These instructions explain how to install Apex's software products. They are written for system administrators. To skip these instructions and install everything on one computer, click here to complete a typical single-user installation.

These instructions do not explain how to set up communication between Apex Software and biometric\proximity terminals. Click here to read the setup instructions for the S900 biometric terminal. Click here to read the setup instructions for the S680 proximity terminal.

1. Planning Installation

The software contains two core components: a SQL Server Database and a client, and the software contains three optional components: a Web add-on (ISS), a file share that holds attachments, and a service that e-mails reminders and tasks (e-mailer service). In a typical single-user installation, the Database and client are installed on the same computer. In a typical client/server installation, the Database, file share, e-mailer service, and Web add-on are installed on one server, and the client is installed on each end-user's workstation. In use cases involving more than 500 users, Apex recommends that you reserve a dedicated database server as shown in Table 3 below.

Apex strongly recommends that you avoid installing ISS on a domain controller or a server that runs Microsoft Small Business Server. If that recommendation is not followed then Apex reserves the right to deny security-related support for ISS.

Table 1 lists the system requirements for the server and client components. You may install all of the server components on one computer, or you may install them separately. The client uses an auto-update function that is similar to Windows Updates. For auto-updates to work, each user needs write permissions on their local folder, c:\Program Files\Apex\iHR, and firewalls must allow SOAP messages over HTTP port 80 to/from 206.221.237.115. Apex recommends that all of the workstations, users, and server(s) are joined to the same Windows AD domain. Apex provides an alternative update package for network administrators who prefer to disable the auto-updates and control the installation of software revisions. See http://iHRsoftware.com/updateHistory.aspx for more information.

Table 1. System Requirements

Component	Prerequisites	Client/Server	Permissions	Additional Memory (MB)	Additional Hard Drive Space (MB)
Apex Client	Windows 98, 2000, XP, Vista, 7, 2003 or 2008 .NET Framework 1.0 or better Apex Client is not needed for general users. Only needed for admin users.	Client	Users require read/write on registry key, HKEY_CURRENT_USER Updates require full permissions on Apex program installation folder Auto-updates require SOAP messages over HTTP port 80 to/from 206.221.237.115	64	10
Database	Windows 2000, XP, Vista, 7, 2003 or 2008 SQL Server: SQL 2005 Express, 2005, SQL Express 2008, or 2008 Express requires .NET Framework 2.0 or better	Server	Default SQL Server installation permissions	256	500
Share for File Attachments	Windows 98, 2000, XP, Vista, 7, 2003 or 2008 All Apex thick clients must be able to use a UNC path to access this share. Web clients do not require access.	Server	Typically, HR has full permissions over the share HR assistants need read/write/create Managers may need read on folders for individual employees	0	4000
Task E-mailer Service	Windows 2000, XP, Vista, 7, 2003 or 2008 Relay Access to SMTP Server .NET Framework 1.0 or better	Server	Service must run under an account that can read apexTaskEmailer.xml in the program installation folder	10	10
Instant Self Serve	Windows 2000, XP, 2003, Vista Internet Information Services .NET Framework 1.0 or better	Server	Depends on SQL Authentication or Windows Authentication. See ISS, section 7.	128	10

Table 2 lists server configurations for a typical client/server installation with less than 500 active users. In the recommended configuration, performance is balanced with cost. The recommended configuration uses two IDE drives: one drive holds system files and the SQL Server transaction log. The other hard drive holds the database and the network share for the file attachments. Note that Apex provides software builds for both 32bit and 64bit architectures.

Table 2. Single Server Configurations for Less than 500 Active Users

Component	Minimum	Recommended	Best Performance
Microprocessor	P3	Dual Core	Quad Core (Phenom II X4\Xeon\Itanium)
RDMS	SQL Server 2005 Express	SQL Server 2005 Express	SQL Server 2008
OS	Windows 2000	Windows 7 Pro or Windows 2003 Server	Windows 2008 Server
RAM	1G	2G	4G
Hard Drive	IDE 40+ G	IDE 2x40+ G	RAID SCSI/SAS 4x20+ G

Table 3 lists server configurations for installations with 500 to 10,000 active users. In these configurations, a database server that is dedicated to running the Apex database communicates with a Web server that optionally hosts other low-traffic Web applications. Note that Integrated Windows Authentication will not work in a two-server configuration. SQL Authentication or Basic Authentication must be used. (Basic Authentication uses the same Windows login\password as Integrated Windows Authentication.)

Table 3. Two-Server Configurations for 500 to 10,000 Active Users

Server	Component	Minimum	Recommended	Best Performance
Server 1, Dedicated Database Server	Microprocessor	Dual Core	Quad Core	Quad Core (Phenom II X4\Xeon\Itanium)
	RDMS	SQL Server 2005	SQL Server 2008	SQL Server 2008
	OS	Windows 2003 Server	Windows 2008 Server	Windows 2008 Server
	RAM	16G	16G	32G
	Hard Drive	IDE 2x40+ G	IDE 2x40+ G	RAID SCSI/SAS 4x20+ G
Server 2, Web Server	Microprocessor	P4	Dual Core	Quad Core
May be shared with low-traffic sites	OS	Windows 7 Pro	Windows 2003 Server	Windows 2008 Server
	RAM	4G	8G	16G
	Hard Drive	IDE 40+ G	IDE 40+ G	RAID SCSI/SAS

2. Database Server Installation

The database server requires Windows 2000 or better. If you use a Windows domain then the server should be a member of the domain. The procedure for server installation depends on whether or not you are attaching the database to an existing SQL Server 200x.

2.1. Attaching the Database to an Existing SQL Server

If your server already runs SQL Server 2005 or 2008 then log on to your SQL Server as an administrator. Confirm that the collation on the server is set to the US default, SQL_Latin1_General_CP1_CI_AS. You can look up collation by looking at the general tab/node on the server's properties. If you see a different collation setting then you should install a separate SQL Server instance. Download the compressed database backup file...

http://iHRsoftware.com/FTP/iLeaveDb.zip (3M)

Extract the file and use SQL Management Studio to restore it as a database named iHR. During the restore, you may want to change the locations of the mdf and ldf files. Also, the iHR database must have an owner. After restoring the database, set the owner by opening the database properties. Alternatively, run the script below.

EXEC sp_changedbowner 'sa'

2.2. "No SQL Server" Installation

If SQL Server 200x is unavailable then log on to the server as an administrator. Download and run the self extracting executable...

http://iHRsoftware.com/FTP/iLeaveSetup.exe (16M)

The installer will open. Click Server Installation.

IMPORTANT! With the No SQL Server installation, append \IHR to the server's name when the system prompts you for the name of the database server. If your server were named MyServer then you would enter MyServer\IHR

3. Client Installation

Client installation depends on whether or not the target workstation has .NET Framework 1.0 or better installed.

3.1. .NET Framework 1.0 or Better Is Already Installed

For every workstation with .NET Framework 1.0 or better, log on with an account that has local administrative permissions. Download and execute the file...

http://iHRsoftware.com/FTP/ApexSetup.msi (8M)

The installer will open. Click Next until it finishes. After the installer finishes, the client will open. When prompted, enter the name of the database server and choose Windows Authentication. After you log in, the software may prompt you to enter the key code from your e-mailed sales receipt. Enter your key code if prompted and close the software. You can open the software later by clicking Start > Programs > Apex.

3.2. .NET Framework 1.0 or Better Is Not Installed

For every workstation without .NET Framework 1.0 or better, log on with an account that has local administrative permissions. Either use Windows Update to install the latest .NET framework and then follow the instructions from the last section, 2.1, or download and execute the file...

http://iHRsoftware.com/FTP/iLeaveSetup.exe (16M)

The installer will open. Click Additional Client Installation. When prompted, click Next until the installer finishes. After the installer finishes, the client will open. When prompted, enter the name of the database server and choose Windows Authentication. After you log in, the software may prompt you to enter the key code from your e-mailed sales receipt. Enter your key code if prompted and close the software. You can open the software later by clicking Start > Programs > Apex.

3.3. Enabling Auto-Updates

For auto-updates to work, each user needs write permissions on their local folder, c:\Program Files\Apex\iHR, and firewalls must allow SOAP messages over HTTP port 80 to/from 206.221.237.115. Auto-update failures are logged to the user's Application event log. If you use Microsoft's ISA or a similar firewall then copy the pinhole for Microsoft updates and change it to 206.221.237.115.

4. Configuring File Attachments and Portraits

5. Configuring Security

Before you configure security, decide whether users will use Windows Authentication or SQL Authentication. Windows is preferred because, after the initial setup, it allows you to use Active Directory to control accces. Unlike Windows Authentication, SQL Authentication requires that you create a new SQL login for each user. Note that Windows Authentication requires that all of the users are enrolled in the same domain as the computer that hosts the SQL Server. To set up typical security for Windows Authentication, read Section 5.1. To set up typical security for SQL Authentication, read Section 5.2. For additional security information refer to the help manual at http://iHRsoftware.com/ftp/help.doc.

5.1. Setting up Security for Windows Authentication

Typical security setup for Windows Authentication requires that you create an AD group, join it to the db_owners role, confirm the permissions on the public role, and then associate Windows Accounts with Apex employee records. If you will install Instant Self Serve then you must also grant database access to the staff by clicking Company > Security and adding the Domain Users role.

5.1.1. AD Group for HR Administrators

Create an AD group that holds all of the users who need full access to the database. To create it, open Active Directory and create a group named something like "HR Admin" and join the necessary users. Then, in Apex, click Company > Security and open the security window. Click Add Windows User or Group. Enter the name of the AD group in the format domain\group. Save it. Then click the tab named Membership and click the checkbox named db_owner. Save your changes.

5.1.2. Public Role for Managers and Their Staff

The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about himself. Now select "User Viewing Subordinates". These permissions define what a user can see about his subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)

5.1.3. Associating Windows Accounts with Apex Employee Records

For each user, associate his Windows Account with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the Windows Accounts by opening each person and entering their domain\account in the Security Account field on theirGeneral tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the Windows Accounts for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.

-- Adds access for windows accounts: john doe --> YOURDOMAIN\jdoe

-- Sets work e-mail address based on account name

-- Associates each user account with the correct Apex employee record

USE IHR

DECLARE @username varchar(50), @person_id int, @wdomain varchar(50), @edomain varchar(50)

SET @wdomain='CHANGE_ME_TO_YOUR_WINDOWS_DOMAIN'

SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'

DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), PersonID FROM Person

OPEN p_cursor

FETCH p_cursor INTO @username, @person_id

WHILE @@FETCH_STATUS = 0

BEGIN

   UPDATE Employee SET [SID] = SUSER_SID(@wdomain + '\' + @username) WHERE EmployeeID = @person_id

   UPDATE Person SET [Work E-mail] = @username + '@' + @edomain WHERE PersonID = @person_id

   FETCH p_cursor INTO @username, @person_id

END

CLOSE p_cursor

DEALLOCATE p_cursor

5.2. Setting up Security for SQL Authentication

Typical security setup for SQL Authentication requires that you create a SQL login for each administrative user, join the logins to the db_owners role, confirm the permissions on the public role, create a SQL login for each user, and then associate the SQL logins with Apex employee records.

5.2.1. Creating SQL Logins

Click Company > Security. Click Add SQL Login. Enter the login and password. Click Save. If this login should have full permissions then click the tab named Membership and click the checkbox named db_owner. Save your changes and repeat these steps for each user.

5.2.2. Public Role for Managers and Their Staff

The public role defines the permissions for managers and their staff. To check the permissions on public, double-click it and then click the tab named Permissions. In the select box named Scope, select "User Viewing Self". These permissions define what a user can see about herself. Now select "User Viewing Subordinates". These permissions define what a user can see about her subordinates. (The software identifies the user's subordinates based on the Manager select box that is found on each person's General tab.)

5.2.3. Associating SQL Logins with Apex Employee Records

For each user, associate his login with his employee record so that Apex can correctly match "self" and "subordinate" permissions. You can manually enter the logins by opening each person and entering their SQL login in the Security Account field on their General tab. Or you can click Company > Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts and enter the SQL login for everyone on one screen (click Apply often). Or you can copy and run the script below in either SQL Management Studio or the window that opens when you click Company > Execute SQL.

-- Creates SQL Logins with SSN as the password for each employee: john doe --> jdoe

-- Sets work e-mail address based on login

-- Associates each login with the correct Apex employee record

-- Make sure you delete old SQL logins before running

USE IHR

DECLARE @login varchar(50), @person_id int, @edomain varchar(50), @ssn varchar(50)

SET @edomain='CHANGE_ME_TO_YOUR_EMAIL_DOMAIN'

DECLARE p_cursor CURSOR FOR SELECT LOWER(SUBSTRING([First Name], 1, 1) + [Last Name]), P.PersonID, X.SSN FROM Person P

INNER JOIN PersonX X ON P.PersonID = X.PersonID

OPEN p_cursor

FETCH p_cursor INTO @login, @person_id, @ssn

WHILE @@FETCH_STATUS = 0

BEGIN

   PRINT @login

   EXEC sp_addlogin @loginame=@login, @passwd=@ssn, @defdb='iHR'

   EXEC sp_grantdbaccess @login

   UPDATE Employee SET [SID] = SUSER_SID(@login) WHERE EmployeeID = @person_id

   UPDATE Person SET [Work E-mail] = @login + '@' + @edomain WHERE PersonID = @person_id

   FETCH p_cursor INTO @login, @person_id, @ssn

END

CLOSE p_cursor

DEALLOCATE p_cursor

6. Installing the Apex Task E-mailer Service

To enable automatic e-mails, insure that your Windows Account is a member of Domain Admins and follow the steps below.

Choose the server that will host the service. The server needs network access to the Apex database and an SMTP server. Apex recommends that you install the e-mailer service on an existing SMTP server that does not require SMTP authentication.
If the server that you choose is not an SMTP server then the service will need to use a remote SMTP server. The remote SMTP server must grant relay permissions to your chosen\local server. Also, the e-mailer service cannot pass SMTP credentials. If authentication and relaying create problems then work around them by installing the SMTP service on your chosen server from your Windows Server CD-ROM.
Log on to the target server. Download and run http://iHRsoftware.com/ftp/ApexTaskEmailer.msi (6M).
Create a Window's Account for the service and grant the account permissions. If the service and the database are on the same computer then create a local Windows Account. Otherwise create a domain account. Grant the account read permissions on C:\Program Files\Apex\Apex Task Emailer\apexTaskEmailer.xml . Grant the account full permissions on the database (In Apex Software, click Company > Security, add the account, and join it to the db_owner group).
Assign the account to the service. Open Service Manager, edit the service properties, and enter the new account in the "run as" text box.
Point the service to the database. Open C:\Program Files\Apex\Apex Task Emailer\apexTaskEmailer.xml . Edit the file (right-click it and open with Notepad) and change the connectionString and SMTP elements to point to your database and SMTP server.
In the connectionString element, decide whether to use Windows Authentication (recommended) or SQL Authentication. With Windows Authentication, database permissions will be determined by the Windows Account in which the service runs. Example connection strings are listed below. If you do not know the value of the Data Source attribute then open Apex Software and click Company > Reconnect to Database. Use the text in the Server textbox.

-- Connect to the local server on the default instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=.;Trusted_Connection=Yes;Database=iHR" />

-- Connect to the local server on the SQLExpress instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=.\SQLExpress;Trusted_Connection=Yes;Database=iHR" />

-- Connect to a remote server on the default instance. Use the SQL login "daemon" to log in.
<connectionString value="Data Source=Server1;Database=iHR;User ID=daemon;Password=colts2008" />

-- Connect to a remote server on the IHR instance. Use the service's Windows credentials to log in.
<connectionString value="Data Source=Server1\IHR;Trusted_Connection=Yes;Database=iHR" />
Start the service. Open the computer's list of services, find Apex Task E-mailer Service, right-click it and start it.
Verify it worked. Review your application event log to confirm that the service started successfully. If the event log shows success then you can review the log of outgoing e-mails by opening Apex Software and clicking Reports > Tasks > Log of E-mailed Reminders.
Troubleshoot errors in the event log.
Connection errors are usually caused by one of the following problems.
- Wrong type of slash before the instance name (use Server1\iHR, do not use Server1/iHR)
- Using Windows Authentication to connect to a remote databaase when the task e-mailer service is running under a local account. To fix this problem, change the service's "run as" account to a domain account or use SQL authentication in the connection string. The domain account should have administrative database access (member of db_owner). The account needs read permissions on the local apexTaskEmailer.xml file.
- Running the service as LocalSystem (the default account) and using Windows Authentication to connect to a local SQL Server that is not set to run as LocalSystem. To fix this problem, check the account name that the MS SQL Server service is using. If the account is NOT named NetworkService then use that account to run the service. If it is named NetworkService then create a Windows account and assign it to the service as explained in step 3.
E-mail errors are usually caused by one of the following problems.
- Failing to grant relay permissions on the remote SMTP server.
- Setting a blank or invalid "send from" e-mail address in the Apex Software client (Company > Settings, Reminders tab).

7. Installing Instant Self Serve

Instant Self Serve (ISS) installation involves either creating a new virtual directory or creating a new Website on your Web server, changing the authentication method on the virtual directory or Website, copying the ISS files to the directory, editing the Web.config file to point to the database server, and confirming employees� e-mail addresses and security accounts. We recommend that you install ISS on your existing Web server. After you install ISS, insure that you followed Section 5 so that users can access their ISS accounts.

7.1. Creating a New Virtual Directory or Website

Create a new virtual directory if either (1) your "server" is not running a server operating system (Windows 2000/XP/7 only allow one Website) or (2) your server only has 1 IP address available AND you do not plan to use SSL. To create a new virtual directory, open Internet Information Services (IIS), right-click the web site, click New, and click Virtual Directory. IIS will open a wizard. Name the directory ISS, and set its path to c:\Inetpub\wwwroot\iss. Complete the steps in the wizard. Set the default file to indexAlt.aspx

Alternatively, if your server is running a server operating system and you plan on using SSL or a separate IP then create a new Website. To create a new Website, open Internet Information Services (IIS), right-click the Websites node, and click New. IIS will open a wizard. Set the path to something like c:\Inetpub\issroot. Complete the steps in the wizard. Set the default file to indexAlt.aspx. In step 7.3 you will need to change the extraction path to match the Website root.

7.2. Changing Authentication Methods

To change the IIS authentication method in IIS 5 or 6 (Windows 2003 Server), right-click the directory from the previous step, and click Properties. Click the Directory Security tab. Click the Edit button inside of the Authentication and access control frame. A window similar to the figures below will open. For integrated Windows authentication using one domain controller, change the settings to match Figure 1. For SQL authentication using a separately maintained list of users and passwords, change the settings to match Figure 2. Click OK. Answer Yes. Click Apply. Note that authentication must be set as shown below otherwise SQL Server will not be able to correctly identify the employee.

To change the ISS authentication method in IIS 7 (Windows 2008 Server), first install the "Basic Authentication" and "Windows Authentication" components for the "Web Server" role (Server Manager > Add\Remove Roles). After the components are installed, the procedure is similiar to the one described above for IIS 6.

Figure 1. IIS Windows Authentication

Figure 2. IIS SQL Authentication

7.3. Run ISSInstaller and Edit Web.config

Download and run the self-extracting executable...

http://iHRsoftware.com/Secure/ISSInstaller.exe (2M)

The installer will extract files to your new virtual directory and open a file named Web.Config.

Web.Config is an XML document. At the top of the document is a section named appSettings. At the top of the appSettings section is an element named ConnectionString. Change ConnectionString to point to the database server. Insure that the Web server has permission to relay through your e-mail server. Scroll through the rest of the elements in appSettings and change them to meet your needs. If you are using Windows authentication instead of SQL authentication then scroll to the Authentication tag toward the bottom of the config file and follow the instructions.

7.4. Confirm Employees� E-mail Addresses and Security Accounts

For an employee to use ISS, he must have either a Windows Account or SQL Login, and the employee�s security account (located on his General tab) and work e-mail address must be correctly entered in the client software. The quickest way to manually enter the accounts and e-mail addresses is to open the software and click Employees > Custom Tabular Reports > Names, Locations, Departments and Accounts. Section 5 lists scripts that you can run to automatically set the work e-mail addresses, create logins, and associate accounts with employees.

After you enter accounts and e-mail addresses, employees can log on to IndexAlt.aspx page. You can customize ISS by either editing the individual .aspx pages with notepad,or by opening the entire ISS.sln solution in Visual Studio. Note that customizing the .aspx pages will make it more difficult for you to apply any future updates.

7.5. SSL and DNS Considerations

Instant Self Serve works with SSL / https. To set up SSL, install a certificate on the Website. A certificate can be purchased from a third party like GoDaddy.com. Alternatively, you can install the "Certificate Authority" service on your server and issue yourself a certificate. With self-signed certificates, your users will see an "untrusted certificate" warning the first time they visit the site. After they accept the certificate, the warnings will stop. Google "self-signed certificates" for more information.

If you set up a Website for ISS instead of a virtual directory, and users need to access the ISS Website internally and externally, then you should use a single subdomain that resolves to the same Web server both inside and outside your network. Typically, you would define a subdomain like hr.mydomain.com. In the DNS settings for your internal router, you would assign hr.mydomain.com the internal IP of your Web Server (like 192.168.0.2). In the DNS settings that are managed by your registrar, you would assign hr.mydomain.com the external IP of your Web server (like 215.215.5.9). In general, users should not access the site through alternative local URLs like http://myserver/iss.

8. Notes regarding Setup.exe and Uninstallation

Setup.exe is designed to be a no-hassle installer for a typical single-user installation. It wraps the client MSI, ApexSetup.msi. After the user selects the type of installation, setup may download .NET framework 2.0 (dotnetfx.exe) or SQL Server Express SP1 (sqlexpr.exe). Setup updates the registry, scheduling itself to run again after your machine reboots. This action is necessary because the installers for .NET and SQL Server may force a reboot before setup can complete. After setup completes, it removes itself from your registry. It may leave a folder named c:\Temp\iHRsoftware. You can safely delete that iHRsoftware folder.

While Setup.exe is a complete installation package, it leaves a footprint and it triggers warnings from anti-virus software because it downloads installers from Microsoft's website and writes to your registry. For client/server installations where SQL Server is already installed, Apex recommends that you avoid setup.exe. Instead, use Enterprise Manager or SQL Management Studio to attach the database (iHR.bak) and then install ApexSetup.msi on individual workstations. Sections 2 and 3 explain this procedure in detail.

To completely uninstall a typical single-user installation, open Add/Remove programs. Remove Apex Software and Microsft SQL Server 2005 (IHR instance). Delete the c:\Temp\iHRsoftware folder, and delete all of the unused subfolders in c:\Program Files\Microsoft\SQL Server and c:\Program Files\Apex. Additionally, run regedit and delete the key, HKEY_CURRENT_USER\Software\Apex.

Installation Instructions for iLeave and ISS