Proofpoint | ObserveIT On-Premises Insider Threat Management

Installing ObserveIT Application Server

The ObserveIT Application Server is the data ingestion component. It receives and processes the raw data received from the ObserveIT Agents.

Depending on the sizing and architecture of the product deployment, you must install one or more ObserveIT Application Server(s).

This Application server is installed after you install the database and file server.

This topic describes how to install and verify the ObserveIT Application Server component on the first server. If you have multiple Application Servers, you need to repeat this procedure for each machine.

Do not attempt to install ObserveIT server-side components over the network. Always use a local copy of the installation files.

Installing the Application Server with PowerShell

You can use the following PowerShell commands to install the ObserveIT Application Server. (This is the recommended procedure.) 

Optionally, you can use the Application Server manually, see Installing ObserveIT Application Server.

Prerequisites:

  1. Connect (with RDP) to the server that will host the ObserveIT Application Server as the Active Directory Service Account.

  2. Download the ObserveIT installer into c:\temp and extract the contents. (See Downloading the Latest Version.)

    (Assume the installer files are extracted to c:\temp\ObserveIT_Setup_vx.xx.y.yy path, where x.xx the major ObserveIT version, and y.yy is the minor version and build.)

  3. Run PowerShell as Administrator.

  4. From the table below, copy the rows from Command column, replacing the values as applicable. The Values to Replace column indicates which values you will need to replace.

    Paste the commands into the PowerShell window.

    Command Values to Replace
    $observeitInstallerPath = "c:\temp\ObserveIT_Setup_vx.xx.y.yy" Replace the generalized path with the correct path for your ObserveIT installer. For example: C:\temp\ObserveIT_Setup_v7.11.0.25
    $SQLServer = '<# FQDN of the SQL Server #>' Replace the commented section with FQDN of your SQL Server
    $DNSForestName = "<# enter your DNS domain name here #>" Replace the commented section with the DNS domain name of your Active Directory. For example: domain.local.
    $Creds = Get-Credential  
    $WebSiteName = 'ObserveITApplicationServer'  
    $WebSitePort = "443"  
    $WebSiteProtocol = "https"  
    $ComputerName = (Get-WmiObject -Class Win32_ComputerSystem).PSComputerName  
    $MachineFQDN = $ComputerName + '.' + $DNSForestName  
    $ApplicationPool = "IIS:\AppPools\$WebSiteName"  
    $WebSiteBinding = ":" + $WebSitePort + ":"  
    $OutputDestination = 'C:\temp'  

  5. When PowerShell prompts, Enter your Active Directory Service Account credentials here, enter the username in the format DOMAIN\account.

  6. Install the required Windows features:

    Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Stat-Compression, Web-Security, Web-Filtering, Web-App-Dev, Web-Net-Ext45, Web-Asp, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Compat, Web-Mgmt-Console, NET-WCF-Services45, NET-WCF-HTTP-Activation45 -IncludeManagementTools

  7. Create the directory and Microsoft IIS folder structures:

    New-Item -Name ObserveIT -Path "C:\Program Files" -ItemType Directory
New-Item -Name Web -Path "C:\Program Files\ObserveIT" -ItemType Directory
Import-Module WebAdministration
New-Item $ApplicationPool -Force
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 
'C:\Program Files\ObserveIT\Web\' `
-Bindings @{protocol = $WebSiteProtocol; bindingInformation = 
$WebSiteBinding } -Force
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -Value 
$WebSiteName -Force
Get-Item 'IIS:\Sites\Default Web Site\' | Remove-Item -Recurse
Get-Item 'IIS:\AppPools\DefaultAppPool\' | Remove-Item -Recurse

  8. Require SSL for connections to the ObserveIT Application Server websites:

    Import-Module WebAdministration
$ConfigSection = Get-IISConfigSection -SectionPath 
"system.webServer/security/access" -Location "$WebSiteName"
Set-IISConfigAttributeValue -AttributeName sslFlags -AttributeValue 
Ssl -ConfigElement $ConfigSection
Get-IISConfigAttributeValue -ConfigElement $ConfigSection 
-AttributeName sslFlags

  9. Disable IIS logging:

    Set-ItemProperty -Path "IIS:\Sites\$WebSiteName" -Name Logfile.enabled -Value $false

  10. Configure the best-practice IIS Application Pool recycling settings:

    Import-Module WebAdministration
$AppPoolPath = "IIS:\AppPools\$ApplicationPool"
# Set the Application Pool to recycle every 8 hours
Set-ItemProperty $AppPoolPath -Name Recycling.periodicRestart.time -
Value 0.08:00:00
Clear-ItemProperty $AppPoolPath -Name 
Recycling.periodicRestart.schedule
$RestartAt = @('12:00', '20:00', '07:00')
# Set recycling to occur at 12pm, 8pm, and 7am, when there's less load on the system
New-ItemProperty -Path $AppPoolPath -Name 
Recycling.periodicRestart.schedule -Value $RestartAt

  11. Assign the provisioned TLS certificate to the ObserveIT Application Server website. (The TLS certificate was provisioned in Back-end Components Prerequisites.)

  12. Right-click the Start Menu and click Run.

  13. Type inetmgr and click OK.

  14. In the Microsoft Internet Information Services management console, select and expand your server and then expand Sites.

  15. Right-click the ObserveITApplicationServer website and click Bindings.

  16. Select the row starting with https in the Site Bindings window and click Edit.

  17. From the SSL certificate drop-down, at the bottom of the window, select your provisioned TLS certificate.

  18. Click OK to apply the settings.

  19. Click Close in the Site Bindings window.

  20. Install ObserveIT Application Server prerequisites:

    $NodeJSInstaller = $observeitInstallerPath + '\Web\PreRequisite_nodeServices.exe' $ComponentInstallArguments = "wconly=1", "sqlcli=1", "/install", "/quiet", "/norestart" ,"/log PreRequisite_nodeServices.log" Start-Process $NodeJSInstaller -ArgumentList $ComponentInstallArguments -Wait

  21. Assign Logon as Service Rights to the Active Directory Service Account::

    function Set-LogonRight ($accountToAdd) {
    if ( [string]::IsNullOrEmpty($accountToAdd) ) {
        Write-Output "no account specified"
        exit
}
    $sidstr = $null
try {
        $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
        $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
        $sidstr = $sid.Value.ToString()
} catch {
        $sidstr = $null
}
    Write-Output "Account: $($accountToAdd)"
    if ( [string]::IsNullOrEmpty($sidstr) ) {
        Write-Output "Account not found!"
        exit -1
}
    Write-Output "Account SID: $($sidstr)"
    $tmp = [System.IO.Path]::GetTempFileName()
    Write-Output "Export current Local Security Policy"
    secedit.exe /export /cfg "$($tmp)" 
    $c = Get-Content -Path $tmp 
    $currentSetting = ""
    foreach ($s in $c) {
        if ( $s -like "SeServiceLogonRight*") {
            $x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
            $currentSetting = $x[1].Trim()
    }
}
    if ( $currentSetting -notlike "*$($sidstr)*" ) {
        Write-Output "Modify Setting ""Logon as a Service"""
        if ( [string]::IsNullOrEmpty($currentSetting) ) {
            $currentSetting = "*$($sidstr)"
    } else {
            $currentSetting = "*$($sidstr),$($currentSetting)"
    }
        Write-Output "$currentSetting"
$outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@
        $tmp2 = [System.IO.Path]::GetTempFileName()
        Write-Output "Import new settings to Local Security Policy"
        $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
        Push-Location (Split-Path $tmp2)
    try {
            secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
    } finally { 
            Pop-Location
    }
} else {
        Write-Output "NO ACTIONS REQUIRED! Account already in ""Logon as a Service"""
}
    Write-Output "Done."
}

Set-LogonRight "$($Creds.GetNetworkCredential().UserName)"

  22. Install the ObserveIT Application Server:

    $ComponentInstallArguments = "/i", ($observeitInstallerPath + '\Web\AppServer\ObserveIT.WebConsoleSetup.msi'), "/qb", "/norestart", "DATABASE_SERVER=$SQLServer", "TARGETAPPPOOL=$WebSiteName", "TARGETSITE=$WebSiteName", "DATABASE_LOGON_TYPE=WindowsAccount", "SERVICE_USERNAME=$($Creds.GetNetworkCredential().Domain + '\' + $Creds.GetNetworkCredential().UserName)", "SERVICE_PASSWORD=$($Creds.GetNetworkCredential().Password)","/leo", ".\WebConsoleMSI.log"

    Start-Process msiexec.exe -ArgumentList $ComponentInstallArguments -Wait -NoNewWindow

  23. Validate the ObserveIT Application Server is installed correctly:

    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
iisreset /start
Import-Module WebAdministration
Get-IISSite $WebSiteName | Start-IISSite
$CurrentURL = $WebSiteProtocol + '://localhost:' + $WebSitePort + '/ObserveitApplicationServer/v2/apis/health/_health'
Invoke-WebRequest $CurrentURL -UseBasicParsing

    If successful, the PowerShell prompt returns several values. One of the top values will be the code 200.

Related Topic:

Custom Installation Steps

version 7.12.2

Copyright © 2021 ObserveIT a division of Proofpoint