ActiveEfficiency Server and the ActiveEfficiency Scout

CategoryProductNotes

OS

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
ActiveEfficiency and the Scout will install on systems running these OS.

Database servers

  • SQL Server 2019
  • SQL Server 2017
  • SQL Server 2016 SP2
  • You must have one of these SQL Server versions installed for ActiveEfficiency and the Scout
  • SQL server must be configured to use a case-insensitive, accent-sensitive collation as the server default - the preferred collation is SQL_Latin1_General_CP1_CI_AS
  • ActiveEfficiency supports SQL Always On Availability Groups or SQL cluster
  • See Preparation for details of SQL permissions required by the installation and service accounts

Configuration Manager

  • SCCM CB 2111
  • SCCM CB 2107
  • SCCM CB 2103
  • SCCM CB 2010
  • SCCM CB 2006
  • SCCM CB 2002
  • SCCM CB 1910
  • SCCM CB 1906
  • SCCM CB 1902
  • You must have one of these Configuration Manager versions installed for ActiveEfficiency and the Scout
  • If you installed or upgraded to ActiveEfficiency 1.10 ensure you have installed Nomad Configuration Manager Admin Console Extensions for Nomad 7.0 (or later), otherwise pre-caching content fails when you run it.

Pre-caching content failure

  • Enable the Distributed Transaction Coordinated (DTC) service. DTC is a feature of Windows Server and is used to track processes of transactional processes, usually over multiple resource managers on multiple computers. DTC ensures that the transactions are completed and can be rolled-back if any part of the process fails.
    Enabling the DTC service

    Nomad synchronization uses DTC to perform complex queries on Configuration Manager and ActiveEfficiency data (for example, to retrieve computers targeted with Nomad Pre-cache policies and Nomad Dashboard data). DTC must be enabled and configured on the Configuration Manager SQL database server.

    You must restart the SQL service after enabling DTC.

Web servers

  • IIS 10
  • You must have one of these IIS versions installed for ActiveEfficiency and the Scout. The ActiveEfficiency installer runs a check to ensure that a supported version of IIS is installed before continuing.
  • To allow users and other 1E products to access the ActiveEfficiency website and web services, you must enable the following Windows roles and features
      • Web Server IIS (Web-Server)
      • Windows Authentication (Web-Windows-Auth)
      • IIS Management Console (Web-Mgmt-Console)
      • .NET Framework 4.x (Web-Asp-Net45)
      • ASP.NET 4.x (Web-Asp-Net45) - under the ISAPI and CGI restrictions section in IIS Manager 

      • Message Queuing (MSMQ) - see notes for Runtime libraries
      • Other required features are included in the above roles and features. 
  • If your SQL server is remote and TLS 1.0 is disabled in your environment you must install the SQL Server Native Client 11.0 (also known as SQL Server 2012 Native Client) on the Web server hosting the ActiveEfficiency application. If your SQL server is local you will likely already have the SQL Server Native Client installed, but you should check that this is the case.

    The following image illustrates the ODBC driver for the installed SQL Server Native Client:

You can download the SQL Server Native Client 11.0 installer (sqlncli.msi) from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=50402. Note that this version supports SQL Server 2012, 2014, 2016 and 2017.

Runtime libraries

  • MSMQ
  • .NET Framework 4.8
  • .NET Framework 4.7.2
  • .NET Framework 4.7.1
  • .NET Framework 4.7
  • You must have one of these versions of .NET Framework. The ActiveEfficiency and Scout installers each runs a check to ensure that .NET Framework Full Profile runtime library is installed. To know supported combinations of OS and .NET Framework, please refer to: https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies .
    • Windows Server 2019 has .NET Framework 4.7.2 installed by default.
    • Windows Server 2016 has .NET Framework 4.6.2 installed by default.
  • You must install MSMQ if you use the Nomad integration with WakeUp, Nomad Dashboard or Pre-cache features.
    • MSMQ is only used by the WakeUp integration feature
    • Even though the Dashboard and Pre-cache features do not use MSMQ, it is a prerequisite for installing these ActiveEfficiency Server features.
    • MSMQ is not used by the SSD, SSPBA and Nomad Download Pause features, and not required for installing their features.



Browsers

  • Google Chrome
  • Microsoft Edge (Chromium)
  • Mozilla Firefox

Others

  • ActiveEfficiency Server
ActiveEfficiency Server must be running on your network before you install the ActiveEfficiency Scout.

Constraints of Legacy OS

In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.

1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.

  • Windows XP *
  • Windows Vista
  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows Server 2003 *
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
1E Client 8.1 and later will not install on Windows XP and Windows Server 2003. Please contact 1E if you intend to continue using any of the other legacy OS. If you experience an issue, then please try replicating the issue on a supported OS.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Certificate limitations - expired root certificates

Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by Group Policy Turn off Automatic Root Certificates Update.

If this GPO is enabled, then you will see DisableRootAutoUpdate = 1 (dword) in HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot.

Certificate limitations - signing certificates missing

On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below. 

Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, or inability to connect to the Internet, or they are legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure polices (for example UAC, AppLocker or SmartScreen).

Typical reasons for issues with signing certificate are:

  • If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer
  • If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, numbered in the table(s) below. 

The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an authenticode signature is SHA256, and the countersignature is a RFC3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an authenticode signature to be SHA1, and a legacy countersignature. 

The table below applies to software and hotfixes released in 2020.

2020

Signing certificate

Timestamping certificates

Certificate

1E Limited

TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder

Issuing CA

DigiCert EV Code Signing CA (SHA2)

Thumbprint: 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3

DigiCert SHA2 Assured ID Timestamping CA

Thumbprint: 3ba63a6e4841355772debef9cdcf4d5af353a297

and  DigiCert Assured ID CA-1

Thumbprint: 19a09b5a36f4dd99727df783c17a51231a56c117

Root CA

DigiCert High Assurance EV Root CA

Thumbprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

DigiCert Assured ID Root CA

Thumbprint: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43