Installation Instructions for iHR and ISS
These instructions explain how to install Apex's software products.
To skip these instructions and install everything on one computer,
click here
to complete a typical single-user installation.
If you have any questions then call (317) 225-4415 or e-mail tsupport@iHRsoftware.com.
1. Planning Installation
The software contains two core components: a SQL Server Database and a client, and the software contains three optional components:
a Web add-on (ISS), a file share that holds attachments, and a service that e-mails reminders and tasks (e-mailer service).
In a typical single-user installation,
the Database and client are installed on the same computer. In a typical client/server installation,
the Database, file share, e-mailer service, and Web add-on are installed on one server, and the client is installed on each
end-user's workstation.
Apex strongly recommends that you avoid installing ISS on a domain controller or a server that runs Microsoft Small Business Server.
If that recommendation is not followed then Apex reserves the right to deny security-related support for ISS.
Table 1 lists the system requirements for the server and client components.
You may install all of the server components on one computer, or you may install them separately.
The client uses an auto-update function that is similar to Windows Updates.
For auto-updates to work, each user needs write permissions on their local folder, c:\Program Files\Apex\iHR, and firewalls must allow SOAP messages over HTTP port 80 to/from 64.199.129.131.
Apex recommends that all of the workstations, users, and server(s) are joined to the same Windows AD domain.
Apex provides an alternative update package for network administrators who prefer to disable the auto-updates and control the installation of software revisions. See
http://iHRsoftware.com/updateHistory.aspx for more information.
Table 1. System Requirements
| Component |
Prerequisites |
Client/Server |
Permissions |
Additional Memory (MB) |
Additional Hard Drive Space (MB) |
| Apex Client |
Windows 98, 2000, XP, 2003 or Vista
.NET Framework 1.0 or better
| Client |
- Users require read/write on registry key, HKEY_CURRENT_USER
-
Updates require full permissions on Apex program installation folder
-
Auto-updates require SOAP messages over HTTP port 80 to/from 64.199.129.131
|
64 |
10 |
| Database |
Windows 2000, XP, 2003 or Vista
SQL Server: MSDE, Express, 2000 or 2005
Express requires .NET Framework 2.0 or better
|
Server |
Default SQL Server installation permissions
|
128 |
500 |
| Share for File Attachments |
Windows 98, 2000, XP, 2003 or Vista
All clients must be able to use a UNC path to access share |
Server |
- Typically, HR has full permissions over the share
- HR assistants need read/write/create
-
Managers may need read on folders for individual employees
|
0 |
4000 |
| Task E-mailer Service |
Windows 98, 2000, XP, 2003 or Vista
Relay Access to SMTP Server
.NET Framework 1.0 or better |
Server |
Service must run under an account that can read apexTaskEmailer.xml in the program installation folder |
10 |
10 |
| Instant Self Serve |
Windows 2000, XP, 2003 or Vista
Internet Information Services
.NET Framework 1.0 or better |
Server |
Depends on SQL Authentication or Windows Authentication. See ISS, section 7. |
128 |
10 |
Table 2 lists server configurations for a typical client/server installation. In the recommended configuration, performance is balanced with cost. The
recommended configuration uses two IDE drives:
one drive holds system files and the SQL Server transaction log. The other hard drive holds the database and the network share for the file attachments.
Table 2. Server Configurations
| Component |
Minimum |
Recommended |
Best Performance |
| Microprocessor | P3 | 2x Dual Core | 4x Quad Core Processors |
| RDMS | MSDE | SQL Server 2000 | SQL Server 2005 |
| OS | Windows 2000 | Windows XP Pro | Windows 2003 Server |
| RAM | 500M | 1G | 2G |
| Hard Drive | IDE 40G | IDE 2x40G | RAID SCSI/SAS 4x20G |
2. Database Server Installation
The database server requires Windows 2000 or better.
If you use a Windows domain then the server should be a member of the domain.
The procedure for server installation depends on whether or not you are attaching the database to an existing SQL Server 2000 or 2005.
2.1. Attaching the Database to an Existing SQL Server
If your server already runs SQL Server 2000 or 2005 then log on to your SQL Server as an administrator. Download the compressed database backup file...
http://iHRsoftware.com/FTP/iHRDb.zip (3M)
Extract the file and use Enterprise Manager to restore it as a database named IHR. During the restore, you may want to change the locations of the mdf and ldf files.
2.2. "No SQL Server" Installation
If SQL Server 2000 or 2005 is unavailable then log on to the server as an administrator. Download and run the self extracting executable...
http://iHRsoftware.com/FTP/iHRSetup.exe (16M)
The installer will open. Click Advanced Server Installation.
IMPORTANT! With the No SQL Server installation, append \IHR to the server's name when the system prompts you for the name of the database server.
If your server were named MyServer then you would enter MyServer\IHR
3. Client Installation
Client installation depends on whether or not the target workstation has .NET Framework 1.0 or better installed.
3.1. .NET Framework 1.0 or Better Is Already Installed
For every workstation with .NET Framework 1.0 or better, log on with an account that has local administrative permissions. Download and execute the file...
http://iHRsoftware.com/FTP/ApexSetup.msi (8M)
The installer will open. Click Next until it finishes. After the installer finishes, the client will open. When prompted, enter the name of the database server and choose Windows Authentication. After you log in, the software may prompt you to enter the key code from your e-mailed sales receipt. Enter your key code if prompted and close the software. You can open the software later by clicking Start > Programs > Apex.
3.2. .NET Framework 1.0 or Better Is Not Installed
For every workstation without .NET Framework 1.0 or better, log on with an account that has local administrative permissions. Either use Windows Update to install the latest .NET framework and then follow the instructions from the last section, 2.1, or download and execute the file...
http://iHRsoftware.com/FTP/iHRSetup.exe (16M)
The installer will open. Click Additional Client Installation. When prompted, click Next until the installer finishes. After the installer finishes, the client will open. When prompted, enter the name of the database server and choose Windows Authentication. After you log in, the software may prompt you to enter the key code from your e-mailed sales receipt. Enter your key code if prompted and close the software. You can open the software later by clicking Start > Programs > Apex.
3.3. Enabling Auto-Updates
For auto-updates to work, each user needs write permissions on their local folder, c:\Program Files\Apex\iHR, and firewalls must allow SOAP messages over HTTP port 80 to/from 64.199.129.131.
Auto-update failures are logged to the user's Application event log. If you use Microsoft's ISA or a similar firewall then copy the pinhole for Microsoft updates and change it to 64.199.129.131.
4. Configuring File Attachments and Portraits
iHR can associate files like portraits, resumes, and MS Office documents with an employee. If you choose to take advantage of this feature then use Windows Explorer and/or Computer Management to create a network share that will hold the documents. Set appropriate security on the share, and enter the share's UNC path into the software.
To enter the UNC path, log on as an administrator and open the client. Click Company > Settings. Click the File Associations tab. Enter the UNC path. On that same tab, you can also edit the subfolders that will be created for each employee. Note that iHR does not automatically manage the security on any of those folders.
5. Configuring Security
Before you configure security, decide whether users will use Windows Authentication or SQL Authentication.
Windows is preferred because, after the initial setup, it allows you to use Active Directory to control accces.
Unlike Windows Authentication, SQL Authentication requires that you create a new SQL login for each user.
Note that Windows Authentication requires that all of the users are enrolled in the same domain as the computer that hosts the SQL Server.
To set up typical security for Windows Authentication, read Section 5.1.
To set up typical security for SQL Authentication, read Section 5.2.
For additional security information refer to the help manual at http://iHRsoftware.com/ftp/help.doc.
5.1. Setting up Security for Windows Authentication
Typical security setup for Windows Authentication requires that you create an AD group,
join it to the db_owners role,
confirm the permissions on the public role,
and then associate Windows Accounts with Apex employee records.
If you will install Instant Self Serve then you must also grant database access to the staff by clicking Company > Security and adding the Domain Users role.
5.1.1. AD Group for HR Administrators
Create an AD group that holds all of the users who need full access to the database.
To create it, open Active Directory and create a group named something like "HR Admin" and join the necessary users.
Then, in Apex, click Company > Security and open the security window. Click Add Windows User or Group. Enter the name of the AD group in the format domain\group.
Save it. Then click the tab named Membership and click the checkbox named db_owner. Save your changes.
5.1.2. Public Role for Managers and Their Staff
The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then
click the tab named Permissions. In the select box named Scope, select
"User Viewing Self". These permissions define what a user can see about himself. Now select "User Viewing Subordinates".
These permissions define what a user can see about his subordinates. (The software identifies the user's subordinates based on the Manager
select box that is found on each person's General tab.)
5.1.3. Associating Windows Accounts with Apex Employee Records
For each user, associate his Windows Account with his employee record so that Apex
can correctly match "self" and "subordinate" permissions.
You can manually enter the Windows Accounts by opening each person and entering their domain\account in the Security Account field on theirGeneral tab.
Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the Windows Accounts for everyone
on one screen (click Apply often).
Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.
-- Adds access for windows accounts: john doe --> YOURDOMAIN\jdoe
-- Sets work e-mail address based on account name
-- Associates each user account with the correct Apex employee record
USE IHR
DECLARE @username varchar(50), @person_id int, @wdomain varchar(50), @edomain varchar(50)
SET @wdomain='CHANGE_ME_TO_YOUR_WINDOWS_DOMAIN'
SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'
DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), PersonID FROM Person
OPEN p_cursor
FETCH p_cursor INTO @username, @person_id
WHILE @@FETCH_STATUS = 0
BEGIN
PRINT @login
UPDATE Employee SET [SID] = SUSER_SID(@wdomain + '\' + @username) WHERE EmployeeID = @person_id
UPDATE Person SET [Work E-mail] = @username + '@' + @edomain WHERE PersonID = @person_id
FETCH p_cursor INTO @username, @person_id
END
CLOSE p_cursor
DEALLOCATE p_cursor
5.2. Setting up Security for SQL Authentication
Typical security setup for SQL Authentication requires that you create a SQL login for each administrative user,
join the logins to the db_owners role,
confirm the permissions on the public role,
create a SQL login for each user,
and then associate the SQL logins with Apex employee records.
5.2.1. Creating SQL Logins
Click Company > Security. Click Add SQL Login. Enter the login and password. Click Save. If this login should have full permissions then
click the tab named Membership and click the checkbox named db_owner. Save your changes and repeat these steps for each user.
5.2.2. Public Role for Managers and Their Staff
The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then
click the tab named Permissions. In the select box named Scope, select
"User Viewing Self". These permissions define what a user can see about herself. Now select "User Viewing Subordinates".
These permissions define what a user can see about her subordinates. (The software identifies the user's subordinates based on the Manager
select box that is found on each person's General tab.)
5.2.3. Associating SQL Logins with Apex Employee Records
For each user, associate his login with his employee record so that Apex
can correctly match "self" and "subordinate" permissions.
You can manually enter the logins by opening each person and entering their SQL login in the Security Account field on their General tab.
Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the SQL login for everyone
on one screen (click Apply often).
Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.
-- Creates SQL Logins with SSN as the password for each employee: john doe --> jdoe
-- Sets work e-mail address based on login
-- Associates each login with the correct Apex employee record
-- Make sure you delete old SQL logins before running
USE IHR
DECLARE @login varchar(50), @person_id int, @edomain varchar(50), @ssn varchar(50)
SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'
DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), P.PersonID, X.SSN FROM Person P
INNER JOIN PersonX X ON P.PersonID = X.PersonID
OPEN p_cursor
FETCH p_cursor INTO @login, @person_id, @ssn
WHILE @@FETCH_STATUS = 0
BEGIN
PRINT @login
EXEC sp_addlogin @loginame=@login, @passwd=@ssn, @defdb='iHR'
EXEC sp_grantdbaccess @login
UPDATE Employee SET [SID] = SUSER_SID(@login) WHERE EmployeeID = @person_id
UPDATE Person SET [Work E-mail] = @login + '@' + @edomain WHERE PersonID = @person_id
FETCH p_cursor INTO @login, @person_id, @ssn
END
CLOSE p_cursor
DEALLOCATE p_cursor
6. Installing the Apex Task E-mailer Service
To enable automatic e-mails, insure that your Windows Account is a member of
Domain
Admins and follow the steps below.
-
Choose the server that will host the service. The server needs network access
to the Apex database and an SMTP server. Apex recommends that you install the
e-mailer service on an existing SMTP server that does not require SMTP
authentication.
If the SMTP server is a remote computer then it must
grant relay permissions to the local server. Also, the e-mailer service cannot
pass SMTP credentials. If authentication and relaying create problems then work
around them by installing a new, local SMTP service from your Windows server
CD-ROM.
-
Log on to the target server. Download and run http://iHRsoftware.com/ftp/ApexTaskEmailer.msi
(6M).
-
After the service installs, open the apexTaskEmailer.xml file with
notepad. The file is usually located at C:\Program Files\Apex\Apex Task
Emailer\apexTaskEmailer.xml. Edit the file and change the database and
SMTP keys to point to your database and SMTP server.
You may choose to
create an administrative SQL account and use that account in the database
connection string. Otherwise, database permissions will be determined by the
Windows Account in which the service runs. Two example connection strings are
listed below. One uses Windows Authentication and the other uses SQL
Authentication.
Data Source=.;Database=IHR;Trusted_Connection=Yes
Data Source=.;Database=IHR;User Id=SQLEmailAccount;Password=colts2007
-
Open the computer's list of services. Find Apex Task E-mailer.
If
you choose to use Windows Authentication instead of SQL Authentication then
right-click the service, edit its properties, and change the Windows Account to
a domain account that has administrative database access (member of
IHR.db_owner). Note that the domain account needs read permissions on the local apexTaskEmailer.xml
file.
-
Right-click the service and start it. Review your application event log to
confirm that the service started successfully.
7. Installing Instant Self Serve
Instant Self Serve (ISS) installation involves creating a new virtual directory on your Web server, changing the authentication method on the virtual directory, copying the ISS files to the directory, editing the Web.config file to point to the database server, and confirming employees’ e-mail addresses and security accounts.
We recommend that you install ISS on your existing Web server.
After you install ISS,
insure that you followed Section 5 so that users can access their ISS accounts.
Apex strongly recommends that you avoid installing ISS on a domain controller or a server that runs Microsoft Small Business Server.
If that recommendation is not followed then Apex reserves the right to deny security-related support for ISS.
Attention Windows 2000 Web Servers: ISS will work with IIS 5.0 which comes with Windows 2000. If you use IIS 5.0 then you will need to use Windows Update to install the .NET framework. IMPORTANT! Install IIS 5.0 before installing the .NET framework.
7.1. Creating a New Virtual Directory
To create a new virtual directory, open Internet Information Services (IIS), right-click the web site, click New, and click Virtual Directory. IIS will open a wizard. Name the directory ISS, and set its path to c:\Inetpub\wwwroot\iss. Complete the steps in the wizard. Set the default file to indexAlt.aspx
7.2. Changing Authentication Methods
To change the IIS authentication method, right-click the directory from the previous step, and click Properties.
Click the Directory Security tab. Click the Edit button inside of the Authentication and access control frame.
A window similar to the figures below will open.
For integrated Windows authentication using one domain controller, change the settings to match Figure 1.
For SQL authentication using a separately maintained list of users and passwords, change the settings to match Figure 2.
Click OK.
Answer Yes. Click Apply.
Note that authentication must be set as shown below otherwise SQL Server will not be able to correctly identify the employee.
|
Figure 1. IIS Windows Authentication
|
|
Figure 2. IIS SQL Authentication
|
7.3. Run ISSInstaller and Edit Web.config
Download and run the self-extracting executable...
http://iHRsoftware.com/Secure/ISSInstaller.exe (2M)
The installer will extract files to your new virtual directory and open a file named Web.Config.
Web.Config is an XML document. At the top of the document is a section named appSettings. At the top of the appSettings section is an element named ConnectionString.
Change ConnectionString to point to the database server. Insure that the Web server has permission to relay through your e-mail server.
Scroll through the rest of the elements in appSettings and change them to meet your needs.
If you are using SQL authentication instead of Windows authentication, then scroll to the Authentication tag and follow the instructions.
7.4. Confirm Employees’ E-mail Addresses and Security Accounts
For an employee to use ISS, he must have either a Windows Account or SQL Login, and the employee’s security account (located on his General tab)
and work e-mail address must be correctly entered in the client software. The quickest way to manually enter the accounts and e-mail addresses is to open the software
and click Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts.
Section 5 lists scripts that you can run to automatically set the work e-mail addresses, create logins,
and associate accounts with employees.
After you enter accounts and e-mail addresses, employees can log on to IndexAlt.aspx page.
You can customize ISS by either editing the individual .aspx pages with notepad,or by opening the entire ISS.sln solution in Visual Studio.
Note that customizing the .aspx pages will make it more difficult for you to apply any future updates.
8. Notes regarding Setup.exe and Uninstallation
Setup.exe is designed to be a no-hassle installer for a typical single-user installation.
It wraps the client MSI, ApexSetup.msi. After the user selects the type of installation,
setup may download .NET framework 2.0 (dotnetfx.exe) or SQL Server Express SP1 (sqlexpr.exe).
Setup updates the registry, scheduling itself to run again after your machine reboots. This action is
necessary because the installers for .NET and SQL Server may force a reboot before setup can complete.
After setup completes, it removes itself from your registry. It may leave a folder
named c:\Temp\iHRsoftware. You can safely delete that iHRsoftware folder.
While Setup.exe is a complete installation package, it leaves a footprint and it triggers warnings from anti-virus software because it downloads installers from Microsoft's website
and writes to your registry.
For client/server installations where SQL Server is already installed, Apex recommends that you avoid setup.exe. Instead, use Enterprise Manager or SQL Management Studio to attach the database (iHR.bak)
and then install ApexSetup.msi on individual workstations. Sections 2 and 3 explain this procedure in detail.
To completely uninstall a typical single-user installation, open Add/Remove programs. Remove Apex Software and Microsft SQL Server 2005 (IHR instance).
Delete the c:\Temp\iHRsoftware folder, and delete all of the unused subfolders in c:\Program Files\Microsoft\SQL Server
and c:\Program Files\Apex.
Additionally, run regedit and delete the key, HKEY_CURRENT_USER\Software\Apex.