Prepared by:
AFHCAN
Alaska Native Tribal Health Consortium
Division of Health Information & Technology
4000 Ambassador Drive, 3rd Floor
Anchorage, AK 99508
Telephone: (907) 729-2260
Fax: (907) 729-2269
SWP-0097 Telehealth Server
Document Version: 2
Applicable to: tConsult (Family)
Software version: tConsult v6.1.0
Effective Date: 5/16/2012
Purpose:
Scope:
Audience:
Copyright © 2012 Alaska Native Tribal Health Consortium. All rights reserved.
SWP-0097 Telehealth Server
Revision 1
Joining the Telehealth Server to a Domain
1. Device Configuration
2. Computer Services
3. Network Connectivity Properties
4. Join the Telehealth Server to the Domain
Establishing an Authoritative Time Source
1. Acronyms and Abbreviations for Establishing an Authoritative Time Source
2. Changing Server Type to NTP
3. Enabling Ports on Windows Firewall
Telehealth Licensing
1. Background Information About User Licenses
2. Licensing Key Terms
3. License Process Overview Chart
4. Requesting Additional Licenses
5. Approving Additional Licenses
6. Installing Additional Licenses
Telehealth Third Party SSL Certificate
1. Acronyms and Abbreviations for Third Party SSL Certificate
2. Removing the Current Certificate
3. Requesting a Third Party SSL Certificate
4. Installing the Third Party SSL Certificate into the Certificate Personal Store
5. Installing the Third Party SSL Certificate into IIS
Moving an Organization Between Telehealth Servers
1. Capturing the Telehealth Database, Support Files and Certificates
2. Moving and Restoring a Telehealth Organization onto a Single Org Server
3. Moving and Restoring a Telehealth Organization onto a Server that Hosts Multiple Organizations
Setting Up and Maintaining MSDTC
1. Acronyms and Abbreviations for MSDTC
2. Pre-Requisites for Setting Up MSDTC
3. Pre-Requisites for Setting Up MSDTC if Using a Back-End SQL Server
4. Configuring MSDTC
Obtaining New Certificate Public Key
1. Obtaining the Public Key from an Existing Database
2. Applying UpdateServerPubKey.sql Script
3. Applying UpdateNodePubKey.sql Script*
4. Appendix A for SQL scripts
Troubleshooting Telehealth Server v5.2 and above
1. Cannot log into Telehealth Cart software – Time Service
2. Cannot log into Telehealth Cart or Web software – Security MSDTC
3. Existing cases not accessible via Telehealth Web after upgrade
4. “Server Error in ‘/’ Application” Received when running Reports in Web Client
5. Missing Date Parameter Textbox when Preparing to Run a Report from Telehealth Web
Upgrading SQL Server 2000 to SQL Server 2005 on a Telehealth Server
1. SQL Server Upgrade Paths
2. Additional Resources for Upgrading
3. Backup the Existing Server
4. Configuring the Existing Server
5. In-Place SQL Server 2000 Upgrade to SQL Server 2005 Process
Telehealth Server System Administration
1. Server Settings
1.1 System Settings
1.2 Data Service Setup
1.3 Patient Search
1.4 Sensitive Case Options
Patient Import Procedures
1. Acronyms and Abbreviations for Patient Import Procedures
2. Establishing Patient Source
3. tConsult Server Manager and Patient Sources
4. Selecting Patient Sources
Telehealth Server Build and Configuration Procedures
1. Material Requirements
2. Initialize Server
3. Initial Logon
4. .Net Framework Installation
5. IIS Installation
6. SQL Server Installation
Installing Telehealth Server Software Using SQL Back End Servers
1. Minimum System Requirements
2. Installation of tConsult Server software
3. Creating Additional Organizations on the same tConsult Server
4. Uninstalling vx.x.x.x Telehealth Server Software
Registering XP_MD5.dll on a SQL Back End Server
1. Additional Resources for Registering XP_MD5.dll on a SQL Back End Server
2. Copying xp_md5.dll
3. Install xp_md5 using the SQL Script
4. APPENDIX A
Telehealth Server Backup
1. Additional Resources
2. SQL Databases
3. System Backup
Creating a SQL Maintenance Plan
1. Creating a SQL Maintenance Plan Using SQL 2005
Build and Configuration – Windows Server 2008
1. Additional Resources
2. Material Requirements
3. Initialize Server
4. Initial Logon
5. User Access Control
6. IIS Installation – Not required for a Backend SQL server installation
7. Move IIS – Perform these steps if IIS will be relocated to the server “E” Drive.
8. .Net Framework Installation – Not required for Backend Server
9. Webservice Extensions – IIS Installation
10. SQL Server Installation – For a Standalone and Backend server- skip for front end server build
11. Connect to Windows Update
12. Disable Windows Firewall
4.4.1.0 Front End Build
1. Material Requirements
2. Initialize Server
3. Initial Logon
4. .Net Framework Installation
5. IIS Installation
6. Finalizing the OS Configurations
7. Installing Windows Applications
8. Configuring SNMP
9. Dell Management Software Installation
10. Security – Windows Update
11. Harden Server
12. Enabling MSDTC Services:
Using SQL Profiler
1. Additional Resources for SQL Profiler
2. Setup SQL Profiler
Telehealth Server v6.x Upgrade
1. Additional Resources
2. Minimum System Requirements
3. Prerequisites Prior to Installing Telehealth Server
4. Additional Requirement Considerations
5. Upgrading Telehealth Server Software
6. Upgrading an Organization
7. Upgrading a Multi-Organization Telehealth Server
Telehealth Server v6.x Installation
1. Additional Resources for Telehealth Server Installation
2. Minimum System Requirements
3. Prerequisites Prior to Installing Telehealth Server
4. Additional Requirement Considerations
5. Installation of Telehealth Server software
6. Creating Additional Organizations on the same Telehealth Server
7. Uninstalling v6.x Telehealth Server Software
Telehealth Server Windows 2003 Front End Server Build and Configuration
1. Material Requirements
2. Cleanup Server
Telehealth Server Windows 2003 Back End Server Build and Configuration
1. Material Requirements
2. Cleanup Server
Joining the Telehealth Server to a Domain
1. Device Configuration
• NetBios over TCP/IP is disabled within Device Connection and needs to be re-enabled.
o Using Computer Management, click on Device Manager. From View on the Menu Bar select Devices by Connection and Show Hidden Devices.
Figure 1 – Computer Management and Device Manager
Figure 2 - Showing hidden devices
o Double-click on NetBios over TCP/IP and change the Device usage to Use this device (enable).
Figure 3 - NetBios over TCP/IP Properties dialog box
o Click on the Driver tab and change the Startup type to System as shown in Figure 4.
Figure 4 – NetBios over TCP/IP Properties dialog box, continued
2. Computer Services
• There are several services that need to be enabled before a server can be joined to a Domain.
o Using Administrative Tools – Services, enable the following services:
DNS Client
Workstation
Net Logon
RPC Locator
TCP/IP NetBios Helper
3. Network Connectivity Properties
• The NIC has its own hardening in place that needs to be changed.
o Click on the Local Area Connection properties. Enable Client for Microsoft Networks as well as File and Network Sharing.
Figure 5 – Local Area Connection Properties dialog box
o Highlight Internet Protocol (TCP/IP) and click on Properties. Enter the DNS Server IP(s).
Figure 6– Internet Protocol (TCP/IP) Properties Dialog box
o Click on the Advanced tab, select the WINS tab, place a checkmark in front of Enable LM Hosts, and click the radio button for Enable NetBIOS over TCP/IP as shown in the figure below.
Figure 7 – Advanced TCP/IP Settings - WINS
o Reboot the server.
4. Join the Telehealth Server to the Domain
• In accordance with the organization policy, join the telehealth server to the Domain with a Domain Administrator account. Reboot the server.
• At this point, backup software, anti-virus software, and Windows Updates/Patches/Hotfixes can be added and configured as per the Domain policy.
End of procedure.
Establishing an Authoritative Time Source
1. Acronyms and Abbreviations for Establishing an Authoritative Time Source
Acronym: Meaning
WCF: Windows Communication Foundation
2. Changing Server Type to NTP
• This section outlines edits to be made to the registry of a Windows Server 2003. Editing needs to be done with extreme care to avoid critical failures. Using regedit is at the readers’ own risk. AFHCAN assumes no responsibility for failure to follow the below steps.
o Change the server type to NTP. To do this, follow these steps:
▪ Click Start, click Run, type regedit, and then click OK.
▪ Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
▪ In the right pane, right-click Type, and then click Modify.
▪ In Edit Value, type NTP in the Value data box, and then click OK.
o Change the Announce Flags. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
▪ In the right pane, right-click AnnounceFlags, and then click Modify.
▪ In Edit DWORD Value, type 5 in the Value data box, and then click OK.
o Enable NTPServer. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
▪ In the right pane, right-click Enabled, and then click Modify.
▪ In Edit DWORD Value, type 1 in the Value data box, and then click OK.
o Specify the time sources that will be the authoritative time source for the tConsult Server. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
▪ In the right pane, right-click NtpServer, and then click Modify.
▪ In Edit Value, type Peers in the Value data box, and then click OK.
Note: Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
o Set Windows Time service to automatic and then start it.
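The registry values and service start from this procedure, applied and read back in one pass, as an added PowerShell example that is not part of the AFHCAN procedure. It assumes PowerShell 2.0 or later in an elevated session; the peer DNS names are placeholders and Format-NtpPeerList is a helper defined here for illustration.

```powershell
# Added example; not AFHCAN's own tooling. Run in an elevated session.
# ASSUMPTION: these DNS names are placeholders for your organization's time sources.
$Peers = @('time1.example.org', 'time2.example.org')

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Hypothetical helper: builds the NtpServer value from bare DNS names,
# enforcing the two rules in the note (unique names, ,0x1 appended to each).
function Format-NtpPeerList {
    param([string[]]$Names)
    $seen = @{}
    $entries = @()
    foreach ($raw in $Names) {
        $name = "$raw".Trim()
        if ($name -eq '' -or $name -match '[\s,]') {
            throw "Invalid peer name: '$raw' (give the bare DNS name, no flags)."
        }
        $key = $name.ToLowerInvariant()   # DNS names are case-insensitive
        if ($seen.ContainsKey($key)) {
            throw "Duplicate peer name: '$name'."
        }
        $seen[$key] = $true
        $entries += "$name,0x1"
    }
    if ($entries.Count -eq 0) { throw 'At least one peer is required.' }
    return ($entries -join ' ')
}

$peerList = Format-NtpPeerList -Names $Peers

# The four values from the procedure, in the order the steps give them.
$settings = @(
    @{ Path = "$W32Time\Parameters";              Name = 'Type';          Value = 'NTP' },
    @{ Path = "$W32Time\Config";                  Name = 'AnnounceFlags'; Value = 5 },
    @{ Path = "$W32Time\TimeProviders\NtpServer"; Name = 'Enabled';       Value = 1 },
    @{ Path = "$W32Time\Parameters";              Name = 'NtpServer';     Value = $peerList }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { throw "Registry key not found: $($s.Path)" }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value
}

# Read every value back so a typo or a failed write is caught before the
# service is started.
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    if ("$actual" -ne "$($s.Value)") {
        throw "$($s.Path)\$($s.Name) is '$actual', expected '$($s.Value)'."
    }
}

# Last step: Windows Time service set to automatic, then started.
# If it is already running it is restarted so it rereads the new values.
Set-Service -Name W32Time -StartupType Automatic
if ((Get-Service -Name W32Time).Status -eq 'Running') {
    Restart-Service -Name W32Time
} else {
    Start-Service -Name W32Time
}
```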
3. Enabling Ports on Windows Firewall
• This section lists the steps necessary to open up two ports on Windows Firewall to allow WCF and Time Server to function properly.
o Enabling Ports on the Windows Firewall. tConsult Servers use Windows Firewall as part of the overall security strategy. By default, only 3 ports are open: HTTP port 80, HTTPS port 443 and RDP port 3389. WCF and Time Server require two additional ports to be enabled.
o Open the Windows Firewall Exceptions page for Local Area Connection Properties.
Figure 1 – Windows Firewall – Exceptions
o Select Add Port and enter WCF, Port 6968, TCP
Figure 2 – Adding WCF Port
o Select Add Port and enter Time Server, Port 123, UDP
Figure 3 – Adding Time Server Port
End of procedure.
Telehealth Licensing
1. Background Information About User Licenses
In the tConsult system, a user is someone who uses the tConsult Software, either on a telehealth cart or at a
PC workstation. Normally users include health aides, nurses, physicians and other health practitioners. Some users
can be designated as system administrators (a system administrator may be a healthcare provider or a member of
IT staff). Among other duties, the system administrators set up user accounts on the network server for which they
are responsible. Users log into the server from a telehealth cart or a PC running the tConsult Software. For the
purpose of traceability, user accounts are maintained in the system indefinitely. If a user is no longer working on
tConsult cases and is not using the tConsult Software, he or she can be designated as inactive by the system
administrator.
tConsult User Licenses specify the maximum number of active users that can be identified on a given server.
When a system is first installed, the system comes with licenses for 5 active users. These initial licenses remain
valid for 30 days. After the 30 days, the system administrator and his or her organization will have to purchase user
licenses. Purchased licenses remain valid indefinitely.
Organizations can purchase additional licenses at any time. System administrators can designate any users as
active or inactive at any time provided the number of active users does not exceed the number of available
licenses.
2. Licensing Key Terms
Term: Definition
License: Authorization for an active user of the tConsult Software
Using Organization: The organization using tConsult Software to develop, send and receive clinical cases (may also be called the requesting organization)
Sys Admin: System Administrator on a tConsult server to which users connect when using the tConsult Software; sets up user (provider) accounts
User: An individual with a provider account established on a tConsult server
Active User: A user designated as active in his or her provider account and for whom a license is required
Inactive User: A user designated as inactive in his or her provider account
Licensing Organization: The organization that issues licenses for using the tConsult Software
Approver: An individual in the Licensing Organization who is responsible for approving license update requests and working with the System Administrator to exchange the necessary files
3. License Process Overview Chart
Chart 1 – Process for obtaining tConsult User Licenses
4. Requesting Additional Licenses
• Open tConsult Web and click on Server Monitor.
o Note: You must be designated as an Administrator in the tConsult Software to see that selection.
Figure 1 – Logged into tConsult Web Client
• In the Server Monitor window, click on Licensing.
Figure 2 – Open tConsult Licensing Dialog Box
• In the Licensing window, click on Export server validation file.
Figure 3 – tConsult Licensing Dialog Box
Note: In the Licensing Information section of the above example, the total licenses are 50 and the number of
available licenses is 47. This indicates that the server has three users (providers) designated as active.
• The following window will open up. Click the Save button.
Figure 4 – Saving tConsult License Request
Note: You will have an opportunity to change the default filename in the next screen.
• Save the file to any convenient location on your computer, and change the file name, if desired, to any name that makes sense. Click the Save button to save the file.
Note: The main goal is to save the file so you can insert it into an email.
Figure 5 – Saving tConsult License Request Location
• Attach the file to an email and send it to the Approver.
5. Approving Additional Licenses
• Open the email from the requesting organization and save the ***.elic file to a suitable location.
Note: AFHCAN recommends a file structure similar to the one shown below. The License Signer software (and
related files) and all Organizational License Data are within the same directory. Copies of requests and approvals
are kept in separate directories and are retained as a matter of good recordkeeping.
Figure 6 – Folder Location of tConsult License Request
• Double-click on AFHCAN_Licensing_Signer.exe to open the licensing software.
Figure 7 – Starting AFHCAN Licensing Software
• Complete the AFHCAN License Signer as follows:
o In the License File field, use the browse feature to locate and select the file saved from the requesting organization’s email (step 1 above).
o In the Private Key field, use the browse feature to locate and select the file, amd.licensing.private.xml (in same directory as Signer Software, step 2 above).
o In the Output Path field, type the full path name where the license file about to be generated will be stored. Select a suitable filename, such as one based on the organization and action performed.
o In the Number of Licenses field, enter the new total number of user licenses being issued to the requesting organization.
▪ EXAMPLE: If they originally had 50 licenses, and they sent in a purchase order for an additional 50 licenses, then the amount entered would be 100, as shown.
o Click on the Generate License File button to generate the file and save it in the location shown.
Figure 9 – Generate tConsult License Dialog Box
o The following notice will appear. Click the OK button, and then click on the red X to close the AFHCAN License Signer software.
Figure 10 – Successful tConsult License Generated
o Create an email, attach the newly generated license file (in this example, GL100.lic), and send it to the system administrator at the requesting organization.
6. Installing Additional Licenses
• Open the email from the Approver and save the attached license file to any convenient location (in this example, the file is GL100.lic and it was saved to the desktop).
• Open tConsult Web, click on Server Monitor, and click on Licensing (see steps 1 and 2 in Part A).
• Click on the Browse button to locate the license file.
Figure 11 – tConsult Licensing Dialog Box
• Click on the desired file to enter it in the File name field, and click the Open button.
Figure 12 – Location of tConsult License
• Click on the Upload button to upload and install the new licenses.
Figure 13 – Uploading tConsult License
• A message will appear confirming that the license file was successfully imported, and the revised total number of licenses will be displayed.
Figure 14 – Successful tConsult License Import
• Click the X in the corner of the window to close the Server Monitor window, if desired.
End of procedure.
Telehealth Third Party SSL Certificate
1. Acronyms and Abbreviations for Third Party SSL Certificate
Acronym   Meaning
SSL       Secure Socket Layer
IIS       Internet Information Server
CSR       Certificate Signing Request
FQDN      Fully Qualified Domain Name
DN        Distinguished Name
MMC       Microsoft Management Console
2. Removing the Current Certificate
• This section details the steps necessary to remove the current tConsult Certificate from within IIS only.
• IMPORTANT: Do NOT remove the certificate from the Certificate Store; the tConsult Server Service uses this certificate!
o Using IIS Manager on the tConsult Server, expand the Web Sites until the tConsult website is located.
Figure 1 – IIS Manager
o Do a right mouse-click on the tConsult website and select Properties. Click on the Directory Security tab. Click on the Server Certificate button.
Figure 2 – Directory Security tab of the tConsult Website Properties
o This will open the Web Server Certificate Wizard. Click on Next.
Figure 3 – Web Server Certificate Wizard
o There is an AFHCAN Telehealth Signing Certificate currently installed. This needs to be removed from within IIS in order to request a new certificate from a third party. Ensure the Remove the current certificate radio button is selected and click on Next.
Figure 4 – Removing the Current Certificate
o A confirmation of the removal of the current certificate is displayed. Click Next.
Figure 5 – Verifying the Removal of the Current Certificate
o Click on Finish to complete the removal process.
Figure 6 – Completing the Removal of the Current Certificate
3. Requesting a Third Party SSL Certificate
• This section details the steps for generating a CSR (Certificate Signing Request) from the tConsult Server.
o Still using IIS Manager on the tConsult Server, do a right mouse-click on the tConsult website and select Properties. Click on the Directory Security tab and click on the Server Certificate button.
Figure 7 – Directory Security tab of the tConsult Website Properties
o The Welcome to the Web Security Wizard will start up. Click Next.
Figure 8 – Web Server Certificate Wizard
o Select the radio button in front of Create a new certificate as shown in Figure 9 below, and then click Next.
Figure 9 – Creating a New Certificate
o Accept the default “Prepare the request now, but send it later” and click on Next.
Figure 10 – Delayed or Immediate Request
o Enter a name for this certificate, then click Next.
Note: The name in Figure 11 is an example only.
Figure 11 – Naming the Certificate
o Enter the name of the Organization and the Organizational Unit. The Organizational Unit is the branch of the Organization that is ordering the certificate, such as accounting, marketing, etc.
Figure 12 – Organizational Information
o Enter the FQDN (Fully Qualified Domain Name) for which you are requesting the SSL Certificate. Some third party vendors do allow the use of IP addresses; check with the third party certificate company to which this request is being submitted.
Figure 13 – Entering the FQDN
o Select the Country/Region, enter the State/province and City/locality and then click on Next. This information is specific to the company and domain name and is collectively known as a Distinguished Name or DN. It is encoded within the certificate request.
Figure 14 – Information Specific to the Company and Domain Name
o Enter a file name and location in which to store this certificate request.
Figure 15 – File Name and Location of Certificate Request
o Review the request file summary, and then click Next.
Figure 16 – Reviewing the Request File Summary
o Click Finish at the Completion of the Web Server Certificate Wizard.
Figure 17 – Completing the Web Server Certificate Wizard
o Create an email and submit the Certificate Request to the Third Party SSL Vendor who will be fulfilling this order. Upon receipt of a valid certificate from the Third Party SSL Vendor, place the certificate in the root of the C:\ drive of the tConsult Server.
4. Installing the Third Party SSL Certificate into the Certificate Personal Store
• The steps listed here install the Third Party SSL Certificate into the Certificate Personal Store on the tConsult Server.
o Open an MMC (Microsoft Management Console) and select Add/Remove Snap-in, then click on Add.
Figure 18 – Add/Remove Snap-In Dialog Box
o Select Certificates then click on Add.
Figure 19 – Selecting Certificates
o Ensure the radio button for Computer account is selected. Click Next.
Figure 20 – Managing Certificates for Computer Account
o Select Local computer, then click Finish.
Figure 21 – Designating Local Computer to Manage
o Click the Close button to close the Add Standalone Snap-in dialog box.
Figure 22 – Close the Add Standalone Snap-In
o Click OK to return to view the Certificates MMC.
Figure 23 – Close Add/Remove Snap-in to view Certificates MMC
o Expand the Console Root in the left pane to reveal Personal Certificates under Certificates (Local Computer). AFHCAN Telehealth Signing will show in the pane to the right.
Figure 24 – Certificates MMC
o With Certificates highlighted as shown in Figure 24, do a right mouse-click and choose Import. The Certificate Import Wizard will open. Click Next.
Figure 25 – Certificate Import Wizard Welcome Screen
o Browse to the location where the Third Party SSL Certificate was placed on the tConsult Server. Change the Files of type to Personal Information Exchange (*.pfx,*.p12) to see the certificate. Select the certificate and click Open.
Figure 26 – Browsing to the Third Party SSL Certificate
o Click Next.
Figure 27 – Specifying the Correct Certificate to be Imported
o Leave the password field blank. Place a checkmark in front of “Mark this key as exportable. This will allow you to back up or transport your keys at a later time”. Click Next.
Figure 28 – Marking the Key Exportable
o Place the Certificate into the Certificate Personal Store, and then click Next.
Figure 29 – Placing the Certificate into the Certificate Personal Store
o After verifying the settings, click Finish to complete the Certificate Import Wizard.
Figure 30 – Completing the Certificate Import Wizard
o By default, a tConsult Server built to AFHCAN specifications will have the Update Root Certificates turned off. There are two steps to enabling Update Root Certificates:
▪ Using Control Panel, click on Add/Remove Programs:
Figure 31 – Add or Remove Programs
▪ Click on Add/Remove Windows Components, as seen on the bottom left of Figure 31. Scroll down to place a checkmark in front of Update Root Certificates, then click Next.
Figure 32 – Enabling Update Root Certificates
▪ Click Finish when the Windows Components install is complete.
Figure 33 – Completing the Windows Components Wizard
▪ Within Computer Management under Services, ensure the Windows Update Service is enabled, set to start up automatically, and start the service.
o Two certificates will now show in the Certificate Personal Store. To verify that there is a trusted certificate in the trusted root certification store, double-click on the imported personal certificate. Close the MMC by clicking on the X in the upper right hand corner.
Figure 34 – Certificates MMC
5. Installing the Third Party SSL Certificate into IIS
• Using IIS Manager on the tConsult Server, expand the Web Sites until the tConsult website is located.
Figure 35 – IIS Manager
• Do a right mouse-click on the tConsult website and select Properties. Click the Directory Security tab. Click the Server Certificate button.
Figure 36 – Directory Security tab of the tConsult Website Properties
• This will open the Web Server Certificate Wizard. Click Next.
Figure 37 – Web Server Certificate Wizard
• With the “Process the pending request and install the certificate” radio button selected, click Next.
Figure 38 – Pending Certificate Request Dialog Box
• Browse to the location where the Third Party SSL Certificate was placed on the tConsult Server and click Next.
Figure 39 – Entering the Path and File Name of the Third Party SSL Certificate
• Accept the default port the tConsult Website should use and click Next.
Figure 40 – SSL Port for tConsult Website
• A review of the SSL Certificate will display. Click Next.
o NOTE: The illustration in Figure 41 is a representative example.
Figure 41 – Web Server Certificate Summary
• Click Finish to complete the Web Server Certificate Wizard.
Figure 42 – Completing the Web Server Certificate Wizard
End of procedure.
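The verification at the end of section 4 (two certificates in the Personal store, the imported one chaining to a trusted root) can also be run as a script before the certificate is bound in IIS. This is an added PowerShell example, not part of the AFHCAN procedure; the default FQDN is a placeholder and the function names are hypothetical.

```powershell
# Added example, not part of the AFHCAN procedure. Read-only: it changes nothing.
# Requires PowerShell 2.0 or later, run as an administrator on the tConsult Server.
param(
    [string]$Fqdn = 'telehealth.example.org'   # placeholder for the FQDN entered in the CSR
)

function Test-NameMatch([string]$CertName, [string]$HostName) {
    # Exact match, or a wildcard certificate covering exactly one left-most label.
    if ($CertName -ieq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $pattern = '^[^.]+' + [regex]::Escape($CertName.Substring(1)) + '$'
        return ($HostName -match $pattern)
    }
    return $false
}

function Get-CertificateFindings($Cert) {
    $findings = @()
    # IIS can only serve a certificate whose private key is present on this server.
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore) { $findings += "not valid before $($Cert.NotBefore)" }
    if ($now -gt $Cert.NotAfter)  { $findings += "expired $($Cert.NotAfter)" }

    # Build the chain in machine context (the Computer account stores used in the
    # procedure). Revocation is skipped: the question is only whether the issuer
    # chains to a certificate in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        foreach ($status in $chain.ChainStatus) { $findings += "chain: $($status.Status)" }
    }
    return ,$findings
}

# Certificates (Local Computer) | Personal, opened read-only.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try     { $certs = @($store.Certificates) }
finally { $store.Close() }

$report = foreach ($cert in $certs) {
    $cn       = $cert.GetNameInfo('SimpleName', $false)
    $findings = Get-CertificateFindings $cert
    New-Object PSObject -Property @{
        Subject  = $cn
        Issuer   = $cert.GetNameInfo('SimpleName', $true)
        Expires  = $cert.NotAfter.ToString('yyyy-MM-dd')
        ForSite  = (Test-NameMatch $cn $Fqdn)
        Findings = ($findings -join '; ')
    }
}
$report | Select-Object Subject, Issuer, Expires, ForSite, Findings

if (-not ($report | Where-Object { $_.ForSite -and -not $_.Findings })) {
    Write-Warning "No certificate in LocalMachine\My is usable for $Fqdn."
}

# The procedure stages key-bearing files with a blank password at a drive root.
# List any still there so they can be moved to protected storage once imported.
Get-ChildItem -Path 'C:\*.pfx', 'C:\*.p12', 'D:\*.pfx', 'D:\*.p12' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Key file still at drive root: $($_.FullName)" }
```

An empty Findings column for the row marked ForSite means the certificate has its private key, is within its validity period, and chains to a trusted root on this server.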
Moving an Organization Between Telehealth Servers
1. Capturing the Telehealth Database, Support Files and Certificates
Disclaimer: This document does not give the reader step-by-step instructions on how to do a backup, but relies on an organization’s backup strategy to be able to restore the tConsult Server in the event of an untimely failure.
The SQL Databases, specifically the Telehealth Case database (tConsult, CaseDB), should be backed up using the SQL Backup function or a 3rd party solution, such as Veritas with SQL Agent. For the purposes of this document, a backup of the SQL Database should be completed using the SQL Backup function and placed in the MSSQL\Backup folder on the D:\ drive.
The folders critical to a successful restoral are:
D:\AFHCAN\Blobs*
D:\MSSQL\Backup
E:\InetPub\AFHCANRoot\AFHCAN**
*On older tConsult Telehealth Servers, this may be the D:\ATS\Blobs folder
**On older tConsult Telehealth Servers, this may be the E:\InetPub\WWWRoot\AFHCAN
In addition to the above files and folders, the tConsult Telehealth Signing and tConsult Telehealth CA certificates need to be exported and saved to the root of the D:\ drive.
• Click on Start, select Run and enter mmc and then click on OK. Select File from the Menu Bar and choose Add/Remove Snap-In. Click on Add and select Certificates, clicking on Add again.
Figure 2 - Adding Standalone Snap-in to the MMC
• When asked what this snap-in will always use to manage certificates, select Computer account. Click Next.
Figure 2 - Managing Certificates for Computer Account
• Select the Local Computer that this snap-in will manage, and then click on Finish.
Figure 3 - Snap-in Manages Local Computer
• Expand the Console Root to Certificates | Personal | Certificates. Do a right-mouse click on the AFHCAN Telehealth Signing certificate, select All Tasks and choose Export to invoke the Certificate Export Wizard. Click Next.
Figure 4 – Certificate Export Wizard
• Always export the private key by selecting the radio button Yes.
Figure 5 – Export the Private Key
• Leave the default export file format of Personal Information Exchange (.pfx) while enabling strong protection.
Figure 6 – Personal Information Exchange with Strong Protection
• Leave the Password field blank.
Figure 7 – Password Dialog Box
• Enter an appropriate file name such as the name of the organization and save to the root of the D:\ drive.
Figure 8 – Naming the Exported Certificate
• Click on Finish after reviewing the settings.
Figure 9 – Reviewing the Settings
• Click on OK.
Figure 10 – Successful Personal Certificate Export
• Expand Trusted Root Certificates in the left pane, click on Certificates, and locate the AFHCAN Telehealth CA certificate in the right pane. Do a right-mouse click and select All Tasks | Export.
Figure 11 – Starting the Export of the Root Certificate
• At the start of the Certificate Export Wizard, click on Next.
Figure 12 – Certificate Export Wizard
• Select the Base-64 encoded X.509 (.CER) file format for export.
Figure 13 – File Format of Base-64 Encoded X.509 (.CER)
• Enter an appropriate file name such as the name of the organization and save to the root of the D:\ drive.
Figure 14 – Saving the AFHCAN Telehealth CA Certificate to the D:\drive
• Review the settings of the Certificate Export Wizard and click on Finish.
Figure 15 – Reviewing the AFHCAN Telehealth CA Certificate Export Settings
• Click OK on the Successful completion.
Figure 16 – Successful Export Dialog Box
• Using Windows Server Backup utility, back up D:\Certificates (.pfx) and (.cer), D:\AFHCAN\Blobs, D:\MSSQL\Backup and E:\InetPub\AFHCANRoot\AFHCAN.
• Place the created backup onto an encrypted drive for transport to the new host server.
• Copy the backup to the root of the D:\ drive on the new server.
2. Moving and Restoring a Telehealth Organization onto a Single Org Server
• The detailed steps in this section outline the restoration of a tConsult organization and supporting files onto a new server that hosts a single organization.
o Install the tConsult Server software, creating a new organization. Please refer to the appropriate
tConsult Server Software Installation Procedures for detailed instructions.
o Make a note of the tConsult user account that is created.
o Using the Windows Server Backup utility, restore to their original locations the backed up database
and supporting files from the old server.
o Stop the tConsult Server Service in Administrative Tools | Services mmc
o Click on Start, select Run and enter mmc and then click on OK. Select File from the Menu Bar and
choose Add/Remove Snap-In. Click on Add and select Certificates, clicking on Add again.
Figure 17 - Adding Standalone Snap-in to the MMC
o When asked what this snap-in will always use to manage certificates, select Computer account. Click Next.
Figure 18 - Managing Certificates for Computer Account
o Select the Local Computer that this snap-in will manage, and then click on Finish.
Figure 19 - Snap-in Manages Local Computer
o Expand the Console Root to Certificates | Personal | Certificates. Highlight the existing Telehealth Signing certificate in the right pane and choose Delete. Click Yes on the warning dialog box to confirm deletion.
Figure 20 – Confirming Deletion of Existing Certificate
o Do a right mouse-click on Certificates under Personal and select Import. The Certificate Import Wizard will start. Click Next.
Figure 21 – Certificate Import Wizard
o Change the file type to Personal Information Exchange (*.pfx,*.p12) and locate the certificate that was exported from the old server and restored to the original location in the root of the D:\ drive. Highlight the certificate and click on Open.
Figure 22 – Locating the Personal Information Exchange Certificate
o Click on Next to continue the Certificate Import Wizard.
Figure 23 – Continuing the Certificate Import Wizard
o Ensure a checkmark is placed in front of Mark Private Key as Exportable before clicking Next.
Figure 24 – Marking this Key as Exportable
o Place all Certificates in the Personal Certificate Store and click Next.
Figure 25 – Placing Certificates in the Personal Certificate Store
o Click Finish at the final review screen.
Figure 26 – Reviewing the Settings
o Click on OK.
Figure 27 – Import Successful Dialog Box
o Expand Trusted Root Certificates in the left pane, click on Certificates, and locate the AFHCAN Telehealth CA certificate in the right pane. Do a right-mouse click and select Delete. Confirm deletion by clicking Yes.
Figure 28 – Confirming Deletion of AFHCAN Telehealth CA Root Certificate
o Again clicking on Certificates under Trusted Root Certificates, do a right-mouse click and select All Tasks | Import.
Figure 29 – Importing the AFHCAN Telehealth CA Root Certificate
o The Certificate Import Wizard will start up. Click Next.
Figure 30 – Certificate Import Wizard
o Browse to the root of the D:\ drive where the root certificate was restored then click Next.
Figure 31 – Locating the AFHCAN Telehealth CA Root Certificate
o Accept the default location for placement of the certificate and click Next.
Figure 32 – Placement of AFHCAN Telehealth CA Root Certificate
o Review the settings and click on Finish.
Figure 33 – Finishing the AFHCAN Telehealth CA Root Certificate Import
o Click on OK at the successful import of the AFHCAN CA Root Certificate.
Figure 34 – Import Successful Dialog Box
o Open IIS. Highlight the tConsult website, do a right mouse-click, and select Properties.
o Select the Directory Security tab and click on Server Certificate. At the Welcome to the Web Server Certificate Wizard click on Next, then select Replace Current Certificate. Highlight the Available AFHCAN Telehealth certificate and click on Next.
Figure 35 – Selecting the Available Certificate
o Ensure 443 is the selected SSL Port the web site should use.
Figure 36 – Selecting SSL Port
o Upon completion of the IIS Certificate Wizard, exit IIS.
o Open Enterprise Manager (if SQL 2000) or SQL Server Management Studio if SQL 2005. Expand Databases. Do a right-mouse click on Databases and select All Tasks | Restore Database. Restore as tConsult database from the device of D:\MSSQL\Backup leaving the backup set database-complete. Then click on Options tab.
Figure 37 – Restoring a SQL Database
o Force a restore over the existing database, and ensure that physical file name is that of the database being overwritten. Click on OK.
Figure 38 – Restore Database Options
o Click on OK at the Successful Restore Database dialog box.
Figure 39 – Successful Restore of Database Dialog Box
o Expand the tConsult database, highlight Users, and delete the existing tConsult user in the right pane. Click on Yes to verify the deletion. This user is from the old server and no longer applicable to this new server.
Figure 40 – Removing Old Server User Account
o Do a right-mouse click on Users and select New User. Select the tConsult account created and noted in Step 2 of this section. Permit this user the role of public and db_owner prior to clicking on OK.
Figure 41 - Adding a New User and Selecting Roles for a Database
o Click on Tables and locate the Server table in the right pane. Do a right-mouse click and select Open Table | Returning all rows.
Figure 42 – Returning All Rows upon Opening a Table
o Locate the name of the organization in the Description column (type will be Home). Highlight the ServerGUID in the first column and copy to the clipboard.
Figure 43 – Copying the ServerGUID to Computer Clipboard
o Click on Start | Run and enter “regedit” (without the quotes). Editing needs to be done with extreme care to avoid critical failures. Using regedit is at the reader’s own risk. AFHCAN assumes no responsibility for failure to follow the below steps.
o Expand the registry to locate HKLM | Software | AFHCAN. Expand Organizations. Do a right-mouse click on the first key under Organizations and select Rename. Paste the ServerGUID obtained in Step 29.
Figure 44 – Renaming the ServerGUID within the Registry
o In the right pane, click on the Name value and ensure the Value Data is the correct name of the Organization that was just restored.
Figure 45 – Correcting the Value Data for the Name
o Within Computer Management, set the tConsult user account to “never expire” and restart the tConsult Server Service and the World Wide Web Publishing Service.
o Open Internet Explorer and enter http://IP_Address_of_your_server/ping.htm
The AFHCAN Server Information page should display as seen in Figure 46.
Figure 46 – Displaying the Ping Page for an Organization
o Close Internet Explorer.
3. Moving and Restoring a Telehealth Organization onto a Server that Hosts Multiple Organizations
• The detailed steps in this section outline the restoration of a tConsult organization and supporting files onto a new server that hosts multiple organizations. This procedure assumes the tConsult Server software has already been installed and several organizations have been created.
o Create a new organization noting the name of the tConsultX user account, name of tConsultX database and location of the data files.
o Using the Windows Server Backup utility, restore the database and supporting files to these new locations.
o Stop the tConsultX Server Service in Administrative Tools | Services mmc.
o Open Enterprise Manager (if SQL 2000) or SQL Server Management Studio if SQL 2005. Expand Databases. Click on the newly created database and expand it. Click on Tables. Do a right-mouse click on the Server table in the right pane and return all rows. Write down the ServerGUID to be located in the registry later in this procedure.
Figure 47 – Returning All Rows in a Table
o Do a right-mouse click on Databases and select All Tasks | Restore Database. Restore as tConsult database from the device of D:\MSSQL\Backup leaving the backup set database-complete. Then click on Options tab.
Figure 48 – Restoring a SQL Database
o Force a restore over the existing database, and ensure that physical file name is that of the database being overwritten. Click on OK.
Figure 49 – Restore Database Options
o Click on OK at the Successful Restore Database dialog box.
Figure 50 – Successful Restore of Database Dialog Box
o Expand the tConsultX database, highlight Users, and delete the existing tConsultX user in the right pane. Click on Yes to verify the deletion. This user is from the old server and no longer applicable to this new server.
Figure 51 – Removing Old Server User Account
o Do a right-mouse click on Users and select New User. Select the tConsultX account created and noted in Step 1 of this section. Permit this user the role of public and db_owner prior to clicking on OK.
Figure 52 - Adding a New User and Selecting Roles for a Database
o Click on Tables and locate the Server table in the right pane. Do a right-mouse click and select Open Table | Returning all rows.
Figure 53 – Returning All Rows upon Opening a Table
o Locate the name of the organization in the Description column (type will be Home). Highlight the ServerGUID in the first column and copy to the clipboard.
Figure 54 – Copying the ServerGUID to Computer Clipboard
o Click on Start | Run and enter “regedit” (without the quotes). Editing needs to be done with extreme care to avoid critical failures. Using regedit is at the reader’s own risk. AFHCAN assumes no responsibility for failure to follow the below steps.
o Expand the registry to locate HKLM | Software | AFHCAN. Expand Organizations. Click on the key of the Organization that is the ServerGUID number written down in Step 4 of this section. Once the correct Organization is verified, do a right-mouse click on the key of the Organization restored and select Rename. Paste the ServerGUID obtained in Step 11.
Figure 55 – Renaming the ServerGUID within the Registry
o In the right pane, click on the Name value and ensure the Value Data is the correct name of the Organization that was just restored.
Figure 56 – Correcting the Value Data for the Name
o Since multiple organizations are already installed on the server, all are using an AFHCAN Telehealth Signing certificate that was installed when the tConsult Server Software was originally installed. The newly restored database needs to have this public key applied to the database. Please refer to SWP0017 Obtaining New Certificate Public Key to obtain and apply the public key.
o Once the public key has been applied to the restored database, set the tConsultX user account to “never expire” and restart the tConsultX Server Service.
o Open Internet Explorer and enter http://IP_Address_of_your_server/ping.htm
The AFHCAN Server Information page should display as seen in Figure 57.
Figure 57 – Displaying the Ping Page for an Organization
o Close Internet Explorer.
End of procedure.
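A read-only check of the registry rename step above, most useful on a server that hosts several organizations, where renaming the wrong key affects another organization. This is an added PowerShell example, not AFHCAN's own tooling; the function names are hypothetical, and the registry path and Name value are the ones given in the procedure.

```powershell
# Added example, not part of the AFHCAN procedure. Read-only: it changes nothing.
# Requires PowerShell 2.0 or later.
param(
    [Parameter(Mandatory = $true)][string]$ServerGuid,  # ServerGUID copied from the Server table (Home row)
    [Parameter(Mandatory = $true)][string]$OrgName      # organization name from the Description column
)

$base = 'HKLM:\SOFTWARE\AFHCAN\Organizations'           # path as given in the procedure

function ConvertTo-GuidOrNull([string]$Text) {
    # Accepts the value with or without braces; a truncated or mangled paste
    # comes back as $null.
    try   { return [Guid]$Text }
    catch { return $null }
}

function Test-OrganizationKeys([string]$BasePath, [Guid]$Target, [string]$ExpectedName) {
    $findings = @()
    $hits     = @()
    $keys     = @(Get-ChildItem -Path $BasePath -ErrorAction Stop)

    foreach ($key in $keys) {
        $keyName = $key.PSChildName
        $guid    = ConvertTo-GuidOrNull $keyName
        if ($null -eq $guid) {
            $findings += "key '$keyName' is not a GUID"
            continue
        }
        if ($keyName -ne $keyName.Trim()) {
            $findings += "key '$keyName' has leading or trailing whitespace"
        }
        if ($guid -eq $Target) { $hits += $key }
    }

    # Exactly one key should carry the ServerGUID of the restored database.
    if ($hits.Count -eq 0) { $findings += "no key named $Target under $BasePath" }
    if ($hits.Count -gt 1) { $findings += "more than one key resolves to $Target" }

    # That key's Name value should be the organization that was restored.
    foreach ($key in $hits) {
        $name = $key.GetValue('Name')
        if ($name -ne $ExpectedName) {
            $findings += "key '$($key.PSChildName)': Name is '$name', expected '$ExpectedName'"
        }
    }

    # A different key claiming the same organization name points at a rename
    # applied to the wrong key, or at a stale key left behind.
    $hitNames = @($hits | ForEach-Object { $_.PSChildName })
    foreach ($key in $keys) {
        if (($hitNames -notcontains $key.PSChildName) -and ($key.GetValue('Name') -eq $ExpectedName)) {
            $findings += "key '$($key.PSChildName)' also has Name '$ExpectedName'"
        }
    }
    return ,$findings
}

$result = Test-OrganizationKeys $base $ServerGuid $OrgName
if ($result.Count -eq 0) {
    "OK: $ServerGuid is registered once with Name '$OrgName'."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```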
Setting Up and Maintaining MSDTC
1. Acronyms and Abbreviations for MSDTC
Acronym   Meaning
MSDTC     Microsoft Distributed Transaction Coordinator
2. Pre-Requisites for Setting Up MSDTC
• This section will detail the necessary services that need to be enabled and started in order to configure MSDTC.
o Using Computer Management | Services, change the following five services to Automatic and Start each one:
   COM+ Event System
   COM+ System Application
   DCOM Server Process Launcher
   Distributed Transaction Coordinator
   System Event Notification
o Allow MSDTC.exe through the firewall. Using Local Area Connection, click on Properties.
o Select the Advanced tab, and then click on the Settings button.
o Click on the Exceptions tab. Click on Add a Program.
o Browse to the Windows\System32\msdtc.exe. Click to select msdtc.exe and click Open.
Figure 3 – Adding the MSDTC Program as a Firewall Exception
o Click OK.
o At the General tab, ensure there are checkmarks in front of Client for Microsoft Networks and File and Print Sharing for Microsoft Networks.
Figure 2 – Properties of Local Area Connection
o With Internet Protocol highlighted, click on Properties, click on Advanced, and proceed to the WINS tab. Place a checkmark in front of Enable LMHosts lookup. Under NetBIOS setting, click on the radio button in front of Enable NetBIOS over TCP/IP, and then click on OK.
Figure 3 – Advanced TCP/IP Settings
o Within Computer Management, click on Device Manager and then view devices by Connection and Hidden Devices. Click on NetBIOS over TCP/IP Properties. Enable the device for use, and then click on the Driver tab to change Startup to Automatic.
Figure 4 – NetBIOS over TCP/IP Properties in Device Manager
o Reboot the server.
3. Pre-Requisites for Setting Up MSDTC if Using a Back-End SQL Server
• This section will detail the necessary services that need to be enabled and started in order to configure MSDTC.
Note: These steps need to be completed on both the Front-End Telehealth Server and the Back-End SQL Server.
o Using Computer Management | Services, change the following five services to Automatic and Start each one:
   COM+ Event System
   COM+ System Application
   DCOM Server Process Launcher
   Distributed Transaction Coordinator
   System Event Notification
   Remote Procedure Locator
   TCP/IP NetBIOS Helper
o Allow MSDTC.exe through the firewall. Using Local Area Connection, click on Properties.
o Select the Advanced tab, and then click on the Settings button.
o Click on the Exceptions tab. Click on Add a Program.
o Browse to the Windows\System32\msdtc.exe. Click to select msdtc.exe and click Open.
Figure 4 – Adding the MSDTC Program as a Firewall Exception
o Click OK.
o At the General tab, ensure there are checkmarks in front of Client for Microsoft Networks and File and Print Sharing for Microsoft Networks.
Figure 2 – Properties of Local Area Connection
o With Internet Protocol highlighted, click on Properties, click on Advanced, and proceed to the WINS tab. Place a checkmark in front of Enable LMHosts lookup. Under NetBIOS setting, click on the radio button in front of Enable NetBIOS over TCP/IP, and then click on OK.
Figure 3 – Advanced TCP/IP Settings
o Within Computer Management, click on Device Manager and then view devices by Connection and Hidden Devices. Click on NetBIOS over TCP/IP Properties. Enable the device for use, and then click on the Driver tab to change Startup to Automatic.
Figure 4 – NetBIOS over TCP/IP Properties in Device Manager
o On the Front-End Telehealth Server only, use Windows Explorer, navigate to the C:\Windows\System32\Drivers\etc folder and edit the Hosts file by adding the IP address and NetBIOS name of the Back-End SQL Server. Save the Hosts File.
o Reboot the server.
4. Configuring MSDTC
• The steps for configuring MSDTC are outlined in this section. These steps are for any server using MSDTC.
o Click Start | Programs | Administrative Tools | Component Services.
o Click to expand Component Services and click to expand Computers.
o Right-click My Computer, and click Properties.
o Click the MSDTC tab of the My Computer Properties dialog and click the Security Configuration button to display the Security Configuration dialog box.
Figure 5 – Security Configuration for MSDTC Component Services
o Ensure the following checkmarks are in place on the Security Configuration Dialog box:
▪ Network DTC Access
   • Allow Remote Clients
   • Allow Remote Administration
▪ Transaction Manager Communication
   • Allow Inbound
   • Allow Outbound
   • No Authentication Required
   • Enable Transaction Internet Protocol (TIP) Transactions
o Click on OK when complete; OK again to return to Component Services to Exit.
End of procedure.
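The service and Security Configuration settings from sections 2 through 4 can be compared against the live server with a read-only script. This is an added PowerShell example, not part of the AFHCAN procedure; the service short names and the MSDTC registry value names are the standard Windows ones and do not appear in the original, and the function names are hypothetical.

```powershell
# Added example, not part of the AFHCAN procedure. Read-only: it changes nothing.
# Service short names and registry value names are the stock Windows names behind
# the display names and checkboxes the procedure lists (an assumption of this example).
param([switch]$BackEndSql)   # also check the two extra services listed in section 3

$services = @{
    EventSystem = 'COM+ Event System'
    COMSysApp   = 'COM+ System Application'
    DcomLaunch  = 'DCOM Server Process Launcher'
    MSDTC       = 'Distributed Transaction Coordinator'
    SENS        = 'System Event Notification'
}
if ($BackEndSql) {
    $services['RpcLocator'] = 'Remote Procedure Locator'
    $services['LmHosts']    = 'TCP/IP NetBIOS Helper'
}

function New-Row([string]$Item, [string]$Expected, [string]$Actual) {
    New-Object PSObject -Property @{
        Item = $Item; Expected = $Expected; Actual = $Actual; Match = ($Expected -eq $Actual)
    }
}

function Get-RegDword([string]$Path, [string]$Name) {
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { return [string]$prop.$Name }
    return 'not set'
}

$rows = @()

# Sections 2 and 3: each listed service set to Automatic and started.
foreach ($name in $services.Keys) {
    $svc    = Get-WmiObject Win32_Service -Filter "Name='$name'"
    $actual = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'not installed' }
    $rows  += New-Row $services[$name] 'Auto/Running' $actual
}

# Section 4: the checkboxes of the Security Configuration dialog box.
$sec = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$dtc = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$settings = @(
    @('Network DTC Access',          $sec, 'NetworkDtcAccess',         '1'),
    @('Allow Remote Clients',        $sec, 'NetworkDtcAccessClients',  '1'),
    @('Allow Remote Administration', $sec, 'NetworkDtcAccessAdmin',    '1'),
    @('Allow Inbound',               $sec, 'NetworkDtcAccessInbound',  '1'),
    @('Allow Outbound',              $sec, 'NetworkDtcAccessOutbound', '1'),
    @('Enable TIP Transactions',     $sec, 'NetworkDtcAccessTip',      '1'),
    # "No Authentication Required" is stored as these three values together.
    # In this mode MSDTC traffic between servers is neither authenticated nor
    # encrypted, so record it and keep the msdtc.exe firewall exception narrow.
    @('No Authentication Required',  $dtc, 'TurnOffRpcSecurity',               '1'),
    @('No Authentication Required',  $dtc, 'AllowOnlySecureRpcCalls',          '0'),
    @('No Authentication Required',  $dtc, 'FallbackToUnsecureRPCIfNecessary', '0')
)
foreach ($s in $settings) {
    $rows += New-Row "$($s[0]) [$($s[2])]" $s[3] (Get-RegDword $s[1] $s[2])
}

$rows | Select-Object Item, Expected, Actual, Match

$mismatches = @($rows | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) setting(s) differ from the procedure."
}
```

Run it on both the Front-End Telehealth Server and the Back-End SQL Server (with -BackEndSql) when section 3 applies, since both ends must be configured the same way.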
Obtaining New Certificate Public Key
1. Obtaining the Public Key from an Existing Database
• In this section, the steps are detailed for obtaining a public key from an existing tConsultX database on a server that hosts multiple organizations.
o Open Enterprise Manager (if using SQL 2000) or SQL Server Management Studio (if using SQL 2005).
Highlight an existing tConsult database and open SQL Query Analyzer.
Note: Do NOT highlight the newly restored tConsultX database.
Figure 5 – Opening SQL Query Analyzer
o In SQL Query Analyzer, open GetPubKey.sql.
Figure 2 – Opening the SQL Script
o Run the script by clicking on the green triangle. Click in the results box below and Select All | Copy.
Figure 3 – Copying the Results of a SQL Query
o Open Notepad and paste the results obtained in Step 3. Leave Notepad open and return to
Enterprise Manager.
Figure 4 – Pasting the Results of a SQL Query into Notepad
o Highlight the newly restored tConsultX database. Click on Tables and locate the Server table in the
right pane. Do a right-mouse click and select Open Table | Returning all rows.
Figure 5 – Returning All Rows upon Opening a Table
o Locate the name of the organization in the Description column (type will be Home). Highlight the
ServerGUID in the first column and copy to the clipboard.
Figure 6 – Copying the ServerGUID to Computer Clipboard
o Return to Notepad and replace the ServerGUID between the quotations in the last line of the script.
Save the document as UpdateServerPubKey.txt.
Figure 7 – Copying the ServerGUID to Computer Clipboard
o Using Windows Explorer, rename UpdateServerPubKey.txt to UpdateServerPubKey.sql.
o Copy UpdateServerPubKey.sql to UpdateNodePubKey.sql. Do a right-mouse click on
UpdateNodePubKey.sql and choose Edit using Notepad. Replace server in the first line with
nodeserversetup. Save the file.
Figure 8 – Changing Server to NodeServerSetup
2. Applying UpdateServerPubKey.sql Script
o With the restored database highlighted within Enterprise Manager, open SQL Query Analyzer. Open
UpdateServerPubKey.sql and run it against a newly restored database.
o Stop and restart the tConsultX Server Service for this database within Computer Management |
Services.
o Repeat these two steps for each organization that has a trust relationship with the restored
organization.
3. Applying UpdateNodePubKey.sql Script*
o Select one Node Server. Open Enterprise Manager and highlight the S2SPH8 database. Open SQL
Query Analyzer and open UpdateNodePubKey.sql and run the script. This will update the public key
for the restored organization on the Node Server.
o Repeat this on all Node Servers.
Note: On the Internet Secondary Node server, run the UpdateNodePubKey.sql script on both S2SPH8-52
AND S2SPH8-60 databases.
*Applying UpdateNodePubKey is internal to AFHCAN only.
4. Appendix A for SQL scripts
• There are 3 SQL scripts used in obtaining and applying public keys. Each script is detailed here.
o GetPubKey.sql
-- Reads the Home server's public key and ServerGUID and prints a ready-made UPDATE statement.
declare @pubkey as varchar(4000)
declare @serverguid as varchar(50)
select @pubkey = publickey, @serverguid = serverguid from server where type = 'Home'
print 'update server set publickey = ''' + @pubkey + ''' where serverguid = ''' + @serverguid + ''''
o UpdateServerPubKey.sql
Update server set publickey = 'place public key here'
Where ServerGUID = 'place ServerGUID here'
o UpdateNodePubKey.sql
Update nodeserversetup set publickey = 'place public key here'
Where ServerGUID = 'place ServerGUID here'
End of procedure.
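Because UpdateServerPubKey.sql and UpdateNodePubKey.sql are edited by hand in Notepad, it is worth checking them before they are run against a database. The following is an added example, not one of AFHCAN's scripts: it rejects typographic quotes, a missing WHERE clause, leftover placeholder text, and a node script whose table name, key or ServerGUID does not line up with the server script. The function names are hypothetical and the key and GUID values are constructed.

```python
import re

TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"

# Exactly one UPDATE of publickey, restricted to one ServerGUID.
# Inside a T-SQL string literal, '' is an escaped single quote.
STATEMENT_RE = re.compile(
    r"^\s*update\s+(?P<table>\w+)\s+set\s+publickey\s*=\s*'(?P<key>(?:[^']|'')*)'"
    r"\s+where\s+serverguid\s*=\s*'(?P<guid>(?:[^']|'')*)'\s*;?\s*$",
    re.IGNORECASE,
)


def check_script(sql, expected_table):
    """Return (parsed fields or None, list of problems) for one update script."""
    if any(ch in sql for ch in TYPOGRAPHIC_QUOTES):
        return None, ["typographic quotes found; string literals need the ASCII ' character"]
    if not re.search(r"\bwhere\b", sql, re.IGNORECASE):
        return None, ["no WHERE clause; the UPDATE would overwrite publickey in every row"]
    match = STATEMENT_RE.match(sql)
    if not match:
        return None, ["not a single UPDATE ... SET publickey = '...' WHERE ServerGUID = '...'"]
    parsed = match.groupdict()
    parsed["table"] = parsed["table"].lower()
    problems = []
    if parsed["table"] != expected_table:
        table = parsed["table"]
        problems.append(f"table is {table}, expected {expected_table}")
    for field in ("key", "guid"):
        value = parsed[field].strip()
        if not value or value.lower().startswith("place "):
            problems.append(f"{field} is empty or still the placeholder text")
    return parsed, problems


def check_pair(server_sql, node_sql):
    """Check UpdateServerPubKey.sql and UpdateNodePubKey.sql as a pair."""
    server, server_problems = check_script(server_sql, "server")
    node, node_problems = check_script(node_sql, "nodeserversetup")
    problems = [f"UpdateServerPubKey.sql: {p}" for p in server_problems]
    problems += [f"UpdateNodePubKey.sql: {p}" for p in node_problems]
    if server and node:
        # The node script is a copy of the server script with only the table changed.
        for field in ("key", "guid"):
            if server[field] != node[field]:
                problems.append(f"{field} differs between the two scripts")
    return problems


# Constructed values; a real key and ServerGUID come from the GetPubKey.sql output.
GOOD_SERVER = ("update server set publickey = 'CONSTRUCTED-KEY-0001' "
               "where serverguid = 'CONSTRUCTED-GUID-0001'")
GOOD_NODE = GOOD_SERVER.replace("update server", "update nodeserversetup")
# A script pasted from a word-processed document, curly quotes and placeholders intact.
PASTED_FROM_DOCUMENT = ("Update server set publickey = \u2018place public key here\u2019\n"
                        "Where ServerGUID = \u2018place ServerGUID here\u2019")

if __name__ == "__main__":
    for label, pair in (("good pair", (GOOD_SERVER, GOOD_NODE)),
                        ("pasted server script", (PASTED_FROM_DOCUMENT, GOOD_NODE)),
                        ("node table not renamed", (GOOD_SERVER, GOOD_SERVER))):
        print(label, "->", check_pair(*pair) or "OK")
```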
Troubleshooting Telehealth Server v5.2 and above
1. Cannot log into Telehealth Cart software – Time Service
• tConsult software now uses Windows Communication Foundation (WCF) to authenticate users using
Kerberos. WCF depends on the time service. The Windows time on the tConsult Server and the tConsult Cart
cannot differ by more than five minutes.
• Verify that the tConsult Server and the tConsult Cart client are using an authoritative time source and that
their Windows times are within five minutes of each other.
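The five-minute limit applies to the difference between the two machines, not to each machine's distance from the time source. The following is an added example, not part of the AFHCAN procedure: it takes the output of `w32tm /stripchart /computer:<time source> /samples:3 /dataonly` captured on the server and on the cart and computes the skew between them. The function names are hypothetical, the host name and sample values are constructed, and the line layout is assumed to be the one w32tm prints for stripchart samples.

```python
import re
from statistics import median

MAX_SKEW_SECONDS = 5 * 60  # the five-minute limit stated above

# Sample lines look like "15:50:49, +00.0094772s" (/dataonly) or
# "15:50:49 d:+00.0156250s o:+00.0094772s [ ... ]"; only the offset is used.
SAMPLE_RE = re.compile(
    r"^\d{1,2}:\d{2}:\d{2},?\s+(?:d:[+-]\d+\.\d+s\s+o:)?(?P<offset>[+-]\d+\.\d+)s"
)


def offsets(stripchart_output):
    """Return the clock offsets (seconds) found in one machine's stripchart output."""
    values = []
    for line in stripchart_output.splitlines():
        match = SAMPLE_RE.match(line.strip())
        if match:  # header lines and "error: 0x..." samples are skipped
            values.append(float(match.group("offset")))
    if not values:
        raise ValueError("no offset samples found; was the time source reachable?")
    return values


def relative_skew(server_output, cart_output):
    """Seconds between the two clocks, from each machine's offset to the same source."""
    return abs(median(offsets(server_output)) - median(offsets(cart_output)))


def within_limit(server_output, cart_output, limit=MAX_SKEW_SECONDS):
    return relative_skew(server_output, cart_output) <= limit


# Constructed captures. Each machine is under five minutes from the source,
# but they drift in opposite directions.
SERVER_OUTPUT = """Tracking timesource.example [192.0.2.10:123].
Collecting 3 samples.
The current time is 5/16/2012 10:00:00 AM.
10:00:00, +200.0000000s
10:00:02, error: 0x800705B4
10:00:04, +201.0000000s
"""
CART_OUTPUT = """Tracking timesource.example [192.0.2.10:123].
Collecting 3 samples.
The current time is 5/16/2012 10:06:40 AM.
10:06:40, -200.0000000s
10:06:42, -199.0000000s
10:06:44, -201.0000000s
"""

if __name__ == "__main__":
    skew = relative_skew(SERVER_OUTPUT, CART_OUTPUT)
    verdict = "OK" if within_limit(SERVER_OUTPUT, CART_OUTPUT) else "exceeds five minutes"
    print(f"server/cart skew: {skew:.1f} s ({verdict})")
```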
2. Cannot log into Telehealth Cart or Web software – Security MSDTC
• To promote data integrity, the tConsult software employs MSDTC (Microsoft Distributed Transaction
Coordinator) to track all parts of the transaction process.
• Verify that MSDTC has been enabled and configured as per SWP-0015 Setting Up and Maintaining MSDTC.
3. Existing cases not accessible via Telehealth Web after upgrade
• Created Date values cannot be Null within the tables of a tConsult database. During the upgrade, the
Date Created function did not run against the blob table.
o Run the following SQL script via Query Analyzer against the tConsult database:
Update Blob
Set DateCreated = dbo.fn_ConvertToDate(createddate)
Where DateCreated Is Null
GO
4. “Server Error in ‘/’ Application” Received when running Reports in Web Client
• In version 5.2 only, site names that contain a single quote (for example Site’s, St. Elias’) will cause a Server
Error in ‘/’ Application error when a Report is run from System Administration in the Web Client.
Figure 1 – Server Error in ‘/’ Application Dialog
• To correct this issue, contact AFHCAN or your distributor to receive the necessary files to be placed within
the E:\InetPub\AFHCANRoot*\tConsult folder structure.
• Always back up any files to be overwritten prior to beginning this procedure.
o Using Windows Explorer, navigate to E:\Inetpub\AFHCANRoot*\tConsult
o Rename AttachmentViewer.aspx to AttachmentViewerold.aspx
o Rename BlobViewer.aspx to BlobViewerold.aspx
o Copy AttachmentViewer.aspx and BlobViewer.aspx to E:\Inetpub\AFHCANRoot*\tConsult
o Navigate to E:\Inetpub\AFHCANRoot*\tConsult\admin\Reports
o Rename current casesummaryby.aspx to casesummarybyold.aspx
o Copy casesummaryby.aspx to E:\Inetpub\AFHCANRoot*\tConsult\admin\Reports
o Navigate to E:\Inetpub\AFHCANRoot*\tConsult\xml
o Rename AttachmentViewer.xsl to AttachmentViewerold.xsl
o Rename Case.xsl to Caseold.xsl
o Copy AttachmentViewer.xsl and Case.xsl to E:\Inetpub\AFHCANRoot*\tConsult\xml
*This may be WWWRoot if the server has been in existence pre-v4.8.
5. Missing Date Parameter Textbox when Preparing to Run a Report from Telehealth Web
• The “From” Date Textbox is missing in the dialog box. To resolve this issue, follow the eleven steps from
the preceding section.
End of procedure.
Upgrading SQL Server 2000 to SQL Server 2005 on a Telehealth Server
1. SQL Server Upgrade Paths
SQL Server 2005 Component: Database Engine
In-Place Upgrade: SQL Server Setup (upgrades all databases and preserves server configurations when possible)
Side-by-Side Upgrade: One or two servers (use backup/restore, detach/attach, or Copy Database Wizard)
2. Additional Resources for Upgrading
SQL2005UpgradeTechReference.doc from Microsoft:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3d5e96d9-0074-46c4-bd4f-c3eb2abf4b66&DisplayLang=en
3. Backup the Existing Server
• This section outlines the steps to prepare a server to do an in-place SQL Server upgrade from SQL Server
2000 to SQL Server 2005.
o With the tConsult Server service(s) stopped, back up ALL system and user databases (this includes but
is not limited to: master, msdb, model, ITAssist, CaseDB, tConsult, etc.). Use separate folders for each
database within the D:\MSSQL\Backup folder.
o Back up ALL transaction logs for each of the databases using separate folders for each database within
the D:\MSSQL\Backup folder.
o Using Windows 2003 Backup Utility, back up the entire D:\MSSQL\Backup folder, the D:\AFHCAN* folders
with the blobs, and E:\Inetpub\AFHCANRoot*, placing the backup in the root of the D:\ drive.
NOTE: On an AFHCAN Telehealth server built prior to 2008, it may be D:\ATS and
E:\Inetpub\WWWRoot folder structure.
4. Configuring the Existing Server
• Changes to existing services and folder permissions need to be set to allow the upgrade to occur.
o Change the Remote Registry service to Automatic and Start the Service.
o Assign Users the ability to Read and Execute at the C:\Program Files\Microsoft SQL Server folder level
– with inherit to subfolder and files set.
5. In-Place SQL Server 2000 Upgrade to SQL Server 2005 Process
• Ensure that all tConsultServer Service(s) are still shut down.
• If installing SQL 2005 on a back-end SQL server, install .Net Framework 2.0 if not already installed.
• Insert SQL 2005 Server disk into CD/DVD-Rom. (If doing the upgrade remotely, copy the contents of the
SQL Server 2005 Installation CD(s) to a folder on the D:\ drive.) Click on Install Server components, tools,
Books Online, and samples. (If AutoRun is disabled, use Windows Explorer to navigate to the CD/DVD-Rom
drive and double click on Setup.exe).
• Allow Native client and Support files to be installed. When completed, do not click on Next nor Exit the
Microsoft SQL Server 2005 setup program.
• Because .Net Framework 3.5 SP1 is installed, the .NET runtime searches for BPAClient.dll in a
subfolder called BPAClient. As confirmed by Microsoft in KB2020426, use Windows Explorer to navigate to the
C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\BPA folder. Create a new subfolder within
the BPA folder called BPAClient (no space).
• Copy the file BPAClient.dll from the C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\BPA\Bin
folder into the newly created BPAClient folder.
• Return to the Microsoft SQL Server 2005 Setup program, and click on Next.
• At the Components to Install screen, select SQL Server Database Services and Workstation Components,
Books Online and development tools. Click on Advanced button.
• Under Client Components:
o Make Business Intelligence Development Studio components unavailable.
o Make Software Development Kit components unavailable.
• Make the Documentation, Samples and Sample Databases unavailable
• Accept Default Instance
• Check SQL Server Database Services 8.00.2039
• Use Windows Authentication Mode
• Service Accounts:
o SQL Browser: Use the built-in System account of Local system
o Do not start the SQL Browser service
• Do not send errors to Microsoft
• At the Completing Microsoft SQL Server 2005 Setup screen, click on Surface Area Configuration Tool
• Select Surface Area Configuration Features:
o Enable CLR Integration
• Click OK to return to Surface Area Configuration Screen. Click on the X to close the dialog box. Click on
Finish to end setup.
• Copy xp_md5.dll from C:\Program Files\Microsoft SQL Server\MSSQL\Binn to C:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\Binn
• Open SQL Server Management Studio to allow the software to initialize
• Highlight the tConsultX or CaseDB database and select Database Properties.
o Select the Files Page –
o Place a checkmark to allow Full Text Indexing
o Select the Options Page – Change the compatibility level to SQL Server 2005 (90)
o Select the Permissions Page – click on the tConsultX name and scroll in the bottom window pane to
Take Ownership. Place a checkmark in the Grant checkbox.
• Repeat Step 21 for each tConsultX or CaseDB database if a multi-org server.
• Restart tConsultServer Service, then using IE, check the ping page status:
Http://ip_address_of_your_server/ping.htm
• Reboot the server
• After logging back into the server, stop the tConsultServer(s) Service
• Stop all SQL Services
• Install SQL 2005-SP4 accepting all defaults
• At completion do NOT Launch the User Provisioning Tool for Windows Vista after SP3 installation
completes
• Reboot the server
• Verify that the tConsultServer Service(s) is running. Log into the cart client and create a case. Log into the
Web client and create a case. Archive the cases.
End of procedure.
Telehealth Server System Administration
1. Server Settings
Server settings can now be edited within system administration using the web client and do not need to be
manually changed in the databases. To access the System Administration page, the user/provider must be
assigned the Sys Admin role. After logging into the web client, the user clicks on the System Administration link on the
bottom left of the page, then clicks on the System Settings link/button and on the last tab, marked Server
Settings.
Figure 6 System Settings Dialog Box – Part 1
1.1 System Settings
o System timeout (minutes): Default value is 15 minutes and is the amount of time a screen can be
inactive before automatically logging out of the software. This feature helps to prevent the
unauthorized use of the system and ensures that the provider who starts a case is associated with
that case.
o Use node mail: The node server is a server hosted by AFHCAN that acts as a message router to
increase network security between organizations. In addition, it can route email notifications for
cases. Customers who are not connected to a node server can use their own internal SMTP server
for email notifications.
o SMTP server: Enter the IP Address of an SMTP server to be used for case email notifications.
o Send Errors: Check this box if you want any server error notifications to be sent such as alerts or
syncing between trusted servers.
o Server email: This needs to be filled in with a valid user mailbox account for receiving emails.
o Admin email: This is a mandatory field that must be filled in with a valid user mailbox account for
sending email. (Will appear in the From line of an email).
o Web contact: The information entered here will appear when a provider clicks on the Help link.
Figure 2 Help Link from Web Client
o Cart contact: The information entered here will appear when a provider clicks on the About link
within the cart client.
o Evaluation Prompt: Upon sending a real case to another provider, the user is prompted to answer a
question. AFHCAN recommends the default value.
o Case event email: This is a valid user mailbox account for sending email regarding cases that cannot
be delivered to a recipient.
o Patient edit: Leaving the default checkbox allows patient account information to be edited.
Removing the checkmark locks all patient accounts.
o Logo file: Customers can insert their own logo here if they desire. The default logo is AFHCAN.
o Locale: This is used to indicate primary language of the country where the server is located.
Figure 3 System Settings Dialog Box – Part 2
1.2 Data Service Setup
o Enable data service sleep: The data service provides secure communication between the tConsult
client and the tConsult server. The enable data service sleep option was established to allow organizations
to lessen the cost of network bandwidth usage. When enabled, tConsult Cart will cease all network
communication when the tConsult Cart user interface is not running and cases are not transiting in
the background. Connection to the server will be re-established the next time the user interface is
opened.
o Active Sleep Time (minutes): This is the amount of time when the tConsult Cart is idle and not
running and cases are in transit to the server, but communication with the server is disrupted. The
default value is to enter the sleep mode after five minutes.
o Passive Sleep Time (minutes): This is the amount of time the data service has been asleep
(default value is 30 minutes) after which, if there is a case to transmit, the data service will wake to
attempt to transmit the case.
1.3 Patient Search
o Placing a checkmark in this box allows a search of patients by entering their Social Security number.
1.4 Sensitive Case Options
tConsult Telehealth cases can now be marked as sensitive, which restricts access to only the case creator
and the users/groups to which the case has been sent. Users with the correct permissions will be presented with a
warning before viewing a sensitive case and optionally can be challenged to re-enter their password for further
protection. Sensitive cases will only appear in search results and case lists of users that have permissions to view
the case. System and clinical administrators have permission to view any sensitive case.
By default, installation of v5.3.x will have all options selected. It is highly recommended to work with each
organization to tailor the specific warnings and actions to their requirements.
o Warn user when searching for sensitive cases: If left checked, when Searching cases, a new checkbox
is present that allows the ability to include sensitive cases for other users.
Figure 4 – Search Cases Dialog Box
o Clicking on the Search button will warn the user as shown in Figure 5.
Figure 5 – Search Cases Warning
o Removing the checkmark will still include sensitive cases if selected, but no warning will be displayed.
o Warn user before viewing a case – either sent directly to them or one that is on hold: When a user
clicks on a sensitive case, they will receive a warning as shown in Figure 6.
Figure 6 –Warning a User About Viewing a Sensitive Case
o Placing a checkmark in front of “Also require user to re-enter password” will force the user to
enter their password before the case will be viewable.
o Warn user before viewing a case sent to their group: The same warning box as displayed in Figure 6
appears when clicking on a case sent to a group to which the user belongs.
o Placing a checkmark in front of “Also require user to re-enter password” will force the user to
enter their password before the case will be viewable.
o Warn user before viewing a case as an admin: The warning box as displayed in Figure 6 will appear.
o Placing a checkmark in front of “Also require user to re-enter password” will force the user to
enter their password before the case will be viewable.
o Warn user when flagging a case as sensitive: Figure 7 is the warning displayed when a user flags a case
as sensitive.
Figure 7 –Warning a User About Marking a Case as Sensitive
o Once the case has been marked as sensitive, and the user prepares to send the case to another
provider, they will receive the dialog box as shown in Figure 8. There is no way to “turn off” this
particular dialog box.
Figure 8 –Warning a User About Sending a Sensitive Case
*Note: Sensitive cases can only be sent to providers at other organizations that have tConsult 5.3 or higher
installed. Attempting to send to an organization that is not upgraded to v5.3 will result in a firewall
message as shown in Figure 9. Cases received from previous versions of tConsult cannot be marked as
sensitive.
Figure 9 –Warning a User About a Recipient Unable to Receive the Case
o Warn user when removing sensitive case flag: Once a case has been marked as sensitive, a provider
who has received the case can remove the sensitivity flag. A warning is issued as seen in Figure 9.
Figure 10 –Warning Received When Changing the Sensitivity of a Case
End of procedure.
Patient Import Procedures
1. Acronyms and Abbreviations for Patient Import Procedures
Acronym – Meaning
EHR – Electronic Health Record
2. Establishing Patient Source
• This section details the steps for establishing the patient source.
o Log in to the tConsult server using an administrative account.
o Open SQL Enterprise Manager, and locate the tConsult database. Expand the Tables and do a right
mouse-click on the ServerSettings table, and select Open Table, Return All Rows.
Figure 1 – Locating the ServerSettings Table within SQL Server
Note: Images are representative of the process and may not necessarily reflect the actual version
of software that is being installed; however, the step by step instructions are correct.
• For SQL 2005, open SQL Server Management Studio, locate the tConsult database, expand the Tables and
do a right mouse-click on the ServerSettings Table and select Open Table.
o Next to medicalRecord1 row, remove the Primary HR# and type in the name of the source of the
patient demographic data file. For example, if the file was exported from RPMS, one might enter the
organization name and add RPMS after it such as ORG RPMS.
Figure 2 – Replacing Primary HR# with EHR Source
o Close SQL Enterprise Manager.
3. tConsult Server Manager and Patient Sources
• This section details using tConsult Server Manager and importing patient sources.
o Locate the source of the patient demographic data, be it on CD-ROM, DVD, USB drive, etc. Import
files may be both tab and semi-colon delimited and generally are named with a ‘.txt’ file extension.
o Open tConsult Server Manager, and click on the “Patient Sources” link.
Figure 3 – Using tConsult Server Manager
o After verifying the Organization name, click on the Add button below Patient Sources. Enter the
Patient Source Name, and click on Add.
Figure 4 – Creating Patient Source Name
o Click on “Select File to Import” button, and select the file identified in Step 1 of this section.
o If there are no dry run errors, click on the “Import” button.
Figure 5 – Verifying No Errors
o Once all records have been imported, click on “OK”.
Figure 6 – Successful Import Dialog Box
o Close tConsult Server Manager
4. Selecting Patient Sources
• To verify a successful import with tConsult Cart client, create a “Real Case”, click on “Patients” and do a
search. Patients that have been imported will have a green button next to them, while locally created
tConsult patients will have a gray button next to them.
Figure 7 – Selecting Patients within tConsult Cart Client
• Using tConsult Web Client, search results for Patients return green with a lock depicted on the icon for
imported patients and bluish-gray on locally created tConsult patients.
Figure 8 – Selecting Patients within tConsult Web Client
End of procedure.
Telehealth Server Build and Configuration Procedures
1. Material Requirements
• Server
o Server CPU w/NIC(s)
o Manufacturer CDROMS/DVDs – drivers disk
o Monitor
o Keyboard
o Mouse
• Software
o Windows 2003 CD-ROM/DVD w/license key (plus CALs)
o Windows 2003 SP2
o SQL Server 2005 CD-ROM/DVD w/license key (plus CALs if not processor license)
o SQL Server 2005 SP4 CD-ROM/DVD
o ATS Downloads CD-ROM dated 8-9-2011 or later (can be obtained from AFHCAN)
o .Net 3.5 Framework SP1, .Net 4.0 Framework CD-ROM/DVD
• Miscellaneous
o LAN Connection for Server
o CAT5 cables – regular, cross-over
2. Initialize Server
It is assumed that the server is installed with a monitor, keyboard and mouse (or KVM equivalent). The
following steps are typical for a Dell server.
• BIOS Configuration – Boot Sequence:
o CD-ROM
o Hard Drive
o Floppy
• RAID-5 configuration:
o Follow the manufacturer’s documentation provided for the RAID software installation/hardware
configuration. To access the Dell RAID BIOS select Ctrl-M during the POST process.
o Create a single four-drive RAID5 container and establish the fifth drive as a hot spare.
• Perc Firmware update – Which version to update to depends on the Dell PowerEdge model.
o Insert bootable firmware update floppy
o Reboot system
o Follow instructions on screen to update
o Reboot system
• Windows 2003 Server Initial Installation:
o Partition hard disks
▪ Note: The sizes below reflect 146 GB hard drives. Larger hard drives will allow for a 36 GB C
partition and a 24 GB E partition with the remaining disk space for the D partition.
IMPORTANT: Use NTFS file format for ALL partitions throughout this process.
o Create C: partition – 36 Gbytes (36874)
o Create D: partition – 350 Gbytes (358537) or the amount of the remaining space available after
calculating the space necessary for the C and E partitions *Remember to leave 8 MB free.
o Create E: Partition – 24 Gbytes (24576)
o Regional and language Options – leave at default
o Name: “User”
o Organization: Use the organization name (e.g. “AFHCAN”)
o Product Key – enter key
o License - Per Server with (5) connections typically.
o Computer Name: Enter appropriate name
o Administrator Name and Administrator Password:
▪ Enter appropriate name and password
o Date & Time Settings:
▪ Adjust as necessary. Configure Time Zone with automatic adjustment for daylight savings if
appropriate.
o Networking Settings:
▪ Install using typical settings, and appropriate workgroup or domain settings.
o Post Setup Security:
▪ Configure automatic updates, install critical security updates and server IP address as determined
by installation requirements and network location.
o Security Updates – Choose “Finish”
o “Manage your Server” window - check the “Don’t display this page at logon”
o Enable RDP if desired.
3. Initial Logon
• Copy files to C:
o Copy “i386” folder files from W2K3 CD-ROM to C: drive
o Copy “ATS Downloads” folder from AFHCAN ATS Downloads CD-ROM to C:\Downloads (available
from AFHCAN).
• View parameters, device manager, hard drive assignments:
o Adjust Tools / Folder Options / View in Explorer window.
▪ Recommendation: Uncheck “Hide protected operating system files”, click on “Apply”, then
“Apply to all folders”.
▪ Check Device manager and update/install drivers as necessary – update existing Perc controller
▪ Change DVD/CDROM drive assignment to R:
▪ Change drive assignments if necessary so 2nd partition is D: and 3rd partition is E:
▪ Format D: drive – Format and change volume label to “Local Disk”
▪ Format E: drive – Format and change volume label to “Local Disk”
▪ Change screen resolution to 1024x768.
▪ Set color depth as high as possible – preferably 32 bit.
• Create/Modify Accounts:
o In a typical Telehealth Server build a new local admin account is created and used instead of the
default administrator account for installation.
▪ Create AFHCANAdmin*** account
• (Use an appropriate account name for this server)
• Password: enter appropriate password
• User CAN change password, and password never expires
• Member of the administrators group
• Log out and log back in with the "AFHCANAdmin***" account.
4. .Net Framework Installation
• Install .NET Framework 3.5 SP1
• Install .NET Framework 4.0
• Reboot
5. IIS Installation
• IIS is typically installed on the AFHCAN server “E” Drive, but a default installation using add/remove
Windows components, application server may be used if desired. Use “C:\i386” directory when prompted
for Windows CD.
• To install IIS on the “E” drive:
o Browse to “C:\ATS Downloads\Registry” and double-click on Setup.reg
o Browse to “C:\ATS Downloads\IIS Install” and run the “installiis.bat” file
o Do not delete the default web site when finished.
o Open a command prompt, and change directory to
C:\Windows\Microsoft.Net\Framework\v2.0.50727
o Run “aspnet_regiis -i”
o Change directory to C:\Windows\Microsoft.Net\Framework\v4.0.30319
o Run “aspnet_regiis -i”
o From IIS Manager, Web Service Extensions, allow ASP .NET v2.0.50727 and v4.0.30319
o Finalizing the OS Configurations
o Apply Microsoft Windows Server 2003 SP2
o Reboot Server
6. SQL Server Installation
• Install SQL Server 2005 – the below steps are typical for an AFHCAN server with a local installation of SQL
server 2005, using the “D” drive for the data files.
• Install from CDROM, Disk 1 of 2. If it does not auto start, double click on Setup.exe.
• Installing Prerequisites: Microsoft SQL Server 2005 will examine the system and install any software
components required prior to installing SQL Server. (Generally it is Microsoft SQL Native Client and
Microsoft SQL Server 2005 Setup Support Files).
• Setup then continues by scanning the system and actually appears to stop running before it returns to the
System Configuration Check screen. If there are any features missing, SQL Server 2005 will allow
correction prior to installation.
• Accept the default registration information.
• Select the following components:
o SQL Server Database Services
o Workstation components, Books Online and development tools.
▪ Click on the Advanced Tab
• Expand Database Services, select Data Files, and change the Installation path to D:\
• Client Components – make Business Intelligence and Software Development Kit unavailable.
• Documentation, Samples and Sample Databases – Make Entire Feature Unavailable.
• Accept Default Instance
o Service Accounts - Customize the settings for each service
▪ For SQL Server - Use the Local System Account.
o For SQL Server Agent - Use the Local System Account.
o For SQL Browser – Use the Local System Account
o At the Start Services at the end of setup (bottom 3rd of dialog box), select SQL Server and SQL Server
Agent.
▪ Authentication Mode – Windows Authentication only
▪ Accept default collation settings
▪ Do NOT send Error or Usage Report Settings to Microsoft
Note: You will be prompted for Disk 2 of 2 during installation – insert when prompted and
click OK. When installation finishes click Next.
o At the Completing Microsoft SQL Server 2005 Setup dialog box, click on Surface Area Configuration
Tool.
o Surface Area Configuration for Services and Connections – Click on MSSQLSERVER | Database Engine |
Remote Connections, selecting Using named pipes only. Click on Apply and accept OK for restart of the
Database Engine service. Then click on OK to return to Surface Area Configuration screen.
▪ Surface Area Configuration Features
• Select and enable CLR Integration
• Click OK to return to Surface Area Configuration Screen. Click on the X to close the dialog
box. Click on Finish to end setup.
• Upon finish, reboot the server
o After logging on, ensure the following SQL services are running:
▪ SQL Server
▪ SQL Server Agent
o Ensure the following services are disabled:
▪ SQL Browser
▪ SQL Server Active Directory Helper
• Install SQL 2005 – SP4
o Insert the CD-ROM and click on SQLServer2005SP4-KB2463332-x86-ENU.exe
▪ Agree to accept all defaults.
▪ Do not choose to send errors to Microsoft
▪ After SP4 has been successfully installed, remove the checkmark from Launch the User
Provisioning Tool for Windows Vista after SP3 installation completes.
▪ Finish installing SP4 and reboot the server
▪ Set sa Password with Complex Password
End of procedure.
Installing Telehealth Server Software Using SQL Back End Servers
1. Minimum System Requirements
• Front End tConsult Server:
o .Net Framework 4.0
o Windows Server 2003
o MSDTC Configured
o a dedicated IP address that clients will use to connect
• Back End SQL Server:
o Windows Server 2003
o SQL 2000/2005 with:
▪ Mixed Mode Authentication
▪ Named Pipes and TCP/IP
• SQL User Account of tConsult and secure password with the role of Create Database, SysAdmin and
public. Default database should be master.
Note: Images used are representative of the process and may not necessarily reflect the actual version of
software; however, the step by step instructions are correct.
2. Installation of tConsult Server software
•
•
•
Log in to the tConsult Front End server using an administrative account.
Insert the tConsult Server Software installation disk into the CD-ROM and run the “ServerSetup_x.x.x.x”
executable to start the Install Shield Wizard.
At the Welcome Screen, click Next.
•
Figure 7 – Welcome Splash Screen
Accept the default location for the tConsult Server vx.x.x.x and click on Next.
Page 101 of 179
SWP-0097 Telehealth Server
Revision 1
•
Figure 2 – Destination Folder for tConsult Server software install
Web Files Install location should be at E\Inetpub\AFHCANRoot. Accept this and click on Next.
•
Figure 3 – Destination Folder for Web Client Files install
Install the Data Directory on the D:\AFHCAN as displayed in Figure 4, then click on Install.
Page 102 of 179
SWP-0097 Telehealth Server
•
Revision 1
Figure 4– Destination Folder for tConsult Server data install
o The installation of the software will commence.
• Once the installation process is complete, the “tConsult Server Manager” window will appear, allowing the administrator to install the first Organization.
Figure 5 – Creating the First Organization
• Enter the new Organization name.
• Define a Super-Admin provider that will be used within the tConsult software. Enter a password for this new provider account.
• New Database Settings
o Accept the Database name or enter one in accordance with the organization naming structure.
o Change the Server Name to point to the IP address of the SQL Back End Server hosting the databases.
o Select Use SQL Server Authentication and enter the SQL tConsult User name and password created during the prerequisite steps.
Note: Password will be in clear text when entered.
Figure 6 – Creating the First Organization (Continued)
• Using the scroll bar on the right, continue to the remainder of the Installation Settings dialog box.
Figure 7 – Creating the First Organization (Continued)
o Select the IP address of the Front End tConsult Server.
o Create a New User, entering a complex password.
Note: For ease of maintenance and in keeping with good security standards, this New User should match the SQL tConsult User account created during the prerequisite phase.
o Click Install.
• The installation of the tConsult Server Software vx.x.x.x will commence. A series of scripts will be displayed. No action is required on the part of the administrator.
• The upgrade wizard will reflect that the installation is complete. Click Finish to close the wizard.
Figure 8 – Creation of Organization Completed
• Proceed to the pages on Registering XP_MD5.dll on a SQL Back End Server to complete the process.
• Open Internet Explorer and enter http://IP_address_of_your_server/ping.htm
• The AFHCAN Server Information page should display as seen in Figure 8.
Figure 9 – Ping page
• Close Internet Explorer.
• tConsult Software is a licensed product. After installing the tConsult Server Software and creating an organization, it will be necessary to enter licensing information. Please refer to the pages on Server Licensing for instructions on obtaining and installing tConsult licenses.
3. Creating Additional Organizations on the same tConsult Server
• tConsult Server software allows multiple organizations to be hosted on the same server. This section discusses the steps necessary for creating an additional organization. When used with a Back End SQL Server, a SQL tConsult User Account must be set up for each organization in advance on the Back End SQL Server.
o Open tConsult Server Manager and click on Create New Organization.
Figure 10 – Creating Additional Organizations
o As in creating a new organization, enter the new Organization’s name; create a Super-Admin provider and password.
o Accept the Database Name.
o At the Server Name: Enter the IP Address of the Back End SQL Server
o Select Use SQL Server Authentication and enter the appropriate SQL tConsult User name and account.
Figure 11 – Creating Additional Organizations Cont’d.
o Select a new IP address. Each organization must have a unique IP address.
Figure 12 – Creating Additional Organizations Cont’d.
o Create a new user with a complex password, matching the SQL tConsult User Account created within Enterprise Manager on the Back End SQL Server.
o Click on Install.
• Repeat this section for each organization.
4. Uninstalling vx.x.x.x Telehealth Server Software
• Should the need arise to uninstall the vx.x.x.x Server Software, it is important to verify how many organizations are hosted on the server. Uninstall involves both the tConsult Server Software AND an organization. One does not uninstall the other. This section details how to uninstall the tConsult Server Software, followed by uninstalling an organization and cleanup of the disk.
• If an administrator only needs to uninstall an Organization, proceed and begin at Step 5.
• If tConsult Update Server has been installed and it is to be retained, then copy the E:\Inetpub\AFHCANRoot\AFHCAN\tConsult\Update folder to a safe location – such as E:\Update.
o Begin by Clicking on Start | All Programs | AFHCAN | Uninstall.
Figure 13 – Uninstalling tConsult Server Software
o Click on Yes to uninstall the tConsult Server Software.
Figure 14 – Uninstalling tConsult Server Software Verification
o The uninstaller will proceed to remove the tConsult Server Software. When complete, click on Close.
Figure 15 – Completion of tConsult Server Software Uninstall
o Click on OK to acknowledge the successful uninstall.
Figure 16 – Acknowledging successful tConsult Server Software Uninstall
o Using the Control Panel | Add and Remove Programs, highlight the Organization to be uninstalled and click on Remove.
Figure 17 – Uninstalling tConsult Organization
o Confirm the removal of the Organization by clicking on Yes.
Figure 18 – Verifying the Uninstalling of tConsult Organization
o A series of scripts will run. When the process is complete, click on the Close button.
Figure 19 – Completing the Uninstalling of a tConsult Organization
o Click on OK.
Figure 20 – Acknowledging successful Uninstalling of a tConsult Organization
o Clean up the server by removing the following folders:
 C:\Program Files\AFHCAN
 D:\AFHCAN
o Verify that the E:\Inetpub\AFHCANRoot\AFHCAN folder is empty.
o Delete the tConsult Organization database within Enterprise Manager.
o Remove the empty AppPools_*** using IIS Manager.
o Using regedit is at the reader’s own risk. AFHCAN assumes no responsibility for failure to follow the steps below. Using regedit very carefully, remove the Organization and Settings from HKLM\Software\AFHCAN.
End of procedure.
Registering XP_MD5.dll on a SQL Back End Server
1. Additional Resources for Registering XP_MD5.dll on a SQL Back End Server
Installing tConsult Server Software Using SQL Back End Servers
2. Copying xp_md5.dll
When tConsult Server software is installed onto a Front End (non SQL) server and an organization is created, a
folder is created within C:\Program Files\AFHCAN\tConsult\, named MD5. Into it is placed the xp_md5.dll. This
file must be copied to the SQL Back End Server hosting the database of the organization just created.
• From the Front End tConsult Server, use Windows Explorer and copy C:\Program
Files\AFHCAN\tConsult\MD5\xp_md5.dll to a thumb drive.
• From the thumb drive, copy the xp_md5.dll file to the C:\Program Files\Microsoft SQL Server\MSSQL\Binn folder (SQL 2000) or the C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn folder (SQL 2005).
3. Install xp_md5 using the SQL Script
Appendix A is the contents of a SQL Script that when run against the Master database on a SQL Back End server
will register the xp_md5.dll.
• Copy the contents of Appendix A into Notepad. Save the file to the root of C:\, naming it Install_MD5.sql
• Open Enterprise Manager (SQL 2000), SQL Server Management Studio (SQL 2005)
• With the Master database highlighted, click on Query Analyzer (SQL 2000), or right click and select New
Query (SQL 2005). Open the Install_MD5.sql script and select Run.
• At the Command completed successfully prompt, exit the SQL application.
4. APPENDIX A
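-- Register the xp_md5 extended stored procedure if it is not already present
IF NOT EXISTS (SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_md5]'))
    EXEC sp_addextendedproc 'xp_md5', 'xp_md5.dll'
GO
-- Drop any existing fn_md5 wrapper so that it can be recreated
IF EXISTS (SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[fn_md5]'))
    DROP FUNCTION [dbo].[fn_md5]
GO
-- Wrapper function that calls xp_md5 and returns the hash as CHAR(32)
CREATE FUNCTION [dbo].[fn_md5] (@data TEXT)
RETURNS CHAR(32) AS
BEGIN
    DECLARE @hash CHAR(32)
    EXEC master.dbo.xp_md5 @data, -1, @hash OUTPUT
    RETURN @hash
END
GO
-- Allow all database users to execute the wrapper function
GRANT EXECUTE ON [master].dbo.fn_md5 TO [public]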
End of procedure.
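A check to run after Install_MD5.sql reports success: it confirms which DLL the extended procedure loads into the SQL Server process, compares fn_md5 against the published RFC 1321 MD5 test vectors, and lists who may execute it. This is an added example, not part of the AFHCAN procedure; it uses only the object names created by Appendix A.

```sql
-- Added example (not AFHCAN's script). Run against the master database on
-- the Back End SQL Server after Install_MD5.sql has completed.
USE master
GO

-- 1. Confirm that xp_md5 is registered and which DLL it points to.
--    The dll column should name the xp_md5.dll copied into the Binn folder.
EXEC sp_helpextendedproc 'xp_md5'
GO

-- 2. Compare fn_md5 with the MD5 test suite published in RFC 1321.
--    A MISMATCH row (or an error here) means the DLL that was loaded is
--    not computing MD5 and should not be trusted for the organization.
DECLARE @vectors TABLE (plaintext VARCHAR(32) NOT NULL,
                        expected  CHAR(32)    NOT NULL)

INSERT INTO @vectors VALUES ('a',              '0cc175b9c0f1b6a831c399e269772661')
INSERT INTO @vectors VALUES ('abc',            '900150983cd24fb0d6963f7d28e17f72')
INSERT INTO @vectors VALUES ('message digest', 'f96b697d7cb7938d525a2f31aaf161d0')

SELECT v.plaintext,
       v.expected,
       LOWER(master.dbo.fn_md5(v.plaintext)) AS actual,
       CASE WHEN LOWER(master.dbo.fn_md5(v.plaintext)) = v.expected
            THEN 'OK'
            ELSE 'MISMATCH'
       END AS result
FROM @vectors AS v
GO

-- 3. Review who can execute the wrapper and the extended procedure.
--    Appendix A grants EXECUTE on fn_md5 to public; sp_helprotect reports
--    that no rows match when an object has no explicit grants.
EXEC sp_helprotect @name = 'fn_md5'
GO
EXEC sp_helprotect @name = 'xp_md5'
GO
```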
Telehealth Server Backup
1. Additional Resources
Creating a SQL Maintenance Plan
2. SQL Databases
The tConsult software creates a SQL database where case information is stored. It is especially critical that the
database(s) be backed-up to the D:\MSSQL\Backup folder. (If multi-org, all tConsult databases should be backed
up to their own folder within D:\MSSQL\Backup). AFHCAN recommends doing a daily full backup of the database.
If unfamiliar with creating a SQL Maintenance Plan, please refer to Creating a SQL Maintenance Plan.
Some organizations may use a commercial product such as VERITAS Back-up Exec Remote with SQL Agent. It is
recommended that a SQL Maintenance Plan also be set up for redundancy.
3. System Backup
Windows Server 2003 and Windows Server 2008 have a built-in Backup utility. The tConsult database is only one of several files that need to be backed up on a daily basis.
• The folders that are critical to a successful restore are:
o D:\ATS – if exists
o D:\AFHCAN – if exists
o D:\MSSQL\Backup
o E:\Inetpub
• The above folders and their inclusive files should be backed up once per day. Planning should include a
full back up at a minimum of once a week and incremental in between the full backups. This will help
avoid any data loss and keep your organization protected.
End of procedure.
Creating a SQL Maintenance Plan
1. Creating a SQL Maintenance Plan Using SQL 2005
This section details how to set up a SQL Maintenance Plan on a SQL 2005 server to back up a tConsult database
(or databases if a multi-org server), check database integrity, shrink a database, cleanup old backups and
transaction logs, and reorganize and rebuild database indexes.
• With the Local Administrator account, log into the tConsult server that has SQL Server 2005 installed. In
some cases, SQL Server 2005 may be located on a backend server separate from the front end tConsult
Telehealth Server. In either scenario, the steps listed here are identical.
• Open SQL Server Management Studio connecting to the Database Engine.
• In Object Explorer in the left pane, expand Management. Right-click Maintenance Plans and select Maintenance Plan Wizard as shown in Figure 1.
Figure 8 - Selecting Maintenance Plan Wizard
• Click Next at the Startup Screen.
Figure 2 – Startup Page for SQL Server Maintenance Plan Wizard
• Enter an appropriate name for the Maintenance Plan. A short description may be entered if desired.
Figure 3 – Entering a Maintenance Plan Name and Description
• Select the following Maintenance Tasks as shown in Figure 4:
o Check Database Integrity
o Shrink Database
o Reorganize Index
o Rebuild Index
o Back Up Database (Full)
o Back Up Database (Transaction Log)
o Maintenance Cleanup Task
Figure 4 – Selecting Maintenance Tasks
• The default task order that is displayed in Figure 5 is acceptable. Click on Next.
Figure 5 – Maintenance Task Order Screen
• Select the Databases that the Integrity Task will check by clicking on the drop-down arrow to the right of Databases. If there are multiple tConsult databases on the server, select all of them. Click on OK to return to the Define Database Check Integrity Task dialog screen.
Figure 6 – Selecting Databases
• Click on the Change button by Schedule to set the time the Integrity Task should run. This is generally a task that only needs to run once a week. Click OK to return to the dialog screen, and then click on Next.
Figure 7 – Setting the Check Integrity Task Schedule
• The next task is to Shrink the Database. As in Step 8, select the tConsult database(s), then click OK to return to the Define Shrink Database Task dialog screen.
Figure 8 – Selecting Databases to Shrink
• Because database size is organization dependent, only the administrator of an organization can determine a safe size for their database. Some organizations are intensive users of the tConsult software and create hundreds of cases; they will have a large database size. In this guide, 1000 Mb is selected (1 GB), which is ideal for most small – medium organizations. This value may be increased if the organization is large and the database is normally larger than 1 GB.
Figure 8 – Selecting Databases to Shrink
• The Shrink Database Task does not need to be run daily or weekly. It is recommended to run this task monthly. Set the Schedule by clicking on Change and setting the schedule to occur monthly. Click OK to return to the dialog screen, and then click on Next.
Figure 9 – Setting the Schedule to Shrink a Database
• The next task that will display is to Reorganize the Index. Again, select the tConsult database(s). Once selected, click on OK to return to the Reorganize Index Task dialog screen.
Figure 10 – Selecting Database(s) to Reorganize Index
• Schedule this task to run once a week. Click on OK to return to the dialog screen, and then click on Next.
Figure 11 – Scheduling Database(s) to Reorganize Index
• Once the Index has been reorganized, it should be rebuilt. Select the tConsult database(s) to rebuild the index, and then click OK to return to the dialog screen.
Figure 12 – Selecting Database(s) to Rebuild Index Task
• Leave the default settings and set the Schedule to rebuild the index once a week. Click on OK to return to the dialog screen, and then click on Next.
Figure 13 – Scheduling Database(s) to Rebuild Index
• Though it is highly recommended to back up each and every tConsult database prior to any upgrades, a daily backup should be part of the overall disaster recovery management plan.
• Many organizations use VERITAS Backup Exec with SQL Agent or other third party vendor software to capture a backup of the various databases.
• Setting a daily backup within this maintenance plan provides a redundant layer and stores the database in the D:\MSSQL\Backup folder.
• Select the tConsult database(s) to be backed up. Click on OK to return to the Backup dialog screen.
Figure 14 – Selecting the Database(s) to be Backed Up
• Set the options by placing a checkmark in the checkbox or clicking on the radio button in front of the following parameters:
o Backup set should expire after 7 days.
o Backup to Disk
o Create a backup file for every database
o Create a sub-directory for each database
o Backup file extensions: Enter bak. Do NOT enter a period (.) before bak.
o Verify backup integrity
Figure 15 – Setting the Backup Options
• Schedule the backups of the database(s) on a daily schedule. Once the schedule is set, click on OK to return to the dialog screen, and then click on Next.
Figure 16 – Scheduling the Database(s) Back Ups
• The Transaction Log backup task is almost identical to the Full Database backup task. Begin by selecting the database(s), then click OK to return to the dialog screen.
Figure 17 – Selecting the Database(s) for Transaction Log Backups
• Set the options by placing a checkmark in the checkbox or clicking on the radio button in front of the following parameters:
o Backup set should expire after 7 days.
o Backup to Disk
o Create a backup file for every database
o Create a sub-directory for each database
o Backup file extensions: Enter trn. Do NOT enter a period (.) before trn.
o Verify backup integrity
Figure 18 – Setting the Transaction Log Backup Options
• Schedule the backups of the transaction logs on a daily schedule. Once the schedule is set, click on OK to return to the dialog screen, and then click on Next.
Figure 19 – Scheduling the Transaction Log Back Ups
• The last task within this maintenance plan is to clean up old backup files. Set this task to Search folder and delete files based on an extension. Click on the ellipsis (...) button next to Folder.
Figure 20 – Setting the Cleanup of Old Backups
• Select D:\MSSQL\Backup, and then click on OK.
Figure 21 – Selecting the Folder
• Enter bak (no periods) in the File extension field, and place a checkmark in front of Include first-level subfolders as shown in Figure 22. Change the File age to one (1) week.
Figure 22 – Setting the Parameters
• Click on Change to set the Schedule. This should be done once per week. Then click on OK to return to the dialog screen, then Next.
Figure 23 – Scheduling the Cleanup of Back Ups
• Remove the checkmark from in front of Write a report to a text file.
Figure 24 – Setting the Report Options
• Click on Finish at the Complete the Wizard screen.
Figure 25 – Completing the Maintenance Wizard
• The Maintenance Plan Wizard will now set up the plan. When it is finished, click on Close.
Figure 26 – Maintenance Plan Wizard Progress Window
• The Maintenance Plan Wizard does not allow more than one cleanup task to be set. It is necessary to clean up the transaction log files in addition to the backup files. To accomplish this, right-click Maintenance Plans and select New Maintenance Plan.
Figure 27 – Setting up a Maintenance Plan Manually
• Enter an appropriate name, then click on OK.
Figure 28 – Naming the New Maintenance Plan
• Under the Toolbox, in the left pane, drag Maintenance Cleanup Task to the cream colored area as shown in Figure 29.
Figure 29 – Dragging the Maintenance Cleanup Task
• Right-click the task and choose Edit. When the Maintenance Cleanup Task dialog window opens, set this task to Search folder and delete files based on an extension. Click on the ellipsis (...) button next to Folder.
Figure 30 – Setting the Folder to Search
• Select D:\MSSQL\Backup, and then click on OK.
Figure 31 – Selecting the Folder
• Enter trn (no periods) in the File extension field, and place a checkmark in front of Include first-level subfolders as shown in Figure 22. Change the File age to one (1) week, and then click on OK.
Figure 32 – Setting the Parameters
• Double-click on Subplan_1. It will open the Subplan properties box.
Figure 33 – Displaying Subplan Properties
• Enter an appropriate name for this Subplan, then click on the calendar to schedule a time for this task to occur. Once the schedule has been set, click on OK.
Figure 34 – Scheduling the Deletion of Transaction Log Files
• The Maintenance Plan needs to be saved. Click on the Floppy Disk icon in the menu bar as shown in Figure 35.
Figure 35 – Saving the New Maintenance Plan
• Verify that SQL Server Agent is running. A quick check under Jobs will display all of the maintenance tasks that have been set up and scheduled.
Figure 36 – Verifying Jobs
• To test the maintenance tasks, select one of the jobs, right-click and select Start job.
• Exit SQL Server Management Studio.
End of procedure.
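The backup part of the plan above, shown as the equivalent T-SQL for one database, together with a report that flags any database whose daily full backup is missing from the msdb backup history. This is an added example, not part of the AFHCAN procedure; the database name tConsult_OrgA, the backup file name and the 26-hour threshold are assumptions.

```sql
-- Added example (not AFHCAN's script). SQL Server 2005 syntax.
-- Assumptions: database name tConsult_OrgA, the backup file name, and the
-- 26-hour threshold (one daily cycle plus two hours of slack).

-- 1. Manual equivalent of "Back Up Database (Full)" with "Verify backup
--    integrity". The sub-directory must already exist; BACKUP does not
--    create folders. CHECKSUM adds page checksums that RESTORE VERIFYONLY
--    re-checks, so a damaged file is caught before it is needed.
BACKUP DATABASE [tConsult_OrgA]
    TO DISK = N'D:\MSSQL\Backup\tConsult_OrgA\tConsult_OrgA_manual.bak'
    WITH INIT, CHECKSUM, RETAINDAYS = 7,
         NAME = N'tConsult_OrgA manual full backup';
GO
RESTORE VERIFYONLY
    FROM DISK = N'D:\MSSQL\Backup\tConsult_OrgA\tConsult_OrgA_manual.bak'
    WITH CHECKSUM;
GO

-- 2. Backup freshness report for every user database on the instance.
--    type 'D' = full database backup, 'L' = transaction log backup.
--    recovery_model_desc is shown because transaction log backups only
--    succeed for databases in the FULL or BULK_LOGGED recovery model.
SELECT d.name AS database_name,
       d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup,
       CASE
         WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
           THEN 'NO FULL BACKUP ON RECORD'
         WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END)
              < DATEADD(hour, -26, GETDATE())
           THEN 'FULL BACKUP OVERDUE'
         ELSE 'OK'
       END AS backup_status
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name
WHERE d.database_id > 4          -- skip master, tempdb, model and msdb
GROUP BY d.name, d.recovery_model_desc
ORDER BY backup_status DESC, d.name;
GO
```

Any row that is not OK the morning after the plan's first scheduled run points to a job that did not run or a database that was left out of the plan's selection.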
Build and Configuration – Windows Server 2008
1. Additional Resources
Installing Telehealth Server Software Using SQL Back End Servers
Registering XP_MD5.dll onto a SQL Back End Server
2. Material Requirements
• Server
o Server CPU w/NIC(s)
o Manufacturer CDROMS/DVDs – drivers disk
o Monitor
o Keyboard
o Mouse
• Software
o Windows 2008 CD-ROM/DVD w/license key (plus CALs)
o SQL Server 2008 CD-ROM/DVD w/license key (plus CALs if not processor license)
o ATS Downloads DVD dated 6/30/2011 or later (can be obtained from AFHCAN)
o Perc Firmware Update (if applicable)
• Miscellaneous – all may not be needed
o LAN Connection for Server
o WAN Connectivity to Core
o CAT5 cables – regular, cross-over
3. Initialize Server
• It is assumed that the server is installed with a monitor, keyboard and mouse (or KVM equivalent).
• IMPORTANT: DO NOT CONNECT THE LAN AT THIS POINT – the server is vulnerable to attacks until it is hardened.
o BIOS Configuration – Boot Sequence:
 CD-ROM
 Hard Drive
 Floppy
o RAID-5 configuration
 Follow the manufacturer’s documentation provided for the RAID software installation/hardware configuration. To access the Dell RAID BIOS, press Ctrl-M during the POST process.
 Create a single four-drive RAID5 container and establish the fifth drive as a hot spare.
o Perc Firmware update – the version to apply depends on the Dell PowerEdge model.
 Insert bootable firmware update floppy
 Reboot system
 Follow instructions on screen to update
 Reboot system
o Windows 2008 Server Initial Installation (x86 OR x64 versions)
 Partition hard disks: Note: The sizes below reflect 146 Gb Hard Drives. Larger Hard Drives will
allow for a 40 Gb C partition and a 24 Gb E partition with the remaining disk space for the D
partition.
 IMPORTANT: Use NTFS file format for ALL partitions throughout this process
• Accept default, install now
• Select WS2008 Standard (x86 or x64 depending in hardware)
• Accept license
• Install clean copy
• Create C: partition – 40 Gbytes (40960) (minimum)
• Create D: partition – 75.5 Gbytes (77312) or the amount of the remaining space available after calculating the space necessary for the C and E partitions. *Remember to leave 8 Mb free.
• Create E: partition if IIS will be located on the E Drive (E Drive is not required for an AFHCAN backend SQL Server) – 20 Gbytes (20480)
• Ensure Disk Partition 1 is selected for the install. Allow Windows installation to proceed.
• Enter new password when prompted.
• NOTE: This will change later with stronger account names and passwords.
4. Initial Logon
• Initial Configuration Tasks
o Set Time Zone: Adjust as necessary. Configure Time Zone with automatic adjustment for daylight
savings if appropriate.
o Computer Name: Enter appropriate name – do not join a domain at this time.
o Change Workgroup to AFHCAN
o Reboot server
• View Parameters, device manager, hard drive assignments
o Check “Do not show the Initial Configuration Tasks Window at logon”
o Server Manager window – check “Do not show me this console at logon”
o Place shortcut to Computer on desktop
o Adjust Tools / Folder Options/ View in Explorer window
o Recommendation: Show hidden files and folders, uncheck “Hide extensions for known file types”, uncheck “Hide protected operating system files”, click on “Apply”. Click OK, then Adjust Tools / Folder Options / View in Explorer window and “Apply to all folders”
o Enable RDP if desired.
o Create new folder “ATSDownloads” on the C:\ drive
o Copy x86 or x64 “ATS Downloads” folder from the appropriate AFHCAN ATS Downloads DVD to C:\
drive (if available).
o Check Device manager and update/install drivers as necessary – update existing Perc controller
o Change DVD/CDROM drive assignment to R:
o Change drive assignments if necessary so 2nd partition is D: and 3rd partition is E:
o Format D: drive – Format and change volume label to “Local Disk”
o Format E: drive – Format and change volume label to “Local Disk”
o Change screen resolution to 1024x768.
o Set color depth as high as possible – preferably 32 bit.
• Create/Modify Accounts: In a typical AFHCAN server build, a new local admin account is created and used instead of the default administrator account for installation.
o Create AFHCANAdmin*** account
o Use the name defined for this server
o Password: Use complex password defined for this account
o User CAN change password, and password never expires
o Member of the administrators group
o Log out and log back in with the "AFHCANAdmin***" account.
5. User Account Control
• Using Control Panel | User Accounts, select Turn User Account Control on or off, then select Continue to turn off User Account Control.
• Remove the checkmark from in front of Use User Account Control (UAC)…….
• Reboot Server
6. IIS Installation – Not required for a Backend SQL server installation
IIS is typically installed on the AFHCAN server “E” Drive, but a default installation may be used if desired.
• To install IIS:
o Administrative tools | Server Manager | Add Roles, Select Web Server (IIS)
o At prompt Add Required Features – Windows Process Activation Service
o Add Role Services – select ASP.NET, Add Required Role Services
o Add Role Services – select Windows Authentication under Security
7. Move IIS – Perform these steps if IIS will be relocated to the server “E” Drive.
• Open a Command Prompt and browse to C:\ATSDownloads\Move IIS. Note: this utility may also be available for download from the internet by searching for the keyword MoveIIS7Root.
• Type “moveiis7root.bat e”
• Once verified that E:\Inetpub exists, delete C:\Inetpub
8. .Net Framework Installation – Not required for Backend Server
• Install .Net Framework 3.0 via Administrative Tools | Server Manager | Add Features, select .NET Framework 3.0 Features
• Reboot
• Install .NET Framework 3.5 SP1
• Upon completion, reboot. This also updates .Net 2.0 and .Net 3.0 to SP2.
• Install .NET Framework 4.0
• Reboot
9. Webservice Extensions – IIS Installation
IIS Manager – Select Server in Left pane, ISAPI and CGI Restrictions in right pane. Allow all .Net 2.0 and 4.0
extensions.
10. SQL Server Installation – For a Standalone and Backend server- skip for front end server build
• Install SQL Server 2008 Standard
o Insert CD/DVD – if it doesn’t autostart, click on Setup.exe
o Allow SQL Server 2008 Setup to update the Windows Installer and Microsoft .Net Framework
o Reboot Server
o Once logged back in, SQL Server 2008 may need to be accessed via the Setup.exe command. Select
Installation at the SQL Server Installation Center, and click on “New SQL Server stand-alone
installation………..”
o Click OK at the Setup Support Rules
o Enter Product Key
o Accept License Terms
o Click on Install for Setup Support Files
o Click Next at the second Setup Support Rules
o Feature Selection:
 Select Database Engine Services with Full-Text Search
 Select Client Tools Backwards Compatibility
 Select Client Tools Connectivity, Management Tools – Basic and Complete
o Accept default Instance configuration
o Accept Disk Space Requirements
o Server Configuration
 Use Network Service for SQL Server Agent and SQL Server Database Engine
 SQL Server Agent and SQL Server Database Engine set to Automatic
 SQL Full-Text Filter Daemon Launcher set to Manual
 SQL Browser set to Disabled
o Database Engine Configuration
 Select Windows authentication mode (unless installing for a Back-End SQL Server, in which case configure Mixed mode)
 Add “Administrators” group as SQL Server Administrator
 Select D:\ as Data root directory
 Accept the default entries for the remainder (D:\MSSQL10.MSSQLServer\MSSQL\...........)
o Do not report Errors
o Click Next at Installation Rules
o At the Ready to Install screen, click Install
o Close all Installation dialogs when complete
o MSSQL Server Configuration Manager
 SQL Server Network Configuration | Protocols for MSSQLSERVER | Enable Named Pipes – both standalone and backend server installations require this.
 SQL Server Network Configuration | Protocols for MSSQLSERVER | ONLY enable TCP/IP for a Backend SQL Server.
11. Connect to Windows Update
• Connect to Microsoft Windows Update site to obtain and apply the latest patches/hotfixes/service packs.
• Reboot server when complete.
• You may have to repeat this step a couple of times.
12. Disable Windows Firewall
If Windows Firewall is to be enabled please refer to the following for configuration to allow AFHCAN software to
function.
• Windows Firewall: (Use Administrative Tools | Windows Firewall with Advanced Security)
• With Windows Firewall with Advanced Security on Local Computer highlighted, Ensure Firewall is turned
on, and the following Inbound Rules exist:
o Port 80 TCP
o Port 443 TCP
o WCF 6968 TCP
o Remote Desktop (TCP Port 3389)
o Time Server (UDP Port 123)
o ICMPv4 allows echo request
o On the Program page, click All programs, and then click Next.
o On the Protocol and Ports page, select ICMPv4 or ICMPv6 from the Protocol type list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each. Click Customize.
o In the Customize ICMP Settings dialog box, click Specific ICMP types, and then select Echo Request. Click OK.
o Allow all IP addresses on the Scope page.
o Select Allow the connection
o Leave the default on the Profile page
o On the Name page, enter ICMP and click Finish
o Security logging: Returning to Windows Firewall with Advanced Security on Local Computer highlighted, under Public Profile, select Windows Firewall Properties
o Change log file location to C:\Logs\firewall.log
End of Procedure
4.4.1.0 Front End Build
1. Material Requirements
• Server
o Server CPU w/NIC(s)
o Manufacturer CDROMS/DVDs – drivers disk
o Monitor
o Keyboard
o Mouse
• Documentation
o Server configuration QA sheet
• Miscellaneous – all may not be needed
o LAN connection for server
o WAN connectivity to core
o CAT5 cables – regular, crossover
o CAT5 female-female adapters
2. Initialize Server
It is assumed that the server is installed with a monitor, keyboard and mouse (or KVM equivalent).
IMPORTANT: DO NOT CONNECT THE LAN AT THIS POINT – the server is vulnerable to attacks until it is hardened.
• BIOS Configuration – Boot Sequence:
o CD-ROM
o Hard Drive
o Floppy
• RAID-5 configuration
o Follow the manufacturer’s documentation provided for the RAID software installation/hardware configuration. To access the Dell RAID BIOS, press Ctrl-M during the POST process.
o For a five drive host server, create a single four-drive RAID5 container and establish the fifth drive as a hot spare. For a six drive host server, create a single five-drive RAID5 container and establish the sixth drive as a hot spare.
• Perc Firmware update – the version to apply depends on the Dell PowerEdge model.
o Insert bootable firmware update floppy
o Reboot system
o Follow instructions on screen to update
o Reboot system
• Windows 2003 Server Initial Installation
o Partition hard disks: Note: The sizes below reflect 146 Gb Hard Drives. Larger Hard Drives will allow
for a 36 Gb C partition and a 24 Gb E partition with the remaining disk space for the D partition.
o IMPORTANT: Use NTFS file format for ALL partitions throughout this process
 Create C: partition – 36 Gbytes (36874)
 Create D: partition – 350 Gbytes (358537) or the amount of the remaining space available after
calculating the space necessary for the C and E partitions *Remember to leave 8 Mb free.
 Create E: Partition – 24 Gbytes (24576)
 Regional and Language Options – leave at default
 Name: “User”
 Organization: Use the organization name (e.g. “AFHCAN”)
 Product Key – enter key
 License - Per Server with (5) connections typically
 Computer Name: Enter appropriate name
 Computer Name and Administrator Password:
• Name: Administrator / Password: “password”
• NOTE: This will change later with stronger account names and passwords
o Date & Time Settings
 Adjust as necessary. Use Alaska Time Zone with automatic adjustment for daylight savings unless
Server is being deployed elsewhere – check deployment for Time Zone location.
3. Initial Logon
• Security Updates – Choose “Finish”
o NOTE: These next steps will need to be completed for each administrator account as they log on for
the first time
 “Manage your Server” window – check the “Don’t display this page at logon”
 Show My Computer on Desktop
 Adjust Tools / Folder Options / View in Explorer window
Recommendation: Uncheck “Hide protected operating system files”, click on “Apply” then
“Apply to all folders”
 Screen Resolution:
• Change screen resolution to 1024 X 768.
• Set color depth as high as possible – preferably 32 bit.
 Copy files to C:
• Copy “i386” folder files from W2K3 CD-ROM to C: drive
• Copy “ATS Downloads” folder from AFHCAN ATS Downloads CD-ROM
 Log Files:
• Create “C:\Logs” folder
 Device Manager:
• Check Device manager and update/install drivers as necessary – update existing Perc
controller
 Disk Management:
• Change DVD/CD-ROM drive assignment to R:
• Change the drive assignments so 2nd partition is D:
• Format D: drive – Format and change volume label to “Local Disk”
• Change the drive assignment so the 3rd partition is E:
• Format E: drive – Format and change volume label to “Local Disk”
 Create/Modify Accounts:
• Change name of Administrator account. Use the OSBA#*** defined for this server.
o Password: Use complex password defined for this account
o User CANNOT change password, and password never expires
• Create decoy Administrator account
o User name: Administrator
o Password: [email protected]
o User CANNOT change password, and password never expires
o NOT a member of the administrator group
• Create AFHCANAdmin*** account
o Use the name defined for this server
o Password: [email protected] (Do not use the complex password yet, due to the many reboots
that will be coming up. This will be done at the end.)
o User CAN change password, and password never expires
o Member of the administrators group
• Create AFHCANDirector1 account if server resides at AFHCAN
o Password: password defined for this account
o User CANNOT change password, and password never expires
o Member of the administrators group
• Log out and log back in with the AFHCANAdmin*** account. The Administrator account no
longer has any privileges.
4. .Net Framework Installation
• Install .NET Framework 2 by double-clicking “C:\ATS Downloads\2.0 .Net Framework\dotnetfx2.exe”
• Install .NET Framework 3 by double-clicking “C:\ATS Downloads\3.0 .Net Framework\dotnetfx3.exe”
• Install MSXML6, SP1 by double-clicking “C:\ATS Downloads\MSXML6.0\msxml6_x86.msi”
• Reboot
• Install .NET Framework 3.5 SP1
• Upon completion, reboot. This also updates .Net 2.0 and .Net 3.0 to SP2.
• Install .NET Framework 4.0
• Reboot
5. IIS Installation
• Browse to “C:\ATS Downloads\Registry” and double-click on Setup.reg
• Browse to “C:\ATS Downloads\IIS Install” and run the “installiis.bat” file
• Leave the default web site
6. Finalizing the OS Configurations
• Install Optional Windows Components
o Uncheck “Accessories and Utilities”
o Leave Application Server checked
o Leave “Internet Explorer Enhanced Security Config…” checked
o “Management and Monitoring Tools” – click “Details”
o Check “Simple Network Management Protocol”
o Check “Security Configuration Wizard”
o Uncheck “Update Root Certificates”
o Reboot server
o Within “System Properties”, enable “Remote Desktop”
o Apply Microsoft “WindowsServer2003-SP2”
o Reboot Server
7. Installing Windows Applications
• Install Adobe Reader
o Adobe Acrobat Reader - Run “C:\ATSDownloads\Adobe\AdbeRdr1000_en_US.exe”. Accept all
defaults.
o Delete any shortcut icons created on desktop.
8. Configuring SNMP
• Configure SNMP (Note – configure this only if being hosted locally by AFHCAN)
• Open “SNMP Service Properties” – in services
o Traps Tab
 Set Community name – site unique
 Set trap destination – use IP address of server
o Security Tab
 Uncheck “Send Authentication Trap” checkbox
 Set the community to be “Read Only”
 “Accept SNMP packets from these hosts” – add the server’s IP address
9. Dell Management Software Installation
• Install Dell OpenManage Server Administrator
o Click on R:\SYSMGMT\srvadmin\windows\Setup.exe
 Perform Custom install
 Leave all selections at their default values and install
o Restart the server
Note: tConsult Telehealth servers normally have IT Assistant installed. IT Assistant requires SQL and will install SQL
Express as part of the installation process. It is a conscious decision to forego IT Assistant on a front-end tConsult
Telehealth server.
10. Security – Windows Update
• Install Windows 2003 SP2
• Reboot Server
• Connect to Microsoft Windows Update site and download and install all security patches
11. Harden Server
• Operating System Services and Security policies
o Within Administrative Tools, select and run the Security Configuration Wizard. When prompted,
select “Apply an existing security policy”
o Browse to C:\ATSDownloads\Security Template and select Secure AFHCAN Server1.xml
 Accept all defaults and apply the template
o Select Start/Run and enter MMC
 Add the Security Configuration and Analysis MMC snap-in to the MMC
 Right click Security Analysis and select Open database
• Name the database “Update”
• Import Template – browse to and select C:\ATSDownloads\Security Template, select Secure
AFHCAN Server2 and click Open
• Again right click Security Configuration and Analysis and select Configure computer now and
apply the template
 Close the MMC and DO NOT save when prompted
• Review NIC settings for all NICs
o On all NIC(s) ensure Firewall is turned on and the following exceptions are enabled:
 Port 80 TCP – http
 Port 443 TCP – https
 Remote Desktop - Port 3389 TCP
 Time Server - Port 123 UDP
 WCF - Port 6968 TCP
 MSDTC (Add Program: C:\Windows\System32\MSDTC.exe)
o Security logging:
 Change log file location to C:\Logs\pfirewall.log
o ICMP:
 Check “Allow incoming echo request”
o General Tab:
 Ensure “Client for Microsoft Networks” is selected
 Ensure “File and Print Sharing for Microsoft Networks” is selected
 Verify IP, SM, DG, DNS
 Disable any NICs that will not be connected to the network
o System 32 Changes
 Run the “C:\ATS Downloads\Batch Files\ACLChange.Bat”
o Change ACLs on partitions
o C: Drive Root (C:\)
 Remove Everyone, CREATOR OWNER, and Users groups
o D: Drive Root (D:\)
 Remove Everyone, CREATOR OWNER, and Users groups
o E: Drive Root (E:\)
 Remove Everyone, CREATOR OWNER, and Users groups
 Delete E:\Inetpub\AdminScripts folder
o E:\Inetpub
 Add the IIS_WPG Group and give modify permissions
 Add the Web Applications Group and give modify permissions
o E:\Inetpub\WWWRoot
 Remove the Internet Guest Account (IUSR)
 Remove the Users account
 Remove the Web Anonymous Users account
o Indexing Service
 Turn off indexing service at the root of C:\
 Right click on C: drive / Properties / General. Clear the checkmark for “Allow Indexing Service to
index this disk”. When prompted – select option to apply changes to subfolders and files.
 Turn off indexing service at the root of D:\
 When prompted – select option to apply changes to subfolders and files
 Turn off indexing service at the root of E:\
 When prompted – select option to apply changes to subfolders and files.
o Registry Changes:
 Run the C:\ATSDownloads\Registry\RegSecChanges.Reg
12. Enabling MSDTC Services:
• Using Computer Management / Services, ensure the following five services are set to Automatic and Start
each one:
o COM+ Event System
o COM+ System Application
o DCom Server Process Launcher
o Distributed Transaction Coordinator
o System Event Notification
• User Accounts
o Delete the “Support…” account
o Disable the IUSR account
o Disable the IWAM account
• Modify user’s Remote / Terminal Services settings
o Do the following for all users except AFHCANAdmin*** and OSBA
o Remove ability to logon to Terminal Services
o Computer Management / User Properties / Terminal Services Profile. Check the “Deny this user
permission…” checkbox
o Under “Remote Control” tab, uncheck “Need User’s permission”
o Harden the AFHCANAdmin*** password
o Delete both Full Name and Description entries from all users
• Group Accounts
o Within the IIS-WPG group, remove the IWAM user account
• Disable Dump File Creation
o Disable System dump files: My Computer / Properties / Advanced / Startup and Recovery – Set “Write
Debugging Information” at “(none)”
o Uncheck “Send an Administrative Alert”
• Create/Set Pagefile Parameters: Go to System Properties / Advanced / Performance / Settings, then select
Advanced tab / Virtual Memory
o On C: drive, create/set pagefile initial/max at 1024 MB
o On D: drive, create/set pagefile initial/max at 4096 MB
o Do not restart your system at this time
• Disable Application dump files
o Run drwtsn32.exe and uncheck everything but “Append to Existing Log File”
• Terminal Services
o Administrative Tools / Terminal Services Configuration RDP-TCP Properties
 General Tab:
• Encryption Level: Client Compatible
 Client Settings Tab:
• Uncheck “Use Connection Settings from User Settings”
• Uncheck “Connect Client Printers at Logon”
• Uncheck “Default to Main Client Printer”
• Under “Disable the Following”, check everything except “Drive Mapping”
 Sessions Tab:
• Check “Override User Settings”
• End a disconnected session in 30 minutes
• Limit active sessions length to 1 day
• Idle sessions Limit: 30 minutes
 Network Adapter Tab
• Set maximum connections to 2
 Server Settings
• Change Active Desktop to “Disable”
 Configure MSDTC
• Start / Programs / Administrative Tools / Component Services
• Click the MSDTC tab of the My Computer Properties dialog and click the Security
Configuration button.
 Network DTC Access:
• Allow Remote Clients
• Allow Remote Administration
 Transaction Manager Communication:
• Allow Inbound
• Allow Outbound
• No Authentication Required
• Enable Transaction Internet Protocol (TIP) Transactions
 IIS
 Web Sites – right-click and select Properties
• Web Site Tab:
• Active log format – click Properties and change log file directory to C:\Logs
• Advanced tab – check Cookie and Referer checkboxes
 Directory Security Tab:
• Authentication and access control – edit and Uncheck anonymous access – only Integrated
Authentication allowed
 Home Directory Tab:
• Application Settings – click Configuration and remove all application extensions
 Web Service Extensions
• Ensure ASP.NET v1.1.4322 is allowed
• Ensure ASP.NET v2.0.50727 is allowed
• Ensure ASP.NET v4.0.30319 is allowed
• Prohibit “Active Server pages”
o Reboot Server
o Cleanup Server
 Check for FTP Service and uninstall if present
 Clear the log files using Event Viewer
 Delete Security Configuration Wizard shortcut from the Desktop
 Empty Recycle bin
 Defrag the hard drives
End of procedure.
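The following is an added example, not part of the AFHCAN procedure: it checks a firewall log such as C:\Logs\pfirewall.log against the exception list given in the Harden Server step (the same list appears in the Windows 2003 Front End Server build). It assumes logging of dropped packets and successful connections is turned on and that the log starts with a #Fields header; the function names, the sample log lines and the 192.0.2.10 server address are constructed for illustration.

```python
"""Compare a Windows Firewall log with the exceptions documented in the build procedure."""
from collections import Counter

# Inbound exceptions listed in the Harden Server step: (protocol, port) -> label.
DOCUMENTED_PORTS = {
    ("TCP", 80): "http",
    ("TCP", 443): "https",
    ("TCP", 3389): "Remote Desktop",
    ("UDP", 123): "Time Server",
    ("TCP", 6968): "WCF",
}
DOCUMENTED_ICMP_TYPES = {8}  # "Allow incoming echo request"

# Constructed sample in the space-delimited layout of pfirewall.log; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-05-16 09:00:01 OPEN-INBOUND TCP 198.51.100.7 192.0.2.10 50112 443 - - - - - - - - -
2012-05-16 09:00:05 DROP TCP 198.51.100.7 192.0.2.10 50113 6968 48 S 1234 0 65535 - - - RECEIVE
2012-05-16 09:00:09 OPEN-INBOUND TCP 198.51.100.9 192.0.2.10 50200 8080 - - - - - - - - -
2012-05-16 09:00:12 DROP UDP 198.51.100.9 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2012-05-16 09:00:15 OPEN TCP 192.0.2.10 198.51.100.20 1050 80 - - - - - - - - -
2012-05-16 09:00:20 DROP ICMP 198.51.100.9 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2012-05-16 09:00:25 OPEN-INBOUND TCP 198.51.100.9 192.0.2.10 50300 135 - - - - - - - - -
"""
SAMPLE_SERVER_IPS = {"192.0.2.10"}  # assumed address of the server's NIC


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        yield dict(zip(fields, values))


def classify(record):
    """Return ((protocol, port or ICMP type), is_documented), or None if unusable."""
    proto = record.get("protocol", "").upper()
    if proto == "ICMP":
        icmp_type = record.get("icmptype", "")
        if not icmp_type.isdigit():
            return None
        key = ("ICMP", int(icmp_type))
        return key, key[1] in DOCUMENTED_ICMP_TYPES
    port = record.get("dst-port", "")
    if not port.isdigit():
        return None
    key = (proto, int(port))
    return key, key in DOCUMENTED_PORTS


def audit_firewall_log(text, server_ips):
    """Report accepted traffic outside the documented list and drops inside it."""
    unexpected_accepts = []
    blocked_documented = Counter()
    drops = Counter()
    for record in parse_firewall_log(text):
        if record.get("dst-ip") not in server_ips:
            continue  # only traffic addressed to this server is covered by the exceptions
        result = classify(record)
        if result is None:
            continue
        key, documented = result
        action = record.get("action", "").upper()
        if action == "DROP":
            drops[key] += 1
            if documented:
                blocked_documented[key] += 1  # a documented exception is not in effect
        elif action.startswith("OPEN") and not documented:
            # Can be legitimate traffic to the MSDTC.exe program exception, which is
            # not tied to a fixed port, so each hit needs a manual check.
            unexpected_accepts.append(
                (record.get("date"), record.get("time"), record.get("src-ip"), key)
            )
    return {
        "unexpected_accepts": unexpected_accepts,
        "blocked_documented": dict(blocked_documented),
        "drops": drops,
    }


if __name__ == "__main__":
    report = audit_firewall_log(SAMPLE_LOG, SAMPLE_SERVER_IPS)
    for when_date, when_time, src, key in report["unexpected_accepts"]:
        print("accepted outside documented list:", when_date, when_time, src, key)
    for key, count in report["blocked_documented"].items():
        print("documented exception being dropped:", key, count)
```

A non-empty blocked_documented result means a documented exception, such as TCP 6968 for WCF, is not enabled on that NIC.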
Using SQL Profiler
1. Additional Resources for SQL Profiler
http://www.codeproject.com/KB/dotnet/SQLServerProfiler.aspx (SQL Server 2005)
http://msdn.microsoft.com/en-us/library/ff650699.aspx (SQL Server 2000)
2. Setup SQL Profiler
This section discusses setting up SQL Profiler, selecting the events to be traced, and how to save the captured data
to a file.
• Open SQL Profiler by clicking on Start | All Programs | Microsoft SQL Server 2005 | Performance Tools |
SQL Server Profiler.
Figure 9 – Accessing SQL Server Profiler
• Select File in the Upper Left and select New Trace.
Figure 2 – Starting a New Trace
• At the Connect to Server dialog box, click on Connect.
Figure 3 – Connecting to SQL Server
• The Trace Properties dialog box will open.
o Enter an appropriate Trace name.
o Place a checkmark in the Save to file: field and select the save location of the file. In the image below,
a special folder was created for the captured files. This folder should be on a large enough hard
drive to hold several gigabytes of data.
Figure 4 – Setting the General Properties
o Leave the default value of 5 MB and ensure file rollover is enabled.
• Select the Events Selection tab and remove the checkmarks from Security Audit and Sessions.
• Place a checkmark in the RPC Completed row under TextData column.
Figure 5 – Selecting the Events
• Click on Run. The profiler will begin capturing data and saving the events to the file named in Step
number 4.
Figure 6 – Live Trace Log
• After the trace has been running for about an hour, stop the trace by clicking on the Red Square Box in the
menu.
Figure 7 – Stopping Trace Log
• Close the SQL Server Profiler.
End of procedure.
Telehealth Server v6.x Upgrade
1. Additional Resources
How to Establish an Authoritative Time Source for Telehealth Servers
2. Minimum System Requirements
• .Net Framework 4.0
• SQL 2005
• Windows Server 2003
• a dedicated IP address that clients will use to connect
3. Prerequisites Prior to Installing Telehealth Server
• If installing on Windows Server 2008 x86 with IIS7 and either SQL2005 or SQL2008:
o Upgrade to Windows Server 2008 x86 SP2
o Run command “C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe” to register
the appropriate .NET 4.0 handlers.
4. Additional Requirement Considerations
The server hosting tConsult Server must be configured to use a valid time source, and the Windows Time
Service enabled and started.
A tConsult Server built to tConsult specifications will have only 3 ports open on the firewall. tConsult Cart can
be configured to use the tConsult Server host as a time source. If this is desired, the tConsult Server host must also
be configured as a time server. This will require UDP port 123 inbound to be enabled on the server firewall.
tConsult Server and tConsult Cart are now using Windows Communication Foundation for user authentication
as one of the first steps toward messaging system improvements. This will require TCP port 6968 inbound to be
enabled on the server firewall.
Detailed instructions for establishing a Time Source can be found in SWP-0005 How to Establish an Authoritative
Time Source for tConsult Servers.
Note: Images used are representative of the process and may not necessarily reflect the actual version of software;
however, the step by step instructions are correct.
5. Upgrading Telehealth Server Software
• This section details those steps that will upgrade the tConsult Server Software.
o Log in to the tConsult Server using an administrative account.
o Insert the tConsult Server Software installation disk into the CD-ROM and run the
“ServerSetup_6.x.x.x” executable to start the upgrade.
o The installation routine will detect the earlier version. Click Yes to proceed with the upgrade.
Figure 10 – Getting Started with the Upgrade
o The tConsult Server Software will be installed. No action is necessary.
Figure 2 – Installation Progress Window
6. Upgrading an Organization
• The steps detailed here will upgrade an organization.
• Note: As with any procedure that could possibly carry risk, always follow the IT best practice to back up
any SQL tConsult database prior to beginning an upgrade.
o Upon completion of the tConsult Server Software upgrade on a single organization server, the reader
will see Figure 3. Click Install.
Figure 3 – Upgrading a Single Organization
o A series of scripts will commence upgrading the organization. No action is necessary.
Figure 4 – Upgrading the Organization Progress Window
o Click Finish upon completion of the upgrade.
Figure 5 – Completing the Upgrade of a Single Organization
7. Upgrading a Multi-Organization Telehealth Server
• If the tConsult Server is a multi-organizational server, repeat this next sequence of steps for each
organization.
• Note: Always back up any and all SQL tConsult databases first.
o Click Update Organization in the upper right of the tConsult Server Manager window.
Figure 6 – Upgrading Multiple Organizations
o In the right hand pane, highlight the organization that will be upgraded and then click Next.
Figure 7 – Selecting the Organization
o Again in the right hand pane, highlight the version of the upgrade and click Next.
Figure 8 – Selecting the Version
o Click Install.
Figure 9 – Beginning the Organization Upgrade
o A series of scripts will commence upgrading the organization. No action is necessary.
Figure 10 – Upgrading the Organization Progress Window
o Click Finish upon completion of the upgrade.
Figure 11 – Completing the Upgrade of a Single Organization
End of procedure.
Telehealth Server v6.x Installation
1. Additional Resources for Telehealth Server Installation
Telehealth Server Licensing
Telehealth Server v6.x Upgrade
2. Minimum System Requirements
• .Net Framework 4.0
• SQL 2005
• Windows Server 2003
• Internet Explorer 7.0
• a dedicated IP address that clients will use to connect
3. Prerequisites Prior to Installing Telehealth Server
• If installing on Windows Server 2008 x86 with IIS7 and either SQL2005 or SQL2008:
o Upgrade to Windows Server 2008 x86 SP2
o Run command “C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe” to register
the appropriate .NET 4.0 handlers.
4. Additional Requirement Considerations
The server hosting tConsult Server must be configured to use a valid time source, and the Windows Time
Service enabled and started.
tConsult Cart can be configured to use the tConsult server host as a time source. If this is desired, the tConsult
Server host must also be configured as a time server. By default, a tConsult Server built to tConsult specifications
will have only 3 ports open on the firewall, so this will require UDP port 123 inbound to be enabled on the server
firewall.
tConsult Server and tConsult Cart are now using Windows Communication Foundation for user authentication
as one of the first steps toward messaging system improvements. This will require TCP port 6968 inbound to be
enabled on the server firewall.
Note: Images used are representative of the process and may not necessarily reflect the actual version of software;
however, the step by step instructions are correct.
5. Installation of Telehealth Server software
• Log in to the tConsult server using an administrative account.
• Insert the tConsult Server Software installation disk into the CD-ROM and run the “ServerSetup_6.0.x”
executable to start the Install Shield Wizard.
• At the Welcome Screen, click Next.
Figure 11 – Welcome Splash Screen
• Accept the default location for the Telehealth Server v6.0 and click Next.
Figure 2 – Destination Folder for tConsult Server software install
• Web Files Install location should be at E:\Inetpub\AFHCANRoot. Accept this and click Next.
Figure 3 – Destination Folder for Web Client Files install
• Install the Data Directory in D:\AFHCAN as displayed in Figure 4, then click Install.
Figure 4 – Destination Folder for tConsult Server data install
• The installation of the software will commence.
• Once the installation process is complete, the “tConsult Server Manager” window will appear allowing the
administrator to install the first Organization.
Figure 5 – Creating the First Organization
o Enter the new Organization name.
o Define a Super-Admin Provider that will be used within the tConsult software. Enter a password for
this new provider account.
o Accept the Database name or enter one in accordance with the organization naming structure.
• Using the scroll bar on the right, continue through the remainder of the Installing Organization dialog box.
Figure 6 – Creating the First Organization Continued
o Select the IP address
o Create a New User entering a complex password
o Click Install
• The installation of the tConsult Server Software v6.x will commence. The reader will see a series of
scripts. No action is required on the part of the administrator.
• The upgrade wizard will reflect that the installation is complete. Click Finish to close the wizard.
Figure 7 – Creation of Organization Completed
• Open Internet Explorer and enter http://IP_address_of_your_server/ping.htm
• The Server Information page should display as seen in Figure 8.
Figure 8 – Ping page
• Close Internet Explorer.
• tConsult Software is a licensed product. After installation of tConsult Server Software and creation of an
organization, it will be necessary to enter licensing information. Please refer to Telehealth Licensing for
instructions on obtaining and installing licenses.
6. Creating Additional Organizations on the same Telehealth Server
Telehealth Server software allows multiple organizations to be hosted on the same server. This section
discusses the steps necessary for creating an additional organization.
• Open tConsult Server Manager and click on Create New Organization.
Figure 9 – Creating Additional Organizations
• Enter the new Organization’s name, create a Super-Admin provider and password.
Figure 10 – Creating Additional Organizations Continued
• Select a new IP address. Each organization must have a unique IP address.
Figure 11 – Creating Additional Organizations Continued
• Create a new user with a complex password.
• Click Install.
• Repeat this section for each organization.
7. Uninstalling v6.x Telehealth Server Software
Should the need arise to uninstall v6.x Server Software, it is important to verify how many organizations may
be hosted on a server. Uninstall involves both the Telehealth Server Software AND organization. One does not
uninstall the other. This section details how to uninstall the server software followed by uninstalling an
organization, and cleanup of the disk.
If an administrator only needs to uninstall an Organization, begin at Step 5.
If tConsult Update Server has been installed and it is to be retained, then copy the
E:\Inetpub\AFHCANRoot\AFHCAN\tConsult\Update folder to a safe location – such as E:\Update.
• Begin by Clicking on Start | All Programs | AFHCAN | Uninstall.
Figure 12 – Uninstalling tConsult Server Software
• Click on Yes to uninstall the tConsult Server Software.
Figure 13 – Uninstalling tConsult Server Software Verification
• The uninstaller will proceed to remove the tConsult Server Software. When complete, click on Close.
Figure 14 – Completion of tConsult Server Software Uninstall
• Click OK to acknowledge the successful uninstall.
Figure 15 – Acknowledging successful tConsult Server Software Uninstall
• Using the Control Panel | Add and Remove Programs, highlight the Organization to be uninstalled and
click on Remove.
Figure 16 – Uninstalling tConsult Organization
• Confirm the removal of the Organization by clicking on Yes.
Figure 17 – Verifying the Uninstalling of tConsult Organization
• A series of scripts will run. When the process is complete, click Close.
Figure 18 – Completing the Uninstalling of a tConsult Organization
• Click OK.
Figure 19 – Acknowledging successful Uninstalling of a tConsult Organization
• Clean up the Server by removing the following folders:
o C:\Program Files\AFHCAN
o D:\AFHCAN
• Verify that the E:\Inetpub\AFHCANRoot\AFHCAN folder is empty.
• Delete the tConsult Organization database within SQL Server Management Studio
• Remove the empty AppPools_*** using IIS Manager.
Using regedit is at the readers’ own risk. AFHCAN assumes no responsibility for failure to follow this step.
• Using regedit very carefully, remove the Organization and Settings from HKLM\Software\AFHCAN if they
exist.
End of procedure.
Telehealth Server Windows 2003 Front End Server Build and Configuration
1. Material Requirements
• Server
o Server CPU w/NIC(s)
o Manufacturer CDROMS – drivers disk
o Monitor
o Keyboard
o Mouse
• Software
o AFHCAN Windows 2003 CD-ROM w/license key (plus CALs)
o Windows 2003 SP2 CD-ROM
o AFHCAN software patches (if applicable)
o Perc Firmware update floppy disks (if applicable)
o ATS Downloads CD-ROM dated 3/24/2010 or later
o .NET 3.5 Framework SP1 CD-ROM
o 5.1.3 Documentation
o Server configuration QA sheet
• Miscellaneous – all may not be needed
o LAN connection for server
o WAN connectivity to core
o CAT5 cables – regular, crossover
o CAT5 female-female adapters
• Initialize Server: It is assumed that the server is installed with a monitor, keyboard and mouse (or KVM
equivalent).
• IMPORTANT: DO NOT CONNECT THE LAN AT THIS POINT – the server is vulnerable to attacks until it is
hardened.
• BIOS Configuration – Boot Sequence:
o CD-ROM
o Hard Drive
o Floppy
• RAID-5 configuration: Follow the manufacturer’s documentation provided for the RAID software
installation/hardware configuration. To access the Dell R710 RAID BIOS hit Ctl-R during the POST process.
o Create a single five-drive RAID5 container and establish the sixth drive as a hot spare.
o Do a full Initialization followed by a Consistency Check if brand new out of the box server
• Windows 2003 Server Initial Installation
• Partition hard disks: Note: The sizes below reflect 500 Gb Hard Drives. Larger Hard Drives will allow for a
200 Gb C partition with the remaining disk space for the D partition. IMPORTANT: Use NTFS file format for
ALL partitions throughout this process
o Create C: partition – 200 Gbytes (204800)
o Create D: partition – 1.7 Tbytes (1700866) or the amount of the remaining space available after
calculating the space necessary for the C & E partitions *Remember to leave 8 Mb free.
o Create E: partition – 10 Gbytes (10240)
o Regional and language Options – leave at default
o Name: “User”
o Organization: Use the organization name (e.g. “AFHCAN”)
o Product Key – enter key
o License - Per Server with (5) connections typically.
o Computer Name: Enter appropriate name
o Computer Name and Administrator Password:
 Name: Administrator / Password: “password”
 NOTE: This will change later with stronger account names and passwords
o Date & Time Settings
 Adjust as necessary. Use Alaska Time Zone with automatic adjustment for daylight savings unless
Server is being deployed elsewhere – check deployment for Time Zone location.
o Security Updates – Choose “Finish”
o “Manage your Server” window - check the “Don’t display this page at logon”
• Initial Logon
o Security Updates – Choose “Finish”
o NOTE: These next steps will need to be completed for each administrator account as they log on for
the first time
 “Manage your Server” window – check the “Don’t display this page at logon”
 Show My Computer on Desktop
 Adjust Tools / Folder Options / View in Explorer window
 Recommendation: Uncheck “Hide protected operating system files”, click on “Apply” then
“Apply to all folders”
• Screen Resolution:
o Change screen resolution to 1024 X 768.
o Set color depth as high as possible – preferably 32 bit.
• Copy files to C:
o Copy “i386” folder files from W2K3 CD-ROM to C: drive
o Copy “ATS Downloads” folder from AFHCAN ATS Downloads CD-ROM
• Log Files:
o Create “C:\Logs” folder
• Device Manager:
o From the Dell R710 Drivers CD-ROM, extract Win_2k3_2k8_14.2.11.1.zip to C:\Dell\Broadcom
o From the same CD-ROM, extract BASP_BACS_Mgmt_apps_ia32-14.2.12.1.zip to C:\Dell\Broadcom
o Copy the Chip folder from the CD to C:\Dell\Chip
o Run C:\Dell\Broadcom\Win_2k3_2k8_14.2.11.1\Server\W2K3_W2K8\DrvInst\Setup.exe
o Run C:\Dell\Broadcom\BASP_BACS_Mgmt_apps_ia32-14.2.12.1\Server\MgmtApps\IA32\Setup.exe
o Select Control Suite\BASP and SNMP. Ignore the error about SNMP not being detected; it will be installed
later in the document. Click on OK.
o Continue to load BACS when .Net Framework 2.0 warning appears by clicking on OK
o Reboot Server
o Install .Net Framework 2.0 (C:\Domain Downloads\2.0 Net Framework\dotnetfx2.exe) to use the
Broadcom Advanced Control Suite 3 and disable the iSCSI Offload Engine.
o Within the Broadcom Advanced Control Suite 3, disable the iSCSI Offload Engine from those System
Devices (VBD) by removing the checkmark in front of iSCSI Offload Engine found under Resource
Reservations from the Configurations tab.
o Update the CHIP set by clicking on Setup.exe from C:\Dell\Chip\
o Reboot Server
o After log on, check Device manager and update/install drivers as necessary
• Disk Management:
o Change DVD/CD-ROM drive assignment to R:
o Change the drive assignments so 2nd partition is D:
o Format D: drive – Format and change volume label to “Local Disk”
o Change the drive assignment so the 3rd partition is E:
o Format E: drive – Format and change volume label to “Local Disk”
• Create/Modify Accounts:
o Change name of Administrator account. Use the OSBA#*** defined for this server.
 Password: Use complex password defined for this account
 User CANNOT change password, and password never expires
o Create decoy Administrator account
 User name: Administrator
 Password: [email protected]
 User CANNOT change password, and password never expires
 NOT a member of the administrator group
o Create AFHCANAdmin*** account
 Use the name defined for this server
 Password: [email protected]
 Do not use the complex password yet, due to the many reboots that will be coming up. This will
be done at the end.
 User CAN change password, and password never expires
 Member of the administrators group
 Log out and log back in with the AFHCANAdmin*** account. The Administrator account no
longer has any privileges.
• Install .Net Framework 3.5 SP1
o Reboot server
• Install .Net Framework 4.0 by double-clicking C:\ATS Downloads\4.0 .Net
Framework\dotNetFx40_Full_x86_x64.exe
• Install IIS
o Browse to C:\Downloads\Registry and double-click on Setup.reg
o Browse to C:\Downloads\IIS Install and run the “installiis.bat” file
 Leave the default web site
• Finalize OS Configurations
o Browse to C:\ATS Downloads\Registry and double-click on Setup.reg
o Install Optional Windows Components
o Uncheck Accessories and Utilities
o Check Application Server – click Details – ensure FTP is not being installed.
o Leave Internet Explorer Enhanced Security Config checked
o Management and Monitoring Tools – click Details
 Check Simple Network Management Protocol
o Check Security Configuration Wizard
o Uncheck Update root Certificates
o Reboot Server
o Within System Properties, enable Remote Desktop
o Apply Microsoft WindowsServer2003-SP2
o Reboot Server
• Install Adobe Acrobat Reader
o Run C:\ATS Downloads\Adobe\Adobe Reader v9.0\adbeRddr930_en_US.exe accepting all defaults
o Delete any shortcut icons created on desktop
• Configure SNMP (Note – configure this only if being hosted locally by AFHCAN)
o Open “SNMP Service Properties” – in services
o Traps Tab
 Set Community name – site unique
 Set trap destination – use IP address of server
o Security Tab
 Uncheck “Send Authentication Trap” checkbox
 Set the community to be “Read Only”
 “Accept SNMP packets from these hosts” – add the server’s IP address
Install Dell OpenManage Server Administrator
o Click on R:\SYSMGMT\srvadmin\windows\Setup.exe
 Perform Custom install
 Leave all selections at their default values and install
o Restart the server
Note: tConsult Telehealth servers normally have IT Assistant installed. IT Assistant requires SQL and
will install SQL Express as part of the installation process. It is a conscious decision to forego IT
Assistant on a front-end tConsult Telehealth server.
Connect to Microsoft Windows Update site and download and install all security patches
Harden Server
o Operating System Services and Security policies
 Within Administrative Tools, select and run the Security Configuration Wizard. When prompted,
select “Apply an existing security policy”
 Browse to C:\ATS Downloads\Security Template and select Secure AFHCAN Server1.xml
 Accept all defaults and apply the template
 Select Start/Run and enter MMC
 Add the Security Configuration and Analysis MMC snap-in to the MMC
 Right click Security Analysis and select Open database
 Name the database “Update”
 Import Template – browse to and select C:\ATS Downloads\Security Template, select Secure
AFHCAN Server2 and click Open
 Again right click Security Configuration and Analysis and select Configure computer now and
apply the template
Close the MMC and DO NOT save when prompted
 Review NIC settings for all NICs
 On all NIC(s): Ensure Firewall is turned on and the following exceptions are enabled:
• Port 80 TCP – http
• Port 443 TCP – https
• Remote Desktop - Port 3389 TCP
• Time Server - Port 123 UDP
• WCF - Port 6968 TCP
• MSDTC (Add Program: C:\Windows\System32\MSDTC.exe)
• Security logging:
o Change log file location to C:\Logs\pfirewall.log
• ICMP:
o Check “Allow incoming echo request”
• Ensure “Client for Microsoft Networks” is selected
• Ensure “File and Print Sharing for Microsoft Networks” is selected
• Verify IP, SM, DG, DNS
• Disable any NICs that will not be connected to the network
• System 32 Changes
o Run the “C:\ATS Downloads\Batch Files\ACLChange.Bat”
• Change ACLs on partitions
C: Drive
Root (C:\)
Remove Everyone, CREATOR OWNER, and Users groups
D: Drive
Root (D:\)
Remove Everyone, CREATOR OWNER, and Users groups
E: Drive
Root (E:\)
Remove Everyone, CREATOR OWNER, and Users groups
Delete E:\Inetpub\AdminScripts folder
C:\Inetpub
Add the IIS_WPG Group and give modify permissions
Add the Web Applications Group and give modify permissions
C:\Inetpub\WWWRoot
o Remove the Internet Guest Account (IUSR)
o Remove the Users account
o Remove the Web Anonymous Users account
Indexing Service
o Turn off indexing service at the root of C:\
 Right click on C: drive / Properties / General. Clear the checkmark for “Allow Indexing Service to
index this disk”. When prompted – select option to apply changes to subfolders and files.
o Turn off indexing service at the root of D:\
 When prompted – select option to apply changes to subfolders and files.
o Turn off indexing service at the root of E:\
 When prompted – select option to apply changes to subfolders and files.
Registry Changes: Run the C:\ATS Downloads\Registry\RegSecChanges.Reg
Enabling MSDTC Services: Using Computer Management / Services, ensure the following five services are
set to Automatic and Start each one:
o COM+ Event System
o COM+ System Application
o DCom Server Process Launcher
o Distributed Transaction Coordinator
o System Event Notification
User Accounts
o Delete the “Support…” account
o Disable the IUSR account
o Disable the IWAM account
Modify user’s Remote / Terminal Services settings
o Do the following for all users except AFHCANAdmin*** and OSBA: Remove ability to logon to
Terminal Services
 Computer Management / User Properties / Terminal Services Profile. Check the “Deny this user
permission…” checkbox
 Under “Remote Control” tab, uncheck “Need User’s permission”
 Harden the AFHCANAdmin*** password
 Delete both Full Name and Description entries from all users
Group Accounts
o Within the IIS-WPG group, remove the IWAM user account
Disable Dump File Creation:
o My Computer / Properties / Advanced / Startup and Recovery – Set “Write Debugging Information” at
“(none)”
o Uncheck “Send an Administrative Alert”
Create/Set Pagefile Parameters: Go to System Properties / Advanced / Performance / Settings, then select
Advanced tab / Virtual Memory
o On C: drive, create/set pagefile initial/max at 1024 MB
o On D: drive, create/set pagefile initial/max at 4096 MB
o Do not restart your system at this time
Disable Application dump files
o Run drwtsn32.exe and uncheck everything but “Append to Existing Log File”
Terminal Services
Administrative Tools / Terminal Services Configuration
o RDP-TCP Properties
o General Tab:
 Encryption Level: Client Compatible
o Client Settings Tab:
 Uncheck “Use Connection Settings from User Settings”
 Uncheck “Connect Client Printers at Logon”
 Uncheck “Default to Main Client Printer”
 Under “Disable the Following”, check everything except “Drive Mapping”
o Sessions Tab:
 Check “Override User Settings”
 End a disconnected session in 30 minutes
 Limit active sessions length to 1 day
 Idle sessions Limit: 30 minutes
o Network Adapter Tab
 Set maximum connections to 2
o Server Settings
 Change Active Desktop to “Disable”
Configure MSDTC: Start / Programs / Administrative Tools / Component Services
o Click the MSDTC tab of the My Computer Properties dialog and click the Security Configuration
button.
o Network DTC Access:
 Allow Remote Clients
 Allow Remote Administration
o Transaction Manager Communication:
 Allow Inbound
 Allow Outbound
 No Authentication Required
 Enable Transaction Internet Protocol (TIP) Transactions
IIS
o Web Sites – right-click and select Properties
o Web Site Tab:
 Active log format – click Properties and change log file directory to C:\Logs
o Advanced tab – check Cookie and Referer checkboxes
o Directory Security Tab:
 Authentication and access control – edit and Uncheck anonymous access – only Integrated
Authentication allowed
o Home Directory Tab:
 Application Settings – click Configuration and remove all application extensions
 Web Service Extensions
• Ensure ASP.NET v1.1.4322 is allowed
• Ensure ASP.NET v2.0.50727 is allowed
• Ensure ASP.NET v4.0.30319 is allowed
• Prohibit “Active Server pages”
Reboot Server
2. Cleanup Server
• Check for FTP Service and uninstall if present
• Clear the log files using Event Viewer
• Delete Security Configuration Wizard shortcut from the Desktop
• Empty Recycle bin
• Defrag the hard drives
End of Procedure.
Telehealth Server Windows 2003 Back End Server Build and Configuration
1. Material Requirements
Server
o Server CPU w/NIC(s)
o Manufacturer CDROMS – drivers disk
o Monitor
o Keyboard
o Mouse
Software
o AFHCAN Windows 2003 CD-ROM w/license key (plus CALs)
o Windows 2003 SP2 CD-ROM
o AFHCAN software patches (if applicable)
o Perc Firmware update floppy disks (if applicable)
o ATS Downloads CD-ROM dated 3/24/2010 or later
o .NET 3.5 Framework SP1 CD-ROM
o SQL Server 2005
o 5.1.3
Documentation
o Server configuration QA sheet
Miscellaneous – all may not be needed
o LAN connection for server
o WAN connectivity to core
o CAT5 cables – regular, crossover
o CAT5 female-female adapters
Initialize Server
o It is assumed that the server is installed with a monitor, keyboard and mouse (or KVM equivalent).
o IMPORTANT: DO NOT CONNECT THE LAN AT THIS POINT – the server is vulnerable to attacks until it
is hardened.
BIOS Configuration – Boot Sequence:
o CD-ROM
o Hard Drive
o Floppy
RAID-5 configuration: Follow the manufacturer’s documentation provided for the RAID software
installation/hardware configuration. To access the Dell R710 RAID BIOS, press Ctrl-R during the POST process.
o Create a single five-drive RAID5 container and establish the sixth drive as a hot spare.
o Do a full Initialization followed by a Consistency Check if the server is brand new out of the box
Windows 2003 Server Initial Installation
o Partition hard disks: Note: The sizes below reflect 500 Gb Hard Drives. Larger Hard Drives will allow
for a 200 Gb C partition with the remaining disk space for the D partition.
IMPORTANT: Use NTFS file format for ALL partitions throughout this process
o Create C: partition – 200 Gbytes (204800)
o Create D: partition – 726 Gbytes (726017) or the amount of the remaining space available after
calculating the space necessary for the C and E partitions. *Remember to leave 8 Mb free.
o Create E: partition – 20 Gbytes (20480)
o Regional and language Options – leave at default
o Name: “User”
o Organization: Use the organization name (e.g. “AFHCAN”)
o Product Key – enter key
o License - Per Server with (5) connections typically.
o Computer Name: Enter appropriate name
 Name: Administrator / Password: “password”
 NOTE: This will change later with stronger account names and passwords
Date & Time Settings
 Adjust as necessary. Use Alaska Time Zone with automatic adjustment for daylight savings unless
Server is being deployed elsewhere – check deployment for Time Zone location.
o Security Updates – Choose “Finish”
o “Manage your Server” window - check the “Don’t display this page at logon”
Initial Logon
o Security Updates – Choose “Finish”
o NOTE: These next steps will need to be completed for each administrator account as they log on for
the first time
o “Manage your Server” window – check the “Don’t display this page at logon”
o Show My Computer on Desktop
o Adjust Tools / Folder Options / View in Explorer window
o Recommendation: Uncheck “Hide protected operating system files”, click on “Apply” then “Apply to
all folders”
Screen Resolution:
o Change screen resolution to 1024 X 768.
o Set color depth as high as possible – preferably 32 bit.
Copy files to C:
o Copy “i386” folder files from W2K3 CD-ROM to C: drive
o Copy “ATS Downloads” folder from AFHCAN ATS Downloads CD-ROM
Log Files:
o Create “C:\Logs” folder
Device Manager:
o From the Dell R710 Drivers CD-ROM, extract Win_2k3_2k8_14.2.11.1.zip to C:\Dell\Broadcom
o From the same CD-ROM, extract BASP_BACS_Mgmt_apps_ia32-14.2.12.1.zip to C:\Dell\Broadcom
o Copy the Chip folder from the CD to C:\Dell\Chip
o Run C:\Dell\Broadcom\Win_2k3_2k8_14.2.11.1\Server\W2K3_W2K8\DrvInst\Setup.exe
o Run C:\Dell\Broadcom\BASP_BACS_Mgmt_apps_ia32-14.2.12.1\Server\MgmtApps\IA32\Setup.exe
 Select Control Suite\BASP and SNMP. Ignore error about SNMP not being detected, it will be
installed later in the document. Click on OK.
 Continue to load BACS when .Net Framework 2.0 warning appears by clicking on OK
o Reboot Server
o Install .Net Framework 2.0 (C:\ATS Downloads\2.0 Net Framework\dotnetfx2.exe) to use the
Broadcom Advanced Control Suite 3 and disable the iSCSI Offload Engine.
o Within the Broadcom Advanced Control Suite 3, disable the iSCSI Offload Engine from those System
Devices (VBD) by removing the checkmark in front of iSCSI Offload Engine found under Resource
Reservations from the Configurations tab.
o Update the CHIP set by clicking on Setup.exe from C:\Dell\Chip\
o Reboot Server
o After log on, check Device manager and update/install drivers as necessary
Disk Management:
o Change DVD/CD-ROM drive assignment to R:
o Change the drive assignments so 2nd partition is D:
o Format D: drive – Format and change volume label to “Local Disk”
o Change the drive assignment so the 3rd partition is E:
o Format E: drive – Format and change volume label to “Local Disk”
Create/Modify Accounts:
o Change name of Administrator account. Use the OSBA#*** defined for this server.
 Password: Use complex password defined for this account
 User CANNOT change password, and password never expires
 Create decoy Administrator account
• User name: Administrator
• Password: [email protected]
• User CANNOT change password, and password never expires
• NOT a member of the administrator group
 Create AFHCANAdmin*** account
• Use the name defined for this server
• Password: [email protected]
• Do not use the complex password yet, due to the many reboots that will be coming up. This
will be done at the end.
 User CAN change password, and password never expires
 Member of the administrators group
 Log out and log back in with the AFHCANAdmin*** account. The Administrator account no
longer has any privileges.
Install .Net Framework 3.0 by double-clicking C:\ATS Downloads\3.0 .Net Framework\dotnetfx3.exe
Install MSXML6, SP1 by double-clicking C:\ATS Downloads\MSXML6.0\msxml6_x86.msi
o Reboot server
Install .Net Framework 3.5 SP1
o Reboot server
Install .Net Framework 4.0 by double-clicking C:\ATS Downloads\4.0 .Net
Framework\dotNetFx40_Full_x86_x64.exe
Finalize OS Configurations
o Within System Properties, enable Remote Desktop
o Apply Microsoft WindowsServer2003-SP2
o Reboot Server
Install SQL Server 2005
o Install from CDROM/DVD. Run SQL Server 2005 Setup.exe if it doesn’t autostart. Accept component
updates.
o Accept username and company
o Enter Product Key
Components to Install
o SQL Server Database Services
o Workstation components, Books Online and development tools
Click on Advanced
o Database Services
Change the installation path for Data Files to D:\
o Client Components
Make Business Intelligence Development Studio components unavailable
Make Software Development Kit components unavailable
o Documentation, Samples, and Sample Databases
Make the Documentation, Samples and Sample Databases unavailable
o Accept Default instance
o Service Accounts - Customize the settings for each service
For SQL Server - Use the Local System Account.
For SQL Server Agent - Use the Local System Account.
For SQL Browser – Use the Local System Account
At the Start Services at the end of setup, (bottom 3rd of dialog box), select SQL Server and SQL Server
Agent
o Mixed Mode for Authentication
o Enter hardened SA password
o Accept default collations
o Do NOT send errors to Microsoft
o Completing Microsoft SQL Server 2005 Setup
 Click on Surface Area Configuration Tool
 Select Surface Area Configuration for Services and Connections
 Highlight MSSQLSERVER | Database Engine | Remote Connections
 Select Using both TCP/IP and named pipes
 Select Surface Area Configuration for Features
 Enable CLR Integration
Install SP4 for Microsoft SQL 2005 Server
From CDROM/DVD, click on SQLServer2005SP4-KB2463332-x86-ENU.exe
o Accept License Terms
o Accept default feature selections
o Do NOT send errors to Microsoft
Reboot Server
Configure SNMP (Note – configure this only if being hosted locally by AFHCAN)
Open SNMP Service Properties in services
o Traps Tab
 Set Community name – site unique
 Set trap destination – use IP address of server
o Security Tab
 Uncheck Send Authentication Trap checkbox
 Set the community to be Read Only
 Add new Read/Write Community
 Accept SNMP packets from these hosts – add the server’s IP address
Install Dell OpenManage Server Administrator
o Click on R:\SYSMGMT\srvadmin\windows\Setup.exe
 Perform Custom install
 Leave all selections at their default values and install
o Restart the server
Install IT Assistant: Run C:\ATS Downloads\IT Assistant\setup.exe
o Accept all default settings and install
o Restart the server
o Open IT Assistant
o Add to trusted site
o Install the Java runtime component accepting defaults
Connect to Microsoft Windows Update site and download and install all security patches
Harden Server
o Operating System Services and Security policies
o Within Administrative Tools, select and run the Security Configuration Wizard. When prompted,
select “Apply an existing security policy”
 Browse to C:\ATS Downloads\Security Template and select Secure AFHCAN Server1.xml
 Accept all defaults and apply the template
 Select Start/Run and enter MMC
 Add the Security Configuration and Analysis MMC snap-in to the MMC
 Right click Security Analysis and select Open database
• Name the database “Update”
 Import Template – browse to and select C:\ATS Downloads\Security Template, select Secure
AFHCAN Server2 and click Open
 Again right click Security Configuration and Analysis and select Configure computer now and
apply the template
 Close the MMC and DO NOT save when prompted
 Review NIC settings for all NICs
 On all NIC(s): Ensure Firewall is turned on and the following exceptions are enabled:
• Port 80 TCP – http
• Port 443 TCP – https
• Remote Desktop - Port 3389 TCP
• Time Server - Port 123 UDP
• WCF - Port 6968 TCP
• MSDTC (Add Program: C:\Windows\System32\MSDTC.exe)
• Port 1433 – Edit Scope and allow only the tConsult Telehealth Server by entering the IP
address and 255.255.255.255 as the subnet
• Security logging: Change log file location to C:\Logs\pfirewall.log
• ICMP: Check “Allow incoming echo request”
• Ensure “Client for Microsoft Networks” is selected
• Ensure “File and Print Sharing for Microsoft Networks” is selected
• Verify IP, SM, DG, DNS
• Disable any NICs that will not be connected to the network
System 32 Changes
o Run the “C:\ATS Downloads\Batch Files\ACLChange.Bat”
Change ACLs on partitions
o C: Drive
o Root (C:\)
 Remove Everyone, CREATOR OWNER, and Users groups
 C:\Program Files\Microsoft SQL Server
 Remove everyone EXCEPT Administrators & System
 Add and give Users Modify permission on MSSQLServer\90\Shared folder level
o D: Drive
o Root (D:\)
 Remove Everyone, CREATOR OWNER, and Users groups
o E: Drive
o Root (E:\)
 Remove Everyone, CREATOR OWNER, and Users groups
 Delete E:\Inetpub\AdminScripts folder
o C:\Inetpub\WWWRoot
 Remove the Internet Guest Account (IUSR)
 Remove the Users account
 Remove the Web Anonymous Users account
 Add the IIS_WPG Group and give modify permissions
Indexing Service
o Turn off indexing service at the root of C:\
 Right click on C: drive / Properties / General. Clear the checkmark for “Allow Indexing Service to
index this disk”. When prompted – select option to apply changes to subfolders and files.
o Turn off indexing service at the root of D:\
 When prompted – select option to apply changes to subfolders and files.
o Turn off indexing service at the root of E:\
 When prompted – select option to apply changes to subfolders and files.
Registry Changes: Run the C:\ATS Downloads\Registry\RegSecChanges.Reg
Enabling MSDTC Services:
o Using Computer Management / Services, ensure the following five services are set to Automatic and
start each one:
 COM+ Event System
 COM+ System Application
 DCom Server Process Launcher
 Distributed Transaction Coordinator
 System Event Notification
 User Accounts
• Delete the “Support…” account
• Disable the IUSR account
• Disable the IWAM account
o Modify user’s Remote / Terminal Services settings
 Do the following for all users except AFHCANAdmin*** and OSBA
• Remove ability to logon to Terminal Services
Computer Management / User Properties / Terminal Services Profile.
• Check the “Deny this user permission…” checkbox
• Under “Remote Control” tab, uncheck “Need User’s permission”
• Harden the AFHCANAdmin*** password
• Delete both Full Name and Description entries from all users
o Group Accounts: Within the IIS-WPG group, remove the IWAM user account
Disable Dump File Creation: My Computer / Properties / Advanced / Startup and Recovery – Set
“Write Debugging Information” at “(none)”
 Uncheck “Send an Administrative Alert”
 Create/Set Pagefile Parameters: Go to System Properties / Advanced / Performance / Settings,
then select Advanced tab / Virtual Memory
• On C: drive, create/set pagefile initial/max at 1024 MB
• On D: drive, create/set pagefile initial/max at 4096 MB
• Do not restart your system at this time
o Disable Application dump files: Run drwtsn32.exe and uncheck everything but “Append to Existing
Log File”
o Terminal Services
 Administrative Tools / Terminal Services Configuration
 RDP-TCP Properties
• General Tab: Encryption Level: Client Compatible
• Client Settings Tab:
o Uncheck “Use Connection Settings from User Settings”
o Uncheck “Connect Client Printers at Logon”
o Uncheck “Default to Main Client Printer”
o Under “Disable the Following”, check everything except “Drive Mapping”
• Sessions Tab:
o Check “Override User Settings”
o End a disconnected session in 30 minutes
o Limit active sessions length to 1 day
o Idle sessions Limit: 30 minutes
o When session limit is reached “Override User Settings” and select End session.
• Network Adapter Tab
o Set maximum connections to 2
• Server Settings
o Change Active Desktop to “Disable”
Configure MSDTC: Start / Programs / Administrative Tools / Component Services
o Click the MSDTC tab of the My Computer Properties dialog and click the Security Configuration
button.
 Network DTC Access:
• Allow Remote Clients
• Allow Remote Administration
 Transaction Manager Communication:
• Allow Inbound
• Allow Outbound
• No Authentication Required
• Enable Transaction Internet Protocol (TIP) Transactions
IIS
o Web Sites – right-click and select Properties
o Web Site Tab:
 Active log format – click Properties and change log file directory to C:\Logs
 Advanced tab – check Cookie and Referer checkboxes
o Directory Security Tab:
 Authentication and access control – edit and Uncheck anonymous access – only Integrated
Authentication allowed
o Home Directory Tab:
 Application Settings – click Configuration and remove all application extensions
o ASP.NET Tab
 ASP.NET version set to 4.0.30319
 Web Service Extensions
• Ensure ASP.NET v1.1.4322 is allowed
• Ensure ASP.NET v2.0.50727 is allowed
• Ensure ASP.NET v4.0.30319 is allowed
• Prohibit “Active Server pages”
Reboot Server
2. Cleanup Server
o Check for FTP Service and uninstall if present
o Clear the log files using Event Viewer
o Delete Security Configuration Wizard shortcut from the Desktop
o Empty Recycle bin
o Defrag the hard drives
Review / Make Final Configuration Changes
BIOS Configuration
o Set BIOS password (if organization policy)
o Set AC Power Recovery to ON
o Set Boot Sequence
 Hard Drive
 CDROM/DVD
 Floppy
End of Procedure
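The Harden Server steps above enable a fixed set of firewall exceptions, scope port 1433 to the front-end server, and send the firewall log to C:\Logs\pfirewall.log. The following is an added example, not part of the AFHCAN procedure, that audits that log against the exception list. It assumes the standard Windows Firewall "#Fields" log header and that logging of dropped packets and successful connections is turned on; the IP addresses and log records are constructed for illustration.

```python
# Added example: audit C:\Logs\pfirewall.log against the procedure's firewall exceptions.
# Assumption: logging of dropped packets and successful connections is enabled.

# Inbound exceptions listed in the procedure, as (protocol, destination port).
EXCEPTIONS = {("TCP", 80), ("TCP", 443), ("TCP", 3389), ("UDP", 123), ("TCP", 6968)}
SQL = ("TCP", 1433)  # back-end server only; scope limited to the front-end server

# Constructed sample log: 192.0.2.10 is the back-end server, 192.0.2.20 the front end.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2012-05-16 09:00:01 OPEN-INBOUND TCP 192.0.2.20 192.0.2.10 49152 1433 - - - - - - - -
2012-05-16 09:00:05 OPEN-INBOUND TCP 198.51.100.7 192.0.2.10 50111 1433 - - - - - - - -
2012-05-16 09:00:09 DROP TCP 198.51.100.7 192.0.2.10 50112 21 48 S 123456 0 65535 - - -
2012-05-16 09:00:12 OPEN-INBOUND TCP 198.51.100.7 192.0.2.10 50113 8080 - - - - - - - -
2012-05-16 09:00:15 DROP TCP 198.51.100.7 192.0.2.10 50114 443 48 S 123457 0 65535 - - -
2012-05-16 09:00:20 OPEN TCP 192.0.2.10 203.0.113.5 1050 80 - - - - - - - -
2012-05-16 09:00:30 DROP TCP 198.51.100.7
"""


def parse_firewall_log(text):
    """Yield one dict per record, naming the columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def audit(text, server_ip, front_end_ip):
    """Return (rule, src-ip, protocol, port) for inbound records the exceptions do not explain."""
    findings = []
    for rec in parse_firewall_log(text):
        proto = rec.get("protocol", "")
        port = rec.get("dst-port", "")
        if rec.get("dst-ip") != server_ip or proto not in ("TCP", "UDP"):
            continue  # outbound traffic or ICMP
        if not port.isdigit():
            continue
        key = (proto, int(port))
        action = rec.get("action", "")
        accepted = action.startswith("OPEN")  # OPEN or OPEN-INBOUND
        dropped_syn = action == "DROP" and rec.get("tcpflags") == "S"
        from_front_end = rec.get("src-ip") == front_end_ip
        rule = None
        if accepted and key == SQL and not from_front_end:
            rule = "sql-scope-too-wide"  # 1433 reachable from a host other than the front end
        elif accepted and key != SQL and key not in EXCEPTIONS:
            rule = "unlisted-port-open"  # an exception exists that the procedure does not list
        elif dropped_syn and (key in EXCEPTIONS or (key == SQL and from_front_end)):
            rule = "listed-exception-blocked"  # a required exception is not in effect
        if rule:
            findings.append((rule, rec["src-ip"], proto, key[1]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "192.0.2.10", "192.0.2.20"):
        print(finding)
```

On a front-end server, which has no port 1433 exception, pass None as front_end_ip so that any accepted connection to 1433 is reported.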