Installation Guide: IIS Server Hosting Guideline (EPM)


GfK Media Software Solutions IIS Server Hosting Guideline

Installation Guide IIS Server Hosting Guideline (EPM)

2011 GfK Media Software Solutions


Revision History

Date        Version  Description                   Author
2010-12-23  0.1      Initial version               Pter Kovcs
2011-01-10  0.2      Minor improvements            Pter Kovcs
2011-01-11  0.3      Minor improvements            Pter Kovcs
2011-01-18  0.4      Detailed install steps added  Gbor Prtr, Pter Kovcs

GfK Media Software Solutions, March 2011


Table of Contents

1. Objectives
2. Requirements
   2.1. Software Requirements
   2.2. Windows Features
3. Administrative tasks
   3.1. SSL Configuration
   3.2. Administrative tasks before install
   3.3. Administrative tasks after installation
   3.4. Security administration


1. Objectives

This document describes the system administrative tasks required for installing and operating Evogenius Production System Server (EPM server). This document is intended for system administrators, and assumes that the reader has an in-depth knowledge of Windows Server 2008 administration.


2. Requirements

2.1. Software Requirements

The EPM server has the following software requirements:
- Windows Server 2008 or later (for test purposes Windows Vista or 7 can also be used)
- Internet Information Services 7.5 or later
- .NET Framework 4.0 or later (the installer package will install this if not present)

2.2. Windows Features

The EPM server requires the following Windows Features to be switched on:
- Windows Communication Foundation HTTP Activation
- Windows Communication Foundation non-HTTP Activation

Both features can be found under the Microsoft .NET Framework 3.5.1 node.

Note: If these two features are switched on after .NET Framework 4.0 has been installed, the following command needs to be executed:

aspnet_regiis.exe -iru

The reason for this is that turning on these features will reinstall ASP.NET 3.5 under IIS, and this command will install ASP.NET 4.0, which is also required by the EPM server. This tool can be found in the .NET 4.0 framework directory (usually c:\Windows\Microsoft.NET\Framework64\v4.0.30319\, or c:\Windows\Microsoft.NET\Framework\v4.0.30319\ on 32-bit systems).
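The order of operations from the note above as a script; this is an added example, not part of the original guide. It assumes Windows Server 2008 R2, where the ServerManager module names the two features NET-HTTP-Activation and NET-Non-HTTP-Activ, and an elevated PowerShell prompt.

```powershell
# Added example: enable the two WCF activation features, then re-register ASP.NET 4.0.
# Assumption: Windows Server 2008 R2 feature names (NET-HTTP-Activation, NET-Non-HTTP-Activ).
Import-Module ServerManager

$features = 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ'
$missing  = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })

if ($missing.Count -eq 0) {
    Write-Output 'Both WCF activation features are already enabled.'
    return
}

$result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
if (-not $result.Success) {
    throw 'Enabling the WCF activation features failed.'
}

# Prefer the 64-bit framework directory; fall back to the 32-bit one.
$fx = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319'
if (-not (Test-Path $fx)) {
    $fx = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319'
}
$regiis = Join-Path $fx 'aspnet_regiis.exe'

if (Test-Path $regiis) {
    # .NET 4.0 was present before the features were switched on,
    # so ASP.NET 4.0 has to be registered with IIS again.
    & $regiis -iru
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis.exe exited with code $LASTEXITCODE"
    }
} else {
    Write-Output '.NET Framework 4.0 not found; the EPM installer package will install it.'
}

if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required to finish enabling the features.'
}
```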


3. Administrative tasks

3.1. SSL Configuration

3.1.1. Obtaining an SSL Certificate

A server side certificate is required for a production EPM installation. A valid certificate must be purchased from a trusted Certificate Authority (e.g. VeriSign), otherwise client machines won't trust the server, and a connection cannot be established.

Note: a certificate is connected to a specific domain; it cannot be changed after creation.

For testing purposes it is possible to generate a self-signed certificate using one of these options:
1. generate a certificate using the IIS certificate management tool
2. use the makecert command line tool, which is part of the Windows SDK

Note: A self-signed certificate needs extra configuration when the EPM client and server components are not running on the same machine, because another machine won't accept it, as it is not signed by a trusted certification authority (CA).

3.1.2. Generate a self-signed certificate using the IIS Certificate Management Tool

First select the machine node in the Internet Information Services Manager, and double-click on Server Certificates.


Right-click on the Server Certificates-grid, and select Create Self-Signed Certificate in the context menu.


Note: This creates a certification authority, puts that authority into the trusted authorities store on the current machine, and then creates a certificate signed by this CA.

Next a name should be selected for the certificate. Once OK is pressed, the certificate is created.

The generated certificate is then displayed in the Server Certificates-grid.


Important note: When accessing this machine with SSL (https) the client must use the domain name that is displayed in the Issued To column. Using an alternative address (such as localhost) or an IP address will make the connection fail. The reason for this strictness is that a certificate validates an exact domain or machine. That means that when installing the client, the "<WebServiceRoot>" entry within EvogeniusConfig.xml must contain the exact domain name! Otherwise the client will not be able to authenticate against the server. Note that the domain name is NOT case sensitive!

In order for the client machine to accept the certificate, the self-created CA that signed our self-signed certificate must be installed as a trusted authority on the client. One way to do this is to export the self-signed certificate to a file and transfer it to the client machine.

Remark: The following steps must also be done in case the EPM client is installed on the same machine as the EPM server!

To do this, right-click on the certificate in the Server Certificates-grid and select Export in the context menu.


Note: this will export both the self-signed certificate and the self-created CA. IIS Manager Tool will then ask for a destination file path, and a password for the certificate file. Click OK to finish the export process.

This file should be transferred to the client machine.

3.1.3. Install the certificate and the Certificate Authority to the client machine

On the client machine the certificate and the CA have to be imported: Start mmc.exe, then select File -> Add/Remove Snap-in.

Select Certificates under Available snap-ins, and click Add.


In the dialog window select Computer Account, and click Next.

In the next page Local computer will be selected by default. This is what is needed, so click Finish.


The certificate should be imported into the Trusted People store so that a connection can be established. Right-click on the Trusted People node and select All Tasks -> Import. Please note: if the client operating system is Windows XP, this certificate file needs to be imported to the Trusted Root Certificate Authorities node. This step is done automatically by newer Windows versions (Vista, 7, Server 2008).


An Import Wizard will come up. Click Next in the Welcome page. In the File import page select the certificate file which was transferred from the server, and then click Next.


In the next page give the password for the certificate, and click Next.


The next page is the Certificate Store page. Trusted People is selected, so simply click Next.

Click Finish on the last page, and both the certificate and CA will be imported on the client machine.

Remark: You can leave the MMC without saving the changes - the new certificate will remain on your PC.

3.1.4. Using the Windows SDK with the makecert command line tool

For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.

3.2. Administrative tasks before install

The web site which will host the EPM Server web application has to support the following bindings:

- https
- net.tcp
  When adding a net.tcp binding to a web site the binding information should be the following: <port>:<hostname or ip>. Usually <port>:* is sufficient. Be sure to use port 8733 - for IIS hosting a different port is used compared to self hosting.
- net.pipe
  When adding a net.pipe binding to a web site the binding information should be: *

The binding for the net.pipe protocol is mandatory, since the authentication service uses it internally. Bindings for https and net.tcp are optional, however at least one of them is necessary, otherwise clients won't be able to use any of the services.

Important note: In rare cases using an https binding in conjunction with http can be problematic, so in case of issues try deleting the http binding while retaining the https binding. If there is a conflict because both https and http are in the list of Site Bindings at the same time, you will receive an "Unknown error occurred" message during login, accompanied by the hint that the service "net.tcp://<machine_name_or_IP>:8733/Evogenius/ProductionSystem/UtilityService/UtilityService.svc" could not be activated. Removing the http binding from the list of Site Bindings solves this problem.

3.3. Administrative tasks after installation

The installer application will create a web application; however, before it is used, the net.tcp and net.pipe protocols must be enabled. Navigate to the EPM Server web application node in IIS Manager (default is /Evogenius/ProductionSystem). Click Advanced settings in the Actions list to the right. Fill http,net.tcp,net.pipe into the Enabled Protocols field. If either the https or the net.tcp protocol is not an available binding in the hosting web site, it can be left out of the enabled protocols.


Also be sure that the application pool of the web application uses the v4.0 .NET Framework version. To do that, press the button at Application Pool in the Advanced Settings dialog of the Evogenius IIS site.

At Select Application Pool please make sure the ASP.NET v4.0 is selected from the combo-box.
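The binding, protocol and application pool rules of sections 3.2 and 3.3 can be checked in one pass with the WebAdministration module. This is an added example, not part of the original guide; the site name "Default Web Site" is an assumption, and the application path is the default stated above.

```powershell
# Added example: audit a site against the rules of sections 3.2 and 3.3.
Import-Module WebAdministration

function Test-EpmHosting {
    param(
        [string]$SiteName = 'Default Web Site',             # assumed site name
        [string]$AppPath  = '/Evogenius/ProductionSystem'   # default from the guide
    )
    $findings  = @()
    $bindings  = @(Get-WebBinding -Name $SiteName)
    $protocols = @($bindings | ForEach-Object { $_.protocol })

    # net.pipe is mandatory and its binding information must be "*".
    $pipe = @($bindings | Where-Object { $_.protocol -eq 'net.pipe' })
    if ($pipe.Count -eq 0) {
        $findings += 'net.pipe binding missing (the authentication service needs it).'
    } elseif (@($pipe | Where-Object { $_.bindingInformation -eq '*' }).Count -eq 0) {
        $findings += 'net.pipe binding information should be "*".'
    }
    # Clients need at least one of https / net.tcp.
    if (($protocols -notcontains 'https') -and ($protocols -notcontains 'net.tcp')) {
        $findings += 'Neither https nor net.tcp is bound; clients cannot reach any service.'
    }
    # IIS hosting expects net.tcp on port 8733.
    foreach ($b in @($bindings | Where-Object { $_.protocol -eq 'net.tcp' })) {
        if (($b.bindingInformation -split ':')[0] -ne '8733') {
            $findings += "net.tcp binding '$($b.bindingInformation)' is not on port 8733."
        }
    }
    if (($protocols -contains 'http') -and ($protocols -contains 'https')) {
        $findings += 'http and https are both bound; remove http if service activation fails.'
    }
    # Application level: Enabled Protocols and application pool runtime.
    $app = Get-WebApplication -Site $SiteName | Where-Object { $_.path -eq $AppPath }
    if (-not $app) { return $findings + "Application $AppPath not found under $SiteName." }
    $enabled = @($app.enabledProtocols -split ',' | ForEach-Object { $_.Trim() })
    foreach ($p in 'net.pipe', 'net.tcp') {
        if (($protocols -contains $p) -and ($enabled -notcontains $p)) {
            $findings += "$p is bound on the site but not listed in Enabled Protocols."
        }
    }
    $pool = Get-Item "IIS:\AppPools\$($app.applicationPool)"
    if ($pool.managedRuntimeVersion -ne 'v4.0') {
        $findings += "Application pool '$($pool.Name)' runs $($pool.managedRuntimeVersion), not v4.0."
    }
    return $findings
}

Test-EpmHosting   # prints one line per deviation, nothing when the site is compliant
```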


3.4. Security administration

3.4.1. net.tcp

By default EPM server uses the default security configuration of the net.tcp protocol, which uses transport security and Windows authentication. This protocol is used by .NET Framework internally, so no extra configuration is required in IIS, only in the web.config file. Windows authentication makes this protocol usable only in an intranet; using different authentication requires configuration changes both for client and server.

3.4.2. https

By default EPM server uses transport security configuration for http protocol, meaning it can be served as a standard https service, so configuration of https binding is required.

Note: For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.
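For https, the name and trust rules from sections 3.1.2 and 3.1.3 can be checked on the client before the first login. This is an added example, not part of the original guide; the function name and the sample host name are constructed, and the address passed in is the value of the <WebServiceRoot> entry in EvogeniusConfig.xml.

```powershell
# Added example: client-side check of the certificate rules in sections 3.1.2 and 3.1.3.
function Test-EpmClientTrust {
    param([string]$WebServiceRoot)   # value of <WebServiceRoot> in EvogeniusConfig.xml

    $findings = @()
    $uri = [Uri]$WebServiceRoot
    if ($uri.Scheme -ne 'https') {
        return @("Scheme is '$($uri.Scheme)'; the certificate checks apply to https only.")
    }
    $hostName = $uri.Host
    $ip = $null
    if ($hostName -eq 'localhost' -or [System.Net.IPAddress]::TryParse($hostName, [ref]$ip)) {
        $findings += "'$hostName' is an alias or IP; use the exact name from the Issued To column."
    }

    # Computer-account stores named in section 3.1.3 (Trusted Root is the Windows XP case).
    $stores   = 'Cert:\LocalMachine\TrustedPeople', 'Cert:\LocalMachine\Root'
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # -eq compares strings case-insensitively, matching the guide's remark on domain names.
    $certs = @(Get-ChildItem $stores |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $hostName })

    if ($certs.Count -eq 0) {
        $findings += "No certificate issued to '$hostName' in Trusted People or Trusted Root."
    }
    foreach ($c in $certs) {
        if ($c.NotAfter -lt (Get-Date)) {
            $findings += "Certificate $($c.Thumbprint) expired on $($c.NotAfter)."
        }
        if ($c.HasPrivateKey) {
            # The IIS export contains the private key; a separate client needs only the public part.
            $findings += "Certificate $($c.Thumbprint) has its private key in this store."
        }
    }
    return $findings
}

# Constructed sample address; replace with the real <WebServiceRoot> value.
Test-EpmClientTrust -WebServiceRoot 'https://epm-server01/Evogenius/ProductionSystem'
```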
