The InsolDataSync Service will be installed by Insolvency Support agents remotely on your Test and Production systems.
The prerequisites are listed as follows:
- Make sure you're running the latest version of software
An Insol2 database updated to the latest version (current install)
- Set up an "InsolDataSync" user account
An AD User with Service Accounts is required on your server for the InsolDataSync services to run. We recommend that you name this AD user account "InsolDataSync".
The service account will need access to the SMTP, SQL and Azure (HTTPS 443) ports, access to the insolvency client document folders, full access to write log files in the installation folder (c:\Program Files (x86)\MYOB\InsolDataSync\), permission to write to the Application Event Log, and the "Log on as a service" privilege.
If m365/o365/SMTP access is required then SMTP Admins will be required to
- The 'From' account name and password are set in the Insol6 desktop.
- The 'From' address is in the Insol Database as: Select SMTPUser = Setting FROM dbo.ApplicationSetting WHERE SettingID = 95002;
- The 'From' account is NOT used as the 'From' property in emails, the 'Sender' value is used for that - see below. The 'From' account is used to authenticate with a password, to the SMTP endpoint, unless 'no auth' is chosen from the Insol6 authentication drop down.
- The 'From' account needs a mailbox
- Server needs firewall access to the m365 server
- 'From' user needs to be unlocked
- The 'From' user needs to be set up with 'Sending As'
- The mailbox needs higher 'Sending Limits' for the Sender user
- The InsolDataSync host server needs to have the correct signed certificates installed that will validate on the m365 server
- Enable SMTP Auth on the M365 mailbox that sends email: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission
- Make sure TLS 1.2 is the default secure protocol for WinHTTP: https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
- The SMTP 'Sender' of emails is stored in the DB: Select @EmailFrom = Setting FROM dbo.ApplicationSetting WHERE SettingID = 95005
- The 'From' account needs to be granted permission to send on behalf of the 'Sender'; it may be possible using the PowerShell script below (the first argument is the mailbox being sent as, -Trustee is the account receiving the permission):
Add-RecipientPermission "{Sender Display Name}" -AccessRights SendAs -Trustee "{Insol From Account}"
If there is a local SMTP relay instead of using EXO relay then you need to set permissions:
In AD:
$InsolUserList | ForEach-Object { Add-ADPermission $_ -User "<SERVICE ACCOUNT>" -ExtendedRights "Send As" }
In Exchange (double quotes are required so that $_ is expanded to each user name):
$InsolUserList | ForEach-Object { Add-RecipientPermission "$($_)@<DOMAIN>" -AccessRights SendAs -Trustee "<SERVICE ACCOUNT>@<DOMAIN>" }
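The TLS 1.2 and firewall prerequisites listed above can be checked on the InsolDataSync host before installation. This is an added example, not the vendor's pre-install script; the server names and ports in $Endpoints are placeholders and assumptions (587 for SMTP submission, 1433 for SQL Server), so replace them with your own values.

```powershell
# Added example (not vendor code). Endpoint names and ports below are placeholders.
$Endpoints = @(
    @{ Name = 'SMTP submission'; Server = 'smtp.office365.com';   Port = 587  },  # assumption: M365 SMTP AUTH
    @{ Name = 'SQL Server';      Server = '<SQL SERVER>';         Port = 1433 },  # assumption: default instance port
    @{ Name = 'Azure (HTTPS)';   Server = '<PORTAL HOST>';        Port = 443  }   # placeholder: host supplied by Support
)

function Test-WinHttpTls12 {
    # DefaultSecureProtocols is a bit mask; 0x800 is the TLS 1.2 bit.
    # Both the 64-bit and 32-bit (Wow6432Node) views are read.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Key   = $key
            Value = if ($null -ne $value) { '0x{0:X}' -f $value } else { '(not set)' }
            # $null means the value is absent and the operating system default applies.
            Tls12 = if ($null -ne $value) { [bool]($value -band 0x800) } else { $null }
        }
    }
}

function Test-InsolEndpoints {
    param([hashtable[]]$Endpoints)
    foreach ($e in $Endpoints) {
        $result = Test-NetConnection -ComputerName $e.Server -Port $e.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check     = $e.Name
            Target    = "$($e.Server):$($e.Port)"
            Reachable = $result.TcpTestSucceeded
        }
    }
}

Test-WinHttpTls12 | Format-List
Test-InsolEndpoints -Endpoints $Endpoints | Format-Table -AutoSize
```

A successful TCP connection only shows that the firewall allows the port; certificate validation and SMTP authentication still have to be tested with the configured 'From' account.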
The InsolDataSync Windows Service will need to be installed on a Windows Server. This can be the SQL Database Server machine. Installation will download the latest Microsoft .NET Framework and requires internet access.
The InsolDataSync AD user performs actions and will require the appropriate permissions on any Portal enabled Job’s Documents folders.
Action:
Upload document from Job subfolder to Creditors Portal
Permission required:
Read: stream document to Creditors Portal from the File System.
Action:
Write Log message
Permission required: Create and Write log files to the c:\program files (x86)\Insol6\InsolDataSync\ subfolder
Permission required: Write log entries to the Application Event log called “Insol”.
Action:
Send Email
Permission:
Connect to the SMTP server as the user configured in Insol6 Application Settings "SMTPUser"
Send email from the From address configured in Insol6 Application Settings, with SMTP/m365 configured to have 'send as' permissions.
Please note that creating a new Insol6 Job using the desktop app for a Practice will create a new subfolder under the Practice’s root Insolvency File System folder, and if that Job were to be Portal enabled the InsolDataSync AD user would also require permissions on that root folder’s subfolders.
The features below may not apply to your Practice at the moment, but they should be considered now when designing the security profile:
Action:
Download document from Creditors Portal
Permission required:
Create folders: Under Job subfolder ‘Creditors’, create one folder per Creditor
Write: create a new document in the Creditors\{Creditor}\ subfolder
Action:
Upload to external Document Management System (extDMS)
Permission required:
Full: Create a subfolder, Move File, Delete File, Delete subfolder.
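The permission list above can be audited against the actual folder ACLs so the service account ends up with only the rights each feature needs. This is an added example, not vendor code; the account name and share path are placeholders, and it also rejects drive-letter paths because the service cannot resolve mapped drives.

```powershell
# Added example (not vendor code). $Account and $JobRoot are placeholders.
$Account = '<DOMAIN>\InsolDataSync'
$JobRoot = '\\<FILE SERVER>\<INSOLVENCY SHARE>'

function Get-InsolFolderAccess {
    param([string]$Path, [string]$Account)

    # The service needs UNC paths; a mapped drive letter is rejected up front.
    if ($Path -notmatch '^\\\\') { throw "Not a UNC path: $Path" }

    $rights = [System.Security.AccessControl.FileSystemRights]
    $mask   = 0
    # Combine the Allow ACEs granted directly to the account.
    # Limitation: rights granted through groups and Deny ACEs are not resolved.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Account) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }

    $read   = [int]$rights::Read
    $mkdir  = [int]$rights::CreateDirectories
    $write  = [int]$rights::Write
    $full   = [int]$rights::FullControl

    [pscustomobject]@{
        Path             = $Path
        CanRead          = ($mask -band $read)  -eq $read    # upload to Creditors Portal
        CanCreateFolders = ($mask -band $mkdir) -eq $mkdir   # download: one folder per Creditor
        CanWrite         = ($mask -band $write) -eq $write   # download: create documents
        FullControl      = ($mask -band $full)  -eq $full    # only listed for extDMS upload
    }
}

# Report job folders where upload would fail (no Read) or where the
# account holds Full control, which the page lists only for extDMS.
Get-ChildItem -LiteralPath $JobRoot -Directory |
    ForEach-Object { Get-InsolFolderAccess -Path $_.FullName -Account $Account } |
    Where-Object { -not $_.CanRead -or $_.FullControl } |
    Format-Table -AutoSize
```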
- Ensure your Document Folders use UNC addresses
The document folders will need to use UNC addresses, because a Windows service does not log on in a way that lets it resolve mapped drives.
The document template folders may be updated in the Application Settings accessible from the Main menu.
You will also need to be aware that jobs enabled on the portal will need to use UNC paths to upload documents.
Insolvency Support can provide SQL Scripts to update job paths. The following SQL results need to be emailed to Insolvency Support:
select DISTINCT Left(Setting,3) as DriveLetterApplicationSetting from ApplicationSetting where Setting like '%:\%';
select DISTINCT Left(Setting,3) as DriveLetterAdminSetting from AdminSetting where Setting like '%:\%';
select DISTINCT Left(Setting,3) as DriveLetterUserSetting from UserSetting where Setting like '%:\%';
select DISTINCT Left(DocumentFolder,3) as AdminDocumentFolder, p.PracticeName from Admin a inner join Practice p on a.PracticeID=p.PracticeID where DocumentFolder like '%:\%' and AdminID > 1000 AND NOT AdminTypeID in (1000) and DocumentFolder IS NOT NULL;
select DISTINCT Left(path,3) DocPath, a.ShortName from Document d inner join [Admin] a on d.AdminID=a.AdminID where d.Path is not null and a.AdminStatusID NOT IN (2,3,4) and Path like '%:\%';
When new jobs are created make sure they are created with UNC addresses and users can access the folders.
- InsolDataSync service requires 2 SQL users to transfer data between your database and the creditors' portal.
SQL Login names should be: insolStartUser and insolSubscribeUser. As part of the configuration we provide scripts to set up the users (a DBA can execute).
- Adding Your Practice
Your unique Practice Id is required to be posted on the Creditors' Portal database, please supply the results of this query:
SELECT UID, * from Admin WHERE AdminID = 1 and PracticeID = 1
- Make sure the version of SQL is adequate
We recommend you run SQL Server 2016 or later.
The minimum version is:
Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Express Edition with Advanced Services (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
- The service installation will be performed by a Support agent who will need to log on to the SQL Server machine with admin privileges to complete the installation.
Note RE: UNC paths: There is a "hack" to enable a service to read mapped drives but it is best avoided as subsequent changes would have to be managed by undoing any hacks. https://stackoverflow.com/questions/182750/map-a-network-drive-to-be-used-by-a-service
Detailed installation steps: Instructions-to-setup-the-creditors-portal-technical-guide.
- The server administrator will need to confirm network connectivity and a minimum .NET Framework version, by executing the PowerShell script from Insol6 source control: 000PreInstallDataSyncSvcCheck.ps1