Quick overview of the planning and execution steps for deploying a production KeyServer. This primarily targets Windows, but the text and links also cover Mac and Linux if desired.
Select KeyServer hardware and Operating System based on our guidelines:
Choose a computer that does not have other disk-intensive processes on it.
(You can skip this during an eval if you want to just use an IP address.)
DNS names make it friendly for users to find the service, and more flexible in the event of moving a server. Instead of a primary ANAME, we recommend you set up a CNAME record in DNS. This allows KeyServer to be moved in the future independently from any other services, and helps route traffic more easily.
As with any service, it is critical to ensure network traffic can pass through any host, client, and network firewalls. Make sure the server can be reached on port 19283 (TCP and UDP) from client and admin workstations. Our installer tries to set this up in the local (Windows) firewall, but if other firewalls are in place (e.g. when putting up a VM in Azure, or Checkpoint network firewalls) you also have to tell those devices to allow the traffic. For the Web UI, also allow 80 and/or 443 for HTTP/HTTPS, or whatever alternate ports you configure for the web service (see later steps).
Make sure the new server can make outbound HTTPS connections. Specifically, it must be able to reach https://prs.sassafras.com/ to download new Product Definitions and Software Icons from our PRS. HTTP generally isn't needed but is nice to allow as a fallback. The server will also need access to *.openstreetmap.org to fetch map tiles if you use geographic map pins.
If a proxy is generally used for outbound traffic from this computer, we recommend adding an exception so that it can contact prs.sassafras.com without going through the proxy. We have seen instances where a proxy changes packet headers in such a way that communication ultimately fails in subtle ways.
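A preflight check for the firewall, outbound HTTPS and proxy requirements above, as an added example (not a Sassafras tool or code from the original page). The host name `keyserver.example.edu` and the `-OnServer` switch are assumptions introduced here; run it with `-OnServer` on the KeyServer host and without it from a client or admin workstation.

```powershell
# Added example: network preflight for the requirements above (not a Sassafras tool).
# $KeyServer is a placeholder (assumption); use your CNAME, or the IP during an eval.
param([string]$KeyServer = 'keyserver.example.edu', [switch]$OnServer)

# True when a firewall LocalPort value ('443', '19280-19290') names $Port explicitly.
# 'Any' is deliberately not counted: it usually belongs to a program-scoped rule.
function Test-PortSpec([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

if ($OnServer) {
    # Local Windows firewall: enabled inbound Allow rules that name 19283, per protocol.
    foreach ($proto in 'TCP', 'UDP') {
        $rules = Get-NetFirewallPortFilter -Protocol $proto |
            Where-Object { Test-PortSpec $_.LocalPort 19283 } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
                           $_.Action -eq 'Allow' }
        $names = $rules.DisplayName -join '; '
        if (-not $names) { $names = '(none found)' }
        '19283/{0} inbound allow rules: {1}' -f $proto, $names
    }
    # Outbound HTTPS to PRS, and whether the system proxy would sit in the path.
    $prs = [uri]'https://prs.sassafras.com/'
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    'PRS bypasses system proxy: {0}' -f $proxy.IsBypassed($prs)
    try {
        $r = Invoke-WebRequest -Uri $prs -UseBasicParsing -TimeoutSec 15
        'PRS over HTTPS: HTTP {0}' -f $r.StatusCode
    } catch { 'PRS over HTTPS failed: {0}' -f $_.Exception.Message }
} else {
    # From a client or admin workstation. Test-NetConnection only tests TCP, so
    # 19283/UDP still has to be confirmed in the firewall rules along the path.
    # Replace 80 and 443 with your alternate web ports if you configured any.
    foreach ($port in 19283, 80, 443) {
        $t = Test-NetConnection -ComputerName $KeyServer -Port $port -WarningAction SilentlyContinue
        '{0}:{1}/TCP reachable: {2}' -f $KeyServer, $port, $t.TcpTestSucceeded
    }
}
```

An empty rule list on the server does not prove the port is blocked, since a program-scoped rule can also allow the traffic; the client-side TCP test is the confirmation.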
A more detailed walkthrough is in the Installation and Configuration document, but the summary is:
As of 7.7, most daily operations can be done in the Web UI. Common configurations like AD integration for client mapping and admin authentication, audit and mail settings, client updates, usage tracking, and more are all available in the Web UI. On a new install, the default LabSight license will pop up tasks that would be good to complete next. These include:
Install the KeyConfigure admin application to manage the KeyServer (ksp-admin-x64.exe). While much of the configuration in 7.7 can be done in the Web UI, some things will require the admin application. We recommend installing this on the server as well as on any administrative workstations. This way, if there is a network issue, you can manage the KeyServer on the server itself for troubleshooting. The application is available for Mac and Windows. When you launch it the first time, if you have not used the web-based setup wizard, the default credentials for the server are Administrator and Sassafras, and you will be prompted to set a new password. You may also be prompted to set up other components if you skipped the wizard. On later launches, once clients are connected and Products have been discovered, you'll see the Automatic Policy Wizard. Note that you can also manage Usage tracking easily in the Web UI. You may want to set up Admin Authentication to allow, for example, Active Directory users to authenticate to KeyServer.
Ensure you set your Computer ID Types in the setup wizard, or manually in KeyConfigure, before attaching any clients to the server. You can run the KeyAccess client installer manually (it is on our Downloads page, both standalone and in the Archive), but it tends to be easier to use an Automated Deployment method. You can use GPO in AD for Windows clients, or systems like SCCM and JAMF for package management. You may also want to configure client authentication, for example to have computers automatically map to Divisions to match your Active Directory OU structure.
With clients reporting audit data, when you open KeyConfigure our automatic policy wizard will launch and walk you through creating Observe Policies for the Products discovered in your environment. You do need to get some discovery data in the system before this pops up, and it will continue to trigger every time new Products are found. You can also manage these in the Software page of the Web UI, which will also alert you to new items needing attention.
From there you can choose to change some policies to Manage and set their license metrics. While the need to manage licenses has decreased over the years due to vendor-provided management, it can still be needed in some cases, or can help to augment vendor management with features like queueing for a license or setting group time period priority. You can also create Deny policies if needed to prevent certain programs from being used.
At this point you're all set up and ready to dive into more advanced configuration and considerations. Use the links in this article to read more about the many Configuration options and features in the Web UI to do things like:
See also our Short Burst Training Videos which cover everything from Getting Started to creating Map Floorplans.