SoftActivity

SoftActivity™ TS Monitor 5 – Installation Guide for Administrators

Contents

  1. Supported Operating Systems
  2. Components
  3. Monitoring one terminal server
  4. Monitoring terminal servers farm
  5. Webapp Administration
    1. Change administrator password
    2. Create a new manager/supervisor account in the web console
    3. Enabling HTTPS for the web console
    4. Set data retention policy
  6. Allowing connection to PostgreSQL server from remote computers
  7. Troubleshooting
  8. Resetting password in PostgreSQL database server

Supported Operating Systems

SoftActivity TS Monitor for recording users: Windows Server 2016, 2012, 2008, 2003 SP1. 32- or 64-bit version. Citrix XenApp is supported. Domain joined and workgroup servers are supported.

SoftActivity Webapp Server: Windows Server 2016, 2012, 2008. 64-bit only

PostgreSQL Server. Version included in SoftActivity installer: Windows Server 2008 or newer, 32- or 64-bit. Downloaded from https://www.postgresql.org/: BSD, Linux, Windows, Solaris, Mac OS X

Components

The architecture of the SoftActivity TS Monitor system consists of the components listed below. Each of them can be installed on premise, either on one server machine or on separate servers for the best performance. This allows monitoring users in a range of possible deployments, from just one terminal server to a large server farm.

  1. TS Monitor client – recording users’ activity in server sessions. Install on all Terminal servers or Citrix XenApp servers where user sessions are running. Client sends recorded logs to a PostgreSQL database and sends screenshots as jpg files to a central folder on a file server (or on the local terminal server, in the simplest case with just one server). TS Monitor includes a configuration program for administrators to modify all recording settings and select users for monitoring. Supports Windows Server 2016, 2012, 2008, or 2003. TS Monitor requires a license for each server;
  2. SoftActivity Webapp Server – web console for viewing logs and screenshots by administrators and managers. It runs a web server that accepts connections from web browsers on port 8081 by default. Can be installed on Windows or Linux. Install either on a dedicated application server, or a machine shared with the PostgreSQL database server, or in the simplest case, on the terminal server. The Webapp Server does not require purchasing an extra license and is included with the SoftActivity TS Monitor license for free;
  3. PostgreSQL Server (https://www.postgresql.org/) – free, high performance and scalable database server. Used for storing logs recorded by TS Monitor on terminal servers. PostgreSQL can be installed on Windows or Linux, either on a dedicated server machine, a cluster of servers, or sharing a machine with any of the above components. Can be installed on Windows Server by SoftActivity installer, which will also create a default database. Optionally you can download PostgreSQL from its official website and install it separately. Currently SoftActivity supports PostgreSQL versions 9.5+;

To update this product, please download and run the installer of the latest version. It will update installed components to the latest version.

To add or remove components on your server, uninstall SoftActivity TS Monitor package completely, then run the installation again and select required components. Adding/removing of individual components on a server is not currently supported.

Monitoring one terminal server

The easiest case of installation is with just one terminal server that needs to be monitored. In this case, all components of SoftActivity TS Monitor can be installed on the same server:

  1. Run SoftActivity TS Monitor installer, and select Full Installation (with all components selected);
  2. You can leave all options in the installer at their default values;
  3. Click SoftActivity Webapp icon on the Desktop to view recorded logs in browser. To view logs remotely from your PC, open your browser and enter address: http://SERVER-NAME:8081
  4. Click SoftActivity TS Monitor icon on the Desktop (or press Win+R and type: opentsm) to change settings: select users to monitor, types of events to record, port number for the webapp server, etc.

Monitoring terminal servers farm

In the case of a terminal server farm, the user sessions that we want to monitor can be running on any server in the farm. Logs and screenshots from all servers will be combined and kept in the Central Storage on premise, from where an administrator (and managers) can view them all together in a web browser. The TS Monitor component should be installed on each terminal server in the farm to record activity and send it to the Central Storage. The Webapp and PostgreSQL components should be installed just once on an application server. Follow these steps:

  1. Select a machine to function as an Application Server (DOMAIN\APPSERVER, in this example). It can be either one of the terminal servers in a farm or, preferably, a separate machine with Windows Server 2016, 2012, or 2008 64-bit.
    NOTE: Optionally, PostgreSQL can be installed on Unix-style operating systems with an installation package downloaded from https://www.postgresql.org/. In this case, do not install it with SoftActivity installer in the next step. Or you can re-use your existing instance of PostgreSQL for SoftActivity database. Just make sure that the version is supported by SoftActivity and create a new database.
    NOTE: SoftActivity Webapp Server can be manually installed and configured on a Linux machine from a download package provided by SoftActivity on request. Currently TS Monitor installer will only install the webapp on Windows Server.
  2. Login as a user with Administrator rights onto DOMAIN\APPSERVER machine and run SoftActivity installer, select Application Server from the drop down, so that only Webapp Server and PostgreSQL components are selected (in case of a dedicated server; select Full Installation in case it’s shared with one of the servers in a farm). Click Next.
  3. Enter and remember a new password for PostgreSQL server. Enter the data folder path on a local drive (or leave the default directory on the system drive), where PostgreSQL database files and, separately, screenshots will be stored. Selected drive must have enough empty space for storage. At least 1 GB per monitored user is recommended.  Selected directory must either be empty, or not existing (in which case it will be created during installation).
  4. Wait until the installation finishes. Open SoftActivity Webapp Configuration from the Desktop shortcut, Start menu or press Win+R and type: opentsm.
  5. Switch to Webapp tab and verify that Webapp server Status reads: OK – Running; click Open next to the webapp URL to check the web server’s availability in browser. Note that no data will be shown in the Webapp until we point TS Monitor on at least one terminal server to this database and screenshots folder.
  6. Allow connections to PostgreSQL server from other servers in a farm, as described below under “Allowing connection to PostgreSQL server from remote computers”.
  7. Create a network share from the Central Screenshots Folder on this application server. Follow these steps:
    Copy the Central Storage Folder path from the Database tab and open the folder’s Properties in Windows.

    Setup NTFS permissions for the shared folder as follows:

    • Add DOMAIN\TSERVER1$ and DOMAIN\TSERVER2$ (terminal servers in our example farm) and assign Modify permissions for them, so that SalogSrvTsm service (part of TS Monitor component) running on those machines, can save screenshots into this folder;
    • Make sure SawebSrv service (“NT Service\SawebSrv” user account) has read/write access to this folder (it should by default);
    • Make sure other non-admin users have NO access rights to this folder;
    • For this tutorial, we will share this folder with the name tsm$, so that the share is invisible to casual browsers. Allow Full Control of the share to Everyone. Verify that the share is accessible from the network: \\APPSERVER\tsm$
  8. Now that the Application server setup is done, we need to install TS Monitor on the terminal servers and point them to this Central Storage Folder and Postgres Database. Follow the instructions in the next step.
  9. Install TS Monitor component on the 1st terminal server in a farm, i.e. DOMAIN\TSERVER1 in this example. You must be logged in as a user with Administrator rights in order to run the installation. Assign a new password for TS Monitor, which will be required to open TS Monitor configuration later. Users may be working on the terminal server in other sessions. This installation will not interrupt them or notify them about the presence of the monitoring software, and should not require rebooting the server. From the moment the installation finishes, TS Monitor will start recording all sessions in a local cache.
  10. Click SoftActivity TS Monitor icon on the Desktop (or press Win+R and type: opentsm) to open SoftActivity TS Monitor Configuration, where you can change settings: select users to monitor, types of events to record, etc.
  11. Now we have to point this TS Monitor to the Central Database and the Central Screenshots folder (on DOMAIN\APPSERVER in this example) created in the previous steps. Enter PostgreSQL database host name (APPSERVER or its FQDN, such as APPSERVER.domain.company.com), connection credentials previously assigned on APPSERVER, and the database name. Default database user name is softactivity, the password is what you specified during the installation on APPSERVER. Click Check Connection button.
    Enter the network share’s path \\APPSERVER\tsm$ and click Check Access button. If you get any access errors, check the folder’s NTFS permissions and shared folder status. Click Apply to save the settings.
  12. Login to the web console in browser and verify that data from TSERVER1 has appeared in the webapp. You should see the server and user names in the right-side panel. New logs from each server will be updated in the webapp approx. every 2 minutes. Click Refresh to see new logs.
  13. Repeat step 11 on the other terminal servers in the farm, i.e. TSERVER2 in this example, and point them to the same Central Database and Central Screenshots shared folder.

Webapp Administration

Default administrator account in the SoftActivity web console is created during installation:

User Name: sadmin
Password: changeme

It is highly recommended for the administrator to change their password immediately after installation.

To change administrator password:

  • open the webapp in browser at http://localhost:8081, by default (or click Open link on Webapp tab in TS Monitor Config);
  • login with the above default credentials;
  • click sadmin menu in the top right corner, click Edit Account
  • click Password tab, and enter the new password, click Save changes

Create a new manager/supervisor account in the web console:

  • Manager account is a limited account used for viewing logs and reports. Managers cannot modify any application settings.
  • To create a new limited account, login as an administrator with the above default sadmin account;
  • Click your user name in the top right corner, and click Admin Panel
  • Click Create an Account button;
  • Enter a new user name to assign to this manager’s account and their personal information below;
  • Select Security Role: Manager/Supervisor
  • Make sure that “Active” checkmark is ON
  • Enter or generate a new one-time password for the account, at least 8 characters long;
  • Supply the webapp URL and user name, along with the temporary password, to the manager;
  • When the manager logs in, they will be prompted to change their one-time password to a permanent one of their choice and remember it;

Enabling HTTPS for the web console

It’s recommended to access the web console via secure HTTPS protocol, even inside the company’s network. SoftActivity web console supports HTTPS connection. Follow these steps:

  • Prepare an SSL certificate. You will need .pem files for the certificate and the private key. SHA-256 is recommended. You can either create a self-signed certificate using the openssl command line, or get one from a certificate provider. This is out of scope of this guide.
  • Open Webapp server Configuration on SoftActivity Application server machine:
  • Select protocol HTTPS://
  • Port number can be changed to 443 (default for HTTPS) or any other number, such as 8081, for example
  • Select .pem files for the certificate and private key.
  • Click Apply, click Open next to the webapp URL to check it in browser.
  • For troubleshooting, click the Event Log link on the About tab in the configuration

Set data retention policy

By default, recorded logs will be retained indefinitely on the server. It’s only limited by the hard drive space available on the server. Administrator can set a retention interval for logs and screenshots. To do that:

  • Log in to the web console as a user with Administrator rights
  • Click your user name in the top right corner, click Admin Panel
  • Switch to Application Settings tab
  • Under Auto-Cleanup of old data, select a retention interval in days or months
  • Click Save
  • The system will perform a clean up of old data once per day

Allowing connection to PostgreSQL server from remote computers

By default, for the best security, PostgreSQL server allows connections only from the local computer. To allow connections by TS Monitors and/or the Webapp from other computers on your network you need to follow these steps:

  • On the application server machine or database server machine where PostgreSQL server has been installed:
  • go to the PostgreSQL data directory (by default, if installed by the SoftActivity installer, C:\ProgramData\Salog\data\pgdata); or switch to About tab in SoftActivity Webapp Configuration utility and click “PostgreSQL config files…” link to open the folder
  • open pg_hba.conf in Notepad
  • add a new line at the end of this format:

host       postgres              softactivity         192.168.1.1/24                md5

, where:

postgres – database name used for SoftActivity; or all to allow access to all databases on this server;

softactivity – PostgreSQL user name with write access to the above database;

192.168.1.1/24 – IP mask of remote addresses allowed to connect to this database; IP mask should match other SoftActivity servers on the network;

md5 – authentication method;
or you can add multiple lines for each terminal server with its IP;

  • for more details about the pg_hba.conf file format, see the PostgreSQL documentation
  • open postgresql.conf in Notepad
  • find the line with listen_addresses. By default, for security reasons, it is set to localhost which allows connections only from the local computer. Enter:
    listen_addresses = '*'
    to accept connections on all network interfaces, or '0.0.0.0' for all local IPv4 addresses, or '::' for all IPv6 interfaces, or the actual IP address of a local network interface connected to the LAN. If needed, uncomment the line by removing the leading #
  • open a port in Windows Firewall for PostgreSQL server. Port number is selected during installation, by default 5432. To find out the port open postgresql.conf in Notepad and look for “port = “ line.
    • open Firewall with Advanced Security in Windows;
    • click new Rule; Type: Custom; Select program: postgres.exe located in C:\Program Data\SoftActivity TS Monitor\postgres\bin, by default
    • select Protocol type: TCP; Port number: <enter PostgreSQL port number (default 5432)>; Remote port: all;
    • select Action: Allow. Optionally, enter a range of IP address that can access the port. Leave other settings default.
  • restart SapgSrv service (if PostgreSQL was installed by SoftActivity installer), or “postgresql-x.x” service for standalone installation to apply new settings. To verify the firewall rule, open Resource Monitor in Windows Server – switch to Network tab, click Listening Ports at the bottom, find postgres.exe line with the port number and make sure that the Firewall Status column reads: Allowed

To check connection to the server, open SoftActivity TS Monitor on another server, go to Database tab, enter Postgres host name, port number and connection credentials, and click Test Connection button.

Troubleshooting

  1. Check in Task Manager – Service tab if the services listed below are running. Ensure they are set to Startup type: Automatic. Try restarting the services.
    1. On the terminal servers with TS Monitor client:
      TsmSvc – recording user activity to a local cache;
      SalogSrvTsm – data uploader from local cache to the central storage;
    2. On the Application server with the webapp:
      SawebSrv – webapp server, running the web server process and serving browser connections;
      SapgSrv – PostgreSQL database server installed with SoftActivity installer;
  2. View the Windows Event Log with the source: SalogSrvTsm, TsmSvc, SawebSrv, Postgres. Quickly access Event Viewer from a link on the About tab in TS Monitor. Fix issues that might be causing the errors shown in the event log and restart the service.
  3. Open TS Monitor – Database tab and click the Check Connection and Check Access buttons. In case of any access errors, resolve those access issues.
  4. Problem: Webapp not available in browser, unable to start SawebSrv service, status: Stopped on Webapp tab; in Event Log: “error loading python35.dll” or “webapp process exited with code -1”
    Fix: install the latest Windows updates on the server. In addition, download and install this Windows update manually: http://support.microsoft.com?kbid=2999226
  5. Problem: cannot start one of the SoftActivity services: SawebSrv, SalogSrv, SalogSrvTsm, SapgSrv
    Error message in Event Log: could not login with specified service account
    Solution: Open Local Group Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment. Open “Log on as a service” policy and make sure it includes NT SERVICE\ALL SERVICES group. Note that this policy might be overwritten by the GPO from the domain controller when it propagates. In this case, you will need to add NT SERVICE\ALL SERVICES to the domain’s policy and propagate it to the computer by running: gpupdate /force.
    Try starting the problem service again and see if it is able to log in.
  6. Problem: What is my PostgreSQL database password?
    Solution: In case PostgreSQL was installed with SoftActivity installer (which is the default), PostgreSQL superuser password is the same as you’ve assigned for TS Monitor during installation.
  7. For further help, Contact SoftActivity Support and provide the error messages found in your server’s event log;

Resetting password in PostgreSQL database server

If the Check Connection button on the Database tab in TS Monitor Configuration shows an authentication error and you cannot recall your password for the PostgreSQL database, try entering user name: softactivity and the same password as you used when installing SoftActivity TS Monitor. If you need to reset the password, follow the steps outlined below to reset the softactivity user’s password in your Postgres server:

  1. Login to the server where PostgreSQL server is installed.
  2. Open TS Monitor configuration from the Desktop shortcut, switch to About tab and click PostgreSQL config files link (or navigate to C:\ProgramData\Salog\data\pgdata folder)
  3. Create a backup copy of pg_hba.conf file
  4. Open pg_hba.conf file in Notepad and add these lines:
    #Allow all connection from a local machine without authentication
    #::1/128 matches only the IPv6 loopback address
    #!!!REMOVE THE NEXT LINE LATER!!!
    host all             all             ::1/128               trust
  5. Save the file and restart SapgSrv service in Windows
  6. Run from command line to connect to Postgres:
    "C:\Program Files (x86)\SoftActivity TS Monitor\postgres\psql.exe" -U softactivity -d postgres
  7. Copy the following command into the console, replace MyNewPassword with a unique and secure password you want to set, press Enter to execute:
    ALTER USER softactivity WITH PASSWORD 'MyNewPassword';
  8. Remove the added line from pg_hba.conf, save the file and restart SapgSrv service
  9. Open TS Monitor Configuration – Database tab, enter your new password MyNewPassword and click Check Connection button
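
Both pg_hba.conf edits in this guide (the remote-access rule and the temporary trust rule used for the password reset) are worth re-checking once the work is done. The Python script below is an added example, not part of SoftActivity's documentation or software; the function name audit_pg_hba, the 256-address threshold and the sample file contents are assumptions constructed for illustration, and rules are assumed to use the CIDR form shown in this guide.

```python
import ipaddress

# Constructed sample (not a real server's file): the remote-access rule from
# this guide, then a reset-style trust rule with a /0 and with a /128 prefix.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER          ADDRESS          METHOD
host    all       all           127.0.0.1/32     md5
host    postgres  softactivity  192.168.1.1/24   md5
host    all       all           ::1/0            trust
host    all       all           ::1/128          trust
"""


def audit_pg_hba(text, max_addresses=256):
    """Return [(line_no, address, method, [findings])] for risky host rules.

    Assumes rules use the CIDR form shown in this guide:
    host  DATABASE  USER  ADDRESS/PREFIX  METHOD
    """
    report = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comment, blank line, or a non-TCP ("local") rule
        address, method = fields[3], fields[4]
        findings = []
        try:
            # strict=False accepts host bits in the address, e.g. 192.168.1.1/24
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            report.append((line_no, address, method,
                           ["address is not in CIDR form, review by hand"]))
            continue
        if net.prefixlen == 0:
            findings.append("prefix /0 matches every address of this family")
        elif net.num_addresses > max_addresses:
            findings.append("range covers %d addresses" % net.num_addresses)
        if method == "trust":
            if net.is_loopback:
                findings.append("trust on loopback: remove after the reset")
            else:
                findings.append("trust beyond loopback: no password required")
        if findings:
            report.append((line_no, address, method, findings))
    return report


if __name__ == "__main__":
    for line_no, address, method, findings in audit_pg_hba(SAMPLE_PG_HBA):
        print("line %d: %s %s" % (line_no, address, method))
        for finding in findings:
            print("    - " + finding)
```

Run it against a copy of pg_hba.conf after step 8 of the reset procedure; an empty report means no trust rule or over-broad range remains among the CIDR-form host rules.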