Deploy Upgrade

We strongly recommend reading the Prepare Upgrade chapter first if you haven't done so already.

Trained Administrators only!

The following procedure is to be performed by Luware-trained system administrators only. When uncertain about certain steps, don't hesitate to contact us.

Upgrade Database

To upgrade the DB, perform the following steps:

Before you start

Before starting any Database operations, always create a full backup first!

Push Reporting Data (Stored Prodcedure)

This step is required to push existing reporting data out of the database, which could otherwise significantly slow down the update process. Use either one of the following methods:

Navigate to path: <YourDatabase>\programmability\storedprocedures\Reporting.usp_Dataloader and run "Execute Stored Procedure..." and confirm.

or
Run an SQL Query to execute the stored procedure to write the last reporting data into the reporting schema:
```
EXEC [Reporting].[usp_DataLoader]
```
CODE

Perform Update

Install and run the latest Luware Database Updater (DataBaseUpdater.exe).
Specify "Server Name" and "Database Name".
Use either "Integrated Security" or enter your SQL "User Name" and "Password".
Click on the "Check DB" button. → A check is performed to see if your database is compatible with this update.
What if this check fails? A smaller incremental update may be necessary first to convert the necessary data and introduce new tables and fields.
When upgrading from a much older version, please contact our support first.
Select the latest DB version in the "Update to version" drop-down.
Click the "Update" button.
→ After update is finished successfully, DB Updater will show a completion message.

Cleanup

Close the DB Updater.
Optional step (only if present / entries found): Remove [mgt].[usp_CleanupReporting_DboSchema] cleanup jobs
Execute data loader EXEC [Reporting].[usp_DataLoader] again (→ Step 2)

Install TM System Components

Now it is time to install all the necessary TM System Components.

During the Installation it will be necessary to specify the following values:

Instance Name ( If TM and LUCS products are installed on machine use different Instance Names)
Port Number (each component has its own)
Lync Server Version (for Luware-TM-CIC only)
Site Port Number (for Luware-TM-FE and Luware-TM-API only)

Make sure to have this information readily available.

The minimum required components are marked in bold:

Luware-TM-AC (Agent Controller)
Luware-TM-API (Application Programming Interface)
Luware-TM-AM (Agent Manager)
Luware-TM-CI (Calendar Integration)
Luware-TM-CIC (Customer Infrastructure Connector)
Luware-TM-CR (Conversation Recording)
Luware-TM-Configurator (System configuration definition)
Luware-TM-CWS (Configuration Web Service for TM)
Luware-TM-FE (Frontend of the Web Application)
Luware-TM-GalReader (Global Address List l Reader)
Luware-TM-ICH (Interactive Conversation Handler)
Luware-TM-PS(Persistence Service)
Luware-TM-SMD (SIP Message Dispatcher) – the SMD component is installed on the Lync server machine

By default, TM will be installed in the C:\Program Files\Luware AG folder. The installation path can be changed using ‘Browse’ button.
During AC, ICH, CR, SMD and CIC components installation, you need to specify Lync server version and select appropriate option. The ‘Skype for Business‘ option is selected by default.

Certificate Security

One of the requirements for building service-oriented system is to protect the transmitted data. To guarantee the safety of this data, Luware products provide the possibility to use certificate-based encryption and verification during the communication between a client and a server. The client identifies itself with this certificate. The service accesses the server to confirm the authenticity of the certificate - and in extension - the client.

Certificate Setup during Installation

The certificate security can be configured during installation of Luware components and services. There are two sets of settings that can be configured:

Server settings: The server settings specify which settings the service will use to validate other services when they try to reach this service.
Client settings: The client settings specify which settings the service will use while connecting to other services.

To configure certificate security select 'Configure Certificate Security' flag during installation:

Upon clicking 'Next' button with this flag enabled you will be presented an extra step to configure options:

Control Name	Required?	Description
Mode	No	None : No security is applied during the communication between a server and a client. Transport: Enables security of communication between a client and a service via network protocol. Guarantees confidentiality and integrity of messages at transport level, since transport security secures the entire communication channel.
Validation Mode	No	None: No validation is performed. ChainTrust: : In this mode WCF simply validates the certificate against the issuer of a certificate known as a root authority (the expiration time is checked, too). PeerTrust: In this mode WCF simply checks if the incoming certificate is installed in the Local machine - Personal folder in the certificate store (the expiration time is checked, too). PeerOrChainTrust: Mixed mode.
Is Dedicated	No	False: Encryption is done with default certificate. It means that certificate with the hostname of the machine from the Personal Store is used on the server side. True: Encryption is done with a dedicated certificate. It means there is a possibility to configure an identifier (thumbprint) of the certificate.
Thumbprint	No	A certificate thumbprint is a hexadecimal string that uniquely identifies a certificate. A thumbprint is calculated from the content of the certificate using a thumbprint algorithm. → This is to be generated via Microsoft Management Console. Read more about it on the "Retrieve Thumbprint of a Certificate" page from Microsoft. Important Notes When copied from the source the thumbprint is unicode encoded but you need it in plain ASCII → Notepad++ or any equivalent editor is a great help to convert it. Don't forget to set up permissions for the certificate private key so that the service account can access it.

Create thumbprint of Certificate

During installation of varous Luware components you can opt in to "Configure Certificate Security" options. On these dialogues the certificate thumbprints need to be provided.

Also read the official → Microsoft documentation on this topic.

To find the thumbprint of a certificate use the Microsoft Management Console (MMC) to get access to a certificate and then read its thumbprint in the properties.

Open the Start Menu , type mmc and press ENTER.
In the Console add a certificate snap-in:
1. On the File menu, click Add/Remove Snap In (or press Ctrl+N)
2. In the Add or remove Snap-ins dialog box, select Certificates.
3. Click Add.
  → the entry is moved to selected snap-ins.
4. In the Certificates snap-in dialog box, select "Computer account" and click "Next"
5. In the Select Computer dialog box select "Local Computer" and click Finish
6. In the Add or remove Snap-ins dialog box, click OK.
  → The window is closed
In the Console Root window, expand Certificates (Local Computer) > Personal > Certificates
1. In the central panel, double-click the certificate.
2. In the Certificate dialog box select the Details tab.
3. Select Thumbprint in the list and copy the thumbprint hexadecimal string
4. Encode the copied string in ANSI (use Notepad++) and remove first hidden characters.
  
  This string is to be used during installation of Luware components

Assign Conferencing Policy to Connector Script

Since TeamManager 3.2 every connector establishes its own conference (instead of only 1 trusted application performing this task). The following script creates new conferencing policies and must be run prior to starting the ICH Service (see chapter below).

Note: If you (re)used our "Register Trusted Applications script" during installation or upgrade, all configured endpoints conferencing will have their policies automatically refreshed and you can skip the steps below. If you need to just reapply policies on a certain endpoints, read on below.

Perform the following steps before restarting (your updated) ICH Service:

Replace "sip:lucs_agent_connector_00@SIPDomain.com" with your connector SIP address in the script below.
Add new lines according the amount of connectors used in your instance.
Run the Script via Powershell on your instance

Assign Conferencing Policy to Connector Script

Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_00@SIPDomain.com | select *
 
Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_00@SIPDomain.com | Grant-CsConferencingPolicy -PolicyName "Tag:LucsService"
Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_01@SIPDomain.com | Grant-CsConferencingPolicy -PolicyName "Tag:LucsService"
Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_02@SIPDomain.com | Grant-CsConferencingPolicy -PolicyName "Tag:LucsService"
Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_03@SIPDomain.com | Grant-CsConferencingPolicy -PolicyName "Tag:LucsService"
Get-CsTrustedApplicationEndpoint sip:lucs_agent_connector_04@SIPDomain.com | Grant-CsConferencingPolicy -PolicyName "Tag:LucsService"

POWERSHELL

ICH Installation Specifics

During the installation process, it is possible to manage the ‘Cleanup Conferences’ functionality, which is present since TM V2.5. This option is turned OFF by default.

On establishing a service endpoint , the “Cleanup Conferences“ option runs the process of setting expiration time for all old conferences that do not have expiration time set.

Switch the option ON only on one server to avoid conflicts on this functionality.

Cleanup Conferences - TM ICH Configuration Settings screen

Noteworthy points:

After running the ICH service with this option activated option new log file ‘ConferenceTerminationLog.txt’ appears in LUCS folder: C:\Program Files\Luware AG\TM – ICH\log
The log file contains information about the conferences with no expiration found and the updated expiration time.
It can take the system around 20 second to clean up each conference.
Activation of the option can be used only once for cleaning old conferences. In the future it can be disabled since newly created conferences will have expiration time already set.

Deactivation of Conference Cleanup feature

There are two ways to switch off the option (e.g. after all old conferences are cleaned):

a) Use ICH Config File

Open ICH config file ‘TM.ICH.Service.exe.config‘
→ C:\Program Files\Luware AG\TM-ICH
Find ‘CleanupConferences’ parameter

Change value to “false“ and save changes

<appSettings>
<add key="CleanupConferences" value="true"/>
</appSettings>

XML

Restart ICH service

b) Set “Cleanup Conferences “option to false while reinstalling ICH

CIC Installation Specifics

During the installation process, it is possible to manage the ‘Tenant’ functionality, which is present since TM v.2.5.

The ‘Tenant’ functionality allows to hide or show services’ name in Lync client search.

Switch on the functionality by selecting ‘Enable Tenant ID’ check box during CIC installation. If this option is selected for CIC, add the computer to specific AD-Groups.

Luware-LUCS-CIC Configuration Settings screen

FE Installation Specifics

As of TM V2.6 during Installation, settings for TM FE will be read from the registry and filled in the corresponding fields. However you can still change those settings during installation.

The TM-FE setup wizard

The LUCS front end installation wizard settings:

Option	Description / Action
Instance Name	The server instance name The setting is stored in C:\Program Files\Luware AG\TM-FE\AppSettings.config as <add key=”InstanzName” value=”LUCS”/>
Port Number	The server port number The setting is stored in C:\Program Files\Luware AG\TM-FE\AppSettings.config as <add key=”PortNumberToAdd” value=”3500″/>
Site Port Number	Enter the site port number. The port number 80 is recommended for http and 443 for https. The used site port number should be not used by other sites The setting is stored in IIS.
Security Protocol	Choose the security protocol between http and https The setting is stored in IIS.
System Administrator Group	The distinguished name value of the System Administrator Group from Active Directory In the following format without spaces: CN=GroupName,OU=OrganizationalUnitName,OU=OrganizationalUnitName, DC=DomainComponent,DC=DomainComponent The setting is stored in C:\Program Files\Luware AG\TM-FE\AppSettings.config as <add key="SystemAdministratorGroup" value="CN=TM2,OU=TM2,OU=Development,DC=dev,DC=local"/>
Readonly Administrator Group	The distinguished name value of the Readonly Administrator Group from Active Directory In the following format without spaces: CN=GroupName,OU=OrganizationalUnitName,OU=OrganizationalUnitName, DC=DomainComponent,DC=DomainComponent The setting is stored in C:\Program Files\Luware AG\TM-FE\AppSettings.config as <add key="ReadonlyAdministratorGroup" value="CN=TM2,OU=TM2,OU=Development,DC=dev,DC=local"/>
User Domain	If the ‘User Domain’ field is empty: If user enters his login on FE without domain, the system uses the domain, where FE is installed. If user enters his login on FE with some domain,the system uses the entered by the user domain. If the ‘User Domain’ field is filled: If user enters his login on FE without domain, the system uses the domain from the ‘User Domain’ field. If user enters his login on FE with some domain, the system uses the entered by the user domain. The setting is stored in C:\Program Files\Luware AG\TM-FE\AppSettings.config as <add key="UserDomain" value="yourserver.com"/>
Default Sip Domain	If the Default SIP domain is empty, it is possible to use only sip address as the Service FWD Target and impossible to use the phone number, because it will not work. It is possible to enter the Service FWD Target on TM Front End -> Activated Teams -> Forward Settings. If the Default SIP Domain is filled, it is possible to use the sip address and the phone number as the Service FWD Target. If the Default Sip Domain was filled in the setup during the installation or directly in the FE AppSettings.config file, the user should enter on the FE the tel number in format tel:+xxxxxxxxxxx and the TM will add the configured Default SIP Domain to this number. Exactly this makes it possible to set the phone number as the Service FWD Target. Usually the Default SIP Domain value corresponds to Lync sip domain.
Configure Certificate Security	If the check box is ‘true’ the certificate settings has to be defined during the installation: server settings specify which settings other services will use while connecting to FE and FE Core client settings specify which settings FE and FE Core will use while connecting to PS Note: The system reports all errors related to connection or certificate issues to a log file ‘C:\Program Files\Luware AG\LUCS-ICH\log\connectionIssues.log’.
Enable Reporting	Set to ‘true’, to make the ‘Reporting’ page be available on front end Set to ‘false’, to make the ‘Reporting’ page be not available on front end Default value: true
Enable Workflow Resources	Set to ‘true’, to make the ‘Workflow Resources’ page be available on front end Set to ‘false’, to make the ‘Workflow Resources’ page be not available on front end Default value: true
Disable Windows Authentication	If the check box is ‘true’ , windows credentials are not applied automatically and user is redirected to TM FE Login page. Default value: false
Install GAL-Search Service	The GAL-Search Service allows a TM front end team member to perform a search of contacts in the GAL (Global Address List). He can insert these contacts as FWD/SimRing-Targets. To start the search user should enter at least 3 characters. The search can be by First Name, Last Name, Display Name, Company, Department, Job Title or City. Set to ‘true’, to perform the installation of the GAL-Search Service Set to ‘false’, to perform the installation of the FE without GAL-Search Service Default value: true
Disable Team Member Login	Set to ‘true’, to make a Team Member with activated team choice be able to log in on FE. Set to ‘false’, to make a Team Member with activated team choice be not able to log in on FE. With ‘false‘ value a Team Member by login attempt will see the ‘Not authorized Message‘. Default value: false

Propagation of Settings

All the settings are automatically saved in registry (path: HKEY_LOCAL_MACHINE\SOFTWARE\Luware AG\TM-FE) and in front end app settings file (default path: C:\Program Files\Luware AG\TM-FE\AppSettings.config). For each new Front End version installation, the settings are prepopulated with previously existed values.

→ To make sure that new LUC-FE uses the same settings that the previous version used, compare data from new AppSettings.config (default path: C:\Program Files \Luware AG\TM-FE\AppSettings.config) with the backup copy that was saved during uninstalling TM-FE.

HTTPS certificate and Internet Information Service (IIS)

If FE is installed with a https binding, the certificate should be set manually in IIS (Internet Information Service); otherwise, the application will not run in browser.

Open IIS and choose Luware-TM-FE site
Click Bindings in Actions section
Choose site binding and click Edit
In opened window, choose SSL certificate using drop-down list and click OK.

SMD Installation Specifics

During the installation process, it is possible to manage the log level functionality, which is presented in TM V2.8. The ‘Log level’ functionality allows filtering the messages that will be written to the SMD log files.

There are two options are available:

Debug (default) :Allows to write into SMD log files informational events that are most useful to debug an application.
Info: Allows to write into SMD log files informational messages that highlight the progress of th eapplication at coarse-grained level.

SMD Setup wizard

API Installation Specifics

The TM API Setup installs TM API to Internet Information Services (IIS).

The ‘Configuration Settings’ for TM API are entered during installation.

Luware-TM-API Configuration Settings screen

The TM API installation wizard settings:

Option	Description / Action
Instance Name	The server instance name The setting is stored in C:\Program Files\Luware AG\API\AppSettings.config as <add key=‘InstanzName’ value=‘NAVY’/>
Port Number	The server port number The setting is stored in C:\Program Files\Luware AG\API\AppSettings.config as <add key=‘PortNumberToAdd’ value=‘3500’/>
Site Port Number	The site port number. The port number 80 is recommended for http and 443 for https. The used site port number should be not used by other sites. Please note: For TM-FE and TM-API installed on the same machine a site port numbers have to be different. The setting is stored in IIS.
Security Protocol	Choose the security protocol between http and https The setting is stored in IIS.
Configure Certificate Security	For security reason the system provides a possibility to use certificate-based encryption and verification during the components communication. → To configure certificate based authentication, select ‘Configure Certificate Security’ check box and press ‘Next’ button to open a page with server certificate settings. If the check box is checked, you need to provide certificate settings during the installation: – client settings specify which settings API will use while connecting to PS Note: The system reports all errors related to connection or certificate issues to a log file‘C:\Program Files\Luware AG\TM-ICH\log\connectionIssues.log’.

If ‘Configure Certificate Security’ check box was set to true, configure the client certificate settings as the next steps. The client settings specify which settings API will use while connecting to PS.

Luware-TM-API Server Certificate Settings screen

Settings	Description	Value
Mode	Transfer security modes offered by WCF to ensure a secured communication between a client and a server.	None: This mode ensures that no security is applied while communication between server and client. Transport: As the name suggests, it is concerned with security of communication between a client and a service over a network protocol. It guarantees the confidentiality and integrity of messages at transport level since transport security secures the entire communication channel.
Validation Mode	The mode that specifies how incoming certificate is validated and how trust is determined.	None: In this mode no validation is performed. ChainTrust: In this mode, WCF simply validates the certificate against the issuer of a certificate known as a root authority (the expiration time is checked too). PeerTrust: In this mode, WCF simply checks if the incoming certificate is installed in the Trusted People folder in the certificate store (the expiration time is checked too). PeerOrChainTrust: Mixed mode.
Is Dedicated	The flag that defines which certificate is used for encryption.	False: Encryption is done with default certificate. It means that certificate with the hostname of the machine from the Personal Store is used on server side. True: Encryption is done with a dedicated certificate. It means there is possibility to configure identifier (thumbprint) of the certificate.
Thumbprint	The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature.	A thumbprint value. Read the previous chapter on thumbprint generation.

When the installation is done, open Internet Information Services (IIS) Manager and make sure that the Luware-API is started:

IIS showing Luware API (Example: LUCS) as running