Configure Windows Server for hosting the EDC service and login site
This document outlines the infrastructure, networking, and software requirements for deploying the ThoughtFarmer Employee Directory Connector (EDC).
The EDC is installed within your network and enables synchronization between ThoughtFarmer and your directory service. Before installing the EDC, ensure that the server, networking, DNS, and security requirements outlined below have been completed.
Server requirements
Please provision a server within your network that adheres to one of the following architectural models depending on your security requirements:
- DMZ Configuration: Accessible from the public internet. Ensure proper port-forwarding rules are established. Note: Direct port-forwarding to an internal domain-joined server is highly discouraged due to security risks.
- Internal Network Configuration: Restricted to VPN or local corporate network access only. In this deployment, inbound access from the internet is not required, but the server must still be able to reach the ThoughtFarmer Cloud endpoint.
Minimum server specifications
The gateway is a lightweight application and may be co-hosted on an existing enterprise server with sufficient spare capacity.
| Requirement | Minimum Specification |
|---|---|
| Operating System | Windows Server 2019 or later |
| Memory (RAM) | 2 GB allocated |
| Storage Space | 4 GB available hard disk space |
Network, DNS, & Security Configuration
Site URL and DNS requirements
To facilitate the SAML authentication handshake, you must assign a fully qualified domain name (FQDN) to this service (e.g., https://login-thoughtfarmer.domain.com). Short names (e.g., https://login-thoughtfarmer) are not supported. Users will be redirected to this FQDN to complete their login workflow.
- Public Internet Access (DMZ Deployments): You must own the target domain and have administrative rights to modify its public DNS zone. Create a public A Record pointing to your network's public gateway IP address, and implement firewall rules to route inbound requests from the gateway to the DMZ server.
- Internal Network Only Deployments: Create an internal DNS record on your primary Domain Controller pointing directly to the host server.
- Split-Brain DNS Deployments: Depending on your internal domain routing architecture, you may need to configure identical internal and public DNS zones. If you require assistance, please contact your internal Identity and Access Management (IAM) or Systems Administration team.
TLS Certificates
A secure HTTPS connection is mandatory for all network architectures, including internal network-only environments.
- Management: Because the domain belongs to your organization, your IT team is fully responsible for generating, deploying, and renewing these certificates before expiration.
- Monitoring: ThoughtFarmer can provide automated external monitoring and expiration alerts for gateways that are publicly accessible over the internet.
- Compliance: You may utilize any valid, modern certificate from a trusted Certificate Authority (CA). Self-signed certificates are explicitly unsupported due to the security vulnerabilities they introduce to production authentication workflows.
See our page on Installing or updating a TLS certificate for more details.
Firewall & port architecture
Ensure the network topology permits traffic through the following ports:
| Source | Destination | Port / Protocol | Requirement |
|---|---|---|---|
| Gateway Server | ThoughtFarmer Cloud Site | Port 443 (HTTPS) | Mandatory for both DMZ and Internal configurations. |
| DMZ Gateway Server | Internal Active Directory | Port 636 (LDAPS) | Mandatory for DMZ configurations utilizing the Employee Directory Connector (EDC). |
Note for DMZ setups: Network Address Translation (NAT) rules must be explicitly configured to allow the DMZ gateway server to correctly resolve the FQDN of your internal Domain Controllers.
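The DNS, TLS and port requirements above can be checked from the gateway server before installation. The following PowerShell script is an added example, not part of the ThoughtFarmer documentation; the login FQDN, ThoughtFarmer Cloud hostname and domain controller name are placeholders to replace with your own values.

```powershell
# Added verification script; placeholder values below must be replaced.
$LoginFqdn        = 'login-thoughtfarmer.domain.com'   # example FQDN used on the page
$CloudHost        = 'example.thoughtfarmer.com'        # placeholder: your ThoughtFarmer Cloud site
$DomainController = 'dc01.corp.example.local'          # placeholder: internal DC reached over LDAPS

function Test-EdcDns {
    param([string]$Name)
    # Short names are unsupported, so reject anything without a domain suffix first.
    if ($Name -notmatch '\.') {
        return [pscustomobject]@{ Name = $Name; Ok = $false; Detail = 'not an FQDN' }
    }
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
        [pscustomobject]@{ Name = $Name; Ok = [bool]$a; Detail = ($a.IPAddress -join ', ') }
    } catch {
        [pscustomobject]@{ Name = $Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-EdcPort {
    param([string]$Target, [int]$Port, [string]$Purpose)
    # TCP reachability only; a firewall that drops the packet shows up as a failure here.
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port = $Port; Purpose = $Purpose; Ok = $r.TcpTestSucceeded }
}

function Get-RemoteCertExpiry {
    param([string]$HostName, [int]$Port = 443)
    # Completes a TLS handshake as a client and reports the served certificate's expiry.
    # Chain or hostname validation failures (e.g. a self-signed certificate) throw.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Host     = $HostName
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    } finally { $tcp.Close() }
}

Test-EdcDns -Name $LoginFqdn
Test-EdcPort -Target $CloudHost -Port 443 -Purpose 'Gateway -> ThoughtFarmer Cloud (HTTPS)'
Test-EdcPort -Target $DomainController -Port 636 -Purpose 'DMZ gateway -> Domain Controller (LDAPS)'
Get-RemoteCertExpiry -HostName $LoginFqdn
```

The LDAPS check only applies to DMZ deployments; in an internal-only deployment the port 636 line can be dropped.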
Software prerequisites
- Install URL Rewrite 2.0.
- Install .NET Framework 4.8 runtime (requires a server reboot).
- Install ASP.NET Core runtime - Windows hosting bundle (requires a server reboot).
Configure Features and Role services
The instructions below detail how to configure an unmanaged instance of Windows Server 2019 or later from scratch. If Internet Information Services (IIS) is already operational on the host, utilize this list as a compliance checklist to ensure all mandatory subsystems are enabled.
- Open Server Manager, click Manage in the upper-right corner, and select Add Roles and Features.
- Progress to the Server Roles selection screen, check the box for Web Server (IIS), accept the required dependencies, and click Next.
- Advance to the Role Services subsection and ensure the following features are checked:
  - Common HTTP Features
    - Static Content
    - Default Document
    - HTTP Errors
  - Application Development
    - .NET Extensibility 4.7
    - Application Initialization
    - ASP.NET 4.7
    - ISAPI Extensions
    - ISAPI Filters
  - Security
    - Windows Authentication
    - Basic Authentication
    - Request Filtering
  - Management Tools
    - IIS Management Console
  - Performance
    - Static Content Compression
    - Dynamic Content Compression
  - Health and Diagnostics
    - HTTP Logging
    - Request Monitor
    - Tracing (recommended but not required)
- Review and confirm your selections, then click Install.
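On a host where IIS already exists, the same role-service list can be applied as the compliance check the section describes. This PowerShell script is an added example, not part of the ThoughtFarmer documentation; it uses the standard ServerManager feature names that correspond to the role services above and must be run from an elevated session.

```powershell
Import-Module ServerManager

# Feature names correspond one-to-one to the role services listed above.
$RequiredFeatures = @(
    'Web-Server',                                                    # Web Server (IIS)
    'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-App-Dev', 'Web-Net-Ext45', 'Web-AppInit', 'Web-Asp-Net45', # .NET Extensibility / ASP.NET 4.x
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Security', 'Web-Windows-Auth', 'Web-Basic-Auth', 'Web-Filtering',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console',
    'Web-Performance', 'Web-Stat-Compression', 'Web-Dyn-Compression',
    'Web-Health', 'Web-Http-Logging', 'Web-Request-Monitor'
)
$RecommendedFeatures = @('Web-Http-Tracing')   # Tracing: recommended but not required

function Get-MissingWebFeatures {
    param([string[]]$Names)
    # Returns the subset of $Names that is not installed on this host.
    Get-WindowsFeature -Name $Names |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

$missing = Get-MissingWebFeatures -Names $RequiredFeatures
if (-not $missing) {
    Write-Host 'All mandatory IIS role services are installed.'
} else {
    Write-Host "Missing mandatory role services: $($missing -join ', ')"
    # Installs only what is missing; append -WhatIf to preview without changing the server.
    $result = Install-WindowsFeature -Name $missing
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Installation finished but the server needs a reboot.'
    }
}
$optional = Get-MissingWebFeatures -Names $RecommendedFeatures
if ($optional) { Write-Host "Recommended but not installed: $($optional -join ', ')" }
```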