Deployment Outline

Quick overview of the planning and execution steps for deploying a production KeyServer. This outline primarily targets Windows, but the information and links also cover Mac and Linux if desired.

Server selection / setup

Select KeyServer hardware and Operating System based on our guidelines:

Choose a computer that does not have other disk-intensive processes on it.

DNS

(You can skip this during an eval if you want to just use IP address)
DNS names make it friendly for users to find the service, and more flexible in the event of moving a server. Instead of a primary ANAME, we recommend you set up a CNAME record in DNS. This allows KeyServer to be moved in the future independently from any other services, and helps route traffic more easily.

Firewalls

As with any service, ensuring that network traffic can pass through any host, client, and network firewalls is critical. Make sure the server can be reached on port 19283 (TCP and UDP) from client and admin workstations. Our installer tries to set this up in the local (Windows) firewall, but if there are other firewalls in place (e.g. when putting up a VM in Azure, or Checkpoint network firewalls) you also have to tell those devices to allow the traffic. For the Web UI, also allow 80 and/or 443 for http/https, or whatever alternate ports you configure for the web service (see later steps).

Make sure the new server can do outbound https. Specifically, it needs to be able to reach https://prs.sassafras.com/ to download new Product Definitions and Software Icons from our PRS. http generally isn’t needed but is nice to allow as a fallback. It will also need access to *.openstreetmap.org to fetch map tiles if you use geographic map pins.

If a proxy is generally used for outbound traffic from this computer, we recommend adding an exception so that it can contact prs.sassafras.com without going through the proxy. We have seen instances where a proxy changes packet headers in such a way that communication ultimately fails in subtle ways.

Review the Firewalls document for full details of all ports and considerations for various implementations and features.

See also Network Diagrams
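
The checks described in this section can be scripted as a preflight run from a client or admin workstation (server check) and from the server itself (PRS check). This is an added example, not Sassafras code; the function names and the host name keyserver.example.edu are assumptions, while port 19283 and prs.sassafras.com come from the text above.

```python
import socket
import ssl
import sys

KEYSERVER_PORT = 19283          # KeyServer port named in the text (TCP and UDP)
PRS_HOST = "prs.sassafras.com"  # PRS host named in the text


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, silently dropped (timeout), or unroutable
        return False


def check_server(name, port=KEYSERVER_PORT):
    """Resolve the service name, then test the KeyServer TCP port."""
    result = {"name": name, "canonical": None, "addresses": [], "tcp": False}
    try:
        canonical, _aliases, addresses = socket.gethostbyname_ex(name)
    except OSError:
        return result  # DNS failure: report it instead of raising
    result["canonical"] = canonical  # differs from name when a CNAME is in use
    result["addresses"] = addresses
    result["tcp"] = any(tcp_reachable(addr, port) for addr in addresses)
    return result


def https_direct(host=PRS_HOST, port=443, timeout=5.0):
    """Open a certificate-verified TLS session straight to the host, ignoring
    proxy settings. Returns the issuer organization, or None on failure."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return issuer.get("organizationName", "unknown")
    except OSError:  # includes ssl.SSLError and certificate failures
        return None


if __name__ == "__main__":
    # keyserver.example.edu is a hypothetical name; pass your own CNAME.
    server = sys.argv[1] if len(sys.argv) > 1 else "keyserver.example.edu"
    print(check_server(server))
    print("PRS certificate issuer:", https_direct())
    # UDP 19283 cannot be confirmed by a connect test (no handshake);
    # verify the UDP rule in each firewall's own configuration.
```

A result of None from https_direct() on the server means the direct path to PRS is blocked or the certificate did not verify, which is the case the proxy exception above is meant to address.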

Server install and Config

More detailed steps are in the Installation and Configuration document, and we also have a Full Walkthrough, but the summary is:

Access the Web UI

Most daily operations can be done in the Web UI. Common configurations like AD integration for client mapping and admin authentication, audit and mail settings, client updates, usage tracking, and more are all available in the web. On a fresh install running in LabSight demo mode, the Web UI will pop up tasks that would be good to complete your deployment. These include:

Admin Install

Install the KeyConfigure admin application (Mac and Windows) to manage the KeyServer (ksp-admin-x64.exe). While most of the configuration and daily tasks can be done in the Web UI, a few things may still require the admin application. We recommend installing this on the host server for local troubleshooting and management (if not Linux) as well as on any administrative workstations for remote administration. If you have not used the web-based setup wizard, the default credentials for KeyServer are Administrator and Sassafras. You will be prompted to set a new password on first login with these credentials. You may also be prompted to set up other components if you skipped the wizard. Once clients are connected, audits have reported in, and the server has connected to PRS, you'll see the Automatic Policy Wizard. Note you can also manage Usage tracking easily in the Web UI. You may want to set up Admin Authentication to allow (for example) Active Directory or Azure users to authenticate to KeyServer and obtain privileged access.

Client install

Ensure you set your Computer ID Types using the setup wizard, and/or manually in the Web UI Settings or KeyConfigure before attaching any clients to the server. It is difficult to change the primary ID of a computer once it is assigned, so this is an important step. You can run the KeyAccess client installer manually on workstations, but it tends to be easier to use an Automated Deployment method. You can use GPO in AD for Windows clients, or systems like SCCM and JAMF for package management. You may also want to configure client authentication, for example to have computers automatically map to Divisions to match your Active Directory OU structure.

Manage Policies

With clients reporting audit data, when you open KeyConfigure our automatic policy wizard will launch and walk you through creating Observe Policies for the Products discovered in your environment. You do need to get some discovery data in the system before this pops up, and it will continue to trigger every time new Products are found. You can also manage these in the Software page of the Web UI, which will also alert you to new items needing attention.

From there you can choose to change some policies to Manage and set their license metrics. While the need to manage licenses has decreased over the years due to vendor-provided management, it can still be needed in some cases, or to add features like queueing for a license or setting group time period priority. You can also create Deny policies to prevent certain programs from being used.

Further Configuration

At this point you're all set up and ready to dive into more advanced configuration and considerations. Use the links in this article to read more about the many Configuration options and features in the Web UI to do things like:

See also our Tutorial Videos which cover everything from Getting Started to creating Map Floorplans.