Laserfiche Web Access 9.2 Installation Guide. White Paper

(1)

Laserfiche Web Access 9.2

Installation Guide

White Paper

(2)

Introduction

Web Access is an ASP.NET 4.0 web application that allows you to access and modify your Laserfiche repository from any computer using a web browser. Web Access incorporates many of the features and options available in the Laserfiche Windows Client.

Preinstallation

Prior to installing Laserfiche Web Access, make sure your system meets the following requirements.

• Install the Laserfiche Server software (version 9.2 or later) and create a repository using the Laserfiche 9 Administration Console (which can be installed with the Laserfiche Client).

• IIS (Internet Information Services) must be installed on the computer where you plan to install Web Access.

• A network firewall should be installed to keep your Laserfiche repositories secure. It will need to be configured appropriately depending on how you will be using Web Access to access your repositories.

System Requirements

Below are the minimum and recommended system requirements for Laserfiche Web Access. The term "server" refers to the web server. Minimum Server Requirements

• CPU: 2 GHz or faster processor • Memory: 1 GB RAM

• Operating system: Windows Server 2003 (Service Pack 1) with IIS 6, Windows Server 2008 with IIS 7, Windows 7 with IIS 7.5, Windows Server 2008 R2 with IIS 7.5, Windows Server 2012 with IIS 8, Windows 8 with IIS 8, Windows Server 2012 R2 with IIS 8.5, Windows 8.1 with IIS 8.5.

Note: Server operating systems (Windows Server 2012, etc.) are

preferred. Home editions of Windows 7 may not include IIS features necessary for full Web Access functionality.

Recommended Server Requirements • CPU: 2.8 GHz or faster processor • Memory: 2 GB RAM

(5)

Note: Hardware requirements may fluctuate based on the number of users logged in to the server. If you expect to have many

simultaneous connections to your Web Access server, we

encourage you to configure it with a faster CPU and/or add more RAM.

Note: Serving high-resolution images can require large amounts of

system resources. If your repository contains high-resolution images, make sure that the total paging file size on the Web Access server is at least twice the amount of physical memory (RAM)

Software Requirements

Below are the recommended software requirements for Laserfiche Web Access.

Laserfiche Server

• Laserfiche Web Access 9.2 requires version 9.2 or later of the Laserfiche Server.

• Web Access is not compatible with standalone editions of Laserfiche (Executive, Desktop, etc.).

Web Server

• Web Access is an ASP.NET 4.0 Web application for IIS. Ensure the Windows Authentication feature in IIS 7 or IIS 8 is enabled.

• Internet Information Services (IIS): IIS 6 (Windows Server 2003), IIS 7 (Windows Server 2008), IIS 7.5 (Windows 7 or Windows Server 2008 R2), IIS 8 (Windows 8 or Windows Server 2012).

Client Workstation

• Web Access is best viewed using Internet Explorer 9 or higher (Internet Explorer 7 and Internet Explorer 8 are supported), Firefox 3 or higher, Safari 4 or higher, Chrome 6 or higher.

Note: Internet Explorer 7 users should install Microsoft security

update 947864 (MS08-024).

Installing Web Access

Insert the Laserfiche Web Access DVD and the installation should

automatically launch. If it does not, double-clickAutorun.exeon the Web Access DVD.

(6)

1. On the Choose Language Setup step, select how you want the installation displayed. This language setting only affects the installation.

2. On the Welcome step, click Next.

3. On the License Agreement step, read the license agreement and select I

accept the terms in the License Agreement if you agree to the terms of

the license agreement. Click Next to continue.

4. On the Custom Setup step, select the components you want to install and the location that you want to install t hem. Click Next to continue.

Note: If you have more than one website in IIS, the IIS Options

step will be displayed. You can choose to use the default website for Web Access, or you can specify another website. This option will not be displayed if you do not have more than one website on your web server.

5. On the Laserfiche Product Activation step, specify the desired method for activating Web Access. If you have an activation key, select the

Activate online using the following activation key option and specify

the activation key in the text box. The installation will contact Laserfiche over the Internet at the end of the installation. If you

received a license file, select the Activate using license file option and browse to the path where the Web Access license file can be found. If you are in a Laserfiche Rio environment, select the Activate using the

Rio License Manager option. Click Nextto continue.

6. If you chose to activate using the Rio License Manager, you will be prompted to complete the following additional steps. If not, skip to step 7.

Note: The following instructions refer to terms and concepts

specific to Laserfiche Rio. If you are not familiar with these concepts, see the License Manager help files or the Laserfiche Rio

Deployment Guide on the Laserfiche Support Site.

a. In the first Register to a License Manager step, in the License Manager Server option, type the name of your Rio License Manager server computer. In the Log on as option, select whether to log in as the current Windows user or as another Windows user. Click Next to continue.

b. In the second Register to a License Manager step, in the License database option, select the license database for your Rio

installation. In the License block option, select the Web Access instance you want to use. In most cases, there will be only one license database and only one Web Access license block.

(7)

c. In the same step, select whether to use an existing registration or register a new Web Access instance. If you or your Rio

administrator already registered this computer for Web Access, select Use existing registration and then choose the computer from the list. If not, select Register new instance. Click Next to continue.

Note: If you are upgrading an existing installation, in most

cases you should choose Use existing registration. Registering a new instance when an existing registration exists may result in unnecessary reallocation of repository named users or public portal licenses.

d. Note: If the available license information seems incomplete or out of date, you may need to renew your master license to get the most current information. Click Renew Master License to do so. e. Click Next to continue.

Note: If you are using Laserfiche Directory Server for license

management and you have configured organizations, the

Organization path option will be displayed after this step.

Select the organization you want to use in this option. This option will not be displayed if you do not have

organizations configured, or if you are not using Laserfiche Directory Server.

f. In the final Register to a License Manager step, review the settings for your new License Manager registration. Click Next and proceed with the installation.

7. On the Laserfiche Service Settings step, specify the default account to use when IIS is configured for anonymous authentication. You can specify a custom Windows domain account or use the Windows Internet Guest (IUSR) account. Anonymous Access allows visitors to access IIS without providing a user name and password. For most situations, you can choose the built-in IUSR guest account. You should only need to specify a domain account if you have a security

configuration where the IUSR account cannot access the Web Access installation path. You can change this setting after the installation by modifying the Anonymous Authentication option for the Web Access virtual directory in IIS Manager.

See this Microsoft TechNet article for more information on anonymous authentication:

http://technet.microsoft.com/en-us/library/cc731244(WS.10).aspx

8. On the Ready to Install step, click Install to start the installation process.

(8)

9. On the Prerequisites step, Web Access will detect for required IIS features and enable them if they are currently disabled. In addition, Web Access will install .NET Framework 4.0 if it is not already installed on the Web Server. Click Install to begin the check. If .NET Framework is already installed, click Next to continue.

10. The installation process will run, displaying the product or feature currently being installed and the status of the installation. When the installation is complete, click Next to continue

11. At the end of the installation, the Laserfiche Product Enhancement

Program step will open. Select Yes if you want to participate, and No if

you do not. You can opt out at any time. For more information, see the Product Enrichment Program help. Click Next to continue.

12. When the installation process is complete, click Finish to exit the installation wizard. You can automatically open the configuration page by selecting Launch Web Access configuration page on exit and click

Finish.

Note: The Web Access installation includes a subcomponent called the

Laserfiche Authentication Service 9.2. By default, this service runs on port 8188. The installation package must use this port during the initial installation. If this port is not available, the installation cannot continue. If a third-party program is currently using this port, you must temporarily free port 8188 to complete the Web Access installation process. After the installation is complete, you can configure the Laserfiche Authentication Service 9.2 to run on a different port.

Web Access Help

Web Access offers two types of help files. Online Documentation

The online documentation is hosted off of Laserfiche.com. This allows Laserfiche to update the documentation as needed and give you the most current information. It is also accessible from anywhere that has Internet access.

• Laserfiche User Guide

• Web Access Installation, Configuration, and Administration Help

• Laserfiche Administration Guide

Local Documentation

The local documentation is installed to your local machine when you install Web Access. This enables those without Internet access the ability to view the Web Access documentation. Because it is installed on your machine, changes

(9)

made to the online documentation will not be reflected in the local documentation. If you have Internet access, we recommend you use the online documentation as it will be the most up-to-date.

By default, Web Access is configured to use online documentation.

Local help for Web Access is installed as a .zip file, and must be extracted to be used:

1. On the computer on which Web Access has been installed, navigate to C:\Program Files\Laserfiche\Web Access. (If you chose to install Web Access in a different location, navigate to that location instead.)

2. Open the WebHelp folder to install local user help. 3. Extract the zip file in place.

4. Open the WebHelpAdmin folder to install local installation and configuration help.

5. Extract the zip file in place.

Note: The zip file must be extracted in place in the WebHelp or

WebHelpAdmin folder, and the files should not be moved. If the files are moved or the zip file is extracted elsewhere, help buttons and links for the product will not function correctly. Note that some extraction programs will create a subfolder automatically when extracting the contents of a .zip file. If this is the case, you should either modify your extraction program’s settings to extract directly to the WebHelp or WebHelpAdmin folder, or manually move the file contents from the subfolder to the WebHelp or WebHelpAdmin folder.

Once you have extracted the local help, you will need to configure Web Access to use it. To configure Web Access to use local documentation:

1. Click Start, then Run.

2. In the Run dialog box type regedit.

3. In the Registry Editor, double-click HKEY_LOCAL_MACHINE, then

SOFTWARE, then Laserfiche.

4. Select Web Access.

5. Click Edit in the menu, point to New, and select String Value. 6. Name the new value UseLocalHelp.

7. Double-click UseLocalHelp, type 1 under Value data, and click OK. After you close the Registry Editor, restart the Internet Information Services

(IIS) service. To restart this service:

(10)

2. Double-click Administrative Tools then Services. 3. Right-click IIS Admin and select Restart.

Post Installation Information

Types of Firewall Configurations

When a user attempts to access a Laserfiche repository through Laserfiche Web Access, the user communicates with the web server hosting Laserfiche Web Access. The web server then communicates with the Laserfiche Server, which sends back the appropriate response to the Web Access server, which transmits it to the user. You can configure your setup so the firewall resides anywhere along that route. As a result, there are several different types of firewall configurations that can be implemented for Laserfiche Web Access.

Note: If you have never configured a firewall, it is strongly

recommended that you refer to another source for information on firewall configuration. You should also contact a network security professional prior to implementing a firewall solution.

The following basic configurations are available when using Laserfiche Web Access with a firewall.

• Web server and the Laserfiche Server outside the firewall

• Web server outside the firewall; Laserfiche Server inside the firewall • Web server and the Laserfiche Server inside the firewall

• Web server and the Laserfiche Server inside the primary firewall, but outside the secondary firewall

Everything Outside the Firewall

With this configuration, the firewall's security is not compromised in any way; the data protected within the firewall remains secure. On the down side, the Laserfiche Server is exposed to the outside world, which could be

(11)

How does it work?

1. An Internet user (via web browser) requests information from the Laserfiche repository through a web site incorporating Laserfiche Web Access.

2. The request is received by the web server. The web server opens a connection with the Laserfiche Server using Laserfiche Web Access. 3. The Laserfiche Server receives the connection command and provides

the requested information back to the user through Laserfiche Web Access.

4. The firewall is configured to allow Internet access from the private network. All access initiated from the Internet to the private network is restricted.

Laserfiche Web Access Outside; Laserfiche Server Inside

With this setup, the Laserfiche Server remains protected behind the firewall, however, the Laserfiche Web Access Server will need to be configured to connect to the Laserfiche Server. On the plus side, such a configuration would keep the Laserfiche Server relatively secure within the firewall. However, because a tunnel must exist to allow the Web Access server to communicate with the Laserfiche server, if the Web Access server were to be compromised, it could be used as a launching point of an attack through the firewall to the Laserfiche Server.

2. The request is received by the Web Access server, which opens a connection with Laserfiche Web Access.

3. Laserfiche Web Access opens a connection with the Laserfiche Server via the firewall.

4. The firewall is configured to allow Internet access from the private network. All direct access initiated from the Internet to the private network is restricted. When Laserfiche Web Access makes a connection to the firewall, the firewall passes the request on to the Laserfiche Server located on the private network. Special care should be taken to only allow access to the ports that Laserfiche needs for connection and to only allow connections coming from the web server hosting the Laserfiche web product.

5. The Laserfiche Server receives the connection command and provides the requested information back to the user through Laserfiche Web Access.

(12)

By default, Laserfiche Server 9 listens on TCP port 80 or 5050. The Laserfiche Server broadcasts notifications on port 5051. If there is a firewall between your Laserfiche Server instance and your Web Access server, make sure ports 80 or 5050, and port 5051 are open on the firewall. You can use the Server

Settings node of the Laserfiche 9 Administration Console to modify the

default port settings.

Note: The Laserfiche Server 9 installation automatically creates a

Windows Firewall exception for the Laserfiche Server.

Everything Inside the Firewall

This type of configuration allows access to the Laserfiche Server and the Laserfiche Web Access server only through the firewall. In this case, the firewall acts as a proxy or a filtering gateway depending upon your network configuration. This requires careful configuration and entails an extra level of complexity for the firewall.

With this configuration, the firewall would need to be reconfigured to allow arbitrary connections from the Internet to the web server. However, if access to Laserfiche documents from the Internet is not desired or if Web Access is only being used for an intranet and not for Internet access, then not allowing connections through the firewall would be acceptable. Be aware that you will be lowering the integrity of your firewall if you do configure the firewall to allow arbitrary connections from the Internet to the web server.

2. The firewall is configured to allow Internet access from the private network. In addition, the firewall is configured to act as an HTTP proxy or router (depending on whether the firewall is proxy-based or filter-based). In other words, users would point their web browsers to the firewall itself and the firewall would forward the request to the web server located on the private network.

3. The request is received by the web server, which opens a connection with the Laserfiche Server.

Multiple Firewalls

This configuration allows access to the Laserfiche Server and the Laserfiche Web Access server only through the firewall. In this case, the firewall acts as a proxy or a filtering gateway depending upon your network configuration. It

(13)

requires careful configuration and entails an extra level of complexity for the primary firewall.

This setup is similar to the single within-firewall example, with the addition of a second firewall. In the case of a network compromise, a properly

configured dual-firewall setup will provide a method of localizing the security breach. It offers additional security over an all-or-nothing model.

2. The firewall is configured to allow Internet access from the private network. In addition, the firewall is configured to act as an HTTP proxy or router (depending on whether the firewall is proxy-based or filter-based). In other words, users would point their web browsers to the firewall itself and the firewall would forward the request to the web server located on the private network.

3. The request is received by the web server, which opens a connection with the Laserfiche Server.

5. A second firewall is configured to allow Internet and Laserfiche access from the private network. All access initiated from the Internet or from the Laserfiche server to the private network is restricted.

Firewall Setup

By default, Laserfiche Server 9 listens on TCP port 80 or 5050. Laserfiche defaults to port 80. The Laserfiche Server broadcasts notifications on port 5051. If there is a firewall between your Laserfiche Server 9 instance and your Web Access server, please make sure that ports 80 or 5050, and port 5051 are open on the firewall. You can use the Server Settings node of the Laserfiche 9 Administration Console to modify the default port settings.

Note: The Laserfiche Server 9 installation automatically creates a

Windows Firewall exception for the Laserfiche Server.

Configuring Web Access

Configuration Page

The Configuration Page enables you to configure repositories Web Access users can connect to. It also allows you to configure profiles, how users should authenticate to Web Access, an SMTP Server for outgoing e-mail

(14)

messages, watermark settings, if users can access the Configuration Page remotely, and Web Access logging levels. You must add at least one repository before you will be able to use Web Access.

After you have installed Web Access, you can find the Configuration Page either through the Start menu or by typing the URL in your browser.

Note: The Configuration Page can be automatically launched from

the last step of the installation process by selecting Launch

Laserfiche Web Access configuration page.

A shortcut is located in the Start menu under All Programs, Laserfiche, Web

Access, Web Access – Configuration. The URL for the Configuration Page is

http://machinename/laserfiche/Configuration/Configuration.aspx, where

machinename is the name of the server where Web Access is installed.

Language Picker

Select the default language you want Web Access displayed in.

Note: This option is only available when you have the Laserfiche

language packs installed.

Troubleshooting Tips:

• Server operating systems, such as Windows Server 2008, have an

Enhanced Internet Security setting that requires all URLs (even ones on

your network) to default to the Internet zone. The Internet zone is usually set to a high security level, causing standard features that usually work on normal workstations, like JavaScript, to be disabled. When Enhanced Internet Security is enabled, the Configuration Page may not be functional. Add the trusted Web Access URL to the Intranet zone (which has lower security) and refresh the page to get the

Configuration Page to function correctly.

• If adding a repository does appear to do anything and you are on Windows 7 or later, User Access Control (UAC) may be affecting the page functionality. As a workaround, browse to the Config subfolder in the Web Files folder of your Web Access installation folder. Accept the UAC prompt which appears and try to add your repository again using the Web Access Configuration Page.

• If you receive a "Retrieving the COM class factory for component with CLSID {E479E155-4F63-4E98-8B23-FCCFF569CA81} failed due to the following error: 800736b1" error message when adding a repository, you may need to restart the machine after installing Web Access. Repositories

The Repositories section of the Configuration Page allows you to configure Web Access to connect to a repository.

(15)

• Repository Name: Enter the name of the repository you want to connect to.

• Server Name: Enter the name of the server where the repository is located.

• Connection Options: There are four ways in which you can connect to the repository.

Note: A warning message will appear on the Configuration page if

there is high latency between the Web Access Server and the Laserfiche Server

o Prompt for Laserfiche Credentials: Users will be prompted for the Laserfiche username and password assigned to them by a Laserfiche administrator.

Note: This option also allows users to enter their

Windows credentials as long as they enter

DOMAIN\username for their username. Web Access

will be able to detect it's a Windows account by the backslash.

Note: This option also allows users to enter their

LDAP username (username@ProfileName) and password.

o Prompt for Windows domain credentials: Users will be prompted to enter their Windows domain username and

password. This option can be used as an alternative to Kerberos.

Note: When configuring this option, the Select a login domain dialog will be displayed. This allows you to

enter the domain users will log in to so they don't have to specify it each time they log in. If left blank, this is effectively the same as choosing Prompt for

(16)

o Auto-login using integrated Windows authentication: Users will automatically be logged in to the repository using the Windows username and password used to log in to the computer or network. Additional IIS configuration might be necessary.

o Use SSL: Select this checkbox if you want the Web Access server to connect to the Laserfiche server using an

SSL connection. This will force users to always log in to the repository using SSL.

Note: To use SSL, the server name must be written as

a fully qualified domain name (FQDN) such as

mycomputer.laserfiche.com. This is a different

process from configuring SSL between Web Access and the user's Internet browser. For more information, see the Configuring SSL DevNotes on the Laserfiche Support Site.

Note: This is a different process from configuring SSL

between Web Access and the user's Internet browser.

• Add Profile: This option enables administrators to configure multiple login methods per repository.

o Profile Name: Type a name for the profile. Profiles

Profiles allow administrators to configure multiple login methods per repository.

Note: Profiles are not supported for Laserfiche Rio and Laserfiche

Avante.

To create a profile

1. Open the Web Access Configuration page

(http://machinename/laserfiche/Configuration/Configuration.aspx, where machinename is the name of the server where Web Access is installed).

2. Select Add Profile next to the repository you want to add a profile to. 3. In the Add Profile dialog box, type a profile name. Under Connection

Type, select Auto-login with specified Laserfiche account to associate

(17)

or LDAP username and password. Select Auto-login using integrated

Windows authentication to associate the profile with a Windows

account. Click OK.

4. Open Web Access (http://machinename/laserfiche).

5. Select Use Profile, select the profile you want to use from the drop-down menu, and click Login.

6. To send a profile link to another user, navigate to the folder you want to create the link to.

7. In the URL, after the repository name, add “&profile=” followed by the profile name.

8. You can now copy the URL and send it. Authentication

Restricting/Allowing Access

Administrators can explicitly restrict or allow specific Laserfiche or Windows users access to a repository. By restricting an account, you will prevent

anyone from using that login to gain access to the repository regardless of whether or not they enter the correct password. This also is useful if you only want Web Access configured to be viewable over the Internet for specific users. This setting is configured per repository.

(18)

• Laserfiche accounts are: Select Allowed if you want all users logging in with Laserfiche accounts to have access to the repository. Select Denied if you want to restrict all users with Laserfiche accounts.

• Windows accounts are: Select Allowed if you want all users logging in with Windows accounts to have access to the repository. Select Denied if you want to restrict all users with Windows accounts.

• The following users are: You can restrict or allow specific users' access to Web Access. Enter the user's Laserfiche username, LDAP username, or Windows account name (domain\username) and click Add User. You can add as many users as you want to this list. Once added, click

Verify Account List to verify all accounts in the list at once. Enter any

account credentials that can access the Laserfiche Server to ensure the accounts you added to the list exist and are configured properly

(Laserfiche, Windows, or LDAP account). Once verified, select Allowed to give all the users in this list access or Denied to deny them access. This option overrides the previous two options. For example, if you deny all users with Laserfiche accounts access to Web Access, you can explicitly grant a specific Laserfiche account user access to the

repository by adding them to this list and selecting Allowed.

Windows Authentication

You can configure if the Login Page should display the Use Windows

Authentication checkbox allowing users to select if they want to log in using

Windows authentication.

• Select Show the "Use Windows Authentication" checkbox on the Login

screen to display it on the Login Page. Note that additional

configuration may be required for Windows authentication to work.

Cookie Authentication

A cookie is a small text file—containing information such as user preferences or credentials—that is stored by a web browser on a user's machine. The web server tells the browser to store this cookie information on your machine to identify who you are when you visit the site again. Most sites requiring you to provide credentials will set a cookie once your credentials have been verified, allowing you to freely navigate to all parts of a site as long as that cookie is present and validated.

Administrators can configure Web Access so users can authenticate using authentication tokens generated by the new Laserfiche Authentication Service and stored in the user’s browser cookies. As long as the browser retains the cookie, the user will be automatically logged in when opening a Web Access session from a new browser window. The Login page allows users to choose

(19)

between private and public authentication modes to control how long the cookie is active or valid. Choosing the “This is a private computer” option enables the cookie to stay valid longer. Choosing the “This is a public or shared computer” option causes the cookie to expire in a shorter period of time. When the cookie expires, the next user will not be able to access your information. You can control the expiration periods through a configuration file.

To enable cookie authentication

1. Select Allow Web Access to authenticate users using authentication

tokens stored in the user's cookies.

Note: If cookie authentication is not working, ensure the Laserfiche

Authentication Service is started. Laserfiche Authentication Service

The Laserfiche Authentication Service, which is installed during the Web Access installation, is a Windows Communication Foundation (WCF) Service that generates tokens for Laserfiche connections (similar to the cookie

authentication used when accessing Microsoft Outlook via the Web). This service contains two specific authentication profiles, public and private.

• Public: This profile is for users connecting to Web Access through a public or shared computer who do not want to risk having their Laserfiche sessions used by other people. The Laserfiche Authentication service generates the login token under a public profile and the session is terminated after 15 minutes of inactivity.

• Private: This profile is for users connecting to Web Access through a private secured computer. These users prefer to only log in once per day and are confident their Laserfiche session token is safe on their own machine. The Laserfiche

Authentication service generates the login token under the private profile and the session will be terminated after eight hours. Since the user is the only one using this computer, this allows them to stay logged in for a longer period of inactivity before ending the session.

Configuring Session Timeouts

The Laserfiche Authentication Service's default session timeouts for public and private profiles can be modified. For example, if you want the public profile to maintain a connection for 25 minutes instead of 15, you can configure this in the service's settings.

(20)

To modify a session timeout period

1. Navigate to <Installation Directory>\Laserfiche\Laserfiche Authentication Service 9.2

2. Open LfAuthenticationServiceHost.exe.config in a text editor. 3. Look for

4. The length of the session is represented in milliseconds. Below is a table with sample minute to millisecond conversions.

1 minute = 6000 milliseconds Minutes/Hours Milliseconds 5 minutes 300000 10 minutes 600000 30 minutes 1800000 1 hour 3600000 4 hours 14400000 10 hours 36000000

5. To modify the public timeout period, change the "PublicTimeout" value. To modify the private timeout period, change the

"PrivateTimeout" value. For example, to change the public timeout period to maintain a connection for 30 minutes, the new public timeout tag would look like this: <add key="PublicTimeout"

value="1800000"/>. E-mail

Specifying an SMTP Server for outgoing e-mail messages

The E-mail section of the Configuration Page allows you to specify an SMTP mail server to interact with e-mail export features in Web Access. If you do not specify an SMTP Server, Web Access will not be able to directly send e-mail messages. However, users can still choose to save the .msg file to their local computers to manually send out the e-mail using their personal e-mail client software.

Note: Sending e-mail directly through Web Access requires the

(21)

• SMTP Server: Enter the name of your mail server. o Save: Save your mail server settings.

o Save and Verify: Save your mail server settings and verify they are configured correctly by providing an e-mail address in the

Mail Server Verification dialog box for Web Access to send an

e-mail to.

• Reply Address: Enter the reply e-mail address you want displayed in the e-mail header's From field. The Reply Address is required to verify the e-mail settings. By default, the reply address is

[email protected].

• Reply Display Name: Specify the display name that you want displayed for the e-mail. By default, the display name is Laserfiche Web Access 9.2

• SMTP server requires username and password (Optional): If your mail server requires a username and password, select this option and enter them.

Tip: Once configured, these settings will be saved to the

WebAccessConfig.xml file under <Installation

Directory>\Laserfiche\Web Access\Web Files\Config\. They will be listed in the MailSettings section next to User and Password.

Note: These settings only apply to repositories on servers that have

the MAPI feature.

Specifying a Microsoft Exchange Server's Exchange Web Service URL for incoming e-mail messages

The E-mail Import (Outlook Address Resolution) section of the Configuration page allows you to configure Web Access to connect to a Microsoft Exchange Server's Exchange Web Services in order to facilitate extracting the e-mail address from the recipient field when importing e-mail messages.

(22)

Exchange Web Service URL: Specify the URL to your Exchange Server's

Exchange Web Services.

• Autodiscover: Web Access can attempt to automatically detect the location of the Web service. You will be prompted to specify an e-mail address to start the auto-detection process.

Exchange Server requires user name and password: If your Exchange Server

requires a user name and password, select this option and specify the appropriate values.

Note: This feature is available in Microsoft Exchange Server 2007

SP1 and later. Export Settings

The Export Settings section of the Configuration Page allows you to modify the page limit when generating a PDF from a Laserfiche imaged document. By default, Web Access is configured to limit generated PDFs to 75 pages. This means that when users attempt to export a Laserfiche imaged document as a PDF file and the document contains more than 75 pages, only the first 75 pages of the document will be included in the downloaded PDF file.

• Maximum pages for exporting PDF: Specify the page limit for generated PDF files.

Note: This setting only affects PDFs created during the export

process for Laserfiche imaged documents. This setting has no bearing on the length of PDF files stored as electronic documents in Laserfiche.

Watermarks

The Watermarks section on the Configuration Page allows you to decide if you want watermarks to be displayed on your imaged documents when viewing them in the Document Viewer.

Show watermarks in the Laserfiche Web Access Document Viewer

• Cleared: The Group Watermark header and footer setting configured in the Laserfiche Administration console will not be displayed when viewing the document in the Document Viewer. The group watermark configured in the Laserfiche Administration console will still be exported on the document. If no watermarks are configured in the

(23)

Laserfiche Administration Console, the document will be exported without a watermark.

• Selected without Watermark text: The Group Watermark header and footer settings configured in the Laserfiche Administration console will

be displayed when viewing the document in the Document Viewer.

When exported, the document will display the group watermark. If no watermarks are configured in the Laserfiche Administration Console, nothing will be displayed when viewing the document in the

Document Viewer and the document will be exported without a watermark.

• Selected with Watermark text: The Group Watermark header and footer settings configured in the Laserfiche Administration console and the text typed in the Watermark text field will be displayed when viewing the document in the Document Viewer. When exported, the group watermark will be displayed on the document. The text defined in the Watermark text field is never exported on a document; it is for display purposes only. If no watermarks are configured in the

Laserfiche Administration console, the Web Access Watermark text will not be displayed when viewing the document in the Document Viewer and the document will be exported without a watermark. You can enter up to 63 characters in the Watermark Text text box.

Note: Group Watermarks configured in the Laserfiche

Administration console will never be displayed on the document when viewing it in the Document Viewer.

Note: If multiple group watermarks have been configured in the

Laserfiche Administration console, the user will be prompted to choose one when exporting a document.

Configuration Page Access

Administrators can give specific users access to the Configuration Page remotely, as long as the user is part of the local administrators group or a specified Windows group on the Web Access server machine. After adding specific users to one of these types of groups, you can then allow that group remote access to the page.

(24)

To allow remote access:

• Select the Allow remote access to specific Windows group checkbox, then select if the users who should have remote access are part of the

Local administrators group or part of a Specified Windows group. If

selecting Specified Windows group, enter the group name as

DOMAIN\groupname.

Note: Ensure the Windows Authentication feature is enabled in IIS

to allow remote access to the Configuration Page.

Tip: In IIS 7 or IIS 8, you will need to have Windows

Authentication first installed under IIS, Security before you can enable it.

Troubleshooting

• If you receive a The configuration page can only be accessed locally error, this means remote access has not been set up.

• If you receive an Access is denied error, this means the user trying to access the page remotely has not been added to the appropriate group. Logging

The Logging section of the Configuration Page allows you to select a log level for Web Access, as well as to turn tracing on and off in order to locate a specific problem. "Debug" will provide the most detailed logs; these may take up more space, so you may want to use this level only when you are

troubleshooting a specific problem.

• Trace Log Level: Allows you to log errors to a text file, located at

c:\trace.txt. The location of the trace file is determined by the

Web.config file located in the Web Files folder of the Web Access program directory.

Note: The first time you enable logging, you will need to

(25)

1. Navigate to the Web Access installation directory and open Web Files.

2. Open web.config in a text or XML editing program. 3. Search or navigate to the section beginning with the following characters: <-- Enable the following block to log

trace messages to a file -->

4. Remove the  brackets from the line beginning <add name="TestTractor".

5. Optional: To modify the location of the trace file,

locate the initializeData="c:\trace.txt" attribute and change the path and file. Note that you must specify a file name; you cannot specify only a path.

6. Save web.config.

• Event Log Level: Determines which errors will appear in the

Windows Event Log, which you can view using the Windows Event Viewer.

• Enable LFSO Tracing: Logs LFSO communication information between Web Access and the Laserfiche Server.

Note: The Web Access application pool identity requires full

control over the trace file path.

• Trace file path: Specify where you want to store the LFSO trace log file. The file name automatically contains the application name (Web

Access), process id (the IIS worker process), and timestamp. • Enable WinHTTP Tracing: Enables Windows HTTP Services

(WinHTTP) tracing on the Web Server.

Note: Enabling WinHTTP tracing requires local administrative

rights on the web server. This means that the Web Access

application pool identity must be running as a user that has local administrative rights. By default, Web Access runs in the

WebAccessAppPool application pool. On UAC-enabled operating

systems (Windows Sever 2008 and later), you must turn off UAC in order for Web Access to properly generate the WinHTTP trace log.

Note: Enabling WinHTTP tracing is a computer-wide setting that

will log all traffic through Windows HTTP Services and may log information not related to Laserfiche communication.

Note: Both the Laserfiche Client and Web Access contain options

for enabling WinHTTP tracing. Because the WinHTTP tracing option is a computer-wide setting, if both are installed on the same

(26)

computer, modifying WinHTTP tracing options in one of the client application affects the other application as well.

• Trace folder path: Specify where you want to store the WinHTTP trace log file.

Metadata Preview Pane

The Metadata Preview Pane section of the Configuration Page allows you to control the default behavior of the Metadata Preview Pane in the Folder Browser when viewing template and field values.

By default, when a user selects multiple entries, Web Access detects and compares what fields are assigned to the selected documents. When there are a large number of fields, the Preview Pane may take a long time to fully load. In certain situations, a user may not need to see the existing field values and just wants to update a group of documents to all have the same value for a field.

When a user multi-selects more than the specified number of entries in the Folder Browser, the metadata Preview Pane will present the option to either

Show fields or Update fields. The Show fields option enables the standard

behavior of displaying field values. The Update fields option displays a write-only version of the preview pane and allows users to update field values without waiting for Web Access to load and display existing field values.

Note: Users can still update field values when they choose to show

field values

• Allow users to directly update field values: Allow users to choose the display option for the Folder Browser Preview Pane.

• Minimum number of selected entries: Specify the minimum number of entries a user must multi-select in the Folder Browser before given the option to choose whether to load field information or to directly update field values.

IFilter

An IFilter is a Windows tool that Laserfiche can take advantage of when retrieving the text and the properties associated with an electronic file. By default, Windows provides several IFilters that allow you to retrieve text from HTML documents, XML documents, Multipurpose Internet Mail Extension (MIME) files, and Microsoft Office files. In addition to the filters provided by Windows, IFilters for other types of files exist. To take advantage of one of these IFilters, download and install it on the web server hosting Web Access. After an IFilter has been installed there, it will be immediately available for use by Web Access. Text pages can be created for that type of file by following the instructions provided in the Extracting Text from Electronic Documents topic.

(27)

Tip: IFilters are typically created by the manufacturer of the

software that created the file.

The primary purpose of an IFilter is to retrieve all text associated with an electronic file. As a result, it will not store text according to the original pagination in the electronic file. Instead, all text retrieved from the electronic file will be treated as a single page. A new text page will be created after a certain number of characters have been retrieved from the electronic file.

Note: Extracting text from an electronic file will overwrite any

Laserfiche pages associated with the electronic document. Configuring Default Upload and Download Limits

By default, Web Access allows users to:

• Upload files that are no larger than 2,097,151KBs (2GB; unless you are on IIS 7, in which case the default is 30 MB) and take no longer than 3,600 seconds (1 hour) to upload.

• Export files that are no larger than 204,800KBs (200MB) and take no longer than 7,200 seconds (2 hours) to download.

• E-mail files that are no larger than 204,800KBs (200MB) and take no longer than 110 seconds (less than 2 minutes) to download.

Instructions on modifying these settings will NOT be covered in this article, as increasing the default e-mail limits is not recommended. To modify the settings above, open the Web.config file, which is in the Web Access installation directory. By default, the file is located in "C:\Program Files\Laserfiche\Web Access\Web Files" or "C:\Program Files

(x86)\Laserfiche\Web Access\Web Files."

Note: In order for a change to take effect, restart Internet

Information Services (IIS) or restart the application pool hosting Web Access.

Note: In the code blocks listed below, some of the initial values

may vary if the Web.config file has previously been edited.

To modify upload limits:

1. In Web.config, locate the following code block:

(28)

2. If necessary, change the value of the maxRequestLength setting to the maximum number of KBs a file can be before it cannot be uploaded via Web Access. We do not recommend setting this value greater than 2,097,151KBs (2GB).

3. In the previous step, if you changed the maxRequestLength setting to a value larger than 30,720KBs (30MBs), and if you are using IIS 7 or higher, add the following code block directly under the

<system.webServer> section. Modify the maxAllowedContentLength setting to ensure it matches the maxRequestLength setting. We do not recommend setting this value greater than 2,097,151KBs (2GB).

</security>

4. If necessary, change the value of the executionTimeout setting to the maximum number of seconds that can pass during the upload process before the file cannot be uploaded via Web Access.

5. Save your changes and close the text editor.

To modify export limits:

1. In Web.config, locate the following code block:

<httpRuntime executionTimeout="7200" />

</system.web> </location>

2. If necessary, change the value of the executionTimeout setting to the maximum number of seconds that can pass during the export process before the file cannot be exported via Web Access.

3. If you need to change the maximum number of KBs a file can be before it cannot be exported via Web Access, replace <httpRuntime

executionTimeout="7200" /> with <httpRuntime

maxRequestLength="X" executionTimeout="7200" />. Replace X with the file size limit you want (in KBs). We do not recommend setting this value greater than 2,097,151KBs (2GB).

(29)

Disabling Token Substitution in Sticky Note, Text Box, and Callout Text Annotations

By default, Laserfiche will automatically replace tokens in sticky note, text box, and callout text annotations. You can disable this feature for specific users by manually adding the following trustee attribute to the appropriate user or group:

[SETTINGS]SubstituteTextAnnotationTokens

Set the value of the attribute to No to prevent Laserfiche from automatically replacing tokens in sticky notes, text boxes, and callout text boxes.

To re-enable the option, set the attribute value to Yes or remove the attribute completely.

Note: The value is case sensitive.

Trustee attributes are accessible through the Laserfiche Administration

Console. Please see the Laserfiche Administration Guide for more information on trustee attributes.

Laserfiche Web Accelerator

The Laserfiche Web Accelerator section of the Web Access Configuration page lets you enable and configure Web Accelerator for specific repositories. Web Accelerator carries high-load processes, such as image processing, for Web Access, allowing the performance impacts of resources intensive processes on Web Access to be lessened.

Before enabling Web Accelerator, you will first need to install it. For

information about installing and configuring Laserfiche Web Accelerator, see

Laserfiche Web Accelerator 9.1 Installation Guide.

To enable Web Accelerator:

1. On the Web Access Configuration page, under Laserfiche Web Accelerator, select Enabled.

2. Next to Server, type http://WebAcceleratorServerName/image, where WebAcceleratorServerName equals the machine name of the Web Accelerator host.

3. Next to Verification code, paste the Web Accelerator verification code that was generated on the Web Accelerator Configuration page.

4. If you have more than one repository registered on the Web Access Configuration page, checkboxes will appear for each repository. Select the repositories you want Web Accelerator to serve.

(30)

Laserfiche Distributed Computing Cluster

The Laserfiche Distributed Computing Cluster section of the Web Access Configuration page allows you to connect your Web Access Server to a Distributed Computing Cluster installation. When enabled, the Web Access Server will send certain tasks, like OCR processing, to the cluster. Distributed Computing Cluster will perform the tasks and return the finished work to the Web Access Server. Learn more about Distributed Computing Cluster.

To enable Distributed Computing Cluster:

1. On the Configuration Page under Laserfiche Distributed Computing Cluster, select the Enabled checkbox.

2. Next to Scheduler, enter name of the machine where the Distributed Computing Cluster scheduler is installed.

3. Next to Port, enter the port that the Web Access Server will use to communicate with the Distributed Computing Cluster scheduler. Laserfiche Web Administration Console

The Laserfiche Web Administration Console section of the Web Access Configuration page lets you specify a Web Administration Console that will be accessible from Web Access by administrative users. If you enable

Distributed Computing Cluster, then Web Administration Console can be used for OCR monitoring purposes.

To enable linking to the Web Administration Console:

1. On the Web Access Configuration page under Laserfiche Web Administration Console, select the Enabled checkbox.

2. For the URL, open the Laserfiche Web Administration Console, copy the URL from the browser's address bar and paste it next to

URL in the Web Access Configuration page.

3. Click Save.

Administering Web Access

Most Web Access administration activities are related to controlling which Laserfiche repository users can access and what types of access are permitted. See the Laserfiche Administration Guide for information about creating

repositories, setting up users, controlling repository security, and similar topics.

Prompting for Login Information

Web Access will always request login information if auto-login is not

configured. Login information may be a Laserfiche username and password or Windows domain credentials.

(31)

To turn off auto-login

1. Open the Web Access configuration page at

http://machinename/laserfiche/Configuration/Configuration.aspx, where machinename is the name of the server where Web Access is installed.

2. In the list of repositories, find the one for which you want to require login information.

3. Select Prompt for Laserfiche credentials or Prompt for Windows

domain credentials.

4. Depending on which one you choose, users will be able to log in using their Laserfiche and/or Windows credentials to access Web Access.

Note: If you select Prompt for Laserfiche credentials or Prompt for Windows domain credentials (without configuring a domain

name), users will be able to enter either their Laserfiche or Windows credentials to authenticate.

Automatic Login

You can configure Web Access to automatically log users into a repository. To do this, you will need to specify a Laserfiche or Windows domain account that Web Access will always use to log in to the repository. You can also let the browser auto-detect the Windows user account currently being used and log the user in with that account. Anyone accessing the repository through Web Access will be automatically logged in using that user account, and will have all the security rights and privileges assigned to that user.

To configure automatic login

1. On the computer hosting Web Access, open the Web Access configuration page at

http://machinename/laserfiche/Configuration/Configuration.aspx, where machinename is the name of the server where Web Access is installed.

2. In the list of repositories, click Edit next to the one you want to configure.

3. Select Auto-login using integrated Windows authentication from the drop-down list and click Save.

4. Ensure IIS is configured for integrated Windows authentication. Using Windows Authentication

When Windows Authentication is configured as the login method for a repository, users with valid Windows credentials will either be prompted to enter their Windows credentials or automatically be logged in using these

(32)

credentials when they visit the Web Access page. You can configure login methods on the Web Access Configuration Page.

Configuring Web Access for Windows authentication

1. Configure your Laserfiche repository to accept Windows users for authentication.

In order for a Windows user to be able to log in using Windows Authentication, that user must be allowed access to the repository. The Windows account can be granted access in a few different ways:

• The Windows account can be added directly.

• The Windows user can be associated with a Laserfiche user.

• The Windows group has been added to the Trusted Accounts list.

Laserfiche administrators can do this through the Laserfiche

Administration Console. The administrator must also configure Web Access to accept Windows credentials and pass them to the

Laserfiche server.

2. Ensure IIS is configured so users can automatically be logged in using Window authentication.

By default, IIS is configured to allow users to log in using their Windows credentials without any additional configuration.

However, if you are updating to a newer version of Web Access or have previously modified your IIS settings, follow the steps below to configure IIS for Windows authentication.

Note: Ensure the Windows Authentication feature is installed

under Security on IIS 7 or IIS 8 to allow Windows users to automatically log in.

Tip: In IIS 7, IIS 8, or IIS 8.5, you will need to have Windows

Authentication first installed under IIS, Security before you can enable it.

1. Open Internet Information Services (IIS) Manager. You can find it under Administrative Tools in the Start Menu in Windows 7 or machines with server operating systems like Windows Server 2003 or Windows Server 2008.

2. Select the Web Access virtual directory. By default, this will be namedLaserfiche and located under Default Web Site in

the Web Sites folder.

(33)

• Double-click on Authentication in the center pane. • In the Authentication Configuration Pane, enable

Windows Authentication. If you do not see a Windows Authentication option, check to see whether the Windows

Authentication feature is installed on your copy of IIS.

Note: The Web Access application runs as the application pool user. This

user requires read and write access to the tempDirectory and

cacheDirectory and read access to the Config subfolder inside the Web

Files folder of the Web Access installation folder. Access to these specific files is configured for you during the Web Access installation.

3. If the Laserfiche Server and Web Access are installed on different machines, and you want to log in using Windows Authentication, you have three options:

• Option 1: You can configure Kerberos to enable users to log in using Integrated Windows authentication. Users will never be prompted to provide credentials, as the browser will

automatically authenticate and log them in. This method requires knowledge and setup of Kerberos.

• Option 2: You can configure Basic Authentication to enable users to log in by providing Windows credentials to the browser. If the user's first login attempt is successful, all future login attempts will not prompt for credentials until the session times out. This method requires knowledge and setup of Basic

Authentication.

• Option 3: You can configure Web Access to enable users to log in by providing Windows credentials to the Web Access Login

Page. Users must manually provide credentials each time they

want to log in. Since this method requires no knowledge or setup of Kerberos or Basic Authentication, it is the method we

recommend.

Tip: When using Option 2 or 3, credentials are passed in

plaintext. As a result, these methods should never be used without also using SSL.

Configuring Kerberos

Kerberos support enables Windows authentication to fully function when Web Access and the Laserfiche Server are installed on different computers. Kerberos allows authentication information to be delegated from the computer hosting Web Access to the computer hosting Laserfiche Server. For more information on enabling Kerberos for Windows authentication, see the

(34)

Enabling Kerberos Support for Windows Authentication Knowledge Base article and/or the Setting Up Kerberos for Web Access 8 on IIS 7 white paper. Configuring SSL and Basic Authentication

Basic authentication can be used as an alternative to Kerberos to allow information to be delegated from the computer hosting Web Access to the computer hosting the Laserfiche Server. This authentication method allows the application to run as the browser user, provided the browser user provides correct Windows authentication.

These Windows credentials are transmitted in plain text, which means the web server does not need to use Kerberos to authenticate into a separate machine. Because the credentials are sent from IIS to Web Access in plain text, this method should never be used without also using SSL to protect the password.

Configuring Basic Authentication

To configure Basic Authentication on the machine hosting the Web Access server (IIS):

IIS 6 (Windows Server 2003)

1. Click Start and select Control Panel.

2. Double-click Administrative Tools, then Internet Information Services

(IIS).

3. In the left pane, double-click your computer name, then Web Sites, then Default Web Site.

4. Right-click Laserfiche and select Properties. 5. Select the Directory Security tab.

6. Under Authentication and access control, click Edit

7. Clear the Anonymous access and Integrated Window authentication checkboxes.

8. Select Basic authentication (password is sent in clear text) and click

Yes in the IIS Manager pop-up dialog box.

9. Click OK and close any other windows that are open.

IIS 7 (Windows Server 2008 or Windows 7)

(IIS) Manager.

3. In the Connections pane on the left, under Default Web Site, select

(35)

4. In the middle pane, under IIS, double-click Authentication 5. Right-click Anonymous Authentication and select Disable 6. Right-click Basic Authentication and select Enable.

Basic Authentication should not be used without also using SSL to protect the password.

IIS 8 or IIS 8.5 (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2)

1. Open the Control Panel.

(IIS) Manager.

3. In the Connections pane on the left, under Default Web Site, select

Laserfiche

4. In the middle pane, under IIS, double-click Authentication 5. Right-click Anonymous Authentication and select Disable. 6. Right-click Basic Authentication and select Enable.

Basic Authentication should not be used without also using SSL to protect the password.

Configuring SSL (HTTPS)

To set up an SSL (HTTPS) connection between the machine hosting the Web Access server and the Internet browser

IIS 6 (Windows Server 2003)

(IIS).

3. In the left pane, double-click your computer name, then Web Sites. 4. Right-click Default Web Site and select Properties.

5. Select the Directory Security tab.

6. Under Secure communications, click Server Certificate.

7. In the Welcome to the Web Server Certificate Wizard, click Next. 8. Select Create a new certificate and click Next.

9. Select Send the request immediately to an online certification

authority and click Next.

(36)

11. Type your Organization and Organizational unit. For example, your organization might be Laserfiche and your unit might be Human

Resources. Click Next.

12. Type the common name for your site and click Next.

13. Type your Country/Region, State/province, City/locality and click

Next.

14. Select a certificate authority from the drop-down menu and click Next. 15. Click Next, then Finish.

16. Click OK to close the Default Web Site Properties dialog box. 17. In the left pane, double-click your computer name, then Web Sites,

then Default Web Site.

18. Right-click Laserfiche and select Properties. 19. Select the Directory Security tab.

20. Under Authentication and access control, click Edit. 21. Under Secure communications click Edit.

22. Select Require secure channel (SSL) and Require 128-bit encryption. 23. Click OK to close the Secure Communications dialog box.

24. Click OK to close the Laserfiche Properties dialog box. 25. Restart IIS.

IIS 7 (Windows Server 2008 and Windows 7)

(IIS) Manager.

3. In the Connections pane on the left, select the computer name. 4. Under the IIS section, double-click Server Certificates.

5. In the Actions pane on the right, click Create Domain Certificate. 6. In the Distinguished Name Properties step, specify the required

information for the certificate and click Next.

7. In the Online Certification Authority step, click Select, choose your certificate authority, and click OK.

8. Give your certificate authority a friendly name and click Finish. 9. In the Connections pane on the left, double-click the computer name,

then double-click Sites.

Laserfiche Web Access 9.2 Installation Guide. White Paper