Install the empower® Backend (Version >= 9.7)

Available from Version: 9.7 

Hosting Option: Corporate Cloud 

Required Permissions: IT Admin 

To install the empower® Backend, use the empower® Backend Installer.

You only need to install the empower® Backend if your company hosts empower® on-premises or in a corporate cloud.

If empower® is hosted in the empower® Cloud, the backend is installed and maintained by empower® Support.

The backend installer provides a wizard that includes explanations and guides you through the installation process step-by-step.

Here, you can make settings and configure the backend according to your needs.

The installer can be used in three modes:

  • Install – The backend installer automatically starts in install mode if there is no existing empower® Backend Installation (Figure 1, “First Installation”).

  • Update – The backend installer can be started in update mode if there is an existing empower® Backend Installation which needs to be updated to a newer version.

  • Configure – The backend installer can be started in configure mode if there is an existing empower® Backend Installation which is on the current version. Here, you can adjust the settings that have been made during the initial installation.

Figure 1. First Installation

Important

Before installing the empower® Backend, the following must be true:

  • .NET Framework 4.6.2 has been installed by your IT.

    This is the default from Windows Server 2016 onwards.

  • The database has been prepared by empower.

    • The Service User has been set up by you or your IT.

  • The Service Host User has been set up by you or your IT.

  • If applicable, the identity service (Okta or Microsoft Entra ID) has been set up by you or your IT.

For further information regarding the required users for the backend installation, see Backend Installation Users.

For further information regarding the setup of Microsoft Entra ID, see Script for App Registration in Microsoft Entra ID.

For further information regarding the setup of Okta, see Configure Okta for the Use with empower®.

Install the empower® Backend

The installation is divided into five sections. In each section, several settings can be made.

Each time the button Apply appears instead of the button Next, you complete one of the sections.

Installing the backend requires a version of .NET Core Runtime & Hosting Bundle.

If you have not installed the correct version, a message appears in the installer window (Figure 2, “.NET Core Runtime Missing”).

Here, click on the link to download the .NET Core Runtime and then restart the installer.

Figure 2. .NET Core Runtime Missing

Note

If there is an issue, you only need to redo the steps in the section you are currently in. All sections that have been completed successfully in advance are saved.

Section 1 – Target Folder and Web Components

In section 1 of the backend installer, you choose the target folder for the installation. In the next step, you decide if you want to install the web components for PowerPoint Online, Word Online and Excel Online.

Then, you can also decide if you want to install the web component for Outlook Online as well.

To do so, follow these steps:

  1. To choose the folder the backend services should be installed to, click on the button Browse (Figure 3, “Target Folder”).

    It is recommended to keep the default path.

  2. Then, choose the folder.

  3. Click on the button Next.

Figure 3. Target Folder

  1. To install the web components for PowerPoint Online, Word Online and Excel Online, tick the checkbox for Install web components (Figure 4, “Web Components”).

  2. To install the web component for Outlook Online, tick the checkbox for Install empower Mails Online.

  3. Then, click on the button Apply.

Figure 4. Web Components

Your changes are applied and you will be forwarded to the next section.

Note

empower® Mails Online can only be installed if all other web components are installed as well.

If you choose to install empower® Mails Online, you can only use Microsoft Entra ID as identity service.

Further Requirements for Web Components

For the web components to work, you need to fulfill further requirements:

  • For each new version, the manifest files need to be rolled out again.

  • If you choose to install empower® Mails Online, configure Single Sign-On for empower® Mails Online.

Important

For version 9.7, there have been major changes to the manifest files for the web components. Therefore, the web components might not work properly if the new manifest files are not rolled out for existing installations.

If you update the empower® Backend, make sure the manifest files are rolled out accordingly.

Note

For further information regarding the distribution of the manifest files, see Set up the empower® Web Components for Office Online.

For further information regarding Single Sign-On for empower® Mails Online, see Adjust App Registration for empower® Mails Online.

Section 2 – Identity Service and Public Endpoint

In section 2, you can choose your preferred identity service. Afterwards, you can make changes to the public endpoint and database configurations as well as to the load balancing configuration.

Choose Identity Service

In the window Identity provider selection, select the identity service you want to use for empower®.

You can choose from the following (Figure 5, “Choose Identity Service”):

  • Active Directory

  • Microsoft Entra ID

  • Okta

Figure 5. Choose Identity Service

Then, click on the button Next.

If you have selected Active Directory, you are forwarded to the public endpoint configuration.

If you have selected Microsoft Entra ID or Okta, you are forwarded to further settings for those identity services.

Note

If you have chosen to install empower® Mails Online, the only option to be displayed is Microsoft Entra ID.

Configure Backend for Microsoft Entra ID

To fill in the configuration information for Microsoft Entra ID, make sure to follow the instructions on setting up the app registration for Microsoft Entra ID.

You will need the values Tenant ID, Client ID and Client Secret for the backend installer.

Save those values securely and then follow these steps in the backend installer (Figure 6, “Enter MS Entra ID Values”):

  1. In the window Configure Entra ID Identity Provider, enter the value for the Tenant ID.

  2. Enter the value for the Client ID.

  3. Enter the value for the Client Secret.

  4. Then, click on the button Next.

Figure 6. Enter MS Entra ID Values

Tenant ID and Client ID must be entered in GUID format.

Important

The Client Secret is only visible once. Make sure to save the Client Secret securely.

Note

For further information regarding the setup of the Microsoft Entra ID app registration, see Script for App Registration in Microsoft Entra ID.

Configure Backend for Okta

To fill in the configuration information for Okta, make sure to follow the instructions on setting up the necessary applications for Okta.

If you use the PowerShell script for the application setup, you receive a configuration file.

In the backend installer, follow these steps (Figure 7, “Import Okta Directory Values”):

  1. Click on the button Import.

  2. Navigate to the folder in which you have saved the Okta configuration file.

  3. Select the Okta configuration file.

    The values are automatically entered into the corresponding input fields.

  4. Click on the button Next.

Figure 7. Import Okta Directory Values

If you have not used the PowerShell script but have set up the applications in Okta manually, enter the values manually.

Important

Using the PowerShell script is always recommended!

Note

For further information regarding the setup of the Okta applications, see Configure Okta for the Use with empower®.

Configure Public Endpoint and Certificates

After the identity service selection and configuration, you are forwarded to the configuration of the public endpoint. Then, you can choose which type of certificate you want to use.

To do so, follow these steps (Figure 8, “Host Name and Port Information”):

  1. In the window Configure Public Endpoint, enter the host name.

  2. Then, choose if you want to use the default port or a custom port.

    1. To use the default port, choose the option Use standard port.

    2. To use a custom port, choose the option Use a custom port.

      If the default port (443) is available, a warning is displayed.

  3. To set up a firewall rule, tick the checkbox for Create Windows Firewall Rule.

  4. Click on the button Next.

Figure 8. Host Name and Port Information

  1. In the window Configure SSL, choose the type of certificate you want to use (Figure 9, “Choose SSL Certificate”).

    1. If you want to use a certificate signed by LetsEncrypt, choose the option Use a free certificate issued by LetsEncrypt.

      1. Enter the e-mail address that you want to use for the registration.

    2. If you want to use a certificate issued by your own Company Certification Authority, choose the option Use a certificate issued by your IT department.

      1. Click on the button Browse and navigate to the .pfx file you want to use.

      2. Enter the password for this file.

    3. If you want to use a self-signed certificate, choose the option Use a self-signed certificate.

      The certificate will be created upon backend installation and can be saved to your device after the installation is finished.

  2. Click on the button Next.

Figure 9. Choose SSL Certificate

You are forwarded to the next step.

Important

If you change the public endpoint later on, this affects the Microsoft Entra ID app registration and might therefore result in issues.

Make sure to change the public endpoint accordingly.

Important

If possible, always use a certificate signed by LetsEncrypt. As an alternative, you can use a certificate issued by your own Company Certification Authority.

For production environments, never use the self-signed certificate!

Note

For further information regarding the SSL certificates and which one is best for you, see SSL Certificates.
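The following script is an added example, not part of the empower® documentation or installer. It inspects a .pfx file before you select it under Use a certificate issued by your IT department and reports a missing private key, an expired or self-signed certificate, an untrusted chain, or a name that does not match the public endpoint. The path and host name are placeholders, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example, not vendor code. Path and host name are placeholders.
param(
    [string]$PfxPath  = 'C:\certs\backend.pfx',
    [string]$HostName = 'empower.example.com'
)

function Test-NameMatch([string]$Pattern, [string]$Name) {
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $rest = $Name.Substring($Name.IndexOf('.') + 1)
        return ($Name.Contains('.') -and ($rest -ieq $Pattern.Substring(2)))
    }
    return ($Pattern -ieq $Name)
}

$x509 = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $PfxPath, $password

# Collect DNS names: the name .NET reports plus all SAN entries (OID 2.5.29.17).
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Windows formats SAN entries as "label=value"; keep only the values.
    $names += [regex]::Matches($san.Format($false), '(?<==)[^,\s]+') |
        ForEach-Object { $_.Value }
}

# Build the chain against this machine's trust stores, without revocation lookups.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

$now = Get-Date
$findings = @()
if (-not $cert.HasPrivateKey) {
    $findings += 'No private key in the .pfx.'
}
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
if ($cert.Subject -eq $cert.Issuer) {
    # Subject equal to issuer is used here as the indicator for self-signed.
    $findings += 'Self-signed (subject equals issuer); not for production.'
}
if (-not $chainOk) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings += "Chain not trusted on this machine: $status"
}
if (-not ($names | Where-Object { Test-NameMatch $_ $HostName })) {
    $findings += "No certificate name matches $HostName."
}

[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    DnsNames = ($names | Select-Object -Unique) -join ', '
    Findings = if ($findings) { $findings } else { 'none' }
}
```

Run it on the server that will host the backend, so the chain is evaluated against the trust stores the installation will actually use.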

Configure Backend Application Services and Data Folder

To configure the backend application services, you need to create a Service Host User.

Afterwards, you can decide where the backend should cache data locally. This is done to improve the overall performance.

To do so, follow these steps:

  1. In the window Setup empower backend Application Services, enter the user name for the Service Host User (Figure 10, “Enter Credentials”).

  2. Then, enter the password for the Service Host User.

  3. Click on the button Next.

Figure 10. Enter Credentials

  1. In the window Select Data Folders, choose where you want to save binary data (Figure 11, “Choose Data Folder”).

  2. If you want to use the default cache folder, choose the option Use the default cache folder.

  3. If you want to use a custom cache folder, choose the option Use a custom cache folder.

    1. Click on the button Browse.

    2. Navigate to the folder in which you want to save the binary data or create a new folder for this purpose.

  4. Click on the button Next.

Figure 11. Choose Data Folder

You are forwarded to the next step.

Configure Database Connection

Next, you can configure the database connection for the empower® Backend.

To do so, follow these steps:

  1. In the window Configure Database Connection, enter the database server name (Figure 12, “Enter Database Details”).

  2. Then, enter the database name.

Figure 12. Enter Database Details

  1. Choose if you want to use the integrated Windows authentication or the SQL authentication with user name and password.

    1. If you use the integrated Windows authentication, you do not need to execute further steps. The access to the empower® Database takes place via the configured Service Host User.

    2. If you use the SQL authentication with user name and password, enter the user name and the password in the input fields.

  2. Then, click on the button Next.

Important

The user that is used to establish the database connection must not have the role sysadmin on the SQL server.

For further information regarding this user, see empower® Database.
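The following script is an added example, not part of the empower® documentation or installer. It connects to the database as the account under test and checks the two role requirements this page states: the database connection user must not be a member of sysadmin, and the current user chosen for the database upgrade in section 3 must have db_owner. Server and database names are placeholders, and Windows PowerShell 5.1 is assumed. For integrated Windows authentication, run it as the account you want to check (for example, the Service Host User).

```powershell
# Added example, not vendor code. Server and database names are placeholders.
param(
    [string]$SqlServer = 'sql01.example.local',
    [string]$Database  = 'empower',
    [ValidateSet('Connection', 'Upgrade')]
    [string]$Check = 'Connection',
    [pscredential]$SqlCredential   # omit to use integrated Windows authentication
)

Add-Type -AssemblyName System.Data

# Role membership of the principal that opens the connection.
$query = @'
SELECT SUSER_SNAME()                AS LoginName,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin,
       IS_ROLEMEMBER('db_owner')    AS IsDbOwner;
'@

$base = "Server=$SqlServer;Database=$Database"
if ($SqlCredential) {
    # SqlCredential requires a read-only SecureString.
    $pw = $SqlCredential.Password.Copy()
    $pw.MakeReadOnly()
    $cred = New-Object System.Data.SqlClient.SqlCredential -ArgumentList $SqlCredential.UserName, $pw
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $base, $cred
} else {
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "$base;Integrated Security=True"
}

try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $result = [pscustomobject]@{
        LoginName  = $reader['LoginName']
        IsSysadmin = ($reader['IsSysadmin'] -eq 1)   # NULL counts as "not a member"
        IsDbOwner  = ($reader['IsDbOwner'] -eq 1)
    }
} finally {
    $conn.Dispose()
}

$ok = switch ($Check) {
    'Connection' { -not $result.IsSysadmin }   # runtime user must not be sysadmin
    'Upgrade'    { $result.IsDbOwner }         # upgrade user must have db_owner
}

$result | Add-Member -NotePropertyName MeetsRequirement -NotePropertyValue $ok -PassThru
if (-not $ok) { exit 1 }
```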

Configure Load Balancing

To ensure that users can experience the best possible performance, the number of clients that can access the empower® Backend at once is limited.

This is done to balance the load. Therefore, a queuing system has been established.

If the backend has already reached its capacity, clients which send additional requests might be asked to wait for the backend to reply.

To configure the load balancing for your environment, the hardware conditions can be detected automatically or entered manually.

The automatic detection is recommended!

To detect this information automatically, you need an internet connection.

You can choose a fixed size yourself only if there is no internet connection and the automatic scaling process is therefore not possible.

The capacity sizes range from XS to XL.

In the window Load Balancing, choose the option you want to use (Figure 13, “Configure Load Balancing”).

Then, click on the button Apply.

Figure 13. Configure Load Balancing

Your changes are applied and you will be forwarded to the next section.

Note

For further information regarding the load balancing in empower®, see empower® Sync.

Important

If automatic scaling is not possible, contact empower® Support.

If you choose a capacity that is too small, the access to the backend might be slowed down. If you choose a capacity that is too large, this might destabilize the backend.

Section 3 – Database Upgrade

In section 3, the database upgrade is executed.

To do so, follow these steps:

  1. In the window Database Upgrade, choose if you want to use the current user or a dedicated SQL Service User to be the Database Update User.

    1. If you want to use the current user for the database update, choose the option Use the current user (Figure 14, “Database Upgrade”).

      The user that is currently used for the backend installation is then used for the database update. This user must have the database role db_owner.

    2. If you want to use an SQL Service User, choose the option Use SQL authentication (Figure 15, “Database Upgrade with SQL User”).

      1. Now, enter the user name and the password.

  2. Click on the button Next.

Figure 14. Database Upgrade

Figure 15. Database Upgrade with SQL User

  1. Check if there is a backup for the database.

  2. In the window Database Upgrade – Backup Confirmation, confirm that the backup for the database exists (Figure 16, “Confirm Database Backup”).

  3. Click on the button Next.

    The backend installer now applies your changes. If this process fails, a message is displayed and the changes are revoked.

  4. If the process has been successful, click on the button Apply.

Figure 16. Confirm Database Backup

Your changes are applied and you will be forwarded to the next section.

Section 4 – Directory Synchronization

In section 4, you can choose your preferred provisioning method.

Depending on the provisioning method and the identity service, you can then make further settings.

First, choose if you want to use the Directory Sync or SCIM (Figure 17, “Choose Provisioning Method”).

SCIM can only be used if you have selected Microsoft Entra ID as identity service.

Figure 17. Choose Provisioning Method

Then, click on the button Next.

Configure Directory Sync

If you have selected the Directory Sync, you can first define the synchronization interval and then make further settings for Active Directory and Okta.

For Microsoft Entra ID, there are no further settings to be made.

To configure the synchronization interval, enter into the input field the time in minutes after which the users and user groups should be synchronized (Figure 18, “Enter Synchronization Interval”).

The default is 60 minutes (one hour). If the interval is not valid, a message appears next to the input field.

Then, click on the button Next.

Figure 18. Enter Synchronization Interval

Configure Active Directory Synchronization

If you have chosen the Active Directory as identity service, you can make further settings for the Directory Sync.

To do so, follow these steps (Figure 19, “Configure AD Synchronization”):

  1. In the window Configure Active Directory Synchronization, choose which domain controller you want to use.

    1. If you want to use a custom domain controller, enter the domain name manually into the input field.

  2. If multiple users from multiple domains should be synchronized, empower® can be connected to the global catalog (GC) instead.

    1. To do so, tick the checkbox for Use global catalog.

  3. During the synchronization, the Directory Sync only synchronizes users that can be found under a specific organizational unit (OU).

    Therefore, enter the required organizational unit into the input field for Sync below this base OU.

    If you use the global catalog, the organizational unit must be complete. That means that the path to the organizational unit must include DC=.

  4. Click on the button Next.

Figure 19. Configure AD Synchronization

You are forwarded to the filter options for the synchronization.

Configure Okta Synchronization

To fill in the configuration information for Okta, make sure to follow the instructions on setting up the necessary applications for Okta.

If you use the PowerShell script for the application setup, you receive a configuration file.

In the backend installer, follow these steps (Figure 20, “Configure Okta Synchronization”):

  1. Click on the button Import.

  2. Navigate to the folder in which you have saved the Okta configuration file.

  3. Select the Okta configuration file.

    The values are automatically entered into the corresponding text fields.

  4. Click on the button Next.

Figure 20. Configure Okta Synchronization

If you have not used the PowerShell script but have set up the applications in Okta manually, enter the values manually.

You are forwarded to the filter options for the synchronization.

Important

Using the PowerShell script is always recommended!

Note

For further information regarding the setup of the Okta applications, see Configure Okta for the Use with empower®.

Use Directory Sync Filters

The users to be synchronized can be filtered not only according to their organizational unit.

They can also be filtered by different criteria (Figure 21, “Choose Filters”):

  • Synchronize all users – All users under the specified OU are synchronized.

  • Filter by security group membership – Only users under the specified OU that are additionally part of a specified security group are synchronized. This is the case for direct and indirect group members (subgroup members).

    However, the specified security group itself is not synchronized!

  • Use a custom filter string – Only users under the specified OU that comply with a custom filter are synchronized.

Figure 21. Choose Filters

The same settings can be applied on the synchronization of user groups.

For the synchronization with Microsoft Entra ID, you can additionally specify a Microsoft Graph API user filter (Figure 22, “MS Graph API Filter”).

Figure 22. MS Graph API Filter

For Okta, the filter options vary depending on the application setup.

If group synchronization has been enabled, group filters are available.

If group synchronization has not been enabled, group filters are not available.

Configure SCIM

If you have chosen SCIM as provisioning method, save the Tenant URL and the secret token from the window SCIM Configuration Details.

The values are required for additional adjustments that need to be made to the Microsoft Entra ID app registration after the backend installation.

Click on the button Next.

Important

The secret token is only visible once!

Note

For further information regarding the setup of SCIM, see Set up Microsoft Entra ID for SCIM.

Check Directory Synchronization

After the configuration, the backend installer checks if all data is correct and if it can establish a connection to the identity service.

Depending on the configuration, this might take a moment.

If the check is successful, the message Using the configured settings, users and groups were found appears (Figure 23, “Successful Synchronization Test”).

Click on the button Apply.

Your changes are applied and you will be forwarded to the next section.

Figure 23. Successful Synchronization Test

Section 5 – Start Application Services

In section 5, the application services are started.

To do so, tick the checkbox for Start backend Application Services (Figure 24, “Start Backend Services”).

Then, click on the button Next.

Figure 24. Start Backend Services

The window Client Configuration Details provides you with information about your configuration (Figure 25, “Configuration Overview”).

To save this information, click on RemoteServiceConfig.xml.

To save the self-signed certificate you have used, click on empower.crt.

To finish the installation, click on the button Apply.

Figure 25. Configuration Overview
