Table of Contents |
---|
This installation procedure is made using the following Windows Server versions: 2012 r2 and 2019 Standard. Some installation steps might differ in other Windows versions. This is not production setup guide. This guidance can be used in restricted test environment installation.
Info |
---|
Note that since v. 8.4 also the Accounting Service URLs configured in |
Step 1: Add Internet Information Service - Feature into Windows Server 2012/2019
- Use Server manager for installing IIS: Manage → Add Roles and Features
...
Click Add roles and features.
...
Select IIS feature and accept all additional component that is suggested.
...
Before installing, setup shows confirmation where components are listed. Click Install.
...
After Installation, IIS is shown in Server Management view.
Info |
---|
Microsoft IIS does not support server farms by default and to make this feature work, an update packages have to be installed. For installing additional extensions or plugins, Microsoft Web Platform Installer is convenient way to do it. Web Platform installer can be found from https://www.microsoft.com/web/downloads/platform.aspx If that is not an option: Web Farm extension can be found from https://www.iis.net/downloads/microsoft/web-farm-framework Application Request Routing 3.0 extension can be found from https://www.iis.net/downloads/microsoft/application-request-routing |
...
Info |
---|
If port 8080 is used for the SSO HTTP traffic an outbound rule has to be created for the firewall to pass the traffic. |
...
Since v. 8.4 add to the list of the ports the configured Accounting Service local port, e.g. "8080, 8084", and name the rule accordingly. |
Open the Firewall advanced settings: click the Windows button → type: firewall → select Windows Firewall with Advanced Security.
- Create a new Outbound rule:
- Under the Windows Firewall with Advanced Security on Local Computer field,
...
- click the Outbound Rules
...
- Under the Actions field, click
...
- New Rule..
...
- .
Under the Rule Type page, select the option Port and click the Next button.
- Under the Protocols and Ports page, choose the following:
- Does this rule apply to TCP or UDP:
TCP
- Specific remote ports:
8080
- Click the Next button.
- Does this rule apply to TCP or UDP:
- Under the Action page
...
- :
- Choose the option: Allow the connection.
- Click the Next button.
- Under the Profile page
...
- :
- Choose that the rule applies with Domain, Private and Public.
- Click the Next button.
- Under the Name page
...
- :
- Assign a name for the rule.
- Click the Finish button.
Step 3. Configure Reverse Proxy for SSO
Info |
---|
This is an example configuration for an IIS Server to function as a reverse proxy in front of two SSO-servers. This configuration example is not intended for production environments. In production, encrypted communication between the proxy and the SSO server is strongly recommended. |
Reverse proxy configuration consists of the following operations:
- Open the Internet Information Services (ISS) Manager
- Create a self-signed certificate
- Add a website
- Add a server farm
- Verify the Routing rule and URL Rewrite Rule
- Configure the Server Affinity
- Configure the Proxy settings
- Configure the load balancer
- Open the Internet Information Services (ISS) Manager:
- Windows button → Type and click Server
...
- Manager.
- Under the Servers field, highlight the IIS on the left
- Manager.
...
- .
- Right click the Proxy Server name
...
- .
- Select Internet Information Services (IIS) Manager.
...
- Create a self-signed certificate:
- Go to IIS Manager
...
- Under the Connections field, left-click the server name
...
- Double-click the Server Certificates icon.
Info HTTPS connections require a web certificate. Either self-signed or trusted certificate can be used. In
...
this example, a self-signed certificate is used.
...
You can also use for testing the self-signed certificate created during SSO installation process by importing
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx
. This certificate has as alternative subjects both SSO and Accounting Service host names.- Click the Self-Signed Certificate under the Actions field
...
- .
- Assign a name for the certificate.
- Use value Personal for the certificate store.
...
Under the Connections field, right-click the Sites
...
→ Select Add Website...
In the Add Website dialog, define the following parameters:
Site name:
<your site name>
Physical Path:
C:\inetpub\wwwroot
Type:
https
Host name:
...
<uas.url from win32.config>
SSL certificate:
<certificate created before>
- Click the OK button.
...
...
- Under the Connections field, right-click the Server Farm
...
- .
- Select Create Server Farm...
Assign a name for the server
...
farm
Click the Next button
...
Add the SSO servers to the server farm.
Define the Server address (host name or IP address).
Under the advanced settings, verify that you have the correct HTTP and HTTPS port numbers. In this example, the default HTTP port 80 is changed to 8080 (from
proxy.local.url
inwin32.config
).Click the
...
Finish button.
Click Yes to create a URL
...
rewrite rule to automatically route all incoming requests to your
...
server farm.
...
- Under the Connections field, select your Server Farm name
...
- Double-click the Routing Rules icon.
- Verify that the Use URL Rewrite to inspect incoming requests checkbox is enabled.
Under the Actions field, click the URL Rewrite... link.
The URL Rewrite name has to use the syntax:
ARR_< Server Farm Name >_loadbalance
.
...
Note If you rename the rule it will break the link between ARR (Application Request Routing) and URL Rewrite rule.
To open the rule: Right-click the rule name → Select Inbound Rules → Select Edit...
Verify the following values:
Action type:
Route to Server Farm
Scheme:
http://
Server Farm:
<Your Server Farm Name>
Path:
/{R:0}
...
Click the Conditions drop-down list → Click the Add... button and specify the following values:
...
Input:
{HTTP_HOST}
Check if input
...
string:
Matches the Pattern
Pattern:
...
<uas.url from win32.config>
...
Under the Connections field, select your Server Farm name → Double-click the Server Affinity icon.
...
Check the Client affinity checkbox
...
.
Under the Actions field, click the Apply.
Info "Sticky Sessions and client affinity are ways of maintaining a persistent connection to a specific webfarm node until the client session ends. When a client connects to a website, the load balancer starts a session on a specific node: as long as the client is connected, all requests are sent back to that node."
...
...
Under the Connections field, Select your Server Farm name → Double-click the Proxy icon.
...
Check the Reverse rewrite host in response header checkbox and
...
uncheck the Include TCP port from client IP checkbox.
...
- Under the Actions field, click
...
- Apply.
...
...
Under the Connections field, select your Server Farm name → Double-click the Load Balance icon.
Under the Load Balance field, configure the parameters:
Load balance algorithm:
Weighted round robin
Load distribution:
Custom distribution
Relative Weight of SSO Server 1:
1000000000
Relative Weight of SSO Server 2:
1
Click
...
Apply under
...
Actions
...
.
Info For High-Performance setup, only proxy related setting is "Load Balance". In High-Performance setup, requests are distributed equally.
For High-Performance setup, SSO has to be setup for REDIS in-memory database for session management.
...
Step 4. Configure Reverse Proxy additionally for the Accounting Service
Info |
---|
This is an example configuration for an IIS Server to function as a reverse proxy additionally in front of the two Accounting Service instances on the SSO servers. This configuration example is not intended for production environments. In production, encrypted communication between the proxy and the server is strongly recommended. |
Reverse proxy configuration consists of the following operations
- Add binding to the website
- Create another server farm
- Verify the Routing rule and URL Rewrite Rule
- Create a specific Inbound rule
- Configure the Server Affinity
- Configure the Proxy settings
- Configure the load balancer
Add binding to the website: choose the site created in the previous step (let's assume it was sso.example.com and not www.example.com like in the screen captures above), select Bindings... from Actions, and click Add.., enter following parameters:
Type:
https
Port:
443
Host name:
<accounting.url from win32.config>
SSL certificate:
<certificate selected above>
Create another server farm with name e.g. "Acc Cluster Farm", and add the same servers as to the SSO server farm but with different http port numbers (port number from
accounting.proxy.local.url
inwin32.config
):Click Yes to create a URL rewrite rule to automatically route all incoming requests to your server farm.
- Verify the Routing rule and URL Rewrite Rule for the new server farm in the same way as with SSO configuration above.
Create a specific Inbound rule on top of the routing rules: choose Add Rule(s)... from Actions:
Choose Blank rule and enter the following parameters:
Name:
add-forward-headers
Match URL Pattern:
(.*)
Server Variables:
Name:
HTTP_X_FORWARDED_PROTO
Value:https
Action Rewrite URL:
{R:0
Click Apply to confirm and click Move Up to move the new rule on top of the rules. This rule is needed for Accounting Service OAuth2 authentication flow to provide both
X-Forwarded-For
andX-Forwarded-Proto
headers when redirecting back from SSO to Accounting Service.The outcome is shown in the following screen capture:
Configure the Server Affinity the same way as with SSO configuration above except use a different cookie name.
Configure the Proxy settings otherwise the same way as with SSO configuration above except disable the Reverse rewrite host in response headers checkbox. Otherwise redirecting from Accounting Service to SSO for OAuth2 login does not work.
Configure the load balancer as you wish to - there is no server side session in the Accounting Service.