste the following commands to execute above steps auto-
matically.
$WebSiteName = 'ObserveITWebConsole'
This Application server is installed after you install the database and file server.
Do not attempt to install ObserveIT server-side components over the network. Always use a local
copy of the installation files.
Installing ObserveIT Application Server (Manual)
1. Connect to the computer where you downloaded and extracted the ObserveIT setup files.
3. Right-click the Command Prompt shortcut icon and select Run as administrator.
If prompted Do you want to allow this app to make changes to your device? click Yes.
4. From the command line, as an administrator, navigate to the folder with the extracted ObserveIT
installer. Navigate to the Web folder.
9. In the Server field, enter the details of the SQL server, in the following format:
<ServerFQDN>\<InstanceName>,<Port>
10. Select the Windows Authentication radio button and enter the password for the current account
– the ObserveIT Service Account - in the Password field. Click Test Connection.
If the test is successful, a success message displays, and the Next button becomes available.
The following command assumes the ObserveIT installer is located under the C:\Temp\ObserveIT-_
Setup_v7.8.2.270 path. After the execution of the command, the installation will starts – just follow the
prompts.
iisreset /stop
Get-Service WAS | Start-Service
Start-Process msiexec -ArgumentList '/i', "C:\Temp\ObserveIT-_Setup_
v7.8.2.270\Web\AppServer\ObserveIT.AppServerSetup.msi", '/norestart',
'/l*v ObserveITWebConsole_setup.txt' -Wait
iisreset /start
5. Open the Find dialog. (Press CTRL+F on the keyboard.) Find RegisterApplicationServer
If the line does not exist or the word Done does not exist – the installation failed. Re-check the
installation requirements, particularly the permissions for the SQL logins.
Before installing an additional Application Server, you must obtain a valid license from the
ObserveIT Sales team.
When deploying more than one Application Server, you need to load balance the Agent connections with
the multiple Application Servers. You may use software-based load balancing solutions, such as Microsoft
Network Load Balancing (NLB), or hardware-based solutions, such as F5, Citrix NetScaler, or others. Con-
figuring steps for these solutions is a task that is beyond the scope of this document.
In most cases, the Web Console is installed on the same machine as the Application Server (the first one,
in case of multiple Application Servers). However, it’s also possible to configure a dedicated machine for
this.
Before you can verify the Web Console installation you must install the SQL Native client. This lets you
work with ObserveIT REST APIs.
1. Connect to the computer where you downloaded and extracted the ObserveIT setup files.
If unable to log in as the ObserveIT Service Account interactively, see Running elevated
Windows PowerShell prompt as a different user.
3. Right-click the Command Prompt shortcut found and choose Run as administrator.
5. Navigate to the folder with the extracted ObserveIT installer. Navigate to the Web folder.
For example:
c:\Users\OITServiceAccount\Desktop\ObserveIT_Setup_vx.x.x.xx\Web"
6. Run PreRequisite_nodeServices.exe.
7. Check the check box with the message I agree to install the following products and click Install.
9. Navigate to the folder with the extracted ObserveIT installer. Navigate to the Web\WebConsole
folder.
Choose whether you opt-out of ObserveIT collecting anonymous usage data of the Web Console
use.
15. In the Server field enter the details of the SQL server, in the following format:
<ServerFQDN>\<InstanceName>,<Port>
16. Click the Windows Authentication radio button and enter the password for the current account –
the ObserveIT Service Account - in the Password field. Click Test Connection.
If the test is successful, a success message displays, and the Next button becomes available.
https://download.microsoft.com/download/F/E/D/FEDB200F-DE2A-46D8-B661-
D019DFE9D470/ENU/x64/sqlncli.msi.
2. After downloading, execute sqlncli.msi , and follow the Wizard to complete the installation.
Open PowerShell as administrator and paste the following commands, substituting the relevant location.
The example below assumes the ObserveIT installer is located under the C:\Temp\ObserveIT-_Setup_
v7.8.2.270 path.
After executing the commands bwlow, the installation wizard will
start – just follow the prompts.
Start-Process "C:\Temp\ObserveIT_Setup_v7.8.2.270\Web\PreRequisite_
nodeServices.exe" -Wait
Start-Process "C:\Temp\ObserveIT_Setup_v7.8.2.270\Web\sqlncli-2012-
64-QFE.msi" -Wait
iisreset /stop
Get-Service WAS | Start-Service
Start-Process msiexec -ArgumentList '/i', "C:\Temp\ObserveIT_Setup_
v7.8.2.270\Web\WebConsole\ObserveIT.WebConsoleSetup.msi",
'/norestart', 'EXTRACTMICROSERVICES=True', '/l*v ObserveITWebConsole_
setup.txt' -Wait
iisreset /start
2. After downloading, execute the sqlncli.msi file, and follow the wizard to complete the installation.
Open PowerShell as administrator and paste the following commands to execute above steps auto-
matically.
The below command assumes the ObserveIT installer is located under the C:\Temp\ObserveIT-_
Setup_v7.8.2.270 path. After the execution of below command, the installation wizard starts – just
follow the prompts.
Start-Process "C:\Temp\ObserveIT_Setup_v7.8.2.270\Web\PreRequisite_
nodeServices.exe" -Wait
Start-Process "C:\Temp\ObserveIT_Setup_v7.8.2.270\Web\sqlncli-2012-
64-QFE.msi" -Wait
iisreset /stop
Get-Service WAS | Start-Service
Start-Process msiexec -ArgumentList '/i', "C:\Temp\ObserveIT_Setup_
v7.8.2.270\Web\WebConsole\ObserveIT.WebConsoleSetup.msi",
'/norestart', 'EXTRACTMICROSERVICES=True', '/l*v ObserveITWebConsole_
setup.txt' -Wait
iisreset /start
5. Open the Find dialog. (Press CTRL+F on the keyboard.) Find RegisterWebConsole.
If the line does not exist or the word Done does not exist – the installation failed. Re-check the
installation requirements, particularly the permissions for the SQL logins created previously in this
guide.
The Screenshots Storage Optimizer can be installed anywhere on the same domain as the
ObserveIT Application server and Web Console. It must have access to the “Hot” and “Warm”
storage folders. More specifically, we recommended installing it directly to the SSD-based "Hot"
storage drive where the "Hot" storage folder is configured.
Installing the Screenshot Storage Optimizer (Manual)
1. Connect to the Web Console machine, where you downloaded and extracted the ObserveIT
Installer.
3. Navigate to ObserveIT_Setupv.xx > Screenshots Storage Optimizer folder and click Screen-
shotsStorageOptimizer installer. Follow the Wizard.
2. Click Next.
3. Install in the default folder or browse to the folder you want. Click Next.
The diagram below shows the configuration including the Web Categorization module.
To download the initial data and receive updates directly from NetSTAR cloud service, your
machine (that is, the server on which the Website Categorization module is installed), you must
have Internet access.
If you don’t have Internet access you can use an HTTP proxy that will provide Internet
access and allow the data download.
Make sure that port number 443 is open, and that the URL https://nsv10.netstar-inc.-
com/gcfus/get.cgi (that the module needs to access NETSTAR for initial data download and daily
database updates) is not blocked by the Firewall.
Open port 8000 between the Application server and the Website Categorization.
Custom installation installs the Website Categorization module via a separate installation file.
System events related to installation of the Website Categorization module and download of the
web categories database are generated by the system. For details, see Event Types.
1. On the ObserveIT Application Server, open Windows Explorer and browse to the ObserveIT Install-
ation folder.
2. Open the WebsiteCat folder and double-click the WebsiteCat_Setup Installer package.
The installation process searches for the installed ObserveIT SQL Server database. The following
message is displayed:
If after gathering information, the ObserveIT database was not found, the following message is dis-
played:
SQL Server with ObserveIT databases was not found.
The installation checks whether the module is already installed on this machine; if it is, you can
repair or remove it.
If the module is not already installed, the Website Categorization Installation wizard opens, dis-
playing the following information.
5. Select the SQL Server with which the module will interact (the drop-down list includes SQL Servers
which are already installed).
Upon successful installation of the module, the last screen of the wizard displays:
The below command assumes the ObserveIT installer is located under the C:\Temp\ObserveIT-_
Setup_v7.8.2.270 path. Replace the location with the location of ObserveIT installer you are using.
Related Topics:
If prompted Do you want to allow this app to make changes to your device?, click Yes. Select File
> Open.
5. In Notepad, change the file type from Text Documents (*.txt) to All Files (*.*).
7. In the # Proxy Settings section, locate the PROXY_HOST= string. Enter the IP address or the FQDN
of the proxy server after the = sign.
8. Locate the PROXY_PORT= string. Enter the port of the HTTP or HTTPS proxy after the = sign.
12. If prompted Do you want to allow this app to make changes to your device?, click Yes. Select File
> Open.
13. Paste the following command into the PowerShell window and press the Enter key:
Get-Service WebsiteCat.Manager,GCF1Service | Restart-Service -
Force
14. It is safe to close the PowerShell window now. A download window may appear. Do not close the
new window until the operation is complete.
ObserveITNotificationService
ObserveIT Health Monitoring Service
ObserveIT Analytics Service
Screenshots Storage Optimizer
GCF1Service
WebsiteCat.Manager
5. Verify the Log On As column reflects the ObserveIT Service Account identity. If it does not, follow
the rest of this procedure. Otherwise, verify the ObserveIT Service Account identity for other
ObserveIT services.
10. In the Enter the object name to select field, type OITServiceAccount. Click OK.
11. In the Password and Confirm password fields enter the password for the ObserveIT Service
Account user.
12. Click OK. If a message pops up that the user OITServiceAccount has been granted the Log on as a
service rights, click OK.
13. Right-click the ObserveIT Activity Alerts Service and click Restart.
14. Perform steps 5-12 on the remaining 3 ObserveIT services – 4 total – named ObserveIT Health Mon-
itoring Service, ObserveIT Notification Service and ObserveIT User Analytics Service.
Set-OITAccount
1. Open your preferred Web browser. In the address bar type the URL address of your ObserveIT
Web Console in the format:
https://<WebConsoleServerAddressFQDN>/ObserveIT
For example:
https://oitsrv1.oit-demo.local/ObserveIT
2. The browser window opens and you are prompted to set the password for the admin user.
3. In the Password and Confirm Password fields enter the password for the ObserveIT Admin user
account.
This license is generated at the customer's request by ObserveIT's support staff, and represents the num-
ber of Agents (monitored servers) that were purchased by the client.
If you are installing ObserveIT for a client that has not yet received the full paid license, you can tem-
porarily use the free time-limited license, and later upgrade the license to the paid one.
Some full paid licenses have a time limit. If a license has a time limit, a notification is displayed at
the top of the screen in the Web Console showing the number of days left till the expiration date,
and a hyperlink to contact the ObserveIT website at: http://www.observeit.com/request-pricing
in order to request a license extension. If a time-limited license is due to expire in less than 30
days, the message will appear highlighted in the Web Console.
To obtain and activate a Commercial License
Make sure that you use a corporate valid email address. Free email hosting addresses, such
as Hotmail or Gmail, will not be accepted.
3. Obtain a valid serial number which is generated at the customer's request by ObserveIT's sales
staff, and represents the number of Agents (or monitored servers) that were purchased by the cli-
ent.
When using the default TCP port 4884, use the following URL to connect to the ObserveIT Web
Console: http://servername:4884/ObserveIT, where servername is the name or IP of the server on
which the ObserveIT Web Console is installed.
5. In the Web Console, open the License page by selecting Configuration > License.
Note If the current license has a time limitation, the expiration date and number of days left
until the expiration date are included in the License information, as shown below. In addi-
tion, a notification appears at the top of the screen with a hyperlink to contact the
ObserveIT website at: http://www.observeit.com/request-pricing for details about extend-
ing the license.
7. Paste the Serial Number and click the Generate Registration Key button.
8. Copy the registration key, paste it into a new email message, and send it back to sales@ob-
serveit.com.
You will receive an automated email containing a license file in the format of a .lic file.
9. In the License File section of the Activate Software page, click Browse to find the license file that
was provided to you by the ObserveIT sales team.
10. Click the Activate button to use the specified license file.
After your product has been activated, the Web Console Login screen will immediately open.
Total Number of RegisteredAgents shows the number of licenses that were purchased by the cli-
ent.
Workstations: Licensed computers running the Workstation type license. This license is for com-
puters running Windows Vista/7/8/10 and Mac operating systems.
Endpoints: Licensed computers running the Server type license. This license is for computers run-
ning Windows Server 2008/2008 R2/2012/2012 R2.
Terminal Services: Licensed computers running the Terminal Server type license. This license is for
computers running Windows Server 2008/2012 with the Terminal Services role installed, or for
Sites: Licensed computers running the Site type license. This license is for computers running any
version of Windows operating system.
In this context, "Servers" relates to the operating system type that is installed on the monitored
endpoint.
The client can install additional Agents for the type of license that they have, providing that they have
available licenses.
For example: If the client bought 50 Workstation licenses and 25 Server licenses, they can install up to 50
Agents running on Windows Vista/7/8/10, and up to 25 Agents running on Windows Server 2008/2008
R2/2012. If the client wants to install an additional Workstation Agent or an additional Server Agent, they
cannot do so, because no free Agents remain. However, if the client bought 75 Site licenses, they can
install these 75 Agents on any type of operating system (Windows or Unix), as long as the total number of
Agents does not exceed the 75 licenses. If the client has already used up all the available licenses for that
type of Agent, to install an additional Agent the client must uninstall and unregister one existing Agent
(which will free up one license, making it available for a new machine), or purchase at least one additional
license based upon the required installation type.
The LDAP connector enables usage of Active Directory-based users and groups for various system set-
tings, such as:
1. From the the ObserveIT Web Console, select Management Console. Then select Configuration>
LDAP Settings.
2. From the LDAP Settings tab, in the Automatic LDAP Target area, select Detect Domain
If the Domain path and credentials are valid, the connection will be added to the LDAP Target List.
The LDAP Target type will be set to Auto.
The Detect Domain Membership button is grayed out and cannot be used again, because
the endpoint can be a member of only one domain.
The Web Console is responsible for sending emails from ObserveIT. Allow the Web Console to send email
via your email server.
2. Select Management Console at the top of the screen, select Configuration > SMTP Settings.
4. In the Mail From field, enter the email address which will identify the sender of ObserveIT noti-
fications.
5. Optional: In the User Name and Password fields enter credentials for the account authorized to
send emails using the specified email server.
7. To verify ObserveIT can successfully send emails, enter a working email address in the Email
Address field and click Send.
If the verification is successful, a Successfully Verified message appears and you should receive an
email from an email address specified in the Mail From field.
For most deployments, it is essential to store the screenshot data directly on a file system (such as NTFS).
This procedure describes how to move the default storage location to the file system.
4. Select On fast SSD-based hard drive (Hot Storage) for live sessions, and then signed sessions on
standard hard drive (Warm Storage).
5. Specify the Hot Storage path, the Warm Storage path, and the Archive path.
By default, ObserveIT Agents communicate with the ObserveIT Application Server by using the HTTP pro-
tocol.
As a built-in security mechanism, the ObserveIT Agents and Application Server use a token exchange
mechanism to prevent session hijacking and replay, and to encrypt the data communication. The security
mechanisms for this communication include encryption (Rijndael), digital signing, and token exchange.
Between the Application Server and the file share holding the graphic images (IPsec)
If you are deploying more than one Application Server, you must use a network load balancing
product. This can be a software-based load balancing solution such as Microsoft Network Load
Balancing (NLB), or hardware-based solutions such as F5, Citrix NetScaler, or others. In that case,
the digital certificate used for this traffic must be identical for all Application Servers, which can be
achieved by creating it on the first Application Server, exporting it (including the private key), and
importing it to the other Application Servers.
REQUIREMENTS
HTTPS can be used on the ObserveIT website (either optional or mandatory) to protect the data trans-
ferred by the Agents to the ObserveIT Application Server.
If you plan to deploy more than one Application Server, you must use a network load balancing product.
This can be a software-based load balancing solution such as Microsoft Network Load Balancing (NLB), or
hardware-based solutions such as F5, Citrix NetScaler, or others. In that case, the digital certificate used
for this traffic must be identical for all Application Servers, which can be achieved by creating it on the first
Application Server, exporting it (including the private key), and importing it to the other Application Serv-
ers.
Required steps to enable traffic encryption between the ObserveIT Agents and the Application Server:
1. Connect to the ObserveIT Web Console machine and if you need, request or create a digital cer-
tificate.
3. Type IIS, select the Internet Information Services (IIS) Manager. Enter.
6. Click Add.
9. Under SSL certificate select the certificate you have created or acquired.
10. Click OK to create the bindings. Click Close to close the window.
When enabling HTTPS encryption on an existing ObserveIT installation, with existing ObserveIT
Agents, remember that removing an existing, non-encrypted binding, will cause existing
ObserveIT Agents to cease communications with the ObserveIT Application Server. It is recom-
mended to leave as-is the previous, non-encrypted binding at this point.
During the ObserveIT Agent deployment, in the Enter Application Server Location screen, set the
value for Type field to https. Specify the server's FQDN in the Server Name field.
If using self-signed certificates, ensure the certificates are trusted by both parties. You can skip this
step if certificates from Enterprise Certificate Authority are used.
If a firewall is enabled on the ObserveIT Application Server, ensure the correct incoming port is
allowed in the firewall settings.
To make changes to the ObserveIT Database for enabling HTTPS on the Agents:
1. Connect to the SQL server or to a computer with SQL Management Studio installed.
3. Type the SQL server's FQDN or IP address into the Server name field.
4. Select Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, select SQL Server Authentication and log in with a sysadmin-level account.
5. Click OK to connect.
6. From the File menu, click New and Query with Current Connection.
7. To Check the current connection URL, copy and paste the following code into the Query window:
Use ObserveIT
9. Paste the following code into the query window, where NEW_APP_SERVER_URL is the new
address, with the HTTPS connectivity specified, and OLD_APP_SERVER_URL is the address currently
in use.
Use ObserveIT
UPDATE dbo.ServerConfiguration
SET PropertyValue = '<NEW_APP_SERVER_URL>'
WHERE PropertyId = 4
AND PropertyValue = '<OLD_APP_SERVER_URL>'
For example:
Use ObserveIT
UPDATE dbo.ServerConfiguration
SET PropertyValue = 'https://oitsrv1.oit-
demo.local:10443/ObserveITApplication'
WHERE PropertyId = 4
AND PropertyValue = 'http://oit-srv1.oit-
demo.local:4884/ObserveITApplication'
3. In the Site Bindings dialog box, select the https protocol and click Edit.
5. In the Certificate dialog box, select the Certification Path tab, select the root CA certificate, and
click View Certificate.
9. Click Browse, and specify the name of the file to which you want to export the certificate.
10. Click Next, and then click Finish to close the Certificate Export Wizard.
11. In the message box stating that the export was successful, click OK.
The list of certificates displays. A red X indicates that the certificate is not trusted, for example,
tsta-SERVER1-CA in the list below.
3. In the Site Bindings dialog box, select the https protocol and click Edit.
5. In the Certificate dialog box, select the Certification Path tab, select the root CA certificate, and
click View Certificate.
9. Click Browse and specify the name of the file to which you want to export the certificate.
10. Click Next and then click Finish to close the Certificate Export Wizard.
11. In the message box stating that the export was successful, click OK.
1. You must transfer the exported certificates to the /certs directory of the appliance, using SCP/FTP
or any other protocol.
2. If you are transferring the files using WinSCP, the file permissions might have changed. To verify
the file permissions, run the command: ls -la
The output should look like: -rw-r--r--.
If the output looks different, change the file permissions so that "user", "group", and "other" will
have read permissions. Run the following command to make the changes: chmod w+r or chmod
o+r.
1. Extract the certificate's hash, and use it as a symbolic link to the certificate:
ln -s certificate.pem 'openssl x509 -in certificate.pem -noout -hash'.0
Or
If you need to use a point in time recovery option – use Full recovery model instead, which is the
default configuration option. No changes need to be made. For more information, see Full Data-
base Backups (SQL Server) MSDN article: https://msdn.microsoft.com/en-AU/lib-
rary/ms186289.aspx.
1. Connect to the SQL server or to a computer with SQL Server Management Studio installed.
3. Type in the SQL server's FQDN or IP address into the Server name field.
4. Choose Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, choose SQL Server Authentication and log in with a sysadmin-level account.
5. Click Connect.
3. Type in the SQL server's FQDN or IP address into the Server name field.
4. Choose Windows Authentication if your account has sysadmin permissions on the SQL server.
Otherwise, choose SQL Server Authentication and log in with a sysadmin-level account.
5. Click Connect.
Formatting NTFS
When using an NTFS volume for ObserveIT image store, the drive containing the images may become frag-
mented and reach a limit where no further file operation will be available. To avoid this condition, format
the drive with support for large file size records.
2. Open the Start menu and type in COMPMGMT.MSC. Press the Enter.
3. In the Computer Management window, expand Storage , and click Disk Management.
4. Find the new disk in the list. Usually, it is the only one with the status Offline.
7. Click the GPT (GUID Partition Table) radio button and click OK.
9. Click Next.Make sure maximum the values specified in the Maximum disk space in MB and Simple
volume size in MB are equal. Click Next.
11. Click the Format this volume with the following settings radio button and select NTFS.
17. Type in CMD. Right-click the Command Prompt shortcut and click Run as administrator.
18. If prompted Do you want to allow this app to make changes to your device? click Yes.
20. If asked to specify current volume name, enter it and press Enter.
22. At the Volume label prompt enter a volume label, if required, and press Enter.
24. Type EXIT and press Enter to exit the command prompt.
Using PowerShell
Windows PowerShell is a command-line shell for system administrators. You can use it for many of the
installation procedures. It allows you to automate processes that might take more time manually.
To start PowerShell, from the Start menu, type powershell and Enter.
This will allow you to run ObserveIT installers as the ObserveIT Service Account.
1. In the PowerShell window, type in the following command, replacing Domain\Account with the
NETBIOS name of your Active Directory domain and the account name for the ObserveIT Service
Account:
Start-Process powershell.exe -Credential "DOMAIN\account" -
NoNewWindow -ArgumentList "Start-Process powershell.exe -Verb
runAs"
Enter.
2. In the Windows Security window enter the credentials of the ObserveIT Service Account.
3. Click OK.
If prompted Do you want to allow this app to make changes to your device? click Yes.
A new elevated PowerShell window will start running as the ObserveIT Service Account.