Internet Client Access (ICA) Installation

This document covers setting up the ICA module on your own webserver. If you are leasing the ICA module, contact Patriot for installation instructions.

ICA Diagram

Prerequisites

Database Setup

Run the following script against the patriot database. Make sure you change the password 'Str0Ng_Passw0rd' in the script below. Choose a suitably strong password, preferably including some numbers and non-alphanumeric characters. Keep a note of this password.

This will set up an SQL user that can login and access the Patriot Database. It will grant all the necessary rights required for the ICA Website.


-- This section only needed if 'ila' user already exists.
EXEC sp_revokedbaccess 'ila'
EXEC sp_droplogin 'ila'

-- Create 'ila' security user, and grant access to Patriot db.
-- Make sure to change the password below.
EXEC sp_addlogin 'ila', 'Str0Ng_Passw0rd','patriot'
EXEC sp_grantdbaccess 'ila', 'ila'
GRANT SELECT ON ActionPlan TO ILA
GRANT SELECT ON Attend TO ILA
GRANT SELECT ON CallChain TO ILA
GRANT SELECT, INSERT, UPDATE, DELETE ON Calllist TO ILA
GRANT SELECT, INSERT, DELETE ON CalllistUserGroupings TO ILA
GRANT SELECT ON Cities TO ILA
GRANT SELECT ON Countries TO ILA
GRANT SELECT, INSERT, UPDATE ON MZone TO ILA
GRANT SELECT, UPDATE ON Memalarm TO ILA
GRANT SELECT ON MemalarmBg TO ILA
GRANT SELECT, INSERT, UPDATE ON MUser TO ILA
GRANT INSERT ON OperatorLog TO ILA
GRANT INSERT ON RecSigs TO ILA
GRANT SELECT ON OpenClosTimes TO ILA
GRANT SELECT ON PanelTypes TO ILA
GRANT SELECT ON Reason TO ILA
GRANT SELECT ON Reminders TO ILA
GRANT SELECT ON Signal TO ILA
GRANT SELECT ON States TO ILA
GRANT SELECT ON Tasks TO ILA
GRANT SELECT ON UserGroupings TO ILA
GRANT SELECT ON UserGroupingAP TO ILA
GRANT SELECT, INSERT, UPDATE ON UserToClient TO ILA
GRANT SELECT ON UserToUserGroupings TO ILA
GRANT SELECT, INSERT ON WebAccess TO ILA

You can test the script has run correctly by, still on the SQL server, bringing up a command line prompt and enter:

sqlcmd -U ILA

And then enter the password.

This will log you into SQL. Type exit to exit out of the SQL Command line utility.

Server .NET Setup

All the following instructions are performed on the webserver, unless specified.

  1. Install .NET framework (version 4.5) if it is not already present.

    You can check what versions of .NET are installed by looking in Control Panel under Programs and Features, or "Turn Windows Features on or off".

    .NET Framework installed
    The list of installed software on the ICA webserver should show .NET Framework 4.5 is installed.

    If you dont have .NET V4.XX installed, download and install it from the offical ASP.Net website: www.asp.net

    Once you have the .NET Framework 4.5 installed, you should be able to add an Application Pool to Internet Information Services (IIS) which uses version 4.5:

  2. Enable 32 bit applications within your .NET Framework v4 AppPool:

    Enable 32 bit applications
    32-Bit Applications must be enabled within your ICA Application Pool for the latest ICA versions to run correctly.
  3. Reboot and check to make sure everything is installed by one of the methods listed above.
  4. If you are using IIS v6 or v6.1 you need to make sure that ASP.NET v4 has status Allowed.

    In IIS v6 this setting is under Web Service Extensions:

    Web Service Extensions

    In IIS v6.1, the setting is under ISAPI and CGI Restrictions (setting visible under the home folder):

    ISAPI and CGI Restrictions Button

    ISAPI and CGI Restrictions

Patriot ICA Website Install

  1. Download the Patriot ICA Install Files (ICAInstall64.exe) from the ICA downloads page on the Patriot website.

  2. Create a folder under default website folder (usually c:\Inetpub\wwwroot by default) called 'ICA'. Run ICAInstall.exe and extract all contents into the ICA folder(C:\Inetpub\wwwroot\ICA).

  3. Run IIS

  4. Change settings on the ICA folder to Application.

  5. If SSL certificate is installed, under SSL Settings, tick Require SSL.

Setup ICA Website config files

  1. Go into the ICA folder, and find the file appsettings.config (you may have to show system hidden files). Edit this file with Notepad.

  2. Set Site ID: Replace xxxx (or the 4 digit number after key=") in the keys with a chosen 4 digit code. This will be your Site ID for your monitoring station, and will be used when logging in to the ICA website, as part of the username.

    Examples:

    Key Name Change to
    key="xxxxDBConn"
    key="1000DBConn"
    key="xxxxHomePage"
    key="1000HomePage"
    key="xxxxStationName"
    key="1000StationName"

    When a user logs into the ICA Website, their username will be the Site ID + their Patriot User ID.

    Example:

    Site ID User ID ICA Login
    1000 2049 10002049
  3. Connection Strings:

    <add key="xxxxDBConn" value="server=[Webserver IP Address];database=patriot;uid=ila;pwd=[ICA User Password]" />

    Replace [Webserver IP Address] with the IP address or host name of the patriot server.

    Replace [ICA User Password] with the password you gave the ila user.

    If you are hosting your own ICA, the value for "DBConn" should be the same as "HostDBConn". Just copy and paste the value.

  4. Station ID:

    <add key="xxxxStationID" value="[Your Company Name]" />

    Replace [Your Company Name] with your Monitoring station name. This name appears in web access log. Keep this under 30 characters in length.

  5. Home Page:

    <add key="xxxxHomePage" value="[Your Home Page URL]" />

    Replace [Your Home Page URL] with station home page address. The page you wish your clients to go to on exit.

  6. Station Name:

    <add key="xxxxStationName" value="[Company Name]" />

    Enter in your company name. This name appears in header of each page.

  7. Station Moto:

    <add key="xxxxStationMoto" value="[Your Moto]" />

    This appears underneath Station name.

  8. Station Logo:

    <add key="xxxxStationLogo" value="Images/[Image Name]" />

    Appears above station name in page headers. Include extension, eg Logo.gif

  9. Station Email:

    <add key="xxxxStationEmail" value="[Station Email Address]" />

    Email address that feedback/change requests are sent to.

  10. Station Email Server:

    <add key="xxxxStationEmailServer" value="[smpt server name]" />

    Replace with Stations smtp server.

    eg smtp.xtra.co.nz

    You must also add 3 additional key entries to configure email server authentication, as follows

    add key="XXXXStationEmailLogin" value=""

    add key="XXXXStationEmailPassword" value=""

    add key="XXXXStationEmailSSL" value="NO"

    If your email server does not require authentication, enter the keys as above, otherwise fill in the authentication details. SSL can be enabled by changing the SSL value to "YES"

  11. Show Header:

    <add key="xxxxShowHeader" value="YES" />

    Make sure the following key exists. For now set the value to "YES". If you wish to use your own header and footer files, you will need to change this to "NO".

  12. Encryption

    <add key="UseEncrypt" value="NO" />

    Make sure the following key exists. Leave the value as "NO" for now.

  13. Support for legacy IIS web server

    Note: you can skip this step if you are running the latest version of IIS in Integrated mode.

    <system.webServer>

    <modules runAllManagedModulesForAllRequests="true" />

    </system.webServer>

    If your webserver is running IIS 6 (or IIS 7 in Classic mode) you will need to set the "runAllManagedModulesForAllRequests" attribute to true in the modules section of your web.config (which should be located in the same folder as appsettings.config).

    After setting this attribute, you will also need to explicitly allow unverified access to your style sheets and images so they can be rendered on your user login form. You can do this by adding location sections to your web.config:

    <location path="Content">

    <system.web>

    <authorization>

    <allow users ="*" />

    </authorization>

    </system.web>

    </location>

    Allow unverified access to the Content subdirectory (style sheets)

    <location path="Images">

    <system.web>

    <authorization>

    <allow users ="*" />

    </authorization>

    </system.web>

    </location>

    Allow unverified access to the Images subdirectory

  14. Also in web.config, if the following key exists:

    <compilation debug="true" targetFramework="4.5" />

    Change the value of debug from "true" to "false".

  15. Save the changes to appsettings.config and web.config

Configuring ICA for Data Service Access

Some ICA functionality requires the web server to access the Patriot Data service. If the web server is located on the same machine as your Patriot Data service, or the connection between the web server and the Patriot server is on a secure internal connection, this communication doesn't need to be encrypted, so follow the Setup - Unencrypted. If the connection to the Patriot Data service is not via a secure internal connection then it is highly recommended secondary encrytion is used to encrypt the connection, see Setup - Encrypted.

Setup - Unencrypted

The following keys must be added to the ICA config (appsettings.config),

<appSettings>
    ...
    <add key="1000ServerName" value="PATRIOTSERVER1" />
    <add key="1000ServerPortNumber" value="8001" />
    <add key="1000ServerUseEncryption" value="NO" />
    <add key="1000ServerDomain" value="" />
    <add key="1000ServerPassword" value="" />
    <add key="1000ServerUserName" value="" />
    ...
</appSettings>

Where 1000 should be replaced with your appropriate Station ID.

ServerName needs to be set to the address of the machine hosting the Patriot Data service. ServerPortNumber needs to the same port number the Patriot clients use to connect.

No further configuration is required.

Setup - Encrypted

The Patriot Data Service must first be configured so an encrypted connection can be made to it. A windows user also needs to be created to authenticate against. See Encrypting Communication.

To enable secondary encryption, edit the PatriotService.exe.config file in the Patriot Data Service installation folder. Look for the <PatriotService.Settings1> section, and locate the following setting:

<setting name="EnableSecondaryEncryption" serializeAs="String">
	<value>False</value>
</setting>

Change the value to True to enable this mode, if this setting is missing from your configuration file, add it below the other settings.

The default port used by this service is 10001. To change this port number, open the PatriotService.exe.config file using a text editor, the secondary port is set as follows:

<setting name="EncryptedServicePortNo" serializeAs="String>
	<value>10001</value>
</setting>

The changes will take effect the next time that the Data Service is restarted.

The following keys must be added to the ICA config (appsettings.config),

<appSettings>
    ...
    <add key="1000ServerName" value="PATRIOTSERVER1" />
    <add key="1000ServerPortNumber" value="10001" />
    <add key="1000ServerUseEncryption" value="YES" />
    <add key="1000ServerDomain" value="EncryptedDomainName" />
    <add key="1000ServerPassword" value="EncryptedUserName" />
    <add key="1000ServerUserName" value="EncryptedUserPassword" />
    ...
</appSettings>

Where 1000 should be replaced with your appropriate Station ID.

ServerName needs to be set to the external address of the machine hosting the Patriot Data service.

ServerPortNumber needs to be set to the encrypted service port used on the Patriot Data service.

Set UseEncryption to YES.

A windows user must be setup on the domain hosting the Patriot Data service. This user can have limited access as its only required to authenticate the password. This users credentials will be used to access authenticate access to the data service. Details of setting up this user, and configuring the data service are contained in the above link on Encrypting Communication.

The values for ServerDomain, ServerUserName, and ServerPassword must be encrypted. The easiest way to do this is to use the Patriot Client. From the login window, edit the settings, set encryption on, and set Use Alternate Authentication. This will display the 3 entry boxes for domain, user, and password. Enter in your values here, then save. From the Patriot Client installation folder, open the config file, and copy the values for these 3 fields, as they will now be encrypted.

Reporting Setup

ICA has the ability to allow reports to be run. These reports are temporarily saved onto the ICA server. Write permission to this folder must be given to the Windows User running the application pool the ICA website is running in.

These steps may vary depending on which version of IIS is being used. This example applies to IIS7.

  1. Open IIS7
  2. Select ICA Website
  3. Go to Basic Settings and see which application pool you're using.
  4. Go to Application pools and find application pool from #3
  5. Find system account used for running this application pool (Identity column)
  6. Navigate to the Reports folder in IIS (this will be a sub directory directly in the ICA folder, if it doesn't exist you'll need to create it first), select it and click on Edit Permissions (under Actions sub menu on the right)
  7. Open security tab and add write permission to the user you identified in #

Microsoft's ReportViewer 2010 Redistributable must also be installed on the webserver. The ReportViewer installation file is included as part of the Patriot Installer (by default this will be located on the Patriot Server, in the folder \\Program Files (x86)\Patriot Systems\Patriot Installer\). Alternatively you can download it from the Microsoft website.

Patriot User Setup

Full documentation on ICA User groupings and access rights can be found in ICA User Setup. A quick summary is also provided in this section.

ICA User Access Group Configuration

  1. In Patriot go to Maintenance -> Users -> User Groupings.
  2. Add a new Grouping.
  3. Name it appropriatly and give it Special Group Properties of 'ClientWebAccess' from the drop down menu.
  4. You can also change Special Group Properties to allow or deny access to specific data.
ICA User Group Settings
Creating a user group with ICA rights.

ICA User Configuration

  1. Select a site User from the Users tab of a client file or directly with the User Maintenance tool

  2. In the Global Details section, on the 'Groups' tab assign the new ICA Group you created.

  3. On the 'Passwords' Tab enter a password in the ICA Pin input feild.

  4. Take note of the USER ID.

ICA User Settings
Assigning a site user to an ICA grouping.


Testing the ICA Website

  1. Open a web browser.

  2. Go to:
    http://[Your ICA webserver address]/ICA/memalarm3.aspx
  3. In the User ID field, enter the 4 digit Site ID code (you used in the appsettings.config), followed by the user's User ID, then use the ICA Pin you entered for this user.

    In our set up example, the User ID is 14, and the Site ID we used was 1000. This would make the User: 100014 and the Password: 5555.

Once you have logged in, you will have access to view all the Patriot Clients that this user has been assigned to.

ICA Advanced

If you have the Advanced ICA module registered your users will have access to a number of advanced features including site user, alarm response and schedule maintenance.

Each advanced ICA function has a corresponding security right which can be assigned to individual ICA access user groupings via Maintenance -> Users -> User Groupings within Patriot.

Additional Setup - Security, Language and Timezones

Encryption:

For additional security, the database connection string should be encrypted.

  1. Go into the ICA folder, and find the file appsettings.config (you may have to show system hidden files). Edit this file with Notepad.

  2. Copy the value of the "HostDBConn" key

  3. Startup a browser and login to ICA. Then enter the following URL into the address field of your browser,

    http://[ICA address]/ICA/TestEncryption.aspx

    This should display the Test Encryption Page. Paste the value of the "HostDBConn" key into the Data To Encrypt field. Don't include the " " around the connection string. Press the Encrypt button, this should display an encrypted string in the Encrypted Data field. Copy this string, then go back into the appsettings.config file, and paste it into the value of the "HostDBConn" key and the "xxxxDBConn" key.

  4. Alter the "UseEncrypt" key in the appsettings.config file and change the value to "YES"

  5. Save the changes to the appsettings.config file. And test logging in to ICA.

  6. Remove the file testencryption.aspx from the ICA folder, but keep a copy of this incase you need to change the value of the connection strings.

Regional Settings:

It is possible to change the regional settings to control how dates and numbers are displayed in ICA, and also to translate all phrases used in ICA. To do this, edit the appsettings.config file. Directly underneath the <system.web> line, add in a new line as follows:

<globalization culture="en-NZ" uiCulture="en-NZ"/>

Change en-NZ to whichever regional settings you require. Click here for a list of valid culture codes.

The regional settings can also be adjusted from inside Internet Information Services Manager. Select the ICA site in the IIS settings manager, and select .NET Globalisation. In this section you can select the required regional setting from a drop-down list.

It is also possible to attempt auto-detection of the users regional settings. This is useful if your users are from different regions and require different settings. To do this, set the culture to "auto" (Auto-Detect when using IIS Manager). When auto detection is being used, the users browser selects the regional settings used (if their browser supports this feature and is configured with the correct regional settings). To specify a fallback setting if the user browser doesn't support auto-detection, you can add a : and then the fallback culture name, e.g. culture="auto:en-NZ"

The culture selected dictates what language ICA is translated into. ICA shares the same translation resources as the Patriot client. See ICA Translation for details on how to setup additional language translation resources for ICA.

Timezone Support:

ICA should be setup to match the time zone configuration setting of Patriot (System Menu -> Settings -> System Wide Settings -> Data Service Settings).

Add a new key in the appsettings.config to set the time zone support mode of ICA

add key="XXXXTimeZoneMode" value="Standard"

where XXXX is replaced by your monitoring station ID. The value should be one of "Disabled", "Legacy", or "Standard", so it matches the Patriot System settings for time zone mode.

If you are using Legacy mode, you must also add 2 new key entries to the appsettings.config file, as follows

add key="XXXXDLSStart" value="0000"
add key="XXXXDLSEnd" value="0000"

where XXXX is replaced by your monitoring station ID. If you don't require time zone support, enter the keys as above. If you do require time zone support, 0000 can be replaced with the start and end dates of daylight saving for the monitoring station, in the format of DDMM

Logout Timeout:

The deafult time for the ICA webpage logout is 20 mins, there are couple of ways to increase the session timeout:

Open the web.config in your ICA folder, under system.web node, provide the follow code:

<sessionState timeout="60" />

Under <authentication mode="Forms"> node, add timeout attribute in the following key :

<forms name="SampleAuth" loginUrl="UserLogin.aspx" defaultUrl="memalarm3.aspx" slidingExpiration="true" timeout="60"/>

Save the changes to web.config, this will set the ICA logout timeout to 60 mins.

Open your IIS and go to your ICA website.

Click on Session State under ASP.net

Scroll down to Cookie Settings.

Here you can change the Session Timeout as shown in the figure.

SessionState

Session State

Modifying the Look

For details on how to edit the way ICA looks, go to ICA Customisation.