TeamTalk 5 Professional Server for Windows
-------------------------------------------

TeamTalk 5 Professional Server works pretty much the same as the
TeamTalk 5 Server included with the TeamTalk 5 distribution. The only
difference is that the TeamTalk 5 Professional Server adds the
following features:

- Support for encrypted connections between clients and server
- Support for BearWare.dk WebLogin

The following sections explain how to:

- Setup Simple Encryption Without Server Verification
- Setup Encryption With Server Verification
- Setup Encryption For Client Verification
- Setup BearWare.dk WebLogin
- Start the TeamTalk Professional Server
- Trouble Shooting


Setup Simple Encryption Without Server Verification
---------------------------------------------------

Here's a quick introduction on how to set up a TeamTalk 5 Professional
Server which enables encrypted connections.

Setting up encryption requires a tool called OpenSSL. OpenSSL for
Windows can be downloaded from this website: https://wiki.openssl.org/index.php/Binaries

Locate openssl.exe in the installation folder. The commands below
refer to it as "openssl".

First create a server certificate and private key for your TeamTalk
server by running the following command:

$ openssl req -newkey rsa:4096 -keyout ttserverkey.pem -nodes -x509 -days 3650 -out ttservercert.pem -outform PEM

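Remember the location of the generated private key file
"ttserverkey.pem" and certificate file "ttservercert.pem". Because of
the "-nodes" option the private key is stored unencrypted, so make
sure only the account running the server can read "ttserverkey.pem".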

Now run the TeamTalk 5 Professional Server's setup wizard:

$ ./tt5prosrv -wizard

When asked "Should server run in encrypted mode?" answer "Y".

The wizard will then ask you for the server's certificate file. Here
you write the location of "ttservercert.pem".

Next the wizard will ask for the server's private key file. Here you
write the location of "ttserverkey.pem".


Setup Encryption With Server Verification
-----------------------------------------

Enabling encryption on your server is not enough to guarantee that the
connection is secure. A man-in-the-middle might impersonate the server
which the client is trying to connect to and thereby extract the
client's credentials. To prevent this, the server can be set up to use
a certificate issued by a certificate authority (CA) whose certificate
is shared between the client and server. The client is then able to
verify that the server it is connecting to is authentic.

To enable this extra layer of security we first need to create a
CA certificate by running the following command:

$ openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer

The CA certificate is now located in file "ca.cer". This will be used
by both client and server. Remember your password for "ca.key". You
will need it later.

Now we need to generate the server's private key using the following:

$ openssl genrsa -out ttserverkey.pem 4096

The server private key is now located in the file "ttserverkey.pem".

Now we need to create a request for the CA to generate a server
certificate. This is done using the following command:

$ openssl req -new -key ttserverkey.pem -out server.req -sha256

The server's request for a certificate is now located in the file
"server.req".

Now use the server's request to generate the server's certificate by
providing the "ca.cer" file along with the password for "ca.key":

$ openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 365 -outform PEM -out ttservercert.pem -sha256

The server certificate is now located in the file "ttservercert.pem".

Now we have the files we need to run the TeamTalk Pro Server with
verifiable certificates:

- ca.cer
  - The certificate of the Certificate Authority (CA).
- ttserverkey.pem
  - The server's private key
- ttservercert.pem
  - The server's certificate issued by the CA

Now run the TeamTalk Pro Server's wizard:

$ ./tt5prosrv -wizard

When asked whether to enable encryption choose "Yes". When asked to
provide the "Server certificate file", type the path to
"ttservercert.pem". When asked to provide the "Server private key
file", type the path to "ttserverkey.pem".

Given that we want TeamTalk clients to be able to verify that the
server is authentic we need to provide them with the certificate of
the Certificate Authority (CA). I.e. the file "ca.cer" must be sent to
TeamTalk clients, so they will be able to activate "Verify Server
Certificate" when connecting to your TeamTalk Pro Server.

Now that everything has been configured it is time to start the
TeamTalk Pro Server which is explained in section "Start the TeamTalk
Professional Server".

Setup Encryption For Client Verification
----------------------------------------

A TeamTalk Pro Server can also verify that the clients who connect are
authentic, i.e. having obtained login credentials will not be enough
to log on to your server. Only clients with correct credentials and a
certificate generated by the TeamTalk Pro Server owner will be allowed
in.

To enable client verification first run through the steps in section
"Setup Encryption With Server Verification". This gives us the
certificate of the Certificate Authority (CA) that is needed to
generate client certificates. From here on, the certificate of the CA
is assumed to be in the file "ca.cer".

Now generate the client's private key file using the following
command:

$ openssl genrsa -out ttclientkey.pem 4096

Next create the client's request for a certificate from the CA:

$ openssl req -new -key ttclientkey.pem -out client.req -sha256

Now use the client's certificate request to generate the client's
certificate using the password of the Certificate Authority's private
key file:

$ openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out ttclientcert.pem

Now we have the files we need for the client so it can be verified by
the TeamTalk Pro Server:

- ca.cer
  - The certificate of the Certificate Authority (CA).
- ttclientkey.pem
  - The client's private key
- ttclientcert.pem
  - The client's certificate issued by the CA

Send these three files to the clients so they can activate the extra
layer of security or, better yet, generate a .tt file (using the
TeamTalk client application) with credentials and the three above
files.

To have the TeamTalk Pro Server verify client certificates, run the
setup wizard:

$ ./tt5prosrv -wizard

When asked whether the server should verify client certificates type
"Yes".

When asked for the Certificate Authority file, type the path of
"ca.cer".

Now that everything has been configured it is time to start the
TeamTalk Pro Server which is explained in section "Start the TeamTalk
Professional Server".
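
The following script is an added example, not part of the original
TeamTalk documentation. It checks the files produced in sections "Setup
Encryption With Server Verification" and "Setup Encryption For Client
Verification" before they are given to the wizard or sent to clients:
that the certificate was issued by "ca.cer", that the private key
matches the certificate, and that the certificate is not about to
expire. The function names and the 30-day threshold are assumptions of
this example; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate files created above.
# Function names are made up for this example; only standard openssl
# subcommands (verify, pkey, x509) are used.

# tt_verify_chain CA_CERT CERT: succeeds only if CERT was issued by CA_CERT.
tt_verify_chain() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# tt_key_matches_cert KEY CERT: succeeds only if the private key KEY belongs
# to the public key embedded in CERT. Expects an unencrypted key file, which
# is what the genrsa commands above produce.
tt_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# tt_valid_for_days CERT DAYS: succeeds if CERT is still valid DAYS from now.
tt_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# tt_preflight CA_CERT KEY CERT: run all checks, report each, return 1 if
# any failed. The 30-day expiry threshold is an arbitrary choice.
tt_preflight() {
    rc=0
    tt_verify_chain "$1" "$3"     || { echo "FAIL: $3 was not issued by $1"; rc=1; }
    tt_key_matches_cert "$2" "$3" || { echo "FAIL: $2 does not match $3"; rc=1; }
    tt_valid_for_days "$3" 30     || { echo "FAIL: $3 expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $3 chains to $1 and matches $2"
    return "$rc"
}

# Usage: sh thisscript.sh ca.cer ttserverkey.pem ttservercert.pem
if [ "$#" -eq 3 ]; then tt_preflight "$1" "$2" "$3"; fi
```

The same call works for "ttclientkey.pem" and "ttclientcert.pem". A
self-signed certificate from section "Setup Simple Encryption Without
Server Verification" fails the first check, because no CA issued it.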


Setup BearWare.dk WebLogin
--------------------------

Next up is creating the BearWare.dk WebLogin account. This account can
be created when the wizard asks to create user accounts.

Select the option "Create BearWare.dk web-login account" to enable
BearWare.dk WebLogin. The BearWare.dk WebLogin account is named
"bearware" and is a general account for all users who log on to your
server with a BearWare.dk WebLogin account.


Start the TeamTalk Professional Server
--------------------------------------

Once the configuration wizard has completed you're ready to start your
server using the following command:

$ ./tt5prosrv -nd -verbose

To run the server as a service, so you can log out of your session,
run:

$ tt5prosvc_install.bat


Trouble Shooting
----------------

Email contact@bearware.dk for additional support.
