Spok Mobile 5.2 Pre-Implementation Guide
Mobile Device Management (MDM) Recommendations
Spok Mobile High Availability Configuration
Preparing for a Spok Mobile Implementation with AlwaysOn
An AlwaysOn configuration is supported by Spok Mobile.
Customers who will implement a Spok Mobile environment with Smart Suite, MediCall Suite, Spok Console Suite, or Messenger may opt to use an AlwaysOn configuration.
SQL Server Enterprise Editions
AlwaysOn configurations for Spok Mobile environments require the Enterprise edition of SQL Server. SQL Enterprise meets recommended encryption standards that are not supported by SQL Server Standard.
SQL Server Guidance
When creating a SQL environment for an AlwaysOn configuration for Spok Mobile, consider the following best practices. See Microsoft's documentation for detailed guidance on SQL Server and AlwaysOn configurations.
- Availability Groups must be used. Clustering requires availability groups.
- Use multiple subnets for SQL to enhance redundancy. The number of subnets will vary by customer site based on the configuration of the entire implemented solution.
- Deliver the following to ensure that messages are delivered across the solution:
  - Automatic failover
  - Synchronous-commit availability mode
Using manual failover and/or asynchronous-commit mode may result in message/data loss.
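The following is an added check, not part of the Spok guide, that queries the SQL Server catalog views to confirm the requirements above (Enterprise edition, every replica in synchronous-commit mode with automatic failover). It assumes the SqlServer PowerShell module is installed, the caller holds VIEW SERVER STATE, and the listener name is a placeholder.

```powershell
# Added example, not from the Spok guide: verify an AlwaysOn instance meets the
# guide's requirements (Enterprise edition, every replica SYNCHRONOUS_COMMIT with
# AUTOMATIC failover). Assumes the SqlServer module; listener name is a placeholder.
param([string]$ServerInstance = 'SPOKLISTENER\SPOKMOBILE')

$edition = Invoke-Sqlcmd -ServerInstance $ServerInstance `
    -Query "SELECT CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) AS Edition"
if ($edition.Edition -notlike 'Enterprise*') {
    Write-Warning "Edition is '$($edition.Edition)'; AlwaysOn for Spok Mobile requires Enterprise."
}

# Replica settings come from the catalog views, which reflect the live AG definition.
$replicas = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT ag.name AS ag_name, ar.replica_server_name,
       ar.availability_mode_desc, ar.failover_mode_desc
FROM sys.availability_groups AS ag
JOIN sys.availability_replicas AS ar ON ar.group_id = ag.group_id;
"@

if (-not $replicas) { throw "No availability groups found on $ServerInstance." }

$violations = foreach ($r in $replicas) {
    if ($r.availability_mode_desc -ne 'SYNCHRONOUS_COMMIT' -or
        $r.failover_mode_desc -ne 'AUTOMATIC') {
        "$($r.ag_name) / $($r.replica_server_name): " +
        "$($r.availability_mode_desc), $($r.failover_mode_desc) failover"
    }
}

if ($violations) {
    # Any replica in this list can lose committed messages during a failover.
    Write-Warning 'Replicas that do not meet the Spok Mobile AlwaysOn guidance:'
    $violations | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Output "All $(@($replicas).Count) replicas use synchronous commit with automatic failover."
```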
F5 Load Balancer Recommendations for Spok Mobile
NetScaler Recommendations
When configuring the Spok Mobile service in NetScaler, set the Monitoring Connection Close Bit to RESET. This forces the health monitoring process to close the connection after the initial handshake. After the connection closes, the Spok Mobile Windows service will not generate log entries for any connection attempts from the NetScaler IP addresses. Note that this only applies to the 2000x MXPP ports. The supported health monitor for ports 443 and 8091 is HTTPS.
HTTP compression should not be enabled with the load balancers (for both Spok Mobile and Care Connect).
Server Environment Requirements
License Requirements
When you install any Care Connect application, you must provide an XML license file in order to activate application features. The Spok PSG professional is responsible for obtaining this license file before or during the on-site implementation. You will be prompted to provide the license file after you finish the Care Connect installer.
Database Requirements
The following database server requirements must be met in order for Spok Mobile to function. A database login with “sysadmin” rights must be available prior to installing the Spok Mobile database.
Spok Mobile supports the Clustering, Mirroring, and AlwaysOn High Availability solutions.
The following table shows the SQL Server selection, configuration, and administration requirements for the Spok Mobile database.
| Area | Requirement |
| --- | --- |
| General Database Options | If you choose the SQL Cluster option, you must provide Spok with the login, password, host name, and instance information. |
| Database Maintenance Activity | Spok Mobile does not include a data archive/delete function, but this feature can be added upon request. |
| User Permission Requirements | The Spok Mobile installer requires an account with "sysadmin" rights to install. |
| Supported SQL Server Clustering and Mirroring Versions | |
| Additional SQL Mirroring Specifications | |
| Run Time (After installation) | |
Firewall and Communication Requirements
Firewall Requirements
The Spok Mobile application depends on communication between in-house servers, smartphones, and tablets on the wireless LAN, and Spok’s hosted server. Ports must be opened within the intranet as well as on the firewall to facilitate the exchange of information via the internet. The firewall can be configured to accommodate outbound access via URL or IP ranges.
Using URLs eliminates the need to update the configuration if any underlying IP address changes.
The Spok Mobile application communicates between servers at your location, and between smartphone and tablet devices on your wireless LAN and Spok’s hosted location. Spok recommends allowing outbound access by URL. However, you can also allow access by IP range. Information for both access types is included below.
You must grant Spok access to the URLs listed below in order for the application to function.
Allowing Outbound Access by URL
- https://amclr1.amcomamc.com (443/8091)
- https://amclr2.amcomamc.com (443/8091)
- https://amccore1.amcomamc.com (443/8091)
- https://www.amcomamc.com (443/2001/8091)
Allowing Outbound Access by IP Ranges
If you have enabled access by IP address, Spok recommends either using the URL or opening access to the following IP ranges:
- 107.21.32.168, 107.21.32.169 (East Coast Data Center)
- 50.112.130.246 (West Coast Data Center)
If you have enabled firewall rules based on URLs, you do not need to make any changes. As we migrate the URLs to new IP addresses by updating the DNS (Domain Name System) records, your systems and devices will automatically connect to the new systems.
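As an added pre-implementation check (not part of the Spok guide), the script below resolves each hosted URL listed above and tests the listed ports from a Spok Mobile server, so a DNS problem is reported separately from a blocked port. It uses only cmdlets that ship with Windows Server 2012 R2 and later.

```powershell
# Added example, not from the Spok guide: confirm the hosted endpoints and ports
# from the firewall section are resolvable and reachable from this server.
$endpoints = @(
    @{ Host = 'amclr1.amcomamc.com';   Ports = 443, 8091 },
    @{ Host = 'amclr2.amcomamc.com';   Ports = 443, 8091 },
    @{ Host = 'amccore1.amcomamc.com'; Ports = 443, 8091 },
    @{ Host = 'www.amcomamc.com';      Ports = 443, 2001, 8091 }
)

$results = foreach ($e in $endpoints) {
    # Resolve by name first: URL-based firewall rules depend on DNS working.
    $dns = Resolve-DnsName -Name $e.Host -Type A -ErrorAction SilentlyContinue
    foreach ($port in $e.Ports) {
        $reachable = $false
        if ($dns) {
            $reachable = (Test-NetConnection -ComputerName $e.Host -Port $port `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Host      = $e.Host
            Port      = $port
            Resolved  = [bool]$dns
            Addresses = ($dns | ForEach-Object { $_.IPAddress }) -join ', '
            Reachable = $reachable
        }
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked) {
    Write-Warning "$($blocked.Count) host/port pairs are not reachable; review outbound firewall rules."
}
```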
Communication Requirements
Spok Mobile sends email messages that are vital to the implementation and use of the overall Spok solution. To ensure that these messages are received, the environment should be configured to allow SpokMobile@spok.com through any configured email filters. These emails will be sent from the following SMTP servers: planodb1.amcomenotify.com and mspdb1.amcomenotify.com.
Wi-Fi Access Point Requirements
Sites with Spok Mobile clients that use Wi-Fi connections need a wireless router that meets the following requirements:
- Wireless-N 802.11n or newer router.
- Lower power state Wi-Fi connection.
- Instant reconnect from sleep.
Wireless 802.11g routers disconnect when a device goes to sleep, which means that messages will be missed until the device is woken up. Wireless 802.11n routers keep devices connected in a low power mode to support push notifications.
Port Requirements
Security
Required Ciphers for Spok Mobile
New Cipher Suites for Windows Server 2019
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Windows Security
TLS 1.2 Security Protocol for Spok Mobile
Spok Mobile requires the TLS 1.2 security protocol on all Windows servers that host Spok products. If TLS 1.2 is disabled, it may result in Spok Mobile users being unable to register, send or receive messages, or search for users in the enterprise directory. Older protocols including SSL 3, TLS 1.0, and TLS 1.1 may be disabled.
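The script below is an added example, not part of the Spok guide, that enables TLS 1.2 in SChannel through the standard registry keys and then confirms the six cipher suites listed under Required Ciphers are enabled, re-enabling any that a hardening policy removed. It assumes Windows Server 2016 or later (for Get-TlsCipherSuite), an elevated session, and a reboot afterwards for the protocol change to take effect.

```powershell
# Added example, not from the Spok guide: enable TLS 1.2 and verify the
# cipher suites the guide requires for Windows Server 2019.
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Server', 'Client') {
    $key = Join-Path $tls12 $side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 and DisabledByDefault=0 is the combination that makes TLS 1.2 usable.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
}

$required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

$enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
$missing = @($required | Where-Object { $enabled -notcontains $_ })
foreach ($suite in $missing) {
    # Position 0 puts the suite at the top of the priority list rather than the
    # bottom, so it is preferred over any weaker suites that remain enabled.
    Enable-TlsCipherSuite -Name $suite -Position 0
}

$still = @($required | Where-Object { @(Get-TlsCipherSuite).Name -notcontains $_ })
if ($still) {
    Write-Warning "Required suites not available on this build: $($still -join ', ')"
} else {
    Write-Output "All $($required.Count) required cipher suites are enabled; reboot to apply TLS 1.2."
}
```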
Exporting the Certificate to PFX Format for the Spok Notification Framework
This procedure only needs to be completed at Spok Mobile customer sites at which the Spok Notification Framework will be used to support non-GCM Android devices. This procedure is typically completed by a customer-site IT professional prior to a Spok Mobile implementation, to make sure the security certificate needed for the Spok Notification Framework is available in a format that a Spok PSG professional can convert during the implementation.
Setting Up SSL Certificates
For detailed information on how to configure the certificate to Spok Mobile, see Implementing Spok Mobile 5.2.
The following SSL certificate requirements must be met in order for Spok Mobile to function properly:
- The SSL certificate cannot be self-signed. The certificate must be from a trusted root authority. Examples include Verisign, Thawte, and GoDaddy.
- If Smart Suite is being used with Spok Mobile, the following requirements must be met:
- Smart Suite 4.8.x requires SHA1.
- Smart Suite 5.x requires SHA1 or SHA2.
- The certificate can be a wildcard, single-site, or SAN certificate.
If a SAN certificate is used, Spok recommends adding the FQDN of the individual Spok Mobile servers along with the alias. This is needed to secure traffic between the two Spok Mobile servers in a Highly-Available environment.
SSL Certificates (Non-Wildcard)
If a non-wildcard certificate is used with Spok Mobile, the certificate must be installed, bound to the Spok Mobile server, and then tested. Certificates can also be imported and backed up. The following sections contain information on how to perform these actions.
Creating an SSL Certificate
- Choose a certificate name. Please note that this name should not be the host name of the server. For example, if your host name was www32-a-node1.yourmedicalfacility.org, the customer may not know to access this location. Instead, the customer may know to go to www.yourmedicalfacility.org. Therefore, this name needs to be registered. This SSL host name is shared between all applications that serve data for this application. Because of this, pick a generic SSL website name, such as spokmobile.customer.org.
- Access the Internet Information Services (IIS) Manager on the Spok Mobile server. In most cases, this can be accessed by choosing the Start > Internet Information Services (IIS) menu option from the Windows start menu.
- In the left navigation pane, select the server.
- Select the Server Certificates option to navigate to the Server Certificates screen.
- Click the Create Certificate Request option from the Actions list on the right-hand side of the screen to navigate to the Distinguished Name Properties dialog.
- In the Distinguished Name Properties dialog, enter any desired information.
- Click the Next button to navigate to the Cryptographic Service Provider Properties dialog.
- From the Cryptographic service provider drop-down menu, choose the Microsoft RSA SChannel Cryptographic Provider option.
- From the Bit length drop-down menu, choose the 2048 option.
- Click Next to navigate to the File Name dialog.
- In the Specify a file name for the certificate request field, specify a location and file name where the certificate signing request (CSR) file should be saved.
- Click Finish to navigate to the Server Certificates screen.
- Send the generated file (Example: c:\messengeramc_csr.txt) to your certificate vendor.
- Obtain the certificate file (.p7b, .pfx, or .cer file).
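As an added example (not from the Spok guide), the same request the IIS wizard produces above can be generated repeatably with certreq.exe, which ships with Windows: the Microsoft RSA SChannel provider, a 2048-bit key, and a generic SSL name rather than the host name, with the node FQDNs added as SANs as recommended for highly available sites. All names and paths are placeholders.

```powershell
# Added example, not from the Spok guide: build a CSR with certreq.exe using the
# same provider and key length the guide specifies. Names/paths are placeholders.
$sslName = 'spokmobile.customer.org'            # generic SSL name, not the server host name
$nodes   = 'spokmobile-node1.customer.org', 'spokmobile-node2.customer.org'
$workDir = 'C:\certs'
$infPath = Join-Path $workDir 'spokmobile_csr.inf'
$csrPath = Join-Path $workDir 'spokmobile_csr.txt'

# One SAN entry per name; the alias plus each node FQDN covers intra-cluster traffic.
$sanLines = (@($sslName) + $nodes | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[NewRequest]
Subject = "CN=$sslName, O=Customer Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = SHA256
[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq writes the PKCS#10 request to $csrPath and keeps the private key in the
# machine store, where Complete Certificate Request later pairs it with the issued cert.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
Write-Output "Send $csrPath to the certificate vendor."
```

Exportable = TRUE is what later allows the certificate to be exported to .pfx for the second node or for backup.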
Installing the SSL Certificate on the Server
- On the right-hand side of the Server Certificates screen, click the Complete Certificate Request link to navigate to the Specify Certificate Authority Response dialog.
- Next to the File name containing the certification authority’s response field, click the ellipsis (…) to display files.
- Choose the desired file. The chosen file appears in the File name containing the certification authority’s response field.
  The File name containing the certification authority’s response field should include a .cer file. However, if you would like to use a .p7b or .crt file, change the file type to *.*.
- In the Friendly name field, enter the server host name that is specified in the certificate SSL name. Note that the file name entered in this field must match the Common Name entry on the Distinguished Name Properties display.
- Click OK to navigate to the Server Certificates screen with the newly installed certificate.
Adding the HTTPS Binding to IIS
The bindings are created automatically during Spok Mobile Implementation, so no further action is required.
Importing Certificates
- If an environment is configured for high availability, export the .pfx file for each server.
- Navigate to the IIS manager.
- Click the Server Certificates option.
- In the Server Certificates screen, click the Import link.
- In the Certificate file field, choose the desired certificate.
- In the Password field, enter the password that is linked to the certificate entered in the Certificate file field.
- Click OK to import the certificate.
Testing SSL Certificates
- To test the installation of the certificate, add an entry to the C:\Windows\System32\Drivers\Etc\hosts file that points the external DNS SSL name, specified as the Common Name during setup, to 127.0.0.1. Example: add the line 127.0.0.1 messengeramc.amcomsoft.com messengeramc to the hosts file.
Testing the Host Name
- To test the host name, execute ping <hostname> from that machine. If the localhost is accessed, the test is successful.
- Test the external resolution of the name.
- Test the internal resolution of the name. This can be done by using nslookup.
Testing the Certificate
- Access the installed certificate via HTTPS by entering the certificate’s Common Name from the previous steps in a browser session.
If the navigation bar does not display red text, it means that the browser believes the certificate is valid. If the navigation bar displays red text, the browser believes the certificate is invalid.
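The script below is an added example, not part of the Spok guide, that automates the hosts-file and certificate tests above: it adds the 127.0.0.1 entry if missing, opens a TLS 1.2 connection to the SSL name, and reports whether the presented certificate chains to a trusted root (the non-self-signed requirement from Setting Up SSL Certificates), matches the name (including wildcards), and when it expires, instead of relying on the browser's red bar. The host name and alias are the guide's example values; run it elevated so the hosts file can be written.

```powershell
# Added example, not from the Spok guide: test the hosts-file redirection and the
# installed certificate's trust, name match and expiry over TLS 1.2.
$sslName = 'messengeramc.amcomsoft.com'   # the guide's example Common Name
$hosts   = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($sslName)) -Quiet)) {
    Add-Content -Path $hosts -Value "127.0.0.1 $sslName messengeramc"   # needs an elevated session
}

function Test-SpokSslCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be inspected;
        # trust and name are then checked explicitly below, not by the callback.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    # Names the certificate is valid for: the subject CN plus any DNS SAN entries.
    $names  = @($cert.GetNameInfo('SimpleName', $false))
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,]+)') |
                  ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = [bool]($names | Where-Object { $HostName -like $_ })  # -like handles *.domain
    }
}

Test-SpokSslCertificate -HostName $sslName | Format-List
```

A result with ChainTrusted false or SelfSigned true is what the browser shows as red text; NameMatches false means the Common Name or SAN does not cover the SSL name being tested.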
Backing Up the SSL Certificate
Backing up an SSL certificate allows the certificate to be re-imported if a system failure occurs that requires a disaster recovery.
- Navigate to the Internet Information Services (IIS) Manager screen.
- Select the server name in the left-hand side of the screen. Menu options will appear.
- Click the Server Certificates icon to navigate to the Server Certificates screen.
- Right-click on the desired SSL name.
- Choose the Export menu option to navigate to the Export Certificate dialog.
- Click the ellipsis (…) to the right of the Export to field.
- In the File name field, enter the file name to use.
- Click Open. You are returned to the Export Certificate dialog and the chosen file name will appear in the Export to field.
- In the Password field, enter a password to associate with the certificate.
- In the Confirm password field, re-enter the password that is entered in the Password field.
- Click OK.
- Exit the IIS Manager.
- Navigate to the path where the certificate is stored.
- Copy the certificate to send it to the Spok Project Manager who is involved with the implementation.
- Send this certificate to the Spok Project Manager who is involved with the implementation. Doing so allows for a re-import if a system failure occurs that requires a disaster recovery.
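The script below is an added example, not part of the Spok guide, that performs the export described above (and the PFX export needed for the Spok Notification Framework) from PowerShell: it finds the certificate by its SSL name in the machine store, writes a password-protected .pfx including the chain, and verifies the file round-trips with its private key before it is sent. It assumes the PKI module (Windows Server 2012 and later), a certificate installed with an exportable key, and placeholder names and paths.

```powershell
# Added example, not from the Spok guide: export the Spok Mobile SSL certificate
# with its private key to a password-protected .pfx and verify it before sending.
$sslName = 'spokmobile.customer.org'          # placeholder SSL name
$outFile = 'C:\certs\spokmobile-backup.pfx'   # placeholder output path

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$sslName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $sslName in LocalMachine\My." }

# Prompt rather than embed the password: the .pfx carries the private key, so the
# password is what protects it while it travels to the project manager.
$password = Read-Host -AsSecureString -Prompt "Password to protect $outFile"

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
# BuildChain includes the intermediates so a re-import during DR has the full chain.
Export-PfxCertificate -Cert $cert -FilePath $outFile -Password $password `
    -ChainOption BuildChain | Out-Null

# Round-trip check: the file must open with the password and still carry the key.
$pfx  = Get-PfxData -FilePath $outFile -Password $password
$leaf = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $leaf -or -not $leaf.HasPrivateKey) {
    throw "Exported file did not round-trip with its private key."
}
Write-Output "Exported $($cert.Thumbprint) to $outFile (expires $($cert.NotAfter))."
```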
- Access the Spok Enterprise Administration page at http://localhost/Amc/Admin. For detailed information about the Spok Mobile Administration page, see Spok Hosted Administration Guide 5.2.
- Ensure that the Local message delivery option is selected. For detailed information about configuring the message delivery type, see Implementing Spok Mobile 5.2.
- Enable the HTTPS option. For detailed information on how to enable the HTTPS option, see Implementing Spok Mobile 5.2.
- Ensure that the information in the Message Download URL matches the SSL name of the certificate that you registered. For detailed information about how to configure the Message Download URL, see Implementing Spok Mobile 5.2. Note that wildcard certificates can be used if they match a server on the domain.
- Click Save.
- Click Apply. The application will restart and the HTTPS functionality can then be used.
SSL Certificates (Wildcard)
When an existing wildcard certificate is used with Spok Mobile, the wildcard certificate must be added to the Spok Mobile server, installed on and bound to Spok Mobile, and then tested.
Adding an SSL Certificate to the Server
The SSL certificate must be added to the server. For detailed information on how to do this, please refer to Importing Certificates.
Installing an SSL Certificate into IIS
- Open the Internet Information Services (IIS) Manager.
- Select the desired server.
- Choose the Server Certificates menu option.
- Right-click on the working area in the Server Certificates screen.
- Choose the Import menu option to navigate to the Import Certificate dialog.
- In the Certificate file (.pfx) field, enter the location of the .pfx certificate file.
- In the Password field, enter the password for the .pfx file that is entered into the Certificate file (.pfx) field.
- Select the Allow this certificate to be exported option.
- Click OK.