Install memoQ TMS

First, the memoQ TMS setup program checks the system, detecting available folders and SQL databases. Then, this window opens:

The data folder for memoQ TMS is displayed in the Data folder box, at the top of the window. To change it, click the (Browse) button next to the box, and browse to a different folder, preferably on a different physical disk or storage subsystem.

After you make your choice, stay in this screen, and set up the database for memoQ TMS. (See the next section on this page.)

The second section of the setup screen contains the database settings. By default, memoQ TMS setup will install a new SQL Server instance that is set up like this:

1. It runs on the same computer as the memoQ TMS service;
2. The SQL Server instance is called MemoQServer.

To choose a SQL Server instance that is running on a different computer, type the address of that computer in the SQL Server address box, and then click Choose to choose an instance from the other computer.

To choose a different SQL Server instance on the same computer, leave localhost in the SQL Server address text box, but click Choose to choose a different SQL Server instance on the same computer.

If SQL Server is not yet installed on the computer, the setup program will use these settings nevertheless. When you click Next, it will attempt to install a new instance using the SQL Server installer included in the memoQ TMS setup package. memoQ TMS 11.2 uses SQL Server 2014 Express.

Note: If you are using the memoQ TMS setup package that does not include the SQL Server installer (this is mainly available to developers), the memoQ TMS installer will look for the SQL Server instance that you specified, but it will not attempt to look for and run an SQL Server installer package.

memoQ TMS needs permissions to access SQL server: When you choose a SQL Server instance, two users - the person who is installing memoQ TMS and the memoQ TMS service account - need sufficient privileges to access the memoQ TMS database. Normally, the memoQ TMS setup program configures this, but it cannot do that if, for example, SQL Server is installed on a different computer, and the user installing memoQ TMS has insufficient privileges to configure permissions on databases.

Installing SQL Server separately? Two users need privileges

Separate SQL Server? Do not forget the server-level and database-level roles of affected users.

If you install SQL Server separately, grant specific roles to at least two users.

The user account that represents memoQ TMS (that is the service user) needs the following:

• Over the SQL Server, the preferred server-level role is sysadmin.
• Over the memoQ TMS database, the memoQ TMS service user must be db_owner.

  The user who installs and manages memoQ TMS on the server computer needs the following:

• Over the SQL server, the minimum role is bulkadmin (to make backups of the database), the preferred privilege is sysadmin.
• Over the memoQ TMS database, the user needs to be db_owner.

  To set these up, use the sqlcmd program. To learn more about the commands to set server-level and database-level roles, see the Useful SQL commands topic.

By default, the database is called MemoQServer. It is recommended to leave it that way.

Normally, the database file is stored in the data folder of memoQ TMS – if SQL Server is running on the same computer as memoQ TMS itself.

After you make your choice about the database (normally, you would leave the default settings as they are), stay on the same screen, and configure the service account for the memoQ TMS service.

At the bottom of the setup window, you can choose a service account for memoQ TMS. Practically, this is a ‘user’ on the Windows server, and memoQ TMS will be running under this user’s name. This means that the memoQ TMS service will have the same privileges and permissions as this user account.

Normally, memoQ TMS is set up to work under the name of a virtual service account (called NT SERVICE\MemoQ server service) on operating systems that allow this. This means that the memoQ TMS service has its separate user account, and it can be granted or denied permissions without affecting any other services or programs running on the server computer. This provides for maximum permission security, and will be the preferred option for most IT infrastructure specialists.

It is highly recommended to use the virtual service account: the memoQ TMS setup program will configure all necessary privileges and permissions for it.

After you choose the data folder, the SQL Server instance and the service account, click Next.

As a next step, you need to specify the initial administrative password for memoQ TMS. This will be the password of the ‘admin’ user. In addition, you can set a client connect address for your server. The client connect address is the Internet address or URL that memoQ clients will use to connect to your server. Before choosing and configuring a client connect address, make sure that your server will be accessible by this address.

To set the password, type the password twice in the upper half of this wizard page:

memoQ TMS enforces password complexity. You will not be able to use simple names or words as your password: it must be 12 characters or longer, and it must contain at least one lowercase letter, one capital letter, a digit, and a special character.

To change the client connect address - the external web address of memoQ TMS -, check the Override client connect address check box, and then type the client connect address in the Client connect address box.

Click the links at the bottom of this wizard page to adjust various settings for your memoQ TMS system. To learn more, read the next few sections from this topic.

After setting the password and configuring other settings, click Next.

memoQ TMS can encrypt the connection between the server and the memoQ desktop program. memoQ TMS can use the HTTPS or the TLS protocol for that purpose.

You need a certificate: Before you can configure HTTPS connections to memoQ TMS, you need a certificate on the same computer. You must acquire a certificate from a public certification authority, or else you must create a root certificate for your organization, and derive the server certificate from that.

If you have no public certificate, the memoQ TMS deployment tool – the installer – can create a self-signed certificate for you. To do this, click Configure Resources API in the Install memoQ TMS window. The Configure Resources API window appears:

You need to enable the Resources API before you can create the certificate. Do the following:

1. Check the Enable Resources API check box.
2. Click Install certificates. The memoQ TMS installer will create and install two certificates: a self-signed root certificate to sign the server certificate, and the server certificate itself. While this is happening, command-line windows may briefly appear on the screen.
3. Once the certificates are created, you need to insert the thumbprint (a long numeric identifier) of the server certificate in the Certificate thumbprint box in the same window. To do this, click Use the generated certificate.

   The thumbprint appears in the Certificate thumbprint box:

Click OK to use the certificate and enable the Resources API.

Reinstalling? Use the existing certificate, don't create a new one: On a computer, you only need to create the certificate once. If you reinstall memoQ TMS, you will not be able to create the certificate again. However, in this case, you can click Browse next to the Certificate thumbprint box, and choose the certificate from a menu.

If you are using a self-signed certificate, you may need to install the root certificate on the client computers. To retrieve this certificate, use the Certificates console in Windows, and save the certificate in a file. Transfer this file to the client computers, and use the Certificates console to install the root certificate there.

Once you create the certificate and enable the Resources API, you can use the same certificate to turn on secure connections for other protocols on memoQ TMS. To use the certificate for generic HTTPS connections to the memoQ TMS itself, do the following:

1. In the Install memoQ TMS window, click Configure network connections. The Configure network protocols window opens:

   

2. Check the HTTPS check box to enable HTTPS. For HTTPS to work, you need to specify the certificate you just created. Next to the Certificate thumbprint box, click Browse.
3. In the Windows Security window that appears, click the certificate you have created, and then click OK. The thumbprint of the certificate (a very long hexadecimal string) will appear in the Certificate thumbprint box.

   You can also set the port number where memoQ TMS will listen through each protocol.

Click OK to save the settings and return to the previous window.

If you plan to use the WS API: In the Install memoQ TMS window, click Configure Web Service API. The Configure Web Service API window opens. In this window, check the Use secure con-nection (https) check box. Next to the Certificate thumbprint box, click Browse. From the menu that appears, choose the same certificate you created with the Resources API.

Older memoQ versions don't have secure communication: Earlier versions of the memoQ desktop program – older than memoQ 2015 (7.8) – do not support secure communication. Both the memoQ desktop program and the memoQ TMS must be upgraded to the latest version (at the time of writing, memoQ 11.2).

Proxy servers are OK: HTTP and HTTPS support communication through proxy servers.

To change these settings or set them up later, use the Deployment tool again. In the memoQ TMS section, click Advanced, and from the menu, choose Configure server. This will open the Configure server window, which has a tab for the Network connection, and two other tabs for the Web Service API and the Resources API. To learn more, read the topic about configuring memoQ TMS.

The Web Service API or WS API is the main automation interface of memoQ TMS. Through the WS API, other programs – such as project management systems – can create and manage users, projects, and resources on memoQ TMS.

The WS API is licensed separately. memoQ TMS will not offer this interface if there is no specific license for it.

Exposing the WS API without protection is extremely dangerous. Although the API is not so easy to figure out, a thorough attacker can gain full control of the server in time.

You have three options to secure the WS API:

1. Encryption – you can force callers to use a HTTPS connection, with the same certificate you used to secure the Resources API. (See the previous section on this page.)
2. Shared secret or API key – you can force callers to authenticate using a so-called API key. The API key is the same for every caller, which means you need to protect it well: the more callers know the secret key, the less protected the API is.
3. IP address filtering – Normally, the caller of the WS API will be a server application, running on a computer that has a fixed IP address. You can make sure that no-one can reach the WS API from any other IP address. In addition, if there are numerous callers, but they all belong to a corporate network, you can filter for the addresses of that network, excluding everyone else.

To set up security for the WS API: In the Install memoQ TMS wizard, click Configure Web Service API.

Do not enable the WS API if you are not using it. If you plan to use it later, keep the Enable the WS API check box cleared until there actually is at least one caller application in your organization. Check the check box only if the API needs to be called immediately after that.

In the Base address and security box, enter the address and port where the API will listen. The default port is 8080, but you can use any free port. Make sure that the firewall rules allow the callers to connect to memoQ TMS over this port. For the base address, enter the external address of the server (if the caller application is not on the same computer).

To turn on encryption, check the Use secure connection (https) check box, and choose a certificate. You must choose from existing certificates; you cannot generate or install a new certificate here. To acquire or install a new certificate, configure the security of the Resources API first. To learn how, see the previous section in this topic.

To restrict the IP address of the callers, click the Limit connections to a list of IP addresses radio button, and add the allowed IP addresses to the list below the radio button. You must add the IP ad-dresses one by one; you cannot add IP address ranges (subnets), only individual IP addresses.

To secure the connection using a secret key, check the Enable API key check box. This is a sort of password that callers must send before they can call on the WS API. The deployment tool will automatically fill in the API key box with a randomly generated API key.

If you need to change the auto-generated API key for any reason – for example, because your previous API key was compromised –, you can either paste another key from the clipboard, or make the installer generate a new one. It is recommended to keep the auto-generated key or generate a new one by clicking Generate new API key, because that makes sure that the key will be complex enough not to be guessed easily.

Always use encryption (HTTPS) when you use an API key. If the connection is not encrypted, an eavesdropping attacker could easily extract it from the network traffic, and then impersonate a legitimate caller.

If you set up an API key without using a secure connection (HTTPS) at the same time, the deployment tool will display a warning icon. If you place the mouse pointer over the icon, a message will appear saying your server will not be more secure this way:

These are only the security options that memoQ TMS offers out of the box. You can further strengthen security using industry-standard methods such as setting up a VPN or an IPSec connection to the memoQ TMS – then you can introduce proper authentication where the caller must impersonate a legitimate user of your network, and thus be identified more precisely.

Do not clear the Use advanced fault handling check box unless you need to use an application that was written for a memoQ TMS of version 5.0.52 or earlier. This fault handling mode is crucial for external programs to receive detailed error and status messages from the API.

You can enable or disable the WS API and configure its security later, after memoQ TMS is installed. To return to these settings, use the Deployment tool again. In the memoQ TMS section, click Advanced, and click Configure server. In the Configure server window, click the WS API tab.

memoQ TMS needs to send e-mails for several reasons. to configure how your system will send e-mails, click Configure e-mail SMTP options. You need to specify the e-mail server you are planning to use, and the e-mail address from which memoQ TMS will send e-mails:

1. In the Server URL box, type the Internet address of your organization's e-mail server. If you are not sure, contact your IT staff.

   Modern e-mail systems all require authentication - e-mails must always be sent from a mailbox that can be traced back to the organization. memoQ TMS will need a user name and a password to send e-mails.

2. Check the Authentication check box. In the User name box, type the user name that memoQ TMS will use. In the Password box, type the password that belongs to that user name.
3. Modern e-mail systems all use encryption as well. If your IT staff does not give you different information, check the SSL check box, and type 465 in the Port box. That is the most common configuration. (If the memoQ TMS is in the same secure area of the network as the e-mail server - behind the same firewall -, authentication and encryption may be unnecessary. If you are not sure, contact your IT staff.)
4. Recipients need to know who is sending the e-mail (so that memoQ TMS does not send e-mails directly to the translators' Junk folders). Under Sender, fill in the Address and Name boxes. Address is the e-mail address of the memoQ TMS. Normally, it's a no-reply address because memoQ TMS does not read e-mails. The Name box has the full name for the memoQ TMS. Use a name that tells the user the e-mail is from a memoQ TMS.
5. When everything else is filled in, type your own e-mail address in the Send test e-mail to box, and click Send test e-mail. Watch your e-mail program. If the test e-mail does not arrive in reasonable time, check the settings - but if you cannot find anything amiss, contact your IT staff to resolve the problem.
6. After the test e-mail arrives, click OK. This will save the settings and return to the previous window.

After you choose the data folder, the SQL Server instance, the service account, and at least your administrative password, the memoQ TMS setup program will check if all is set for a successful installation:

If any of the above checks fails (indicated by a red X), you will not be able install the program files. In this case, you will need to click Back, and review your settings.

Troubleshooting: If the setup program complains that the database name is not unique in the SQL Server (that is, a red X appears next to Database name is unique in the SQL Server), you are probably attempting to use an existing memoQ TMS database, but the corresponding copy of memoQ TMS is no longer available on the server. To prevent this, do not remove the previous installation of memoQ TMS before you begin to install memoQ TMS's current version. However, if you have already done that, you can still install memoQ TMS, and start using your existing database. To learn how, see the Troubleshooting memoQ TMS topic.

If all checks pass, click Install to proceed with the installation.

memoQ TMS setup will install memoQ TMS:

When the Install has completed text appears, click Finish to return to the main setup screen. However, memoQ TMS needs to be activated before you can start it. If this is a first-time installation, the memoQ TMS activator program will start automatically.

Keep the main setup screen open while you activate memoQ TMS. You will be able to return to this screen to start the memoQ TMS service afterwards.