Configure the System

PowerShell scripts are provided to complete configuration of the central application server(s), including the connections to the databases, and then store appropriate values in the database.
Important: For a single-server implementation, run the PowerShell scripts on the application server (if you have a separate database server, you do not run the PowerShell scripts on it). If the logical application server has been separated into multiple servers, the PowerShell scripts must be run on each of these servers, and must be run in the following order:
  1. Your web application server
  2. Your batch server (or processing server, for a two-server application implementation)
  3. Your inventory server(s).
On each applicable server in turn, as administrator (fnms-admin), complete all the following steps (noting that on different servers, different dialogs may be presented). Before executing the PowerShell scripts, you should first ensure that:
  • Your administrator account is a member of the db_owner fixed database role (at least temporarily, as described in Accounts)
  • The scripts themselves have sufficient authorization to execute, as described in the following process.

To configure the system with PowerShell scripts:

  1. Check that Active Directory domain policy, and (where domain policy is correctly set) local machine policy, both have the security setting Network access: Do not allow storage of passwords and credentials for network authentication set to Disabled.
    This check is required for:
    • Your batch server (or server hosting that functionality)
    • Your inventory server(s)
    • Later, any inventory beacons that you will operate using a service account (rather than running them as local SYSTEM).
    This setting is available in either domain policy or local security policy under Security Settings > Local Policies > Security Options. By default, the majority of Windows installations leave this setting disabled; but it may be enabled in tightly-secured environments. However, please note the following mandatory requirements:
    • This setting must be disabled to allow the PowerShell scripts to configure the scheduled tasks and the accounts that run them during operation (or, on inventory beacons, to allow storing credentials for any service account). If it is not disabled, the PowerShell scripts fail at Executing step Configure scheduled tasks with the error Exception has been thrown by the target of an invocation.
    • Furthermore, the setting must remain disabled for normal operation. If this setting is re-enabled, scheduled tasks with saved credentials will fail to run, showing the error Logon failure: unknown username or bad password. (0x8007052E) in the Task Scheduler interface. (However, saved credentials are not lost: disabling the setting again allows the scheduled tasks to resume as normal.)
    • Therefore, in any environment where it is mandatory for this setting to be enabled, an alternative task scheduling technology must be provided to allow operation of FlexNet Manager Suite (such as BMC Control-M, or other alternatives).
    Note: If you make this change to policy, a reboot of the server is required.
  2. On your web application server, batch server, or inventory server, ensure that Microsoft IIS is running again:
    1. Ensure that your Server Manager dialog is still open.
    2. In the left-hand navigation bar, expand Roles > Web Servers (IIS), and select Internet Information Services.
      The IIS page is displayed.
    3. In the Actions panel on the right, select Start.
      A message like Attempting to start... appears. Note that it can take some time before the service is started. When the service is running, the PowerShell scripts can update the IIS configuration as required.
  3. If you require that the URLs for your central server(s) use the HTTPS protocol, confirm that site bindings have been configured to allow this:
    1. Open IIS Manager.
    2. In the Connections pane, expand the Sites node in the tree, and then click to select the site for which you want to add a binding.
    3. In the Actions pane, click Bindings.
    4. In the Site Bindings dialog box, click Add.
    5. In the Add Site Binding dialog box, add the binding information and then click OK.
      For more information (including the set up of the required certificate), see http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis.
  4. Run PowerShell as administrator (use the 64-bit version where available):
    1. Locate PowerShell. For example:
      • On Windows Server 2012, Start > Windows PowerShell.
      • On earlier releases, in the Windows Start menu, find All Programs > Accessories > Windows PowerShell > Windows PowerShell (this is the 64-bit version; the 32-bit version is Windows PowerShell (x86)).
    2. Right-click, and choose Run as Administrator.
      Important: It is critical that you run the PowerShell scripts with administrator privileges. Otherwise, scripts will fail.
  5. If you have not already done so, in the PowerShell command window, execute:
    set-executionpolicy AllSigned
    Respond to the warning text with the default Y.
  6. In the PowerShell command window, navigate through the unzipped downloaded archive to the Support folder.
  7. On each server, execute:
    .\Config.ps1 "Config\FNMS Windows Authentication Config.xml"
    (This script determines the type of server installation, and applies appropriate configuration. See also server-specific comments below.)
    Tip: If your PowerShell window is in its default QuickEdit mode (visible in the Properties for the window), simply clicking in the window when it already has focus puts it into Mark or Select mode. In such a mode, a process that is writing to the window is paused, awaiting your input. Beware of unintentionally pausing the configuration scripts by extra clicking in this PowerShell window. A process that has been paused in this way is resumed when the window already has focus and you press any key.
    On each server, on first run PowerShell asks whether to trust the publisher of this script. You may allow Run always for a certificate signed by Flexera LLC.
  8. In each case, allow the script to run once, completing the requested details.
    Tip: Helpful notes:
    • Use the service account details you created earlier (example: svc-flexnet).
    • Separately on each dialog, the check box Use the same credentials for all identities copies the account details from the upper section to the lower section of the dialog.
    • For externally visible URLs, you can specify either HTTP or HTTPS protocol, and either the flat server name or the fully qualified domain name is supported. Any port number is optional. Remember that site bindings may be required if you are using the HTTPS protocol (see above). Valid examples:
      http://servername
      https://www.servername.mydomain:8080
    • If you have a single-server implementation, when asked for the hostname of the different server functionality, use localhost.
    • Remember that in a multi-server implementation, MSMQ limits the hostname of the batch server to 14 characters. Of course, this limit applies to the hostname itself, and not to the fully-qualified domain name of the host. (If your batch server is already implemented with a longer hostname, consider using a DNS alias that satisfies this limitation.)
      Important: Remember to use the fully-qualified domain name (in the style of serverName.example.com) when identifying servers in a multi-server implementation. Do not use a URL.
    • The PowerShell script asks for appropriate database connection details, depending on the configuration of the current server (for example, if the current server includes inventory server functionality, the script asks for the Inventory Management database). In each case, supply the host server name (and, if the database instance is not the default instance, the instance name, separated by a backslash character), and the database name for each kind of database. In a small-to-medium implementation, all the operations databases may be on the same host and instance combination; in larger implementations, they may be separated onto distinct servers. In either case, each database has a distinct database name, for which the suggested values are:
      • The main compliance database: FNMSCompliance
      • The database for inventory collected by the FlexNet Inventory Agent: FNMSInventory
      • The data warehouse for trend reporting: FNMSDataWarehouse
      • The snapshot database for performance improvement: FNMSSnapshot.
  9. Close the PowerShell command window.
  10. If this is your batch server (or the server hosting that functionality), ensure that the services for FlexNet Manager Suite Batch Process Scheduler are running:
    1. Navigate to Start > Control Panel > Administrative Tools > View local services.
      The Services dialog opens.
    2. In the list of services, ensure that FlexNet Manager Suite Batch Process Scheduler and FlexNet Manager Suite Batch Processor are both running. If not, right-click each stopped service in turn, and from the context menu, select Start.
      Note: These services are critical to the operation of FlexNet Manager Suite. It is best practice to set up your service monitoring to alert you any time either of these services is stopped.
  11. As required for a multi-server implementation, loop back to step 1 and repeat on each remaining server.
    Tip: On the application server (or on each component server in a multi-server implementation), the PowerShell scripts configure Microsoft IIS with an application pool for FlexNet Manager Platform. This pool requires authentication, and the scripts save the current logged-in account on each server in the IIS configuration for the application pool. When the user account on any server requires a password update, you must also update the password recorded in the IIS configuration for this application pool. For more information, see Password Maintenance.
  12. You now need to activate the product. Please refer to Product Activation.
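The prerequisites from steps 1, 4, 5, 7 and 8 can be checked in one pass before Config.ps1 is run. The following is an added example, not part of the Flexera scripts; it assumes PowerShell 3.0 or later, that the policy in step 1 is backed by the DisableDomainCreds registry value under the Lsa key, and the parameter names are hypothetical. Save it as a script in the Support folder and run it from the elevated window.

```powershell
# Added pre-flight check (not part of the Flexera scripts).
# Assumption: DisableDomainCreds under the Lsa key backs the policy "Network access:
# Do not allow storage of passwords and credentials for network authentication".
param(
    [string]$ScriptPath = '.\Config.ps1',     # script executed in step 7
    [string]$BatchHost  = $env:COMPUTERNAME   # hypothetical: batch server hostname, FQDN or DNS alias
)

$results = [ordered]@{}

# Step 4: the session must be elevated and, where available, 64-bit.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Elevated session'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
# PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on a 64-bit OS.
$results['64-bit PowerShell where available'] = -not $env:PROCESSOR_ARCHITEW6432

# Step 1: the policy must be Disabled (value 0, or absent, which is assumed to mean
# the default of Disabled); otherwise "Configure scheduled tasks" fails.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name DisableDomainCreds -ErrorAction SilentlyContinue
$results['Credential storage policy is Disabled'] = (-not $lsa) -or ($lsa.DisableDomainCreds -eq 0)

# Steps 5 and 7: under AllSigned the script must carry a valid signature.
# Review the signer shown below before choosing "Run always" at the trust prompt.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath -ErrorAction SilentlyContinue
$results['Config.ps1 signature is valid'] = $sig -and ($sig.Status -eq 'Valid')
$signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

# Step 8: MSMQ limits the batch server hostname (not the FQDN) to 14 characters.
$shortName = ($BatchHost -split '\.')[0]
$results['Batch hostname within 14 characters'] = $shortName.Length -le 14

# Report each check, then the values an administrator should review by eye.
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $state, $_.Key
}
"Signer: $signer"
"Effective execution policy: $(Get-ExecutionPolicy)"
if (@($results.Values) -contains $false) { Write-Warning 'Resolve the FAIL items before running Config.ps1.' }
```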
Configuration by the PowerShell scripts is now complete. Although not needed now, at other times it is possible to re-run the PowerShell scripts with the following flags for the use cases shown. You do not need to re-run the scripts unless, at some later stage, one of these use cases applies to you:
  • Use without a flag to add a configuration file to a new installation; or on an existing implementation, to remove all customizations and replace the %ProgramFiles(x86)%\Flexera Software\FlexNet Manager Platform\WebUI\web.config file with the default version:
    .\Config.ps1 "Config\FNMS Windows Authentication Config.xml"
  • Add the updateConfig flag to insert any new parameters added by Flexera, leaving all settings (including customizations) unchanged for existing parameters:
    .\Config.ps1 "Config\FNMS Windows Authentication Config.xml" updateConfig
  • Add the forceUpdateConfig flag to insert any new parameters added by Flexera, and restore the default values for all factory-supplied settings, but leaving any custom parameters unchanged:
    .\Config.ps1 "Config\FNMS Windows Authentication Config.xml" forceUpdateConfig
  • Add the removeConfig flag to remove the %ProgramFiles(x86)%\Flexera Software\FlexNet Manager Platform\WebUI\web.config file before using Windows Programs and Features to uninstall FlexNet Manager Suite:
    .\Config.ps1 "Config\FNMS Windows Authentication Config.xml" removeConfig
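For ongoing operation, the two failure conditions named in the procedure (scheduled tasks failing with 0x8007052E when the policy from step 1 is re-enabled, and the batch services from step 10 being stopped) can be checked from a monitoring job on the batch server. This is an added example, not part of the Flexera scripts; it assumes Windows Server 2012 or later, where the ScheduledTasks module is available, and it inspects all scheduled tasks because this page does not name the tasks that the scripts create.

```powershell
# Added operational check (not part of the Flexera scripts).
# Assumption: Windows Server 2012 or later (ScheduledTasks module present).
$logonFailure = 2147943726   # 0x8007052E as an unsigned value: "Logon failure"

# Step 10: both batch services must be running (display names as shown in Services).
$serviceNames = 'FlexNet Manager Suite Batch Process Scheduler',
                'FlexNet Manager Suite Batch Processor'
$stopped = foreach ($name in $serviceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { "$name (not found on this server)" }
    elseif ($svc.Status -ne 'Running') { "$name ($($svc.Status))" }
}

# Step 1: tasks with saved credentials report 0x8007052E as their last result
# when the credential storage policy has been re-enabled.
$failedTasks = Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    if ($info -and $info.LastTaskResult -eq $logonFailure) {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            RunAs   = $_.Principal.UserId
            LastRun = $info.LastRunTime
        }
    }
}

foreach ($s in $stopped) { Write-Warning "Service not running: $s" }
foreach ($t in $failedTasks) {
    Write-Warning ('Task {0} (run as {1}) last failed with 0x8007052E at {2}; re-check the credential storage policy.' -f $t.Task, $t.RunAs, $t.LastRun)
}
if (-not $stopped -and -not $failedTasks) {
    'OK: batch services running, no logon-failure task results'
}
```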