Prerequisites:

• Windows Server 2019

• If using Active Directory, then the server must be part of the AD Domain.

Use the following steps to set up your server environment for installing Nintex RPA.

1. If your installation uses Microsoft SQL:

   1. Install Microsoft SQL Server Management Studio.

      • Download and install SQL Server Management Studio on the Nintex RPA server. This is required for access to the managed database. You can download the installer from Download SQL Server Management Studio (SSMS).

   2. Install Microsoft SQL Server. The Nintex RPA Server installation has the option of installing MS SQL 2017 Express as part of the installation and installs two databases. If you're happy using MS SQL 2017 Express, then skip this step and the next step.

      • Download and install MS SQL Server 2016 or later. During installation, ensure that installation is using default instance AND that mixed mode authentication is enabled with valid credentials for “sa” user.

   3. Verify your database user permissions.

      • If MS SQL Server was previously installed, you must confirm that the database user used for your Nintex RPA system has sysadmin and public server role permissions. To verify this:

        1. Log-in to SQL Management Studio.

        2. Select the Security tab and open the Logins folder.

        3. Right-click on the provided user and select Properties.

        4. Navigate to the Server roles tab and verify that the user has sysadmin and public permissions selected.

2. Verify if the IIS service is running.

   1. Open your Windows services configuration panel (run Services.msc).

   2. Check the list of services for the World Wide Web Publishing Service. If the service is in the list and is running, first Stop the service and then set the Startup Type to Disabled. If the service is not available, continue to the next step.

3. Verify your Powershell privileges.

   1. Start your Windows Powershell client using Run as Administrator.

   2. At the command line run Get-ExecutionPolicy.
   3. Confirm that the returned policy is Bypass, AllSigned, or Unrestricted.
   4. If the policy returned is not one of the above, run Set-ExecutionPolicy Bypass to update your policy privileges to Bypass.
   5. When prompted with the execution policy change, select [A] Yes to All.
4. Verify that the required ports are not in use.

   1. Launch the command prompt.

   2. Verify for each port (except 80 and 443) to be used for your installation that it is not in use. Use the command “netstat -aon | findstr “<YourPortNo>”.

      Ports Utilized by the RPA environment:

      Port Number	Purpose	Usage
      80 / 443 (Configurable)	Nginx	Client to Server Comms
      1433 (Configurable)	Database	RPA Server to DB server
      3555	Idp Api Svc	RPA Server to Aerobase
      5000	RDP Svc	Client to Server Comms
      5011	LeoJSWebServer	Internal Comms (Client)
      5341	Seq	RPA Server to Seq Server
      5353	Discovery Svc	Internal Comms (Server)
      5671 / 5672	RabbitMQ	RPA Server to RabbitMQ (AMQP)
      5698	Aerobase (Master Realm)	RPA Server to Aerobase
      6379	Redis	RPA Server to Redis server
      7600	High Availability (HA)	Bi-directional between RPA servers
      8081 (Configurable)	HttpComPort	Internal Comms (Server)
      8082 (Configurable)	NetComPort	Internal Comms (Server)
      8083 (Configurable)	HttpsComPort	Internal Comms (Server)
      8085	Kryon Connector	Internal Comms (Client)
      8090	High Availability (HA)	Bi-directional between RPA servers
      31336	Kryon Updater	Internal Comms (Client)
      50000	Queue Collector Svc	Internal Comms (Server)
      50001	Queue Manager Svc	Internal Comms (Server)
      50002	Task Manager Svc	Internal Comms (Server)
      50003	Studio Manager Svc	Internal Comms (Server)
      50004	Feature Toggle Svc	Internal Comms (Server)
      50005	Robots Manager Svc	Internal Comms (Server)
      50006	Public Api Svc	Internal Comms (Server)
      50007	History Manager Svc	Internal Comms (Server)
      50008	Clients Manager Svc	Internal Comms (Server)
      50009	Unattended Ui Svc	Internal Comms (Server)
      50010	License Manager Svc	Internal Comms (Server)
      50016	Notifications Svc	Internal Comms (Server)
      50023	Calendars Svc	Internal Comms (Server)
      50025	Magician Svc	Internal Comms (Server)
      50100	Triggers Svc	Internal Comms (Server)
      50103	ConsoleX Ocelot Svc	Internal Comms (Server)
      50104	ConsoleX Auth Svc	Internal Comms (Server)
      50105	ConsoleX Settings	Internal Comms (Server)
      50106	ConsoleX Unattended	Internal Comms (Server)
      51012	Raw Fetcher Svc	Internal Comms (Server)
      51018	Vault Svc	Internal Comms (Server)
      52935	DAC Comms	Internal Comms (Client)

   3. If no result is returned, then that port is not in use. If you see results, identify the PID seen in the result and verify it against the Details tab in Window's Task Manager.

   4. Ensure that any port conflict is deemed to be risk free before proceeding. If port conflict is seen, try restarting the server to clear any ports being locked from earlier processes and verify again. If conflicts are still seen, consider using a different port or seek further advice internally.

5. Check the SSL Certificate.

   1. Ensure that the SSL certificate provided is issued against the either the FQDN of the Nintex RPA server or a wild-card certificate against the user’s domain. The certificate must also be CA certified and not self-signed. If it isn’t, please reach out to the administrator to ensure the correct certificate is provided.

   2. The password of the certificate issued must not contain the following special characters. If the password contains any of these special characters, please request that the administrator to regenerates the certificate with a valid password. There is no workaround available.

• ‘ (apostrophe)

• “ (double-quotes)

• \ (backslash)

• \t (tab)

• \n (line feed)

• \r (caret return)

• \v (vertical tab)

• and space

6. Disable the anti-virus.

   • Verify if any anti-virus or end point protection software is installed and enabled on the Nintex RPA server. It must be disabled before you start the installation.

7. Restart the server.

   • It is a good practice to restart the server after completing all the steps above before commencing the upgrade. After restarting the server, open Task Manager and click on Users tab, and ensure that there are no other active users seen. If there are, disconnect them from the session.

1. Before you start, make sure you have the correct installer version, and that it has not been blocked by Windows.

2. Run NintexServerSetup64bit with administration rights, or run it from an administrator command line using the following switches:

   • start /wait NintexServerSetup64bit_22.9.1.7.exe check_install_folder=false

3. When the installer splash screen displays, click Next. The Express install option is not recommended, as it skips all the configuration steps using default values.
   

4. In the Target Folder screen, update the path of the installation location. We recommend using a Nintex folder on the desired drive, i.e. C:\Nintex. Click Next.

   The path is limited by the operating system, so a short path is best.

   Make sure the Install folder:

   • is on a local drive that has at least 100Gb free storage and at least 20Gb free storage on C:\.

   • isn't a root folder of a drive (e.g., C:\).

   • has a full path that doesn't exceed 20 characters in length.

   
   

5. In the Deployment Type screen, select Unattended Automation. For more information on Unattended and Attended automation types below. Click Next.

   Unattended Automation:

   • Robots are installed on a virtual machine.

   • Connected to the RPA server.

   • Run a predefined sequence of actions on a preset schedule or trigger.

   • Operate independently without human intervention.

     

   Attended Automation:

   • Robots are installed on the employee desktop.

   • Connected to the RPA server.

   • Remain dormant until triggered by an employee or an action.

   • Similar to virtual assistants and require human intervention.

     

   To change the automation type after your installation is complete, see how to edit the config files in Nintex Assistant - Attended Automation.
   
   

6. In the Servers screen, update the Application server name. This should be the FQDN (Fully Qualified Domain Name) hostname of the server that you are installing on. Click Next.

   If FQDN is not available, this should be the hostname of the server. DO NOT use the server’s IP address.

   
   

7. In the High Availability screen select Single machine deployment. If you need a High Availability environment, please contact Nintex support for further assistance. Click Next.
   

8. In the RabbitMQ service screen type or change the default RabbitMQ admin password as desired. If RabbitMQ is already installed, this screen won't show.

   Typically, you won't need the Work with SSL or Join cluster options as RabbitMQ is an internal service. For those options see RabbitMQ service. Click Next.

   Do not use special characters @, # or ? in the password, as these will cause issues.
   
   

9. In the RPA Clients screen, select English as the default Search engine language. This configures the language used in the RPA Client applications, such as Nintex RPA Robots, and Studio. It can be manually changed in the config file. Click Next.
   

10. In the Secured connection (TLS) screen, you have three options:

    • Without SSL/TLS Certificate

    • Secured (generate a new certificate)

    • Secured (provide an existing certificate).

    An installation without an SSL/TLS certificate is only used for simple installations for testing.

    Secured (generate a new certificate).

    Under CA certificate, click on Browse to locate the organization's certificate authority (CA) PFX file and let the installation generate the certificate automatically for you.

    • You must have the CA trusted on the client machines (Robot and Studio).

    • Secured SSL/TLS connection is recommended for RPA System Hardening and Vulnerability Management.

    

    See Preparing a self-signed certificate for installation.

    Secured (provide an existing certificate).

    If you are upgrading or re-installing or have an existing certificate, then select the Secured (provide an existing certificate) option. Then either select a PFX file and provide the password, or select Certificate is already installed and configure the certificate from the Windows Store and the CRT, KEY, and PEM files for NGINX communication certificate settings. Click Next.
    

    Your files must:

    • be signed by the organization's certificate authority (CA) .

    • contain the RPA server FQDN in the Subject field (for example, CN=prodserver.mycompany.com).

    • contain the RPA server FQDN in the Subject Alternative Names field (for example, DNS=prodserver.mycompany.co).

11. In the Ports screen, make sure the default ports are not in use on the server, and if they are then change them to ports that are open.

    Select Open all ports in Windows Firewall to have the corresponding firewall rules established on the server.
    
    
    If you encounter a Failed getting ports in use list error, please close the installer window and start the installation again to overcome the issue.
    
    Click Next.

12. In the SEQ - centralized log repository screen, leave the default option as Install SEQ locally. If you have an existing SEQ server, then select the Use remote server option and configure the options. Click Next.

    You can pull the remote Seq information from the URL used to access Seq on the remote server. The URL structure is as follows: {SEQ Protocol}://{SEQ serverFQDN}:{SEQ Server Port}/{End point}

    Check out the Seq developer's website to learn more about installing and working with Seq.

    
    

13. There are three options in the User Authentication screen:

    • Single sign on (Kerberos)

    • Require username and password

    • Enable Nintex permissions system

    You can select one or more of these options. Once you have selected the options required for your organization, click Next.

    Single sing on (Kerberos) for Active Directory

    This option sets your Nintex RPA system to use Active Directory, and enables the Connect to Active Directory, Active Directory Groups and Platform Security configuration screens.

    Select Single sign on (Kerberos).
    

    Selecting Single sign on means you must sync users between Active Directory and the RPA server after installation.

    Require username and password

    If your organization requires username and password authentication, select the Require username and password option. You then need to configure users and their passwords using your local Nintex Admin application.

    Enable Nintex permissions system

    If your organization requires specific levels of user permissions, select this checkbox to enable using Nintex's internal permissions system. This enables the assignment of read, write, and publish permissions to Studio users and robots for specific libraries and categories of automation workflows.

14. For Service Credentials, specify a user's Username and Password. This user must have local administration rights. This sets up credentials for the Nintex RPA application services. Click Next.

    If you selected Single sing on (Kerberos) in the previous screen, use an Active Directory user's Username and Password.
    

    When running the installation using a Local Admin user, if you apply the credentials of a user who isn’t a member of the local admin group, that user is automatically added to the local admin group.

15. In the Authentication Service Credentials screen, leave the default selection of the same user configured for Service Credentials. This screen configures the Aerobase authentication service user for the Aerobase services. Aerobase is an open-source identity and access management (IAM) platform. If your security policies require different users for difference services, you can configure a dedicated domain user by using the option in the drop-down. Click Next.
    

16. If you selected If you selected Single sign on (Kerberos) in the User Authentication screen in the User Authentication screen you now configure the Active Directory options:

    Active Directory User Authentication

    1. On the Connect to Active Directory screen the Connection URL is automatically configured from the domain, the drop-down shows both connections and either URL will work. Select the Organization unit that contains the users groups to use . You must sync the users between the services after the installation is complete. Click Next.
       You can only select one Organizational unit.
    2. On the Active Directory Groups screen, leave the default Do not use Active Directory groups to authenticate option selected unless you only need to grant access to specific AD Groups from the Organization unit. If you select Use Active Directory groups to authenticate, then the installer returns the AD groups available (this can take some time). Click Next.
       You can select multiple groups.
       
       
    3. On the Authentication Platform Security screen you have the following three options for applying the KEYTAB file:
       1. Provide a KEYTAB file post installation.
       2. Use an existing KEYTAB file.
       3. Generate a KEYTAB file.

       Select the Generate a KEYTAB file option. You can either enter the domain administrator username and password, or generate the KEYTAB file using the Copy command to clipboard command line, and then apply that KEYTAB file using the Use an existing KEYTAB file option. See Authentication Platform Security for more information. Click Next.
       

       If you choose to generate the KEYTAB file using the command line, the user performing the command must have Domain Administration rights. The resulting KEYTAB file is located in C:\ProgramData.
17. In the Connect to Database screen, configure access to your Microsoft SQL Server database, or if you don't have select Install local SQL Server 2017 Express. Click Next. For more information, see Connect to Database. Click Next.
    
18. Use the RPA Authentication DB screen to test the connection to the authentication database, or select Skip DB connection test. Click Next.
    
19. In the Keycloak default user credentials screen enter passwords for the AuthAdmin and test user. The AuthAdmin account is used to log in to the Aerobase system. Click Next.
    
    These credentials must be remembered or stored securely as you must enter these passwords when you upgrade to a new version.
20. In the Support Tools screen, select to install the additional helper applications you need. Click Next.
    
    If any of these tools are already installed, that option will appear grayed out.
21. Use the Components to Install screen to review what will be installed and configured. Click Previous to return to the previous screens. Click Install to install the Nintex RPA Server.
    
    If any of these components are already installed, they will appear grayed out.
    Once the Nintex RPA Server is installed, you must activate your license and sync users before using the client applications.
22. Your installation of Nintex RPA Server is now complete. Click Close.

    

1. From the Windows Start menu, locate and run the Nintex Admin tool.
2. Log in with the credentials created during your installation. You may be prompted to change the temporary password upon first log in.

   Username: admin

   Password: Aa123456!

   You can also access this user and password in Aerobase user management.
3. Activate your License. Follow the steps in Activating Your RPA License.
4. Turn the Credentials Vault on. Follow the steps in Enabling the Credentials Vault..
5. Add an Application. Follow the steps in Managing Applications.
6. Create new wizard and sensor Libraries. Follow the steps in Managing Libraries. Link them to your application and company. .
7. If you installed your Nintex RPA server with Single sign on (Active Directory)
   Sync your users

   1. Add your federation in the Nintex Admin tool.
      Follow these steps:

      Connect a federation with a company

      To connect a federation with a company:

      1. In the Menu Pane, click Companies and Users.

      2. In the Entities Pane, select the company with which you want to associate a user federation.

      3. The selected company's data appears in the Properties Pane.

      4. In the General tab's User management section, click the link.

         

      5. The Add federation window appears.

      6. Select the federation to connect to the company.

      7. Optional: Select the default permissions that you wish to automatically assign to each user. These permissions can be manually edited for individual users following sync.

         

      8. Click the OK button to save your changes.

      9. The connected user federation will now appear in the User management section.

         

   2. Log into Aerobase, select User Federation and then select Kryonaws. At the bottom of the Settings tab click Synchronize all users. This synchronizes with Active Directory.
   3. Sync your users in the Nintex Admin tool.
      Follow these steps:

      Sync users to Nintex Admin Tool

      After connecting the user federation, follow these steps to sync the federation's users to the Admin:

      1. In the Properties Pane, select the Users tab.

      2. Click the Sync Users button.

         

      3. The Sync Users Window opens.

      4. Click the Run button to begin the sync.

         

      5. The Sync Users Window will close, and you will be returned to the Users tab. At any point, click the Sync Users button again to see the status of the sync process (but close the window without clicking the Run button again).

      6. When the sync is complete, the Status column in the Sync Users Window displays Finished

         

   If you are using the three day free license and want to use a domain user to test the system, use the Nintex Admin tool to search for and edit that user's Status.
   

Now that your Nintex RPA Server has been installed and configured, you can install the client applications on the client computers.

Nintex RPA Studio

Use Nintex RPA Studio to create and manage automation content for Nintex Robots. Automation wizards are recorded by the RPA developer in Studio and then accessed by users who run it on their own computers (attended automation) or by robots who run it on virtual machines (unattended automation).

Nintex RPA Studio must be installed on the same server as your Nintex RPA server, and on the client computers.

Nintex RPA Robots - Unattended Automation

In this scenario we installed the Nintex RPA server for unattended robots. Unattended means a client installed on a virtual machine that runs wizards (i.e., sequences of instructions) on target applications with no human intervention, working behind the scenes to automate high-volume, repetitive, time-consuming business processes.

Nintex RPA Dynamic Commands

Nintex RPA Dynamic Commands can be installed on both the server and client computers.

When installing on the client, a set of predefined commands is installed by the installer. Installing on the server allows for a distributed system of commands. See Dynamic Commands for more information.

1. On your client computer, run the Nintex RPA Robot application (double click on the desktop icon or run it from the Start menu).

2. You should get a message telling you that this robot is pending approval, as shown below:
   

3. On your Nintex RPA Server, log in to Nintex Console.

4. Select the Robots option, then select the Pending approval tab.

5. Click the three dots menu option and select Approve.
   

6. Enter a new name for this Robot and click Yes, approve.

7. Now that the Robot is approved, assign it to a queue. Click the three dots menu option , select Assign to queue. Select the queue from the list of option and click Assign 1 queue.

8. Back on your client computer, restart the Nintex RPA Robot application. The Nintex Robot app should show.
   

9. Start Nintex RPA Studio.

10. In Wizards, create a New Category, then create a New Wizard. Give the wizard a Name and click Get Started.

11. In the Nintex Wizard Editor, add a Show message action to Step 1.

12. In the message dialogue enter Test is complete as your message and click OK.

13. Close the editor and publish the wizard. On the Status option click Change, then select Published and click Set Status.

14. Click Save changes to complete the wizard.

15. On your server computer, in Nintex RPA Console, select Tasks.

16. Create a new Task with the name Test.

17. For this task select the wizard that you just created and add it to the default queue.

18. Click Add to queue.

19. Back on the client computer the Robot should display the Test is complete message pop up.

20. This shows that your Nintex RPA system is working, and you can go on with creating automations for your business.