
Benjamin KAHANE
Information concerning UAC, TOE, Java Variables, Offline Files, Desktop Experience, Security Policies
Please note that in the versioning history of this article below, you can access information relevant to earlier Dalet software/Windows generations and their requirements. The active/future versions of this article will refer only to the current state of affairs.
The content below concentrates on particular modifications introduced in Windows versions following Windows XP. General software settings are listed in the Recommendations document.
Link to Dalet minimum AD user requirements table Full_Windows_Authentication_for_Dalet.
This document describes the additional configuration required on the above mentioned Windows versions, to assure proper operation of Dalet applications.
The actions described in this white paper should be performed prior to the Dalet software installation.
Data Execution Prevention (DEP) is a security feature included in current Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region.
On Windows servers, DEP has to be set to "Data Execution Prevention for essential Windows Programs and Services Only". To access this setting, right-click "My Computer" and select "Properties". In the Properties window, click "Advanced", then click the Data Execution Prevention tab. Setting it to “All Programs” can lead to software crashes and other problems.
For Dalet Brio, DEP must be enabled. This can be done from the command line (with elevated rights):
bcdedit.exe /set {current} nx AlwaysOn
Like the GUI setting, this command enables it for Windows services only.
Since the release of Windows Server 2008, Microsoft has moved most of the common Windows feature services (such as Windows Media and DirectX support) into the Desktop Experience feature, which can be added on top of the basic Windows Server 2008/2012 installation. Otherwise these features are disabled.
For Dalet to be able to run, the Desktop Experience feature should be enabled on the server:
1. Open the Administrative Tools page and then double-click the icon of the Server Manager.
2. In the server manager, Click Add Features under Features Summary.
3. In the Add Features Wizard dialog box, ensure that the Desktop Experience is selected.
4. Click Next, and then click Install.
5. After the installation is complete, click Close, and then close Server Manager.
Alternatively, use the command line “ServerManagerCmd -install Desktop-Experience”.
The previous tools SetServer/SetClient have been retired in favor of the ZET PowerShell tool. Please refer to the ZET PowerShell tool article.
User Account Control (UAC) is a technology and security infrastructure introduced in the Windows Server family with Windows Server 2008, and in Windows 7 and later. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an elevation of privileges.
By default Dalet servers require Administrator privileges on the running machine. At the simplest level, this requires turning off the UAC. If this is not an option, jump to: If UAC cannot be disabled due to Customer’s Security Policy.
Click Start, and then click Control Panel
In Control Panel, click User Accounts. You can also click the User’s Image in the Start Menu
Click on Change User Account Control settings and in the properties window pull the slider all the way down.
If the UAC settings offer no way to switch it off, you can do so through the local policy on each server: disabling the "Run all administrators in Admin Approval Mode" policy setting turns UAC off. When UAC is turned off, files and folders are no longer virtualized to per-user locations for applications that are not UAC compliant, and all local administrators are automatically logged on with a full administrative access token.
Described here are the minimal settings required so that Dalet can run normally under UAC restrictions.
Changing these settings obviously requires administrator access.
These are the settings:
In the Local Group Policy Editor (start it by running 'gpedit.msc'), go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, and change the following settings:
To 'Create global objects' add the local 'Users' group (it should include the 'Domain Users' group).
To 'Increase a process working set' also add the local 'Users' group.
The same settings apply in domain scenarios. The difference is that instead of using the Local Group Policy Editor and Regedit, the domain administrator usually applies the settings by changing the GPO of the computer group or OU.
Concerning Windows 11, 10 and Windows 2022 and earlier, you need to run Dalet applications "As Administrator". To run without this specific option, and to be able to drag and drop media into a Dalet Galaxy client (Windows showing a drop-forbidden icon), you have to add the current user as a local administrator in the Server Manager app, and in the Local Security Policy app > Local Policies > Security Options set "User Account Control: Run all administrators in Admin Approval..." to "Disabled".
Radio Suite HD (legacy)
For this to work, the machine must have the Dalet agent “channel detector” running. In the computer management console, under Security Settings > Local Policies > Users, make sure that all groups on this machine are assigned to the CreateGlobalObject policy.
On Windows 2016 and later, the firewall does not need to be disabled. Read more in System Recommendations for Dalet Products.
Dalet requires running the Dalet servers without firewalls. To disable the firewall, perform the following operations:
1. Click Start, click Control Panel, click Network and Internet and then under Windows Firewall, click Turn Windows Firewall on or off.
2. On the General tab of Windows Firewall Settings dialog box, select Off and then click OK.
Or via the command line “netsh advfirewall set AllProfiles state off”.
If the customer insists on using Windows firewall, note that Dalet applications use TCP ports in the range 7900 to 9000; these ports should be left open.
This can be done via the firewall GUI or via the command line with:
for /L %i in (7900,1,9000) do netsh firewall add portopening TCP %i "Dalet Port %i"
An in-depth list of ports used in Dalet is linked here.
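The loop above creates one rule per port (1,101 rules) through the older netsh firewall interface. As an added example (not from the original article and not Dalet's own tooling), the PowerShell function below opens the same TCP range with a single inbound rule and warns about any firewall profile that is switched off; the function name, the rule name and the Domain/Private profile scoping are assumptions made for illustration.

```powershell
# Added example, not Dalet's own tooling. Needs an elevated session and the
# NetSecurity module (Windows Server 2012 / Windows 8 or later).
function Set-DaletPortRule {                      # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $DisplayName = 'Dalet TCP 7900-9000',   # hypothetical rule name
        [string]   $PortRange   = '7900-9000',             # range given in the article
        [string[]] $NetProfile  = @('Domain', 'Private')   # assumption: no Public-network servers
    )

    # A rule only matters where the firewall is on: flag profiles switched off.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
        Write-Warning "Firewall profile '$($_.Name)' is disabled."
    }

    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($rule) {
        # Rule already exists: reset it if its port filter has drifted.
        $current = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
        if ($current -ne $PortRange -and
            $PSCmdlet.ShouldProcess($DisplayName, 'Reset local port range')) {
            Set-NetFirewallRule -DisplayName $DisplayName -LocalPort $PortRange
        }
    }
    elseif ($PSCmdlet.ShouldProcess($DisplayName, 'Create inbound allow rule')) {
        $params = @{
            DisplayName = $DisplayName
            Direction   = 'Inbound'
            Action      = 'Allow'
            Protocol    = 'TCP'
            LocalPort   = $PortRange
            Profile     = $NetProfile
        }
        New-NetFirewallRule @params | Out-Null
    }

    # Return what is in place now so it can be logged or compared later.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction, Action, Profile,
            @{ Name = 'LocalPort'; Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } }
}

Set-DaletPortRule -WhatIf    # preview only; remove -WhatIf to apply
```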
Using the Sync Center’s feature to enable offline files can lead to access problems to files associated with titles. In the relevant Dalet logs, you may find the error: \\xxx.xxx.xxx.xxx\dalet\storage\SPLIT_Audio_12\000c5e0f.wav (The specified network name is no longer available.
That can be resolved by disabling offline files from within the Sync Center (Control Panel\All Control Panel Items\Sync Center), under Manage offline files.
Restart the computer once this setting has been modified.
Dalet Galaxy uses the native ODBC wizard. Concerning the SQL driver there, consult: Native SQL driver version.
Updating Java path variables is not necessary. Dalet solutions use their own Java.
The TOE (TCP Offload Engine) capabilities of Windows Server operating systems should be disabled, regardless of which NIC you are using. This can be done via the CLI and by modifying registry keys.
Via the CLI, run the following commands:
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh int tcp set global netdma=disabled
Then add or modify the following values at HKLM\System\CurrentControlSet\Services\TCPIP\Parameters:
EnableRSS with DWORD value of 0
DisableTaskOffLoad with DWORD value of 1
EnableTCPA with DWORD value of 0
The above registry setting modification can be achieved via CLI:
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v EnableRSS /t REG_DWORD /d 0
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v DisableTaskOffLoad /t REG_DWORD /d 1
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v EnableTCPA /t REG_DWORD /d 0
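To confirm the three values after a reboot or an image rebuild, the read-only check below reads them back from the key named above and lists any that are missing, of the wrong type, or different. It is an added example, not part of the original article or of Dalet's tooling, and the function name is hypothetical.

```powershell
# Added example: read back the TOE-related registry values listed in the
# article and report drift. Read-only; it changes nothing.
function Test-DaletToeRegistry {                  # hypothetical function name
    param(
        [string] $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    )

    # Expected values exactly as given in the article.
    $expected = [ordered]@{
        EnableRSS          = 0
        DisableTaskOffload = 1
        EnableTCPA         = 0
    }

    $regKey = Get-Item -Path $Key -ErrorAction Stop
    $names  = $regKey.GetValueNames()

    foreach ($name in $expected.Keys) {
        # Registry value names are case-insensitive, as is -contains.
        $present = $names -contains $name
        $actual  = if ($present) { $regKey.GetValue($name) }     else { $null }
        $kind    = if ($present) { $regKey.GetValueKind($name) } else { $null }

        [pscustomobject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = if ($present) { $actual } else { '<missing>' }
            Kind     = $kind
            # Correct only if present, stored as REG_DWORD, and equal.
            Ok       = $present -and ($kind -eq 'DWord') -and ($actual -eq $expected[$name])
        }
    }
}

$result = Test-DaletToeRegistry
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) {
    Write-Warning 'TOE registry settings differ from the documented values.'
}
```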