Configure Windows Server for hosting the EDC service and login site
Please complete the prerequisites below on a server that is on your network. It can be in a DMZ so long as the proper ports are set up. Port forwarding to an internal domain-joined server is not recommended, but it is possible. If you do not require general internet access, but only VPN or internal network access, then an internal-network-only server is possible.
Server specs
- Windows Server 2019+
- 2 GB memory
- 4 GB hard disk space
- This is a lightweight application. It can run on an existing server with spare resources.
Site Url and DNS
A fully qualified domain name must be used in order to facilitate the SAML authentication process (e.g. https://login-thoughtfarmer.domain.com NOT https://login-thoughtfarmer). This is separate from your cloud URL. Users will be redirected to this URL to complete the login process.
If you require public internet access and have a DMZ server configuration setup then you must also own the domain and be able to add public DNS entries for it. Add a public A record in your DNS that points to the public gateway for your network. You will need to apply the proper Firewall forwarding rules to redirect requests from your gateway to the DMZ server.
For internal network only sites you will need to create an internal DNS record on your Domain Controller.
In some cases you may need to have both an internal and public DNS record depending on your specific DNS configuration and domain. If you are unsure contact a Systems Administrator from your IT Team.
TLS Certificate
A secure https connection is required for all network connections regardless of whether it is in a DMZ or internal network configuration. Since the domain you use is your own, your IT team will be responsible for the ongoing generation and renewal of certificates when they expire. We can provide monitoring services to remind your team when certificates will expire if the site is publicly reachable.
Generation of TLS certificates will depend on your certificate provider. You may use any valid modern certificate. Self-signed certificates are not supported as they are a security risk for production systems.
See our page on Installing or updating a TLS certificate for more details.
Outbound Firewall rules
For both internal network and DMZ configurations the server needs to be able to make https requests on port 443 to your cloud site URL.
In addition, if you have a DMZ configuration port 636 needs to be open from the EDC server to your internal network. Additional Network Address Translation configuration will need to be in place for the server to resolve the name of the domain controller.
Install prerequisites
- Install URL Rewrite 2.0.
- Install .NET Framework 4.8 runtime (requires a server reboot).
- Install ASP.NET Core runtime - Windows hosting bundle (requires a server reboot).
Configure Features and Role services
The following instructions are for configuring Windows Server 2019+ from scratch. If IIS is already installed and running please use this section as a checklist to ensure all additional required components are configured.
- From Server Manager, click Manage in the upper right hand corner and then click Add Roles and Features.
- You can also select this from the quick select menu if it has not been hidden.
- Under Server roles add Web Server (IIS). Accept and click Next.
- Add required role services for Web Server (IIS):
  - Common HTTP Features
    - Static Content
    - Default Document
    - HTTP Errors
  - Application Development
    - .NET Extensibility 4.7
    - Application Initialization
    - ASP.NET 4.7
    - ISAPI Extensions
    - ISAPI Filters
  - Security
    - Windows Authentication
    - Basic Authentication
    - Request Filtering
  - Management tools
    - IIS Management Console
  - Performance
    - Static Content Compression
    - Dynamic Content Compression
  - Health and Diagnostics
    - HTTP Logging
    - Request Monitor
    - Tracing (recommended but not required)
- Confirm selections and click Install.
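The following PowerShell script is an added example, not part of the original page or the vendor's own tooling. It installs the IIS role services listed above by their Install-WindowsFeature names and then checks the DNS, outbound port and TLS certificate prerequisites from the earlier sections. The three host names at the top are placeholders to replace with your own values; the certificate check assumes the login FQDN appears in the certificate subject (adjust the filter for a wildcard certificate).

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated PowerShell session on the EDC server.
$LoginFqdn  = 'login-thoughtfarmer.domain.com'   # placeholder: your login site FQDN
$CloudHost  = 'yourcompany.thoughtfarmer.com'    # placeholder: your cloud site host
$DomainCtrl = 'dc01.corp.domain.com'             # placeholder: domain controller for LDAPS

# IIS role services required by the checklist above, as Windows feature names
$features = @(
    'Web-Server',
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',     # Common HTTP Features
    'Web-Net-Ext45', 'Web-AppInit', 'Web-Asp-Net45',                 # Application Development
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Windows-Auth', 'Web-Basic-Auth', 'Web-Filtering',           # Security
    'Web-Mgmt-Console',                                              # Management tools
    'Web-Stat-Compression', 'Web-Dyn-Compression',                   # Performance
    'Web-Http-Logging', 'Web-Request-Monitor', 'Web-Http-Tracing'    # Health and Diagnostics
)
$result = Install-WindowsFeature -Name $features
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A reboot is required before continuing.' }
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Feature not installed: $($_.Name)" }

# DNS: the fully qualified login site name must resolve from this server
try   { Resolve-DnsName -Name $LoginFqdn -ErrorAction Stop | Out-Null; "DNS OK: $LoginFqdn" }
catch { Write-Warning "DNS lookup failed for $LoginFqdn" }

# Outbound firewall: 443 to the cloud site; 636 (LDAPS) to the domain controller for DMZ hosts
foreach ($t in @(@{ Host = $CloudHost; Port = 443 }, @{ Host = $DomainCtrl; Port = 636 })) {
    $ok = (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($ok) { "Port open: $($t.Host):$($t.Port)" } else { Write-Warning "Blocked: $($t.Host):$($t.Port)" }
}

# TLS: require a CA-issued (not self-signed) certificate for the login FQDN and flag near expiry
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$LoginFqdn*" -and $_.Subject -ne $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No CA-issued certificate for $LoginFqdn found in LocalMachine\My" }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }
else { "Certificate OK until $($cert.NotAfter)" }
```

Any warning printed by the script corresponds to a prerequisite above that is still incomplete.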